Cyber Risk Leaders Magazine - Issue 3, 2020 by MySecurity Marketplace

THE MAGAZINE FOR SECURITY & TECHNOLOGY PROFESSIONALS | www.cyberriskleaders.com Issue 3, 2020

Successful Business Strategies post COVID-19 Outlook for SD-WAN post COVID-19

Neurodiversity in Cybersecurity skillsets Cyberculture eats cyber strategy for breakfast

Defining the role of SASE in a connected future

Securing the Next Generation â&#x20AC;&#x201C; Blackhat Asia Highlights

Maintaining a resilient utility grid

Reverse Engineering Surveillance Capitalism

CYBER & COVID-19 Cyber security weekly highlights

PLUS NEW BOOK REVIEW

No Blind Spots

A broad portfolio of storage solutions for smart video surveillance LEARN MORE

The only product to overcome fire regulations and security requirements on a square bolt deadlock.

Self-Latching Lock Monitoring Box MSB62-333

Suitable for any door that requires dual locking: Secure Rooms Commercial offices High security buildings Critical infrastructure Airports Universities and schools Hospitals Major Utilities

The global standard in security hardware solutions www.amsaustralia.com.au

For My Security Marketplace Network:

Use promo code â&#x20AC;&#x153;563PJ3â&#x20AC;? to avail 20% discount on each registration.

2nd Annual

European Mining Convention 2020

Virtual Edition

rd D ec 2020 82thnd--3 9th Dec

EXHIBITION | CONFERENCE | NETWORKING

300+

REGISTEREDATTENDEES

www.europeanminingconvention.com

Cyber Security

S E C U R I T Y C O N S U LT A N T I N S I G H T S E R I E S

PART 1: HIGH SECURITY BUILDINGS - INSTALLATIONS, STANDARDS & FIRE CONSIDERATIONS SCEC REQUIREMENTS, GOVERNMENT INSTALLATIONS & SPECIFICATIONS

(3,62'(6: SP AEDT 129(0%(5

SUB

SCR HER IBE E

P R O U D LY B R O U G H T T O Y O U B Y

AU ST RAL I A N S E C U R I T Y M AGA Z I N E

MYS EC UR ITY M AR K ETP L ACE

The Australian Security Magazine is the countryâ&#x20AC;&#x2122;s leading government and corporate security news source with provoking editorial and up-to-date news, trends and events for all security professionals.

MySecurity Marketplace, powered by MySecurity Media, is a dedicated marketplace connecting industry and enterprise professionals to the latest events, education, technology and media platforms across a global security domain.

S E C U R I T Y C O N S U LT A N T I N S I G H T S E R I E S DR KEVIN FOSTER

DR DAVID BROOKS

Engineers Australia Representative on Standards Australia Committee MB-025 Societal Security and Resilience. Joint Drafting Leader, Standards Australia Handbook 188 - Physical Protective Security Treatment for Buildings Chairman, ASIS International (WA).

MARK JARRATT CPP Mark served as an Australian Customs Officer in Canberra and Sydney for 21.5 years, including as Chief of Security (agency security adviser). He is Board Certified in Security Management, and the only Australian Government endorsed SCEC (Security Construction and Equipment Committee) security zone consultant with agency security adviser experience. Mark provides practical, effective and cost effective client advice and integrated technical security options founded on Australian Government, national and international security standards.

David (Dave) Brooks is the Associate Professor in Security Science at Edith Cowan University (ECU). Dave commenced his career in the Royal Air Force electronic Air Defence, moving into the Electronic Security sector and later, Security Consultancy. During Dave’s industrial security period, he has worked within Defence, Critical Infrastructure, Resources and Corrections. David has strong industry engagement with active participation with ASIS International, the Australian security industry and with a private consultancy. He has published widely, with over 18 International Journal articles, seven book chapters and four books.

FRAZER HOLMES Frazer has over 20 years’ experience in the security industry, and specialises in providing security solutions for Critical Infrastructure, Commercial, Government and Defence agencies including the specialist design and planning advice, within the context of an agencies specific risk environment.

RACHELL DELUCA

RICHARD KATHAGE

Rachell leads the Melbourne Security & Risk team and brings 22 years’ industry experience to her role. She is dedicated to identifying holistic security solutions and has delivered projects both within Australia, and Internationally. Her experience covers a range of industry sectors and includes security risk management, strategy and policy development, management consulting, passive and active systems design and project management.

H O S T & M O D E R ATO R CHRIS CUBBAGE CPP With 30 years experience, Chris is a certified security professional with a 15 years policing background. Chris is co-author of Corporate Security in the Asia Pacific Region, Security Risk Management in Corporate Governance and Executive Editor for MySecurity Media, including the MySecurity Marketplace.

Richard is a project manager, BCA consultant and fire engineer on projects across Australia. He is interested in finding optimal solutions for building designs using an understanding of fire safety engineering and the Building Code of Australia. Richard is Western Australia Manager for Warringtonfire and has also worked in the ACT and NSW, providing him with comprehensive knowledge of regulatory matters across these states. He has worked on dwellings, residential buildings, hotels, offices, carparks, shopping centres, schools, hospitals and aged care facilities, and has an interest in heritage buildings and resolving fire engineering challenges for existing buildings.

SARA TRIMBOLI Sara Trimboli is a SCEC Endorsed Security Zone Consultant with over 17 years in the security industry. She currently specialises in the provision of physical security advice to Defence and Federal Government clients. She is well versed with the application of current industry security standards and security policies, such as the Australian Government Protective Security Policy Framework (PSPF) and the Australian Defence Security Principles Framework (DSPF).

SPONSORED BY

Self-Latching Lock Monitoring MSB62-333

Dual Lock Lever handle MLLH 35 T

Double Blocker Plate AMS DLBP

Cyber Risk Leaders Magazine | 7

Cyber Security

Fmr Ambassador to China GEOFF RABY

REGI STE HERE R !

China’s grand strategy and Australia’s future in the New global order. Book Review & Interview with Australia’s former Ambassador to China, Geoff Raby THURSDAY 12 NOVEMBER 2020 AEDT

Japan

Perth/Singapore

India

9:00pm

7:00pm

6:00pm

3:30pm

8 | Cyber Risk Leaders Magazine

OVERVIEW Special interview with Geoff Raby, author of a new book - ‘China’s Grand Strategy and Australia’s Future in the New Global Order’ Geoff Raby was Australia’s ambassador to China (2007–11); ambassador to APEC (2003–5); and ambassador to the World Trade Organization (1998–2001). He was awarded the Order of Australia in 2019 for services to Australia–China relations and to international trade. This interview will review Geoff’s work and the new emerging world order of competition and disruption, particularly in the APAC region with consideration to the impacts on Australia, ASEAN and US-China relations.

MORE FROM MYSECURITY MEDIA MySecurityTV Series Aerospace, Defence & Security Technology Market Trends 2020 India’s Reach Series (Episodes 1 - 8); Indo-Pacific Series (Episodes 1 - 10)

Book Reviews 2020 Contest for the Indo-Pacific: Why China Won’t Rule the Future – Podcast with Professor Rory Medcalf

Copies of the book for purchase are available HERE

COVID-19 & Its Challenges: Is India Future Ready – Webinar with Dr Amrita Jash, Centre for Land Warfare Studies & Dr John Coyne, Australian Strategic Policy Institute

Contents Editor's Desk

The key trends shaping successful business strategies for a post-COVID-19 world

(Cyber) Security Culture Eats (Cyber) Security Strategy for Breakfast

Neurodiversity in Cybersecurity skillsets

Collective Defence: Adopting a collaborative approach to cybersecurity

Reverse engineering surveillance capitalism

Securing the next generation digital infrastructure highlights from BlackHat Asia 2020

Australia’s Cyber Strategy: Navigating unchartered territories needs both caution & diplomacy

Plugging the gaps: Australian organisations are leaving their defence barriers wide open for attackers

A multi-hybrid cloud game plan to strengthen business continuity with proper data management

Cloud-native networking – the future of connectivity

Defining the role of SASE in a connected future

@MSM_Marketplace

NetFoundry and Fortress partnership and solutions

www.linkedin.com/company/my-securitymedia-pty-ltd/

The outlook for SD-WAN in a post-COVID landscape

www.youtube.com/user/MySecurityAustralia

Don't risk losing control of your network

Maintaining a resilient utility grid in the face of cyber attacks

Don't risk losing control of your network

Book Review

Maintaining a resilient utility grid in the face of cyber attacks

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Director & Executive Editor Chris Cubbage Director David Matrai

The key trends shaping successful business strategies for a post-COVID-19 world

Art Director Stefan Babij

Neurodiversity in Cybersecurity skillsets

All Material appearing in Australian Cyber Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US www.facebook.com/MySecMarketplace/

Defining the role of SASE in a connected future

www.australiancybersecuritymagazine.com.au

www.mysecuritymarketplace.com

www.australiansecuritymagazine.com.au

Correspondents* & Contributors www.aseantechsec.com

www.drasticnews.com

www.asiapacificsecuritymagazine.com

www.chiefit.me

Jacqueline Jayne |

www.youtube.com/user/ MySecurityAustralia

www.cctvbuyersguide.com

Astha Keshariya

Jane Lo Singapore Correspondent

Dr. Mark Pedersen Also with: Iain Strutt Syed Munir Khasru Joseph Failla

Nick SAVVIDES

Daniel Sultana,

Han Chung Heng, Guy Matthews, Kevin Nesdale Girish Ramachandran

Editor's Desk

ith our third edition of Cyber Risk Leaders Magazine closing out the year, there may be a degree of crisis fatigue setting in, but it is way too early for a break. The year has had sustained intensity, driven largely by an adaptation to a global pandemic but also with coinciding, heightened geo-political contestation, nation state sponsored cyber-attacks, and weaponisation of information, against populations, intended to defraud, disrupt and destabilise. Cyber facilitated fraud awaits the next crisis, corporate ransomware is fuelling funds back to the attackers, along with massive investments in cybersecurity; and sophisticated, nation state sponsored cyber-attacks, including against critical infrastructure and across the digital economy are, seemingly, crossing the line of national sovereignty with minimal, or visible, countering consequences. This edition’s book review, based on work from the Centre of Land Warfare Studies in New Delhi, proposed that with nations reeling from a heavy and serious impact of the pandemic, the initiation of an all-out conventional war is unlikely. However, concedes, “The coercive actions and policies pursued by China during the course of the pandemic clearly portray the signage of the events to come in the post-pandemic phase. China is operating in the ‘grey zone’ of warfare. In addition, technology has expanded the domain of warfare to space, with kinetic and non-kinetic warfare moving to utilise potent precision guided munitions, hypersonic weaponry, drone swarms, autonomous systems and stealth operational capabilities delivered by multiple modes— ground, air or projectiles. Likewise, information and cyber warfare, will continue to expand to each of these vistas. The measure of victory today can equally be measured by successful paralysis, as well as destruction.” Just two weeks out from the US federal election, the CISA-FBI jointly warned (AA20296A/B) that “Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process. The APT actors are creating fictitious media sites and spoofing legitimate media sites to spread obtained U.S. voter-registration data, antiAmerican propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud. The APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, structured query language (SQL) injections attacks, spearphishing campaigns, website defacements, and disinformation campaigns.

“Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in opensource reporting — has conducted a campaign against a wide variety of U.S. targets” National Cyber Awareness System Alert (AA20-296A) - Russian StateSponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets: October 22, 2020 The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.” Alongside this latest allegation Russia and Iran are again sponsoring attacks against US democracy and government information system infrastructure, the United States is also facing a third wave of COVID-19, reaching over 80,000 daily cases (25 Oct) and with some forecasts calculating that over 500,000 Americans will die from the pandemic by the end of February 2021. How the US responds to these issues, and a myriad of other significant domestic and international challenges is up to voters and the ultimate outcome to the election. The next four years will also see intensified space activity. New LTE/4G networks are scheduled to be installed on the moon as NASA seeks out the “tipping point” technologies to assist its next human mission to the moon in 2024, which include robotics and new methods of harvesting the resources required for living on the moon, such as oxygen and energy sources. The fourth industrial revolution is now underway in earnest and competing 5G networks will continue to roll out between those that chose western or Chinese based technologies. Our recent space focused episodes on the IndoPacific Series provided fascinating updates on how Australia, India and US are collaborating and moving forward with their space programs. Technology continues to fundamentally transform the character of human behaviour. This year more than any other has only accelerated digital transformation by demanding a remote, digital workforce – with all the challenges and benefits this brings. The very nature of work and human interaction as undergone an irreversible and significant digital shift. Hybrid models of work and education will emerge post COVID-19 and with the advent of low and middle earth orbit satellite communications circumventing the globe, humans will permanently transform

how they work, live and communicate. On Earth and the moon, with its own long-term human presence intended by 2030. Despite all that is wrong with 2020 and foreseeably to continue in 2021, the digital transformation is the positive lining. Though the glass is still only half full. There is a clear two horse race and all indications are that China is taking the lead across the key fields within the critical technology domain. 2021 can still diverge in several directions as the pandemic either continues and countries learn to adapt and respond, with the economic and social consequences; or, the magic vaccine is released and rapidly distributed, taking us all into a new, post-pandemic era. Overlaying the geo-politics, war gaming in the South China Sea and Taiwan Strait, rise in nationalism and shallow calls for sovereign capability, the tech battles will continue in space, cyber and communication platforms. The intent of the superpowers will be to achieve paralysis over the other and we will all need to raise our resilience against the economic impacts of the pandemic, realignment of supply chains and against the risk of digital or military miscalculations, incompetence or malfeasance. In this edition we again provide you the opportunity to deep dive into the cybersecurity domain, corporate risk management and our cover feature on the trends of cloud computing models in their native, multi and hybrid forms. We also include links through to our recent Indo-Pacific Series and the latest Cyber Security Weekly podcasts. On that note, as always, there is so much more to touch on and we trust you will enjoy this edition of Cyber Risk Leaders Magazine. Enjoy the read!

Chris Cubbage Executive Editor

App now available

on iTunes &

DOWNLOAD NOW!

www.CyberRiskLeaders.com 12 | Cyber Risk Leaders Magazine

The MySecurity Marketplace gives you the tools you need to grow as a security professional. Join our growing member base today.

