2020–2021 CYBERAUSTRALIA

Australian Cyber Conference

Safeguard your information with Australia’s pioneer Cyber Emergency Response Team

Incident Management | Phishing Take-Down | Security Bulletins | Security Incident Notifications

Sensitive Information Alert | Early Warning SMS | Malicious URL Feed

AusCERT provides members with proactive and reactive advice and solutions to current threats and vulnerabilities. We help members prevent, detect, respond and mitigate cyber-based attacks. As a not-for-profit security group based at The University of Queensland Australia, AusCERT delivers 24/7 service to members alongside a range of comprehensive tools to strengthen your cyber security strategy.

Become a Member Today +61 (0)7 3365 4417 auscert.org.au [email protected]

Foreword

BY ALEX WOERNDLE, DIRECTOR, AISA

Community is a fundamental pillar of Australian society and for the Australian Information Security Association’s (AISA’s) existence. As we navigate through a perilous 2020, we now set our attention on the uncertainty of 2021. At a time like this – not just through the depths of the current pandemic, but into the coming year of unknowns and imbalances – community is crucial in so many ways.

AISA has been built over 20 years by like-minded individuals wanting to share, collaborate and support each other. In fact, in September 2020, AISA reached a new milestone of 7000 members. This clearly highlights the rapid growth in importance of the cyber work that security professionals do to protect Australians.

Yet, it isn’t all rosy. While the impacts that COVID-19, lockdowns and social distancing are having on parts of the economy are plain to see, the perception until now is that cyber has gone from strength to strength. If we are to effectively counter the growing threat landscape, investment needs to continue to grow, but the imminent unwinding of JobKeeper will have unknown consequences for all businesses, regardless of the sector.

Evidence is mounting that even within cyber, we have a two-speed economy. In some quarters, members are reporting unsustainable working hours and burnout. In others, job losses and unemployment have been reported. Those working in sectors most impacted by COVID-19 (e.g., travel, entertainment and retail) are reporting budget and job cuts, regardless of the cyberthreat.

Likewise, among vendors, some are reporting booming growth while others have rapidly disintegrating sales pipelines. This is not a reflection on quality of those businesses – what is apparent is that organisations are much more likely to continue to invest in resources, but less so in tools. Whether this is reflective of current uncertainty or broader systemic issues that will eventually impact all vendors in the sector is a significant unknown.

One thing is certain – as a community, we need to continue to fly the flag together, and consistently, for greater investment by all organisations to collectively raise our cyber capability and maturity.

The government’s 2020 Cyber Security Strategy was headlined by a $1.67-billion investment over the next 10 years. While representing a significant uplift compared to the previous strategy, the general consensus of AISA members was that it won’t be enough. But the bigger issue is the unknowns that now arise from the strategy.

As we head towards 2021, anticipation is rising around what will be considered ‘critical infrastructure’ and the impacts this has on a raft of Australian businesses. Potential new certifications present uncertainty for industry practitioners – both new and old – and unclear legislative and regulatory changes create confusion and distrust. In an era of misinformation and geopolitical tensions, making decisive investment decisions is almost impossible. Coupled with anticipated economic impacts in 2021 and beyond, the inability to invest adequately to meet new benchmarks may result in organisations simply accepting a higher level of cyber risk.

While this paints a pessimistic picture, it’s the AISA community that can collectively help Australia to navigate the cyberthreat through uncertain periods. As an organisation, our role evolves in these times to provide AISA members with greater access to information and opportunity – via research, job opportunities, education, collaboration with strategic partners, and events (both online and physical). As a community, our role must focus on supporting each other, being empathetic to individual circumstances, and collectively pushing the message forward that investment in cyber must be maintained, if not increased, in the immediate term to combat the ever-increasing threats. •

1 | CYBERAUSTRALIA PUBLISHED BY:

ABN 30 007 224 204
430 William Street, Melbourne VIC 3000
Tel: 03 9274 4200

Email: [email protected] Web: www.executivemedia.com.au

PUBLISHER David Haratsis [email protected]

MANAGING EDITOR Giulia Heppell [email protected]

JOURNALIST David Braue David Braue is an award-winning technology journalist who has covered the ICT industry for 24 years. He has written for major technology journals in Australia, the United States and the United Kingdom, and specialises in enterprise technology and its convergence with business strategy. Recent years have seen him nurturing a deep focus on cybersecurity, privacy, risk management and related issues. Braue earned a Master of Criminology degree from the University of Sydney, where he wrote his thesis on evolving computer crime laws. www.braue.com

