Australian Security Magazine, Oct/Nov 2016 by MySecurity Marketplace

Print Post Approved PP100003227

THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Oct/Nov 2016

National Security & Legislative reform for IoT Digital technology versus national security threats

Deception detection - Part 2

Incident investigations

Martin Place Siege Inquest

Stats man & the sea – professional profile

The great submarine leak

China’s underwater great wall

PLUS $8.95 INC. GST

TechTime, Quick Q&A, Cyber Security and much more...

CYBer SecurITY

Do we have IT right?

25th November Crown Perth

Perth Conference 2016

From the War Room to the Board Room, HuntsmanÂŽ Defence Grade Cyber Security Platform delivers: Advanced Threat Detection and Incident Response Continuous Compliance Serious Cyber Security ROI

Proven in the most secure and sensitive environments within the intelligence, defence and criminal justice networks across the 5 Eyes community.

LEARN MORE TODAY 1300 135 897 huntsmansecurity.com

Contents Editor's Desk 5 Quick Q @ A with Kevin Mitnik

International China's underwater great wall Executive Editor / Director Chris Cubbage Director / Co-founder David Matrai

The great submarine leak

The stats man and the sea

National Security Lindt Cafe siege - Damned if you do damned if you don't

Corporate Security

Art Director Stefan Babij Correspondents Tony Campbell Adeline Teoh Sarosh Bana

MARKETING AND ADVERTISING T | +61 8 6361 1786 promoteme@australiansecuritymagazine.com.au SUBSCRIPTIONS

T | +61 8 6361 1786 subscriptions@mysecurity.com.au

What really happened

Deception detection uncovered - Part 2

Digital technology vs national security threats

Worrying statistics - Inaugural cyber security survey for Australia

Cover Feature Artificial intelligence & cybersecurity

Without security the internet of things is doomed and could kill millions

National security reforms needed before the internet of things

Scalable optics - New lanes laid for the internet of things super highway

Cyber Security What's causing the cybersecurity skills gap?

Women in Security Championing for open source collaboration

Copyright ÂŠ 2015 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E | info@mysecurity.com.au E: editor@australiansecuritymagazine.com.au All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US www.facebook.com/apsmagazine

Page 10 - The great submarine leak

Advertorial Obstinatley clinging to iconic obsolescence

TechTime - the latest news and products

Editor's book review

Page 24 - Digital technology vs national security threats

OUR NETWORK Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors

Page 28 - Artificial intelligence & cybersecurity

www.twitter.com/apsmagazine www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about www.youtube.com/user/MySecurityAustralia

Sophie Zadeh

James Wootton

Fraser Duff

Josh Kennedy

www.asiapacificsecuritymagazine.com

Page 32 Cover feature - National security reforms needed before the

www.malaysiasecuritymagazine.com

internet of things

Steve Cotrell www.drasticnews.com

www.chiefit.me

www.youtube.com/user/ MySecurityAustralia

4 | Australian Security Magazine

www.cctvbuyersguide.com

Tony Campbell*

Adeline Teoh*

Sarosh Bana*

Editor's Desk

“In short, the Army is protecting important national security objectives in every region of the world against five significant security challenges: Russia, China, Iran, North Korea, and counterterrorism. ”

- General Mark A. Milley Chief of Staff, United States Army,

Senate Armed Services Committee, September 15, 2016

’ll admit to writing with a high degree of despondency. As we go to print, the US elections are about to take place. There are many other ‘big’ events occurring internationally, regionally and nationally, as well as within each of our Australian states – it is difficult to find a good news story today and therefore remain positive and upbeat. Be it confirmed reports of an increase in children’s poverty despite 20 years of prosperity (expect a corresponding continuation of inequality, crime, drug abuse and neglect), or the out of control Indigenous suicide rates in the Kimberly (expect yet another generation suffering alcohol and drug abuse, intrafamilial sexual assault and lack of education, jobs and opportunity), or statewide blackouts in South Australia from mega storms or the destruction of the Great Barrier Reef from global warming (expect another review report that leads to nowhere and the ongoing rise and frequency in natural disasters). It remains far too easy to point to crises in Australia and globally. Despite the concerns around the US Federal elections, it is just as easy to point to Australian Federal and State Government ineptitude to controlling effective and trustworthy institutions – things are going to get a lot worse before they get better. There are circumstances alive today that will most likely instigate war between the USA with Russia and China. Increasing military war games, diplomatic break downs and war mongering rhetoric from Army Generals are now aligned to the largest ever seen cyber-attacks, including against critical infrastructure systems. I’m happy to be proven wrong or be called overly pessimistic – but I make the call regardless. All the while we seem to be happy to distract the public’s attention

with discussions around a plebiscite for gay marriage. I appreciate this may be an important social reform but seriously, the attention drawn from all these other issues is an attack on the intellect of all Australians. Security advisors are under increased pressure to stay abreast of the many interdependent trends and illicit activities taking place that affect clients, corporations and government enterprise. I’ve been fortunate to have travelled nationally and overseas over recent weeks and the attendance to security conferences in Singapore, Kuala Lumpur, San Francisco and Silicon Valley on the Internet of Things, drones, security technology and cyber security. With much of the discussion around the convergence of cybersecurity with physical security and the rapid increase in attacks and their effectiveness. As it should be clear to all, there is an obvious and rapid technology trend and the scale of connected ‘things’ is to triple over the next 5 years – my point being that the issues we are discussing in this Edition are only going to be exacerbated unless our governments and the legislation they control is effectively reformed. Yet my hope is deflated as we see the Federal Attorney General and the Solicitor General publicly spat over their control and independence – both gentleman appear unfit for office and indicates to me Australia is doomed to continued legislative impotency and inadequacy – we will never compete on a global scale with this quality of leadership and poor government. The only good news is that we appear to have produced another great ASM Edition with articles addressing subsea developments in the South China Sea, the loss of the 22,400 pages which contained the entire design plans, specifications

and stealth capabilities of the Scorpene submarine, with detailed operating instructions for its underwater warfare system and revealed too was the range of technical specifications of the sonars and at what degrees and frequencies they would function. Almost the entire Operating Instruction Manual has been detailed, with explanations on target selection for weapon configuration and firing, among a host of critical minutiae. The submarine is developed by the same French defense contractor, DCNS, that Australia signed an A$50 billion (US$38 billion) contract to design and build our 12 next generation submarines. It is speculated that the expose could have been the consequence of corporate espionage, as competition is fierce in current global military markets. From these regional defence issues we drill down to the day to day concerns of security advisor capabilities, be it detecting signs of deception, conducting investigations, the response to the Lindt Café siege and through to the growth of optical network capabilities and profile interviews with the likes of Kevin Mitnick and Karsten von Hoesslin. And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.

Yours sincerely, Chris Cubbage CPP, RSecP, GAICD Executive Editor

Australian Security Magazine | 5

....with Kevin Mitnik

Internet hacker and cyber security expert Internet hacker and now Cyber security expert Kevin Mitnick is in Australia in November for a conference in Sydney and Melbourne with business leaders where Kevin will talk about security risks and issues in the modern day business environment and how to best manage and combat such risks. What is your view of Open Source and the development of open source white hat communities? Do you see the need for these to be developed better, faster or with higher reward components as we move towards the Internet of Things. Kevin Mitnik (KM) I do like Open Source and I do believe that these communities should be expanded, but there is no management of these things as they are run on a completely voluntary basis. As far as moving faster and increasing rewards on open source projects, no one is really getting paid per say, so the reward is really just being a contributor. Maybe by creating additional incentives, it might make that particular community grow faster. We’re not seeing the notoriety of black hat hackers as we once did, rather we see the rise of particular hacker groups, such as Anonymous – can you explain why this might be? Is it the complexity of systems limits, individual hacker capabilities or is the risk of capture greater? KM - We do actually hear stories about individual hackers in the press all the time, we may not necessarily know their names but we do see their actions, usually for fraud or theft for example. Individuals from Russia have recently been indicted in cases. Anonymous is really a kind of idea, rather than an organised group, and people will jump on the bandwagon because they believe in a particular cause, and I think because Anonymous have had a lot of press due to some of its stunts, like hacking into police stations and hacking some of its officers, they have done a lot of brazen type of attacks, so it garners a lot of press. I also see an equal amount of press on other types of hacking activity as well. What can law enforcement do to better prevent and detect cybercrime, rather than the traditional approach of waiting for a report to be made and responding to a cybercrime report? KM - The problem is it’s not that law enforcement can’t do anything, or if a government starts regulating private sector businesses and become the watchman so to speak, I really don’t see that

6 | Australian Security Magazine

happening. It is really just individual businesses that have to develop and mature their security programmes well enough, so that they become a difficult target, so that the attackers then go after the easier targets. The government could improve in their investigations by using different tools and techniques to track the perpetrators down. Nowadays attackers could use TOR, which is a system designed by the US Naval services to anonymise Internet searching to protect journalists and dissidents and that sort of thing. It is also used by hackers to mask their IP address. For example, what we call the ‘dark web’ and what exists on the dark web is a lot of criminal activity. The silk road site is an example of this, it was an online drug emporium, and eventually the FBI got its man, the details of how they did this has not been made public, but it could have been by a vulnerability in TOR. It is actually hard to track down the perpetrators if they really know what they are doing, if they are sloppy and unsophisticated then it is quite easy. Do you see law enforcement and government security services developing their cybersecurity skills at the necessary pace to stay ahead of the curve or do you think they will always be a few degrees (or more) behind the curve – how much of a gap to you currently see? KM - The problem is that the government and

public sector do not pay as well as the private sector, so it is difficult to attract talent into this area. This will only change if governments pay enough to attract the right people. How do you view the moral implications of your background, given your criminal activities have been turned towards making a profit and how do you think we can turn younger people to the white hat community before they start black hat activities? KM - Well, I do have a unique past. I am not profiting off my criminal activity now; I am profiting off all the good things I am doing today. I run a company that performs system vulnerabilities, before the bad guys do. I am also the owner of a company where we do security awareness training and automated phishing against our clients so that they can better protect their business against social engineering attacks. I did illegal stuff back 20 years ago, but now my notoriety is resulting from the good things that I am doing. Today it’s a lot different to back in the 80’s and 90’s, when I started. Now there is cyber security taught in schools and universities, so it’s a better environment now to teach and instruct students that will hopefully become cyber security professionals, nowadays there is coursework and available programmes to help those people do it in a moral and ethical way.

CYBER SECURITY TRAINING & AWARENESS COURSES, WORKSHOPS & E-LEARNING • FOUNDATION CERTIFICATE IN INFORMATION SECURITY (FCIS) • CYBER SECURITY INVESTIGATIONS & INTELLIGENCE • CYBER ATTACK-RESPONSE DRILL (CARD)

FROM ENTERPRISE AWARENESS TO FULL CERTIFICATION

SUITABLE FOR: LAW ENFORCEMENT, REGULATORS, JUSTICE MINISTRY HEADS, INFORMATION TECHNOLOGY / IT MANAGERS INFORMATION SECURITY OFFICERS NETWORK ENGINEERS / SUPPORTS HEADS OF PROCUREMENT / BUSINESS DEVELOPMENT FACILITY AND SECURITY MANAGERS HUMAN RESOURCE / TRAINING MANAGERS

w w w. a m l e ch o u s e . co m

International

China’s Underwater Great Wall

T By Sarosh Bana APSM Correspondent

8 | Australian Security Magazine

he stakes in the South China Sea (SCS) are apparently reaching down to the murky depths of this contentious waterway as Beijing readies its undersea surveillance network to consolidate its presence in the region. The China State Shipbuilding Corporation (CSSC), one of China’s top shipbuilding and defence groups that builds virtually all People’s Liberation Army Navy (PLAN) warships, has been laying a network of ship and subsurface sensors that it calls the ‘Underwater Great Wall Project’ that is designed to gain Beijing an enormous undersea warfare advantage. Estimated to be close to completion, the project will help China push its effective control zone and track all submarine, surface and aerial activity in the littoral. CSSC is also flaunting the system as “a package solution” in terms of underwater environment monitoring and collection, real-time location, tracing of surface and underwater targets, warning of seaquakes, tsunamis and other disasters, as well as for garnering research data on marine life and geology. Project details were made available at a CSSC booth at a public exhibition in China late last year, with IHS Jane’s managing to have them translated from a government official. According to a recent IHS Jane’s report, the system proposed by CSSC will likely be obtained by PLAN and may also be offered for export. The CSSC document is quoted as claiming that one of the company’s objectives, among others, is to provide its customers with “a package solution in terms of underwater environment monitoring and collection, real-time location,

tracing of surface and underwater targets, warning of seaquakes, tsunamis, and other disasters as well as marine scientific research”. Describing itself as “an extra-large conglomerate and state-authorised investment institution directly administered by the central government of China”, the 17-year-old Corporation notes: “Under its wing, there are totally 60 sole proprietorship enterprises and shareholding institutions, including a batch of most powerful and some renowned shipbuilding and ship-repairing yards, research and design institutes, marine-related equipment manufacturers and trading firms in China.” The CSSC stakeout model appears to be a vastly advanced and comprehensive version of the SOund SUrveillance System (SOSUS) that had accorded the United States a significant advantage in countering Soviet submarines during the Cold War. SOSUS was the result of an ultra secret mission tasked by the US’s Office of Naval Research (ONR) to AT&T and its manufacturing arm, Western Electric, in 1950 to develop an undersea surveillance system designed to detect and track Soviet submarines. The System was an array of hydrophones on the ocean bottom connected by undersea cables along the entire US East Coast to on-shore processing centres. SOSUS was itself a high engineering spin-off of the US Navy’s SOFAR (Sound Fixing And Ranging) channel discovered toward the end of WWII to detect submarines hundreds of miles away by listening for the noises they generate. The Underwater Great Wall gives visible shape to China’s intent on asserting its role in the region. Beijings’ claims of

International

sovereignty over almost the entire South China and East China seas have sparked disputes with its neighbours such as Japan, the Philippines, Vietnam, Taiwan, Malaysia and Brunei Darussalam. The bone of contention has been the various island enclaves, not of much value in themselves, but the possession of which would provide strategic resource-rich continental shelves and Exclusive Economic Zones (EEZ) that extend 200 nautical miles from the low-water shoreline. Towards this, China has been creating islands and militarising them to further its access to marine resources. Also, Beijing’s energyhungry export-driven economy that is heavily reliant on raw material and fuel imports seeks to buttress its suzerainty over the regional Sea Lines of Communication (SLOC) that are critical to the survival of the entire Asia-Pacific community. It is largely to its seaborne trade that China owes its spectacular economic transformation that helped shrink the 61 per cent of its population living in extreme poverty in 1990 to only four per cent by 2015. One study reckons that of the four billion tonnes added to global seaborne trade between 2002 and 2014, Chinese imports accounted for 94 per cent of the increase in iron ore volumes and 35 per cent in coal volumes, while Chinese exports accounted for 60 per cent of the expansion in container trade. To ensure safe passage to its maritime trade and expand its commercial footprint, China has been extending its blue-water presence in its neighbourhood through the establishment of its South Sea Fleet surface combatants in Zhanjiang in Guangdong province that faces Hainan Island to the south where its nuclear-submarine fleet is located. The area also has the deployment of precision cruise and advanced ballistic missiles that can target all current US bases and naval forces in the region. The ominous developments are posing a threat to the Asia-Pacific as a whole, the fastest growing economic region in the world. While this region has hitherto been driven by commercial interests, this widening unrest threatens the sea lanes that are its lifeline. With one of the largest fleets of attack submarines comprising four ballistic missile submarines (SSBNs), six nuclear-powered attack submarines (SSNs) and 53 dieselelectric submarines (SSKs), Beijing is close to deploying a powerful sea-based nuclear deterrent through long-range nuclear-armed submarines. Five Type 094 Jin Class SSBNs may eventually be built, each armed with 12 JL-2 missiles that can deliver one-tonne nuclear warheads at a range of 4,320 nautical miles (8,000 km). China’s military posturing challenges the US, viewing as it does Washington’s pursuit of its policy of “pivot” to Asia as an American attempt to curb Chinese influence across the region and embolden countries to brazen out China on the maritime disputes. Beijing has argued too that this policy is aimed at containing its legitimately expanding economy and military, as also at bolstering American presence in this region of the future. Also termed “rebalance”, the strategy was outlined in President Barack Obama’s 2012 Defence Strategic Guidance that reorients the US’s capabilities and capacities to better prepare for future global security. It enunciates the relocation of 60 per cent of the US’s naval assets – up from 50 per cent

today – to the region by 2020. Beijing views these moves as an American attempt to curb Chinese influence across the region and embolden countries to defy China on the maritime disputes. Though Washington has sought to be neutral, it is conscious of the need for freedom of navigation for all countries. It hence finds it imperative to raise its already formidable profile in the Asia-Pacific. Its numerous military bases in the region include 17 in Japan and 12 in South Korea, while it also has a presence in Australia, Thailand, the Philippines, Guam and Singapore, and on the Britishcontrolled Indian Ocean island of Diego Garcia. CSSC’s Underwater Great Wall combines a network of crewed and Unmanned Surface Vehicles (USV), or Autonomous Surface Vehicles (ASV), which are unmanned watercraft, active and passive sensors located up to 3,000 metres underwater, and a seabed sensor picket line to create a subsurface perimeter around China’s claimed maritime territory. This will help in the autonomous location and tracking of enemy submarines and ultimately in setting up a zone of anti-access/area denial in the waterways deemed critical by China for its security. The seabed-based component of this network features an array of hydrophones and magnetic anomaly detectors cited along undersea cables laid at the axis of deep sound-channels roughly to the direction that the arrays are to listen. This capability is next paired with maritime reconnaissance / ASW (anti-submarine warfare) aircraft assets to establish a multitier ASW network. Through its Underwater Great Wall, China may also well affirm the so-called ‘nine-dash line’ that it had unilaterally delineated in 1947 to claim as much as 90 per cent of the 2 million sq km expanse of the South China Sea. The line extends to as far as 2,000 km from the Chinese mainland to within a few hundred kilometres of the Philippines, Malaysia and Vietnam. And it was this claim that the Permanent Court of Arbitration in The Hague debunked in July in the case against China brought before it by the Philippines. The Court upheld Manila’s contention that the line exceeded the limits of maritime entitlements permitted under the UN Convention on the Law of the Sea (UNCLOS), a verdict that Beijing rejected, whilst re-asserting its “historical maritime rights” across the region. Actually, China had scripted a 11-dash line in 1947, but had removed two ‘dashes’ in the early 1950s to bypass the Gulf of Tonkin as a gesture to communist comrades in North Vietnam. This was the first time the Chinese government had been summoned before the international justice system, the tribunal indicting Beijing also for violating international law by causing “irreparable harm” to the marine environment, endangering Philippine ships and interfering with Philippine fishing and oil exploration. The absence of any mechanism to enforce the ruling, despite its being legally binding, emboldened China to defy it, affirming its claim to sovereignty over the South China Sea “since ancient times”. Not only the creation itself of the Underwater Great Wall, but its locational sweep in disputed waters, may spark fresh reprisals from nations in the littoral that are no longer agreeable to countenance any further excesses.