EV EN T S Access to events, locally and globally

EDUCATION Access certified courses, webinars and labs

SOLUTIONS Access an eco-system of security and technology services, software, trials and demos

P RO F E S S I O N A L DEVELOPMENT Join a growing hub of security professionals. List as a Speaker!

OUR CHANNELS

Cyber Risk Leaders Magazine | 13

Cyber Security

The key trends shaping successful business strategies for a post-COVID-19 world By Girish Ramachandran, President of Asia Pacific, Tata Consultancy Services

14 | Cyber Risk Leaders Magazine

usinesses in Australia are assessing the damage wrought by COVID-19, but they are also seeking to learn the critical lessons and embrace any positives that have emerged. This is a long-term game. In this exceptional human and economic crisis, there are no quick fixes. Unlike previous recessions, there isn’t a rule book or a clear example of best practice. We’re looking at a long-term recovery in uncertain times, compounded by ongoing geopolitical, social and environmental unrest. Reframing the conversation from a challenge to an opportunity is critical. Most businesses are now seeking to adopt innovative strategies that will enable them not only to withstand, but thrive, should another global impediment strike. Some countries are starting to refocus on self-reliance, developing sectors crucial for self-sufficiency. In Australia, we've seen a significant shift as crucial sectors like finance, retail and exports all took a big hit. However, we've also seen an adjustment locally toward sustainable practices. Technology is now at the forefront of national agendas, with the potential to enable smarter cities, smarter citizens and more intelligent workspaces, beyond COVID-19.

Levelling up digital strategy When COVID forced businesses online, it revealed the lack of genuinely ‘digital workplaces’. For over a decade, Australian companies have celebrated their digital capabilities and mobile offices. However, the reality was that most businesses, including some of Australia's most significant, have been unable to support all their employees working from home digitally. In the next phase of recovery, while the pressure on businesses from the initial disruption eases, investment in digital solutions that drive mobility is vital. Fully-trained and equipped employees will also be a driving force of this change, as we enter a new phase of the digitally-

'Every country or organisation will look for citizens or employees who are motivated, resilient and adaptable. '

empowered workforce. Digital inclusion from both governments and businesses is essential. In Australia, we saw a complete shift in almost every sector to online services. COVID-19 has proven that although done in haste and against all the odds - we are capable of a significant digital transformation.

Digital Citizens COVID-19 has also highlighted that most essential services can be digitised, and to a certain extent, automated. But the key to economic survival is access to technology â&#x20AC;&#x201C; assuring that no citizen is left out, whether through expanding and enhancing digital access or promoting digital inclusion by design. The shift from traditional to digital channels is a win-win proposition for both citizens and governments, providing everything from a better user experience, convenience, and speed, to lower cost of service and greater inclusion. At the most basic level, while we cannot yet predict the long-term impact of COVID-19, we can be sure that we are entering a prolonged period of uncertainty. Companies that build a purpose-driven workforce, equipped with the

skills and tools to be resilient and adaptable, are not only ensuring their survival but also helping communities and economies recover and thrive. ongoing national efforts for digital literacy need to be set in place, with two concessions â&#x20AC;&#x201C; providing access to web-enabled devices, and a safety net for those who are unable to keep up with the digital transformation, for example, older Australians. Every country or organisation will look for citizens or employees who are motivated, resilient and adaptable.

Looking to the horizon As we emerge post-COVID-19, now is the time for governments, businesses and individuals to reform preconceived ideas and ways of working. While Australia has been able to navigate COVID-19 in a world-leading position, the opportunity should not be lost as a result of inaction or fear of the digital future. Now is the time to bridge the digital divide and provide everyone with the skills and tools they need to succeed.

Cyber Risk Leaders Magazine | 15

Cyber Security

(Cyber) Security Culture Eats (Cyber) Security Strategy for Breakfast

I By Jacqueline Jayne Security Awareness Advocate – APAC, KnowBe4

T professionals around the world have some thorough and detailed frameworks and guidelines to use when it comes to developing a robust information security strategy, but there is one thing missing – the human element. The cyber threat landscape is out of control across the globe and organisations can’t seem to get ahead of the curve. Cyber attacks are increasing as cybercriminals are becoming more and more sophisticated and their methods are quite frankly abhorrent. They continue to target our human vulnerabilities and leave a trail of destruction in their wake without a care in the world. Most organisations have a well-documented cybersecurity strategy. The Australian Cybersecurity Strategy 2020 was released in August with a focus on government, business and the community. The recommendations made are all great, however, achieving the desired outcomes will be challenging if there is no clear way forward as to how we as a nation go about creating a (cyber)security culture to support the strategy.

The missing link is the human element. Protecting systems and information is the core purpose of anyone working in the information security world, which includes cybersecurity. Yes, some people see these as one in the same and others see them as separate disciplines, but that’s a discussion for another day. Today, we are looking at the human operating system and what you can do to attract its attention, raise curiosity, get buy-in and have yourself a powerful culture of (cyber) security in your organisation. Context and understanding are important in this process, so let’s start with some definitions. Strategy is tangible and visible with clear guidelines. It’s the road map, the plan, the goals, the logical process of taking us from where we are to where we want to be. A place where outcomes are defined and results are measured and managed. Culture is tacit and elusive in its very nature. It’s often unspoken, based on behaviours, hidden in the thoughts

16 | Australian Cyber Risk Leaders Cyber Security Magazine Magazine

and minds of people. We have all heard things like ‘the behaviour you ignore is the behaviour you accept’ or ‘the fish rots from the head’ or ‘monkey see monkey do’. These sayings can all describe culture. We often see the framework of culture in an organisation’s vision, mission and values which can describe the attitudes they have towards various elements. For example, do they value innovation over tradition? Observable culture is the way an organisation welcomes new employees, comes together (or not) at a time of crisis, manages performance, celebrates birthdays, responds to change and ideas or treats its customers and vendors. It is also the way you go about your day-to-day work when no one is watching which has been highlighted as we moved to a remote working situation in this year of COVID-19. Strategy is usually an annual event -- ‘here is our 2020 strategy’. The road map for the year is clear and hopefully, we all know what our role is in it. Culture, if not defined, is formed by the people, their attitudes, values, unconscious bias and overall approach to the world. Unchecked, group thinking emerges, silos form and if you are not careful, you may find yourself amid a toxic culture. For organisations that are about to go through a lot of change, it is going to be important for them to understand what the culture-related change is for their people. Do they embrace change, or will they fight it every step of the way? This is the very reason many strategic plans fail because the culture was ignored or dismissed as being irrelevant. Big mistake! We can have the most brilliant (cyber)security strategy the world has ever seen, and it will never be completely realised if we fail to engage the hearts and minds of the people. Before we look at how to go about creating a (cyber) security culture, let’s look at the benefits of having one versus not having one. The following examples are situational and are from the point of view of the human, your users and represent what’s going on in their minds.

Situation One – Phishing (malicious emails) Without a (cyber) security culture

With a (cyber) security culture

OMG, an email from my bank – looks like someone has tried to illegally use my credit card. I better click on this link and update my password.

Hold on a minute, I know what red flags to look for that could indicate a phishing email and I know that I must not engage with it. I will call my bank to confirm.

This email looks suspicious, I don’t even bank with them. I’ll ignore it and delete it later.

I need to report this suspicious email to the cyber team. I better not delete it because I know they will want to look into it further.

Oh no. I don’t think I should have clicked on that. Nothing bad happened – phew.

Oh no. I don’t think I should have clicked on that. I better let the cyber team know straight away.

IT wants me to change my password again – this is getting ridiculous. I did this last week too.

Hmmm – IT wants me to change my pass-word again and I only just changed it. This could be one of their tricky phishing tests. I think it’s bogus and I will report it using the phish alert button.

Situation Two – USB devices Without a (cyber) security culture

With a (cyber) security culture

**USB found in carpark with ‘payroll’ written on it** LOL – this is going to be good. I’ll take this back to my desk, plug it in and show the guys.

As much as I want to look at this, I am going to take it to the cyber team.

**Vendor comes in for a meeting and wants to plug in their USB** Yep, I will plug it in and set that up for you.

Sure thing, I will just get the cyber team to scan it first. OR Unfortunately, our cyber policy is very clear with USBs – we can’t use them.

Situation Three – Phishing (malicious emails) Without a (cyber) security culture

With a (cyber) security culture

This is cool! Now my kids can use the work computer at home!

I wish the kids could use the work computer at home. However, I know that there are too many risks associated with that.

I can use free Wi-Fi on my work mobile – this is awesome!

I better make sure the VPN is on before I connect to free Wi-Fi.

I don’t need to lock my computer at home.

Even though I am working from home, I really need to lock my computer just to be safe.

you that this is exactly what your people are thinking and doing every single day. A (cyber)security culture is not just completing training or reporting phishing emails. It’s the unseen and sometimes unmeasurable situations that occur and the subsequent response. A non-cyber example is driving a car. You don’t get handed the keys and told to drive safely. There is documentation to read and absorb, rules to remember. Then there’s a process of familiarisation with the car itself. Preparing to drive away from the curb involves multiple steps that are hard to remember at the beginning. Your first drive is terrifying. Other cars on the road, pedestrians, street signs, weather changes, the rear-view mirror, side mirrors, accelerate, brake, indicate, clutch, slow down, speed up, windscreen wipers and so much more. It is only after time and practice and testing that it all comes together. Even then, there are constant reminders of the dangers and our role in keeping the roads safe for everyone. The same can be said for cybersecurity. You want a culture where your people are aware of their responsibility to keep things safe, the cyber threat landscape and the tricks cybercriminals use. You also want them aware of your policies when it comes to keeping everything secure, to understand what is acceptable online behaviour, how to spot the red flags and report any potential phishing emails.

How do you do it? By taking the time to define your (cyber)security expectations when it comes to the human o/s with these seven (7) questions: 1. What attitudes do you expect your people to have towards security? 2. What behaviours are you wanting to change or see? 3. Do your people have an understanding, knowledge and sense of awareness? 4. How do you go about communicating with your people? Do they feel like part of the solution? 5. Have you considered and included your people in your policies, and do they know what to do? 6. When it comes to the unwritten rules of conduct at your organisation, have you thought to include (cyber)security? 7. Lastly and perhaps most importantly as without it you are doomed to fail – do your people understand why cybersecurity is everyone’s responsibility and that they have a critical role to play? Once you have the answers to these questions, you are on your way to developing your (cyber)security culture. Enjoy your breakfast!

Whilst these situations seem second nature to those of us who live and breathe information security and cybersecurity, they are not second nature to everyone else. I can promise

Cyber Risk Leaders Magazine | 17

Cyber Security

Neurodiversity in Cybersecurity skillsets

C By Dr. Astha Keshariya

ybersecurity is rather loosely used term with varying subjective definitions due to the different dimension of understandings and work experiences. In 2014 “Technology Innovation Management Review”, examined the multidimensionality of the cybersecurity spread across separate disciplines and different technical views and defined it as -“Cybersecurity is the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights.”, by Dan Craigen, Nadia Diakun-Thibault, Randy Purse. It is this multidimensional aspect of cybersecurity that obscures resolution to some of the complex cybersecurity challenges.

What is Neurodiversity? Neurodiversity is described as a huge range of variations in neurocognitive functions of the brain and the behavioural traits in humans, like, information processing styles, differences in perspective & viewpoints, ways of thinking, and other cognitive abilities. On the other hand, neurotypicals usually behaves the way society expects of them. It does not refer to neurological deficit or any

18 | Cyber Risk Leaders Magazine

mental health condition, mental health problems can affect neurotypical and neurodivergent brains in the same way. Neurotypical may find a constantly evolving cyberthreat landscape stressful and burdening situation to deal with while, neurodiverse individuals may show functional impulsivity and a desire to explore unchartered terrain, ready to take on calculated risks. No matter whatever would have been the cause of classical or operant conditioning, neurodivergent individual seem to choose a distinctive modus operandi, and are stimulated when tackling uncertain terrain. They show profound cognitive abilities to think out-of-the-box, pattern recognition, knowledge proc essing, idea generation, problem solving and innovation which is a competitive advantage. It’s a well-known fact that cyberattacks or security breach have the potential to pose systemic risk by disrupting the business operations, thus demands highstakes of attention when dealing with it. Consequently, operational resiliency includes the overall resiliency of the system beyond the technology risks encompassing the underpinning operations, infrastructure, data (including crown jewels), and services of digital technologies.

Bad-Cyber Actors Let’s look into who are these “bad cyber-actors” behind these cyberattacks and what motivates them: Organized crime – are group(s) of hackers with specialized capabilities, they usually have some insider information probably acquired over a period of time to identify underdefended attack vectors, primarily motivated by profit or some kind of financial gains. Hacktivists – group of hackers with similar capabilities as those of organized crime but their motivation is driven by ideological beliefs rather than financial gain. Typically, they target governments or legal system, leaking insider information to the press, or seeking to interfere with social or formal processes as a protest to show their disagreements. Adversaries - group of hackers who possess enough resources both financial and technical with specialized expertise to conduct sustained and persistent attacks, their motivation spans beyond economic, financial and political barriers. Insiders – previously employed resentful employees, competitors, contractors, third-party vendors or business associates, who have some key internal information concerning the organization's security practices, trade secrets, data and systems that could be leveraged to gain unauthorized access to internal systems - to either launch cyberattacks themselves or to support or sell insider information to any of the above mentioned groups. Skilled individual hackers or Script Kiddies – individuals with some skills probably not to the level of specialized capabilities but are seeking to exploit known vulnerabilities to achieve either financial gain or gain some reputation as a serious hacker. This classification shows that these bad cyber-actors or cybercriminals are not bound to the stereotypical gains i.e. financial, reputational or monetary benefits, but also to show emotion in favour of intellectualism, even worse, just for the fun of seeing the world burn. Undeniably, the underlined fact is that organizations do not control cyberthreats, they can only manage them by controlling priorities and investments in cybersecurity readiness, which is of course a choice for an organization – A choice that is meant to be chosen! This emphasizes the continual need of cybersecurity readiness in managing cyber risks and the effectiveness of security controls to detect, prevent, contain and respond to the constantly evolving cyberthreats landscape.

