BAE Systems Applied Intelligence Compilation - Australian Security Magazine 2015


Australian Security Magazine 2015

THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au

Print Post Approved PP255003/10110


Oct/Nov 2015

SKILLS CRISIS FEATURE

SPECIAL EVENT WRAP UPS AISA National Conference, Melbourne

The cult of the aware

Security in Government, Canberra

From Infosec to intelligence-based cybersecurity

Taking business security sky-high

ISACA State Conference, Perth

Apr/May 2015 Aug/Sep 2015

The human element in information protection

ASIS International Annual Seminar, Anaheim, USA

THE CounTry’s lEading govErnmEnT and CorporaTE sECuriTy magazinE | www.australiansecuritymagazine.com.au

June/July 2015

Outstanding Security Performance awards, the OSPAs

Why executives need to be much muchier


Torrentlocker malware reported to the Australian cybercrime online reporting network BAE Systems Technical Director, Dr Malcolm Shore The stratum of work in the security industry

The modern ‘Sherlock Holmes’ of the cyber world…in Silicon Valley

Security 2015 Q&A ONVIF & COMPLIANCE

PART II Counter-Terrorism Feature Radicalisation, Role of the Media & ISIS Social Media Tactics

Mobile Messaging

It’s all about Cyber Security

IMPROVED BORDER SECURITY The Holy Grail for airports

Security & Risk Management the next evolution

Securing Mumbai: Tackling terror from the seas

Introducing the Australian cybercrime online reporting network (ACORN)

Water security in an urbanising Pakistan

$8.95 INC. GST

PLUS

TechTime l Cyber-TechTime

Radicalisation Process – Part III The paralysis over Syria


TechTime l Cyber-TechTime Movers & Shakers l Quick Q&A and much more...

Managing risk with business intelligence Stemming the tide of radicalisation AISA: Mandatory breach disclosure

SMARTER SURVEILLANCE

THREATS ARE MOUNTING ACROSS THE TECHNOLOGY LANDSCAPE

INSIGHTS AND OBSTACLES

Talking trauma: Post-traumatic rehabilitation



Cyber Security

From Infosec to intelligence-based cybersecurity

Gone are the days when IT could be protected by implementing a standard set of security controls.

By Dr Malcolm Shore, BAE Systems Technical Director

The complexity of national information networks is increasing faster than our ability to understand them and, on an internet that was never designed to be secure, to defend against them. It is sobering to realise that the most prevalent standard for security controls, ISO 27002: Code of Practice for Information Security Controls, has its roots in the UK Department of Trade and Industry’s PD0003 document, developed in the early 1990s – 25 years ago and prior to the internet as we know it. This became the British Standard BS7799, then International Standard 17799, and in 2005 was renumbered to the 27000 series, with a new version being released in 2013. A key reason for the longevity of these controls has been their adoption by the audit community as the basis for auditing the security aspects of IT General Controls used to ensure protection of financial systems.

However, information security is not cyber security, and new frameworks are needed to address the unique characteristics and environments which make up cyberspace. The US National Institute of Standards and Technology in 2014 issued a framework for ensuring the cybersecurity of the critical infrastructure which provides an updated list of security categories and maps them to a range of controls from information security standards, including ISO 27000. One of the key controls in the cybersecurity framework which has no ISO equivalent is ID.RA-3: Threats, both internal and external, are identified and documented. This is a key control for understanding security risk.

With cyberspace increasingly looking like a battlefield, knowing who is attacking you, what their motives are, and how they execute their attacks is a key part of cyber situational awareness and an important input to designing an effective security regime. Sun Tzu said: “If you do not know your enemies but do know yourself, you will win one battle and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.” Ideas in the kinetic world don’t always translate into the cyber world, but the value for an organisation in knowing its own disposition and the threats which it faces is significant.

As the threats in cyberspace have grown, cyber threat intelligence has emerged as a key cybersecurity service, not only for government and critical infrastructure, but for all organisations operating in cyberspace. The value of cyber threat intelligence lies in its ability to change an organisation’s posture from being reactive, responding to attacks when it’s breached, to being proactive, where cybersecurity defenses are tuned to expect and deflect attacks. Cyber threat intelligence comes in two forms: operational and strategic.


1. Operational intelligence comes in the form of data which can be used to configure cyber-defense equipment such as intrusion detection devices to look for specific patterns or types of behavior which are characteristic of a threat. These are known as indicators of compromise. The effective use of automated operational threat intelligence feeds can also deliver timely response to rapidly evolving threats, substantially reducing the window of opportunity within which an attacker can exploit a known vulnerability. Blacklists (lists of compromised IP addresses) are also a popular form of operational threat intelligence.

2. Strategic cyber threat intelligence is defined, according to Gartner, as ‘Evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard’. However it may be defined, strategic threat intelligence translates to knowing your enemies.
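As an added illustration of how an operational feed is consumed (this is example code written for this page, not code from the article or from BAE Systems), the Python script below matches a constructed feed of indicators of compromise against constructed log lines. The feed carries the three indicator types the paragraph describes: a blacklist of IP addresses (including one CIDR range), hostnames, and a file hash. The key=value log layout, the field names and all addresses (taken from documentation ranges) are assumptions made for the example.

```python
"""Match indicators of compromise (IOCs) from an operational threat feed
against proxy, DNS and endpoint log lines.

Example code for illustration only. The feed and the log lines are
constructed; the key=value log format is an assumption, not a real
product's format."""
import ipaddress
import re

# Constructed operational feed: an IP blacklist (one host, one /24 range),
# two hostnames and one SHA-256 file hash.
FEED = {
    "ip": ["198.51.100.23", "203.0.113.0/24"],
    "domain": ["update-check.example", "cdn.example.net"],
    "sha256": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
}

# Constructed log lines (one per event) in an assumed key=value format.
LOGS = [
    "2015-10-02T09:14:07Z proxy src=10.0.0.5 dst=203.0.113.45 host=img.cdn.example.net url=/a.js",
    "2015-10-02T09:14:09Z proxy src=10.0.0.5 dst=192.0.2.10 host=www.example.org url=/",
    "2015-10-02T09:15:11Z endpoint host=WS-017 file=C:\\Users\\a\\svc.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2015-10-02T09:16:30Z dns src=10.0.0.9 query=update-check.example",
    "2015-10-02T09:17:02Z proxy src=10.0.0.7 dst=198.51.100.23 host=login.example.com url=/x",
]

KV = re.compile(r"(\w+)=(\S+)")


def compile_feed(feed):
    """Turn the raw feed into objects that are cheap to test against."""
    return {
        # ip_network handles both single addresses and CIDR ranges
        "ip": [ipaddress.ip_network(x, strict=False) for x in feed["ip"]],
        "domain": [d.lower() for d in feed["domain"]],
        "sha256": {h.lower() for h in feed["sha256"]},
    }


def domain_matches(name, indicator):
    """A hostname matches an indicator exactly or as one of its subdomains."""
    name = name.lower()
    return name == indicator or name.endswith("." + indicator)


def match_iocs(feed, log_lines):
    """Return one hit per (line, indicator) pair, in line order."""
    c = compile_feed(feed)
    hits = []
    for n, line in enumerate(log_lines, start=1):
        fields = dict(KV.findall(line))
        # Address fields are tested against every blacklisted network.
        for key in ("src", "dst"):
            if key in fields:
                try:
                    addr = ipaddress.ip_address(fields[key])
                except ValueError:
                    continue
                for net in c["ip"]:
                    if addr in net:
                        hits.append({"line": n, "type": "ip",
                                     "indicator": str(net), "value": fields[key]})
        # Hostname fields (proxy host, DNS query) are tested by suffix.
        for key in ("host", "query"):
            if key in fields:
                for d in c["domain"]:
                    if domain_matches(fields[key], d):
                        hits.append({"line": n, "type": "domain",
                                     "indicator": d, "value": fields[key]})
        # File hashes are an exact match.
        h = fields.get("sha256", "").lower()
        if h in c["sha256"]:
            hits.append({"line": n, "type": "sha256",
                         "indicator": h, "value": fields.get("file")})
    return hits


if __name__ == "__main__":
    for hit in match_iocs(FEED, LOGS):
        print(f"line {hit['line']}: {hit['type']} indicator {hit['indicator']} ({hit['value']})")
```

The first line produces two hits (a blacklisted range and a blacklisted domain), which is the usual situation when an indicator feed is rich: the same event confirms more than one indicator, and the analyst sees the indicators together rather than as separate alerts.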

The prevalence of polymorphic malware makes it difficult for operational threat intelligence to keep up with tomorrow’s malware. Strategic threat intelligence, on the other hand, will often be relevant for the life of the adversary or malware family. For example, the Snake Campaign report issued by BAE Systems in 2014 noted that despite the McAfee ShadyRAT report being published in 2011, there had been no change to the characteristics of attacks from the group.

The Snake Campaign report provides detailed threat intelligence on the malware known as Agent.BTZ and the group behind it. This malware was first discovered in 2008, with samples showing that the authors had variants known as snake, urobouros, snark, and sengoku. Recent malware samples have been found to be much more advanced variants of Agent.BTZ, though still sharing many similarities with the original. Despite spanning many years and numerous updates, the malware retains key characteristics such as the files and devices created when it executes, the way it cloaks itself, and the manner in which it injects into new processes. Similarly, the command and control infrastructure upon which the malware operates and the time-of-day at which variants have been compiled remain constant. This knowledge allows the security analyst to derive methods to detect the malware either as it arrives or when it attempts to execute.

While developing operational threat intelligence can be done by analysis of the malware, developing strategic threat intelligence requires not only malware analysis but also many sources of human and technically sourced intelligence from open and darknet sources, as well as a team of analysts who can interpret and fuse the information into intelligence. This intelligence then needs to be supported with actionable advice which is accurate and timely, and tailored to the specific intelligence requirements of the consuming organisation.

Organisations can start to understand their adversaries by mapping the adversaries’ past activities and capabilities, historical and current affiliations, their readiness and objectives, and future ambitions. This allows informed priorities to be set for cyber defense investments, and being able to attribute attacks to threat actors enables a better response in the event of an incident. Honeypots and sinkholes are two key technologies which are deployed by researchers to attract attacks and redirect malware traffic. These provide a rich source of input into threat analysis.

There are many open source feeds for operational threat intelligence, and many companies release malware and threat actor analyses. However, open source strategic threat intelligence often lags behind paid services, and real time displays, while visually appealing, provide little actionable threat intelligence.

Cyber attacks are rarely carried out without clear motivation and rarely occur as a single action, so one of the key goals of threat intelligence is to anticipate them. The use of social media feeds to predict traditional activism and cybercrime has been successful, with Nathan Kallus from the Massachusetts Institute of Technology successfully demonstrating his model for predicting national-level unrest based on Twitter feeds. Another obvious source of predictive cyber threat information is monitoring of malware spread; the use of BlackPOS was seen many months in advance of its first sighting in the United States and the subsequent attack on Target’s POS system.

The importance of threat intelligence is not lost on the United States Government. In February 2015, President Obama tasked the Director of National Intelligence to establish the Cyber Threat Intelligence Integration Centre as a national intelligence centre focused on “connecting the dots” regarding malicious foreign cyber threats, and providing all-source analysis of threats for US policymakers. Here in Australia, the establishment of the Australian Cybersecurity Centre will enable more effective threat intelligence integration by having government cybersecurity agencies and key critical infrastructure organisations co-located.

Threat intelligence is an emerging discipline both for service providers and for consumers. In a survey carried out by the Ponemon Institute, released in March 2015, 80% of companies in the survey that had suffered a material breach said threat intelligence would have helped prevent or minimise the consequences of the attack. To successfully defend against contemporary attacks requires a focus on new areas of cybersecurity, including, importantly, threat intelligence. Information security remains important, but in the age of cyberspace it is not enough on its own.



...with Dr Malcolm Shore

Technical Director, Australia, BAE Systems Applied Intelligence

As Technical Director, Australia, BAE Systems Applied Intelligence, since October 2014, Dr Malcolm Shore’s career spans 30 years, with previous notable roles as Director Infosec, GCSB; Head of Security, Telecom NZ; and Principal Security Officer, NBN Co.

How did you get into the security industry?

I started with a request from a major accounting firm to do a technical audit of a banking system, and implement a DES encryption system – way back in 1983!

How did your current position come about?

I had completed a three year tour as a CSO in the telecommunications industry, and moved to the Technical Director role to take BAE Systems Applied Intelligence to the next stage of developing its technical offerings, with a strong research driven component. This leverages both the technical and academic components of my background and allows me to contribute more directly to ensuring the cyber safety and cyber security of Australia.

What are some of the challenges you think the industry is faced with?

As it always has, technology moves faster than the associated thinking around risk and security, presenting Boards and executive teams with unprecedented opportunities for technological growth. One of the key challenges for the security industry is to maintain the confidence of business leaders whilst also protecting their interests. This is particularly the case with cloud and mobile technologies. Another key challenge is ensuring we have a workforce, properly structured and with the capacity and capabilities, to meet the needs of business.

Where do you see the industry heading?

There’s a mindset shift away from information security, as we knew it, to cyber security, and expanding from business into society as a whole with the emergence of the internet of things and autonomous technologies. We are likely to see the traditional risk and control approaches to security increasingly commoditised, and much more focus being put into understanding the motivations of our adversaries, the technical means they use to attack us, and the ways we can detect and eradicate their attacks. We’ll see a greater recognition that information is the focus of cyber security, and supporting more sophisticated data security mechanisms will be a key direction for vendors. We’ll still see security advisors and auditors, but we’ll see more focus on big data security analytics, technical inspection, and technical testing. We’ll see demands for more resilient technology and security will be a significant part of that design.

What do you do when you’re not working?

Running, reading, and teaching cyber security. When I get a chance, spending time on the orchard tending my trees. Spending time with family, and playing in a brass band with my daughter is a key delight!


AISA National Conference, Melbourne

Cyber Reveal Investigator - don’t drink from the fire hose

Adrian Blount, Sales Director, BAE Systems Applied Intelligence

Cyber Reveal Investigator is our threat intelligence and threat analytics platform, based on big data analytics with advanced threat detection rule packs (or sets of analytics) – which we can extend to insider analytics and web-based analytics. This is absolutely advanced threat detection. What we saw in the market was a gap in capability beyond the traditional detection platforms out there. A product that looks for malware and incursion and can achieve detection for the longer-running, more subtle types of attacks; circumstances where you don’t know what the malware is, where it’s coming from, or what they’re trying to do. These are the type of attacks picking off the larger organisations.

This is a highly effective tool for security operation centres and organisations with any large scale online trade and reputational risk that may be subject to complex attack. It provides wholly effective information for security analysts to quickly get across an attack. One of the differences is we’re not just learning of a new sinister IP address for example, we’re doing behavioural analytics, so it doesn’t matter where the IP address is – we are looking at the behaviours throughout an attack. We use machine learning to baseline risk ratings on connections, using the cyber kill chain to break down the analytics in our Advanced Persistent Threat (APT) pack, to look at behaviours for example such as infiltration and persistence, which might then pivot to different parts of the network to broaden the attackers’ foothold, and then perhaps beacon for command and control, and ‘phone home’ to let the malware take instructions. In each of those areas we have identified traits or behaviours that indicate the activity may be taking place so that is what our analytics is looking for.

Infiltration and iSight

Infiltration is an interesting example, which generates a list of alerts and is ranked according to set algorithms and rules. An example is a phishing hit – we can drag this into our visualisation pane and it will show a visual representation of the different pieces of information and actors around this phase of an attack. So a phishing email aimed at people in an organisation may be detected by various systems, but the Cyber Reveal Investigator provides the analyst with the necessary context around the attack to help them be more accurate in diagnosing it, reducing the time needed to work out the response component. There are additional elements, such as drive-by alerts which indicate when people within an organisation have already downloaded the executable file, as well as where the email has come from.

At the RSA Conference in the USA we announced a technology partnership with iSight Partners. This allows CyberReveal to leverage customers’ existing investment in iSight threat intelligence within CyberReveal visualisation. If iSight has identified an email address or other Indicator of Compromise (IOC), the system will pop up the piece of threat intelligence held on that email. We can also ingest other types of threat intelligence into the platform allowing the analyst to see the alert, associated threat intelligence and related alerts in one place. For example, a phishing alert, an associated ‘drive-by download’ alert and some related threat intelligence about that email all in one place. The analyst can then drill down into each of those to establish the full context, connections and behavioural activity of the attack, including which machines were involved and which users were logged into those machines.

BAE Systems obviously has a broad range of customers across many different segments of the market. We see a variety of attacks around the world and what we do is incorporate that into the threat intelligence that we gain, and into the analytics. So the analytics is more about understanding the behaviours than it is necessarily looking for a specific threat actor. All of the information we collect can be used to hone the accuracy of the analytics, and as patterns change, we update the analytics to reflect that, which is another way the customer benefits from the system.

The Big Data Approach

The platform was built in the BAE Systems Security Operations Centre and is relatively new to the broader market. As an alert comes in from a detection platform, like malware detection, antivirus, or IDS, a SIEM aggregates and correlates it, which is critically important. It’s real time, finger on the pulse, and very focused on looking for more advanced threats. But, imagine if someone has an attack against an organisation that runs over several months. It is very difficult for a SIEM to try and aggregate the disparate events and try and tie them together within a smaller window of time because it is looking at real time events. If you take a big data approach to that and run analytics over data you have collected over a long period, then keep running analytics over all the new data coming in, you are able to pull together those individual disparate pieces of information and tie them together into longer running patterns, and match that to baseline data generated from machine based learning. It is about using the data the organisation already has about the events that are happening and giving your analysts a faster way to work it out and interrogate it, in addition to other analytics that are built to detect anomalous behaviour.

There are a lot of threat intelligence vendors in the market, all providing completely valid, useful and important intelligence; who the threat actors are, what tools they’re using, where they’re coming from, who they’re attacking and when they’re doing it. All that information is generally available. The problem customers have is they are drinking from the fire hose as far as information flow. What we are doing is acknowledging all of that information, but giving customers a way to bring the information together and consume it in a way that makes sense to them and can be meaningfully applied and worked with.
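The point made above about correlation windows, namely that a months-long intrusion falls apart into unrelated single alerts when events are only tied together over a short real-time window, can be shown with a small experiment. The Python below is an added example written for this page; it is not CyberReveal's code and does not describe how that product works. It takes a constructed set of alerts for two hosts spanning three months, groups them per host into chains that fit inside a chosen window, and reports chains that progress through the kill-chain phases the interview names (infiltration, persistence, lateral movement, beaconing). The phase labels, hostnames and alert text are assumptions; the machine-learning baseline mentioned in the interview is not modelled, and a fixed minimum number of phases stands in for it.

```python
"""Long-window correlation of alerts into kill-chain progressions.

Example code for illustration only. The alerts below are constructed;
phase names and hostnames are assumptions for the example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Kill-chain phases in the order an intrusion is expected to progress.
KILL_CHAIN = ["infiltration", "persistence", "lateral_movement", "beaconing"]


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    phase: str
    detail: str


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed alerts from different detectors, covering roughly three months.
# WS-017 is a slow intrusion; WS-022 shows two alerts a minute apart and then
# nothing further.
ALERTS = [
    Alert(_t("2015-06-03 09:12"), "WS-017", "infiltration", "macro document opened from external mail"),
    Alert(_t("2015-06-10 11:40"), "WS-022", "infiltration", "drive-by download blocked by proxy"),
    Alert(_t("2015-06-10 11:41"), "WS-022", "persistence", "run key written by browser child process"),
    Alert(_t("2015-06-20 22:05"), "WS-017", "persistence", "new scheduled task created outside business hours"),
    Alert(_t("2015-07-28 03:30"), "WS-017", "lateral_movement", "admin share logons to 3 hosts in 2 minutes"),
    Alert(_t("2015-08-30 14:00"), "WS-017", "beaconing", "periodic HTTP POST to 203.0.113.45 every 600 s"),
]


def build_chains(alerts, window):
    """Group each host's alerts (time-ordered) into chains: an alert joins the
    current chain if it falls within `window` of that chain's first alert,
    otherwise it starts a new chain. A short window behaves like a real-time
    SIEM; a long window is the big-data view over retained history."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host[a.host].append(a)
    chains = []
    for items in by_host.values():
        current = [items[0]]
        for a in items[1:]:
            if a.ts - current[0].ts <= window:
                current.append(a)
            else:
                chains.append(current)
                current = [a]
        chains.append(current)
    return chains


def kill_chain_progress(chain):
    """Phases reached in kill-chain order: a phase counts only when it appears
    after an earlier phase was already seen (skipping a phase is allowed)."""
    reached, stage = [], -1
    for a in chain:
        idx = KILL_CHAIN.index(a.phase)
        if idx > stage:
            reached.append(a.phase)
            stage = idx
    return reached


def correlate(alerts, window, min_phases=3):
    """Report chains that progressed through at least `min_phases` phases."""
    findings = []
    for chain in build_chains(alerts, window):
        reached = kill_chain_progress(chain)
        if len(reached) >= min_phases:
            findings.append({
                "host": chain[0].host,
                "start": chain[0].ts,
                "end": chain[-1].ts,
                "phases": reached,
                "alerts": len(chain),
            })
    return findings


if __name__ == "__main__":
    print("24-hour window:", correlate(ALERTS, timedelta(hours=24)))
    print("120-day window:", correlate(ALERTS, timedelta(days=120)))
```

With a 24-hour window the four WS-017 alerts each sit alone in their own chain and nothing reaches three phases; with a 120-day window the same alerts form a single chain that walks the whole kill chain, while WS-022's two-alert burst stays below the threshold.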



Women in Security

‘But you are a woman’

By Kema (Johnson) Rajandran, Correspondent

To some, being in financial crime may seem like an area where you’re deskbound, staring at a computer screen and crunching numbers, but to Michelle Weatherhead, the variety couldn’t be more interesting. As BAE Systems Applied Intelligence head of financial crime ANZ, Michelle manages eight consultants and works primarily with financial institutions across the Asia Pacific. Her role takes her from Australia to Singapore, Malaysia, Indonesia, Thailand or the Philippines at any given time. She says the appeal of working with BAE Systems Applied Intelligence is the ability to work with military grade technology; cutting edge and sophisticated solutions to combat a variety of problems in security – from cyber and fraud to terrorist financing.

“We help our clients detect fraud, comply with AML legislation and combat cyber crime through data, software solutions and professional services,” Michelle says. “I really enjoy the variety of the work. One week, I am doing a presentation in Manila for one-hundred employees and the next week I am working with a client in Singapore helping them to solve a complex and high profile financial crime problem,” she says.

With an abundance of highlights to date, Michelle says she’s been very fortunate in her career so far and shares some memorable and noteworthy parts with us. “In July, BAE Systems Applied Intelligence hosted a women in cyber security and financial crime networking event. Twenty women from a variety of roles across the industry attended and it generated a lot of positive conversations.”

“As a networking evening, we placed an emphasis not on technical learning but on essential career and development skills and shared discussion. It demonstrated what the impact is of a positive mindset and the importance of networking.”

Michelle shared a very personal story at this event about working as a woman in this industry and the difficulties she encountered. “Over the past ten years, I have worked in many countries and it hasn’t always been easy being a woman in this industry.”

“Prior to working at BAE Systems Applied Intelligence, I was sent on a financial crime consulting engagement in the Middle East. When I turned up, the head of IT looked at me and said: ‘I thought you were Michael, but you are a woman!’”

“Being a little naïve, my innocent response was: ‘Yes I am Michelle and I am a woman, but I am the best consultant to write your detection rules. Do you want the best consultant to solve your fraud problem or would you like to wait for Michael?’”

“He waited for Michael, his loss of course…” Ouch.

“That was ten years ago and many things are different now, but it’s still an indication of the struggles we sometimes have in a male-dominated environment.”

She never let these moments deter her from what she enjoyed, which ultimately led to an incredible career. Working with the best and brightest in their field has been very rewarding for her; she says it’s the people that make the job. “I love meeting new people, getting to know them, helping them with issues and becoming lifelong friends. People in this industry are very practical. They get the job done and I appreciate that. It’s also very close knit – the people I met in my first job are still in this industry.”

This is one of the reasons why she says collaboration and relationships are so important. “Criminals collaborate; share what they are doing and what works on the dark web. They work together to conduct the crime, so we must do the same thing to combat it.”

She also points out that she has two mentors that she uses as a sounding board. “A mentor must have your best interests at heart. As a mentee, you must feel safe to share your heart and soul, tell them how you feel and ask for advice. If you can’t be yourself and are scared to ask questions because you’re afraid of being judged, I don’t think it’s the right fit.”

“Both of my mentors have seen me at my worst, but they believe in me and guide me. They know my strengths and weaknesses, when to push me, which is important to me.”

“It is so important to have a mentor that has your back, but also knows when to push your boundaries. My mentors encourage me to do things that I would otherwise not do and it always turns out well and feels good afterwards.”

But mentorship isn’t everything, and Michelle nominates two other key things in a company that help women climb the ranks: flexible and supportive working conditions and female role models. “Everyone needs someone to look up to, so if you can’t relate to someone in a leadership position it can be hard to encourage yourself and aspire to be one of them. Having a female role model also subconsciously affects others, as it influences their perception of women in power.”

With hopes of being a mentor herself, Michelle definitely has a wealth of work and life experience to be a good role model for others and fuel the fire of change in the industry. A wife and mother who wanted to be a clinical psychologist when she left school and ended up in IT without regret, her advice to women starting out is to think about what you’re good at and reach out to people in the industry. “Join an association and decide where your strengths lie. If you love being surrounded by people then perhaps a front line fraud investigator may be a good option. If you’re inquisitive and like delving into data then perhaps Cyber Crime Analytics is right for you.”

“Those who succeed in this industry are willing to take risks, give things a go and also know when to reach out and collaborate. Big networks rule.”



BAE Systems Applied Intelligence Feature

BAE Systems supporting Australia’s next generation of cyber security professionals

With cyber security becoming a core concern for businesses and playing an increasingly important role in the everyday lives of Australians, supporting the development of local cyber security skills is paramount. The importance of promoting Australia’s cyber security skills was highlighted in November 2014, when former Prime Minister, Tony Abbott, announced the launch of the government’s Cyber Security Review, with a key objective of the review being to ‘look for ways to better address Australia’s cyber security skills needs’. BAE Systems Applied Intelligence has been actively involved in industry working groups as part of this Review, working closely with the Australian Government to determine how we can better protect ourselves as a nation, within industry and in our homes.

In its formal submission to the Review, BAE Systems Applied Intelligence called for Government to invest in building cyber security capacity, including providing seed funding to support a cyber apprenticeship scheme as part of the National Cyber Security Strategy, arguing such a scheme would deliver much-needed capacity and lower the cost of entry to cyber security advice for SMEs and larger organisations. Increasing Australia’s cyber security skill base will also be a strong driver for substantial future economic growth: Australia can be a consumer of cyber security goods in the future digital world, or it can be a supplier. There is a substantial economic benefit to creating an environment which encourages investment in cybersecurity research and development to produce cyber products for the world, the submission argued.

Following the Victorian Government’s announcement of $4.7 million in Back to Work funding for Box Hill Institute’s Jobs Engagement Team (JET) initiative in June, and in anticipation of the release of the Cyber Security Strategy expected later this year, BAE Systems Applied Intelligence has been working with the Box Hill Institute to develop the first Australian Cybersecurity Apprenticeship Scheme program.

Malcolm Shore, Technical Director Australia, BAE Systems Applied Intelligence, said, “There is an increasingly worrying lack of cyber skills being developed in Australia and a growing dependence upon overseas sourcing of skills. Industry needs to support the development of Australia’s cyber security skills capacity.

“This cannot wait any longer – the time for talking is over. Action is needed now, and we believe the Cyber Apprenticeship scheme is one way BAE Systems Applied Intelligence can contribute to the future security, wealth, and growth of Australia.”

The Australian Cybersecurity Apprenticeship program will be launched as a pilot program in 2016 for 20 to 30 apprentices. It will have a similar structure to the successful Trailblazer scheme BAE Systems Applied Intelligence has been involved with in the United Kingdom. The apprenticeships in the program will be open to both school leavers and adults wishing to re-skill into the cyber security field.

“As with any industry, the cyber security industry needs a range of skill sets to fulfil market requirements. While there’s a requirement for investing in many years of training to deliver graduates who can then embark upon a career leading eventually to positions as senior security managers, there is a substantial foundation of technician level skills which can be achieved through a blended work/study arrangement such as the Certificate IV apprenticeship course we are developing with Box Hill Institute of TAFE.”

“Now, more than ever, Australia needs to substantially boost its cyber security capacity and capability. The best way to do this is to build a strong local cyber security skills base. BAE Systems Applied Intelligence’s partnership with Box Hill Institute will provide an important template for achieving this goal across Australia,” Dr Shore said.

The launch of the Government’s review into Australia’s cyber security standing followed comments in March last year by Australia’s Information and Communications Technology Research Centre of Excellence, NICTA, warning that Australia could miss out on the chance to build an internationally competitive cyber security industry if it doesn’t foster an agile ecosystem to create opportunities and challenging careers locally.

Supporting apprenticeships has long been a tradition for BAE Systems Applied Intelligence, where in the UK it will be taking on a record 710 apprentices this year, a number of which are being taken into the UK e-skills Cyber Security Apprenticeship Scheme. Other recommendations BAE Systems made to the Cyber Security Review around skills development in cyber security included:

1. Encourage existing academic programmes to invest in more research through establishing a Cybersecurity Research Centre, supported with an incubation scheme to move successful research into private industry;
2. Invest in research internships; and
3. Provide incentives to encourage businesses to employ and train first-job graduates.

THE NEW ERA OF FRAUD; A CYBER-ENABLED APPROACH Modern cyber attack techniques are being applied to traditional frauds, from insider trading to basic confidence tricks. And these attacks are becoming more and more sophisticated as new techniques are added to traditional fraud campaigns by criminals.


For more information visit www.baesystems.com/ai

8 | Australian Security Magazine

www.baesystems.com/ai


BAE Systems Applied Intelligence Cyber Security Feature

Protecting your company’s IP

As online threats become more ubiquitous and damaging, protecting sensitive data such as intellectual property (IP) is becoming increasingly difficult. Firming up network and system security weaknesses can go some way to protecting sensitive information, but employing data loss prevention techniques should also be considered to help protect data in the event that it is stolen or lost.

The ever-increasing list of significant breaches around the world has made companies aware they must take steps to mitigate the risks posed to their critical information assets. Intellectual property, including creative content, saleable commodities and design details, now sits on corporate risk registers, having been identified as critical to ensuring organisations maintain consumer trust and stability in today’s uncertain economic climate. Motivated groups, including suspected state-sponsored groups, industry competitors and criminals looking for financial gain, are carrying out online attacks aimed at extracting IP for their own gain or to disrupt competition. No company, regardless of size or industry, is immune.

Adrian Blount, Director Cyber Solutions ANZ at BAE Systems Applied Intelligence, said, “IP theft can result in substantial commercial losses and, in some cases, may even put lives in real danger if critical infrastructure is compromised. The secondary impacts of data loss events, such as reputational damage, legal action or regulatory intervention, can continue to manifest themselves well beyond the incident response and clean-up period.”

However, despite the risks, few organisations consistently and effectively identify and protect all of their IP. The commercial reality is that security controls cost money and companies must find the commercial balance between the cost of implementing a control and the consequences of a successful attack. Although there is no single solution to safeguarding IP, some security solutions and products are maturing and simplifying the task of tracking and controlling usage of digital assets.

Data is generally classified into three groups: data in motion (DIM), such as data being transmitted across a network or via email; data in use (DIU), such as data presented within an application; and data at rest (DAR), such as data stored in a database or file repository. While there are many examples of data loss in each of these groups, by far the most common is DIM, particularly data contained within emails. Therefore email data loss prevention (DLP), involving content filtering policies and the blocking, encrypting or flagging of emails containing suspicious or sensitive data, is a necessary ingredient of any data protection strategy.

Companies can use DLP measures to prevent and detect the use and transmission of data such as financial information, sensitive documents or intellectual property. From a compliance point of view, this can help companies comply with regulator requirements around credit card data transmission or protected health information, for example.

While trying to prevent the leakage or loss of sensitive data is important, it is a requirement of doing business that sensitive data is exchanged with business partners, customers, shareholders and a range of other entities. The use of encryption technologies to protect these data transfers can ensure that a message falling into the wrong hands doesn’t have to mean its content is exposed.

THE RETURN OF PHISHING AND MORE: WHY OLD ATTACKS ARE MAKING A COMEBACK BAE Systems is seeing a re-emergence of old fashioned security threats.


“Email encryption ensures privacy of sensitive communications, meaning you can send sensitive data to trusted parties securely. New technology allows messages to be automatically encrypted based on policy, or on demand,” added Adrian Blount.

Historically, email encryption has been cumbersome to implement, requiring complex public key networks to underpin it. This has limited its uptake due to the burden it places on end users.

“To ensure ease of use doesn’t put people off using email encryption, it is important that both senders and outside recipients don’t need unmanageable keys, add-ons or external programs; allowing recipients to read and reply through a simple and secure web-based interface overcomes this.

“It is inevitable that we will see further attacks on, and new vulnerabilities in, the defences we put in place today. However, having systems in place to protect your data and flag suspicious activity can go a long way to giving you peace of mind,” Mr Blount concluded.
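The email DLP described above (content filtering that blocks, encrypts or flags outbound mail) and the policy-based automatic encryption mentioned here come together in a gateway decision like the one below. This is an added illustration, not BAE Systems’ product code: the internal and partner domains, the classification markers, the watch terms and the sample message are all constructed for the example, and a real deployment would load them from configuration. The card-number check uses the Luhn checksum so that random digit runs such as phone numbers are not mistaken for cardholder data.

```python
"""Added example: an outbound e-mail DLP policy check (data in motion).

Policy values, domains and the sample message are constructed for this example; this is
not BAE Systems' product logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed policy for the example. A real gateway loads these from configuration.
INTERNAL_DOMAINS = {"example.com"}                     # mail staying here needs no action
PARTNER_DOMAINS = {"partner.example.net"}              # trusted parties: encrypt instead of block
IP_MARKERS = ("[CONFIDENTIAL]", "INTERNAL ONLY")       # classification labels users apply
WATCH_TERMS = ("schematic", "source code", "customer list")  # weaker signal: flag for review

# 13-19 digits, optionally separated by single spaces or dashes (the common PAN layouts).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Digit-only card numbers in `text` that pass the Luhn check."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Verdict:
    action: str                               # "allow", "flag", "encrypt" or "block"
    reasons: list[str] = field(default_factory=list)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate_outbound(recipients: list[str], subject: str, body: str) -> Verdict:
    """Decide what the gateway does with one outbound message."""
    text = f"{subject}\n{body}"
    external = [r for r in recipients if _domain(r) not in INTERNAL_DOMAINS]
    if not external:
        return Verdict("allow", ["all recipients internal"])

    pans = find_pans(text)
    if pans:
        # Cardholder data never leaves in clear text, whoever the recipient is.
        return Verdict("block", [f"{len(pans)} Luhn-valid card number(s) found"])

    upper = text.upper()
    marked = [m for m in IP_MARKERS if m in upper]
    if marked:
        reasons = ["classification marker(s): " + ", ".join(marked)]
        untrusted = [r for r in external if _domain(r) not in PARTNER_DOMAINS]
        if untrusted:
            reasons.append("untrusted recipient(s): " + ", ".join(untrusted))
            return Verdict("block", reasons)
        return Verdict("encrypt", reasons)    # trusted partner: deliver, but only encrypted

    lower = text.lower()
    terms = [t for t in WATCH_TERMS if t in lower]
    if terms:
        return Verdict("flag", ["watch term(s): " + ", ".join(terms)])  # delivered, queued for review
    return Verdict("allow", ["no sensitive content detected"])


if __name__ == "__main__":
    # Constructed sample: a marked design note going to a trusted partner.
    v = evaluate_outbound(["ops@partner.example.net"], "[CONFIDENTIAL] Q3 design notes",
                          "Draft attached. Card on file ends 4111.")
    print(v.action, v.reasons)
```

The order of the rules is the policy: regulated data (card numbers) is blocked outright, labelled IP is encrypted to trusted partners and blocked elsewhere, and weaker keyword matches only flag the message for an analyst so that ordinary business mail keeps flowing.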

SIEM RELATIONSHIP ADVICE: FOUR TIPS FOR PARTING ON GOOD TERMS WHEN THE TIME COMES Like breaking up, transitioning away from reliance on legacy technology is hard to do. But affording a dignified departure from the reliance on Security Information and Event Management (SIEM) capabilities has to be planned.


The changing threat landscape: the rise of the Zero-Day attack and how to prevent them

New data breaches are uncovered almost daily – any one of which can jeopardise your company, place your intellectual property at risk, and cause monetary and reputational damage in minutes. Cyber criminals are increasingly aggressive, well-funded and persistent, and these days, no company can ever be perfectly safe from the most determined attackers.

As the threat landscape continues to evolve, and malware detection becomes more advanced, cyber criminals are forced to create ever more sophisticated and specialised malware. As traditional signature-based anti-virus scanners evolved into signature-based and heuristic-based malware scanners, the amount of spam and viruses caught with signatures alone has reduced, but the amount of total malware has increased. In 2005, seven ‘families’ represented 70 per cent of all malware activity, and the types of viruses were mainly mass-mailing ‘worms’ with backdoor capability, including for example Nigerian email scams. In 2014, 20 ‘families’ represented 70 per cent of all malware activity; today’s malware is much more sophisticated and unique, including for example stealthy command-and-control botnet membership, credential theft, and often also some form of fraud such as bitcoin mining. And now, with 70 to 90 per cent of malware unique to any single organisation, the most difficult attacks to defend against are Zero Day attacks – attacks that are unknown or have not previously been seen and therefore cannot be recognised and blocked by their ‘signature’.

Email is the single most important entry point for malware insertion, as it is the centrepiece of business communications and is the most common egress and ingress point for information within most companies. It is also the single most important entry point for targeted attacks, spear phishing, ‘longline’ phishing, and advanced zero day exploits.

In fact, 95 per cent of cyber attacks start with an email message. ‘Phishing’ campaigns mostly target Common Vulnerabilities & Exposures (CVEs). These attacks can spread through an organisation like wildfire, with 75 per cent of attacks spreading from victim 0 to victim 1 within 24 hours, and 40 per cent of attacks hitting a second organisation in less than one hour.

The challenge

As malware evolves, traditional anti-virus software is struggling to cope. For example, sophisticated malware can now recognise when it is being ‘sandboxed’ by looking for files associated with the sandbox environment. Companies need a strategy that reduces their security exposure and protects them from reputational damage and intellectual property theft from cyber threats with fast and effective attack detection, containment, and response.

The technology solution

Companies need a strategic systems approach to protect against today’s evolving cyber threats. A systems approach requires multiple layers of technology that help protect an enterprise at every phase in the Kill Chain. These components work together as cooperative, compensating controls to interrupt attackers as they attempt to move from one phase to the next. These technologies are appropriate before an attack succeeds (pre-exploitation) and afterwards (post-exploitation).

Pre-exploitation: Interrupting the delivery phase

• Email security: Strong, redundant anti-virus and anti-spam engines, with controls to throttle high-volume senders and detect directory brute-forcing
• Web security: Inline web security filters to prevent visits to sites that are known to or likely to host malware used in attack campaigns
• Zero Day Prevention: Heuristics, analytics and sandboxing to stop targeted attacks, spear phishing, “longline” phishing, and advanced Zero Day exploits that anti-virus and anti-spam controls can’t detect.

Post-exploitation: Interrupting the command and control and actions on objectives phases

• IDS/IPS: Monitoring and analysis of complex network traffic in real-time; blocking of malicious internal traffic and sophisticated attacks that cannot be prevented with firewalls alone
• Security information and event management (SIEM): 24 x 7 monitoring of critical devices on the network by a trained security team
• Log management: Regular reviews of security logs from critical devices to understand security events across the network, detect suspicious activity and respond quickly to prevent malicious attacks
• Insider Threat prevention: Content aware policy filters to ensure that sensitive and protected information stays inside the organization - where it belongs.

A systems approach connects the dots, and those connections ensure that information gets into the hands of those who need it as quickly as possible - whether it’s a system component or a human being.
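The “Email security” control above mentions two specific checks: throttling high-volume senders and detecting directory brute-forcing (an attacker guessing mailbox names to learn which addresses exist). The following is an added example of that detection logic run over MTA log lines; it is not BAE Systems’ code. The log layout, the thresholds and every address in it are constructed for the example (documentation IP ranges and the .invalid TLD only), so a real deployment would adapt the regex to its MTA’s format and tune the thresholds to its normal traffic.

```python
"""Added example: spot directory brute-forcing and high-volume senders in inbound MTA logs.

The log format and all addresses below are constructed for this example; they are not
BAE Systems' products or a real MTA's log layout.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log layout: one line per RCPT attempt, status=ok or status=unknown-recipient.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) smtp src=(?P<src>\S+) from=(?P<sender>\S+) "
    r"rcpt=(?P<rcpt>\S+) status=(?P<status>\S+)$"
)


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict with a POSIX timestamp, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["t"] = ts.timestamp()
    return ev


def max_in_window(times: list[float], window: float) -> int:
    """Largest number of events inside any `window`-second span (two-pointer sweep over sorted times)."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def analyse(lines, window: float = 60.0, harvest_min: int = 5, volume_max: int = 20) -> dict:
    """Return sources to alert on.

    directory_harvest: >= harvest_min rejected (unknown) recipients from one source within `window`
    throttle:          more than volume_max RCPT attempts from one source within `window`
    Thresholds are example values; tune them to the site's normal traffic.
    """
    unknown = defaultdict(list)   # src -> times of unknown-recipient rejections
    total = defaultdict(list)     # src -> times of every attempt
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue              # unparseable line: skipped here, a real pipeline would count these
        total[ev["src"]].append(ev["t"])
        if ev["status"] == "unknown-recipient":
            unknown[ev["src"]].append(ev["t"])
    alerts = {"directory_harvest": [], "throttle": []}
    for src, times in unknown.items():
        if max_in_window(times, window) >= harvest_min:
            alerts["directory_harvest"].append(src)
    for src, times in total.items():
        if max_in_window(times, window) > volume_max:
            alerts["throttle"].append(src)
    return alerts


def constructed_log() -> list[str]:
    """Sample traffic, constructed for the example (documentation address ranges only)."""
    base = datetime(2015, 10, 7, 9, 15, 0, tzinfo=timezone.utc)

    def line(sec, src, sender, rcpt, status):
        ts = (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} smtp src={src} from={sender} rcpt={rcpt} status={status}"

    lines = []
    # 198.51.100.7 walks through guessed mailbox names: eight rejections in 28 seconds
    for i, name in enumerate(["aaron", "abby", "adam", "alan", "alex", "amy", "andy", "anna"]):
        lines.append(line(i * 4, "198.51.100.7", "noreply@bulk-probe.invalid",
                          f"{name}@example.com", "unknown-recipient"))
    # 203.0.113.44 delivers 25 accepted messages in 48 seconds: volume to throttle, not harvesting
    for i in range(25):
        lines.append(line(100 + i * 2, "203.0.113.44", "promo@bulk.example",
                          f"user{i}@example.com", "ok"))
    # 192.0.2.5 is ordinary partner traffic with one mistyped address
    lines.append(line(200, "192.0.2.5", "bob@partner.example.net", "alice@example.com", "ok"))
    lines.append(line(230, "192.0.2.5", "bob@partner.example.net", "alcie@example.com", "unknown-recipient"))
    return lines


if __name__ == "__main__":
    print(analyse(constructed_log()))
```

Keeping the two signals separate matters: the bulk sender is legitimate but should be rate-limited, while the harvesting source generates little volume and would never trip a simple message counter, which is why the rejection count is tracked on its own.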

The people solution

The most insecure parts of any security infrastructure are the living, breathing human beings tapping on keyboards. Intentionally or not, we all make mistakes now and then. Phishing emails can masquerade as friends, or as a popular retailer or business. Phishing emails cloak their origins by using masked URLs that only show the true URL if you hover your mouse over them. Ultimately, phishing emails are designed to induce recipients to ‘click’ and visit malicious destinations controlled by the attackers. Phishing emails are hard to stop unless recipients are vigilant. While there are numerous tip-offs a user can employ to detect a phishing scam, employees must be trained to recognise them.

PROTECT AGAINST ONLINE QUOTE MANIPULATION How can Insurers address attempted fraud and dishonest manipulation at point of quote, while minimising friction for genuine customers?

How to spot a ‘phish’

It’s not always straightforward, but there are a few steps employees can take to avoid being drawn in by a phish.

1. Looking for misspelled words and lousy grammar: Hackers are notoriously bad spellers. Some marketers are too, so it’s not always the case that a typo-laden email is a phish, but it’s a good tip-off.
2. Looking before they click: Before clicking, hover over a link to make sure it goes to the site you think it does. Often, a phishing email will spoof the URL of a well-known brand - or just camouflage a nasty IP address under that URL.
3. Only opening the familiar: If employees receive emails from people they don’t know, or offers from companies they never subscribed to, they shouldn’t open them. And if you do open them, don’t click any links.
4. Paying attention to ‘link bait’: Attackers want victims to click on their links and will exploit every human failing to get them to do it. The more strongly an email appeals to employees’ curiosity, charity, urgency, prurience or vanity, the more likely it is to be a phishing attack.
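The “look before you click” tip (and the masked-URL point in the preceding paragraph) can also be applied by a mail gateway or security awareness tool before the message reaches a person. The code below is an added example, not BAE Systems’ code: it parses the HTML body of an email, pairs each link’s visible text with its real destination, and reports links whose visible text names one site while the href goes to another, or whose target is a raw IP address. The sample message, domains and addresses are constructed for the example (documentation IP ranges and the .invalid TLD), and the “registrable domain” helper is a deliberately simple last-two-labels approximation rather than a public suffix list lookup.

```python
"""Added example: the 'hover before you click' check done programmatically for an HTML e-mail.

The sample message, domains and addresses are constructed for this example (reserved
documentation ranges and the .invalid TLD); this is not BAE Systems' code.
"""
from __future__ import annotations

import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; bare text like 'www.example.com/x' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels as a stand-in for the registrable domain (a real check uses the public suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Visible anchor text that itself looks like a URL or domain (what the reader believes they click).
_URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def suspicious_links(html: str) -> list[dict]:
    """One finding per anchor whose real target contradicts its visible text or is a raw IP."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        reasons = []
        if is_ip(real):
            reasons.append("link target is a raw IP address")
        if _URL_LIKE.match(text):
            shown = host_of(text)
            if registrable(shown) != registrable(real):
                reasons.append(f"visible text says {shown} but link goes to {real}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample e-mail body: two masked links and one honest one.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://203.0.113.10/login">verify your account</a> today.</p>
<p>Or visit <a href="https://mybank.example.login-check.invalid/">https://www.mybank.example/secure</a></p>
<p>Questions? <a href="https://www.mybank.example/help">www.mybank.example/help</a></p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Run on the sample, the first two links are reported (raw IP target; visible bank domain that does not match the real host) and the third, whose text and href agree, is not. Links with non-URL text such as “verify your account” can only be judged on their target, which is why a raw IP host is treated as its own signal.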

Protecting against zero day attacks

BAE Systems’ Zero Day Prevention leverages leading-edge statistical analysis techniques, static and dynamic analysis, machine learning and innovative exploit detection sandbox techniques that analyse unknown objects with malware engines while applying advanced techniques to detect and prevent attacks, even without signatures. It:

1. Stops sophisticated threats, including Zero Day Attacks and Advanced Persistent Threats
2. Arms CIOs and IT managers with new, comprehensive detection techniques to reduce their company’s attack surface and vulnerabilities
3. Provides protection at the time of click through real-time detect and block capabilities by rewriting URLs
4. Uses ‘in-line’ inspection and prevention techniques to stop payloads before delivery
5. Inspects all known and emerging malware contained in messages, headers, metadata, links, and all potentially malicious attachment types and returns minimal false positives
6. Provides a holistic view of incoming threats, so they can be rapidly assessed, evaluated and acted on by human analysts. If one component detects something, it alerts the other components. Putting everything under the same watchful eyes protects assets and helps a company understand the risks more acutely
7. Addresses the entire ‘kill chain’ by providing companies the support and intelligence they need, when they need it

Cyber security is no longer just about keeping the lights on – businesses need to protect their corporate IP, their reputation, and keep the trust of customers, investors and the public. By developing a partnership with their supplier and combining that with ongoing training of staff, companies can increase their understanding of the threat landscape, and where they can’t prevent each and every attack from happening, they can increase their chances of dealing quickly and effectively with an attack, thereby minimising detrimental outcomes.

Anatomy of a phishing attack

So what are the stages of a ‘phishing’ attack and how does it work?

1. Spear-phish email with link: Compromised enterprise servers are used to send the emails. This has the advantage of by-passing reputation-based spam detection filters as well as tricking the recipient with a recognisable sender domain.
2. Malware delivery: The email asks the victim to click a link. These links send the recipients to compromised websites hosting zip files containing the malware payload.
3. Malware ‘Command and Control’ (HTTPS): Once the payload is downloaded and executed, the malware communicates over HTTPS to a compromised server hosting a PHP script which provides a gateway to a custom task/log database file.
4. Victim information and tasking: The attackers access the Command and Control (C&C) server through the same gateway script. They can then retrieve logs of victims connecting back to the server, and add tasks which the malware retrieves. This can include general tasks like password stealing or taking screenshots, but also arbitrary commands and scripts to execute.
5. Document exfiltration: The attackers will then extract the documentation from its location. Often, they make use of the cloud storage service OneDrive (part of Microsoft’s Live service). The VBS script adds OneDrive as a mounted drive, moves the stolen documents there (where they are synchronised with the cloud), and then un-mounts the drive.
6. Document retrieval: Using OneDrive is beneficial as it is free and anonymous for the attacker to set up, but also unlikely to be blocked from enterprise networks and has encryption by default. Once the stolen documents are synced with OneDrive, the attackers can log in and quickly retrieve the stolen data through an anonymous internet service such as TOR.

Sanjay Samuel, General Manager APAC, BAE Systems Applied Intelligence

WHITE PAPER - THE DATA LAKE - READY TO TAKE THE PLUNGE? We live in a time of uncertainty for the traditional Enterprise Data Warehouse (EDW).


WHITE PAPER - 5 STEPS TO IMPROVED OPERATIONAL SECURITY In the modern world, for many of us working to tackle cyber crime, the goal of building effective operational security is not only to be able to identify, investigate and re-mediate cyber attacks and crimes conducted in cyber space which impact on the real world, but to prevent such attacks from occurring in the first place.


Why digital security must become a boardroom issue

Mikko Hietanen, Board Director, BAE Systems Applied Intelligence, gives his views on how to get buy-in from the company board on cyber security investment, from his perspective on the board of one of the world’s largest defence and cyber intelligence companies.

Digital attacks can threaten an organisation’s global reputation and, at its very worst, its ability to operate, making online security a key business governance issue. Business leaders who relegate security to the IT department risk significant business damage: the results of a successful attack can include financial loss, loss of Intellectual Property (IP), Privacy Act non-compliance and sabotage.

Company Boards need to recognise that a cyber attack will happen at some stage and that cyber security is a matter for the entire business. The organisation’s IT department alone is unlikely to effectively protect every digital asset of the company without executive support. A 2014 World Economic Forum and McKinsey report said cyber resilience can only be achieved with “active engagement from the senior leaders of private and public institutions.”

BAE Systems Applied Intelligence Board Director Mikko Hietanen said: “Cyber attacks are operational business risks, not just IT risks. Most boards are not made up of security experts, so it is crucial for IT and senior executives to frame the problem in terms of those business risks.”

For effective governance and accountability, businesses should implement processes to identify attacks early and then respond to these in a structured and repeatable manner, with a clear delineation of responsibility.

“Unfortunately, traditional methods of cyber security, centred on trying to block a known threat from entering the IT estate, don’t always work; companies are finding their networks and assets just aren’t protected sufficiently, and becoming frustrated with the issues that slip past their traditional defences,” Mr Hietanen said.

“Investing in cyber security is ramping up globally, but traditionally it has been somewhat of an afterthought for boards.

“Take M&A for example; if your company is thinking of acquiring another company, cyber security capability might not have traditionally been part of the due diligence process. Boards are now learning that it needs to be part of the acquisition strategy, because if a company’s IP and data have been compromised, there isn’t much value in acquiring it, is there?

“Cyber criminality used to focus mostly on the financial sector, but has widened significantly in the past few years.

“Boards that have never had to focus on cyber security are now finding themselves in sticky situations. Any company that has large swathes of data and personal information is a target. And companies with significant IP to protect, and who have managed to find efficiencies their competitors haven’t, are open to industrial espionage.

“It’s important to widen the focus to unknown threats, new threats, and on understanding unusual behavioural patterns identified in data, otherwise known as threat intelligence. Threat intelligence gives us rich information on new malware, previously unknown perpetrators, trends that are emerging and more. This can fuel our analytics and provide a better understanding of the threat environment.

“Not only companies, but also Governments, are increasingly realising that they need advanced threat detection capabilities. At the heart of these is solid and comprehensive threat intelligence. BAE Systems Applied Intelligence is a significant contributor to both the UK and US Governments, and works with a number of agencies and departments here in Australia.

“Because a company’s security is only as strong as its culture, it is up to the executive leadership to set the standards and expectations that will help the entire workforce maintain strong security measures.
To do this, companies must allocate the right resources, which can only happen when the board fully supports the need for an effective security posture. Creating a strong business case for security relies on measuring and articulating the potential return on investment (ROI) appropriately.

“Having a solid business case, and explaining ROI in terms of business impact, is necessary to achieve buy-in for critical security investments. It creates a bridge between the business and technical teams, giving them a common language and understanding.

“Once this happens and the business risks of inadequate cyber security are made clear, companies are more likely to successfully implement effective, appropriate and scalable security measures.

“This is becoming a boardroom topic, and boards are looking at cyber in a much more strategic way.

“The benefits of doing so are far-reaching, extending beyond simple operational continuity to protecting the company from financial losses, litigation, fines and more,” he said.

About the Author

Mikko Hietanen is on the board of BAE Systems Applied Intelligence, part of BAE Systems, a global defence, aerospace and security company. He is visiting Australia meeting with key clients and businesses and sharing his global expertise on combating cyber security and financial crime. BAE Systems Applied Intelligence delivers solutions which help our clients to protect and enhance their critical assets in the connected world. Leading enterprises and government departments use our solutions to protect and enhance their physical infrastructure, nations and people, mission-critical systems, valuable intellectual property, corporate information, reputation and customer relationships, and competitive advantage and financial success.


Why intelligence-led penetration testing needs to be the proactive defence in every business

As the cyber threat landscape evolves, so too does the need for more robust defences, as well as realistic, or ‘real-life’, testing of those defences. The increasing speed and variety of digital threats and defence mechanisms has led to the rise of threat intelligence as a specialism within the security field. In turn this has ushered in a new model for testing enterprise networks: intelligence-led penetration testing.

Dr Malcolm Shore, Technical Director Australia, BAE Systems Applied Intelligence, said, “Intelligence-led penetration testing delivers information that companies can use to provide meaningful insight into how vulnerable the organisation’s network is to cyber attack, as well as the likely consequences of a successful attack. As a result, this type of testing can help business leaders make the right decisions to create a proactive defence.”

“Intelligence-led penetration testing specifically mimics existing, up-to-the-minute threats, so it gives businesses a clearer picture of their risks, strengths and weaknesses. These tests involve replicating the work of sophisticated cyber criminals that threat intelligence has identified as presenting a significant risk,” Dr Shore said.

“In the cyber age, security testing should be based upon rich contextualised threat intelligence, which informs and guides how the testing should be conducted, what attack methods should be simulated and where testers should focus their resources.

“This method of testing provides a more structured and effective approach for companies to mitigate their cyber risk and understand the real effectiveness of the key technical security controls they have in place.

“Our company in the UK recently became the first company in the world to secure Bank of England approval to deliver both threat intelligence and penetration testing services to the UK financial services sector under the CBEST scheme.

“In an environment where the amount of information being stored and processed has exploded, big data is the norm, and companies are interconnected, there are more hiding places and vulnerabilities than ever before. Keeping track of and protecting against all the relevant threats is a massive undertaking that is only going to get more complex. Businesses must evolve to an intelligence-led security programme or risk being unprepared for the next wave of cyber crime,” Dr Shore said.

Public Wi-Fi networks a threat to your business’s data

Recent announcements around free and open public Wi-Fi being rolled out in towns and cities across Australia are great news for consumers, but may expose businesses and their employees to data breaches if companies don’t protect against it, says Rajiv Shah, General Manager, Australia for BAE Systems Applied Intelligence.

As it becomes more common for employees to BYOD (Bring Your Own Device) and for businesses to allow employees to use their own devices to connect to corporate networks, the associated security risks to the enterprise are also increasing. Organisations that fail to protect themselves against these risks and secure their information may be putting company data into the hands of cyber criminals.

Dr Rajiv Shah said: “When users access unencrypted networks, attackers can easily hijack the session and not only gather all sorts of sensitive information, including passwords, but also potentially inject malicious code to compromise the device.”

“This makes everything on the device vulnerable – including any corporate data. If an employee then connects a compromised device to the corporate network this can be a backdoor route to let a determined criminal mount an even wider-ranging attack,” Dr Shah said.

BAE Systems Applied Intelligence suggests three steps for businesses to protect their corporate networks:

1) Implement and enforce a strong security policy. Organisations should conduct a prioritised assessment of the risk that any mobile device, whether company owned or BYOD, represents, and develop a clear policy explaining how employees should use devices and setting out the security measures to protect information. Properly thought-through security will provide benefits to employees without unnecessarily impacting on the use of their personal devices.

2) Educate employees. Businesses must educate employees about the risks of using their own devices and prioritising convenience over security. An obvious step would be education about the risks of using open, unencrypted Wi-Fi connections. This is one part of getting employees to care about security and understanding that they have an important role to play in keeping the organisation’s cyber security risk to a minimum.

3) Implement appropriate security controls. Traditional mobile device management solutions will go some way to protecting companies, but there is much more that businesses can do. Businesses should install a multi-layered security model that includes device configuration and management, appropriate secure connection methods, on-network content filtering solutions, and ongoing monitoring of corporate networks. For example, an appropriately encrypted VPN service could be used on untrusted networks. This can be combined with a global, cloud-based security solution that can scan the content and the source and destination addresses, using specialised detection methods which block security threats and unacceptable content.

“Companies need to consider appropriate security measures to protect against cyber criminals accessing their information and networks through activities staff may think are seemingly harmless,” Dr Shah said.



PROTECTING BUSINESS AND GOVERNMENT WORLDWIDE.

• Cyber Security Solutions
• Advanced Threat Intelligence and Investigation
• Sophisticated Cyber Analytics
• Managed Security Services
• Cyber Security Consulting Services

For more information, contact us at learn@baesystems.com

baesystems.com/ai twitter.com/baesystems_ai linkedin.com/company/baesystemsai