Australian Security Magazine | 9

International

The great submarine leak

T By Sarosh Bana APSM Correspondent

10 | Australian Security Magazine

he wide-ranging data leak on India’s French-origin Scorpene submarines hosted on its website recently by the daily broadsheet, The Australian, on two consecutive days clearly undermines New Delhi’s sensitive submarine construction programme. The 22,400 leaked pages detailed the combat capabilities of the 1,565-tonne 61.7-metre Scorpene 2000 SSKs (dieselelectric hunter/killer submarines). Six of these submarines are being built under the Indian Navy’s Project-75 (P-75) under a Transfer of Technology (ToT) agreement between DCNS, the European leader in naval defence, and the Mumbai-based state-owned shipyard, Mazagon Dock Limited (MDL). The first of this series, construction on which began at the MDL yards in December 2006, is being launched in September, its commissioning scheduled a year thereafter, with subsequent boats delivered at intervals of nine months. The programme is running four years behind schedule, its original contract cost of US$2.63 billion in 2010 having spiralled to US$3.8 billion. The cost includes a US$1 billion Technical Data Package for MDL to gain competence in submarine construction, especially in the field of hull fabrication, outfitting, and system integration. While the question is whether India’s security is under threat as a result of the data leak, another question concerns

the motive of the morninger, owned by Rupert Murdoch’s News Corp Australia and published out of New South Wales, in exposing a friendly nation’s defence agenda. The paper has been described as one that acts more like a propaganda sheet for the rightwing of Australia’s Liberal party than a broadbased sounding board for big ideas and public policy. Canberra in April awarded the same French defence contractor, DCNS, an A$50 billion (US$38 billion) contract to design and build 12 next generation submarines. It is speculated that the expose could have been the consequence of corporate espionage, as competition is fierce in the global military sweepstakes. Variants of the DCNS Scorpene operate with the Malaysian and Chilean navies and will soon also be deployed by Brazil from 2018. The uploaded sets of documents contained the entire design plans, specifications and stealth capabilities of the Scorpene, as also detailed operating instructions for its underwater warfare system and revealed too was the range of technical specifications of the sonars and at what degrees and frequencies they would function. Almost the entire Operating Instruction Manual has been detailed, with explanations on target selection for weapon configuration and firing, among a host of critical minutiae. Of the leaked information, 6,841 pages elaborated on

International

the submarine’s communications system, 4,457 pages on its underwater sensors, 4,209 on its above water sensors, 4,301 on its combat management system, and 493 on its torpedo system. Bared also were the diving depth ranges, magnetic, electromagnetic and infrared data, frequencies at which the submarine gathers intelligence, requisite speeds and conditions for use of the periscope, noise specifications of the propellers, radiated noise levels that occur when submarines surface, levels of noise at various speeds, and the locations where the crew can speak to avoid sonar detection. The Australian reported it had been informed that the secret data were stealthily drawn from DCNS by a former sub-contractor in 2011 and taken to a private company in Southeast Asia before being passed on to a branch of that company in a second Southeast Asian nation. A compact disk containing the data was then posted in regular mail to a company in Australia. Evidently taken aback, Indian authorities downplayed the incident, affirming it did not compromise national security, as such information was available on “many naval defence websites”, and The Australian blacked out vital factors, and besides numerous parameters have been modified since 2011 in the submarines under construction. While it is not unusual for parameters to be altered at the behest of the customers, at

times within a series production, with follow on vessels being finer tuned and more streamlined, a comprehensive disclosure as by The Australian’s undoubtedly conveys confidential information and cannot be belittled. Such sensitive data would not only be unobtainable in the public domain, they would not be publicised by any credible websites guided by professional ethics. Much similar information very likely vests with various media agencies worldwide, but they would be circumspect in revealing it. There is also the question as to what Canberra’s reaction would have been if an Indian paper had carried detailed descriptions of Australia’s own submarine programme or its two 27,800 tonne Canberra-class Landing Helicopter Docks (LHDs), also known as amphibious assault ships. The two LHDs, HMAS Canberra and HMAS Adelaide, were commissioned in November 2014 and December 2015 and were constructed for the Australian Defence Force (ADF) at a cost of $2.9 billion. To be jointly crewed by personnel from the three services, they will provide one of the most capable and sophisticated air-land-sea amphibious deployment systems in the world, each being able to land a force of over 2,000 personnel by helicopter and water craft, along with all their weapons, ammunition, vehicles and stores. Design and construction

Australian Security Magazine | 11

were by Spain’s Navantia, while BAE Systems Australia, a subsidiary of BAE Systems plc and the largest defence contractor in Australia, was the prime contractor. Navantia’s Ferrol-Fene shipyard in north-west Spain constructed the hulls to the level of the flight decks, including the majority of fitting out, and the island structures were installed at BAES’s Williamstown shipyard in Victoria. Though he said that the leakage was “of concern”, Australian Prime Minister Malcolm Turnbull specified that the Indian Scorpene was a model different from the one Australia was buying. “The submarine we are building or will be building with the French is called the Barracuda, quite completely different submarine to the Scorpene they are building for India,” he told Channel Seven. “We have the highest security protections on all of our defence information, whether it is in partnership with other countries or entirely within Australia.” According to DCNS, the 97-metre 4,000-tonne Shortfin Barracuda Block 1A, designed specifically for the Royal Australian Navy, is “the world’s most advanced conventionally-powered submarine”, with state-ofthe-art signature reduction technology, pumpjet propulsion replacing ‘obsolete’ propeller technology, retractable hydroplanes minimising drag and noise, and outfitted with the most powerful sonar ever produced for a conventional submarine. Quick access tech insert hatches moreover allow upgrades to be carried out easily. As with issues of this nature, India’s Defence Minister Manohar Parrikar asked the Chief of Naval Staff (CNS), Admiral Sunil Lanba, to have the extent of the leak examined. Maintaining that any information lapse is viewed very seriously by the Indian Navy, the CNS pointed out that DCNS had been asked to launch an urgent investigation into this. “Detailed assessment of the potential impact is being undertaken at Integrated Headquarters, Ministry of Defence (Navy), an analysis is being carried out by concerned specialists, and an internal audit of procedures is also being undertaken to mitigate any probable security compromise,” he indicated. India has also taken up this matter with the Director General of Armament of the French government, with the request to investigate with urgency and share its findings with India. “It is not a leak, it is theft,” a naval official affirmed. “We

12 | Australian Security Magazine

have not found any DCNS negligence, but we have identified some dishonesty by an individual.” The matter is also being pursued with other concerned foreign governments through diplomatic channels to verify the authenticity of the reports. DCNS took the issue to the Supreme Court of the State of New South Wales that directed The Australian to withdraw the documents published on its website, to provide DCNS with all related documents in its possession and to desist from publishing any additional documents. “Confidentiality of information and communication is a matter of utmost importance and DCNS welcomes this decision of the court,” a DCNS statement mentioned. “In parallel to this action, DCNS filed a complaint against unknown persons for breach of trust, receiving the proceeds of an offence and aiding and abetting before the Paris Public Prosecutor.” The French contractor is understandably worried. Apart from having set up its subsidiary, DCNS India Pvt. Ltd, in Mumbai for the Scorpene construction, it is now establishing another fully-owned subsidiary to produce air independent propulsion (AIP) technology for its submarines. It has submitted its proposal for this to India’s Foreign Investment Promotion Board (FIPB). DCNS, after all, is seeking to bid for the lucrative $8.06 billion – possibly $12 billion - Project-75(I) contract for the construction of six new generation stealth diesel-electric submarines that is eliciting wide interest among shipyards both at home and abroad. Defence-oriented enterprises, which have invested heavily in creating and expanding their warship building facilities and competencies, are preening themselves for the competitive bidding for the tender that requires the submarines to be built in India at an identified shipyard, within the public and private sectors assessed to have the potential to build modern conventional submarines. It remains to be seen whether DCNS will be countenanced for the tender by the Indian authorities following this disastrous leak. The Indian Navy has already scotched all previous speculation of construction of three more Scorpenes being contracted out to DCNS.

I N V I T A T I O NCyber Security

EXCLUSIVE INTERPOL WORLD 2017 AUSTRALASIA POLICE & SECURITY PROFESSIONALS SINGAPORE DELEGATION INNOVATION TOUR

5-7 July 2017 | Suntec Singapore Convention and Exhibition Centre MySecurity Media is pleased to be the official and exclusive marketing agency for the region of Australia & New Zealand for INTERPOL World 2017. INTERPOL World 2017 provides a premium platform for public and private security sectors to discuss and showcase solutions to fast evolving global security challenges. The biennial exhibition and congress brings together law enforcement, government bodies, academia, international security professionals and decision making buyers to security solution providers and manufacturers. For more about the program visit - www.interpol-world.com

MySecurity Media will manage all logistics, such as flight/hotel bookings for the visiting delegation. 2015: 7,807 Visitors & Delegates 2017: 300 Exhibitors

Some of the main topics:

PREMIUM SPONSORSHIP OF INTERPOL WORLD 2017 DELEGATION AVAILABLE:

Email: interpol_world2017@mysecuritymedia.com Delegate Profiles: Chiefs, Heads, Directors, Officers, Security Professionals, Security Consultants, System Integrators. Visitor profiles: www.interpol-world.com/visiting

• • • • • • •

IoT, cybersecurity, big data analytics Biometrics Genetic & synthetics biology Safe cities Robotics Unmanned/artificial intelligence Face recognition

• Forensics

“We came to meet senior police leaders from other countries with a view to exchange criminal records, biometrics and fingerprints. We achieved ten new partners.” -Ian Readhead, National Police Chiefs’ Council, UK

news.com

Express interest in joining us at this exclusive event interpol_world2017@mysecuritymedia.com Australian Security Magazine | 13

International

The stats man and the sea Pirate hunter, undercover statistician or psychological medic? Karsten von Hoesslin's career is as hard to pin down as the oceans he covers as a 'maritime response consultant'.

I By Adeline Teoh ASM Correspondent

14 | Australian Security Magazine

'm flying in an Antonov 27, 50 metres over the water, dropping $3.5 million to a bunch of guys in raggedy clothes. Really, the money is just a prop," says Karsten von Hoesslin on how to make a ransom payment to Somali pirates who've hijacked a ship and taken its crew hostage. Ask him what he does for a living and the answer is necessarily circumspect. On paper he may be a 'maritime response consultant', but delve a little deeper and more amazing details start to emerge. Best known publicly as the host of National Geographic's series Lawless Oceans, von Hoesslin began his oceanic voyage many years prior with an interest in the South China Sea disputes for his Masters. "Having examined the United National Convention of the Law of the Sea, I asked myself 'how can something be so simply laid out and yet so complex to implement?'" The grants and funding he secured for that research also allowed him to peek at piracy issues where there were plenty of open source statistics but suspicions of under-reporting. "I then started my PhD research looking at various human intelligence methodologies for infiltrating organised crime groups," says von Hoesslin. "I started testing that in South East Asia in pirate networks, seeing how far I could infiltrate. The results were unprecedented, especially in comparison to what was reported in open sources." In addition to working with law enforcement agencies in South East Asia, he worked jointly with authorities on West Africa, Somali and Horn of Africa pirate issues. That exposed him to specialist training in areas such as hostage negotiation and behavioural profiling. It was at

this point he decided to pivot from intelligence work into more operational roles, "doing delivery drops, negotiations, support work and then actually commanding operations myself ", including that of delivering one of the highest value ransoms in Somali piracy history. But the rewards are less about the money and more about the people, von Hoesslin says. Having trained in paramedicine, tactical, flight and remote medicine as well as major incident medical management prepared him to work with the hostages of hijacked ships. "The people who were hostages were simply not in good enough condition to provide actionable intelligence. A lot of them are at various stages of PTSD and they haven't actually been given any psychological first aid," von Hoesslin explains. "There was a tremendous difference in the four days we would have with them, they were much better off. That was the most rewarding thing." Hunting phantom ships Filling in the gaps of some questionable statistics led von Hoesslin to his current role. There was a 'boom' in South East Asian piracy in 2014-15, he explains. "There were a lot of vessels that would disappear or were hijacked and sometimes they were off the books, it wasn't reported. I was able to find some of these vessels in Indonesia and various places where they were being heldâ&#x20AC;&#x201D;some of them were insurance scams." It was at this point he crossed paths with National Geographic, who were filming an episode of Underworld, Inc on South East Asian pirates. National Geographic followed

International

von Hoesslin as he worked to locate phantom tankers, then approached him to develop a series called Lawless Oceans, which "examines the various crimes at sea ranging from drug smuggling to piracy to migrant smuggling and illegal fishing," he describes. Being on an international TV channel has its drawbacks as a maritime investigator, von Hoesslin admits, and it's doubly hard when he can be the only white man in a village in Asia or Africa. "I prefer to keep a low profile. Let's say there's an episode of Underworld, Inc on pirates, then that probably means that I have to be a bit more careful when I'm in the field afterwards," he notes. Fortunately he does have other occupations that seem to satisfy most people he meets: doing medical work, such as volunteering in hospitals, and practising heritage photography. For everything else there's human interaction. "I've been places where I've got my camera and I'm just taking pictures—not even intel pictures—and people go, 'you're CIA'. I just look at them and I say: 'You're right, I'm here for you.' They freeze and don't know what to say. I will break that moment with a laugh and they usually realise how silly their accusation sounds. You de-escalate their suspicion and then you can talk to them." Von Hoesslin is potentially open to a second series of Lawless Oceans. In any case, he's about to obtain a commercial licence to fly his drone—a handy piece of kit to record maritime crime unobtrusively, and for surveying—and he has advanced care paramedics training to complete. He says his next role is likely to be in crisis response on the medical side, "helping companies as well as NGOs better prepare for incidents, and more importantly, preventing them

from getting involved in bad situations". In the meantime, past success is reasonably easy to define. "On the law enforcement side, nothing gives me more joy than to see an active interest in a case, an arrest and then, most importantly, a conviction. On the human side it's to see people recover from bad things or even to see pirates not wanting to be pirates anymore. There are cases of people I've worked with in the past, assets, who then cleaned up and got regular jobs." As for von Hoesslin, his job is anything but regular with international travel always on the cards and a lot on his mind at all times. "If I take holidays I'm always calculating and figuring out how to do projects—'I will not stop until this current case is properly investigated'." And despite the frequency of guns, money and espionage in his career, he says he's not addicted to the thrill of it as some might be. "I get more of a thrill out of backcountry skiing."

US$1.32 billion was the estimated cost of maritime piracy in the Western Indian Ocean during 2015, down from $7 billion in 2010. Source: oceansbeyondpiracy.org

Australian Security Magazine | 15

National Security

Dammed if you DO and Dammed if you DON’T

T By Fraser Duff

16 | Australian Security Magazine

here are many questions being asked by Senior Council acting for the Dawson family as part of the Coronial inquest into the Lindt Café Siege, and understandably so. Police operations have never been more under the microscope. There is almost daily reporting in the media into the Police decisions, actions and operational capability on that fateful night in December 2014. The actions of the NSW Police on that evening have evoked strong public opinion and the Police situation is almost one of; damned if you do, and damned if you don’t. Perhaps one way to reduce the risks associated with such a loss of public faith would be to revisit who and how incidents of this nature can best be dealt with. In doing so, we need to revisit ALL possible resources and methods of operation objectively. A debate as to whether terrorist incidents should remain under the control of Police or whether future Military involvement needs to be considered and evaluated? This question raises some big issues. Specifically, whether Australia has the stomach for a military intervention on home soil and whether our risk averse culture hinders this type of commitment and resolution going forward? Before exploring this question, I might first suggest that we not lose sight of the bravery of a small group of Police officers from the tactical operations unit (TOU). Above all else, these officers risked their lives. They were also severely affected by the decisions and actions of the ‘Police Operational Command’. It was these officers who had to come in off the back foot, behind the eight ball in an

Emergency Action and engage a man committed to mayhem and murder. They are the bravest of souls and we can only ever be grateful for their service. Leigh Sales on the 7.30 report recently asked the Premier Mike Baird (24th August 2016) a very challenging question about the siege. Leigh asked, “If your son was one of the hostages in the café that night, would you be happy with how the Police resolved the incident”? The Premier didn’t answer the question. It’s perhaps his absence of an answer that provides some insight into current community and public sentiment. The answer for any parent who had a loved one in such dire circumstances and facing possible execution would be a resounding NO. The Premiers attempt to then shed light on how operational equipment experienced failings on the night including; night vision goggles, communication systems and the command truck, fall well short of the mark. We don’t want an incident as significant as this to have the lessons learnt reduced to such a low level as 'equipment failings'. There are far greater issues, much higher up the food chain. The Commissioner Mr. Scipioni and Deputy Commissioner Catherine Burn have been ducking for cover, distancing themselves from any of the decision making or operational command of the terrorist incident. These are the Captains who will not go down with the ship. In fact they are already in the lifeboats, while public confidence dwindles over the handling of the incident. What message does their behaviour now send to the Police who may be called upon to command an incident tomorrow?