'With ever expanding attacks and constantly evolving attack vectors, organizations have legitimate reasons to be concerned abouttheir potential vulnerability.' roles that demands cognitive intelligence, such as, cyberintelligence analysis & creation, assessment of threatintelligence, behavioural threat assessment, insider threat investigation, computer forensics, steganalysis, tradecraft analysis, fraud detection, potential real-time intrusion detection, incident analysis, vulnerability impact assessment, application security testing, malware impact analysis, etc. Neurotypicals are particularly suitable to handle scalable processes that require absolute conformity to standardized approaches befitting value to the organization. It does not mean that they do not possess cognitive capabilities rather they enjoy following more disciplined approach to problem solving. Neurodivergent adds strength in to the mix to explore alternative theories thus challenging set old patterns. With ever expanding attacks and constantly evolving attack vectors, organizations have legitimate reasons to be concerned about their potential vulnerability. Having both neurotypicals and neurodiverse groups together, working as a team will form a stronger workforce that adds dimensionality to effective cybersecurity defence. About the Author Astha Keshariya, PhD, MSCHonours], MBA, has consulted Commercial and Academic organizations in the field of Information Security and Cryptography for over 16 years. Awarded Top 20 Women in Cybersecurity - Singapore 2020 She is a visionary leader who grounds vision planning, and decision-making based on the skills of Conscious Leadership, Continuous Learning and Inner wisdom by empowering, inspiring and leading with a shared vision to identify innovative breakthroughs. She has accomplished many critical projects in the Financial and Payment Industry, and believes in achieving business results by applying best laid strategies for business objectives along with determination to thrive in adverse conditions.

Significance of Neurodiversity in skillsets The recognition of importance of cognitive diversity or neurodiversity in skillsets augments a promise to deal with such cybercriminals who continue to present complicated and pervasive cybersecurity issues. Combining neurodivergent along with neurotypical thinkers will not only expanded analysis beyond functional bias but will also accelerate learning, and better team performance. Neurodivergent may find themselves stimulated by

Cyber Risk Leaders Magazine | 19

Cyber Security

Collective Defence: Adopting a collaborative approach to cybersecurity

T By Dr. Mark Pedersen, Chief Technology Officer, KJR

20 | Cyber Risk Leaders Magazine

here is no doubt the global COVID-19 pandemic has had a significant impact on our everyday lives. In particular, we’ve seen a rapid shift to digital platforms for many of our daily interactions — from remote work to virtual schooling. Many organisations which previously had scant provisions for working from home have embraced the change with a majority of their workforce entirely online. According to a recent survey from ADAPT, half of private, public, and hybrid cloud organisations have increased their cloud workloads by more than 50% to enable remote working since the outbreak. Given the need to transition rapidly, many of those organisations are still in the process of updating their security posture and policies to reflect the “new” status quo of operating outside any kind of defined security perimeter. Similarly, just as the COVID-19 pandemic requires a coordinated and collective response, dealing with rapid escalations in cybercrime also requires an approach that

goes beyond the capability of any individual organisation working in isolation. As part of our own response to both the growing need and complexity of cybersecurity issues, KJR has partnered with the US-based cybersecurity firm IronNet in order to make its expertise in Collective Defence more accessible within Australia. The concept of Collective Defence is not necessarily new, as intergovernmental military alliance NATO has been using this principle to defend treaty members. However, the application of the strategy is a new approach to cybersecurity, where organisations are actively sharing cyber threat intelligence and collaborating with one-another to improve detection capabilities. During a recent webinar hosted by IronNet's APJ Vice President, Gaurav Chhiber, IronNet’s Chief Operations Officer Major Gen Brett Willams (Ret) notes: “As a collective group, we can come together to defend ourselves better,

by having full situational awareness and full visibility … we bring the strengths of each together, so we are all stronger as a group.” But what does Collective Defence mean for organisations and why should it be applied?

Collective visibility of a broader threat landscape Increased visibility of the threat landscape is possibly the most important aspect of Collective Defence. Many organisations are linked to others – either directly through partnerships and supply chains, or by virtue of being in the same industry sector. Having access to collective threat intelligence updates from similar companies at machine speed allows better insights and faster responses to cyber threats that could affect their own organisation. “The quickest way to remediate is to see that someone else was attacked, to see the characteristics and behaviours of that attack, and look at your own environment… and proactively make that adjustment,” says Major Gen Williams.

Real-time collaboration and threat-sharing to facilitate rapid response Many organisations are reluctant to share details of being under attack. While this is understandable, we must move past this resistance in order to respond faster to early warnings about the kinds of attacks others may be experiencing. In turn, sharing data means protecting industry sectors and/or networks of businesses across the company’s value chain. This is where encrypted data can be used to enable SOCs to securely share anonymised alert data to collectively amplify threat detection. Timely information about specific attack campaigns that may be underway can mean the difference between a successful defence that reduces dwell time and a full-on data breach. Collective Defence makes it more challenging for attackers to reuse the same techniques to “cherry-pick” enterprises individually as they do today. Ongoing, real-time collaboration is required so the industry can learn from one-off events on an individual organisation. Major Gen Williams suggests that “instead of every company having to look at every alert, you can crowdsource that…. Cyber specialists can collaborate and share expertise without putting their intellectual property at risk.”

Sophisticated behavioral analytics to detect unknown network threats While many organisations rely on endpoint detection and firewalls to protect the enterprise, the nature of today’s cyberattacks requires network defense as well. Network Detection and Response (NDR) solutions see unknown threats using cybersecurity analytics. These solutions are designed to focus on behaviours, rather than relying on signatures. NDR solutions can detect network behaviours that are hard for attackers to evade, as they currently do with

'Ultimately, sharing resources and anonymised metadata allows organisations to expand their capabilities without having to increase the size of their IT department. If a similar company investigates a potential threat and dismisses it, cybersecurity teams in other companies could utilise this knowledge to focus on more pressing matters.'

traditional indicators of compromise (IOCs), such as IP addresses, domains, and file hashes. NDR can pick up behaviours such as lateral movement, malicious use of standard protocols, beaconing, data loss, and DNS tunneling attacks. By identifying patterns in behaviour, organisations can collaborate and learn from similar behaviours that result in cyber-attacks.

A mindshift toward Collective Defence for a unified front At KJR, we increasingly find ourselves working with organisations that are having to rapidly improve their own security practices to meet the compliance requirements of their larger private enterprise or public sector customers. No organisation is an island. Even with the proper defences in place, breaches can still occur. For example, there have been recent data breaches in Australian organisations that originated from phishing campaigns spread from other related agencies which had less mature security capability. It’s not enough just to invest in your own internal capability: it’s important to mature collectively. Ultimately, sharing resources and anonymised metadata allows organisations to expand their capabilities without having to increase the size of their IT department. If a similar company investigates a potential threat and dismisses it, cybersecurity teams in other companies could utilise this knowledge to focus on more pressing matters. Collaborating between organisations, with teamwork that quite literally spans the globe, allows for a more seamless, safer environment. Therefore, the path ahead is clear: companies, sectors, and nations that share threat information can achieve a greater level of security against cyber-attacks than defending alone.

Cyber Risk Leaders Magazine | 21

Cyber Security

Reverse engineering surveillance capitalism By Iain Strutt About the Author Iain has been involved in military, police and private security in Australia for over twenty five years, and has significant supervisory experience as a team leader & manager. As a licensed consultant he has acted for a diverse range of clients ranging in areas such as critical infrastructure, private & state facilities & film & television production. He has a particular interest in building management security systems & their operation, Health, Safety & Environment & cyber security

22 | Cyber Risk Leaders Magazine

he advent of the COVID-19 pandemic has seen many of us working from home for extended periods. A corresponding rise in online fraudulent activity is attributed to the wider use of the inter net and organised crime continues to adapt to these changes. The Australian Competition & Consumer Commission has reported a 55% increase in identity theft on last year’s figures with criminals targeting superannuation payouts, & welfare relief benefits. Identity theft (IDT) is fraudulent and involves ‘the use of dishonest and deceitful conduct to gain an unjust advantage...it is not specifically defined in legislation.' IDT can be used to assume an identity with or without the consent of a living person. The stolen identity of a child can be kept for years, to be used when the identity matures. IDT can be used for a practice known as ghosting, whereby a person assumes the identity of a dead person. The methods range from theft and impersonation, to theft and sale, the 'renting' of an identity and the deliberate manufacture and sale of high-quality forged documents by organised criminal gangs. Once a criminal establishes a false ID they can use it to gain advantage by applying for financial services, defrauding superannuation accounts, money laundering and immigration fraud. Phoenixing, which is a more complex

form of IDT is a process to rid companies of their debt and avoid taxes 6,7,8,9,10. Obtaining false identity documents would generally be in cash and difficult to trace. Likewise, transactions are conducted on Deep Web sites which specialise in the sale of high-quality identities. Transactions of this type would usually be conducted in Bitcoins or a similar digital currency. Another untraceable way identity can be purchased is through the hawala network of Islamic financiers and it is believed that Islamic terrorists use this system. Money transferred via a hawala banking system is extremely private and is unlikely to be reported or discovered by anyone other than the hawaladar, the transferor and the transferee.

The local market A fraudulent Medicare card and a driver’s license can be bought relatively cheaply. A set of three; driver’s license, Medicare card plus a phone bill costs around A$500. These three combined are enough to establish a primary identity. High quality documents such as passports can range from A$1,500 up to A$30,000 for a genuine passport with false biodata details. Secondary identification can be used to

are not just increases in reporting. Another factor that was identified was that the courts were either unwilling or not sufficiently equipped to calculate how much has been stolen in largely civil proceedings. Further, prosecutions can only give an indication of part of the picture and the extent of undetected IDT is still unknown.

The big data problem

verify persons at international borders with no passport, with immediate entry denied until such times as the person’s identity can be positively verified. Supporting secondary documentation would give greater weight to a false identity if supporting a passport.

The hidden nature of offences The Australian Criminal Intelligence Commission (ACIC) produced intelligence to improve the understanding of business email compromise scams; malware; anonymity features in cryptocurrencies; encryption on the Darknet; cybercriminal exploitation of government systems. Whilst the ACIC has had success overall, IDT figures are estimates only, due partly to legitimate businesses not wanting to advertise data theft by reporting it to police, as this avoids a loss of confidence in their enterprise. Individuals may not report incidents due to the embarrassment felt by crimes committed in their name. The rate of reporting when it is combined with the incidence of offences does not give any more clarity to the issue as it is not possible to isolate these two features. This leads to a conclusion that the uncertainty in increases

The trend for large businesses and corporations to retain data is one area that has not been adequately addressed. Whether as users or customers, data is retained by businesses and corporations for their own purposes on an industrial scale due to the low cost of collection and storage. & the data farm concept has moved onto public networks which are being compromised. Any personal data, along with Facebook posts, tweets, app usage, phone records, website visits, licenses can be stored indefinitely and used for commercial advantage. Such data is acquired, analysed, packaged, sold, further analysed and resold. This data has been labelled ‘data exhaust.’ Presumably, once the data are redefined as waste material, their extraction and eventual monetization are less likely to be contested. Data collection is now linked to computer networks and systems and the vulnerabilities to data storage now affects computer security. A huge data theft occurred recently due to a combination of ‘hacking, ransomware, remote server access and unauthorised access to email accounts’ with the finance company RI Advice group being held responsible. What this indicates is that to hold data for some unspecified marketing purpose can be a liability, and that companies are increasingly responsible for the data they hold, because for a technically proficient criminal, data is a cyber gold mine. Capping the retention time on certain data held by private enterprise would assist in the curbing of IDT. There must be a shift from permanent and perpetual memory to one of being able to be forgotten, to have the ability to erase personal metadata.

Assessment With the evidence available an accurate size of the IDT market due to its clandestine nature is still unknown. The methods to acquire, trade, manufacture and use false identification are known. IDT as a crime has increased along with the growth of the Internet and authorities have no real answer to the problem. An accurate assessment is not possible due to several factors, underreporting being one.. Cheap data storage and the value that a company gains by using the stored data indefinitely for market research purposes is also a significant factor if compromised. The fraudulent ID market in Australia and its' negative flow on effects are, therefore, likely to continue. To mitigate the threat, the storage of metadata should have a time limit to counter the persistent and increasing threat posed by illicit data mining by criminal organisations. The indications are that IDT will be with us for some & the Australian false ID market is, and will continue to be, an income source for organised criminal enterprises into the future.

Cyber Risk Leaders Magazine | 23

Cyber Security

Securing the next generation digital infrastructure highlights from BlackHat Asia 2020

O By Jane Lo Singapore Correspondent

riginally scheduled for March, BlackHat Asia 2020 returned 29th September – 2nd October 2020 to a virtual stage hosted in the Singapore Time Zone. With an agenda that spanned from policy decisions, thought leadership to firsthand technical skill-building, the event offered unique opportunities to learn the latest exploit development, platform security, malware and more. Here, we highlight some of the discussions on securing the digital infrastructure that will be powered by the nextgeneration technology of 5G.

5G cybersecurity risks With 5G implementation gaining steam globally, the talk on “Cross-Protocol Attacks in the Era of 5G” by Sergey Puzankov (Telecom Security Expert, Positive Technologies) cannot be more relevant – for governments, industries and users searching for more information on the benefits and risks of 5G deployment. “Mobile networks have evolved. These days they combine several generations”, he said, to deliver seamless service to subscribers. For example, 5G networks with non-standalone architecture rely on a 4G LTE core network. Devices will connect to 5G frequencies for data transmission, but rely on 4G and even 2G/3G networks for voice calls and SMS messaging.

