Australian Cyber Security Magazine, Issue 5, 2018

THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au | @AustCyberSecMag | Issue 5, 2018 | $8.95 INC. GST

Cover lines:
Now you see it, now you don't
Cognitive bias in security
Reinventing the SOC – curing alert fatigue
Quantum cyber security making breaches irrelevant
Stuff GDPR!
Bad things come in small packages

PLUS WIN A COPY OF 'THE FIVE ANCHORS OF CYBER RESILIENCE'





[Conference advertisement] Building Security In An Ultra-Connected World, 4-5 September 2018 | Sheraton Imperial Hotel Kuala Lumpur

Speakers: Ira Winkler (Secure Mentem), Dato' Dr. Amirudin A. Wahab, Dr. Ken Baylor, Craig Searle, Ralph Echemendia, Reuben Paul, Dr. Keyun Ruan, Kevin Duffey, Dhillon Kannabhiran, Mary-Jo de Leeuw, Tony Chew, Adnan Hendricks, Flavius Plesu, Florian Lukavsky, Chris Cubbage, Manoj Kuruvanthody, Sazali Sukardi, Shahmeer Amir, Aloysius Cheang, Zoe Rose, Jacqui McNamara (Telstra), Abhijeet Mukherjee (Downer Group), Aatif Khan (London), David Prince (Baringa Partners).

Speaker organisations and partners as listed (Exclusively by / Supporting Organization / Media Partners / Supporting Partners): Seguru, CyberSecurity Malaysia, Cyber Shaolin, Computer Scientist, Hivint, Cyber Rescue Alliance, Baringa Partners, Vendor Security Alliance, V-Key, Microspecialist, Infosys, Bank of Ireland UK, Revnext, Hack In The Box, Sec Technologies, Veiliux, My Security Media, CSCSS.

Book Your Seats: T: +603 22606500 | E: karen@thomvell.com | W: www.cybersecurityasia.tech




Contents

In this issue: The security implications of an aging population; Reinventing the SOC; Applications of advanced data analytics; Bad things come in small packages.

Editor ASM: Chris Cubbage
Editor ACSM: Tony Campbell
Director & Executive Editor: Chris Cubbage
Director: David Matrai
Art Director: Stefan Babij

MARKETING AND ADVERTISING
T | +61 8 6465 4732
promoteme@australiancybersecuritymagazine.com.au

SUBSCRIPTIONS FOR AUSTRALIAN SECURITY MAGAZINE
T | +61 8 6465 4732
subscriptions@australiansecuritymagazine.com.au

Copyright © 2017 - My Security Media Pty Ltd
286 Alexander Drive, Dianella, WA 6059, Australia
T | +61 8 6465 4732
E | myteam@mysecuritymedia.com
www.mysecuritymedia.com

All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Print Post Approved PP100003227

[Cover of Australian Security Magazine, Aug/Sep 2018 – THE COUNTRY'S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au | www.facebook.com/apsmagazine | $8.95 INC. GST. Cover lines: Australian Government – state of cyber; Is your digital VMS a fortress; Insider threats – tactical, operational & strategic insights; Review of PMC's cabinet paper's report; Internet of Things impacting facilities management; Importance of soft skills in security; Reinventing the SOC – curing alert fatigue; Bad things come in small packages.]

CONNECT WITH US

@AustCyberSecMag
www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about
www.youtube.com/user/MySecurityAustralia

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors
Jane Lo*, Lionel Snell, Danielle Traino, Elliot Dellys, Milica D. Djekic, Vikram Sharma, Nigel Hedges, James Jordan, Kieth Suter, Jason Hilling, Guillaume Noé, Federica Bisio, Patrick Stewart, Shannon Sedgwick

Also with: www.asiapacificsecuritymagazine.com | www.aseantechsec.com | www.drasticnews.com | www.chiefit.me | www.cctvbuyersguide.com | www.youtube.com/user/MySecurityAustralia


Editor's Desk

Welcome to the latest issue of the Australian Cyber Security Magazine. 2018 has been an interesting year so far. Australia is settling into our new privacy legislation, while the rest of the world went GDPR crazy for a few months, at least until the date passed and most of the hype died down. It seems that, for now, it's back to business as usual and hopefully getting some real security done.

I have a question, though. Why is it that when a policy change like GDPR (or our own NDB scheme) is on the horizon, security vendors feel the need to resort to the playground tactics of fear, uncertainty and doubt rather than providing good, solid advice? Hackers want to steal your data and the only way to prevent being fined by the GDPR gods is to buy our product… Given the number of begging emails I received from companies not wanting to see my address drop off their mailing list, the real benefit GDPR brought to the public was that we could opt out of junk mail without having to click on unsubscribe. To me this was a welcome public service, so thanks a lot, EU.

In the last week we've also seen the second Notifiable Data Breaches Quarterly Statistics Report published by the Office of the Australian Information Commissioner (OAIC). Following the changes to our Privacy Act, Australia's introduction of mandatory breach notification means the OAIC is finally getting solid data on the number of attacks, the style of attacks and the information assets the attackers were targeting. Since the OAIC has committed to publishing quarterly reports summarising their findings, we can all benefit from looking at the numbers. This quarter's report made for interesting reading, as it told a different story from the first report back in March. Most of the breaches reported to the OAIC at the beginning of the year related to the accidental release of personal information, i.e. human error. This time things were very different. A whopping 59% of breaches were attributed to malicious or criminal activity, while human error dropped to 36%. The OAIC also received more reports this time (242, up from 63 back in March), but we need to be careful about interpreting this as anything other than more organisations knowing what to do with the new legislation. I doubt very much that the number of hacks has gone up by 400% in a couple of months; people are simply understanding the law better and likely erring on the side of caution, reporting even small breaches to the OAIC.

Another interesting observation is that the focus of security efforts is biased towards cyber, and not enough time is spent on the other domains. The conversation over the past few years, since the Australian government released our national cyber security strategy, has been all about cyber. Yet the recent discovery of government data in second-hand filing cabinets told a very different story. This latest report from the OAIC shows that physical security is as important as cyber, and that theft is as much a threat vector as anything digital. The lesson is that we need to take security back to grass roots and remember it's a business process that includes the cyber, physical, personnel and business domains, underpinned by an approach to risk management that is appropriate for the organisation you're trying to protect.

Which brings me to this issue's content. We've covered a wide array of subject matter to make sure we're not missing these important security domains. Convergence across all these different security disciplines is the only way to really stay ahead of the adversaries. Some of the articles we've chosen explain aspects of security that may be somewhat alien to cyber security professionals, such as Elliot Dellys's discussion of cognitive bias in security. Psychology, especially in business, and the biases of managers are important characteristics of the customers security professionals serve, so understanding how these biases factor into decision making, and making sure you use cognitive bias to your advantage rather than against you, is a useful tool for the figurative security kit bag. Vikram Sharma's article on how, soon, quantum cyber security could make data breaches irrelevant is also an interesting viewpoint. His team is working at the cutting edge of quantum research, alongside some of Australia's leading universities and the defence sector, to mature this technology into the next generation of security products. We'd love to hear your feedback on this article, as this technology will be a game changer when it becomes mainstream. Returning author Guillaume Noé echoes some of the sentiment I expressed earlier in his article, flippantly titled Stuff GDPR! As he says, "you could assess the real risk of noncompliance to your business and the opportunity that complying could provide. You could then make an informed business decision to either ignore it or make the most of it." Finally, I'd urge you to read Nigel Hedges' article on the importance of soft skills in being a successful security professional. It's not just about having great PowerPoint skills or being good at using Twitter. Rather, soft skills are the facets of emotional intelligence that allow you to empathise with those around you and deliver the right kind of communication at any level of the organisation. Importantly, security professionals need to ditch the techie mentality, where you scathingly tolerate users and look down on anyone who doesn't understand the difference between AES-256 and SHA-1. It's hard sometimes, I know, but well worth trying.

We hope you enjoy this issue, with some of our focus shifting from pure cyber to those other aspects of security in a more holistic treatment of the problem. As usual, feedback is welcome and should be sent to editor@australiancybersecuritymagazine.com.au. Stay safe and secure, and see you next time.

Tony Campbell
Editor


Cyber Security

Applications of advanced data analytics: cyber security challenges – an aizoOn approach

By Federica Bisio and Daniela Traino

In the last few years, passive analysis of network traffic has become a challenging task due to the high variability of organisations' IT networks. This often makes classical signature-based, or even statistical, detection approaches insufficiently accurate at detecting potentially anomalous or malicious traffic, because they pay little attention to the behaviour of network users. For this reason, the disciplines of machine learning and data mining have become increasingly appealing for solving several types of cyber security problem. Passively analysing network traffic to identify and assess potential anomalies can be greatly assisted by tools from the Big Data world: network traffic analysers produce huge amounts of data per second, which can be used to train machine learning algorithms to learn what can be defined as the "normal" behaviour of a network and to determine what, instead, is distant from this baseline and can therefore be considered potentially malicious.

Machine learning is a powerful tool for extracting meaningful information and building models of users' behaviour, but it does have drawbacks. Data may be corrupted or noisy, and the resulting models may produce a high false positive rate. This limitation can be mitigated first by choosing descriptive features to feed to the algorithm, and second by integrating the contributions of different algorithms to make the structure more robust. Another option is to model not only single network users but also groups of users sharing common behavioural characteristics. The false positive problem is particularly acute when model creation is unsupervised, i.e. no data labelling is required and no additional information is provided; in that case we may not know a priori whether a pattern is malicious or not. Although the supervised approach is usually more effective thanks to the additional information, the unsupervised approach enables the identification of 0-day attacks and malware never seen before, for which no labels can be provided. The unsupervised approach therefore enables algorithms that learn the behaviour of a network by themselves, spot unusual activity, and automatically detect patterns and relationships without a priori information or human input. To mitigate the false positive limitation of unsupervised machine learning, at aizoOn we employ an approach based on both the development of machine learning algorithms and data mining techniques specifically tailored to the cyber security problem. We have defined "advanced cyber security analytics" as the threat knowledge generated from the combination of three approaches:


• Rule-based knowledge (or "white box approach"): we integrate open source intelligence (OSINT) sources and any other valuable information to create rules that raise alerts or warnings for the network under analysis.
• Analytics knowledge (or "grey box approach"): using data mining techniques to automate, in near real time, the tasks and knowledge that the human in the loop would otherwise apply, i.e. the cyber security analyst's knowledge and general approach.
• Machine learning knowledge (or "black box approach"): using machine learning algorithms to learn the normal behaviour of the network and hence spot possible deviations from it.

In this article, we discuss how the second and third approaches can be extremely useful when applied to two real use cases: covert channel detection (our most recent research) and Domain Generation Algorithm (DGA) detection (recently published). While not discussed herein, aizoOn has also published research into Fast Flux network detection techniques (to be presented in September 2018, London, UK).

Covert channel detection

Covert channels are an increasingly significant threat for organisations. For example, in late 2017, Advanced Persistent Threat campaigns by criminal groups such as FIN7 employed covert channels, in addition to phishing and remote access trojans, to maintain access to and exfiltrate sensitive data from a number of US organisations, with a particular focus on personnel who managed SEC filings. A covert channel can be defined as a way of exploiting network resources never intended for communication in order to transfer data; the aim of the technique is to extract meaningful information from an organisation's network. There are two types of covert channel:
• Storage covert channels, where the covert bits are embedded in fields of the communication protocol under analysis (e.g., DNS, HTTP, SMB, SSL);
• Timing covert channels, based on the manipulation of the timing or ordering of network events (e.g., packet arrivals).

The state-of-the-art techniques for detecting the two types differ:
• For storage covert channels: Markov chains and descriptive analytics;
• For timing covert channels: statistical tests on the traffic distribution (e.g., Kolmogorov-Smirnov), regularity tests of time variations within the traffic, entropy and conditional entropy calculation, and machine learning (especially Support Vector Machines, or SVMs, and Bayesian networks).

In this article we discuss our threat detection research into the first type, storage covert channels, while borrowing some detection techniques from the timing covert channel literature. Covert channels remain a significant concern for defenders and threat hunters mainly because:
• conventional intrusion detection and firewall technologies frequently fail to detect them;
• the high variability of an organisation's network traffic often makes traditional statistical approaches insufficiently accurate;
• distinguishing covert channels from legitimate communications is difficult without behavioural analysis;
• efforts to date have focused on tunnelling techniques, and less on data exfiltration analysis.

To mitigate these issues, the general algorithm we developed for covert channel detection employs machine learning techniques in two phases:
• Training phase: assess the network under analysis and use machine learning algorithms to create models that describe its normal behaviour;
• Test phase: validate whether something anomalous and/or potentially malicious is occurring in the network.


The training phase includes:
• Feature extraction: we passively extract from the network all the information able to describe the problem at hand. Information is extracted by a network analyser and includes, but is not limited to: source IP, destination IP, ports contacted, number of bytes transmitted, queries performed, user agents employed and cookies.
• Classifier training: a classifier (or "machine learning engine") is trained on the extracted features. In this research we integrated two well known state-of-the-art classifiers: Bayesian networks and Support Vector Machines (SVMs). These represent two different approaches in machine learning: the first is probabilistic and builds a graph describing the probabilistic dependencies between variables, while the second follows the frequentist approach and tries to maximise the margin between the classes we want to separate (in our case legitimate and malicious). While Bayesian networks can be used in an unsupervised way, SVMs are built as supervised classifiers, so we used the one-class SVM variant in order to apply the algorithm in an unsupervised manner.

The test phase involves:
• Filtering and whitelist removal (events known to be trusted).
• An anomaly detection module: the previously trained classifier is applied to new data to validate whether it conforms with the normal behaviour; patterns that do not conform are passed to the advanced analytics module.
• An advanced analytics module: applied only to the patterns the anomaly detection module flagged as abnormal, employing analytics specific to the protocol under analysis (at this stage of our research, DNS and HTTP). Here we considered selected anomaly indicators tailored to the protocol and averaged them to build an anomaly index. If the anomaly index for an event is statistically significant, we report the event as potentially malicious.

It is important to note that all our analysis was performed from a behavioural point of view: the event may not necessarily be malicious per se, but it is abnormal compared to the models generated by the algorithm. This information could be useful not only to cyber security professionals but also to system operators in determining other non-compliant or inappropriate behaviour or resource consumption.

Anomaly indicators used during our DNS covert channel research:
• Number of hostname characters >= 50
• Percentage of numeric characters >= 20%
• Number of unique characters >= 27
• High percentage of repeated consonants in the hostname
• High entropy
• High distance from the distribution of monogram frequencies of legitimate patterns
• High number of hostnames per domain

Fig 2. Average of initial results from our covert channel detection research

                          DNS covert channel   HTTP covert channel
                          (3 samples)          (3 samples)
Precision                 98.7%                73%*
False positive rate       1.3%                 27%*
False negative rate (FN)  1%                   0.3%
Recall                    99%                  99.7%
F-score                   0.988                0.793

* few samples available to fully test the algorithm

Note that in each column precision and false positive rate sum to 100%, as do false negatives and recall, so the "false positive rate" here is the share of alerts that were false alarms rather than a rate over all benign events.
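As an added example, not code from the authors or from aizoOn's platform, the following Python implements the DNS indicators listed above as a small training and test pipeline: a monogram frequency baseline is learned from legitimate query names (training phase), every observed name is scored on each indicator, and the hits are averaged into an anomaly index (test phase), as the advanced analytics module described earlier does. The three numeric thresholds are the article's; the remaining thresholds, the reading of "repeated consonants" as adjacent consonant pairs, the two-label registered-domain assumption and the sample names are assumptions made here.

```python
"""DNS storage covert-channel indicators with a training and a test phase.

Added example, not aizoOn's code: scores each DNS query name against the
indicators listed in the article, learns a monogram frequency baseline from
legitimate names (training phase) and averages the indicator hits into an
anomaly index (test phase). The first three thresholds are the article's;
the others, the "repeated consonants" reading (adjacent consonant pairs),
the two-label registered domain and the sample names are assumptions."""
import math
from collections import Counter, defaultdict

MAX_LEN = 50                 # article
MAX_DIGIT_RATIO = 0.20       # article
MAX_UNIQUE_CHARS = 27        # article
MAX_ENTROPY = 4.0            # bits per character, assumption
MAX_REPEAT_CONSONANT = 0.15  # assumption
MAX_MONOGRAM_DIST = 1.0      # L1 distance, assumption (large for short names)
MAX_HOSTS_PER_DOMAIN = 20    # assumption
CONSONANTS = set("bcdfghjklmnpqrstvwxyz")


def hostname_labels(qname):
    """Split a query name into (subdomain part, registered domain). Assumes a
    two-label registered domain such as example.com; no public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def repeated_consonant_ratio(s):
    """Share of adjacent character pairs that are both consonants."""
    if len(s) < 2:
        return 0.0
    return sum(a in CONSONANTS and b in CONSONANTS for a, b in zip(s, s[1:])) / (len(s) - 1)


def monogram_distribution(strings):
    """Training phase: character frequencies over legitimate subdomain text."""
    counts = Counter()
    for s in strings:
        counts.update(s)
    total = sum(counts.values()) or 1
    return {ch: c / total for ch, c in counts.items()}


def monogram_distance(s, baseline):
    """L1 distance (0..2) between the monogram distribution of s and the baseline."""
    if not s:
        return 0.0
    dist, n = Counter(s), len(s)
    return sum(abs(dist.get(ch, 0) / n - baseline.get(ch, 0.0)) for ch in set(dist) | set(baseline))


def indicators(qname, baseline, hosts_per_domain):
    """Boolean hit for each indicator on one query name."""
    sub, domain = hostname_labels(qname)
    text = sub.replace(".", "")
    digits = sum(ch.isdigit() for ch in text)
    return {
        "length": len(text) >= MAX_LEN,
        "digit_ratio": bool(text) and digits / len(text) >= MAX_DIGIT_RATIO,
        "unique_chars": len(set(text)) >= MAX_UNIQUE_CHARS,
        "repeated_consonants": repeated_consonant_ratio(text) >= MAX_REPEAT_CONSONANT,
        "entropy": shannon_entropy(text) >= MAX_ENTROPY,
        "monogram_distance": monogram_distance(text, baseline) >= MAX_MONOGRAM_DIST,
        "hosts_per_domain": hosts_per_domain.get(domain, 0) >= MAX_HOSTS_PER_DOMAIN,
    }


def anomaly_index(qname, baseline, hosts_per_domain):
    """Test phase: mean of the indicator hits, 0.0 (normal) to 1.0 (all fired)."""
    hits = indicators(qname, baseline, hosts_per_domain)
    return sum(hits.values()) / len(hits)


def score_queries(legit_qnames, observed_qnames, threshold=0.5):
    """Train on legitimate names, score observed names, return (qname, index)
    for every name whose anomaly index reaches the threshold."""
    baseline = monogram_distribution(hostname_labels(q)[0].replace(".", "") for q in legit_qnames)
    subs = defaultdict(set)
    for q in observed_qnames:
        sub, domain = hostname_labels(q)
        subs[domain].add(sub)
    counts = {d: len(s) for d, s in subs.items()}
    scored = ((q, anomaly_index(q, baseline, counts)) for q in observed_qnames)
    return [(q, idx) for q, idx in scored if idx >= threshold]


# Constructed sample traffic: ordinary names plus 20 tunnel-style queries that
# carry 52 characters of base32-like payload in the subdomain label.
LETTERS = "abcdefghijklmnopqrstuvwxyz"
PAYLOAD_DIGITS = "234567" * 4 + "23"
SAMPLE_LEGIT = ["www.example.com", "mail.example.com", "cdn.example.net", "login.example.org",
                "api.example.com", "static.example.net", "docs.example.org", "blog.example.com"]
SAMPLE_TUNNEL = [LETTERS[i:] + LETTERS[:i] + PAYLOAD_DIGITS + ".exfil.test" for i in range(20)]


def demo():
    """Score the constructed sample; returns the flagged (qname, index) list."""
    return score_queries(SAMPLE_LEGIT, SAMPLE_LEGIT + SAMPLE_TUNNEL)


if __name__ == "__main__":
    for qname, idx in demo():
        print(f"{idx:.2f}  {qname}")
```

Two indicators fire on some ordinary names as well (for example, "www" is all consonants and far from the baseline monogram distribution), which is why the decision is taken on the averaged index rather than on any single indicator; on the sample above the legitimate names stay at or below 2/7 while the tunnel queries reach 1.0.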

Anomaly indicators used during our HTTP covert channel research:

Cookie analyses (cookies defined as key-value pairs):
• Malformed cookie (no key=value pairs)
• High length of the key field
• High entropy of the key field
• High distance of the key field from the distribution of monogram frequencies of legitimate key fields
• High distance of the key field from the distribution of bigram frequencies of legitimate key fields
• High variability of the cookie within the same communication (same source-destination pair) in a short amount of time

User agent analyses:
• High length
• Missing user agent
• Presence of disallowed or special characters
• High variability of user agent tokens within the same communication (same source-destination pair)
• Unique user agents

Our research here built on a recent Akamai study, "Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol", and went further by contributing:
• a refined feature extraction phase;
• two classifiers combined in the anomaly detection phase to further reduce false positives;
• extended analysis to include HTTP covert channels;
• improved analytics (speed and accuracy) as a result of these contributions.

So far, our research has shown promising and positive results (Fig 2). The effectiveness of our augmented approach was confirmed by several experimental sessions on a production-like network infected with real malware samples over a period of time. Our covert channel research is ongoing, with plans to extend and publish the analysis of other protocols (e.g. SMB, ICMP) and encrypted traffic (e.g. SSL). This is part of aizoOn's continuous R&D mission to codify new passive techniques that detect cyber security threats in near real time (reducing malware dwell time) and, among other things, save significant threat analyst time.

Detection techniques for Domain Generation Algorithms (DGA)

We continue to see botnets (networks of compromised computers, also referred to as zombies or bots, controlled by a remote attacker or "bot herder") play an increasing role in cybercrime. Botnets are usually highly distributed and highly changeable, making tracking and recovery of all the infected components very difficult. A common way for bots to locate their Command and Control (C&C) servers is the dynamic generation of domain names using a Domain Generation Algorithm (DGA), also known as domain-flux. Each compromised host automatically generates hundreds or thousands of pseudo-random domain names that represent candidate C&C domains. The bot sends DNS queries for them until one resolves and it connects to the IP address associated with that domain. The advantage of this technique for the attacker is that if one or more C&C servers are identified and taken down, the bot will query the next set of automatically generated domains and will eventually reach a relocated C&C server. DGA detection is therefore of critical importance in cyber security.

A considerable number of approaches to DGA detection have been implemented to date, and many recent works have focused on supervised or signature-based analysis of DNS traffic. Nonetheless, the highly dynamic DGA realm has often limited these approaches to particular scenarios. In late 2017, the aizoOn team presented our research contribution to DGA threat detection techniques. The method is unsupervised and consists of two steps (graphically depicted in Fig. 3). The first step is the detection of a bot looking for its C&C by querying many automatically generated domains. The second step is the analysis of the resolved DNS requests in the same time interval. The linguistic and semantic features of the collected resolved and unresolved domains are then extracted in order to cluster them into groups and identify the specific bot. This experimental evaluation was tested on different malware families employing several DGAs and led to very successful detection results. For example, we observed a 100% detection rate over 40 DGA snippets belonging to different malware families (in a real case scenario, the false positive (FP) rate was 0.01% on unresolved DNS requests and 0% on resolved DNS requests). Further details of our techniques and approach are available in our published research paper [1].
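The two-step structure described above, as an added example in Python that is not aizoOn's published method or code: step 1 flags a source that receives many NXDOMAIN answers inside a short window (a bot walking its list of candidate C&C names), and step 2 takes every name that source queried in the same window, resolved or not, extracts simple linguistic features of the leftmost label, groups the names by a shared signature (label length, alphabet class and TLD) and reports the resolved names in the largest group as candidate C&C domains. The window length, the threshold, the signature, the feature set and the log lines (including the pseudo-random labels standing in for DGA output) are all assumptions constructed for this example.

```python
"""Two-step DGA (domain-flux) detection over a DNS query log.

Added example, not aizoOn's published method or code. Step 1 flags a source
that gets many NXDOMAIN answers inside a short window (a bot walking its list
of candidate C&C names). Step 2 groups every name that source queried in the
same window, resolved or not, by simple linguistic features and reports the
resolved names in the largest group as candidate C&C domains. Window,
threshold, signature and the log lines are assumptions made for this example."""
from collections import defaultdict, namedtuple

DnsEvent = namedtuple("DnsEvent", "ts src qname rcode")  # rcode: NOERROR | NXDOMAIN
WINDOW_SECONDS = 60      # assumption
NXDOMAIN_THRESHOLD = 20  # assumption
VOWELS = set("aeiou")


def parse_log(lines):
    """Parse constructed '<ts> <src> <qname> <rcode>' lines."""
    events = []
    for line in lines:
        if line.strip():
            ts, src, qname, rcode = line.split()
            events.append(DnsEvent(float(ts), src, qname.lower().rstrip("."), rcode))
    return events


def nxdomain_bursts(events, window=WINDOW_SECONDS, threshold=NXDOMAIN_THRESHOLD):
    """Step 1: {src: (start, end)} for sources with >= threshold NXDOMAIN answers
    within `window` seconds; the window starts at the first answer of the burst."""
    per_src = defaultdict(list)
    for e in events:
        if e.rcode == "NXDOMAIN":
            per_src[e.src].append(e.ts)
    bursts = {}
    for src, times in per_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts[src] = (times[lo], times[lo] + window)
                break
    return bursts


def features(qname):
    """Linguistic features of the leftmost label plus the TLD."""
    labels = qname.split(".")
    label, tld = labels[0], labels[-1]
    if label.isalpha():
        alphabet = "alpha"
    elif label.replace("-", "").isalnum():
        alphabet = "alnum-hyphen" if "-" in label else "alnum"
    else:
        alphabet = "other"
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label) if label else 0.0
    return {"length": len(label), "alphabet": alphabet, "tld": tld, "vowel_ratio": vowel_ratio}


def signature(feat):
    """Grouping key: a DGA family usually fixes label length, alphabet and TLD."""
    return (feat["length"], feat["alphabet"], feat["tld"])


def cluster_window(events, src, win):
    """Step 2: group every name `src` queried inside `win` by signature."""
    start, end = win
    groups = defaultdict(lambda: {"resolved": set(), "unresolved": set()})
    for e in events:
        if e.src == src and start <= e.ts <= end:
            bucket = "unresolved" if e.rcode == "NXDOMAIN" else "resolved"
            groups[signature(features(e.qname))][bucket].add(e.qname)
    return dict(groups)


def candidate_c2(events):
    """Both steps: {src: (signature, sorted resolved names)} for the group holding
    the most unresolved names, i.e. resolved names that look like the DGA output."""
    result = {}
    for src, win in nxdomain_bursts(events).items():
        groups = cluster_window(events, src, win)
        key = max(groups, key=lambda k: len(groups[k]["unresolved"]))
        result[src] = (key, sorted(groups[key]["resolved"]))
    return result


def _lcg_labels(seed, count, length, alphabet="abcdefghijklmnopqrstuvwxyz"):
    """Deterministic pseudo-random labels standing in for DGA output (constructed)."""
    state, labels = seed, []
    for _ in range(count):
        chars = []
        for _ in range(length):
            state = (1103515245 * state + 12345) % (1 << 31)
            chars.append(alphabet[(state >> 16) % len(alphabet)])
        labels.append("".join(chars))
    return labels


def sample_log():
    """Constructed log: 10.0.0.7 browses with two typos; 10.0.0.5 walks 30 generated
    .info names one second apart, then one name of the same family resolves."""
    lines = ["1000 10.0.0.7 www.example.com NOERROR", "1005 10.0.0.7 gogle.com NXDOMAIN",
             "1010 10.0.0.7 facebok.com NXDOMAIN", "1020 10.0.0.7 mail.example.com NOERROR"]
    for i, label in enumerate(_lcg_labels(42, 30, 12)):
        lines.append(f"{2000 + i} 10.0.0.5 {label}.info NXDOMAIN")
    lines.append("2030 10.0.0.5 kqzvdxprtwbn.info NOERROR")     # the relocated C&C
    lines.append("2031 10.0.0.5 update.example.com NOERROR")   # unrelated, same window
    return lines


if __name__ == "__main__":
    print(candidate_c2(parse_log(sample_log())))
```

The typo queries from 10.0.0.7 never reach the threshold, so only 10.0.0.5 is examined; within its window the unrelated update.example.com lands in a different signature group from the 12-letter .info names, and only kqzvdxprtwbn.info is reported. A real deployment would whitelist known-good domains before step 2 and tune the window and threshold to the network's own NXDOMAIN baseline.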

Parting words...

It is clear that advanced data science together with cyber security expertise enables defenders, analysts and threat hunters across increasingly complex operating environments to better detect, contain and respond to evolving cyber attack methods. While this requires continuous research and development by the cyber security community, aizoOn continues to contribute to this collaborative effort, both government- and industry-wide.

About the authors (references available upon request)

Daniella Traino is cyber track leader for the Spark Festival (a NSW festival celebrating entrepreneurs and entrepreneurship), a non-executive director and strategic advisor to IoTSec Australia (a not-for-profit organisation influencing IoT cyber security innovation) and a member of the Research Advisory Committee for the Internet Commerce Security Laboratory (ICSL), a cyber security research unit of Federation University Australia. At aizoOn Australia, Daniella is responsible for setting the strategy and leading the cyber security division across three areas of capability (product development, consulting and R&D) for the Asia Pacific region.

Federica Bisio is a senior data scientist in aizoOn's Cyber Security Division. Federica's expertise includes developing data-driven algorithms for anomaly and abnormal behaviour detection, which become codified in aizoOn's threat detection platform. Federica obtained a PhD in Electronic Engineering, Information Technology, Robotics and Telecommunications at the University of Genoa (Italy), with an exchange program at the Nanyang Technological University of Singapore; her thesis involved machine learning applications in network security.

Cognitive bias in security We have new tyres, but the car’s still burning…

H By Elliot Dellys

ad you believed the headlines over the last twelve months, some of our most commonly used technologies would now be unusably insecure, including Bluetooth, WPA2, and any Intel or AMD processor made after 1995. Add to that the constant, ominous threat of the latest and most terrifying form of ransomware, and you could be excused for thinking that securing your devices and networks is a lost cause. Yet just as quickly as these threats appear, they often seem to fade away. While of course this is largely due to the protection offered by security patches, I believe there is something more interesting at play. The Chicken Little syndrome that infects so many organisations in the aftermath of an announcement of a new vulnerability or malware strain, is undeniably pervasive and can cost organisations millions in wasted time and resources. In the last issue we looked at Spectre and Meltdown – attacks that leveraged speculative execution with potentially disastrous results, including sensitive information disclosure and browser-based remote code execution. However, we also uncovered why these vulnerabilities are unlikely to be your organisation’s most pressing cyber risk. Using the analogy of worrying about the tyres of a burning car, I proposed that security decision-makers can easily fall foul of paying disproportionate attention to the new and exciting, while continuing to overlook the enduring and mundane, exposing organisations to risks that are far more potent. In this issue, we will look at how the 24-hour news cycle may affect public debate and lead to security decisions

12 | Australian Cyber Security Magazine

that are unnecessarily influenced by hype. We will also look at trending security search-term data over the last 12 months, contrasted against breach and security expenditure statistics, to demonstrate how this cognitive bias may play out at scale. To continue the analogy from Issue 4, organisations are buying new tyres, but wondering why their cars are still burning. To help manage this risk, I will offer some structured analytic techniques that can counter cognitive bias or group-think to ensure your security strategy is delivering the best possible return on investment. First and foremost, the fact that vulnerabilities that are not being actively exploited in the wild can make front page news is a telling sign of the booming public interest in cybersecurity. While this trend has clear benefits for the industry and the communication of good security practices, there are some comparatively poorly understood drawbacks. One is that organisations that have not implemented basic security measures, have never conducted a phishing exercise, or are sitting on unactioned penetration test or audit findings, are consistently focussing time and effort on whatever vulnerability or malware strain is making the headlines. While wanting to know your organisation’s exposure to KRACK, BlueBorne or Meltdown/ Spectre is not inherently wrong, security budgets are finite. Considering many of the highly publicised vulnerabilities or attacks over the last twelve months are difficult to exploit – or are yet to be seen outside of a lab at all – why are they the focus of so much attention? This is particularly curious when adhering to commonly-known and relatively simple


Cyber Security

Google Trend data on cybersecurity search terms. From left to right: Wannacry, Petya, Krack, BlueBorne, Spectre and Meltdown. Note that each line represents relative and not absolute search volumes.

security practices (e.g. regular patching) is often sufficient for mitigation. At least in part, the cause simply seems to be that high-end threats make for better news stories. A self-propagating zero-day attack, capable of jumping from device to device via Bluetooth, is far more thrilling than an employee clicking on a link or improperly configuring an S3 bucket. Yet it is the latter that has been responsible for the leaking of hundreds of millions of records over the past 12 months.

This disconnect between entertaining narrative and mundane reality is of course not unique to the security industry, but is the foundation of propaganda and (although I cringe using the term) "fake news". It therefore makes sense to draw on a discipline not often seen in cybersecurity discussions to find an explanation. The study of media effects, a branch of communications theory that investigates how media consumption shapes human thought and behaviour, is clearly fit for purpose. The earliest studies of the impact of the media on behaviour emerged following the growth of Hollywood in the 1930s and the profoundly disturbing impact of propaganda in Nazi Germany. Unsurprisingly, the theories that emerged from this historical context stipulated that people were passive sponges, easily swayed by the mainstream media. We know these now as "hypodermic needle" or "magic bullet" theories, due to the perception that the media had a direct and irresistible influence in shaping public thought. Over time, as more data became available and greater academic rigour was applied, more nuanced theories emerged. One of the more enduring, and credible, is known as the "uses and gratifications" theory, which posits that the public selects and consumes media from a wide variety of sources to achieve a particular goal. This in turn can reinforce bias, as pre-existing beliefs are strengthened by a prejudicial selection of media.

In the context of security, only reading about the worst-case scenarios for a KRACK attack can solidify your existing beliefs or fears. This effect is no doubt compounded by the tendency of the media and security vendors to exaggerate or dramatise the impact of the latest security scare to boost readership or flog products. In the aftermath of the publication of the Meltdown and Spectre papers, headlines referred to the vulnerabilities as a "train wreck", for which vendors were "scrambling" and the patches were a "disaster". Language like this does little to temper the paranoia that can mask a business's actual risk exposure.

What is more interesting still is the pattern of how we consume dramatic cybersecurity news. By plotting relative search-term interest (derived from Google Trends) for different security hot topics over the last twelve months, it is possible to see a pattern of surging interest followed by an equally abrupt decline. Further, the frequency of these flurries of activity is so steady that it almost resembles the intervals of a human heart rate on an ECG (see the Google Trends chart above). While media attention and genuine risk exposure are by no means mutually exclusive, it is concerning to consider that strategic thinking could be driven by the 24-hour news cycle. A robust security culture is the product of diligence, patience and persistence in managing risks over time, with a keen eye for shifts in the threat landscape, not reactionary erraticism to whatever is on the cover of this month's Wired (or the ACSM, for that matter!).

So, how do these spikes in activity align with the causes of security breaches at large? In Australia, some insight can be found in the Notifiable Data Breaches scheme's quarterly statistics report, which reveals that of the 63 breaches reported between 22 February 2018 (when the scheme took effect) and 31 March 2018, over 50% were due to human error. These figures are also reflected abroad. According to Gemalto's 2017 Year in Review, 76% of breached records were due to accidental loss. Shockingly, this figure represents an annual increase of nearly 580%. Mismanagement of cloud repositories was a leading factor in this growth, with typically security-aware organisations, such as the National Security Agency and Accenture, falling victim to misconfigured S3 buckets.
Others, holding vast amounts of personally identifiable information, lost as many as 123 million (Alteryx) and 198 million (Deep Root Analytics) records due to AWS misconfiguration. Clearly, not getting the basics right can be disastrous. This is further reflected in the fact that only 3.12% of breach events affected encrypted data. At the very least, implementing simple security measures can be a deterrent, by increasing the time and effort an attacker must invest, even when using the newest and most sophisticated techniques.

This raises the question for those with an eye on the security budget: what is the comparative financial risk of newly discovered vulnerabilities or attacks, compared to misconfiguration or human error? The Ponemon Institute's 2017 Cost of Data Breach Study indicates that malicious or criminal attacks are the leading single cause of breaches and also the costliest per compromised record (at $154). However, malicious attacks collectively constitute less than half of all breach events, as system glitches and human error account for 24% and 28% respectively. Furthermore, although the per-record cost is greater for malicious attacks (18% higher than system glitches and 27% higher than human error), the expenditure typically allocated towards mitigating these risks is disproportionate. I often encounter organisations that invest heavily in addressing technical vulnerabilities through FTE, penetration testing and sophisticated security products, while configuration reviews and security awareness training remain largely undeveloped. I would encourage the reader to compare what proportion of their security budget goes towards training and educating the workforce; few are likely to find it is only 27% shy of what is spent on addressing technical risks. The 2017 U.S. State of Cybercrime Survey indicates that adding new technologies and conducting audits and assessments alone account for 74% of the security investment of surveyed companies. This is despite the fact that phishing remains both one of the most effective methods of compromise (independent of the vulnerability or exploit used) and the most commonly reported cybersecurity event (36%). Evidently, there is a disconnect between the key causes of compromise and where we focus our attention and effort.
So, what can we do to limit the effect of this cognitive dissonance? Just as we apply a technical solution to a technical vulnerability, cognitive vulnerabilities require cognitive solutions. In the last issue I referred to testing key assumptions, and there are several established methods for doing so. One of my preferred techniques is known as the Analysis of Competing Hypotheses (ACH). Developed by Richards "Dick" Heuer Jr, a long-term Central Intelligence Agency analyst, ACH allows the practitioner to explicitly identify a wide range of reasonable alternatives to a given position, enabling the identification of new threat types and actors. The exercise begins by preparing a matrix with hypotheses across the top axis and evidence along the side, ideally contributed by a variety of stakeholders with different skill and knowledge sets to minimise bias. Each piece of evidence is then evaluated for its relevance and diagnostic value against each hypothesis; by putting the evidence front and centre, preferences for specific hypotheses are cast aside. Note that evidence consistent with every hypothesis, however striking, has no diagnostic value: it is the evidence that is inconsistent with some hypotheses that does the work. This process is repeated for each evidence item, until a list is produced of the most likely hypotheses and the evidence items with the greatest diagnostic value. Finally, participants attempt to disprove (rather than prove) as many of the remaining hypotheses as possible in a structured and objective manner. The final result is a full spectrum of weighted hypotheses: those that are likely, those that are less likely, and those that may be susceptible to change. This process, while time-consuming, can produce a uniquely comprehensive view of an organisation's threat landscape, and can uncover assumptions or risks that may otherwise be overlooked.

Another technique, better known amongst the cybersecurity community, is red-teaming: the practice of assuming the perspective of the adversary to challenge underlying assumptions and discover new attack methodologies. The value of red-teaming is not limited to penetration testing, however, and it can be invaluable for crafting a mature security strategy. Again, the efficacy of the technique is largely a product of the selection of participants; often, those without a background in security can provide valuable insights that are devoid of preconception, bias or ulterior motives. The exercise is then run as a Socratic dialogue, with one party asking a series of questions, ranging from those with a direct relation to the subject at hand (e.g. "What would be the simplest way for me to get access to our organisation's most sensitive data?") through to the more ideological or psychological (e.g. "Why would I want to harm our company's reputation?"; or "How would I react if the department told me my information had been breached?"). By undertaking a detailed, structured and open-minded dialogue, errors in reasoning, unchallenged assumptions, or new threats and untreated risks can surface that even organisations with robust security practices can miss.

Of course, no technique is perfect, and no organisation or individual is ever devoid of prejudice or bias. The key is to remain cognisant of the broader organisational context, so that when the media hype spikes, an unemotive and methodical approach to risk and vulnerability management is maintained. This is the most effective way to ensure that when the car starts flaming, your extinguisher is already at hand.
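The ACH matrix step described above, worked through in code. This is an added example and not part of the article: the three hypotheses and five evidence items are a constructed illustration drawn from the Cyanweb case discussed later in this issue, and the credibility weights and C/I/N ratings are illustrative workshop judgements, not findings from any investigation. It scores each hypothesis by weighted inconsistency (Heuer's rule that only inconsistent evidence counts against a hypothesis), reports which evidence items actually discriminate, and lists hypothesis pairs the evidence cannot separate.

```python
"""Analysis of Competing Hypotheses (ACH) as a scoring matrix.

Added example, not from the article: the hypotheses and evidence are a
constructed illustration based on the Cyanweb discussion later in this issue.
"""
from itertools import combinations

# Each evidence item is rated against every hypothesis. Following Heuer, only
# inconsistency counts against a hypothesis: consistent evidence proves little,
# because a plausible story can be made consistent with almost anything.
PENALTY = {
    "C": 0,   # consistent with the hypothesis
    "N": 0,   # not applicable / neutral
    "I": 1,   # inconsistent
    "II": 2,  # strongly inconsistent
}

HYPOTHESES = {
    "H1": "opportunistic black hat or hacktivist proving a point",
    "H2": "disgruntled ex-employee with knowledge of the systems",
    "H3": "competitor using a hired attacker",
}

# Constructed illustration. Credibility weights (1 = low, 3 = high) and the
# C/I/N ratings are the kind of judgements a workshop would record; they are
# not findings from the actual investigation.
EVIDENCE = [
    ("E1", "No ransom demand was made", 3,
     {"H1": "C", "H2": "C", "H3": "C"}),
    ("E2", "DoS used as a distraction while data and on-site backups were destroyed", 3,
     {"H1": "C", "H2": "C", "H3": "C"}),
    ("E3", "Attacker gained server access and then escalated privilege", 2,
     {"H1": "C", "H2": "N", "H3": "C"}),
    ("E4", "Entry appears to have been via an exposed, unpatched service rather than existing credentials", 1,
     {"H1": "C", "H2": "I", "H3": "C"}),
    ("E5", "Data was deleted rather than stolen or sold", 2,
     {"H1": "C", "H2": "C", "H3": "N"}),
]


def inconsistency_scores(evidence, hypotheses):
    """Weighted inconsistency per hypothesis; 0 means nothing counts against it."""
    scores = {h: 0 for h in hypotheses}
    for _eid, _desc, credibility, ratings in evidence:
        for h in hypotheses:
            scores[h] -= credibility * PENALTY[ratings[h]]
    return scores


def diagnostic_evidence(evidence, hypotheses):
    """IDs of items whose penalty differs between hypotheses. An item that fits
    every hypothesis equally well (E1 and E2 here) has no diagnostic value,
    however striking it looks in a news story."""
    return [eid for eid, _desc, _cred, ratings in evidence
            if len({PENALTY[ratings[h]] for h in hypotheses}) > 1]


def indistinguishable_pairs(evidence, hypotheses):
    """Pairs of hypotheses that every evidence item penalises identically. The
    evidence collected so far cannot separate them, so that is where to look
    for more, rather than arguing about which one 'feels' right."""
    column = {h: tuple(PENALTY[ratings[h]] for *_, ratings in evidence)
              for h in hypotheses}
    return [(a, b) for a, b in combinations(hypotheses, 2) if column[a] == column[b]]


def ranked(evidence, hypotheses):
    """(hypothesis, score) pairs from least to most refuted."""
    scores = inconsistency_scores(evidence, hypotheses)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def render_matrix(evidence, hypotheses):
    """Plain-text ACH matrix: hypotheses across the top, evidence down the side."""
    rows = ["ID  cred  " + "  ".join(f"{h:>3}" for h in hypotheses)]
    for eid, _desc, cred, ratings in evidence:
        rows.append(f"{eid:<3} {cred:>4}  " + "  ".join(f"{ratings[h]:>3}" for h in hypotheses))
    scores = inconsistency_scores(evidence, hypotheses)
    rows.append("score     " + "  ".join(f"{scores[h]:>3}" for h in hypotheses))
    return "\n".join(rows)


if __name__ == "__main__":
    hyps = list(HYPOTHESES)
    print(render_matrix(EVIDENCE, hyps))
    print("diagnostic evidence:", diagnostic_evidence(EVIDENCE, hyps))
    print("not separated by the evidence:", indistinguishable_pairs(EVIDENCE, hyps))
    print("ranking:", ranked(EVIDENCE, hyps))
```

Run it and the two items that dominated the headlines in the Cyanweb story, "no ransom" and "DoS as a distraction", drop out as non-diagnostic, while H1 and H3 finish tied on zero inconsistency: the evidence does not separate a point-proving hacktivist from a hired competitor, which tells the workshop what to go and collect next instead of settling on whichever story is most vivid.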


PODCAST HIGHLIGHT EPISODES (over 30,000 downloads!)

Episode 89 - Data mining techniques & machine learning algorithms applied to covert channel & DGA detection – interview with AizoOn’s Cyber Security researchers In this interview, we discuss how Data Mining techniques and machine learning algorithms can be extremely useful when applied in covert channel detection and Domain Generation Algorithms (DGA) detection. In the last few years, passive analysis of network traffic has become a challenging task due to the high variability of organisations’ IT networks. This often makes classical signature or even statistical detection approaches not sufficiently accurate in detecting potentially anomalous or malicious traffic, due to the lack of focus on network users’ behavioral analysis.

Episode 88 – When the hype actually delivers - Robotics' clear cost savings, efficiency gains & safety results for NSW security manufacturer & distributor This interview with DAVCOR Group Managing Director Marc Cohen discusses the business decision process around the introduction of the AutoStore Robot warehouse, which resulted in impacts on business efficiencies, cost savings in warehouse space and inspired the use of robotics in other aspects of the business, including the use of two Universal Robot arms for cycle testing on locking mechanisms. Payback on the AutoStore system is less than two years on rental space alone, including 75% reduction in power usage

Episode 82 – 4th Joint Cyber Security Centre launched by the Hon Christian Porter MP, Australia’s Federal Attorney-General In this episode Chris Cubbage speaks with the Hon Christian Porter MP, Australia’s Federal Attorney-General, at the opening of Australia’s fourth Joint Cyber Security Centre (JCSC) in Perth. The new Perth centre, part of the Turnbull Government’s $47 million JCSC program is the first of its kind in the west. It offers critical support to Australia’s business community, particularly the west’s vast energy and resource sector.

Episode 81 - Deep dive into the CyberLock electro-mechanical master key system courtesy of Davcor Group In this episode we speak with Geoff Plummer, Davcor Group’s Business Manager Technical Products and dive deep into Davcor’s twenty year journey from physical keys to cyber locking systems, in particular the CyberLock. CyberLock is an electro-mechanical master key system, effectively combining software, electronic keys, electronic cylinders and communicators. The software can be run locally or in the cloud and just as importantly, the power for the whole system is a battery in the Bluetooth enabled key. As a consequence the system is secure and flexible. Media independently of the Risk Management Institute’s National Conference. Recorded November 16, 2017, Canberra.

Episode 84 - Intent Based Networking & Apstra's hardware-inclusive, closed-loop intent-based distributed operating system In this episode we dive into Intent Based Networking with Mansour Karam, CEO and founder of Apstra, Inc., based in Menlo Park, California. Apstra has pioneered Intent-Based Networking and Intent-Based Analytics to simplify how data centre networks are built and operated. The privately funded company has recently announced a deployment by Awnix, a provider of cloud services and products, for the first AOS supported deployment of OpenSwitch (OPX) on Dell Z9100-ON switches in a Tier 1 service provider production network. AOS is a hardware-inclusive, closed-loop intent-based distributed operating system that automates the full lifecycle of network operations and enables the network to configure itself, fix itself and defend itself.

Episode 78 – Applications of Augmented Reality - DXC Technology This interview with Jarrod Bassan, Practice Partner for Mobility & IoT Lead (Australia/NZ) for DXC Technology, discusses the application of Augmented Reality (AR). DXC Technology formed in April 2017 from the merger of CSC and the Enterprise Services business of Hewlett Packard Enterprise, and retains technology interests in AR/VR, gamification, blockchain and the Internet of Things. Virtual Reality (VR) is an immersive technology and disconnects the person from real interaction. Augmented Reality (AR) is a display of information or audio whilst enabling interaction in the physical environment. The DXC case study on show at National Manufacturing Week concerns an excavator and how parts of the machine can be displayed in an augmented visualisation for damage and maintenance. The use of AR provides a level of insight that may not be otherwise readily available.

www.australiancybersecuritymagazine.com.au


Now you see it, now you don't

By David Stafford-Gaffney

You wake up feeling toasty warm on a somewhat dreary and rainy day, and you start to think about what you have on for the rest of the day. The business you started has grown from a one-man band to five employees and things feel pretty darn good. Customers are increasing, as are services, and the upside is huge. Your team are incredibly capable and subject matter experts in their field, so services are of the highest quality. You have a few customer meetings and, later in the day, a sales presentation to a large enterprise that would be the biggest customer, by revenue and profit, to date. Then the phone rings: one of the crew has identified a denial of service attack taking place on your servers, making your entire business offering unavailable to your customers and, more importantly, their customers. Unbeknownst to you, things just took a turn for the worse and you will lose your entire business as a consequence. The troubleshooting escalates quickly and chaotically. Fast forward a few hours and the denial of service attack is over. The dust settles, but things don't look right; in fact, things look bad, disastrously bad. With further investigation the team realise the denial of service attack was a distraction: the real attack was on your information, and all that's left are crumbs. The attackers created a secondary attack to hide the real damage; they didn't care about the unavailability of your services, they wanted your data or, more precisely, they didn't want you to have it anymore. Your stomach sinks and you feel sick as you come to the realisation that your back-ups are on site. You feverishly direct your team to the location of the back-ups, and the look on their faces says it all. They're gone. There is literally nothing more than crumbs of data, crumbs of an organisation, and even the people are crumbling with the realisation that this is likely the end.

Question after question fills your mind as you try to understand how this has happened. You're not interested in why, just yet, but how. How on earth did we not have off-site backups? How did this even happen? Slowly you work through each scenario, one after the other. You're all subject matter experts, you live and breathe this, you built the business, you understand the technology, and still things don't make complete sense, and there is one very good reason why. You completely underestimated the threats that your organisation faces, the steps required to effectively protect the organisation against them and, ultimately, to respond when attacked by them.


This story is based on a recent hack of the Cyanweb business, and there are some key elements that suggest the attackers' motivations, which may offer insights into who the attacker was. The first interesting and slightly different clue is that there was no ransom, so what was it they were after? And what were their motivations? The attackers in this instance were most likely what we refer to in the security community as hacktivists or black hats. They operate as groups or individuals, are highly capable and can be incredibly motivated. However, let's be very clear: it's still highly possible that this was an opportunistic attack. A simple scan and vulnerability check on a Cyanweb external IP may have uncovered some glaring holes that really ticked off the attacker(s), and they simply wanted to prove a point. Arguably, this motivation is the purest, one of ideology: they won't stop until they've proved a point. If you can't protect the information, we'll delete it. It's as simple as that. It is, however, also possible that a disgruntled ex-employee with tacit knowledge of the systems and their limitations performed the attack, or a competitor, perhaps using a gun-for-hire arrangement from the dark web. To me, it sounds more like the first of these: a black hat or hacktivist wanting to prove a point.

We've covered the who, now let's take a look at the what. There are some very simple clues that suggest security may not have been front of mind. The first glaring clue is that backups were not located off site or in a location disconnected from the systems being backed up. This is a very basic DR/BCP/security best-practice step and one that mitigates this very specific risk, amongst others. This suggests that other basic controls may also have been lacking. The article confirms that attackers were said to have gained access to the server and elevated privilege prior to completing their objectives. Gaining access to the server and privilege escalation can both be performed by exploiting a vulnerability. This brings patch management to mind. Patch management accounts for two of the Australian Government's Essential Eight, a list of mitigations that, when applied collectively, are said to reduce the risk of a breach by 80%: specifically, patching of operating systems and patching of applications. Daily backups, with associated restore testing, are a third. This leads me to question the process of patch management; however, it also raises the question of the more holistic risk management and identification process, which in its simplest form means identifying the vulnerabilities of the systems or services and the various mitigations to address them.

So, we have a down-to-earth business of passionate employees just trying to make a few bucks and help people, and we have a highly motivated and very capable adversary; all that separates them is a handful of processes. Firstly, this is a timely reminder to seriously think about the threats your organisation faces, their motivation and their capability, and do something about it. I mean, hold a workshop, engage a consultant if need be to assist with the process, and rank your threats in terms of their probability, capability and motivation. Then, with the help of your IT team or again an external party, work out where your information is, who has access to it and what controls you have in place to protect it. If a highly motivated and incredibly capable threat (top of your list) could get past those controls now, or within a reasonable time, you need to do more. This is where you may need some specialist cyber security skills from a third party. If you're unsure where to even start, the Essential Eight, as mentioned earlier in the article, is a terrific resource, as it's a generic list of controls applicable to any business or organisation. Run through the list with your IT team or service provider and use the Essential Eight Maturity Model to map out your current implementation and maturity. From there, put together a roadmap for the implementation of the remaining controls, or uplifts in maturity, over the next period of time, be it 3, 6 or 12 months.

Finally, let's not forget that this is a traumatic event. The impact of an incident like this doesn't just remain with the business; people run the business, and the personal lives of the people who worked at Cyanweb will be heavily impacted. Since the impact of a risk is assessed on a business, personal and psychological damage are not generally listed as a consequence (privacy impact assessments excluded), so spare a thought for them while you contemplate your next move.
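A minimal version of the control the article says was missing: a backup whose integrity is recorded in a manifest kept with the off-site copy, and a restore test that proves the backup can actually be brought back and is what you think it is. This is an added example, not Cyanweb's tooling or anything from the Essential Eight; the `offsite` directory is a placeholder for a location the production hosts cannot write to or delete from (a separate account or system), and the site tree and the "attack" in `demo()` are constructed for the demonstration.

```python
"""Backup with an integrity manifest, plus the restore test that proves it.

Added example, not from the article. The 'offsite' directory stands in for a
location the production hosts cannot write to or delete from (a separate
account or system); the sample site tree is constructed for the demo.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, streamed so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src, dest, name):
    """Archive src into dest/<name>.tar.gz and write dest/<name>.manifest.json.

    The manifest records each file's hash and the hash of the archive itself,
    so a later restore test can tell 'restored cleanly' from 'restored something'.
    """
    src, dest = Path(src), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(src).as_posix())
    manifest = {"files": file_manifest(src), "archive_sha256": sha256_of(archive)}
    manifest_path = dest / f"{name}.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def restore_test(archive, manifest_path):
    """Restore the archive into a scratch directory and compare with the manifest.

    Returns a list of problems; an empty list means the backup restores cleanly.
    A backup that has never been restored is a hope, not a control.
    """
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    if sha256_of(archive) != manifest["archive_sha256"]:
        problems.append("archive hash mismatch (corrupted or replaced)")
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # refuse path traversal etc.
                except TypeError:                            # Python without extraction filters
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError) as exc:
            return problems + [f"restore failed: {exc}"]
        restored, expected = file_manifest(scratch), manifest["files"]
        for rel in sorted(set(expected) | set(restored)):
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif rel not in expected:
                problems.append(f"unexpected file in backup: {rel}")
            elif restored[rel] != expected[rel]:
                problems.append(f"content changed: {rel}")
    return problems


def demo():
    """Constructed scenario: back up a tiny site, verify it, then check a backup
    taken after the data has been tampered with against the last good manifest.
    Returns (problems_clean, problems_after_tampering)."""
    work = Path(tempfile.mkdtemp())
    src = work / "site"
    (src / "sub").mkdir(parents=True)
    (src / "index.html").write_text("<h1>hello</h1>")
    (src / "sub" / "db.sql").write_text("INSERT INTO customers VALUES (1, 'alice');")
    archive, manifest = create_backup(src, work / "offsite", "nightly")
    clean = restore_test(archive, manifest)
    # What the Cyanweb attackers did to live data: rewrite it. A backup taken
    # afterwards no longer matches the manifest of the last known-good copy.
    (src / "sub" / "db.sql").write_text("-- gone")
    later, _ = create_backup(src, work / "offsite", "after-attack")
    return clean, restore_test(later, manifest)


if __name__ == "__main__":
    good, bad = demo()
    print("nightly backup restore test:", good or "OK")
    print("post-tampering backup vs last good manifest:", bad)
```

The design point is the separation: the manifest travels with the off-site copy, not with the server that might be compromised, so a restore test run from the off-site side can detect both a corrupted archive and a backup that silently captured already-destroyed data. In production the `offsite` placeholder would be storage the production credentials can only append to, and the restore test would run on a schedule rather than once.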



Stuff GDPR!?

By Guillaume Noé

Where are the hordes of cold and scary European privacy policy enforcers? Can you see them slowly roaming and moaning in French, German and other private languages in Sydney, Melbourne, Brisbane or in other parts of Australia? Look around! It is here! We should all be afraid and prepare for an ultimate onslaught of privacy regulation that has been compared to the upcoming winter in Game of Thrones. Not even Jon Snow and his feisty fellow Rangers of the Night's Watch could do anything to help the careless and unprepared. It may be too late. You may already be drafting a cheque for €20 million addressed to the European Union. You may also consider ruling out doing business with those hypersensitive privacy European Unionist snobs! Alternatively, you could assess the real risk of non-compliance to your business and the opportunity that complying could provide. You could then make an informed business decision to either ignore it or make the most of it.

GDPR is Confusedly Here!

Welcome General Data Protection Regulation (GDPR)! Congratulations to the European Union, the proud collective parent of the awaited privacy regulation. The regulation weighs 88 pages (in English) and is now enacted following months of apocalyptic-level warnings. We have certainly been warned that "GDPR is coming!" and that it is "The biggest change you've never heard of", asked "Are you prepared?", and reminded "It's not too late to get ready". You may also have been confused on the subject and wondered whether you should care about it at all. For example, an article published on the Australian Computer Society (ACS) website quotes a cybersecurity vendor representative, supposedly positioned as a GDPR expert, on the criteria of applicability of the regulation. The article states that "Officially, GDPR will only apply to companies with over 250 employees". This is unfortunately inaccurate and ill-informed. The regulation makes no provision for such a blanket exemption. It applies, independently of business size, to any business that processes the personal data of individuals in the EU in the course of offering them goods or services or monitoring their behaviour (Article 3), and that holds for the most part of the regulation's requirements. The only size-based exception applies to some record-keeping requirements, under specific conditions (Article 30(5)). Other "advisors" also provide misleading information on social media, such as that the applicability of the regulation would depend on whether a business has a local office in the EU. There is no such provision in the regulation either. To avoid any confusion on GDPR, consult:
• The official regulation text from the EU Law website; or, for a shorter version
• The excellent summary provided by the OAIC under Privacy business resource 21: Australian businesses and the EU General Data Protection Regulation.

Ruling out business with the EU?

I got privy to a passionate debate on the subject of GDPR held within an Australian FinTech start-up community, where a CEO said he was considering excluding the EU from his business plan. GDPR would bring his business challenges outweighing the potential business benefits in the EU region in the short term.

Key GDPR challenges

The CEO shared his assessment. He would face the following two biggest GDPR challenges:
1. 'Right to be forgotten', "which causes all sorts of issues when trying to design systems where payments (for which data must be kept) and non-payment information (which users can demand to be deleted) is involved"; and
2. 'Access to own data', "you have to give people access to their own data. Sounds easy, right? Unless you transform their data in a way that reveals internal business processes, and even worse, if you create data that joins individuals who can both demand their data be released yet are required to have their data kept secret.".

The start-up assessed that "Both of the above will require you to create new interfaces, new business processes and new security systems to prevent abuse (e.g. when someone asks for all their data, how do you give it to them if they can't access their account for whatever reason?)".

EU Privacy Compliance vs AU Business Priority

Challenged on his assessment, "can you really 'afford' not to care about the privacy of your customers as a priority?", the CEO added: "I care about my user's privacy deeply, to the point of making it harder for me to develop my product", but "the 'right to be forgotten' adds substantial overhead to the management of legitimate collection and use of data (it might even make it impossible to legally run some businesses!).". He also added that the EU only represented 10% of his target market globally. The CEO conducted a thoughtful assessment of the implications of GDPR compliance on his business and tested those implications against potential business return in the EU. He made an informed business decision to deprioritise the EU market, for now, in view of the effort and cost of complying with the regulation.

What is the risk to Australian companies?

Businesses may find it difficult to appreciate how GDPR sanctions could eventually be enforced upon them in Australia, and may consider disregarding the regulation because:
• Local privacy sanction precedents are few and minor;
• Local maximum sanctions poorly compare with the EU;
• The protocol for GDPR sanction enforcement on non-EU members relies on a desired international collaboration (good will); and
• Australian organisations with a turnover lower than $3M are generally exempt from complying with local privacy regulation.

Sanctions

In Australia, the maximum penalty for breaching the Australian Privacy Act is $2.1M. What organisations have been sanctioned in the past?
• Telstra was fined $10,200 in 2014 and warned over privacy breaches after an information leak exposed almost 16,000 of its customers' private data online.
• Freelancer was fined $20,000 in 2016 by the Office of the Australian Information Commissioner (OAIC) for damages to a European former account holder and for breaching the Privacy Act.
• Any other disclosed cases?

In comparison, EU countries have numerous cases of example-setting sanctions. For example in France, the CNIL (the French privacy watchdog and supervisory authority under GDPR) maintains a public list of sanctions (23 cases at the time of writing), including hefty fines such as €100,000 (~$155,000) for Darty in January 2018 (before GDPR). The maximum penalty under Australian regulation also poorly compares with the scale of GDPR administrative fines, by a factor of 15 (€20 million, ~$31M, or 4% of global turnover, whichever is greater, under GDPR vs $2.1M under the Australian Privacy Act). In addition, the Australian Privacy Act provides an exemption from compliance for most Australian organisations with a turnover of less than $3M. There is no turnover threshold under GDPR.



Enforcing sanctions in Australia

Under GDPR, the applicability of administrative fines or sanctions to non-EU jurisdictions relies on a desired international cooperation based on reciprocity: "supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders... there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts" (GDPR Recital 116). OAIC resources on GDPR, such as this article, provide no clarification on a potential enforcement protocol, aside from a generic statement of commitment to internationally coordinated approaches to privacy regulation. I enquired directly with the OAIC and asked in writing: "How would GDPR sanctions be enforced in Australia?". The OAIC kindly replied that in essence they could not advise on the subject (well, who can then?).

The Bright Side of Consumer Data Protection

Complying with consumer data protection and privacy regulations, such as the EU GDPR or the Australian Privacy Act, may come at the cost of changing processes, technologies and, importantly, organisational cultures. Australian businesses doing, or contemplating doing, business overseas have the choice to comply with local regulations such as GDPR, disregard them and accept a risk, or forfeit doing business in some countries. It is a business risk decision. Whether opting to comply with privacy regulations or not, investing in better consumer data protection practices has a very bright upside, because customers have growing privacy concerns and business is lost over privacy concerns, according to the OAIC's Australian Community Attitudes to Privacy Survey 2017 (ACAPS). Mounir Mahjoubi, the 'geek' who saved Macron's French presidential campaign from cyber attacks and now French Secretary of State for Digital, brilliantly called out the opportunities that GDPR and better consumer data protection practices provide to businesses. Mahjoubi suggests (in a speech) making the most of compliance requirements. With better data protection, businesses can:
1. Serve their clients in better ways;
2. Build new services and innovative ways to manage data;
3. Optimise the usage of data; and, very importantly,
4. Improve data security and better manage business risk.

When it can be prioritised and afforded, complying with consumer data protection and privacy regulations, such as GDPR, can be a very valuable business risk management practice and a valuable business differentiator at the same time.



Cyber Security

How quantum cyber security can make data breaches irrelevant

By Vikram Sharma, Encryption Expert and CEO and Founder of Quintessence Labs

For me, this is a particularly exciting time in the history of secure communications. Recently, we've seen the effects of cyber-attacks on the business world. Data breaches have caused losses of hundreds of millions, if not billions, of dollars. It wouldn't take many large attacks to ravage the world economy. About 15 years ago, when I learnt of a newfound ability to create quantum effects that don't exist in nature, I was excited. The idea of applying the fundamental laws of physics to make encryption stronger really intrigued me. How does this work? Well, there are three important elements in encryption:

1. An encryption key
2. The key exchange
3. The encryption algorithm

The encryption algorithm is like a lock, which encodes and decodes the document. Using the key, it encodes the text in the documents, converting them into random numbers. If someone were to open the document without the encryption key and the algorithm, they wouldn't be able to read the documents; it would simply look like a bunch of random numbers. Most security systems rely on a secure method for key exchange to communicate the encryption key to the right place. However, rapid increases in computational power are putting at risk a number of the key exchange methods we have today.

In recent years, there's been a growing body of research looking at using quantum effects to make encryption stronger. With advances in quantum computing, which leverages the microscopic properties of nature to deliver unimaginable increases in computational power, it's never been more important to encrypt. Quantum computers are so powerful that they will crack many of the encryption systems we use today.

Random numbers are the foundational building blocks of encryption keys. But today, they're not truly random. Currently, we construct encryption keys from sequences of random numbers generated from software, so-called pseudo-random numbers. Numbers generated by a program or a mathematical recipe will have some pattern to them, however subtle. For years, researchers have been looking at building true random number generators, but most designs to date are either not random enough, not fast enough, or not easily repeatable. But the quantum world is truly random: devices that can measure quantum effects can produce an endless stream of random numbers at high speed. At QuintessenceLabs, our quantum random number generator is the world's fastest. It measures quantum effects to produce a billion true random numbers per second. It is used today to improve security at cloud providers, banks and government agencies around the world.

But even with a true random number generator, we've still got the second big cyber threat: the problem of secure key exchange. Current key exchange techniques will not stand up to a quantum computer. The quantum solution to this problem is called quantum key distribution, or QKD, which leverages a fundamental, counterintuitive characteristic of quantum mechanics: that the very act of looking at a quantum particle changes it. Consider again the encryption "lock." Instead of two parties directly exchanging a key to decode a file, we instead use quantum effects on a laser to send the key over standard optic fiber. We assume a bad actor is trying to hack this exchange, but any attempt to intercept the quantum keys while in transit will leave detectable fingerprints, and allows those intercepted keys to be discarded. The retained keys can still be used to provide very strong data protection. And because the security is based on the fundamental laws of physics, a quantum computer or any future supercomputer will not be able to break it. My team and I are collaborating with leading universities and the defence sector to mature this exciting technology into the next generation of security products.

The internet of things is heralding a hyper-connected era with 25 to 30 billion connected devices forecast by 2020. We're betting that quantum technologies will be essential in providing this trust, enabling us to fully benefit from the incredible innovations that are going to so enrich our lives, and a day when the breach is completely irrelevant.
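The "detectable fingerprint" the article relies on can be seen in a classical simulation of the BB84 protocol. The following is an added example, not QuintessenceLabs code: photons are modelled as (bit, basis) pairs, an intercept-resend eavesdropper measures each one in a guessed basis and re-sends it, and the disturbance shows up as a raised error rate in the sifted key. The 11% abort threshold and the quarter-of-key sample size are assumptions chosen for illustration.

```python
"""BB84 quantum key distribution, simulated classically.

Added illustration, not QuintessenceLabs code. Photons are modelled as
(bit, basis) pairs; measuring in the wrong basis yields a uniformly random
bit, which is the only quantum property the simulation needs.
"""
import random

# Basis 0 = rectilinear, basis 1 = diagonal (labels are conventional).
QBER_ABORT_THRESHOLD = 0.11  # commonly quoted BB84 tolerance; an assumption here


def measure(bit, prep_basis, meas_basis, rng):
    """Outcome of measuring a photon prepared as (bit, prep_basis) in
    meas_basis: deterministic when the bases agree, random otherwise."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_bb84(n_photons, eavesdrop, seed=0):
    """Run one BB84 exchange and return (qber, alice_key, bob_key).

    eavesdrop=True inserts an intercept-resend attacker who measures each
    photon in a guessed basis and re-sends her result in that basis."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            e_basis = rng.randrange(2)
            e_bit = measure(bit, a_basis, e_basis, rng)
            bob_bits.append(measure(e_bit, e_basis, b_basis, rng))
        else:
            bob_bits.append(measure(bit, a_basis, b_basis, rng))

    # Sifting: bases (never bit values) are compared over the public
    # channel; only positions where both chose the same basis survive.
    kept = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in kept]
    bob_key = [bob_bits[i] for i in kept]

    # Error estimation: a random quarter of the sifted bits is revealed,
    # compared and discarded. Interception raises the quantum bit error
    # rate (QBER) here to roughly 25% for intercept-resend.
    sample_size = max(1, len(kept) // 4)
    sample = set(rng.sample(range(len(kept)), sample_size))
    errors = sum(alice_key[i] != bob_key[i] for i in sample)
    qber = errors / sample_size

    final_alice = [b for i, b in enumerate(alice_key) if i not in sample]
    final_bob = [b for i, b in enumerate(bob_key) if i not in sample]
    return qber, final_alice, final_bob


def key_is_trustworthy(qber, threshold=QBER_ABORT_THRESHOLD):
    """Keys whose measured error rate exceeds the threshold are discarded;
    this is the detectable fingerprint the article describes."""
    return qber <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        qber, a, b = run_bb84(4000, eavesdrop=eve, seed=1)
        print(f"eavesdropper={eve}: {len(a)} key bits, QBER={qber:.3f}, "
              f"keep={key_is_trustworthy(qber)}, keys match={a == b}")
```

Without an interceptor the sifted keys agree exactly and the error rate is zero; with one, about a quarter of the compared bits disagree, the exchange is rejected and nothing derived from it is used. The simulation does not model channel noise, which is why real deployments use a tolerance threshold rather than demanding a zero error rate.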


BAD THINGS COME IN SMALL PACKAGES

By Jason Hilling, Senior Director for NETSCOUT Arbor, Asia

Distributed Denial of Service (DDoS) attacks come in many guises. One of the more popular these days is the application-layer attack, sometimes called a layer seven attack, because it targets the top layer of the Open Systems Interconnection (OSI) model, which supports application and end-user processes. Unlike volumetric attacks, which overwhelm networks quickly by consuming high levels of bandwidth, application-layer attacks are more subtle and insidious – and much more difficult to detect and block. Posing as legitimate application users, attackers target specific resources and services, sending repeated application requests that gradually increase in volume and eventually exhaust the ability of the resource to respond. Widely regarded as the deadliest kind of DDoS attack, application-layer attacks can inflict significant damage with a much lower volume of traffic than a typical volumetric attack, making them difficult to detect and mitigate proactively with traditional flow-based monitoring solutions. While service providers can detect and block volumetric attacks as well as larger application-layer attacks, smaller application attacks can easily escape detection in the large Internet Service Provider (ISP) backbone, while still being large enough to cause a problem for the enterprise network or data centre.

A Growing Threat

Application-layer attacks figure prominently in the DDoS threat landscape. HTTP and secure HTTPS services are targeted frequently, rendering them unavailable to legitimate requests. In fact, many business-critical applications are built on top of HTTP or HTTPS, making them vulnerable to this form of attack even though they may not look like traditional public web-based applications. For a bank or an online retailer that depends on its web presence to attract and serve customers, the impact can be catastrophic. Not only does the attack prevent the normal operation of the business, but it can also make a site invisible to search engines, or at least bump it from the front page of search results.



Protecting Apps is Not Enough

IT security teams are often under the mistaken impression that a Web Application Firewall (WAF) provides adequate protection against application-layer attacks. Since applications are the targets, this seems logical on the surface. And WAFs are certainly necessary to filter or block attempts to gain access to servers or data. But they are vulnerable to state or resource exhaustion. The problem is that what starts as a trickle of legitimate-looking app service requests eventually turns into a flood, and application-level defences won't recognise the flood of legitimate requests as an attack at all. Another problem is that the application-layer attack is often just part of a larger "blended" attack employing multiple attack methods, which may not be targeting the application layer that a WAF is analysing. For these reasons, a DDoS perspective is necessary to detect and thwart application-layer attacks. Without a dedicated DDoS solution, security teams may not even realise they are under attack when their site goes offline. They're left scrambling to restore service on the fly, diverting IT resources and eating up hours or even days that can translate into millions of dollars of lost business.

The First Line of Defence

DDoS attacks have changed significantly in size, frequency and, most importantly, sophistication. They've also changed in terms of duration: as identified by NETSCOUT Arbor's 13th Annual Worldwide Infrastructure Security Report, the average duration of a DDoS attack in 2017 was around 46 minutes, down from 55 minutes last year. However, do not equate length with risk, because the impact could last much longer. For example, say an online retailer's website is brought down by a DDoS attack during a busy sales period. The multiple back-end systems which rely on it to communicate can take much longer than 30 minutes to synchronise and come back up.

An intelligent on-premise system will have the visibility and capacity to quickly detect and mitigate these stealthy, low-bandwidth attacks on its own, early enough to avoid the need for cloud mitigation. Should the attack turn into a flood, the on-premise system can instantly activate cloud-based defences through cloud signalling. The best place to deploy application-layer DDoS detection and mitigation measures is at the traffic entry point at the edge of the enterprise data centre or ISP infrastructure – ideally outside the firewall. Because of the small scale of these attacks, they are harder to detect and stop once they have worked their way into the data centre or network. Application-layer attacks contradict the perception of DDoS attacks as large-scale threats that overwhelm defences and incapacitate networks through sheer brute force. Network guardians need to be on the lookout for these smaller but smarter threats that can work their way through the slightest openings.

One final point: on-premise doesn't just mean the enterprise network itself. It's also about the migration to "the cloud", and the need to provide the same kind of on-premise protection for assets hosted in either public or private cloud environments, which have the same application-layer vulnerability to DDoS that you have in the on-premise data centre. Enterprises should make sure that as they move critical assets to the cloud, they are providing the same level of application protection there.
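The "trickle that turns into a flood" is exactly what flow-level thresholds miss, because no single request and no single minute looks abnormal. The following added example (not NETSCOUT Arbor code) shows the kind of per-source trend analysis an edge detector can run over ordinary web access logs: it parses Common Log Format lines, buckets requests per source per minute, and flags sources whose rate ramps steadily toward one expensive endpoint while legitimate users stay flat. The log lines, IP addresses, paths and thresholds are all constructed for illustration.

```python
"""Spotting a low-and-slow application-layer DDoS in web access logs.

Added example, not NETSCOUT Arbor code. The log lines are constructed
inline in Common Log Format; IPs, paths and thresholds are assumptions.
The heuristic targets requests that look legitimate one at a time but
whose per-source rate ramps steadily toward one expensive endpoint.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into (ip, timestamp, path without query); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"].split("?", 1)[0]


def build_sample_log():
    """Constructed traffic (not real data): eight steady legitimate clients and
    two sources that add one more /search request every minute for 12 minutes."""
    start = datetime(2018, 7, 1, 9, 0, tzinfo=timezone.utc)
    lines = []

    def emit(ip, t, path):
        lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512')

    for minute in range(12):
        t0 = start + timedelta(minutes=minute)
        for k in range(8):  # legitimate users: two requests a minute, mixed paths
            emit(f"10.0.0.{k + 1}", t0 + timedelta(seconds=6 * k), "/")
            emit(f"10.0.0.{k + 1}", t0 + timedelta(seconds=6 * k + 3), "/search?q=x")
        for offset, ip in enumerate(("198.51.100.7", "198.51.100.8")):  # ramping sources
            for r in range(minute + 1):
                emit(ip, t0 + timedelta(seconds=4 * r + offset), f"/search?q=report+{r}")
    return lines


def per_source_windows(lines, window=timedelta(minutes=1)):
    """Count requests per source per time window, and per source per path."""
    counts = defaultdict(lambda: defaultdict(int))  # ip -> window index -> requests
    paths = defaultdict(lambda: defaultdict(int))   # ip -> path -> requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec
        bucket = int(ts.timestamp() // window.total_seconds())
        counts[ip][bucket] += 1
        paths[ip][path] += 1
    return counts, paths


def find_ramping_sources(lines, min_windows=6, min_growth=4.0, min_focus=0.8):
    """Flag sources whose per-window rate never falls across at least
    min_windows consecutive windows, ends at least min_growth times higher
    than it started, and sends at least min_focus of its requests to one
    path. Legitimate users have flat rates and spread their requests around."""
    counts, paths = per_source_windows(lines)
    flagged = {}
    for ip, buckets in counts.items():
        series = [buckets[b] for b in sorted(buckets)]
        if len(series) < min_windows:
            continue
        non_decreasing = all(later >= earlier for earlier, later in zip(series, series[1:]))
        growth = series[-1] / series[0]
        top_path, top_count = max(paths[ip].items(), key=lambda kv: kv[1])
        focus = top_count / sum(paths[ip].values())
        if non_decreasing and growth >= min_growth and focus >= min_focus:
            flagged[ip] = {"target": top_path, "peak_per_window": series[-1],
                           "growth": growth, "focus": focus}
    return flagged


if __name__ == "__main__":
    for ip, info in find_ramping_sources(build_sample_log()).items():
        print(ip, info)
```

Note that at its peak each flagged source is sending only twelve requests a minute, far below any bandwidth alarm; the signal is the shape of the series and the concentration on one path, not the volume. A production detector would also aggregate across sources, since a distributed attacker spreads the ramp over many addresses.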


Insider Threats: Operational, tactical and strategic insights

By Milica D. Djekic

According to one definition, an insider threat is the potential for an individual to misuse his authorised or unauthorised access to some community in order to affect it in a negative manner. Insider threats are usually correlated with cyber security, because the majority of operations in the developed economies require their staff to use computers, the internet and mobile technologies. As is well known, insider threats can be unintentional or malicious in nature. Unintentional insider threats are community members who carelessly release confidential information. They do not expect any financial reward for such an action and they are not connected with any malicious actor's group. On the other hand, there are real malicious actors who become part of some enterprise and would do everything and anything to cause harm to their employer. These people are paid for their arrangement and commonly receive support from some organised crime or terrorist group. So, if we talk about this sort of crime scheme, it is important to mention that such a case needs detailed investigation, because these actors frequently operate as a team organised at operational, tactical and strategic levels.

To begin, we can review how cyber technologies can be misused to give some advantage to malicious actors who are part of an organisation. The fact is that the entire globe is being connected to the internet and there are billions of network users on the planet. These people deal with their accounts, multimedia platforms, social media and so on. In such a case, it becomes clear that anyone gaining access to some company's infrastructure could attempt to share his privileges with someone outside of that community. That is how organised crime and even terrorism enter the legal system. The good question here is what their aims are in such a case. We can say that their goal could be to weaken some business and, if we look at that from a wider perspective, if you can make one business collapse, you could do so with many of them by applying the same criminal scenario. What is the motive for the bad guys to do so? In our opinion, it is the desire for power. If some country's economy goes down, that society becomes suitable ground for organised crime and terrorism. We know that poverty and lack of proper education can be key factors in developing bad social habits and negative choices. Once you get such a situation, your community becomes a paradise for crime. Additionally, this sort of threat could cause conflict zones to arise in the world, and that would also mean a boom in crime.

The best way to prevent an organisation becoming a victim of malicious insider threats is to follow best cyber security practice and to run well-developed awareness-raising training and programs. If many businesses shrink, the entire economy shrinks, and as no society is isolated from the rest of the world, such a situation could be reflected in the entire region and, further, the rest of the world. This may appear a handy scenario for triggering a Great Recession, and in reality it is quite feasible that things work like that.

What is also important to know about malicious insider threats is that they operate as part of some malicious organisation, and very often they serve their patrons at the operational level. Just as there is a strict hierarchy within the defence and intelligence communities, there is a quite rigid hierarchy amongst organised crime and terrorist syndicates, too. Every malicious organisation has its masterminds, who formulate the strategies of its actions, and the bad guys at the bottom of the scale execute those plans. The members between the strategists and the operational folks would be recognised as the tactical-level criminals. These people are familiar with the strategy to some extent, and they also skilfully manage the operational members on their tasks. The big question here is how the criminal enterprises obtain information about the selection process within some company. The answer is quite clear: they use the services of the cybercrime underground, which makes so many breaches into so many organisations in order to obtain as much information as possible about that asset from the outside. Hopefully it is obvious why following best cyber defence practice is of crucial significance in preventing such cases. If we add that cybercrime could soon cost the global economy several trillion dollars per annum, it becomes clear that hacking operations could be a convenient method to shake the global economy as well. So, operational, tactical and strategic actors are those who conduct the entire scenario and try to make all of us shrink in front of them. Apparently, it is also important to highlight the role of law enforcement agencies, which should have the skill, experience and expertise to recognise and resolve such a situation. In other words, we need helpful mechanisms to prevent such a crime, resolve it in case it happens, and finally use crisis management skills to recover our organisation from a disadvantage.

In conclusion, this discussion can be understood as an attempt to give a better insight into a quite challenging topic such as insider threats. This effort could serve as a good starting point for future research and also raise our awareness of that ongoing concern. It is not that easy to recognise the insider threat within today's complex and dynamic environment, but we hope that coming studies can support us in our attempt to protect ourselves from crime. At the least, this could be a useful direction for security professionals on how to manage that sort of risk.

About the Author - Milica D. Djekic is an Independent Researcher from Subotica, Republic of Serbia. She received her engineering background from the Faculty of Mechanical Engineering, University of Belgrade. She writes for some domestic and overseas presses and she is also the author of the book "The Internet of Things: Concept, Applications and Security", published in 2017 by Lambert Academic Publishing. Milica is also a speaker with the BrightTALK expert's channel and Cyber Security Summit Europe, held in 2016. Her fields of interest are cyber defence, technology and business.



Cover Feature Cyber Security

Reinventing the SOC: Solutions for improving security and curing the alert-fatigue epidemic

By Lionel Snell, Editor, NetEvents

Listen to our interview with Greg Fitzgerald!

Call it alert fatigue. Call it information overload. Call it mind-killing and soul-destroying. The sheer number of alerts coming into a modern security operations center (SOC) can overwhelm even the most dedicated security analysts. Alerts pour in from many dashboards and security information and event management (SIEM) platforms, with some focused on the network, others on endpoints, some on the firewall and outside-facing servers, and others on critical infrastructure. And with the vast majority of alerts being (fortunately) false alarms, it can be easy to overlook the real warning signs… which may be subtle indications of malicious reconnaissance or an actual breach.

As SC Magazine's Greg Masters writes in "Crying wolf: Combatting cybersecurity alert fatigue," nearly three-quarters of security teams stated they were overwhelmed by the volume of vulnerability maintenance work assigned to them. When security teams were queried about contending with threat alerts, 79% said they were overwhelmed by the volume. And according to Ryan Francis in "False positives still cause threat alert fatigue," published in CSO, "The Cisco 2017 Security Capabilities Benchmark Study found that, due to various constraints, organizations can investigate only 56 percent of the security alerts they receive on a given day. Half of the investigated alerts (28 percent) are deemed legitimate; less than half (46 percent) of legitimate alerts are remediated. In addition, 44 percent of security operations managers see more than 5000 security alerts per day."

What can you do? What must you do? Reinvent the SOC. Business as usual simply can't cut it. Fortunately, there are companies working on this very challenge. Cylance pioneered the application of artificial intelligence (AI), algorithmic science, and machine learning to prevent the most sophisticated security threats. Demisto's security operations platform combines security orchestration and incident management with machine learning from analyst activities, and interactive investigation. JASK too applies enhanced AI and machine learning to automate the correlation and analysis of threat alerts. Other companies like CA Technologies have specialist departments addressing these issues. CA's SVP Central Software Group, Dr Vinod Peris, points out that data has typically been something to look back on with hindsight: "What we are doing with AI is to be more predictive. We're looking not just at what you've missed as red flags, but alerting you that you're likely to miss". In the case of card payment security, they use behavioural analytics to assess the gap between the transaction and expected behaviour and warn the bank.

People first

Neither Demisto nor JASK make alert fatigue their starting point. Their first concern is human resources – the lack of qualified security analysts, and a company's sheer inability to recruit, retain, and afford them. And of course, keep them from burning out.

"The biggest problem that SOCs are having right now is talent," says Greg Fitzgerald, Chief Marketing Officer at JASK. "One is recruiting just people. Second of all is having the skillsets to just place in those jobs, and then the third piece is the experience, those that actually know what to do when they find something inside the SOC."

Demisto's CEO, Slavik Markovich, agrees. "When you talk with analysts and you see them day in and day out, just handling all those incoming alerts, and going through, like, tens of different tools, it burns them out." Markovich continues, "We looked at how analysts are working, and man, they're not happy. After six months, they're ready to run away. The average, probably, for an analyst is less than two years. The reason is that, because they're doing the same thing over and over again. Just, nobody wants to operate like that."

In addition to the tedium, says Fitzgerald, is the lack of opportunity in many organizations. While there are many analysts, there aren't many spots for promotions. "What needs to happen is the same thing that would happen in any job, which is they want career advancement," he says. "What we are seeing today is that the security operations person who has that initial job, once they get educated to understand both the process and the experience, even with a year or two, quickly leave the company. So, organizations spend a lot of time and effort getting a person up to speed, and then they leave." The solution there, Fitzgerald says: "Make it so they have an upward career path within where they are so they can get out of the mundane job, and start doing something much more proactive about threat hunting, or actually just seeking resolution to the problem they have, or being a part of an incident response team. It's much more like the elite staff that any IT and security personnel wants to do."

Addressing Alert Overload

You've got to address alert fatigue. Before enterprises can offer more interesting and challenging projects for security analysts, that fire hose of SIEM notices and log anomalies must be made more manageable – both in quantity and in the ratio of false alerts to real incidents. In the words of Greg Martin, JASK CEO and Co-Founder, we need "to filter the advanced attacker from all of the noise of automated lower-level cybercrime attacks. This is where the industry is really struggling right now: how do I identify what I should care about versus the malware that I see every Monday?"

Cylance's Kumad Kalia pointed out that, despite the publicity about sophisticated attack innovations, the more common tactic is simply to overwhelm security with a flood of more basic attacks: "Multiple exploits put together so, even if you detect one, you might not think to look in the other place. Sometimes, one attack will be used to overwhelm some resources to hide another stealthier attack underneath". Such automated attacks are best dealt with by automated response: "The future is going to be where AI is at the heart of the solution so that you're not being overwhelmed by that amount of information, that the AI engine in the prevention tool is doing all that heavy lifting."

"Technologies for preparing and triaging and responding automatically" are key for Demisto's Markovich. "Those technologies orchestrate and automate across hundreds of different security tools, and bring the data, fully prepared and analyzed, to the analyst." With that data, the analyst can review the recommendation from the security tool, and either allow automation to continue to handle the incident, or choose human intervention. "Triage would be look at the threat intelligence info about the incident, look at the file properties, maybe detonate the file, do all of those things," adds Markovich. "Then the analyst says, okay, yeah, I think it's malicious, and then the response automation should be, okay, eradicate this email, block this end-point, block this IP, and so on and so forth."

The upshot: the technology takes boring, tedious manual labor out of the equation, and "just allows the analyst to focus on what he's good at, which is the decision-making and the actual smart hunting and thinking about security," says Markovich. Smarter tools can also help with a key element of triage: choosing which alerts to focus on first. "Analysts are overwhelmed with what they have to see today, and they need some sort of prioritization," says JASK's Fitzgerald. "It's not just what's important. It's also where to start. Because an attack or a compromise can be caught at any point in the sequence, and so they need some guidance to say, help me, and that's what's happening."

AI to the Rescue

Leading cybersecurity companies are leveraging artificial intelligence and machine learning in their next-generation SOC platforms. These technologies will enable automatic filtering of threat reports, allow correlation of alerts across platforms, evaluate the dangers, present recommendations – and lead to automatic remediation. Machine learning is a key component, because malware moves too fast to allow security systems to be trained after the event. Kumad Kalia gave the example of a Cylance system that had not been updated for two years yet could still detect the latest attack patterns. "That's a profound demonstration of the efficacy of AI within cybersecurity… our code had never seen these types of software – probably hadn't even been written in the combinations that were then released for attack – and the software stopped these on machines."

Where will this go? To a solution that reinvents the SOC, with triage and front-line reporting done in real time by software – not by burned-out humans. Imagine, says Markovich, a SOC with a single pane of glass where the analyst gets alerts already ordered in a queue. All the alerts are already processed by AI, and are presented with all the context and data needed for a human judgment. "The analyst makes a quick decision, almost like Tinder: Swipe left, swipe right, block or it's okay." The action is then done by the SOC platform, so the entire response is being done automatically. Goodbye, non-stop information overload. Goodbye, mind-numbing and soul-destroying alert triage. Finally, we can cure the alert-fatigue epidemic.
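The three mechanical steps that the article's vendors describe, collapsing repeats, correlating across platforms and ordering the queue, are simpler than the "AI" framing suggests and are worth seeing concretely. The following added example is not code from JASK, Demisto or Cylance: it takes a constructed feed of alerts in a simplified common shape, de-duplicates a noisy sensor, groups alerts on the same host into cases, and scores each case so that a host tripping three independent platforms in sequence rises above a single high-severity alert and far above thirty copies of one scan. The sources, rule names, hosts and scoring weights are assumptions for illustration.

```python
"""Alert de-duplication, cross-source correlation and triage ordering.

Added example, not code from JASK, Demisto or Cylance. The alert feed is
constructed inline; sources, rule names, hosts and scoring weights are
assumptions chosen to make the ordering visible.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2018, 7, 2, 8, 0)

# Constructed feed: one noisy IDS rule repeating on ws-044, a host (ws-112)
# that trips EDR, proxy and firewall in sequence, a low-value AV cleanup,
# and a single high-severity EDR alert on ws-300.
RAW_ALERTS = [
    {"source": "ids", "rule": "ET SCAN Nmap", "host": "ws-044",
     "severity": 2, "ts": T0 + timedelta(minutes=i)}
    for i in range(30)
] + [
    {"source": "edr", "rule": "Office spawned powershell", "host": "ws-112",
     "severity": 4, "ts": T0 + timedelta(minutes=5)},
    {"source": "proxy", "rule": "Beaconing to rare domain", "host": "ws-112",
     "severity": 3, "ts": T0 + timedelta(minutes=9)},
    {"source": "fw", "rule": "Outbound 4444/tcp", "host": "ws-112",
     "severity": 3, "ts": T0 + timedelta(minutes=11)},
    {"source": "av", "rule": "Adware PUA cleaned", "host": "ws-007",
     "severity": 1, "ts": T0 + timedelta(minutes=20)},
    {"source": "edr", "rule": "Office spawned powershell", "host": "ws-300",
     "severity": 4, "ts": T0 + timedelta(minutes=40)},
]


def deduplicate(alerts, window=timedelta(hours=1)):
    """Collapse repeats of (source, rule, host) inside `window` into one
    alert carrying a count and first/last seen times."""
    merged, last = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["source"], a["rule"], a["host"])
        if key in last and a["ts"] - last[key]["first_seen"] <= window:
            last[key]["count"] += 1
            last[key]["last_seen"] = a["ts"]
        else:
            item = dict(a, first_seen=a["ts"], last_seen=a["ts"], count=1)
            merged.append(item)
            last[key] = item
    return merged


def correlate(alerts, window=timedelta(minutes=30)):
    """Group alerts on the same host whose first_seen times fall within
    `window` of the case's first alert into one case."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["first_seen"]):
        by_host[a["host"]].append(a)
    cases = []
    for host, items in by_host.items():
        current = [items[0]]
        for a in items[1:]:
            if a["first_seen"] - current[0]["first_seen"] <= window:
                current.append(a)
            else:
                cases.append({"host": host, "alerts": current})
                current = [a]
        cases.append({"host": host, "alerts": current})
    return cases


def score_case(case):
    """Priority = highest severity, plus 2 per additional independent source
    agreeing, plus 0.1 per repeat (capped) so noise never outranks
    corroboration. Weights are illustrative assumptions."""
    sev = max(a["severity"] for a in case["alerts"])
    sources = {a["source"] for a in case["alerts"]}
    repeats = sum(a["count"] for a in case["alerts"]) - len(case["alerts"])
    return sev + 2 * (len(sources) - 1) + min(repeats, 10) * 0.1


def triage_queue(raw_alerts):
    """Return cases ordered for an analyst, highest priority first."""
    cases = correlate(deduplicate(raw_alerts))
    for c in cases:
        c["score"] = score_case(c)
        c["sources"] = sorted({a["source"] for a in c["alerts"]})
    return sorted(cases, key=lambda c: c["score"], reverse=True)


if __name__ == "__main__":
    for c in triage_queue(RAW_ALERTS):
        print(f'{c["score"]:>5}  {c["host"]}  {c["sources"]}  '
              f'{[a["rule"] for a in c["alerts"]]}')
```

Thirty identical IDS alerts become one case with a count, and the multi-source case on ws-112 lands at the top of the queue even though none of its individual alerts carries the highest severity; that corroboration across platforms is what the article means by correlation, and it is cheap to compute before any model is involved.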

Episode 79 – Autonomous Security Operations Centre (ASOC) platform – JASK's application of AI & ML in the SOC

In this episode Chris Cubbage interviews Greg Fitzgerald, Chief Marketing Officer of JASK. Chris and Greg talk artificial intelligence, cloud, and big data in the company of planes, trains, and cutlery. It's a great interview, and being in California, has some Hollywood-esque special effects.

VISIT https://australiancybersecuritymagazine.com.au/episode-79-autonomous-security-operations-centre-asoc-platform-jasks-application-of-ai-ml-in-the-soc/




TechTime Cyber Security - Cyber

The Gorgon Group: Slithering between nation state and cybercrime

Palo Alto Networks Unit 42 researchers have been tracking a group of attackers which they are calling Gorgon Group. In addition to numerous targeted attacks, Unit 42 discovered that the group also performed a litany of attacks and operations around the globe, involving both criminal and targeted attacks. Starting in February 2018, Unit 42 identified a campaign of attacks targeting governmental organisations in the United Kingdom, Spain, Russia, and the United States. Additionally, during that time, members of Gorgon Group were also performing criminal operations against targets across the globe, often using shared infrastructure with their targeted attack operations. Using numerous decoy documents and phishing emails, both styles of attack lacked overall sophistication, but the effectiveness of this group and campaign cannot be denied.

Creation of TRITON malware – FireEye research release

FireEye has released research detailing how the malware TRITON works and was created. TRITON was identified late last year by FireEye’s Mandiant team following an incident at a critical infrastructure organisation where an attacker deployed malware designed to manipulate industrial safety systems, targeting Industrial Control Systems (ICS). Since TRITON was discovered, FireEye has wondered how the threat actor created the malware, and this report provides insights into that. The actor reverse engineered a Triconex controller using legitimate software to learn the protocol, and built the malware to speak that language. FireEye has learned the development process was easier than previously thought. In light of this, the company expects other threat actors to take similar approaches in their development of tools to exploit ICS.

New cyber espionage group infiltrates satellite, telecom and defence orgs

Symantec has exposed a never-before-reported cyber espionage group that has infiltrated satellite, telecom and defence companies in Southeast Asia and the US. Called Thrip, the campaign originated from machines based in mainland China. Worryingly, Symantec has uncovered that Thrip has been looking for, and infecting, computers running software that monitors and controls satellites, with the aim of not just spying but disrupting these critical systems in SEA.

Recently, ASEAN agreed to establish a regional infrastructure pipeline to match rising Chinese influence in the region, and there have been calls for the Australian government to help ASEAN countries design better infrastructure. In this environment, cyber espionage campaigns such as these offer a timely warning for Australia’s critical infrastructure owners and operators in securing our nation’s first line of defence.

Nick Savvides, Chief Technology Officer at Symantec APAC, is available to provide expert commentary on the impact of targeted cyber espionage attacks in Australia and across the region.

Major world events a playing field for hackers

Just like the old-fashioned pickpockets and scalpers we’ve learned to avoid, cyber scammers are exploiting major world events to target their victims. The World Cup, the Royal Wedding, and the Winter Olympics are recent events they’ve tried to benefit from in this way, and it’s an incredibly effective tactic. Usually, the cyber attacker modus operandi during these events is the tried-and-true combination of social engineering and phishing. Generally an email – along with a malicious attachment or link – is sent out in a spam campaign to thousands of potential victims. The body of the email will exploit interest in the event and point the user to the malicious element – alluding to a special offer or other detail related to the event.

An interesting example occurred during the recent World Cup. Hackers developed a malicious score-tracking app, called “Golden Cup”, and convinced Israeli soldiers to download it from the Google Play store. The app in fact contained spyware which gave the attackers access to the soldiers’ GPS location, phone cameras and microphones, and revealed the locations of images and videos stored on their phones. The Israeli military blamed the Palestinian group Hamas. What made the malware especially dangerous, the Israelis said, is that the app looked legit – it was downloaded from an official app store.

It’s not only sport fans that need to be wary. We witnessed another cunning tactic before the wedding of Prince Harry and Meghan Markle, whereby cyber criminals launched the “royal wedding guest name” data mining scam. This scam tricked people into giving up key personal data by inviting them to find out what their ‘aristocratic name’ was. And what did people need to do to find out their ‘aristocratic name’? They had to enter the name of one of their grandparents, their first pet’s name, and the name of the street they grew up on. If these questions sound familiar, it’s because they’re three of the most commonly used security questions.

Organisers and contractors of these events are also frequently targeted via similar means. Before the South Korean Winter Olympics, sophisticated attackers targeted ski resorts, organising committees, and tourist boards with an apparent alert from South Korea’s National Counter-Terrorism Center. The email contained malware which would give attackers remote access to infected machines. Underscoring the tradecraft of this campaign, the emails coincided with real-life terrorism drills.

Exploiting the public interest in major events is an efficient and effective form of social engineering. Any time these significant events roll around, we can expect an accompanying phishing campaign. Consider the fervour that will descend upon Australia during the last weekend of September. Saturday will see the AFL final decided, while on Sunday the NRL finalists will face off against each other. Fans and punters across the country will be eager for any updates in the lead up to both matches and could be seen as easy targets. If a spam email went out claiming to contain last minute injury updates or special odds from a betting agency, I think we all know someone who would open it. By feeding on the frenzy before these events, attackers know there’ll be enough people who can’t resist to make the campaign worth their while.

This doesn’t mean you should live in fear any time an event of national or international significance rolls around. Basic cyber hygiene is enough to ensure you enjoy these events safely: only use trusted sites, only download official or verified apps, don’t click on emails or attachments from unfamiliar sources, and apply the latest patches as soon as possible. These are very simple steps one can take to level the playing field against attackers. Forewarned is forearmed, and knowing to expect such tricks can help even the most ardent fan think twice before entering their mother’s maiden name and favourite colour to find out their ‘footy nickname’.

Cisco Start sets out to target the Australian SMB sector

Over the last 18 months, Cisco has developed a purpose-built portfolio called ‘Cisco Start’ which allows SMBs to adopt enterprise-class technology at an affordable cost, that is reliable, simple and secure. The concept is that they can subscribe to a managed service and pay as they grow, for flexibility to adopt and scale as required.

Opening with a briefing to media by Ken Boal, Vice President for Cisco ANZ, SMBs are the small to medium sized enterprises with 250 users or more. Cisco, along with its strong commercial focus, is seeking to help Australian business accelerate and help the SMB market thrive. “We’re committed to leading digital in whatever realm they play”, Ken said.

With 2017 turnover reaching AU$1.9B in the last 18 months, the SMB share of that grew from 9% to 13% of the business, and the aspiration is to grow to 20% and beyond with AU$15M growth per annum. Referring to the Deloitte Access Economics report, Connected Small Business 2017, sponsored by Google, there remains significant opportunity in the SMB segment of the market. “This report finds that Australian SMBs are increasingly digitally engaged, and that their take-up of digital tools has been accelerating over time.” Ken highlighted, “With headlines every week and even today of news of a breach against an SMB provider to regional airports, and the recent PageUp breach, shows that cybersecurity is equally important for SMBs as it is for larger companies. All sectors need to think about cybersecurity.”

Partnering with the Business Council of Australia and the Council of Small Business of Australia, Cisco is seeking to provide clarity, standardisation and requirements of expectations for cybersecurity. A security capabilities benchmark study (links to previous report) showed that many SMBs have given up in trying to keep up with the threat landscape. The study showed many of the 100 surveyed had experienced a 17-25 hour outage due to a security breach. Cybersecurity compromise is lying dormant in small business for at least 100 days.

Ken said, “With Cisco Start, for cybersecurity, it will provide a validated design and a reference architecture to industry, so security is fully integrated vertically. What we will do is provide best practice architecture, however user behaviour and culture is a big part, where we are working with the BCA on the technology aspect”. Ken confirmed, “Our play is therefore, simple, smart and secure.”

“There is no such thing as small business, that is an economist term,” said Peter Strong, CEO of the Council of Small Business of Australia, “small business is people. So the process has to be simple and if you can’t communicate a process, like we say to government about policy, it will fail.” Nor is there a compliant small business in Australia. “It is impossible to be compliant in the regulated environment in Australia,” Peter said. “So don’t talk about the features, talk about the benefits – and cybersecurity provides stress management. The personality traits of small business is they are optimistic – if you’re a pessimist you go into government.”

“Communications is vital. If you don’t get that right you will fail. Selling to small business needs to be clearly and simply communicated. We have to trust people. In the main, big business and small business get on pretty well. SMB need the likes of Cisco but likewise, Cisco needs SMB. We need to work and trust each other.”

“Within the supply chain, you’re only as strong as your weakest link. We have to work together and we can’t have big business saying ‘get your act together’ without assisting.”

Nykaj Nair, Head of SMB, Distribution and Channels at Cisco, is providing the strategic approach to the SMB market through simplicity, affordability, trust and scalability – so as an SMB grows, the technology scales with them. A portfolio has been purpose built for SMBs, which involves building capability and capacity for routes to a diverse market segment and building trust. A key area of investment is digital communication and marketing, to educate SMBs on the importance of the digital network environment.

The four key routes to the SMB market involve, first, reaching out to the system integrators: Cisco has trained over 1,000 system integrators, to build trust with their customers, and has reached over 50,000 customers over the last 12 months. The second market route is via the telcos and managed service providers, which have a unique ability to provide technology as a service. It is easier for Cisco to provide a catalogue of technology as a service, leveraging Cisco Start as a platform. The third scope is the alternative channel, such as retailers like JB HiFi, and building a catalogue of services; an example shown was the Victorian Farmers Federation. And the fourth route is alternative marketplaces, including an Australian pilot underway with a Cisco Start marketplace, with seven partners signed and the concept being part of a partner-facing store front.

In closing, Samuel Lewinson, COO and co-founder of Jar Aerospace, received an AU$40,000 Cisco Start package as part of the Cisco Start marketing campaign. Winning from a pool of 60 competition applicants, Jar Aerospace is focused on advanced autonomous flight platforms and drone integration, which includes the supply of education programs to schools for coding and hardware for drone integration and engaging students in STEM.

Mimecast unveils second-annual State of Email Security report

More than 90 percent of global organisations reported the volume of phishing attacks has increased or stayed the same in the past 12 months

Mimecast Limited has released its second-annual State of Email Security report. The report identifies the latest email-borne threats facing organisations of all sizes and industries globally. Cyberattacks are on the rise. In fact, more than 85% of Australian organisations reported seeing the volume of phishing attacks increase over the last twelve months, while 41% said they saw the volume of impersonation attacks rise. Making cybersecurity a priority should start from the top, yet this isn’t always the case: 33% of respondents said their C-level executive sent sensitive data in response to a phishing attack, and 58% admitted that their management teams aren’t knowledgeable enough to identify and stop an impersonation attempt.

“Email-based attacks are constantly evolving and this research demonstrates the need for organisations to adopt a cyber resilience strategy that goes beyond a defence-only approach. This is more than just an ‘IT problem,’” said Peter Bauer, chief executive officer of Mimecast. “It requires an organisation-wide effort that brings together many stakeholders, puts the right security solutions in place and empowers employees – from the C-suite to the reception desk – to be the last line of defence.”

Mimecast conducted the research with Vanson Bourne on the state of organisations’ cybersecurity, their expectations and needs, and what attacks they’ve seen increase. Findings within the report are based on responses received from 800 IT decision makers and C-level executives globally, and reveal the attitudes, behaviours, confidence and preparedness levels of security professionals – and the C-suite – when it comes to dealing with these threats.



WRITE FOR US!

The Australian Cyber Security Magazine is seeking enthusiastic cyber security professionals who are keen on writing for our magazine on any of the following topics:

• Digital forensics in Australia
• Workforce development
• Security in the development lifecycle
• Threat management and threat hunting
• Incident management
• Operational security
• Security book reviews
• Risk management
• True crime (cybercrime)

Reach out to over 10,000 industry professionals per month!

If you are interested in writing for us, please send your article pitches (no more than 200 words) to the editors’ desk at: editor@australiancybersecuritymagazine.com.au

Interested in Blogging? You may or may not be familiar with our website, which also provides daily infosec news reviews, as well as our weekly newsletters. We’d like to hear from anyone who’d be interested in contributing blog posts for our platform that reaches out over 10,000 industry

professionals per month, where you can express your opinions, preferences, or simply rant about the state of the cyber security world. If you stay on topic and stick to the facts, we’ll be happy to publish you. If interested, email the editors at : editor@australiancybersecuritymagazine.com.au


BOOK REVIEW | by CHRIS CUBBAGE

Five Anchors of Cyber Resilience: Why some enterprises are hacked into bankruptcy while others easily bounce back – PHILLIMON ZONGO, Broadcast Books (www.broadcastbooks.com.au)

“Enterprises cannot afford to delude themselves about the current state of affairs – protecting against the soaring threat of cybercrime has never been more important. Discounting cybercrime is not just negligent; it’s dangerous.”

In addition to an accurate, growing and obviously concerning list of case-study cyberattacks to underline the context and importance of this book, Zongo argues that the origin of enterprises’ predicament lies in many factors, but particularly the following five: limited executive buy-in into cybersecurity programs; a growing list of poorly secured business partners; a gullible or poorly trained workforce; heavily diluted, one-size-fits-all strategies; and a consistent failure to bake security into digital transformation programs.

The Five Anchors of Cyber Resilience then details, in its key chapters, the manner in which cyber resilient enterprises build their cyber security strategy centred on high value assets. Rather than start with a predefined set of controls and then build security controls based on best practice, cyber resilient enterprises think differently – they place the customer at the centre of everything they do. The next key anchor is putting people’s hearts and minds, not technology, at the centre of their cyber security strategies. The third key anchor is baking cyber security into innovative programs: they are constantly thoughtful and diligent about security decisions as they embrace disruptive technologies, anticipating major pitfalls early and embedding security deep into design work. With the fourth key anchor, cyber resilient enterprises implement a risk-based assurance program over suppliers; they don’t enter these alliances blindly, as the majority of debilitating cyber attacks have emanated from poorly secured third party environments.

Finally, the fifth anchor is that they create highly effective, lean and efficient governance structures, with a consistent message throughout the book being that there is no one size fits all – there is no universally right cybersecurity strategy. Zongo continues to deliver the insight as the chapters roll through, including insights into cloud computing, artificial intelligence and blockchain; as businesses move into adopting these technologies, or merge and acquire unrelated entities, the task of protecting high value digital assets becomes complex and daunting, particularly if those entities were smaller organisations without the capabilities to defend themselves. “In the end, there is no such thing as a risk free innovation.”

There are solutions, despite the challenges. Rethink the cyber governance models and, if needed, create a dedicated role to reduce vulnerabilities within suppliers and supply chain stakeholders; maintain an inventory of business partners; segregate suppliers based on risk; implement differentiated assurance controls; and apply suitable standards to measure and benchmark against.

The primary aspect that leaped out from this high quality body of work was the encouragement of greater and deeper board-level cybersecurity conversations and the important questions boards should be asking. In addition to the conversation, the board should also be monitoring the cyber risk metrics to inform it about the organisation’s vulnerabilities as well as the strength of its defences. In conclusion, Zongo cleverly casts back to 1864 and the attack by the 1,700 soldiers of the 43rd British regiment against 235 New Zealand Maori warriors. The span of technology and tactics has not been lost in time, and with reference to the Art of War, “in warfare there are no constant conditions”, and in today’s technology environment, quoting the World Economic Forum, “the speed of current breakthroughs has no historical precedent.”

This book is superbly written and crafted, thereby sufficiently enticing and insightful, written with the enterprise executive and board front of mind. With publications such as these, there really is no excuse for a company director not to be cyber-informed and cybersecurity aware. It is their fiduciary duty to be so. Well done Zongo. Highly recommended read!