Cyber Security

If we examine issues at a strategic level, then the Police brand is now on public trial. They have been backed into a corner with only one option left, to strongly justify all their actions and decision making on the night in the belief that everything was done that could be done. At the risk of being derided by the staunch Police advocates, I feel the more open and public the debate about what occurred and how it was resolved the greater the chance for real learning and future improvement. The intent should always be to learn the real lessons from that night and hopefully be in a much stronger position to make decisions that prioritise the lives of each and every innocent victim above all else. Strategically we need to consider the apex of our response, i.e. the operational command and control aspects of dealing with an ideologically based attack on our way of life. This is an area where perhaps policy change will yield the biggest benefit in enhancing future efforts to maximise public safety. Hopefully this is where the Coroner will publish his most valued findings in what may be our longest and most detailed coronial inquest. We spend 100’s of millions of tax payers’ dollars each year on our Counter Terrorism readiness capability. The end result being that when we have an ideological self proclaimed gunman/killer taking numerous hostages and threatening lives, and the Police Operational Commander by virtue of his own evidence indicates that he would not authorize an assault, until death or serious injury had occurred to the hostages. I truly can’t believe this position and further, that

if faced with the same set of circumstances today would do exactly the same thing. If command, with all the evidence before it, did genuinely NOT believe it likely that a life would be taken, then I understand this statement. If, however we take from this, that any future event involving a person espousing extremist beliefs, where murder is perceived as LIKELY and no lethal force would be taken, then I would have the gravest concerns over this type of decision making framework. If this is the framework that our Police agency believes our community supports, then that’s equally of grave concern. With respect to the Assistant Commissioner Mr. Mark Jenkins (who is no doubt a highly capable Police Officer and a well respected commander in the Police, who is reported as having previously held positions in Police Media, HR and State Crime Command), the question we could ask is; “are the experiences of Police commanders providing the public with the very best profile for decisions that involve responding to a terrorist incident involving an individual espousing extremist views and holding multiple hostages in need of rescue”? It also drawers into question the level of influence the Police Negotiators and Psychiatrist had over the decision making and response to the siege and the fate of the hostages. If our decision making frameworks remain as they appear to be, then how will our next group of hostages feel when confronted with a terrorist related incident? Will they be wondering who amongst them must die in order for an attempt to be made to rescue them? Will they be abandoned

Australian Security Magazine | 17

National Security

"The 60 to 70 grain projectile travelling at approximately 3,000 feet / second with its high energy output (approx 1,325 ftlbs) was always going to have; over penetration, fragmentation and ricochet issues for those close by..." to their fate and therefore have to act as some did in the Lindt Café and take survival into their own hands and either attempt to escape or collectively try with all ‘able persons’ to overpower the hostage taker? Surely the mission on the night, which must be written down somewhere, would have said, “Save the lives of the hostages at all cost”. Senior ranking Police (AC’s) took operational command and responsibility for all decisions and actions on the night. Interestingly the Commissioner and Deputy Commissioner have disappeared behind a veil, beyond reproach and accountability. These are very senior Police; political and experienced bureaucrats familiar with navigating their way around a large machine bureaucracy and ascending its dizzy heights. (Note the recent public spats and the Police Integrity Commission investigation into the behaviour of the Assistant Commissioners and Deputy Commissioner over their wire tapping and public undermining of each other as they jostle for political clout). Experienced managers and policy makers yes, but does this make them the best operational commanders for terrorists/hostage incidents? It was noted that one of the operational commanders suggested, that by virtue of his having previously commanded the ‘Mosman hoax collar bomb threat’, that he was now capable of making the best operational (which is quite different from tactical) decisions around suspected explosive devices, which were supposedly in the possession of Man Monnis. Further stating that in his view ‘contain and negotiate’ was, and still is the best way forward for the resolution of any future terrorist incidents. In light of this revelation, compare Police operational

18 | Australian Security Magazine

commander’s backgrounds to that of a military operational commander (TAG COMD) East or West. Military forward commanders are Special Forces Soldiers normally a Lieutenant Colonel (LTCOL) or higher, from either the Commando or SAS Regiment with significant operational experience in Afghanistan, Iraq, East Timor and a host of other operational theaters of war, with real mission capable experience. They are not bureaucrats or political in nature, they are in effect the best soldiers Australia has, highly experienced, highly capable and mission driven. In reality, there is no correlation between commanding the hoax collar bomb threat and dealing with a terrorist who may or may not have explosives. That would in no way provide you with the experience needed to make sound operational decisions under pressure when hostage’s lives are at risk. Where tactics, surprise, speed and precision are of the essence to save hostages lives. A hoax collar bomb threat is a far cry from an ideological gunman prepared to execute hostages. If Police command believe that a dead man switch linked to a backpack full of explosives precludes any aggressive action by Police at any time, this further raises the issue of capability. Dead man switches are not used over long periods of time as they are actuated by pressure release. They are designed to be used by terrorists at targets/barriers/barricades etc. where they may be shot while driving /walking/ running or riding a bike on approach to the target to fulfill their objective. Alternatively the pressure switch is released when having reached their objective/target and needing to detonate the device. If they are killed, either way their hand releases the pressure switch, triggering the device. These devices are usually armed just prior an attack taking place. They are not armed for long periods of time i.e., 17 hours as it’s improbable to hold a pressure switch for that long without accidental actuation. There is a great myth around supposed explosive devices, because most people, Police included never get close to, use, or understand explosives unless they have been in the Military, Police bomb squad or a mining engineer etc. Once the activation method is properly appraised, regardless of whether Monnis had a bag full of explosives, an effective countermeasure would still be a carefully positioned marksman/ sniper, which is something I’ll address later. Snipers bring about a swift and violent end to an incident with no time for a terrorist to arm and then trigger an explosive device. This is something the military can contend with. So where does this leave us? Current command and control of ideological based terrorist related incidents where hostage lives are at risk on home soil, does not rest well with senior Police bureaucrats. I don’t believe Police command in its current form will ever hand over an incident to the Military. We simply can’t do what we’ve always done and resort to a ‘contain and negotiate’ strategy in the belief that it will always work. We need to focus on the best resolution means available to save the lives of the hostages. We also need to have the courage of our convictions to deploy our absolute best resources in a deliberate action and seize the initiative when confronted by this ideological based threat. Perhaps if we were bold enough we could move away from the current sovereign state based Police command and control model. Perhaps through a change of legislation a

National Security

"Beyond this most critical aspect of the review; ‘operational command’, there are some tactical considerations that need to be examined for future actions. A key one is the use of high velocity military 5.56 calibre ammunition inside a building constructed of mainly thick stone/block, concrete and marble walls at distances less than 40 meters." federal/commonwealth based model could be considered, well beyond what we currently have i.e., how the Europeans are engaging with combined Police and Military assets. A national agency, (not the Federal Police) i.e., Office of Homeland Security (for want of a better name), could be tasked with responding to terrorist/hostage related incidents across Australia. They would take full command for the activation and resolution of incidents in each state. This agency could combine at the outset the TAG Military commanders and state based Tactical Police resources, once a set of specific criteria have been met. The advantage being that it would relieve the Police of command and decision making responsibility, allowing them to focus on other important aspects of incident management i.e., public order, crowd management, perimeter control, traffic control and criminal investigations etc. Homeland Security could then have operational and tactical responsibility with Military and Police resources deployed in the most effective and unified way. The aim should be to remove bureaucracy, political hierarchy and ego or fear based decision making. Replacing it with tactical command and control decision making, based upon a sound appreciation of the situation, engaging the very best assets, specialised in responding to terrorist attacks. Beyond this most critical aspect of the review; ‘operational command’, there are some tactical considerations that need to be examined for future actions. A key one is the use of high velocity military 5.56 calibre ammunition inside a building constructed of mainly thick stone/block, concrete and marble walls at distances less than 40 meters. While Police have avidly defended their use of the M4 assault rifle and cited its military/parra military application, it’s a choice that perhaps now needs to be reappraised against other suitable alternatives for a confined close quarter’s engagement. The 60 to 70 grain projectile travelling at approximately 3,000 feet / second with its high energy output (approx 1,325 ft-lbs) was always going to have; over penetration, fragmentation and ricochet issues for those close by, whether the rounds hit the target or not. The alternative being the more traditional 9mm (or similar) weapon with its heavier 100 grain projectile travelling at closer to 1,100 feet / second (or less with heavier subsonic ammunition) and its much lower energy output approximately (383 ft-lbs). It’s still highly accurate and just as lethal in close quarters, without the high velocity and high energy output, reducing the unnecessary risks stated above at close range. I’m sure this aspect is now being more closely considered as it’s a question of, ‘fit for purpose’ over ‘one size fits all’.

A final contentious point which is worth revisiting is the use of marksman/ snipers in such circumstances. It was cited by Police that they couldn’t be used because of their unfavourable positions. While there has been some conjecture over this, it’s an option that will need to be seriously considered and addressed in the future. Snipers are one of the greatest assets a tactical commander has and possibly the best form of obtaining an immediate end to the incident. The Police marksman positions, as described, indicated that they couldn’t engage, (not that they would have been given the operational green light) because their locations restricted them due to having to fire from immediately behind a pane of glass, which would significantly effect the bullets form, stability and trajectory. Not to mention the bullet would then have to travel through a second pane of glass at the target, thereby reducing its effectiveness, accuracy and likely success. It’s a valid point, but it emphasizes the difference between being in a good Observation Position (OP) vs being in a good Firing Position (FP). If the OP and FP are both the same then that’s terrific, but that’s not always the case. Therefore the onus is on the tactical officers to have both positions covered or as the case may be, remove the glass/obstacle from immediately in front of their position. Marksman need to be taking the FP so they can effectively engage the target. (As mentioned in my previous article, a round can travel through one pane of glass close to the target and still be accurate and effective). To obtain a good FP marksman need to have exceptional urban camouflage and concealment skills, stealth and time. Good FP’s can be very difficult to achieve, particularly with media present and may require the marksman to maintain an uncomfortable position for long periods of time without relief. My views may sound biased towards the military. This is because like all families in Australia, we want reassurance that we have the absolute best available resources in the country to be able to respond to such an incident in the future, and protect the lives of our loved ones. In determining this, we need to identify at the operational and tactical level, which resources possess the very best skills. This will require government to examine the frequency and duration of time spent honing these specific skill sets, and the level at which this then enables skills to be further advanced through the benefit of application and repetition. We need to be confident that our commanders and resources are doing everything in their power to rescue the lives of the hostages, beyond having too much regard for the life of a terrorist, regardless of their perceived mental state.

Australian Security Magazine | 19

Corporate Security

What really happened? Why it’s so hard to get the truth when investigating an incident

S By Tony Campbell ASM Correspondent

omething that all incident responders need to be reminded of is that people lie. When you start to look into the root cause of a security breach, there will almost certainly be times when you ask questions of certain users, administrators and even external agents, where the answers are often intentionally not as accurate as they could be. Let’s take a look at a few of the reasons why this can happen and ways you can cut through the lies and get to the truth of the matter. Start with the Helicopter View… When the red lights start flashing and the warning claxon sounds, the incident manager sweeps in and starts gathering information about what happened, who it happened to and what’s been affected by the ‘event’. They would start by figuring out who was doing what when the problem was first detected, usually by asking simple questions like who was accessing the account that’s been compromised or finding out whether any new software (changes) had been rolled out to the affected systems. The details that the incident manager gets in these very early stages of the process are then used to

20 | Australian Security Magazine

frame and characterise the attack, which can then be used to find further clues that may lead to solving the case. This is where the problems can start. If a priority 1 incident has kicked off as a result of an administrator not doing something they should have done, or because a user has plugged in that USB thumb drive they found in the car park, their first reaction will be to lie to protect themselves. “Have you plugged anything foreign into that PC?” you say. “Ummmm, nope,” they reply, casually glancing at the door and scratching their nose. To try and coax people into telling the truth, try a different line of questioning, maybe starting with some irrefutable evidence from the systems that they won’t be able to deny. So, instead of saying, “Who’s put a dodgy USB drive in our computer system?” you could instead find out who was logged in at the time when the incident kicked off and tell them that attackers have been targeting businesses with USB disk drops, and we’re looking for that user to help in the investigation and to assist in determining how the attackers are targeting the business. This makes them feel part of the solution, thus instead of feeling guilty they feel empowered to help fix the problem and ensure others don’t end up in the

Corporate Security

Evidence requires proof that it is genuine so look for that evidence and take no ones’ word as gospel.

of incident management time before it’s called out as a red herring. Incident managers must always distinguish between first-person observations, like, “I read the log file and found…” and hearsay “Eric said he discovered … in the log file”. Don’t trust anything passed to you that might be hearsay: track down the source and check it. Spot the Difference: Observation or Hypothesis

same situation. Getting the widest possible viewpoint of the situation, taking that helicopter view, will help you look at the problem from another perspective, which in itself can help lead to the root cause. Call in a variety of subject matter experts to look at problems from different perspectives, since each of those viewpoints will yield its own special kind of intelligence for your investigation. A typical scenario might be that an administrator sees an unexpected spike of network traffic from a soon-to-be-retired server. If you know this, you can then go and grab the logs from that server and get one of your analysts to start looking for more clues. Generally, you should try and have a subject matter expert on the incident management team explore each of the viewpoints relating to the incident (network, servers, firewalls and other security systems, etc.), keeping their investigation as broad as possible at first rather than jumping down the rabbit holes they discover. Spot the Difference: Observation or Assumption The incident manager has to be able to distinguish between facts and assumptions. Assumptions are ideas or conjectures that are often stated as fact, rather than corroborated truths with proofs. If a lazy administrator says, “The attacker has clearly exploited a vulnerability in the firewall,” then by committing this to the incident management team, it becomes a fact. However, as a conjecture, this profoundly distorts the investigation, focusing team effort into the investigating the wrong vector of the attack. If you hear certain facts like that being stated by engineers and subject matter experts in certain applications or systems, dig into the proofs each time to see why they are stating this as a fact. Evidence requires proof that it is genuine so look for that evidence and take no ones’ word as gospel. Spot the Difference: Observation or Hearsay Have you heard of Chinese whispers? Most of us have at one point in our lives played the kids’ game where a sentence is whispered to the next person in a row and when the message gets to the end of the row that kid states what they thought was passed on. It’s often an extremely distorted version of what was originally said, especially as the chain gets longer and longer as more kids join in. This also happens in businesses. If a couple of engineers get together, let’s say, for example, a desktop engineer and an IPS manager, what the IPS manager tells the desktop engineer may sound like a load of nonsensical security speak. However, an incident has just kicked off across the desktop fleet and the desktop engineer repeats to the incident manager some of the misunderstood nonsense he picked up from IPS guy. This could turn an innocent false positive event he was investigating into what the desktop engineer might consider the root cause of the issues, which will invariably waste a lot

Sometimes when people are careless or untrained in certain situations, they find it hard to distinguish between what they saw and a conceptual construction of what they think they saw. In the example about the desktop engineer and the IPS guys, the desktop engineer has now taken what he thought he understood and rationally, in his mind at least, deduced that he now knows what the problem is. But that's an assumption. This can also occur when someone thinks that maybe there’s a flaw in the desktop and then proceeds as if that were true without testing their hypothesis. “So, this desktop vulnerability can be exploited by this kind of magic packet attack, which the IPS guys have already seen today, so we need to quickly patch all these right now to fix the problem.” This is, of course, a ridiculous example, but you see the importance of cutting through the assumptions, instead looking for real eyes-on observations of fact. Observation wins every time over a pseudo-expert’s hypothesis, especially as these engineering types can be so convincing. Maybe it’s a good thing to patch the desktop later anyway, but it doesn’t follow that it’s the priority you need to consider right now in the middle of managing this incident. Use a Hypothesis, Challenge it and keep Challenging it People often think in absolutes, with their perception of the facts being somewhat bounded by their own limited knowledge. Furthermore, people are often willing to accept the null hypothesis, being happy that there’s nothing there, without knowing for sure. Rejecting the null hypothesis does not prove that a specific alternate hypothesis is necessarily correct. The evidence instead is restricting the full range of reasonable hypotheses that we could use to dig further into the case. Instead, we like to come up with explanation after explanation until what’s left is just a smaller set of explanations – but that does not mean that one of them needs to be right. Scientists will tell you that they can never prove an absolute truth but that they currently, within the boundaries of what they know, have no evidence to the contrary. Conclusion Incident management is hard. But the job is often made harder by facts being skewed by conjecture, people’s unwillingness to admit when they did something stupid or when they don’t want to look like they don’t know what they are talking about. You need to find ways to cut through the hearsay, conjecture and lies if you are going to resolve an incident in a timely manner. Sometimes in cybersecurity, it’s more about the people than it is the technology.