24 | Cyber Risk Leaders Magazine

“This mishmash of technologies, protocols, and standards in telecom has implications for security,” he said. In other words, 5G networks in such deployments are exposed to legacy vulnerabilities inherent in these previous generation networks - such as the Diameter and GTP protocols, commonly used in the telecoms industry for 3GPP, GSM, UMTS, and LTE networks. Of particular concern are the “standards reliant on SS7 (Signaling System 7), a technology developed in the 1970s”, Puzankov explained, which “still continue to dominate.” Developed “in an era when only fixed-line operators had access to networks, and the stakes were much lower for questions of security,” he said. “It contains architectural flaws that make it vulnerable to a whole range of threats. These flaws can even be utilized to listen in on calls, intercept SMS messages, and instigate various forms of fraud.” Misconfiguration and software bugs also become points of compromise for potential attacks. “Intruders are attacking mobile networks from all possible angles, in part by leveraging multiple protocols in combined attacks,” he said. Securing the next generation digital infrastructure highlights from BlackHat Asia 2020 Highlighting a few scenarios of potential exploits – including bypassing firewall and tampering with data packets – he said, “an attack starts with actions in one protocol that are continued by actions in a different one,

requiring particular combinations of actions for the attack to succeed.”

5G and threats to IoT Devices While inherited threats are concerning, another challenge lurking on the horizon is the security posture of IoT devices. With the increased capacity and bandwidth offered by 5G, more IoT devices will be online. And attacks such as Mirai malware which caused some of the largest DDoS attacks – including the October 2016 Dyn cyberattack – have the potential of becoming more common. Clearly, in today’s increasingly interconnected era (exacerbated by Covid-19 and stay-at-home guidelines), secure IoT devices are critical to a trusted digital infrastructure. In his keynote “Engineering Cybersecurity for a Nation: What Singapore is Learning from Cars and Sanitation”, Gaurav Keerthi (Deputy Chief Executive (Development), Cyber Security Agency of Singapore) gave an insightful view into defining a new way forward for cybersecurity in Singapore. “Singapore wants to be a Smart Nation and wants to shift the paradigm of cybersecurity in order to achieve that. Doing so will require us to challenge some mental models: Should cybersecurity be a public good? Should it be an engineering problem or a policy problem? Should users be solely responsible for it? Should it be seen as a cost or a

benefit to a company?” Drawing on the food labelling scheme as an analogy, he proposed that it is not unreasonable for consumers to expect the same for IoT devices. “If you care about your diet, you can take a look at the label and avoid sugary drinks,” he said. “But today, if I look at the router, I have no way of deciding that this router is more secure than that router. It is invisible to me. Customers cannot pay for what they cannot see. So we started thinking, what if we can put a nutrition label on IoT devices?” “And this is what we will be doing. We will be introducing the Cybersecurity Labelling Scheme (CLS) on network connected devices”. (The details are announced during the Singapore International Cyber Week to be held 5th-9th October 2020).

Looking Ahead Covid-19 has accelerated the digital transformation across societies and businesses at an unprecedented rate in the last 6 months. In the coming years, 5G will play a pivotal role in further transforming the ways we live, work and play. Applications in virtual reality, robotics, autonomous driving are attracting excitement. As the attack surface further expands alongside the growth of 5G use cases, conversations on 5G risks and policy direction will no doubt attract increased and urgent attention.

WoSEC Singapore CTF For Girls Singapore 2020

he youngest is 18 years old... 67 female hackers spent the weekend #hacking in September during the #CTF For Girls in #Singapore 2020, organized by Women of Security (WoSEC) Singapore . The event was part of SG Women in Cyber Series with Cyber Security Agency of Singapore (CSA) Five female hackers won the #competition with fabulous results. Some did not sleep the whole weekend, trying to solve the challenges, and capture the #flags, because that is what CTF is all about! There are girls and women who are passionate about #cybersecurity, and all what they are looking for is learning, and practicing their #passion. For whoever says or thinks that women have made a choice not to start a #technical #career, ask them, do not assume. It all is about giving women an egalitarian opportunity to choose. Be part of the change ! The change starts with actions, and not only words. The CTF received a fantastic #support from Hack The Box, Marsh Asia, SECO Institute, and MySecurity Media. Congratulations again to the winners - we are proud of you keep going - Le Jing Chia (1st place), Jia Wen Zheng (2nd place), Monika Talekar (3rd place), Elizaveta Busygina (4th place), and See Min Lim (5th place).

Cyber Risk Leaders Magazine | 25

Cover Feature Cyber Security

Australia’s Cyber Strategy: Navigating unchartered territories needs both caution & diplomacy By Syed Munir Khasru

26 | Cyber Risk Leaders Magazine

s Australia grappled with a second wave of COVID-19 and consequent economic recession, the government unveiled its 2020 Cyber Security Strategy, while an update to its strategy on International Cyber Engagement is expected to be unveiled soon. The Strategy has been unveiled at a time when Australia faces a sharp spike in the number of cyber-attacks, a major portion of which have been state-backed. Speculations suggest China to be the perpetrator, which comes at a time when relationships between the two is already deteriorating in both the political space and trade. Given the geopolitical and economic realities that Australia face, the need for a robust International Cyber Engagement Strategy has never been more important as the country needs to deftly navigate the cyber threats through smart diplomacy. While Australia ranked a respectable 10th in the 2018 Global Cybersecurity Index, crimes in the cyberspace has been rising at an alarming rate. Cybercrimes have cost the Australian economy an estimated AU$29 billion – a staggering 1.9% of its GDP! A 2018 CISCO report found

that 81 percent of Australian companies faced more than 5,000 attacks every day, significantly higher than the global average that can be attributed to Australia being an attractive destination for hackers due to the country’s economic status. While most Australian companies have contended well with these attacks, the average cost of each of these attacks has been the highest in the Asia Pacific region with 52% of the victim companies reporting a toll between AU$ 1.3-6.9 million. Being one of the leading developed economies, Australia is not only targeted by top hackers across the world, but also by politically backed agencies. The Australian Intelligence already speculates that China was behind the cyber-attack on its parliament and three political parties prior to last year’s election. Defence Minister Linda Reynolds warned earlier this month that, cyber attacks by a national government (presumably China), have increased recently, with the country’s cyber security centre reporting an attack every 10 minutes. The COVID-19 has exacerbated this issue with around 1 in very 6 Australians

having experienced a cyber-attack during the lockdown. Such international cyber threats have increasingly become a critical challenge for the country, with the government being forced to issue a technical advisory earlier this year, detailing the most common ways that attackers might penetrate Australian networks. As the international political battlefield gradually shifts towards the cyberspace, Australia faces a situation where it not only has to protect its own systems, but also work together with its international allies in diligently balancing its international cyber engagement based on mutually agreed rules and norms. In this regard, Australia’s current International Cyber Engagement Strategy complements its national cyber security strategy by providing a blueprint of the country’s plans and activities in Asia-Pacific and beyond. The strategy pushes for increased global transparency based on existing international norms and standards of conduct, as agreed by the 2015 UN Group of Government Experts. In addition, it also details Australia’s conduct and authorization in terms of offensive military cyber capability when required.

However, as recent incidents such as the host of speculated state-backed cyber attacks originating from China show, Australia needs to ramp up its efforts and strategies in the international cyber arena in cooperation with its allies. Foreign Minister Marissa Payne’s naming and shaming countries like North Korea, Iran, Russia, and China on state backed attacks is unlikely to deter the delinquent. While the government is shoring up an investment plan of over AU$ 1.6 billion in cybersecurity defences, the battle cannot be won only through internal reinforcement, as can be gleaned from Australian Signals Directorate (ASD) boss Rachel Noble’s admission that the country is facing a “near-impossible” task in fighting crime and espionage. The benefits of cyberspace can also be the source of its flaws. With all its advantages, an interconnected global network opens up scope for hackers from all over the world to place a malware that can wreak billions of dollars of havoc while endangering lives. The solutions are neither quick nor easy, as Australia needs to proactively work with its international counterparts, to establish clear, binding rules and regulations on international cyberspace norms and operations. Australia played a key role in developing the 11 international norms for nation-state behavior in the cyberspace for the UN; it needs to follow up with more robust regulations based on transparency, that would help it work in coordination with both allies and adversaries in the cyberspace. Particularly regarding China, the issue becomes delicate as despite the recent waning of relations, China remains Australia’s largest trading partner and one pf the major foreign investors. The political and economic realities of this relationship can’t be ignored and any reckless offensive strategy in the cyberspace may not serve well Australia’s interests. Smart diplomacy is key and Australia’s upcoming international cyber engagements need to reflect that. Privacy regarding popular Chinese apps is another major issue, due to China’s controversial 2017 cybersecurity law that gives the government the right to user data upon request. Australia needs to develop robust guidelines for the operation of such entities whereby partnerships and cooperation with Australian companies for Australian users is reinforced. In this regard, key security points need to be under Australian watchdogs. The imbroglio surrounding WeChat and Tiktok in US needs to be avoided and guidelines need to reflect balance of interests. The federal government is already working to enable ASD access privately-owned critical infrastructure networks, but privacy concerns need to be addressed first before any such measures are taken. The world stands at a critical juncture where the cyberspace is increasingly becoming the battlefield between superpowers, and Australia is right at the centre of it. While Australia’s previous International Cyberspace Engagement Strategy provided a good starting point, the emerging political, economic, & military realities have necessitated a strong, robust, and realistic revision of the strategy. As Australia looks to fortify its defenses from an increasing number of state-backed cyber-attacks, the true test of the government’s craft and mettle depends on its ability to navigate the geopolitics of cyberspace.

Cyber Risk Leaders Magazine | 27

Cyber Security

Plugging the gaps: Australian organisations are leaving their defence barriers wide open for attackers By Joseph Failla leads Accenture security practice within Australia & New Zealand.

hen the Australian Government became a major target of cyber attackers in June 2020, the Prime Minister didn’t pull any punches in warning that all levels of government, critical infrastructure and essential services are under increasing attack by criminal hackers. Worryingly, Accenture data shows that only 43% of Australian organisations are actively protected, and only 58% of breaches are being found by security teams. Yet, many of the criminals succeeding in stealing data or infecting enterprise systems with ransomware are not particularly sophisticated. They are simply walking through the gaping holes in Australia’s organisational defences – gaps that leadership teams don’t even realise are there. There are multiple recent incidents where attacks were totally preventable and where companies were materially affected because they didn’t have the basics right:

•

28 | Cyber Risk Leaders Magazine

If you can’t see it, you can’t defend it – Having as much visibility as possible across the IT environment is essential. Gaining visibility might not be cheap – but it’s worth the investment. Threat hunters can help identify where the organisation lack logs for specific artefacts, before ensuring all logs are ingested by a

•

SIEM (security information and event management) tool that provides real-time analysis of all the security alerts generated by applications and network hardware. Backups won’t save you from ransomware – Many executives think their backups and offline copies are protection against ransom demands. If service is denied, they’ll simply reopen by spinning up the backup system. But now criminals have evolved their modus operandi. Domain admin access attacks are becoming more vicious. Perpetrators are selling access to other bad actors. Before deploying ransomware, they are exfiltrating sensitive information and threatening to leak the stolen data if their ransom isn’t paid. You can spot attacks before they happen – Criminals love ransomware because it’s easy to use and devastatingly destructive. In 2019, the cost of ransomware to organisations around the world increased by 21%. The good news is we can now detect moves to install ransomware in time to stop deployment. Before ransomware is rolled out, hackers need to spend weeks or months inside the system planning the attack. Threat hunters can detect traces of these actions. They look for tiny anomalies in the noise of the system and follow these ‘breadcrumbs’ to

'Understanding what you’re dealing with from the get-go improves the speed of the crisis response, reduces panic and provides confidence when briefing the market and employees. ' struggling with physical constraints, such as limited access to data centres and employee laptops, lack of a war room to convene incident response teams and limited forensics capabilities. In this environment, security leaders may need to change how they train people on cybersecurity best practice. Response teams must establish and train for new processes to mitigate attacks and security tools must match the new operating model – whether that’s in the cloud or relying on home networks. What’s more, organisations’ pre-COVID response playbooks almost certainly need updating. Regulators are demanding documentation on how enterprises are responding to breaches in the current environment, particularly when it comes to escalating ransomware attacks. Victim companies are in a difficult position, but regulators – and insurers - are not taking a kinder, gentler approach.

Do your homework now – not during a crisis

identify and stop attackers before they hit. •

•

You need to clean the house before reopening for business – Once an attack occurs, security teams are under enormous pressure to get systems up and running. But ransomware needs to be completely cleaned out or backups risk getting reinfected. The priority should be getting everything clean and 100% in working order before bringing the business back to normal operations. You should shut the stable door after the horse has bolted – Weathering an attack and getting systems back up and running is not the end of the story. Oftentimes, attackers return to the scene of the crime to see if they can get in again so continuously monitoring the compromised indicators prevents criminals using the same ‘door’ to sneak back in and do more damage.

By the time an incident is over, the executives and directors involved may wind up better versed in cybersecurity and incident response than they’d ever imagined. But, it goes without saying, they always wish they’d been as clued up before the attack hit. Getting acquainted with cyber security strategies in the half hour before the media find out the company has been hacked only adds to the stress of the moment. Understanding what you’re dealing with from the get-go improves the speed of the crisis response, reduces panic and provides confidence when briefing the market and employees. Most importantly, understanding and then putting in place the essential ‘get rights’ of cyber security – strong visibility, good tools and threat hunting – will help close the gaps and ensure the organisation is not an easy mark for opportunistic criminals.

COVID-19 makes incident response more complex than ever COVID-19 has created an additional layer of difficulty around cybersecurity practices and it’s not limited to COVID-related phishing efforts. Lockdowns and work from home have slowed breach responses. Security teams are

Cyber Risk Leaders Magazine | 29

Cyber Security

A multi-hybrid cloud game plan to strengthen business continuity with proper data management By Han Chung Heng, Senior Vice President, Systems & Alliance, Channels & ISV at Oracle JAPAC

30 | Cyber Risk Leaders Magazine

ven before the pandemic, Singapore has long highlighted the importance of digital transformation as a key driver for continued economic success. This was further reinforced in Singapore’s Fortitude Budget, where Minister Iswaran said that this crisis has crystallised the need and opportunity for digitalisation, and Singapore can only emerge stronger by making a decisive push towards a digital future. Enacting this digital readiness for business continuity effectively involves laying the groundwork and investing heavily into infrastructure now, which may seem counterintuitive during a period of uncertainty. Even on the path to recovery, disruptions can come at any moment, and businesses need to double down on extracting every ounce of value from the core ingredient of today’s digital economy – data. As an overarching strategy, there is a no doubt that leveraging systems such as the cloud puts businesses in an advantageous position. Yet, significant operational barriers do exist, and the increasingly complex and multi-hybrid IT environment that we live in add a further complication towards successful digital transformation. Legacy systems and a growing application landscape also leave companies with a rigid base, locking data into tight silos. When business teams cannot find the insights they need to make relevant, contextual decisions in, or close to, real-time, they are left relying on “gut feeling” which generates uncertain business outcomes.