EDITORIAL AND DESIGN TEAM Kate Hutcheson, Simeon Barut, Alex Fleischer, Amanda Wong

The editor, publisher, printer and their staff and agents are not responsible for the accuracy or correctness of the text of contributions contained in this publication, or for the consequences of any use made of the products and information referred to in this publication. The editor, publisher, printer and their staff and agents expressly disclaim all liability of whatsoever nature for any consequences arising from any errors or omissions contained within this publication, whether caused to a purchaser of this publication or otherwise. The views expressed in the articles and other material published herein do not necessarily reflect the views of the editor and publisher or their staff or agents. The responsibility for the accuracy of information is that of the individual contributors, and neither the publisher nor editors can accept responsibility for the accuracy of information that is supplied by others. It is impossible for the publisher and editors to ensure that the advertisements and other material herein comply with the Competition and Consumer Act 2010 (Cth). Readers should make their own inquiries in making any decisions, and, where necessary, seek professional advice.

© 2020 Executive Media Pty Ltd. All rights reserved. Reproduction in whole or part without written permission is strictly prohibited.

All stock images sourced from iStock.com

Vegetable based inks and recyclable materials are used where possible.

CONTENTS

1 FOREWORD – ALEX WOERNDLE
4 WHY THE DEMOCRATISATION OF SIEM MUST HAPPEN NOW
6 BUDGET ACROBATICS CRUCIAL IN POST-COVID-19 RECOVERY – DAVID BRAUE
10 LEVERAGING A TRUSTED PARTNER WHEN CYBER IS PART OF EVERYTHING
16 IOT IN THE POST-COVID-19 WORLD – DAVID BRAUE
18 CYBER SECURITY IN A HYBRID WORK ENVIRONMENT – BRUCE MOORE
20 PWC’S DIGITAL TRUST INSIGHTS 2021: THE NEED FOR CYBER RESILIENCE
22 RANSOMWARE HITS NO LONGER AN ACCEPTABLE RISK – DAVID BRAUE
26 IS IT SAFE? IS IT SAFE? IS IT SAFE? – SIMON GALBALLY
30 RISK MANAGEMENT IN THE TIME OF PANDEMIC – WARREN BLACK
38 5G: A SECURITY LIABILITY? – DAVID BRAUE
42 COLLABORATION KEY TO CYBER RESILIENCE – DAVID BRAUE
44 THE ILLEGAL ECONOMY AND HOW THE CYBER INDUSTRY CAN HELP
46 WHERE FINTECH INVESTMENTS GO, CYBERCRIMINALS FOLLOW – DAVID BRAUE
50 HARNESSING INNOVATION
52 COVID-19 AND THE INTRODUCTION OF E-VOTING – DAVID BRAUE
56 AUSCERT AT THE FOREFRONT OF CYBER SECURITY
58 THE CHANGING ROLE OF THE CISO – DAVID BRAUE
62 CRIME PREVENTION THROUGH ENVIRONMENTAL DESIGN – SIMON HENSWORTH
66 SECURE FILE TRANSFERS WHEN IT MATTERS MOST
68 NATIONAL SECURITY OR PRIVACY? – MICHAEL TROVATO, CHONG SHAO, SARAH BAKAR
72 INDUSTRIAL CYBER SECURITY FOR THE 2020S
74 TRANSFORMING VICTORIA’S TRANSPORT TELECOMMUNICATIONS NETWORK
76 IS THAT REALLY YOU?
80 THE FUTURE IS PASSWORDLESS
82 THE EVOLVING INFORMATION SECURITY BODY OF KNOWLEDGE – YVONNE WONG
85 SAY GOODBYE TO PHISHING WITH POWERDMARC
86 MANAGING THE MENTAL HEALTH OF CISOS AND THEIR TEAMS – MARILIA WYATT
89 THE CHANGING FACE OF RETAIL
92 SPOTLIGHT: EDUCATION
94 THE FUTURE OF TRAINING – DAVID BRAUE
96 WORLD-CLASS HOME FOR CYBER HUB
98 THE ASD CYBER SKILLS FRAMEWORK – TONY VIZZA
104 CYBER SECURITY PIPELINE DELIVERS TALENT TO AUSTRALIAN BUSINESSES

CONTENT PROVIDED BY RAPID7

Why the democratisation of SIEM must happen now

BY NEIL CAMPBELL, VICE PRESIDENT APAC, RAPID7

THE COVID-19 PANDEMIC has changed the way we work, educate and interact – not just temporarily, but likely forever.