Australian Security Magazine | 21

Corporate Security

2 T R A P

Deception detection uncovered: Truth seeking through interrogation The Role of your Body in Eliciting Truth

I By Sophie Zadeh Body Language Specialist

n part one of this article, in the previous issue of Australian Security Magazine, we looked at three nonverbal behavioural cues that can alert us to potential issues when observed in a suspect during interrogation. We looked at the meaning of the one sided shoulder shrug, the eyelid flutter and the tongue jut. You will have observed these nonverbal cues throughout life as they are relatively common, especially the one sided shoulder shrug. However, they probably didn’t register consciously, unless you were already aware of their meaning and significance. In context they can be very telling of a person’s true feelings or intentions. They are reliable indicators that can be instrumental in leading to the truth. If you read part one of this article, Identifying Nonverbal Cues, Clues to Dig Deeper, did you manage to observe any of these nonverbal cues, once you understood their meaning? Did this lead you to discover anything significant? Let me reiterate that these cues act only as red flags, indicating areas in which we may need to dig deeper and not as indicators of deception, since there is no ‘Pinocchio’s nose’ of deception; no single cue indicative of deception. How these red flags are addressed through questioning techniques and behaviour (of the investigator), is key to seeking the truth. Let’s explore the second component crucial to uncovering the truth; the role of your body in eliciting the truth. Fostering Feelings of Comfort Our own nonverbal signals have an impact on how successful we are in seeking the truth. Before looking at what we should convey with our body, let’s first consider this:

22 | Australian Security Magazine

“Astonishingly, more than 1 out of 4 people wrongfully convicted but later exonerated by DNA evidence made a false confession or incriminating statement.” — The Innocence Project That’s a staggering statistic, with most suggested reasons for this pointing towards extreme interrogation techniques and conditions. A false confession feels like an easy way out for the suspect. One that will put an end to the situational discomfort. If we also consider that most nonverbal cues associated with lying are actually indicators of stress (and not lying), it makes sense that an environment conducive to seeking the truth, is one in which conditions that could cause (additional) stress are limited. When a suspect feels more comfortable, we will see an increase in nonverbal cues that indicate stress, only at those times when their stress levels peak; potentially, but not always, when they are lying. On the other hand, if the suspect is under constant high pressure, these cues will be increased throughout the interrogation, making it harder to see the indicators that are important. So being aggressive, just doesn’t work. The discomfort of a criminal investigation is not limited to the suspect. When faced with a suspect who has (potentially) harmed others, the interrogator will, most likely, feel some kind of negative emotions stemming from the criminal act. It’s important to minimise these emotions and display body language that shows openness and trust, fostering an environment of comfort. A ‘true’ confession is more likely to be delivered to an interrogator who has built rapport with the suspect, in the same way that a salesman is more likely to get a sale from someone he has built rapport with.

Corporate Security

Fostering comfort through nonverbal behaviour: First Impression First Impressions are critical to any interaction or relationship, and can make or break the success of the desired outcome. Research shows that people form their perceptions within seconds of seeing someone, before conversation begins. Once that impression is formed it’s hard to break, due to confirmation bias; the tendency to interpret new evidence as confirmation of one's existing beliefs or theories. Therefore, if it’s a positive impression, all behaviour after that will be viewed in a positive light and vice versa. Yet most people aren’t aware of this and pay little attention to what they are communicating in those first few seconds. Understanding the importance of the first impression and paying attention to our nonverbal behaviour can be incredibly powerful, giving us the ability to form positive relationships more conducive to success. Whilst traditional perceptions, or connotations, of ‘interrogator' and ‘interrogation' may seem at odds with creating a positive impression, remember we’re trying to create feelings of comfort which are more conducive to seeking the truth. Would you be more open, honest and willing to cooperate with somebody you like, or dislike? We’re also trying to limit stress, so that nonverbal cues that indicate stress (e.g., nose touching, increased blink rate, self soothing), show up in the suspect at those times when the cognitive burden of deception gets stressful, and not throughout the duration of the interrogation. Let’s consider a few nonverbal behaviours that are essential to creating a good first impression and feelings of comfort. Show your hands Eliciting trust is crucial to forming a positive first impression and fostering comfort. To do this the interrogator must show their hands, quite literally, as our hands are our biggest trust indicators. Studies show that the first place we look, as we see someone approach, is their hands. If we can’t see them, we have trouble trusting them. Think of this from an evolutionary perspective, where a stranger approaching posed a potential threat. To establish whether the person was a friend or a foe, a quick look at the hands would indicate whether or not a weapon was being carried. Therefore to elicit trust hands must be clearly visible, not in pockets or under the table. Touch Touch is important for building relationships because when we touch our body releases Oxytocin, the hormone responsible for bonding and connection. One study found that waiters tips increased by 41% when they lightly brushed the hand or arm of their customer. Another study found that library user experience ratings increased, again with a slight brush of the hand. Whilst we all differ in our comfort levels when it comes touch, and we should be conscious that there are certainly no-go areas. The handshake happens to be an appropriate means of touch in the Western world. It’s also said to provide

the equivalent of three hours of rapport building time. It’s important to realise that the handshake isn’t universal, it’s a cultural gesture which reflects the culture or society in which we grew up. Handshake preferences differ between nations, cities and from person to person. Therefore, contrary to popular misconceptions, the handshake says nothing about a person’s confidence or power. A good handshake comprises of the following: • • • •

Straight, no twisting or turning power plays! Make eye contact Mirror the pressure you receive (show nonverbal respect) Don’t grimace if you don’t like the handshake you received, remember you’re trying to create a good impression and feelings of comfort (again, show nonverbal respect)

Smile There’s a reason that the smile is the only expression that can be seen from up to 90 metres away. The evolutionary bearing is, again, a survival mechanism; seeing somebody approach with a smile indicates friend, rather than foe. No need to smile throughout, but an initial and occasional smile at appropriate times is essential for building rapport. These nonverbal cues are the primary cues essential for creating a good first impression. They may sound obvious, yet their value is often overlooked, with many people not being aware of what they themselves convey. On establishing a good first impression, body language should remain open, with the use of open palm gestures and an open torso, avoid blocking behaviours such as arms across body. A good way to keep body language open is to get used to expressing with your hands as you talk. Using purposeful hand gestures prevents blocking behaviour, with the added benefit of keeping your hands visible (maintain trust) and engaging your audience. Research shows that we can better understand and interpret speech when listening to someone gesturing with their hands as they talk; communication on two levels. Used in the right way, nonverbal communication can give you control over how you are perceived and influence over the behaviours of others, because when someone likes and trusts you, they naturally buy into you. Added to this, a knowledge of nonverbal communication can help you to understand the true feelings of others. When you know which cues to look out for, and pay attention to where exactly they occur (they are always in direct response to a stimulus), you can identify obvious or concealed expressions that provide clues to deception and point you in the right direction of further investigation. The nonverbal cues mentioned in this article, are just some of many signals that you can look out for in others, or convey yourself. Practice identifying these cues in all interactions, so that you begin to get used to understanding their meaning. And start to pay attention to the signals that you, yourself, convey, noticing how others respond to these behaviours.

Australian Security Magazine | 23

Corporate Security

Digital technology vs national security threats

I By Josh Kennedy

t’s no secret digital technologies have changed everything. These were once just predictions of the future. Now their rapid emergence onto the market means that governments, businesses and citizens expect high speed, secure access to the Internet, 24x7 online services, and near-instant global sharing of information is the norm. It’s exactly this enthusiastic embrace of digital technologies that is not only powerfully represented in the 289 million Twitter users and nearly oneand-a-half billion Facebook accounts, but also offers a new route to exploitation by threat groups. From extremism, to foreign state espionage, cyber threats, or proliferation activities, the use of online means to recruit and task vulnerable citizens is adding an unwelcome burden on the high-pressure workload of national security agencies. This is why it is more vital than ever to stay one step ahead of security threats through a paradigm shift in the core operating model of these government agencies. Traditionally, national security agencies knew what data they needed and where to find it. Today, gaining real-time insights from a large, fragmented and ever-changing pool of data is like looking for a needle in a haystack—one that is expanding at an ever-increasing pace. Current approaches to the collection, analysis, development and use of intelligence from opensource information (including social media, websites, blogs, online news, Web fora, and similar) are quickly becoming outdated as technology evolves at break neck speed. What’s changing? Today, national security agencies’ operational advantages are at

24 | Australian Security Magazine

risk from rapid advances in technology. Further, the maturity of opponents’ technical security tradecraft, and the struggle to keep up with these advancements is omnipresent across all regions of the world. Violent extremists have operational security (OPSEC) manuals and even a 24-hour help desk to aid in the worldwide recruitment and conduct of terror, an unprecedented and frightening prospect. Following the San Bernardino attacks that left 14 people dead, it was reported that authorities had failed to detect social media posts sympathetic to violent jihad on one of the killer's accounts during the immigration screening processes. Whilst a task such as immigration screening may seem instinctive for officers in such a role, without the time or resources for deep and accurate analysis of every case that arises, the ability to use advanced analytics to integrate covertly-acquired intelligence with open-source information becomes a highly limited proposition for national security agencies. Governments are slowly but surely becoming aware of the increasing difficulty in combating digital threats, and recognise a cross-agency picture is required. The Australian Strategic Policy Institute (ASPI) has echoed this and recommended the harnessing of communication, marketing and social media experts to fight new propaganda challenges. They’re also investing AUD $21 million to build a stronger social media counter-narrative capability. But where the disruption to market is so high and the outcome of not acting can be so devastating, the call to action must go beyond recognition and awareness alone. Governments need to enhance their capability to tackle traditional threats

Corporate Security

through smart investment in digital technologies to develop rapid response to either prevent future incidents or more effectively respond to those already underway. What can be done about it? Step 1. Use digital technologies to enhance informationsharing and collaboration Public safety technology can supplement existing approaches to information-sharing and collaboration to accelerate and enhance intelligence. Advanced digital and collaborative tools enable national security agencies to preempt threats, target violent extremists, and counter-extremist narratives online. The ability to collect, analyse and develop actionable intelligence from data shared between multiple agencies significantly increases capabilities without the need for additional resources. Using digital tools to share such data can elicit a response more effortlessly, securely and effectively than by sending and receiving unstructured text requests. Matching data models, ontologies and taxonomies, as well as the auto-processing of data and use of joint analytical tools can greatly increase the speed and scope of information-sharing. Taking advantage of secure, private cloud solutions can enable national security agencies to benefit from a larger, consolidated pool of data (as appropriate under law) to identify threats or avenues of enquiry. Step 2. Seize digital transformation opportunities There is no single solution to combat existing and emerging

threats, but by using the same emerging technologies that opponents are using, national security agencies can enhance operational effectiveness. Islamic State are currently using social media to reach out virtually to promote and recruit nationally and internationally and collaborate with potential future members. With 46 per cent of social media users actively discussing news items online, it is easy to see why digital makes an attractive radicalisation platform. But this vast data pool can be exploited by national security agencies, too. Historically, no-one questioned the effective analysis of call data records; today, social media and other digital and online sources of information are being assessed as ways to affect predictive policing or intelligence activities in the future. Applying public safety technologies that make use of a wide range of content analytics (including sentiment analysis, word analysis, opinion mining and natural language processing) to open-source information can help prevent and detect threats. National security agencies operate in a digital world where vast amounts of relevant information reside in the public domain. It is not a case of whether to use any or all of a range of public safety technologiesâ&#x20AC;&#x201D;but rather how to employ them in the right way to manage the growing diversity of both threats and data. By being pro-active and innovative in their usage of data and by adopting new digital technologies government leaders can support safe and secure nations and enhance national prosperity for the benefit of all. Joshua Kennedy White is Accenture Australiaâ&#x20AC;&#x2122;s Intelligence & Homeland Security Lead.

"Itâ&#x20AC;&#x2122;s exactly this enthusiastic embrace of digital technologies that is not only powerfully represented in the 289 million Twitter users and nearly one-and-a-half billion Facebook accounts"

Australian Security Magazine | 25

Corporate Security

Worrying statistics Inaugural cyber security survey for Australia

hile it’s natural to assume large companies with large revenue streams would have the right measures in place to protect their assets, preliminary results from BDO Australia’s inaugural cyber security survey prove otherwise. In a first for the industry, BDO has teamed up with AusCERT, the Australian cyber emergency response team to conduct an in-depth industry cyber security survey – the outcome of which will help the market understand the challenges businesses and organisations face in the online world. Following some recent high-profile cyber-attacks, more and more companies are now being urged to be extra diligent with their cyber security and put the right measures in place to protect their intellectual property and assets. However, what was most astounding from the recent survey results was the number of Australian businesses that aren’t protected, with nearly 85% of companies with a gross revenue greater than $1 billion fully exposed to cyber-risk. These are worrying statistics given cyber-attacks and data breaches are a very real concern and the implications for businesses of this scale can be catastrophic. It also shows that cyber security insurance is very much still on the agenda. The good news is, protecting your business is certainly not an unmanageable process and those businesses that are prepared are the ones that will prevail should a cyber-attack ever occur. Preparedness comes in a range of forms, and when protecting assets, insurance is the logical fall back. While purchasing insurance could act as a security blanket for your board and executive, it’s imperative to determine to what extent cyber insurance is required for your business.

26 | Australian Security Magazine

With that in mind, here are six simple steps you should take to better understand your cyber risks and determine whether you need cyber insurance for your business. 1.Perform a risk assessment of your environment to understand your current cyber risks The first thing decision makers need to be clear on is identifying the company’s critical systems and data information assets and understanding who—in terms of cyber criminals or hackers—would be interested in them. You cannot be expected to understand what level of protection you need if you are not clear about which assets may be vulnerable. 2.Quantify these risks and model the potential impact this will have on your business. For instance, what is the financial impact to your business if you experience a cyberattack you can’t defend? Once you have completed the first step, you should then start to consider real implications. Ask yourself what the implications would be if the information in those systems were under the control of cyber criminals. Once you understand the implications it gives you a much clearer picture as to what the risks associated with those assets are. You then need to assess the cyber security controls for your critical assets and determine whether these are working effectively. This will highlight the risk exposure you have for those assets. Using risk modelling techniques, such as Monte Carlo simulations, you can then model and quantify the financial impact this will have on your business if not remediated.

Corporate Security

3.Evaluate risk exposures and assess whether you are comfortable with the level of risk to your business. Or, do you need to get cyber insurance to cover this? For example, are you comfortable with the financial impact to your business or do you need insurance to cover this risk? Here is the real pinch point to decide whether cyber insurance is the right thing for your business; you are now at a point where you can evaluate the risk exposure. For example, what will the costs be to respond and recover from a data breach in one of your critical systems versus remediating or implementing stronger security controls to better protect the asset and the data records? This cost-benefit analysis needs to be repeated for all those risks and assets where there is a risk exposure to understand whether implementing stronger cyber security defences outweighs the cost of insurance to cover the risk. So, once you understand the cost to remediate versus insurance costs, your key decision makers need to assess the level of risk against the investment required to manage the risk exposure. 4.Implement a security risk remediation program to address the gaps you want to address Remediating the risk exposure is highly recommended, as this will allow you to establish better defences against cyber attacks, as opposed to only getting cyber insurance. This approach will allow you to be better prepared in the long run. Some of the key activities in a remediation program should include: • Implementing stronger security controls and defences for your critical assets, e.g. applying the latest security patches, enforcing stronger passwords, and implementing web application firewalls • Implementing security monitoring to detect security incidents on your critical assets early • Establishing a cyber incident response capability to allow you to rapidly respond to, and recover from, cyber incidents • Providing targeted cyber security awareness and education to your staff.

•

limited to Australia only? Incident response and remediation costs. Does it cover the costs of getting external assistance to respond to the incident, your legal costs, or regulatory penalties or fines? All special conditions and exclusions included in the policy statement.

It is also important to look at a number of cyber attack scenarios to see how the insurance policy will respond, e.g. will the policy provide you the required cover for data breaches at your cloud provider? Will the policy provide cover for a Denial of Service attack? Will the policy provide you cover for a Ransomware attack? Looking at all the cyber-attack scenarios that will be applicable to your organisation in relation to the policy will allow you to validate that the policy and cover is appropriate for your business. 6.Implement and validate your cyber incident detection and response processes to allow you to respond to cyber incidents when they happen As a final step, it is important that you have appropriate cyber incident detection and response processes in place. This extends further than just having an incident response plan in place, but testing and rehearsing your incident response plan across the organisation. This will ensure everyone in the organisation knows there role and responsibilities in detecting and responding to a cyber incident. It is recommended that this is done at least on an annual basis or whenever a new or critical system or business is added to your environment to make sure the process is current and effective. If you’re interested in understanding more about cyber insurance and some of the trends we see in the industry, stay tuned for more survey results, which will be released soon.