So, what’s the answer? According to a 2020 Forrester Consulting study commissioned by Oracle, Moving the Needle: Data Management for The Multi-Hybrid Age Of IT, the only way for organisations to move beyond this predicament is to build an effective data management strategy that encompasses the right facets of data unification, security, and governance, all within the multi-hybrid complexity of the IT environment. In fact, multi-cloud is becoming increasingly common – with 36 per cent of the data being hosted on-premise, 19 per cent on a public cloud, and 18 per cent on a private cloud. Despite this, most – 64 per cent - are grappling with the challenges of managing a multi-hybrid infrastructure. Only one in two organisations have data preparation and pipelining that works with several stakeholders, and just 35 per cent of organisations can make data available through managed APIs and quickly generate capabilities for moving it from stores to AI and machine learning models. The survey responses also show that most organisations only have a moderate maturity in terms of data management practices, and unfortunately, moderate is not good enough to optimise the role of data in transforming businesses. And while firms are approaching data management in the right way, simplifying processes, aligning data to business priorities, and establishing frameworks for security and governance, more work is needed. In addition, the intense focus on these areas is

Cover Feature

blinding them to the opportunities of multi-cloud. This leaves them missing key ways to reduce costs, diversify – essential for business continuity – and gain the unique capabilities that multi-cloud can provide.

Cloud economics Obviously, there are economic benefits associated with cloud computing to achieve one of the ultimate goals in business continuity; the need to moderate costs and streamline budget to cater more to important operation needs. This can be further enhanced by vendor selection, given that not all clouds are created equal. For instance, the fully elastic and serverless Generation 2 cloud that allows you to only pay for what you use, is finding popularity amongst a number of users from Zoom and 8x8 to 7-Eleven Philippines (operated by Philippine Seven Corporation), JNE Express (Indonesia) and Forth Smart (Thailand) in the ASEAN region.

Making multi-hybrid cloud an asset for you So how should you approach data management in the multi-hybrid cloud era to ensure that you turn it into an asset in the long run? Here are some recommendations from the Forrester study that organisations can adopt right now: 1.

Assemble the right stakeholders: Bringing together the relevant subject matter experts across all functions and divisions within a business will help understand key requirements and identify ownership across the organisation. This prevents and eradicates siloed data strategies, which was reported by the majority of organisations (73 per cent) to be an inhibiter of better IT management strategies.

Perform a needs assessment that aligns business and IT objectives: It’s all in the technical details. With all the right people gathered in one place, the current position of the organisation can be ascertained, such as where the data lives and how it flows through the technical architecture. From a technology standpoint, this helps identify any challenges and possible improvement opportunities.

Building your implementation roadmap: While business imperatives drive change in various functional areas to streamline data access and sharing, the technology architecture enables such change to happen. A secure foundation in technology architectures should be a high priority when creating the roadmap, for example, incorporating elements of zero-trust in the IT ecosystem.

Prioritising options to build a holistic data strategy: When shortlisting options, high priority areas such as data governance and privacy have been identified in three out of every four companies, and hence should take precedence in the prioritisation process. Thereafter, leveraging on integrated platforms and solutions that simplify the IT environment are vital for businesses to create a consistent experience in a multi-hybrid-cloud world and improve business outcomes.

Diversification and innovation A multi-hybrid cloud approach can also add to these benefits and play a pivotal role in a data management strategy. For a start, it helps companies meet surging enterprise demand for multi-layered cloud data management and cross-cloud data analysis. Take the example of Nomura Research Institute (NRI), Ltd., the largest consulting firm and IT solutions provider in Japan. They have recently adopted Oracle Dedicated Region Cloud@Customer. This is to be built in the customer’s own datacentre, allowing them to use Oracle Exadata as a cloud service, which matches it’s on-premises environment to achieve greater agility and seamless expansion, while maintaining high availability at the same level as on-premises. This hybrid solution enables them to not only provide SOC2 reports based on Japanese security standards in financial industries, but it also allows access to broader cloud services and tools provided by Oracle and further increase its business value for their customers. Using Oracle’s Dedicated Region, NRI can also significantly reduce its on-premises costs and invest more in digital transformation. The adoption of multi-cloud helps satisfy the need for diversification and gain access to unique capabilities. Indeed, external technology providers play a key role in organisations’ innovation and ability to leverage new technology capabilities (such as machine learning, AI, data virtualization, containerisation) to enable new business capabilities. It also helps organisations access the multitude of data needed for generating insights and innovation. This is essential as the report particularly shows how the nature of the data collected by these organisations is changing – only a third is structured, with the remainder being a semi-structured or unstructured mix of text data, images/ video, machine-generated data, streaming data, and more. These different data types are also typically stored and managed by an array of technologies and platforms, often on different clouds.

In short, modern businesses know that adaptability depends on data, and their digital business strategies depend on effective data management. However, they must now execute this vision in an increasingly complex and multihybrid IT environment. Together with these best practices, organisations can emerge as true survivors and not only weather the storm but also open up new possibilities.

Cyber Risk Leaders Magazine | 31

Cyber Security

Cloud-native networking – the future of connectivity By Guy Matthews, Editor of NetReporter

The world is shifting its applications and workloads to the cloud as never before. This migration embraces public cloud, private cloud, hybrid cloud and inter-cloud, all of which have to be connected by the right sort of network. It’s time to move on from old school legacy options. A multi-cloud environment demands a cloud-native approach. Right now, the hottest topics in the world of enterprise-level connectivity are multi-cloud and cloud-native networking. Every CIO needs to formulate a strategy that takes account of important developments in these areas. Scott Raynovich, Chief Technology Analyst with independent analyst firm Futuriom, has been tracking some of the trends in the cloud universe, and recently shared his findings with a panel of leading industry experts in a lively virtual group discussion: “We’re seeing the great cloud shift,” he noted. “It's in the news every day, if you're reading the business or the technology sections.” Raynovich is not alone in identifying the disrupted nature of 2020 for much of the current focus on cloud, with restrictions on travel and restrictions on physical presence driving a need for remote access to vital applications and data. “This has highlighted a shift that was already going on towards the cloud,” he points out. “I called it the phase two transition to the cloud where more and more enterprises and organizations are moving applications into public cloud environments or shifting private cloud to public cloud. Zoom

32 | Cyber Risk Leaders Magazine

activity is going through the roof, with everybody using more online collaboration tools. Enterprises have gone from 80% physical presence to 20% physical presence, or less. This is highlighting the need for a flexible and elastic cloud infrastructure.”

Figure 1: Where cloud migration is at

In a complex, multi-cloud, hybrid cloud world, we need network solutions to match. Raynovich argues for a more dynamic, software-defined networking approach, based on open technologies and interoperability at the level of the API. “You need network-as-a-service, and you want to look outwards not inwards at other clouds and applications,” he argues. “A cloud-native model is much more software driven. It offers a much more dynamic way to create networks, with no need to talk to a service provider about an MPLS circuit that's going to be there for the next three years. You are configuring the network on the fly with software, which is important as we build these multi-cloud networks.” “Customers are looking for the operating models that they are used to in the cloud to be brought on prem, and everywhere else,” notes Vijoy Pandey, VP & CTO, Cloud,

Cover Feature

Figure 2: The cloud-native model

Cisco “They're looking for application and service connectivity awareness, which means they want their infrastructure to be aware of all the applications that sit above it.” Pandey also identifies a shift to edge compute, involving mobile devices and other sorts of computing elements, with centralized cloud data centres now just one entity in a whole continuum of compute capabilities. Cloud-native connectivity, he says, is about connecting all of these things together. “We are moving from bare metal applications to virtual machines, and from monolithic infrastructure and monolithic apps to composable apps and micro services,” he adds. “Networks must connect the mobile edge, and cloud-native

connectivity must connect cloud-native services.” Metcalfe's law says the value of the network is proportional to the square of the number of users, reminds Galeal Zino, Founder & CEO, NetFoundry: “Now we need a new law around distributed applications,” he adds. “It should state that the value of the network is now also proportional to the square of the number of distributed applications. This is not only on the user side, with mobile and edge and IoT, but also the back end of the applications - microservices from multiple parties across multiple clouds and across multiple administrative domains. Our job is to make the network as agile and flexible as that application environment.” The vision of Amir Khan, President, CEO & Founder, Alkira, is slightly different: “We see that public cloud and private cloud environments are providing an opportunity to create a completely flexible environment which is consumed similarly to how applications are consumed in the infrastructure,” he explains. “You need a completely elastic environment which is highly available, and which is on demand as a service, so that you can deploy your network globally in minutes and provision it in minutes, and manage and create a secure perimeter around your infrastructure.” Zino of NetFoundry notes that modern networks are now software, in particular cloud-orchestrated software: “The new edge is the application itself,” he says. “It’s about the ability of the network to be embedded into that application in a way that the application can spawn multiple

Cyber Risk Leaders Magazine | 33

Cover Feature

Cyber Security

Figure 3: Drivers of multi-cloud networking

environments, edge, cloud and so on. The challenge for us and other next gen cloud native networking providers is to abstract that for the customer and to make it simple.” Raynovich points to a cloud-native survey that Futuriom has recently conducted: “We talked to 150 communications cloud enterprise network operators and IT specialists, professionals and practitioners in the field,” he says. “We wanted to find out what multi-cloud networking represented in the minds of users.” "Our customers have one way of doing things on prem in their data centres, and they have different ways of doing things across multiple clouds,” comments Khan of Alkira. “Some are struggling with adopting a multi cloud environment, so we need to have seamless connectivity between the on prem and multiple cloud environments.” Networking has to enable innovation and agility, says NetFoundry’s Zino: “It needs to be more like a platform for use across all networking use cases. Agility is the number one requirement we hear from customers, and number two is security. The answer is to be secure by design with zero trust security. Anything else is too reactive, too slow and too expensive. AI and ML are taking decisions based on a predicted state. Imagine trying to keep up in that type of world with firewalls and reactive ‘day two’ security measures.” For a business, what matters is how quickly they can develop their apps, argues Pandey of Cisco: “The experience behind developing that app is also critical,” he continues. “Nobody wants to adopt and manage their own cloud-native networking solution. But unfortunately what’s happening is a plethora of solutions. There's complexity there and people are struggling with that. We need a seamless developer experience where somebody who's trying to build a line of business app can pick and choose the services they need.” So has the term ‘cloud-native networking’ yet achieved wide recognition as an industry category? After all, there

34 | Cyber Risk Leaders Magazine

are a lot of networking vendors that would call themselves vendors of cloud solutions but does that necessarily make them cloud native? “Cloud native networking and its definition will vary, but I think at the heart of the definition is what are we trying to enable,” believes Zino of NetFoundry. “It’s agility, it’s simplicity, it’s innovation, it’s security, it’s performance. When we say cloud native, we're talking about making networking as simple and powerful as the cloud providers have done for compute. We're talking about that same paradigm, but for networking. Go and spin up a secure high-performance network as simply and powerfully as you can spin up cloud computing.” Just because you might sit on a cloud doesn't make you cloud native, agree Pandey of Cisco: “I think we should be clear about that. And I'm not just talking about networking, I'm talking about applications, I'm talking about infrastructure in general, a VM sitting on a cloud infrastructure is not cloud native. Cloud native networking is a network that connects various components together, that connects API endpoints, service endpoints, microservices all of these cloud native components together.” Amir Khan, President, CEO & Founder, Alkira “We like looking at the use cases of customers, and what the customer needs,” says Khan of Alkira. “Our ultimate focus is on what the customer’s requirements are. When you are building an infrastructure which caters to their needs, which is a platform for networking, which is simple to consume literally in minutes, you should be able to seamlessly connect all the this infrastructure together. You need to offer a solution, which is very clearly defined. So as long as you build a platform which caters to the needs of the customers and is very simple to deploy and consume, customers are going to be happy.”