5.Evaluate cyber insurance policies for those risks that you cannot remediate and select an appropriate policy to provide the cover you need For those risks that are difficult to remediate, or where you want to include additional risk management strategies, you can meet with your insurance broker or insurance provider to understand the level of cyber insurance cover you need. It is important to evaluate and conduct proper due diligence on the insurance policy to ensure it provides the cover you need. This evaluation should, as a minimum, include reviewing: • Entities covered, especially if you are a large corporate group. Does it cover only the group or all of its subsidiaries? • Types and breadth of the cover offered. Does it cover both first and third party breaches? • Cover provided. Does it provide worldwide cover or is it

Australian Security Magazine | 27

Cover Feature

Artificial Intelligence & Cybersecurity: Scaling up for the Internet of Things

T By Chris Cubbage Executive Editor

28 | Australian Security Magazine

he world may only get one chance at making IoT, the Internet of Things, actually work. No one knows where this technology is ultimately headed. Had the Internet’s originators in the early 1960’s taken a glimpse into the year 2016 and attended the NetEvents IoT and Cloud Innovation Global Summit at Saratoga’s Mountain Winery, a relatively short drive from the Stanford Research Institute (SRI) where the first Network Working Group meeting was held in 1968, I wonder how different the Internet may have been or how shocked they would be at the machine they have unleashed. We know that the Internet lacks ‘security by design’ and hence why security remains the fundamental element of how we safely enable the unfolding IoT revolution. According to Dr. Glenn Ricart of USIgnite, a not for profit organisation born from the White House Office of Science and Technology Policy and the National Science Foundation, “we are entering the time when we take the Internet away from humans and hand it over to machine controlled ‘things’.” The goal is two-fold: getting firm employees to consult you early in the process and demonstrating your willingness the find solutions to meet their goals. Coming to terms with these ugly truths is not easy. But if you accept them and manage your expectations accordingly, you will decrease your stress level and be more effective in your job. Kathryn Hume heads up Fast Forward Labs, a specialist advisory firm operating across a range of industries including insurance, publishing, finance, media, and government on data product development, technology, and culture. Kathryn opened the two-day program by walking through the work they’ve done in natural language generation and deep learning in image analysis and text summarisation. As Katheryn impressively noted – the real impact of today’s technology lies in ‘making complex data simple’ and how the focus needs to extend beyond just the hype and find true, but often hidden value. There is a long way to go.

One shining light being shone on the security dilemma though is the application of Artificial Intelligence (AI) and how it is applied to solving the security challenges of today, and hopefully tomorrow. There are between 5 to 10 startup companies being created each week in Silicon Valley, California within the domain of AI and each focusing on the almost limitless applications across every industry. Stuart McClure, founder and CEO of Cylance, has moved security applications to beyond programming and in what is hyped to be a game changer, is teaching security systems to predict, prevent and detect cyber threats. Similar somewhat to the early application of actuarial science, Cylance is applying AI in the form of pre-execution algorithms to prevent, detect and respond to malicious code and anomalous online behaviour. As McClure points out, “if it’s blocked we don’t care and if it’s not blocked we want to understand why it wasn’t blocked.” Then Cylance sets to replicate and improve, training itself to look automatically and instantaneously for features that are going to be indicative of being good, bad and in between, and using millions of signatures, features and behaviours to initiate unsupervised learning and then move to supervised learning of all known clusters of bad profiles and continue to extract features and classify between good and bad. The approach is to build security systems to achieve prevention to 99% and the 1% they can’t prevent they want to detect 99% of the 1% and then develop the response to 99% of that 1% - and so on. Sounds straight forward and as this approach is applied on a massive scale, it is understandable why Cylance has emerged as one of the most effective cyber security companies on the internet. “Without AI, we can’t possibly scale to meet the demand” McClure asserts. But even at full scale in the Internet of Things – is 0.0001% risk, or an adversary’s opportunity, enough to cause a major catastrophe? To understand how AI is being applied, anyone who has raised children or trained a dog to fetch a ball will understand the concept. Kathryn and Stuart’s opening

Cover Feature

discussion helped simplify the requirements. “An average person will need to see three cats and be told each time it’s a cat before they will recognise a fourth cat, but for AI, the computer needs 50,000 cats to start to recognise a cat. But accessing the data, CPU power and bandwidth is getting better and therefore so will AI.” When Cylance is applied to 100,000 node networks the system immediately starts detecting and then reverse engineering existing malware attacks. Most traditional systems are detecting 40% compared to 99% for Cylance and the closest competitor has only achieved 52%. So the choice appears clear. Despite my initial hesitations to the application’s market take up, Cylance is making rapid and significant inroads, with Series D funding raising around $100M, taking it to a total of $177M. Current valuation is believed to be at US$1.2B – putting Cylance into the unique ‘Unicorn’ category. The most recent announcement has been from Wedge Networks, and the newly released Wedge Advanced Malware Blocker, or WedgeAMB, the first product in the Wedge Absolute Real-time Protection (WedgeARP) series of enterprise solutions. The WedgeARP series provides fully self-contained, security platforms in the form of virtual machines that orchestrate real-time hyper-inspection engines. WedgeAMB applies Cylance’s AI technology to detect and block viruses and advanced malware, such as ransomware, at the network level, preventing them from entering enterprise networks. The combination of Wedge’s hyper-inspection with Cylance’s machine-learning engine and WedgeIQ threat analytics, WedgeAMB promises to be a break-through in malware prevention. According to the Federal Bureau of Investigation, ransomware is on the rise in 2016, with one group estimated to have been paid over US$120M in just 6 months. Ransomware-as-a-service is now also available. Advanced malware and ransomware attacks also account for millions of dollars in lost productivity and theft by cybercriminals

"Most traditional systems are detecting 40% compared to 99% for Cylance and the closest competitor has only achieved 52%. So the choice appears clear." operating on a global scale to exploit endpoint devices with increasing levels of sophistication. Unless solved, this malicious activity will put IoT at serious jeopardy of being hijacked before it begins. With millions of cyber-attacks occurring daily on networks around the world, cybersecurity seems the perfect area to apply AI. There remains just three key methods to a cyber-attack - denial of service to cause failure, execution based attacks and authentication based attacks. “AI can be applied to all three in a very meaningful and effective way”, but as McClure notes further, “you just need the data and we are a long way from automatic classification in AI”. As we come to understand where this technology will take us, the battles will continue, as the IoT revolution unfolds alongside the growing sophistication of attackers. We are yet to see where this all takes us but it will be an exciting journey nonetheless.

NetEvents 2016 opening panel discussion - Kathryn Hume, Stuart McClure and Ovum's Paul Jackson

Australian Security Magazine | 29

Cover Feature

SMART DEVICES

NETWORK CONNECTED DEVICES

INFRASTRUCTURE DEVICES

Without security the Internet of Things is doomed and could kill millions!

By Chris Cubbage Executive Editor

30 | Australian Security Magazine

re we setting up the Internet of Things to fail, and potentially with a massive and catastrophic consequences? Cybersecurity researchers Charlie Miller and Chris Valasek caused the recall of 1.4 million vehicles after hijacking the Chrysler Jeep’s digital systems over the Internet. The pair remotely hacked into the car and paralysed it on a highway whilst in traffic. They were able to disable the brakes, cause unintended acceleration and turn the vehicle’s steering wheel at any speed. Other vulnerabilities have been discovered in Tesla vehicles and more is reportedly yet to come. In late September 2016, Pharmaceutical firm Johnson & Johnson wrote to diabetic patients using one its insulin pumps advising that it was at risk of being hacked, after Jay Radcliffe, a researcher (and diabetic) with cybersecurity firm Rapid7 discovered he could access the communications between the pump and the RF frequency remote – in theory allowing a hacker to administer unauthorised injections. This follows rising concern on connected medical devices, with Kaspersky Labs revealing in February it had hacked into a hospital’s IT infrastructure and was able to access a MRI device. These selective examples in the automotive and healthcare sectors highlight the biggest focus areas in Information Technology (IT) coming together with Operational Technology (OT) and how security will remain the key to enabling or disabling the industrial tsunami unfolding in the form of the Internet of Things (IoT). When you consider the IT space, a majority of hacks are often abstract in their affect, such as lost or compromised data. But like the examples above, when you consider the type of industrial assets that you see in the OT space, they will invariably have a physical impact were they to be hacked. The impact of attacks against connected OT equipment

has the potential to impact on human safety, environmental damage and cause massive disruption in a way that we aren’t necessarily seeing on the IT side. OT security has a much different priority when you look at what we need to safeguard, as opposed to IT. According to Tom Le from GE Digital WurldTech, speaking at Structure Security in San Francisco, we can look at the entire universe of connected devices in the form of a pyramid. At the top of the pyramid is the typical end point devices that we all use, such as laptops, smart phones, with the security on these devices being ‘pretty good’, as long as the operating systems are regularly patched. In the middle of the pyramid we have the devices we may only use occasionally, such as the HVAC (heating, ventilation, air conditioning), smart lighting in the home, increasingly smart refrigerators and televisions, and connected cars. Then beneath these two layers, we have a wide array of devices that we don’t even notice but are everywhere because we tend not to interact with them, such as CCTV cameras, transport system nodes, power generation stations and manufacturing equipment. At this lower level, although we don’t see them, they will impact us should they be successfully attacked or compromised. The primary concern is that the devices at the top of the pyramid has good security but the other two areas have much less integrated security and as of today, the integrated security design reduces as you move down the pyramid. Air gapping between the operating system and the Internet has been touted as a workable solution but as Tom Le asserted, “this is potentially a myth and is certainly not the ‘holy-grail’ solution.” There have been reports that aviation Wi-Fi systems could be hacked via the entertainment Wi-Fi systems and the FBI has begun investigating these claims. Any industrial facility, be it a power plant, manufacturing

Cover Feature

facility or city management system, even if it was to ‘air-gap’ them off and say none of these assets are going to be allowed to be connected to the Internet, there will still be indirect connections. There are contractors coming in to the facility with transient assets such as their own mobile devices, laptops and a common vulnerability is a USB key, now a common attack vector. A recent highlight of this is Victoria Police are investigating malware infected USB devices being left in residential letterboxes. So even if we have assets that we don’t believe are connected to the Internet, they are very likely to remain exposed because of the indirect connectivity. Taking it one step further, the common prediction is that by 2020 we’re going to have between 20 billion to 50 billion connected devices to the Internet. Now we’re saying that even if you’re not currently connected or indirectly connected, the Internet of Things is going to seek to bring many millions of these industrial OT assets online so we can experience the benefits of innovation, efficiencies and analytic tools – but that’s a huge swing from where operators think they’re safe today to approaching the reality of the short-term future where we are going to see more and more connected assets that are being brought online. Even after 20 to 30 years of IT security, we are still trying to get it right and are still experiencing breaches on a regular basis. There is something in the news every day, every week and the breaches aren’t getting any smaller, from the Sony hacks (2011, 2014, 2016) to the Yahoo hack discovered last week, with up to 500 million accounts compromised – since as far back as 2012! We are still not getting it right. Ducks & Swans: IT Security does not apply to OT Security There are significant and fundamental differences between IT and OT assets, with the IT assets tending to have a very short life span, be it like the iPhone where every couple of years you change and get a new one. Or your laptop computer than needs software patches or even a whole new OS installed and upgraded. We’re willing to disrupt these small device operations and go through a full system reboot, patching process or a complete OS upgrade, including multiple system reboots and take the risk of experiencing annoying system bugs, yet to be fully ironed out. In stark contrast, OT assets have much greater operational life cycles, many around 15-20 years, with some traditional systems even being as long as 40 years. Likewise, the maintenance and upgrade times is not just a matter of minutes, hours or even days, sometimes it will be a four to five year process. So the concept of applying an IT security patch system or end point security applications to the OT asset infrastructure environment is very difficult to apply, if not completely irrelevant and misleading. The other critical aspect is that some of the systems in operation within our critical infrastructure, particularly for our power generation and transport systems are no longer able to be updated and a majority are obsolete. As an example, thousands of industrial facilities still operate on Windows XP hosts that are the basis of software management systems for these facilities and it has been sometime now that Windows

“...the common prediction is that by 2020 we’re going to have between 20 billion to 50 billion connected devices to the Internet." XP is even being supported. Patches are needed to be paid for out of the normal band and subject to individual commercial agreements. Some companies may choose not to pay. Many of these systems are now starting to experience malware type attacks that have been eradicated some time ago on the IT side but are being re-propagated on the OT side. And even amongst the many factories and plants that are in operation, it isn’t possible to apply many of the patches that are potentially available because the threat of system change is greater than the threat of a cyber-attack, in that any change or upgrading patch may not actually work and could bring down or compromise that critical asset or piece of critical infrastructure. So the strategy around the OT side needs to be around the containment and mitigation more so than remediation. It becomes that operational safety is of paramount importance and human safety and operational availability are the two primary missions on the industrial side. The challenge is now that it’s not just about cyber-attacks, in fact nearly 80 per cent of the issues caused in the industrial assets are misconfigurations more so than a targeted attack. Thereby the priorities that we are accustomed to on the IT side, like confidentiality, integrity and availability are completely different on the OT side. The question is not if and how the two technical disciplines of IT and OT are to be melded, the reality is when will this actually occur. These two areas continue to converge and already we have 6.5 billion to 8 billion devices connected to the Internet, and a majority of these are the higher end of the pyramid. But the fastest growing area of connecting devices will be the industrial assets. A recent study out of Princeton university, cited by Le, identified 13 per cent of imbedded devices that were directly connected to the Internet had retained the default root password, so that number was calculated to be 540,000 devices across 144 countries. The study had focused on only subsets of devices across subsets of the entire Internet’s connected devices connected today. To scale this up to the predictions of between 20 – 50 billion devices by 2020, if we remain anywhere close to 10 – 13 per cent of default accessibility to the devices then just this one vulnerability alone, let alone the wide ranging of other configurable or inherent vulnerabilities will inevitably exist. We are going to be a long way away from a safely converged IT and OT environment. In a follow-up study, it was found as much as 60 percent of Internet connected imbedded devices that had any kind of user interface were vulnerable to attack – in simple terms, sixty per cent of these devices would fail a routine penetration test. When we appreciate the scale of vulnerabilities today, then scale this up between 2 to 3 times by 2020 - 2025, we are literally setting up the Internet of Things to fail, and potentially with massive and catastrophic consequences.

Australian Security Magazine | 31

Cover Feature

National Security reforms needed before the Internet of things The half way approach putting all Australian’s at risk: Why it’s time to decide if security technology should or shouldn’t be regulated by Police and Fair Trading Departments

T By Chris Cubbage Executive Editor

32 | Australian Security Magazine

his article concerns the inadequate and unworkable legislation affecting the physical and cyber security sectors in Australia, with State based legislation being applied when a national approach is required and urgent reform needed as the convergence of physical and cyber security systems continue rapidly towards the Internet of Things. In early October, the US government formally accused Russia of hacking the Democratic party’s computer networks and said that Moscow was attempting to “interfere” with the US presidential election. The accusation marks a new escalation of tensions with Russia and came shortly after the US secretary of state, John Kerry, called for Russia to be investigated for war crimes in Syria. Then there is Ukraine. The December 2015 Ukraine power outages, referred to in the ACSC Threat Report 2016, highlight the “vulnerabilities of critical infrastructure to sophisticated adversaries. In a well planned and highly coordinated operation, an adversary successfully compromised and affected the systems supporting three power control centres, taking down 30 substations and leaving over 225,000 Ukrainians without power for several hours. The adversary also delayed restoration efforts by disabling control systems,

disrupting communications and preventing automated system recovery. These effects were the result of over six months of planning and involved a range of activities, including compromise through spear phishing, the theft of user credentials through key loggers, and data exfiltration.” In late September, security researcher Brian Krebs' site KrebsOnSecurity got knocked offline by one of the biggest DDOS attacks ever recorded, which peaked at 620 Gbps. But the most crucial distinction from a normal DDOS strike: These bots were mostly IoT devices. The majority of the estimated 145,000 devices were CCTV cameras and DVRs. Many of these were using either default passwords or easilyguessed ones ("1234," "password," "admin"). In the ACSC Threat Report 2016 a case study described how the ACSC was notified of a cyber intrusion on the corporate network of an Australian critical infrastructure owner and operator. The report informed that “CERT Australia led the ACSC’s incident response, working alongside the AFP and ASD to determine the extent of the compromise and the identity of the responsible actor. Working onsite with the victim, the AFP identified a significant amount of data had been stolen from the network, including sensitive information relating to the organisation’s

Cover Feature

physical security and layout. The ACSC’s investigation revealed the actor used legitimate credentials belonging to a staff member and a contractor of the organisation during the compromise. The actor was able to escalate their privilege to administrator level, enabling further compromise.” Physical access to information processing and storage areas and supporting infrastructure must be controlled to prevent, detect, and minimise the effects of unintended access. Buildings containing a designated data centre for example, will necessarily employ stricter access controls than those that do not. There are also minimum physical access controls, which should be practiced to govern access to all buildings in an effort to protect information resources. So it forms that any Information Security Consultant designing, auditing or reviewing a corporate information system, such as to ISO 27000 standards, is going to advise on the physical security components of that system. But by doing so these consultants are breaching their respective State Government’s Security and Related Activities Acts. These legislative breaches are occurring across the country. When this was raised during the review of the legislation in Victoria, the Victorian Police Minister responded to decline any attempt to reform the legislation yet confirmed enforcing the legislation would be

overly burdensome and police will continue to ignore the breaches. The question is why not remove security technology from attempts of legislation and focus on the intention of these laws to control the public interface between security officers, crowd controllers and bodyguards. Why are police trying to continue to regulate security technology such as CCTV, access control and intruder detection systems in a physical environment when these systems are now controlled in an IP network environment? The convergence of IP based systems is effectively complete, despite legacy systems still around. We are now seeing the emergence of security robots and artificial intelligence in security systems – is this technology subject to legislation? By 2020-2025 the Internet of Things will be too big for police (or anyone) to control or regulate from a technology perspective. Otherwise police should start requiring Information Security Consultants to get licensed, fingerprinted and audited in each of their respective state operations. Welcome to my world! So should the cyber security profession be regulated? In a the study, Tackling Cyber Crime: The Role of Private Security - A Security Research Initiative Report by Professor Martin Gill and Charlotte Howell ( June 2016) the research addressed four key areas – the current approach to managing

Australian Security Magazine | 33

“a WA Local Government engaged a Project Manager to handle a $200,000 public CCTV Surveillance project which is to be paid for by WA Police as part of the CCTV Infrastructure Fund. cyber security, the relevance of convergence between physical and cyber security, perspectives on law enforcement, and the potential role of private security in responding to cyber crime. There is now a wealth of information on the scale of cyber crime, including on the so called Dark Web, and there are a host of authorities confirming that the costs are astronomical, not least the cost of protection, that the impact can be significant, affect many, and appear to be increasing. In addition, there is evidence that the response is inadequate, and often under resourced, leaving businesses searching for the right solutions. Eric Hansleman speaking at IFSEC 2015 highlighted the current problematic position, ‘In the last year, businesses spent $70bn on cyber security. Meanwhile criminals will have made 10-20 times that amount’. The threat is international and just by way of example, the ACSC Threat Report 2015 summarised ‘the cyber threat to Australian organisations is undeniable, unrelenting and continues to grow. If an organisation is connected to the internet, it is vulnerable. The incidents in the public eye are just the tip of iceberg’. So what are our police and government regulators doing about this whilst stilling trying to regulate the physical security sector? Not much other than effectively restricting physical and cyber security professionals from cooperating and working together at a national level. To highlight continued breaches of state security legislation, most commonly around the element of security technology, a WA Local Government engaged a Project Manager to handle a $200,000 public CCTV Surveillance project which is to be paid for by WA Police as part of the CCTV Infrastructure Fund. The Fund guidelines stipulate compliance to the Security and Related Activities Act. The Project Management company does not hold a security agent or security consulting licence. In WA, the security industry is bound by a WA Police Code of Conduct formulated under the provisions of Section 94 of the Security and Related Activities (Control) Act 1996. The Code of Conduct requires to follow all the parameters to be professional, truthful, ethical and with the public interest in mind and Part 8 places the obligation on the licence holder to inform the Regulator of non-compliance with the Act. Having raised this breach with WA Police licencing, the confusing and wilfully inaccurate interpretation from the Officer in Charge read as follows: “The State CCTV Strategy has been developed following analysis of crime trends involving offences against the person, not property. I have been advised the main purpose of the Strategy is to provide a surveillance role to protect against offences against the person, to create a safer community. The future positioning of cameras is based around this goal. The Security & Related Activities Act (the Act) requires an installer to be licensed to install CCTV equipment for a security purpose.