Search and find all upcoming featured courses

Plus many more! www.mysecuritymarketplace.com

Cyber Risk Leaders Magazine | 35

INDO PACIFIC SERIES

AEROSPACE, DEFENCE & SECURITY TRENDS

Series Partner October 20, 2020 - Episode 10

AI DRIVEN BIOMETRICS & SURVEILLANCE – PLUS SERIES WRAP-UP • Chris Bishop WATCH HERE • Rocky Chow

October 13, 2020 - Episode 9

AUGMENTED REASONING & CRITICAL COMMS – Interfacing Humans to Machines – CITIES & INFRASTRUCTURE DOMAIN • Simon Lucey WATCH HERE • David Nicol

October 12, 2020 - Episode 8

AEROSPACE & SPACE DOMAIN SPACE SYSTEMS & OPERATIONS • Andrew Bowyer WATCH HERE • Andy Koronios

September 29, 2020 - Episode 7

DEFENCE & NATIONAL SECURITY DOMAIN – Robotics & Autonomous Systems (29 Sept) • Martin Keetels • Andrew Yue • Stefan Hrabar WATCH HERE • James Angelus

September 22, 2020 - Episode 6

CYBER-SECURITY DOMAIN AI X Cyber Collaboration, OT Security, Threat Landscape & Critical Supply Chains • Dr Jonathan Goh • Srinivas Bhattiprolu • Andrew Ginter WATCH HERE • Feixiang He

36 | Cyber Risk Leaders Magazine

September 15, 2020 - Episode 5

DRONES & ANTI-DRONE TECH Advancements and Key Industry Players • Dr. SK Vasudeva • Air Marshal Daljit Singh • Dr Nagendra Babu Samineni • AVM Ashwani Kumar Nabh • Jacob Klain • Group Captain WATCH HERE Vikram Chauhan

September 8, 2020 - Episode 4

SPACE TECH & LEADING TRENDS Opportunities across the region • Dr Malcolm Davis • Dr Subba Rao Pavuluri • Yoichi Kamiyama WATCH HERE • Glen Tindall

September 1, 2020 - Episode 3

COVID-19 & ITS CHALLENGES Impacts on National & Regional Security • Dr Amrita Jash WATCH HERE • Dr John Coyne

August 25, 2020 - Episode 2

NATIONAL CYBER SECURITY STRATEGY • Ron Gauci • Sean Duca • Ian Yip • Vandana Verma WATCH HERE • Dr Carrine Teoh

August 18, 2020 - Episode 1

SMART CITIES STRATEGY & PUBLIC SAFETY • Dr Ian Opperman • Vi Le • Codee Ludbey WATCH HERE • Sangeeta Garg • Dr Chinmay Hegde

www.CyberRiskLeaders.com

PODCAST HIGHLIGHT EPISODES

October 18, 2020 Episode 225 – Protect & Assist – Interview with the Head of the Australian Cyber Security Centre Executive Editor Chris Cubbage speaks with Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre (ACSC). DOWNLOAD HERE

October 11, 2020 Episode 224 – DTEX Systems strong growth in alignment with Australian Cyber Collaboration Centre (A3C) Interview with Mohan Koo, Chief Technology Officer and Co-Founder of DTEX Systems and Hai Tran, Chief Executive Officer of the Australian Cyber Collaboration Centre (A3C). DOWNLOAD HERE

October 1, 2020 Episode 223 – Global Resilience Federation and the cyber threat intelligence information sharing landscape Bill Nelson is the CEO of Global Resilience Federation (GRF). Previously, Nelson was the President and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC). DOWNLOAD HERE

September 22, 2020 Episode 222 – Researchers disclose vulnerability – Code replay attack on the myGovID Scheme Interview with Ben Frengley (Masters student, University of Melbourne) and Vanessa Teague (CEO, Thinking Cybersecurity Pty Ltd and the A/Prof (Adj.), Australian National University) DOWNLOAD HERE

September 14, 2020 Episode 221 – Cyber Power Index highlighting Australian Government’s gaps in cyber capability Tim Watts MP, Shadow Assistant Minister for Communications & Cyber Security, comments on the Cyber Power Index released by Harvard’s Belfer Center which shows Australia is ranked 8th for intent but 16th for capability overall. According to Tim, the report highlights significant gaps in Australia’s capabilities on a range of objectives including offence and commercialisation and is further confirmation the Morrison Government has over-promised and never delivered on almost every metric when it comes to Australia’s cyber security capabilities. DOWNLOAD HERE

September 14, 2020 Episode 220 – An IT security perspective to Cyber Physical Systems – CISCO Systems #GTACS2020 Interview by Jane Lo, Singapore Correspondent with Joshua McCloud, National Cybersecurity Officer, Security and Trust Organization, CISCO Systems following ISACA Singapore Chapter’s GTACS 2020 conference. Taking a dive into Cyber Physical Systems for an IT security perspective. DOWNLOAD HERE

September 6, 2020 Episode 218 – Women in Cyber Security in Singapore & Malaysia – Interview with Shuchen Hu of Black Panda, Dr Magda Chelly & Jane Lo Interview with Jane Lo, Singapore Correspondent, MySecurity Media, Dr Magda Chelly, Organiser and Judge, founder of Women of Security (WoSEC) Singapore Chapter and one of the winners of the Top 20 Women in Cyber Security in Singapore – Shuchen Hu, Black Panda, Digital Forensics & Incident Response Specialist. DOWNLOAD HERE

www.CyberRiskLeaders.com

Cyber Risk Leaders Magazine | 37

Cyber Security

Defining the role of SASE in a connected future

T By Nick Savvides, Senior Director of Strategic Business APAC, Forcepoint

38 | Cyber Risk Leaders Magazine

he onset of the COVID-19 pandemic has catapulted Australian businesses towards digital transformation at a rate CIOs and CISOs around the country previously thought impossible. The mass closure of physical workspaces not only created an immediate need for remote working solutions, but also major changes and compromises in business continuity plans and security practices. Very quickly the market was flooded with those racing to the cloud. The move to cloud is not new and has been gaining significant momentum over the last 5 years. As offerings have continued to mature and diversify, more and more activities are being delivered from the cloud. It hasn’t just changed applications and systems that we use but has also changed the way we build and even think about building applications. Whether it’s storing data, team collaboration and task automation, supply chain optimisation, or controlling IoT devices, most things have been touched by the cloud. However, cloud use suddenly needed to be significantly more integrated into day-to-day operations when the working-from-home army was unable to use their employers’ onsite connections.

This gave rise to three problems for IT teams across the country: How to extend their company’s networks and resources to all remote workers; how to optimise delivery of on-premises and cloud apps in use for remote access; and how to monitor and secure all their users and network traffic efficiently. Limited on both resources and time, IT personnel quickly instituted a multitude of solutions, and often bypassed established security controls to make sure data flow and productivity wasn’t hindered. It was an important moment for many IT and cyber-security teams to learn that the business always wins – when presented with an existential threat, no matter the objections, the business will demand agility and flexibility on things that would normally be non-negotiables. Now, a few months in, most of us are in a good place vis-a-vis remote working. However, the ad hoc solutions that got us here aren’t necessarily suited for the long-term, and few companies have implemented a permanent solution that would mitigate disruption from future calamities. A solution to our current predicament presents itself in the form of a 2019 proposal by Gartner, known as ‘SASE’ (pronounced ‘sassy’).

Cover Feature

•

To maintain performance, many organisations with multiple sites and remote users are connecting directly to the internet and cloud apps using technologies like SD-WAN, bypassing centralised premises-based security gateways. This evolution in network and cloud access requires a new approach to information security that can work everywhere users need to access and interact with data. The focal point of networking and security has shifted from the data centre to the cloud - networking teams can now improve performance, consolidate the number of devices deployed, and regain visibility and control of data at the user level.

Why SASE and why now?

What is SASE? The Secure Access Service Edge (SASE) framework is an emerging security and networking architecture model which promises to converge network, web, data, and cloud app connectivity and security to be delivered via the cloud at the edge of the cloud. The new architecture is the result of an inversion of traditional network and security stack design patterns caused by a number of shifts in business requirements: • People now work remotely, from more places than ever before – more business now happens outside the boundaries of the traditional enterprise than inside. More traditional jobs are expected to be performed remotely, such as software development, IT administration, cloud operations and support using cloud-based applications and services. • Business data, and applications using that data, are rapidly moving to the cloud - old approaches such as backhauling through a central enterprise data centre with legacy appliance-based security architecture are no longer feasible.

The race to set up cloud infrastructure during the disruption caused by COVID-19 has changed the way business is conducted. The ability to access files and data off-premises has become a major asset in the effort to maintain business functions. However, in the push to move processes online, loopholes and gaps have been created which can be exploited by malicious actors who aim to use this time of “pandemic panic” to their advantage. The gaps also exist because organisations opted to extend traditional networking and security stacks for use in the cloud even when those tools don’t translate well into cloud architecture - thereby reducing the visibility, manageability, and efficacy of those solutions. SASE, on the other hand, represents a modernised approach that extends the cloud model to security. The model has been designed and optimised to help security and risk management leaders address the challenges posed by digital transformation. It also offers security and IT leaders a way to reduce complexity in their environments while ensuring security and connectivity for organisations. It’s more efficient to create a straight path to the applications for users - a “direct-to-app” approach - which will achieve better performance and user experience. SASE’s true cloud-native approach paves the way for simplified network and security administration through a centralized management hub - providing improved visibility and protection of users and data wherever they’re located. This approach improves performance as users and branches connect directly to the cloud through a single converged security layer. Finally, SASE, due to its converged nature, allows IT teams to create, monitor, and implement an agile security architecture that becomes a foundational part of digital transformation which can swiftly adapt to the needs of any business - regardless of size or complexity. It’s become increasingly clear over the past few months that traditional security product boundaries won’t deliver what’s required in a cloud-native world where people and data need to connect anywhere, any time. SASE is at the forefront of an age-defining leap in cyber security which is bound to change how we view, protect, and interact with data.

Cyber Risk Leaders Magazine | 39

Cyber Security EVENTS PARTNER FEATURE

NetFoundry and Fortress partnership and solutions By NetEvents Partner Contribution

40 | Cyber Risk Leaders Magazine

etFoundry and Fortress Data introduce the first solution to enable end-to-end, cloud-based orchestration and delivery of edge and IoT applications, regardless of how many underlay networks and clouds they traverse. The Universal Connected Compute Service simplifies networking, enabling Intelligent Edge application developers to innovate, and provides an operational structure built for the continuous compute paradigm in which apps are composed of distributed microservices, APIs and databases, with the workloads processed on compute spanning many edges and clouds. Edge Computing is the extension of the cloud computing paradigm at the edges of the network. As the Linux Foundation’s LF Edge (LFE) organization outlines, “In essence, Edge Computing is distributed cloud computing, comprising multiple application components interconnected by a network.” 1 Cloud-native applications are becoming more dynamic and distributed as they leverage advances in Edge Computing and IoT sourced data, so a simple, extensible orchestration plane and delivery fabric which can provide network-agnostic control, security and quality is becoming critical to innovation of intelligent edge applications. Modern Edge and IoT use cases where application response time and reliability is critical for success, requires compute, storage and networking capabilities to be as close as possible to the devices where data is generated and consumed. Determining the ideal edge location(s) to place these infrastructure resources involves multiple performance and economic variables across location(s), edge device compute, storage, and networking. Securing these distributed, heterogeneous compute environments

Figure 1: Cloud native applications are distributed across multiple clouds and edges

requires zero trust security be inherently designed into the networking fabric – rather than trying to bolt on a collection of disparate technologies. Fortress Data Centers and NetFoundry have teamed to provide the Universal Connected Compute Service. The Service provides instant, secure, performant, and scalable connectivity across edge and IoT app devices, Fortress Edge data centers, enterprise cores and public clouds by integrating NetFoundry's zero trust Network-as-a-Service (NaaS) platform with Fortress’s edge data center capabilities. Workloads are managed by a single cloud orchestrated set of policies and routing, regardless of all the underlying networks. Universal Connected Compute Service simplifies the implementation of advanced future leading-edge use cases such as augmented and virtual reality (AR and VR), artificial intelligence and machine learning (AI and ML), and spatial computing.

EVENTS PARTNER FEATURE

Figure 2: Cloud native applications are distributed across multiple clouds and edges

Here is an overview of how the NetFoundry – Fortress Data Centers’ Universal Connected Compute Service operates and its components and capabilities. Today’s advanced applications (IoT, AR/VR, AI/ML) are data-intensive - they push and pull data to and from devices at the Edge and to and from cloud(s), and to and from data centers. And all this needs to happen at incredible speeds. These data push and pull scenarios typically include applications, compute, and networking combined into systems and sub-systems. This “system of systems” is then inter-connected to combinations of clouds, private data centers, mobile and wireless infrastructure. An example system of systems could look like this: • Applications running on an Edge device (e.g. VR headset, laptop, mobile phone) do some local processing and then automatically route data to low latency Edge compute at a local Fortress Data Center site. • Often simultaneously, Edge applications are processing parts of the workload (e.g. video streaming and analysis) on local devices, parts running at servers at the Fortress site and parts running in clouds. NetFoundry provides zero trust security and low latency performance across this distributed compute environment, unifying all the routing, policies and controls into a single, cloud orchestrated management plane, regardless of the different underlay networks.

Figure 3. Edge-core-Cloud Continuum

neutral colocation and dense fiber interconnection designed for Edge operations. Fortress Data Centers offer 5G enabled Data Center Colocation space. The solution automatically routes local edge apps to SF1 for simple, automated, low latency compute access. Simple as-a-service model: The solution offering is a turnkey service integrating Fortress Data Centers’ capabilities with NetFoundry’s zero trust network access, cloud orchestrated platform, delivered as Network-as-aService (NaaS). All the underlying network fabric is operated by NetFoundry. All the data center capabilities are operated by Fortress Data Centers. Our clients focus on designing, building, and implementing innovative applications and software. The Universal Connected Compute Service from NetFoundry and Fortress Data Centers delivers continuous compute services for mission critical, low latency applications with strong security, and IoT and Edge computing. This joint solution enables our clients to drive innovation at scale by implementing emerging applications such as IoT, content delivery networks, AR/VR, AI/ML, gaming, video streaming, smart city, autonomous driving, blockchain, media and entertainment. LF Edge paper: Sharpening the Edge: Overview of the LF Edge Taxonomy and Framework https://www.lfedge.org/ wp-content/uploads/2020/07/LFedge_Whitepaper.pdf

The NetFoundry – Fortress Data Centers’ solution thus creates a hybrid system which orchestrates workload processing across local, Edge, private data centers and cloud sites. This is the intelligent Edge; an interconnected Edge–Core–Cloud continuum that has exponential potential for delivering new innovation for IoT and Edge distributed applications. This hybrid system is characterized as follows: Universal compute continuum: This Service offering is designed to support distributed, dynamic, low latency applications that process workloads across IoT, edge, data centers and clouds - regardless of how many networks they traverse – with unified routing, policies, and controls. Securely connected: Supporting applications operating in the Edge – Core – Cloud continuum requires a zero trust network access (ZTNA) paradigm. Legacy network security models based on carrier network boundaries, IP addresses, firewalls and VPNs simply can’t keep up with dynamic, borderless, distributed apps. Low latency compute: Fortress Data Centers’ San Francisco site (Fortress SF1) provides high density, carrier

Cyber Risk Leaders Magazine | 41

Cyber Security

The outlook for SD-WAN in a post-COVID landscape By Guy Matthews, Editor of NetReporter