34 | Australian Security Magazine

While a ‘security purpose’ is not individually defined in the Act, a security officer and a security consultant is defined as a person who for remuneration watches, guards or protects property, or advises on such matters. To this end, I have interpreted a security purpose as watching guarding or protecting property, not persons. Watching persons could be described as surveillance, which is not covered by the Act. The WA Police have drafted amendments to the legislation to make the Act clearer and remove such ‘loopholes’. The drafts are not expected to be introduced before parliament until well after the State election next year, and it is intended the industry will be consulted about the amendments before that occurs in any event. While the Strategy is structured toward a surveillance purpose, they recognise the knowledge and experience of the security industry and as such have included requirements for suppliers of services to be licensed, notwithstanding the surveillance purpose rather than a security purpose. As a result, I believe no offence has been committed.” This interpretation is intentionally confusing, wilfully inaccurate or otherwise shows police don’t understand the very legislation they are duty bound to enforce. Reports from ASQA earlier in the year on the security training sector confirmed that licensing was “a mess”. In Queensland last month the state government directed its interim training ombudsman to review security training following the deregistration of a security training organisation and advising 236 former students that their qualifications were no longer valid. ASQA had found the RTO was essentially handing out certificates without providing any training. The industry called for the inquiry to be extended to licensing and for the federal government also take a “serious look” at the mutual recognition law, and give states more power over licensing. The frustrating aspect to this is the Federal Government was willing to call a snap meeting of state and federal energy ministers following the South Australian statewide blackout, which prompted calls from the Coalition for a nationally consistent approach to energy security and was seen as a ‘wake up call’. Regrettably this meeting only resulted in another review but the point here is those conducting this work should have the wisdom to link energy security to public safety in the full context that ‘security’ deserves. The security sector does deserve and should continue to demand this attention and having asked for reform now for the last ten years, continuing to ignore it for the next ten will only result in the formation of other crises events and yet other ‘wake up calls’. As regional and military tensions rise along with the risk of war, Australia’s national security is interdependent and requires a holistic approach – there is no point regulating a security officer at the front door but letting an information security consultant enter without probity and vice-versa. Nor is there any point in regulating the installation of the physical intruder detection system and ignoring regulation of the network’s IDS – doing so makes the entire approach a halfhearted farce. The responsibility rests with our legislators to adopt a national approach to Australia’s security, that includes energy as well as social, physical and cyber security. Anything less is clearly inadequate and derelict of the government’s duty of care to all Australians.

Cover Feature

Scalable optics: New lanes laid for the 'Internet of Things' super-highway

S By Chris Cubbage Executive Editor

ince I can remember, the digital world has always needed, or better, wanted more bandwidth. For the Internet of Things (IoT) to scale to two to three times the current size of connected devices over the next four to five years as forecast, major leaps in bandwidth will be needed. These leaps forward are indeed being taken – and they’re big! Thanks to the NetEvents IoT and Cloud Innovation Summit held in Saratoga, in late September, I visited the only company dedicated to designing and manufacturing large scale IP photonic integrated circuits (PICs), Infinera, based in the heart of Silicon Valley’s Sunnyvale, California USA. Infinera has taken a US$300 million stake in the game, having amassed over 500 patents since 2004. “We don’t sell hardware or software - we sell networks” says David Welch, PhD, President and Founder. “This is what I’ve seen as stunning when looking back” said Welch, “in the past decade we’ve seen a 24x increase in the bandwidth in the same watt per cubic centimetre footprint. I expect that instead of holding up two of our PICs

that are doing 2.4TB, I expect in 10 years we will be doing 50TB coming out of something on the same size. In that sense, Moore’s law in optics is alive and well!” Listening to David Welch, it’s easy to succumb to the charm of a technical genius. Welch simplifies the complex down to this, “Consider you have two axis to watch in driving more bandwidth onto an element and thereby drive cost structures down. You can put more wavelengths on, which is what we do, or you can drive your electronics faster. But if you drive your electronics faster you make it harder to take advantage of less efficient modulation architectures. Right now, the subsea bandwidth is being increased by deploying more new fibres in the trans-Atlantic to trans-Pacific architecture than has been in the last several decades. So a lot of the growth has been driven by the Googles and Facebooks and Internet content providers. Typically, however, they share that bandwidth with regular service providers, so the sign on the door may be Facebook but they may only have a fraction of the fibre being deployed and the rest of the bandwidth may

Australian Security Magazine | 35

Cover Feature

“This is what I’ve seen as stunning when looking back” said Welch, “in the past decade we’ve seen a 24x increase in the bandwidth in the same watt per cubic centimetre footprint. be owned by other service providers, mainly because their business traffic is driving that demand. The space is too big and the application space for the range of customers is too vast for it to be controlled by just a few providers.” Cloudification is the biggest area of network growth and datacentre interconnect (DCI). We are in a rapid upward trend of new datacentres, with mega datacentres being built and now more metro datacentres are being driven by position applications and getting content closer to consumers – server to server (East-West) traffic – data centre to data centre (north south) traffic – need to be positioned to follow the user around the globe. Google has said their datacentre to datacentre traffic is increasing significantly and consumer traffic is also increasing. Amazon’s growth and most of their profits and business is coming from their cloud infrastructure with an incredible amount of video being uploaded. This is driving more and more demand on networks. Infinera operates across three key markets, long haul and subsea communications, being number one in North America, datacentre interconnect, being number one for ICP/ CNP (Internet Content Providers/Carrier Neutral Providers) and Metro datacentres, being number three in 100G Ports with their XTM series. Within these markets the company endeavours to build intelligent networks which are scalable, flexible and high performance, which are also faster to deploy, highly reliable and combine unified management and application-optimised design. The 5G network will be deployed in 2019/2020 and will drive 100G off a cell tower and when the edge of the network is 100G the centre of the network will be in Terabytes (TBs). Trends in the optical networking market have two basic drivers. The metro to metro datacentres, with the number of disbursed datacentres rapidly increasing in order to reduce latency in communications between humans and machines. Then the real multiplier is the machine to machine traffic, which is about 1,000x multiplier than what you will see on a screen, as seen by an individual. The amount of traffic wanting to come online with operational technology (OT) can be seen with driverless cars alone, with between 10GB – 25GB per car needing to be uploaded per hour. These trends also include distributed buildings with more and more capacity going to be leaving the building back to the network. Infinera’s senior management team were given the opportunity to brief global media, including MySecurity Media, on their announcement of the Cloud Xpress 2, a second generation purpose built DCI optical link. It became increasingly clear that Infinera is set to achieve their vision

36 | Australian Security Magazine

Cover Feature

“We have a number of customers excited about this because they’ve been buying 500GB boxes and now they’re going to be buying 1.2TB boxes with 2.5 times more capacity and half the size. It is truly a phenomenal advancement to “enable an infinite pool of intelligent bandwidth”. Optics has become a true enabler of the foreseeable future and all the growth of the Internet will ride upon optics – and the optics in the ground is insufficient. For the Internet of Things to become a reality, we need to put more in. Here comes the next generation of super highways! The new Cloud Xpress 2 delivers a 1.2 terabit per second (Tb/s) channel in only one rack unit while enabling a fibre capacity with up to 27.6 Tb/s on a single fibre pair. The Infinite Capacity Engine is powered by Infinera’s next generation FlexCoherent® Processor and the cutting-edge photonics of Infinera’s fourth-generation PIC. Cloud Xpress 2 incorporates software-activated bandwidth delivery technology that is configured to lower operational costs. In addition, the Infinite Capacity Engine supports low power consumption and security is designed in with in-flight wirespeed data encryption. Encryption is a critical requirement for network operators and Infinera was the first to deliver a compact DCI solution with built-in encryption on the Cloud Xpress. The Cloud Xpress 2 now extends the same encryption solution and scales it to a new level of capacity. Like the previous Cloud Xpress products, the Cloud Xpress 2 is designed for plug-and-play with simplified provisioning and support for data centre automation. With built-in optical amplification the Cloud Xpress can transmit 1.2 Tb/s up to 130 kilometres using a single fibre pair without

an external multiplexer or external amplifier, resulting in fewer fibres and less space. Alternative solutions will require at least six fibre pairs fed into an external multiplexer daisy chained into an external amplifier which results in more complex configuration and maintenance. Infinera continues to innovate with the Cloud Xpress 2 enables automation and scale to data centres, delivering topology auto-discovery, zero-touch provisioning support, standard application programming interfaces for programmability and streaming telemetry, and stackability with multiple chassis to be managed as a single system. By minimizing the number of components in the system and using PIC technology, Cloud Xpress 2 delivering DCI with high reliability. According to Welch, “We have a number of customers excited about this because they’ve been buying 500GB boxes and now they’re going to be buying 1.2TB boxes with 2.5 times more capacity and half the size. It is truly a phenomenal advancement in the optics and it’s the start of the advancement of that optical engine as it proliferates across all the networks. This is the biggest, fastest growing metro application on the market and its enabled by the vast majority of the market share based on photonic integration technology, which has transferred the whole concept of datacentres. Why? Because it takes 15 minutes to deploy a box, plug it in, establish the bandwidth, get the software to roll up to the interface and when you’re making a mega datacentre, that’s what you like to hear.” In early October, Infinera announced it has joined the Optical Internetworking Forum (OIF) and the Open Networking Foundation (ONF) to demonstrate multi-vendor, multi-layer software defined networking (SDN) Transport Application Programming Interface (T-API) interoperability with the Infinera Xceed Software Suite and the DTN-X Family of packet optical transport platforms. Global carrier participants hosting the interoperability testing include China Telecom, China Unicom, SK Telecom, Telefonica and Verizon.

Australian Security Magazine | 37

Cover Feature

What’s causing the cybersecurity skills gap? How the Industry is Strangling Cybersecurity Career Development

I By Steve Cottrell

38 | Australian Security Magazine

t seems that not a day goes by without another news article cropping up bemoaning the global cyber security skills shortage, but very few cut to the root of the issue. Part of the problem relates to the term ‘cyber’ and the mystique associated it. All but the security industry seems to hold a widespread view that ‘cyber’ is a new term, and the issues of computer security have only manifested within the last five years. In reality, security (or a lack thereof ) has existed for as long as we have had computers, networks and the Internet; we’ve simply rebranded what was once computer and network security to its more media friendly new name of cybersecurity. In looking at the large talent pool of information and network security specialists out there, it seems strange that there is a cybersecurity skills shortage, but the issues lies in the fact that our industry is not doing a great job in attracting, harnessing and nurturing new talent – i.e. building tomorrow’s cybersecurity workforce. Many companies don’t seem to understand how to align their security functions with the rest of the organisation. The responsibility for security often gets rotated around the business like a never-ending game of pass the parcel, in an attempt to find an executive willing to take ownership of the problem (which often is seen as the proverbial hot potato). Without wishing to get into an ideological debate relating to

the optimal reporting line for the cybersecurity function and where the CISO should sit within the executive team, the skills issue has disrupted the development and maturation of cybersecurity career paths. We see organisations attempting to align cybersecurity professionals’ careers to existing IT architecture or IT/network support disciplines (or sometimes Enterprise Risk or General Compliance), which simply doesn't work. The attributes and experience needed to develop and grow a cybersecurity career are markedly different from those required to be successful within a general technology function. Adding to the problem, pay scales are often benchmarked and aligned to existing technology careers, making ill-founded assumptions that roles such as IT architect are analogous to a security architect. If you consider this point along with the fact that many of these benchmarking exercises ignore the law of 'supply and demand', factoring in the number of suitably experienced and skilled professionals available within the market, then it’s a wonder why organisations are surprised that cybersecurity vacancies go unfilled for months, or even years, on end. Businesses are obviously in the market to make money and, ultimately, compensation packages are set at a level to keep the bottom line healthy and profitable. This is prudent

Cover Feature

"I’ve seen government departments pay as little as $120,000 for a CISO level cybersecurity professional, then they wonder why they’ve made no progress on improving their security posture two years later, with no significant gains" and makes perfect sense, but as organisations consider cyber and information security to be a generic IT discipline, this is partially contributing to the skills shortage. Step outside of the IT department into Legal, Regulatory, HR etc. and different frameworks apply, recognising the unique functions being performed and the market rates of those areas. The niche and currently scarce nature of the cybersecurity skill set needs to be recognised and salaries need to rise in line with the specialist status. This will help attract new talent to the discipline, by encouraging existing experienced IT and network professionals to cross-skill and specialise in cybersecurity, as well as encouraging highcalibre school leavers to enrol in cybersecurity courses at university (as they can see an exciting and lucrative career ahead). This point is crucial in helping address the skills shortage over the short to medium term, while ensuring that organisations attract the calibre of individuals needed to be successful in these roles. How often do you see an advertisement on a job board that reads, “High calibre Senior Cybersecurity Manager required. Must have extensive proven experience, ideally will have CISSP, CISM, BSc/ MSc. Fantastic package on offer - $120k base plus exceptional benefits” - clearly the company won't find anyone for this kind of salary, or they'll have to compromise and ultimately take the first person with some of the skills they need to deliver what should really be a role delivered only by absolutely suitable candidates. I’ve seen government departments pay as little as $120,000 for a CISO level cybersecurity professional, then they wonder why they’ve made no progress on improving their security posture two years later, with no significant gains. Looking ahead over the next few years, there are undoubtedly strategic initiatives that need to be undertaken where we begin to 'grow our own' security professionals within our organisations rather than demanding the finished product from the job seekers market. I would like to see the broader information security and cybersecurity industry (and especially the numerous professional bodies) coming together to agree a multiyear professional development curriculum, building experience in general security risk, cybersecurity operations, security architecture and risk management. All with a view to delivering a 'well rounded' security practitioner who can then ultimately specialise in different areas, as their career progresses. This works in other industries, such as medicine. Medical doctors are required to build a firm foundation of knowledge in numerous physiological disciplines, gaining a level of practical post-graduate experience before ultimately specialising in one area. This represents a different approach from the norm (and often abused) 'badge of honour' certifications prevalent within the technology and security industries today, the ones that are typically one-off

exams to be passed, sometimes backed up by a level of formally validated or self-certified demonstrable practical experience. There are now some fantastic degree and Masters’ courses being offered by universities all around the world, specialising in all aspects of cyber and information security, but they can't provide 'on the job' practical experience, which is often what’s really required to truly excel and deliver real security value and risk reduction in the real world. The two to four years following graduation are perhaps the most critical for a professional cybersecurity career, which is where our industry should be looking to nurture and develop the skillset by providing a structured modular career framework, which is recognised across the industry and around the world. Too many recent graduates become disillusioned early on, so we need to keep their motivation high by providing plenty of variety and structure whilst making it easy for them to gain the valuable business context and skills they need to carve out a successful career as a professional. Providing clear attainable short and long-term goals and the ability to switch between multiple cyber career tracks is really important. As with all ‘supply and demand’ equations, as supply increases I would expect to see a levelling or braking effect in terms of the compensation packages required to attract top cybersecurity talent, but if we add in the modular career framework, it will be simple to gauge appropriate remuneration levels with regards to experience, rewarding truly niche high-end skills as appropriate. As we all know, it is not as easy as saying ‘I need a cyber security professional’; it’s often more a case of ‘I need a cyber security professional with an operational background who understands risk in a business context’. We cannot afford to be complacent, assuming that the large number of cyber and information security university courses now available will ultimately solve the longerterm skills issue. As an example, looking at engineering (mechanical, electrical, civil etc.) graduates in the UK from the 1990s, what is the percentage of graduates that are actually ending up pursuing careers related to their degree versus moving to an industry sector which was perceived to be more lucrative with better career opportunities? I don’t know the answer to this question, but by the volume of graduates I interview with qualifications in these areas, and also by the people I meet across the broader industry qualified in these areas, I would say the percentage is likely high. Let’s not allow history to repeat itself within the cybersecurity industry. About the Author Steve is the regional Chief Information Security Officer / Security Director role at Aviva has end-to-end accountability for security risk management, incident response, compliance, and cyber security transformation across all UK & Ireland regulated businesses (Life, GI, Health, AGC, Investors).