SD-WAN has unquestionably been one of the most important developments in enterprise connectivity in the past several years. But given the impact of the COVID-19 pandemic what lies ahead for this market? The last few years have seen increased demand for the kind of flexibility, scalability, efficiency and security that SD-WAN can enable. It has been a dynamic market for start-ups and veteran networking vendors alike. We’ve seen the acquisition of hot new players by established names, with CloudGenix, VeloCloud, Viptela and Nuage Networks acquired by Palo Alto Networks, VMware, Cisco and Nokia respectively. Key players such as Versa Networks, SilverPeak, Fortinet, Aryaka are also currently thriving. So what’s next? Scott Raynovich, Chief Technology Analyst with analyst firm Futuriom believes the future looks good: “There are

42 | Cyber Risk Leaders Magazine

so many different applications and use cases for SD-WAN,” he points out. “At Futuriom we try to nail down why people are buying SD-WAN and what they see as the benefits. This year people see SD-WAN increasingly as a security tool.” “We found that 64% of people we asked said the main benefit was to improve security tools and orchestration of security,” adds Raynovich. “SD-WAN is also often seen as a way to compliment MPLS circuits or other private circuits and give you a cheaper way to leverage broadband or internet in a secure fashion and lower the cost of your bandwidth.” Erin Dunne, Director of Research Services with analyst firm Vertical Systems Group, views the market through a slightly different lens: “We are focused on carriermanaged SD-WAN services,” she explains. “We define that as a carrier-grade offering for business customers that's managed by a network operator, meaning you are paying a bill to a network services operator on a monthly basis.” “If you look at a timeline of what's happening in the

Cover Feature

SD-WAN carrier managed services market, we saw triple digit growth in 2019 - a very healthy and robust market,” she adds. “We saw that continue into January and February of this year. In March, we start to see the demand side stifle due to the pandemic. Installations couldn't get into the building, enterprise customers all went home, implementations are starting to either be deferred or cancelled. The hope that later in the year we'll start to see revenue kick back up and pipelines start to recover.” Shin Umeda, Vice President and Analyst, Dell’Oro Group, agrees that there has definitely been a major impact from COVID-19 on the market. He notes also that the market has become a complex mix of companies: “Some are just software based, some are analytics based and moving into SD-WAN,” he says. “It's hard sometimes to decipher exactly what companies are doing. It’s difficult for smaller players to gain momentum and to gain the installed base to be able to sustain the business. That’s perhaps why we are starting to see consolidation around a relatively small number.” Brandon Butler, Senior Research Analyst, Enterprise Networks, IDC is bullish about SD-WAN in the longer term: “This has been one of the fastest growing markets within the enterprise networking market that we've been tracking at IDC over the last couple of years. And while 2020 will dampen the market because of COVID, we believe that growth will return towards the end of this year. And then back to a fairly robust growth next year. I think some of the drivers that we see in terms of how businesses are responding in COVID times, relying more on cloud-based applications, for example, will also help to drive SD-WAN adoption into the future.” So what of the nearly 30% of Futuriom’s respondents who have not as yet made an SD-WAN move? Given all the advantages described by experts and analysts, what is holding them back? “It's probably money,” concludes Scott Raynovich, Chief Technology Analyst, Futuriom. “Most technology investment cycles are driven by upgrades. Most of the people I've talked to, who are implementing SD-WAN are evaluating branch office routers. Do they buy a new router or buy SD-WAN, which does routing and a bunch of other stuff too. The people that are stuck are probably looking for budget to go through this upgrade cycle.”

“We found that 64% of people we asked said the main benefit was to improve security tools and orchestration of security,”

Cyber Risk Leaders Magazine | 43

MEDIA CHANNELS

Cyber Security

Bringing all of the MSM channels together on one platform for the latest and greatest in security, technology and events from across the Asia Pacific and the world. Now available on Apple and Android platforms.

Commenced in November 2017, the Cyber Security Weekly Podcast has surpassed 120 interviews and provides regularly updates, news, trends and events. Available via Apple & Android. Over 55,000 downloads in the first year.

A dedicated channel for Boards, C-Suite Executives and Cyber Risk Leaders to highlight cyber threats as a key business issue.

Event opportunities in Sydney, Melbourne, Brisbane & Singapore providing attendees a special experience and additional takeaways, including podcast interviews and print media.

The Australian Cyber Security Magazine was launched in agreement with the Australian Information Security Association (AISA) to be focused on AISA’s 3,000 members, nationally and forms part of AISA’s national cyber security awareness and membership communication platform.

The Australian Security Magazine is the country’s leading government and corporate security magazine. It is published bi-monthly and is distributed to many of the biggest decision makers in the security industry. Provoking editorial and up-to-date news, trends and events for all security professionals.

MySecurity Media can facilitate specialist round-table luncheons or breakfast sessions for up to 20 invited guests for high level discussion on Security & Cybersecurity themes, guided by the Vendor’s Leaders and accompanied with published content.

My Security Media rapidly expanded into the Asia Pacific Region with its sister publication – the Asia Pacific Security Magazine. It is published bi-monthly. It is available online to read by all and upon every issue release a direct link is sent to a database of subscribers who are industry decision makers.

Dedicated channel for all things about Drones, Robotics, Autonomous systems, Technology, Information and Communications

Technology channel partner ecosystem platform with a natural focus on Big Data, Internet of Things and fast emerging technologies

The region’s newest government and corporate Technology and Security magazine, with a focus on the Southeast Asia region and the 10 ASEAN member nations

The MySecurity TV Channel delivers news and interviews for the Asia Pacific Security Magazine, Australian Security Magazine and Australian Cyber Security Magazine – and from across MySecurity Media channels.

promoteme@mysecuritymedia.com 44 | Cyber Risk Leaders Magazine

www.mysecuritymedia.com

CYBER RISK LEADERS IMMERSE YOURSELF IN THE WORLD OF A CISO (CHIEF INFORMATION SECURITY OFFICER)

“This large and diverse group paints an interesting narrative of the state of play in enterprise cyber risk.” Foreword by M.K. Palmore, Retired FBI Assistant Special Agent in Charge, FBI San Francisco Cyber Branch

“With experience and insight, Shamane has written a really useful book for existing and aspiring CISOs. I loved her unique voice, highly readable style, and wholeheartedly recommend this book.” CEO, Cyber Security Capital (UK)

“She has explored many topics long considered on the fringe of traditional security with great storytelling and insights from industry leaders.” CISO, Telstra APAC

ABOUT THE AUTHOR SHAMANE TAN advises C-Suite on uplifting their cyber risk and corporate security posture. She is an international speaker and Founder of Cyber Risk Meetups, a platform for security executives to share innovative insights and war stories.

GET YOUR COPY HERE! Proudly Published by

www.mysecuritymarketplace.com

Cyber Risk Leaders Magazine | 45

Cyber Security

Don't risk losing control of your network

T By Daniel Sultana, Asia Pacific Regional Director at Paessler

oday, every organisation ranging from those in small scale industries to large multinational banks, are dependent on their networks to connect them to the internet. Essentially, this enables them to provide all the web-based services that serve the personal and professional needs of the people and organisations they connect with daily. All organisations rely on technology to achieve optimal productivity and efficiency to drive their business success, so if the availability and performance of their network are impacted the collateral damage can be far-reaching. They need to ensure that their employees, management, customers and partners have constant ac cess to the company’s services and the network is the linchpin to all of this.

The impact of IT outages How do organisations get a handle on the impact of a failure of any part of their IT infrastructure though? For instance, what damage occurs if a mail server crashes? How much do two hours of downtime of the entire IT infrastructure cost? And how high are the financial losses and reputational damage if a website is offline for a day or longer? The fact is that the average cost of an IT outage is more than $8,000 (AUD) per minute, and because there are so many differences in how businesses operate, downtime, at the low end, can be as much as $200,000 per hour, $430,000 per hour on average, and as much as $770,000

46 | Cyber Risk Leaders Magazine

per hour at the higher end, according to Gartner. In March 2019, Google experienced a global outage that affected its Gmail and Google Drive services, which caused “error messages, suffering high latency and other unexpected behaviour” messages on users’ screens. The outage lasted for around 4.5 hours, which is about half a working day for many. But Google is not alone as there have been major outages that have caused havoc in the past year for Facebook, Slack, Zoom, Salesforce, Southwest Airlines, MyBudget and China Telecom.

Monitoring the cloud and the use of cloud apps IT teams need to protect numerous and varied network entry points, including mobile and IoT devices, Wi-Fi hotspots and cloud apps. The IT department may not always be comfortable with the cloud apps employees use at work, but they need to not only ensure the integrity of corporate systems but also set standards for the acceptable use of consumer tools that boost staff productivity, such as Facebook Messenger, Google Hangouts, Zoom and WhatsApp. Cloud apps are an important aspect of business today and the recent shift of many employees now working from home has compounded the issue further. Organisations should find the right balance between being innovative and collaborative while maintaining the right level of data security. The first step is to set up a cloud policy for the

Risks can be partially mitigated through a policy outlining the permitted use of personal devices, including the required behaviour expected from employees, which is complemented by technical risk management controls to enforce the policy and detect violations. should register their devices with the IT department before they can connect them to the network. This process should include enabling the appropriate security settings, including being able to wipe a device if it gets lost or stolen. Risks can be partially mitigated through a policy outlining the permitted use of personal devices, including the required behaviour expected from employees, which is complemented by technical risk management controls to enforce the policy and detect violations.

Mitigating the risks to the network

organisation and its employees, so they know which apps are approved for corporate use and which are banned due to poor data privacy standards and servers being located in another country. Moving storage and business software to the cloud has been so convenient for all employees, particularly now many are working remotely and the admins love it as they don't have to deal with issues over disk space and software updates anymore. Then suddenly the internet connection fails, and no one can get any work done until the connection is up again.

Personal IoT devices are todayâ&#x20AC;&#x2122;s Trojan Horses We now use private devices much more naturally in the workplace, perform certain work tasks using them, and are generally much more flexible. But what are the consequences if growing numbers of employees bring their Internet of Things (IoT) devices to work? The big issue is that attackers are now trying to exploit vulnerabilities in personal IoT devices. Some of the most spectacular IoT-related security incidents were based on exploiting vulnerabilities, although patches were already available for many of them. Patch management is an important issue for organisations to address to ensure employeesâ&#x20AC;&#x2122; personal devices have the latest software updates installed. During the employee onboarding process, employees

Security has always been one of the key concerns for networks since they first developed and today it is more important than ever to have a comprehensive strategy to mitigate risks to the network. The use of a monitoring solution as a meta security tool is a vital part of IT security and will ensure organisations have the correct security posture. Monitoring controls the functionality and reliability of all security tools and serves as a fallback to give organisations a central overview of their increasingly complex network infrastructures. If organisations can continuously monitor the performance and functionality of all components of their IT infrastructure, whether it be hardware, software or data streams, they will ensure they will be protected against data loss. It will not only provide the optimum working conditions for their employees to excel, but it will also ensure customers and partners have constant access to the companyâ&#x20AC;&#x2122;s online services.

Cyber Risk Leaders Magazine | 47

Cyber Security

Maintaining a resilient utility grid in the face of cyber attacks By Kevin Nesdale, General manager of Power Distribution, Eaton ANZ

he recent spate of malicious state-backed cyber activity directed at Australia has been a sobering reminder that without a resilient cyber security framework in place, all critical infrastructure is vulnerable. About 31% of industrial control systems have experienced a cybersecurity incident or an attempt in the past 12 months, a significant number of attempts are targeting commercial, industrial, utility and government networks, making virtually every system vulnerable. The recent attacks come as a reminder that cyber-attacks are here to stay and that certain measures must be implemented from the outset to ensure utilities are resilient in the event of a breach.

Cyber secure by design A resilient utility grid with a trustworthy cyber-network is required to mitigate the impacts induced by cyber-attacks. To eliminate the impacts of cyber-incidents, a three-phase Cyber Resiliency framework, including attack detection, response, and recovery is needed to couple cyber and physical layers along with advanced algorithms developed and implemented in each phase. As a critical element in the cyber-incident defense framework, post-contingency recovery, which belongs to the phase of attack mitigation,

48 | Australian Cyber Risk Leaders Cyber Security Magazine Magazine

acts as a last step in cyber-defense framework and plays a significant role of maintaining healthy and uninterrupted operation of modern distribution systems. Utilities should ensure that equipment purchased has cybersecurity principles included from the initial design phase. It is crucial to understand the difference in nature between IT systems and Industrial Controls for physical systems when it comes to security measures and data traffic. Cyber Resiliency Framework considers â&#x20AC;&#x153;Cybersecurity by Designâ&#x20AC;? as a principle to operational technology (OT) defence mechanisms. An example of the difference is the nature of what we are protecting - for IT systems, customer data and organisational information is the main concern for cybersecurity. On the other hand, system operations and protection against equipment damage are the sole concern when cyber resiliency plays a significant role, to ensure system availability and fallback planning when a cyber incident occurs. Connected devices and the vast amounts of data they generate create opportunities and risks for organisations; from manufacturing and testing to installation and service, which dictates a secure development lifecycle applying a defence-in-depth approach to their field devices. Utilities need to work with equipment suppliers to ensure

'cybersecurity techniques that are effective today may not be tomorrow. Administrators of industrial networks must be ever-alert to changes in their OT networks and constantly working to prevent operational exploits' Holistic approach

all intelligent electronic devices (IEDs) meet industry cybersecurity standards, regardless the location where these IEDs are deployed, from the substation level and down to microgrid level. History has taught us that utilities should increase the supply chain vendor participation in their response plan. This will create a new era of resiliency in the market and boost attention to the response. The state-of-the-art practice on system level security is bound by isolating organisational IT infrastructure and the Supervisory Control and Data Acquisition (SCADA) system using a firewall. Although this provides standardised assurance against potential attacks through the organisation IT infrastructure, the attack vectors through the OT layer is remarkably wider, due the possible lack of physical security for edge level cyber assets. At the IT level, intrusion detection is carried out by identifying an attack or vulnerabilities through monitoring access logs, audit logs, self-identification (e.g. version number and installation dates), configuration monitoring by comparison a predetermined baseline. It is also performed by monitoring software and firmware file integrity checks to identify potential tampering or design issues.

In a recent publication of the World Economic Forum, it was revealed that 54% of global utilities expect a cyberattack on their operational system. Whether the objective is to disrupt operations or create an entry point to higher value business assets (intellectual property, email, customer data), the tools and the techniques used for unauthorised network access are becoming increasingly sophisticated. Utilities would benefit from a broad-based defensive approach with an unwavering focus on the endangering malware, spyware and ransomware present across the globe. Many of the latest vulnerabilities are originating on assets with limited security oversight; electrical breakers, generators, industrial gateways, elevators, automatic transfer switches, fire protection systems, and motor controllers to name a few. A vulnerability on these provides access to higher value targets on the primary IT network, such as customer and personnel information, emails, financial records and more. Therefore, utilities should seek strategic collaboration with the vendor to employ current system level cyber resiliency measures and devote specific leadership attention to OT security so that awareness is amplified and capabilities to thwart attacks continue to evolve. In conclusion, cybersecurity techniques that are effective today may not be tomorrow. Administrators of industrial networks must be ever-alert to changes in their OT networks and constantly working to prevent operational exploits - using equipment that is secure by design is one of the keyways in which utilities can combat this using vetted equipment, while advancing their grid modernisation process.

Cyber Risk Leaders Magazine | 49

EDITOR'S REVIEW | by CHRIS CUBBAGE

COVID-19 & ITS CHALLENGES: IS INDIA FUTURE READY? Edited by VK Ahluwalia & Amrita Jash

Publishers Centre for Land Warfare Studies and Pentagon Press LLP

espite being amidst a dynamic start to the COVID-19 global pandemic, it was CLAW’s endeavour to publish an editorial and scholarly book, based on the events that unfolded until the month of June 2020; “as also to crystal gaze beyond the horizon and to shape a secure and brighter India.” True to its vision, CLAWS promptly set out to produce deep and timely guidance for appropriate policy formulation, dealing with one of the world’s most significant events in a century and with the commensurate national security issues that a pandemic brings. In context, with a population of 1.3 billion, India was always a country of concern as COVID-19 reached around the globe. Released in July 2020, this publication may be viewed as a work in progress, or Part 1, as it sets the scene on how India should and will treat the pandemic and the challenges the country faces post COVID-19. It should be noted, by September 30, India became the world’s fastest growing outbreak of the virus, crossing over 6 million infections and over 100,000 dead. The issues identified by the Editors have highlighted the aspect that

50 | Cyber Risk Leaders Magazine

old methods of quarantine and isolation cannot fully cater to India. “As is obvious, the safety only accrues to the privileged while more than half of the population is forced to face the challenges of starvation, unemployment, no-cash situation compounded with the burden of lack of heath care facilities and support.” With 11 contributors across nine chapters, culminating in ‘Making India Future Ready’ this book provides critical insight into India’s strategic challenges in 2020 and importantly, the recognition that ‘human security’ remains the preeminent domain for national security. “The security aspect needs a multi-domain approach, as non-traditional threats today pose a far greater challenge. What lies at the core, is the aspect of human security and well-being of the people. Every nation must realise that its people or human capital is its core strength. Hence, the need of the hour is to ‘realign the priorities’, such that human security takes precedence in the gamut of national security.” General Ng Vij, former Chief of the Army Staff notes in his Foreword, “The need of the hour calls for a “Re-Think and Refining” India’s national security issues and policies in practice- both at home and abroad, it is time to push the security envelope, rather than fold it further.” VK Ahluwalia, in his chapter, ‘India’s National Security: Old Threats: Imbalanced with New Challenges’, COVID-19 has brought the world to its undeclared ‘Third World War’, caused not by any kinetic action, but by an invisible enemy. Calling for a global health emergency, the coronavirus outbreak has emerged as a deadly weapon of mass destruction, bringing the world to a standstill. He correctly identifies, “Did we really learn some lessons from SARS and MERS-CoV, and did we implement them to avert future crisis? The answer is ‘No’, as the world was deeply unprepared in combating the catastrophe of COVID-19. For the reality lies in the fact that so far countries were mainly focused on the military aspect of security. This is evident from the increasing global military expenditure, which reached US$1,917 billion in 2019—the largest annual increase in a decade.” According to a WHO report, between 2011-2017, 1,307 epidemics were recorded across 172 countries worldwide. COVID-19 is a perfect example of a ‘non-military’ threat or as commonly denoted a ‘nontraditional security’ (NTS) threat that has affected the entire world, posing a threat to the survival of states and its people. Threats to human security are no longer just personal or local or national, but are transnational and beyond regional boundaries. What is noteworthy is that despite its growing vulnerabilities caused by air and water, India has not given due importance and seriousness to address these issues in its annual budget, which has increased from Rs. 2,658 crore to Rs. 3,100 crore in FY 20 -21. However, this sum is too little to address the increasing environmental security concerns

It is time for bold decisions and bold investments, and not for conservative approaches. This also is the time to move from command and control economy to plug-and-play and to build a competitive global supply chain”. — Prime Minister Narendra Modi, ICC Plenary Session, 11 June 2020. which affects human health and the natural ecosystem. In view of this, it can be argued that if survival needs of the people (water, food and health care) are affected by environmental degradation, atmospheric pollution or biological factors resulting into infectious diseases like SARS, MERS CoV and COVID-19; this could trigger social unrest.

India faces serious external threats India can leverage its strategic advantage to increase its sphere of interest and influence in the new security architecture under the Indo-Pacific. However, to achieve its rightful place, India must first identify the prominent threats and challenges that it faces or is likely to face. India faces serious external threats, the prominent ones being from Pakistan, China, the Sino-Pakistan nexus, presence of nuclear armed states, maritime security and more recently, Nepal’s claim to portions of Indian territory in Lipulekh area. What looms large in India’s security matrix is Pakistan, which itself is faced with several complex issues in the domains of politico-socio economic, civil society, judiciary, and media. However, despite its own fragility, Pakistan continues to hinder India’s national security interests. Pakistan has reduced its budgetary support to jihadis and terrorist groups due to the recession, but with support from China, it has been upgrading its military systems, information warfare systems, missiles, and nuclear arsenal capabilities. This, along with presence of Chinese security personnel in Gilgit-Baltistan region and along the ChinaPakistan Economic Corridor (CPEC), makes the aspect of collusion a grave concern for India. What significantly adds to India’s security dilemma is the China factor, wherein the threat is increasingly getting magnified. China aspires to become not only the world’s largest nation in cyberspace but also among the most powerful. However, India’s asymmetry with China is not just limited to the military capability but pervades in all domains: economy, science and technology, innovations, information and cyber capabilities, outer space, and nuclear capabilities. Notwithstanding, India has been one of the fastest growing large economies of the world. It has the potential to develop its economy to US$ five trillion in the next 4-5 years, as also upscale its comprehensive national power (CNP) to become a

global power in the years ahead. Does economic slowdown affect China’s great power ambitions? As Michael Beckley notes with caution: “When rising powers have suffered such slowdowns in the past, they become more repressive at home and more aggressive abroad” – as validated by examples from history. Applying Beckley’s assessment to the changed security scenario under COVID-19 and the resultant global recession, China could then be more aggressive in asserting its claims in areas of disputed territories as a tactic to divert the attention of the Chinese people. This would then remain an area of concern for the international community at large, and India in particular, as it shares an unresolved border with China. In the recent past, China has been aggressive on its periphery in the South China Sea (SCS), East China Sea (ECS), and the Taiwan Strait. For India, the tension has already manifested with new military flareups being witnessed along the Line of Actual Control (LAC) in Eastern Ladakh and Sikkim. Given the severity of COVID-19, it should be India’s endeavour to exploit the opportunities by acting with a sense of urgency. To seize the opportunities created by the current crisis, India needs to adopt a technology-centric approach to identify focus areas and act simultaneously on several fronts as part of its national strategy. In this perspective, as UN forecasts suggest, India’s projected economic growth is expected to slow to 1.2 per cent in 2020—a further deterioration from the already slowed growth of 4.1 per cent in 2019. The Government focus is on eight sectors: Coal, Minerals, Defence Production, Airspace Management, Social Infrastructure Projects, Power Distribution Companies, Space Sectors and Atomic Energy. India’s National Military Strategy: A Task in Hand Rakesh Sharma’s chapter. India’s National Military Strategy: A Task in Hand highlights it is imperative to understand and assess the adversarial environment that India is likely to face in the post-COVID world. The queries that demand attention are: Will this environment remain as status quo of the previous years and decades, or that a newer paradigm is created by the catastrophe wrought by the pandemic? With the warfare in the subcontinent transiting to a modern technological plane, a paradigmatic shift in India’s National Military Strategy in the postpandemic world is highly imminent. China will have a modern military capable of modern war in the future. India can ill-afford to ignore China’s increasing economic and military might, its assiduous strategic bases in Indian Ocean Rim nations, lack of progress in the Sino-Indian border talks, and close economic and military affiliations with Pakistan. Thus, India needs to revamp itself accordingly. Hence, COVID-19 has not halted China in the pursuit of its revisionist policies and geo-political

ambitions, even by use of force. If the world, wary of China’s involvement in the pandemic, were to take strong measures that would significantly put a brake on the ‘Chinese Dream’. If so, then China would prepare itself to undertake measures of strong response—also to convey to its own nation. India may then be at the receiving end of PLA’s wrath. Undoubtedly, prospective wars, whenever prosecuted, will be in multiple domains, some already evident and many off the horizon, in the process of development or under wraps.

Rakesh Sharma’s offers the following broad parameters of strategising become imperative: First, contested, unsettled borders and territory will remain important contentious issues in future wars, although the larger basis may be related to geo-political rivalries or power struggles. The likelihood of conventional force-on-force kinetic warfare will exist, and must require simultaneous planning. Second, as reliance and preparations for modern conventional kinetic war cannot be put on the back burner, substantive offensive capabilities in the form of duly acclimatised, trained and kitted force, must be available for achieving ‘across the hump’ success and consolidation. Substantial enhancement of third dimension capability will help provide requisite deterrence, and reduce reliance on massed combat power.

Third, kinetic and non-kinetic warfare may also go well beyond force-on-force engagement on the territorial sphere as well. It may utilise potent precision guided munitions, hypersonic weaponry, drone swarms, autonomous systems and stealth operational capabilities delivered by multiple modes—ground, air or projectiles. It must be unequivocally stated that with nations reeling from a heavy and serious impact of the pandemic, the initiation of an all-out conventional war is unlikely. The coercive actions and policies pursued by China and Pakistan during the course of the pandemic clearly portray the signage of the events to come in the post-p andemic phase. China will choose to be a calculative coercer and may rely on grey zone warfare. In addition, as technology has expanded the domain of warfare to an arena unheard off, such as space, tensions will also arise in new domains. Likewise, information warfare, precision weaponry and autonomous systems and many more will continue to expand to newer vistas. This makes it obvious that the measure of victory in future wars will be the successful paralysis over destruction. Assuredly, warfare has a future; the allimportant question is the typology of warfare, and what it would take to accept it as inevitable, and assiduously work to acquire the capabilities. The strategic conclusion is that technology has

fundamentally transformed the character of war, and maybe its nature too, in a significant measure. However, future wars may be without extreme violence, aggression, destruction, and mortality, and yet cause enough suffering to achieve political success. Situational Preparedness VK Ahluwalia & Amrita Jash “Making India Future Ready” bring the book’s broad discussion to the watchword for India, namely ‘situational preparedness’. In the pre-COVID phase, the global debates centred on US-China trade war, instability in the Middle East, pressure on Iran, Afghan peace process, complexities in the South China Sea, India-Pakistan tensions and increasing protests worldwide- thus, highlighting the dominant trend of instability caused by state-centric factors. An ineffective health care system, lack of understating of the social concerns, the magnitude of migrant labour workforce and its aspirations, and, above all, the preparedness to combat such an allencompassing emergency inflicted on a dense 1.3 billion population nation. In summing up and providing policy direction, the book clearly outlines ‘What India Needs to Do’ which may be easier to document than to actually achieve in the following domains:

I. II. III. IV. V. VI. VII.

Organisational Changes: Co-ordination and Integration at all levels Prioritising Health in Security Appendix Re-booting the Economy by Re-vitalising Indian Industries Leading, Engaged and Proactive Foreign Policy & Diplomacy Tap the Potential of Medical Diplomacy Defence Preparedness at All Times Finding Solutions to Practical Problems

In the current context of September 2020 and much of the pandemic and its longer term impacts yet to unfold, the book’s closing statement leaves a lasting message, "The time to act is now and not give into any further delay. For speedy recovery, the government should work in tandem with private organisations, NGOs, major Think Tanks in the country-maintaining a symbiotic relationship between policymaking and academia. The recovery process demands India to be proactive, agile, informed, responsive and responsible. As only then will India be future ready in terms of safety, security, and sustainability. Therefore, we all are at a moment of nation building and making history."

Cyber Risk Leaders Magazine | 51

Cyber Security

Search and find all upcoming featured security reports

Plus many more!

52 | Cyber Risk Leaders Magazine

www.mysecuritymarketplace.com

E TUN IN ! NOW

www.CyberRiskLeaders.com

Cyber Risk Leaders Magazine | 53

The ‘go-to’ tool for leading professionals WEBINARS WHITEPAPERS UP COMING EVENTS CONFERENCES

promoteme@mysecuritymarketplace.com

Cyber Risk Leaders Magazine - Issue 3, 2020

Articles inside

Book Review

NetFoundry and Fortress partnership and solutions

The outlook for SD-WAN in a post-COVID landscape

Maintaining a resilient utility grid in the face of cyber attacks

Don't risk losing control of your network

Cloud-native networking – the future of connectivity

Defining the role of SASE in a connected future

A multi-hybrid cloud game plan to strengthen business continuity with proper data management

Reverse engineering surveillance capitalism

Securing the next generation digital infrastructure highlights from BlackHat Asia 2020

Plugging the gaps: Australian organisations are leaving their defence barriers wide open for attackers

Collective Defence: Adopting a collaborative approach to cybersecurity

Cyber) Security Culture Eats (Cyber) Security Strategy for Breakfast

Australia’s Cyber Strategy: Navigating unchartered territories needs both caution & diplomacy

Neurodiversity in Cybersecurity skillsets

The key trends shaping successful business strategies for a post-COVID-19 world