Australian Security Magazine | 39

Women in Security

Championing for open source collaboration

H By Chris Cubbage Executive Editor

40 | Australian Security Magazine

aving been fortunate to be in California’s Silicon Valley courtesy of NetEvents Global IoT and Cloud Innovation Global Summit, I took the added opportunity to stay on for a few extra days and catch up with our June/July 2015 ‘Women in Security’ series participant, Prima Virani who was scheduled to speak at the Structure Security Conference in San Francisco. When we first me this 25 year old Security Engineer graduate at an Australian Information Security Association meeting in Perth, Western Australia, in 2014, she was just 23 years old and starting out her cybersecurity career having graduated from Murdoch University and with the aspiration to head off to San Francisco. Within just two years, Prima has not only found herself on a small security team for a major American brand in Pandora Media, a music analysis application that personalises music according to the listener’s taste, but alas we find her speaking on stage being interviewed Bob McMillan, computer technology reporter with the Wall Street Journal and fellow security engineers Nick Anderson of Facebook, Hudson Thrift of Uber and Leigh Honeywell, security lead with the collaboration tool, Slack. Open source software and security collaborations are being increasingly advocated for small to medium sized

companies that are essentially growing so fast and at such a speed that their focus is on developing their product and they primarily also have to be working on product security. As Prima elaborated, “they have to protect their infrastructure but with a small team that don’t have expertise or resources in all areas, and so there is a need for more support and this is where open source can contribute a great deal for fast developing commercial products.” This thinking is supported by the likes of Facebook’s Nick Anderson who has also seen the advantages of open source, highlighting that “with the build up of open source communities, there are bonds being built, with problems being solved and often with the common intent of improving a product so it works better for them, just as much as for you.” As Prima also asserted, “one of the biggest advantages of open source communities is giving the capability of scaling. It doesn’t come with a hefty price tag and it makes the company better prepared if the product takes off quickly.” One of the key outcomes of the Structure Security event was to highlight that there has never been a greater liberation of information and a greater variety of choice for infosec workers and this is in contrast to the traditional ‘lock it down’ and ‘restrict access’ approach. Some of the favourite open source tools being touted included OSQuery, touted as

Women in Security

'Whereas Perth and Australia may be tending to just follow the template. Perth was also very focused on just a few key industries, such as Oil and Gas, where in Silicon Valley there is a multitude of industries but a majority of them here are in the technology domain. If you threw a stone in San Francisco, 70% of people you hit would be a techie'

having a Swiss army knife capability, while others included Box and BlastAlert. Aside from the championing for open source adoption, the panel also showed that Women in Security is a little more balanced in the US than possibly Australia – we still see industry panels made up on only men. Having spent a couple of years in the USA now, Prima has found there is really a different attitude to security engineering in the US than in Australia. She points out that a lot of the companies in the US are ‘huge’ brands and super resourceful in terms of the kind of people they hire and the creativity they are prepared to try. “There is a younger workforce and the transition out of college and university into the industry is quite straight forward. Whereas Perth and Australia may be tending to just follow the template. Perth was also very focused on just a few key industries, such as Oil and Gas, where in Silicon Valley there is a multitude of industries but a majority of them here are in the technology domain. If you threw a stone in San Francisco, 70% of people you hit would be a techie.” The approach taken in the USA is likely to be different to that to the company next door and there is greater diversity in thinking and openness to different forms of thinking. Despite that, being in America you do need to be careful of group think and ‘over’ Americanisation. With Prima’s current role on a five member security team, her tasks include infrastructure security, incident management, endpoint and network security and information security program management. For a young adventurist and an average Aussie who wanted to head out and see the world, it hasn’t been that much of a challenge. “My move to the USA wasn’t so much about the job, it was more about the lifestyle and the experience as a whole. I travelled to San Francisco about six months before moving here and stayed for a week, which was enough time to fall in love with the place. When I got here I stayed in a hostel for a week and then a friend’s place before I set myself up in a studio apartment.” “After I had made up my mind that this is where I wanted to come to, it took about four months before I got a positive interview. Most of the companies weren’t even considering my resume because they didn’t understand the

visa requirements and the ‘Valley’ has enough engineers being developed that they don’t really have to be looking outside of the country, unless the company is being very particular about who they’re looking for. Despite a lot of talk about the cybersecurity skills gap, there is still limited risk being taken to employ from outside the country and how immigration and work visas can be in America. I was fortunate to get an E3 Visa for Australians living and working in the US.” Prima highlights the importance of developing a local network, having had a friend in San Francisco through whom she was able to connect with more friends and by keeping in touch, this network continued to grow and become a support and friend based network. One channel that proved most useful was ‘Meet-up.com’ which connects industry professionals and special interest groups. Prima took a focused approach, “I like to attend events that are of interest and meet people that way, rather than randomly showing up and meeting people at random.” Importantly, Prima confirms her education in Australia grounded her very well and established her with the required skills to at least 70 per cent in some areas but like any graduate, achieved only 50/50 in some other areas. “I was fortunate to have had some experience first in Perth where I laid my foundation. Had I been thrown into this pool at the outset then I may have not had the perspective as I do now, as I now have a wider perspective and it helps to a degree with a global brand like Pandora. But the relevance is subtler than a direct skill base.” Parts of San Francisco can be intimidating and took a while to get acclimatised. “The gun situation in the US still frightens me to a degree and in that sense Australia is so much better. But that aside there is so many more opportunities here outside of work in technology.” Prima has an active and expanding interest in Art, poetry and performance dancing and she is multi lingual in English, Hindi and Gujarati. Despite being young, she has taken on coordination roles, including for an industry group called ‘Ladies who Linux’. “There is a great sisterhood building here and a key mentor for me as been a fellow Aussie, Tammy, and I find my interests and work feed off each other and supports each other.” With this type of dedication, participation and skills development, we’re proud to have an opportunity to follow up on Prima’s progress and success. We hope this inspires other Australian women and cyber security professionals to get active and seek out their aspirations, be they local or overseas. The opportunities abound!

Australian Security Magazine | 41

Corporate Security

Obstinately clinging to iconic obsolescence

A By James Wootton Director, Protega Technologies Information Security Consulting www.protegatech.com

42 | Australian Security Magazine

s those around me in the Protega office will tell you, combine information security and a certain clichéd icon or photo-stock image and it’s a recipe that is guaranteed to get me to turn the rage on – The padlock! Put the words cyber and padlock together and google will churn out around 364,000 results. Everything from the purchase of padlocks to ransomware; to convincing you a solution is secure because of its presence, something a depressingly small number of us know is simply not the case! I wandered down to my local convenience store, handed over my $8 and purchased a stock brass-bodied padlock. This is one that the public clearly believe does the job because the lady behind the counter told me, it was a ‘good seller’. It looks the part. A solid brass bodied, steel shackled device, oozing safety and confidence; it says it will protect your cherished items! Except a mere 5 seconds later, with only a lock pick and no torsion bar, the lock turned out to be much as expected; all brass, no protection! But, in the same way your life is shattered the day you discover there is no Santa Claus, every competent locksmith will tell you that the vast majority of padlocks are nothing more than the illusion of security and should be treated with equal scepticism. I assert that Padlocks are therefore the worst possible analogy and pictorially, the worst possible distortion of acceptable standards for information security. Let me humour/frighten you with a physical-world analogy, where we recognised decades ago that in the ‘normal’ world, threat prevention and keeping the bad guys out requires a defence-in-depth risk mitigation strategy.

A (hopefully) appropriate combination of guards, guns, dogs, walls, gates, locks, alarms, lights, cctv monitoring and insurance(!) will be involved, dependent upon the appetite for perceived risk, versus constraints. Sorry for anyone being taught to suck eggs, but let me explain by picking a risk scenario very real to all of us. Consider the risks to your family and valuable belongings (assets) In your home. You definitely considered how to keep your family safe, right? You probably considered theft of your assets next, let’s face it, no one wants to lose their 6ct diamond necklace or 1968 ‘Bullitt’ Mustang! To a greater or lesser extent, you probably considered other threats such as Fire and Storm damage. Thinking about the counter measures that are deployed to mitigate these risks, can be an interesting exercise. Try thinking about the controls deployed in the negative, what haven’t you addressed (gap): • Locks – Chosen by Previous occupier, seemed ok when you made the risk assessment, but who has all the keys and are the locks any good? • Working Fire alarm? • Working Smoke alarms? • Secure safe for high value assets? • Secure Doors? • Secure Windows? • Secure garage door? • Adequate and appropriate Insurance? Hands up all those that considered every element of the above and felt they made an accurate assessment of each? Or, did you make a shoulder shrugging gesture whilst thinking,

Cyber Security

I assert that Padlocks are therefore the worst possible analogy and pictorially, the worst possible distortion of acceptable standards for information security. ‘good enough’? Those with their hand up, for starters, shouldn’t take things so literally, but nonetheless, well done! But wait, was your risk assessment based upon evidence, experience, assumptions or perception? Humans are really bad at calculating accurate risk assessments, which is the very reason why society attempts to legislate against stupid activities, likely to harm us or others! Our approach to risk is nevertheless usually the minimum effort and expenditure that convinces us (and our conscience) that we’ve considered the risks and we’ve made a conscious decision, albeit not necessarily having made an accurate one! So, why do we cling to broken technologies that are woefully inadequate in cyberspace?

of course, how risky you’re prepared to be; not forgetting your assessment of residual risk may be suspect! If, like the devotees of the padlock, you just want the illusion of security, then maintain status quo; it’s all good. Don’t be surprised though when your online world comes crashing down and you have no strategy to recover. More practically, investigate technologies, procedures, techniques and training that add to your defence-in-depth strategy and don’t buy into the ‘snake oil’ often peddled, especially around ‘cloud’. From an organisational standpoint, consider elements of the following, balancing bang for buck: • Policy overhaul and possibly security accreditations to focus your efforts; • User awareness training; • Sandboxing and content analysis technologies; • Much as I hate the phrase, application aware, next generation firewalls; • User and Networking behavioural analytics. And if you don’t understand how all this bolts together, it’s likely that you aren’t going to address the risks you really need to. After all, you wouldn’t perform surgery yourself, or let a general surgeon loose on your brain. Find an expert, someone that can advise you, someone that you can trust.

Just like the padlock, we probably just don’t understand how much risk we are carrying, because we didn’t want to ask the question or we didn’t know the right question to ask. Any security professional worth their salt will tell you that the typical organisation’s computing devices aren’t protected by the technologies we have become comfortable with (AV, limited endpoint protection etc.) and aren’t worth the money and time invested in them if they aren’t protecting you from the today’s crop of threats. In some organisations I’ve assessed, they have actually increased business risk by weakening their systems, turning off such things as Microsoft Windows Defender/Essentials and continuing to use their preferred third party AV solution, without understanding the consequences of doing so, or assessing if the product even works (it didn’t!) In any case, Anti-Virus doesn’t address today’s user-based ‘social engineering’ attacks and your firewall is unlikely to be designed to either. Sorry to say, vouge cloud-based solutions aren’t the panaceas of information security either. For example, moving a mail solution to Office365 will not prevent the majority of spam and barely stop the simplest of spear phishing attacks, because that isn’t what it does! Marketing are partly to blame in the mad rush to sell cloud-based systems because they’re secure (usually meaning the communications are secure, via https and even that’s debatable!) Enough rhetoric, present me with a solution already! Ah, I’m afraid the classic ‘depends’ is my oh-so-clever answer. Not because I’m basking in the glow of my own smugness, but because it depends upon the values of or sensitivity attributed to the assets you want to protect and

Australian Security Magazine | 43

Available online!

10110

55003/

Y’S NTR

AND

ENT

RNM

OVE

DIN

LEA

ATE

POR

ZIN

AGA

URIT

SEC

ed PP2

Approv

See our website for details ma

lian

sec

urity

.a www

ustr

alia

Post

000032

nal natio ar, in Inter ASIS nual Sem, USA An aheim An

d PP1

Approve

ine.

com

.au

te A Sta ISAC , Perth e rinngferenc e e in o l eng attCacks Socia

nsec

uritym

agaz

ep 20

Aug/S

RNM

OVE

DIN

LEA

.au

ov 20

s utive ch E u AZIN exec MAG ITY Why to be m CUR d E SE e e n hier ORAT ORP C c ND mu NT A THE

Oct/N

rity in Secu ment, rn Gove anberra C

of cult The ware the a

’S TRY

ne.c

URE

FEAT RISIS t LS C men SKIL le an e hum ation e h T form in in ction prote

THE

gazi

S P UP w.a WRA ww al ENT ation e, L EV N IA A C AIS nferenc e SPE Co ourn Melb ra ust

R CO

Post

N COU

ess a busin -high y strakliing ill Au Ta curity sk w How up? se keep

ption dece s of Sign $8.95

INC.

ren n child s satio cting bullie adicali art III R s – P ria Prote cyber y s m S e fro Proc is over lys para The Time Tech

GST

Time Tech

erl Cyb

1 YEAR SUBSCRIPTION

city Safe The need for ity Its and roperabil inte

reat ted a er Th Insid be elimintive c n a a o C a pr with oach appr

TO THE AUSTRALIAN SECURITY MAGAZINE

Get each print issue per year for only $88.00

A, k Q& , Quicrity and . Time u Tech ber Sec h more.. Cy muc

$8.95

INC.

GST

SUBSCRIBE TODAY... DON’T MISS AN ISSUE Yes! I wish to subscribe to the Australian Security Magazine, (1 year). ☐

AUSTRALIA

88.00

(inc GST)

1 YEAR

☐

INTERNATIONAL

158.00

(inc GST)

1 YEAR

Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag)

No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.

Go to

www.australiansecuritymagazine.com.au/subscribe and fill in our subscription form online. Dont miss an issue! Phone: +61 (8) 6465 4732 during business hours AWST (Australia Only)

44 | Australian Security Magazine

PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155

FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059

Email subscriptions@mysecurity.com.au

GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056

Within TechTime you will find the very latest information, news and products from a wide variety of security industries, ranging from cameras, computers, software and hardware.

DCS-960L Wide Eye HD 180Ë&#x161; Panoramic Camera

To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au

Latest News and Products Australian Security Magazine | 45

TechTime - latest news and products

Farpointe partners with Cypress on wireless mobile, handheld card readers Farpointe Data, announced that handheld mobile reader (WMR) systems using Farpointe reader modules are now available from Cypress Integrated Solutions. The handheld reader combines a Farpointe card reader and a wireless Cypress Suprex Reader-Extender in one portable unit so that the user can perform reads at any place versus readers in only a fixed location. As a result, the WMR can remotely verify credentials, check IDs in trucks and buses, create emergency assembly points/muster stations, verify staff attendance at training sessions and create access control points away from buildings. "We get 'oos and ahhs' with our handheld wireless mobile readers," emphasizes President Paul Ahern of Cypress Computer Systems. "They are used to reading credentials in applications where it just would not be practical to use a fixed reader. Whenever we offer one to a prospect who uses it for the first time, we always get a big smile." The handheld unit transmits card data to a Cypress WMR base unit that is connected to an access control panel from a distance of up to 150 feet (45.7 m) indoors and up to 250 feet (76.2 m) outdoors. Challenging installations are simplified with the addition of RF expanders and repeaters using the Cypress bridging architecture. Vehicle-mounted readers for employee and/or visitor logging and tracking are also available. The WMR system includes a Wiegand or serial panel interface for real-time verification. AES Encryption for secure communications is available upon request. No channel selection is

required as the units are preconfigured at the factory. A diagnostic indicator on the central unit determines the operational status. Up to eight units can operate in the same area without factory modifications. Multiple grip colors accent the WMR. "Truly versatile, the Cypress WMR is a terrific incremental addition to any wireless electronic access control system," adds Scott Lindley, President of Farpointe Data. "We would encourage any access control manufacturer, integrator or user to consider the various enhancements it brings to a security system." About Cypress Integrated Solutions Cypress Integrated Solutions is a recognized leader in the design and manufacture of electronic security products and technologies. Cypress specializes in unique and secure communication solutions for physical and logical access control. Since 1983, Cypress has been the industry leader in providing wired and wireless solutions to connect virtually any access control and security manufacturer's hardware. http://cypressintegration.com/ About Farpointe Since 2003, Farpointe Data has become the global partner of choice for premium RFID solutions. Encompassing a broad range of access control readers and credentials, these solutions include 125-kHz proximity, 13.56MHz contactless smartcard and 433-MHz long-range technologies. Electronic access

control system professionals around the world count on Farpointe's exacting designs, superior manufacturing, competitive prices and excellent performance to enhance their access control systems. www.farpointedata.com

Robots invading ASIS 2016 Easy to implement and powerful to use, Gamma 2 Robotics’ RAMSEE works with Hexagon’s safety and monitoring software to combine mobile sensor data with other static data sources into a map-based common operating picture — enhancing human capabilities while significantly reducing labor costs. “Sensor data and video feeds provided by RAMSEE are integrated into Hexagon’s safety software suite. “ RAMSEE is equipped with a wide variety of sensors that feed data on intruders, motion, heat, fire, smoke, gas, and more into the Hexagon-based command-and-control environment in real time.

46 | Australian Security Magazine

PATROL – Provide autonomous and manual patrolling, even in total darkness MONITOR – Display real-time video from four cameras, including forward-looking infrared (FLIR), 180 degree forward-facing camera, 180 degree rear-facing camera, and head-mounted PTZ camera. RESPOND – Detect and respond to alarms triggered by RAMSEE and/or other third-party sensors and systems. ANALYZE – Measure performance and recap daily activity of RAMSEE and other sensors with activity reports

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

TechTime - latest news and products

New Unifly 1.6 release which introduces new features and extended compatibility New Logbook The new Logbook on your smartphone gives you an overview of all executed flights. It displays the drone, date, take-off time and duration of the flight. Search and Validate Remote Locations With the new Search bar on Launchpad you can look up specific locations. Simply enter the location you are looking for and the app will navigate to that particular spot. It is now also possible to do the validation for a location other than your current location.

Detailed Rules Information Tapping View Rules will give you detailed information about the local rules and regulations. It also offers additional instructions and advice with regard to the local flying criteria. With Launchpad you have all the local legislation in the palm of your hand! Unfily Webinars Are you new to Unifly Pro or are you considering subscribing to our services? Then register for one of our free online training sessions and learn how to work with our application!

Extended Compatibility The Unifly Pro application is now also available for Mac users! In addition to getting the Mac version up and running, great efforts were made to get our applications compatible across all possible platforms. So as of now, our applications run on all tablets, smartphones and all operating systems including Linux. Besides on Google Chrome and Firefox Unifly Pro is now also compatible with Internet Explorer 10+ and Edge.

Australia’s Civil Aviation Safety Authority makes amendments to drone laws CASA has announced amendments to Part 101 that came into effect on 29 September 2016, reducing the cost and legal requirements for lower-risk remotely piloted aircraft (RPA) operations. Learn more about the amendments to Part 101. As part of the amendments to Part 101 that came into effect on 29 September 2016, CASA also created an excluded category of remotely piloted aircraft, allowing private landowners to carry out some commercial-like operations on their own land with: • a small RPA (2-25kg) without needing anRPA operator’s certificate (ReOC) or a remote pilot licence (RePL) • a medium RPA (25-150kg) without needing a ReOC. (You will require an RePL). Australia’s safety laws for drones, or more technically correct, remotely piloted aircraft

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

(RPA), as defined in the Civil Aviation Safety Regulations Part 101, vary for flying commercially or recreationally. From 29 September 2016, if you are flying for money, or any form of economic gain, you need to have an RPA operator’s certificate (ReOC), or if you’re flying an RPA weighing less than two kilograms, you simply need to make a notification (notify). If you are flying for recreation purposes only then the regulations are less restrictive and allow you to fly an RPA without needing to be certified, providing you follow some simple safety rules. Holders of UAV operator’s certificate

(UOC) can continue to operate as per their certificate and will only be issued a ReOC from 29 September 2016 if the certificate is varied or renewed. Full details available at https://www.casa. gov.au/aircraft/landing-page/flying-dronesaustralia

Australian Security Magazine | 47

TechTime - latest news and products

Brisbane’s premium student accommodation location secured with SALTO

The decision to study away from home is never an easy one, so a new accommodation brand Student One, has launched in Brisbane to provide a premium dedicated student living solution that allows students and parents to make that choice with confidence. As the newest entrant in the Australian student accommodation market, Student One’s new $110 million 687-bed redevelopment of the former Boeing House at 363 Adelaide St in the city, is paving the way for up to 2400 new beds to be developed over the next three years in Brisbane’s city centre. Surrounded by Universities, English Language Schools and Pathway Institutes, the 158 storey Student One on Adelaide Street residence features a mix of 55 five-bedroom share apartments, 196 studios and 108 twin bed-studios protected by a smart access control system from SALTO, as well as nonintrusive CCTV technology. Installed by local security specialists Toplock Locksmiths, the access control is fitted to student bedrooms, administration areas and student common areas. Director Mark Bowater

48 | Australian Security Magazine

says “SALTO was a great choice for this project and we’ve fitted quite a bit of kit, including 673 AElement locks and 589 Energy Saving Device’s (ESD’s) as well as controllers and wall readers located in eight strategic hotspot points. Controlled via contactless smartcards(which the students also use for cashless laundry services) the AElement locks provide a wireless standalone networked system through SALTO Virtual Network (SVN) technology. This captures individual student audits and battery status every time they badge through an offline door, with the data then downloaded at one of the hotspot points on one of the residences 3 lifts or in other common areas. The in-room ESD’s meanwhile help save a considerable amount of the room’s electricity consumption. These work when the students insert their smart ID card into the ESD and it activates the air-conditioning system in the room.” Student One CEO Tim Weston said “I had previously used SALTO technology on other student accommodation projects and was impressed with its ease of use and advanced ‘Data

on Card’ and Virtual Network operating system. With our Student One on Adelaide Street property now open we’re already at work constructing our next two locations, at 38 Wharf St and 97 Elizabeth St, which will provide an additional 1600 plus beds. We were happy to go with SALTO to provide our access control, as we knew it could grow with us as we added more sites to our portfolio in Brisbane.” Scott Fraser, SALTO General Manager Australia & New Zealand, concludes “SALTO is in use around the world in educational environments where it provides security, access control and campus management and we’re delighted to add Student One to our growing customer base. In Australia we’ve now installed thousands of our standalone electronic locks in universities, student housing, schools, research institutes, academies, kindergartens and more making it the number one choice of flexible security solution providing a secure environment for all their students and staff.”

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

Cyber TechTime - latest news and products

Palo Alto networks introduces new guide for Australian directors and officers. Palo Alto has announced the publication of “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers (Australian Edition)” to provide Australian boards, executives and officers at enterprises, government agencies and other organisations with practical, expert advice on how to best protect them from cyberattacks. Building on the success of the US Edition launched in October 2015 with the New York Stock Exchange (NYSE), the Australian Edition was written in conjunction with Australian thought leaders from the public and private sector together with Forbes. The contributing authors include: – Mike Burgess (Chief Information Security Officer – Telstra) – Rachael Falk (Cyber Security Expert) – Ben Heyes (Chief Information Security & Trust Officer – Commonwealth Bank of Australia) – Tobias Feakin (Founding Director – Australian Strategic Policy Institute) – Adrian Turner (CEO – Data61) – Maj. Gen Stephen Day (Former Head of the

– – – – –

Australian Cyber Security Centre) Jennifer Westacott (CEO – Business Council of Australia) David Irvine (Chair – Australian Cyber Security Research Institute) Cheng Lim (Partner – King & Wood Mallesons) Arno Brok (CEO – Australian Information Security Association) with the foreword by the Honourable Dan Tehan MP assisting the Prime Minister for Cyber Security.

Collecting the expertise and experience of CEOs, CISOs, lawyers, consultants and former government officials, this Guide is intended for those new to the cybersecurity topic as well as seasoned leaders in the field. It contains practical and expert advice on a range of cybersecurity issues intended to enable business leaders to start having the conversation on topics such as compliance, skills gap, incident management, prevention and response. To learn more about cybersecurity from leading experts and contributors, and to

download your own copy of the Guide, visit: http://go.paloaltonetworks.com/nextgen For more best practices, use cases and expert advice on managing cybersecurity risks, visit: www.securityroundtable.org To learn more how Palo Alto Networks helps organisations prevent successful cyberattacks with its next-generation security platform, visit: www.paloaltonetworks.com. About Palo Alto Networks Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our gamechanging security platform delivers security far superior to legacy or point products, safely enables daily business operations, and protects an organization’s most valuable assets. Find out more at www.paloaltonetworks.com.

Seagate launches new backup plus hub for all your digital needs Seagate Technology has announced its Seagate Backup Plus Hub is now available in Australia. Based on Seagate’s award-winning Backup Plus Desktop, Seagate Backup Plus Hub is the world’s first external storage hub to provide a complete solution for your digital life whilst playing as a desktop organiser too. This sleek drive boasts up to 8TB capacity and it includes two integrated USB 3.0 ports for connecting and charging your devices. For typical digital data-loving computer users, this drive provides up to 8TB capacity to better manage data rather than juggle it across multiple USBs or devices. Its intelligent two-port USB hub makes Backup Plus Hub a charging station. The integrated USB slots allow users to charge two USB-connected devices, such as phones, tablets, cameras, Fitbit, etc. at any time, even if their computer is not powered on. Users can also easily connect their devices directly to the Backup Plus Hub for data transfers and access two USB-connected devices just like if they were plugged directly into the computer. With the new Backup Plus Hub, Android and iOS

Information presented in Cyber TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

device users are able to easily backup photos and videos, and free up their mobile device memory at any time. Seagate Backup Plus Hub includes the Seagate Dashboard software with two years 200GB free Microsoft OneDrive® cloud storage so users can back up, access and share their favorite files from any device or location.

from “links.erelease.com.au” claiming to be www.seagate.com. Follow Seagate on Twitter, Facebook, LinkedIn, Spiceworks, YouTube and subscribe to our blog.

Pricing and Availability The new product is now available in Australia at leading retailers. The RRP for 4TB Backup Plus Hub is AU$229 and AU$419.00 for 8TB Backup Plus Hub. About Seagate Seagate creates space for the human experience by innovating how data is stored, shared and used. Learn more at MailScanner has detected a possible fraud attempt

Australian Security Magazine | 49

EDITOR'S REPORT REVIEW

2016 THREAT REPORT

Australian Cyber Security Centre (ACSC) Threat Report 2016 www.acsc.gov.au

n first glance this looks like a well worthwhile report and in the similar category to that of the Australian Crime and Intelligence Commission (formerly the Australian Crime Commission) reports on national and significant organised crime, illicit drug activities and fraud, but I question which doors these reports are being used as ‘door stops’ for. Like the ACSC Threat Report 2016, all these reports simply advise us that the problems are getting worse and bigger. The ACSC Threat Report mentions ‘legislation’ only once and the word ‘reform’ doesn’t appear at all. If you want to know there is a problem then just read each issue of the Australian Security Magazine (ASM) – I question why our federal government agencies are spending tax payers money on highlighting the problem but without offering any effective solution or response. This is the second Australian Cyber Security Centre (ACSC) Threat Report. It claims to contain mitigation and remediation advice to assist organisations to prevent, and respond to, cyber threats. The ACSC advises “the current hype associated with the proliferation of ‘threat

50 | Australian Security Magazine

intelligence’ can be a distraction from what really matters: the motivation to allocate effort and resources to improving your cyber security posture by implementing technical controls. If you are relying on threat intelligence to respond to threats already discovered, it is too late for you and your organisation.” This is hardly constructive advice. The ACSC is the focal point for the cyber security efforts of the Australian Signals Directorate (ASD), the Defence Intelligence Organisation (DIO), the Australian Security Intelligence Organisation (ASIO), Computer Emergency Response Team (CERT) Australia, the Australian Criminal Intelligence Commission (ACIC), and the Australian Federal Police (AFP). Note the AFP is also the ACSC’s conduit for State and Territory law enforcement. These are all federal agencies yet the State police are excluded from being mentioned. The report is also contradictory to itself. It states “a range of states now have the capability to conduct cyber attacks against Australian government and industry networks. However, in the absence of a shift in intent – which could occur relatively quickly – a cyber attack against Australian government or private networks by another state is unlikely within the next five years.” Excuse me? It goes on, “the absence of effective repercussions following past cyber attacks internationally will embolden some states to continue developing and using cyber capabilities as a coercive tool. A continued lack of international consensus on proportionate and appropriate responses to offensive cyber activity makes the threshold for response ambiguous, raising the risks of miscalculation.” Note that at the time of writing the US is planning counter cyber attacks against Russia. In contradiction to this statement, the report confirms, “Australia continues to be a target of persistent and sophisticated cyber espionage. The cyber threat to Australia is not limited by geography; adversaries with even a transitory intelligence requirement will target Australian individuals and organisations regardless of physical location. Our knowledge of adversaries who target Australia continues to grow – particularly for sophisticated adversaries that target government networks and key industry sectors. The ACSC is aware of diverse state-based adversaries attempting cyber espionage against Australian systems to satisfy strategic, operational and commercial intelligence requirements. But the number of cyber security incidents across the breadth of Australian non-government networks either detected or reported is highly likely to be a fraction of the total.” “The extent of cybercrime is a significant

concern. High levels of misreporting and underreporting make it difficult to accurately assess the prevalence and impact of cybercrime. While it is very difficult to establish an accurate figure, the actual costs of cybercrime at the systemic level include the costs of immediate responses, system remediation costs, and flow-on costs to government and support programs that assist cybercrime victims.” There is no recommendation or even discussion around the introduction of mandatory reporting. Instead there is an admission that “the ACSC’s visibility of cyber security incidents affecting industry and critical infrastructure networks is heavily reliant on voluntary self reporting. Some companies may be hesitant to report incidents to the government due to concerns the disclosure may adversely affect their reputation or create legal or commercial liabilities. For example, in some cases victim organisations have sought legal advice before reporting an incident. Many cyber security incidents across the private sector are undetected or unreported.” As discussed in detail in this edition of the ASM, the report confirmed that “despite the many benefits internet and ICT connectivity provide, administrators of critical infrastructure need to remain alert to, and protect against, adversaries seeking to interfere with networks supporting critical infrastructure. Industrial control systems (ICS) support the automation and management of physical components used in production and distribution for critical infrastructure networks, and underpin the delivery of essential services to the Australian population. The prevalence of ICS technologies in critical infrastructure – and the evolution towards greater connectivity and dependence – presents opportunities for sophisticated adversaries. For example, with adequate access, knowledge and capabilities, a sophisticated adversary could modify ICS systems to achieve a disruptive effect on critical infrastructure.” It took a catastrophic power outage event for the Federal Energy Minister Josh Frydenberg to call a snap meeting of state and federal energy ministers following the state wide blackout in South Australia, only to get as far as agreeing to an independent review to provide a blueprint for energy security. Had these Ministers read this report they would understand it isn’t just climate change bringing massive energy security storms our way – it is also the connection of these critical infrastructure systems to networks, either directly or indirectly – why do we wait for a ‘wake up’ call event instead of using reports such as these for the purpose they are intended – to instigate effective and coordinated national response and reform.

TechTime - latest news and products

Drones Robotics Automation Security Technology Information Communications

news.com

www.drasticnews.com Like us on facebook! www.facebook.com/drasticnews Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

Integrated Security Fabric delivers business continuity Fortinet’s end-to-end Security Fabric delivers: •

World-class security

•

Tightly-integrated management

•

Transparency at the granular level

•

Business continuity

Driven by industry-leading secure operating system FortiOS and powered by the thirdgeneration FortiASIC SOC3 (System-on-a-Chip) architecture, no other security vendor comes close to providing the depth and breadth of security solutions. With the lowest latency on the market and real-time security updates from the global FortiGuard Labs, Fortinet is the security solution of choice for enterprise-level data centres.

Fully-integrated Fortinet’s Security Fabric solutions work together seamlessly to provide trouble-free installation, centralised configuration and ‘single pane of glass’ management. Combined with the FortiGuard Labs’ real-time security updates, Fortinet’s Security Fabric will always be armed with the very latest threat intelligence and detection / mitigation algorithms.

Extending security to business continuity When you install Fortinet Security Fabric solutions, you are investing in business continuity. With Fortinet’s Security Fabric, nothing that happens on your network goes unnoticed. Intrusions, data leaks, DDoS attacks, system slowdowns or simply business

as usual. Fortinet gives you unprecedented visibility into your network’s performance and virtually eliminates the ‘window of vulnerability’ that can result in interruptions in service delivery.

Validated performance NSS Labs has awarded Fortinet’s Security Fabric their highest recommendation. NSS certified that Fortinet’s ATP solutions detected 100% of exploits delivered by social media and drive-by downloads. Fortinet has also received NSS Labs’ recommendations for the FortiGate data centre intrusion prevention system, FortiClient endpoint protection and FortiWeb web application firewalls, amongst others. NSS has validated Fortinet’s security effectiveness above 99%. That, combined with industry-leading performance, delivers what you need to ensure fast, secure operations and business continuity.

AT A GLANCE •

Enterprise Firewall

•

Advanced Threat Protection

•

Cloud Security

•

Application Security

•

Secure Access

•

Security Operations

FORTINET AUSTRALIA Level 8, 2-10 Loftus Street Sydney NSW 2000 TEL 02 8007 6000 anz_marketing@fortinet.com

www.fortinet.com

FORTINET SECURITY FABRIC CORE SOLUTIONS Fortinet’s Security Fabric is built around a core set of solutions, anchored by the FortiGate firewalls, that provide security from the server to the smartphone, into the cloud and everywhere in between. •

FortiGate next-generation enterprise firewalls / data centre intrusion prevention

•

FortiSandbox, FortiMail and FortiClient advanced threat protection (ATP)

•

FortiWeb web application firewalls

•

FortiAP, FortiSwitch and FortiCloud secure access solutions

•

FortiSIEM, FortiManager security operations and network optimisation

•

FortiGuard Enterprise Service Bundle real-time subscription-based security updates

FORTINET SECURITY FABRIC PERVASIVE & ADAPTIVE SECURITY FROM IoT TO THE ENTERPRISE TO CLOUD NETWORKS