Many of us have embraced remote working or learning, and this has huge implications for how we keep our corporations and institutions secure. As a security lead in your organisation, you’re likely faced with myriad challenges to ensure the continuity and safety of your network and assets.

For example, your traditional network perimeter is no more. You have end points everywhere, and that comes with increased risk. Yet, your people still need to access the same sensitive data to communicate important business decisions, and will explore the web with the same fearless abandon. With numerous measures to put in place, a new approach is required to improve your organisation’s security posture while keeping critical systems safe.

DIMINISHING VALUE

For a number of years the IT discussion has centred on innovation and transformation; however, COVID-19 has meant that security dominates the current IT agenda. Simply halting attacks is not enough. A broader approach is required, one that encompasses a whole-of-business solution. Enter security information and event management (SIEM).

The trouble is that SIEM is expensive. Only those who can truly afford it can sample the luxury of a full SIEM solution, and its high cost is also part of its downfall. Only slightly more than one-fifth of those who use an SIEM solution say that they derive value from it. While there’s the promise of visibility across your entire network, that visibility comes at a premium price. It also varies based on the number of security events your organisation would send to the platform. In short, the more events you have, the greater the cost. Once again, only truly cash-rich organisations can afford to write a blank cheque for what can be a highly variable cost.

Additionally, part of the challenge of gaining value from legacy SIEM tools has been their inability to transition well into the cloud. At a time when many organisations are transitioning to the cloud for greater agility, a lack of innovation in some SIEM tools is hindering that initiative.

THE DEMOCRATISATION OF SIEM

In a time when security threats are likely to increase and continuity is vital, SIEM is only a realistic option for those who can genuinely afford it. This means some go without. Those who have an SIEM service, yet find it impossible to manage a variable cost, simply cut corners and blind themselves to security events to save money.

When business continuity and the survival of the economy is vital, surely our most advanced security solutions should be readily available to all. Now is the time to provide a fixed-cost alternative to the traditional SIEM providers.

All organisations should be able to quickly and effectively deploy an SIEM solution with access to a range of platform-led services and controls, giving the required visibility, but charged at an affordable and fixed cost. Let’s take the SIEM tax off the table. •

For more information, visit https://www.rapid7.com/c/IDR-ANZ/1/.


Secure Today to Empower Tomorrow

Innovate without slowing down. Get the visibility, analytics, automation, and expert guidance you need to securely advance.

Learn how we can help: Visit us at www.rapid7.com or email us at [email protected]

Budget acrobatics crucial in post–COVID-19 recovery

BY DAVID BRAUE

CISOs must fight for relevance as businesses pivot towards digital transformation.

Tongues were wagging after the hastily called 19 June press conference at which Prime Minister Scott Morrison declared that Australia was being targeted by a ‘sophisticated state-based cyber actor’. Yet, as the implications of his statement hit home, more than a few executives would have taken note of his exhortations around patching and multi-factor authentication (MFA) – and wondered how they were going to pay for it all.

The importance of those practices is hardly news to anybody working in cyber security, but chronically low levels of actual patching – and spotty implementation of MFA – have persisted due, at least in part, to a lack of budget for the additional resources needed to implement them properly.

Such are the trade-offs of cyber security, where the art of securing enough budget has become a specialisation of its own. But as pandemic-hit businesses watch revenues plummet and cut spending in the fight back to profitability, security executives may well find funding even harder to get.

Early signs suggest that the cuts could be savage. The impact of COVID-19 will see a third of Australian enterprise IT budgets cut by around 10 per cent this year, a recent GlobalData survey found, while 16.7 per cent of respondents said their business would be cutting IT budgets by more than 20 per cent.

Such major reductions – which will outpace gross domestic product declines – would have been unthinkable during years of steady growth and investment in digital transformation; however, in the wake of massive economic disruption, they are likely to become the norm for many companies – and technology leaders will be under the pump as a result.

Ninety-two per cent of Australian IT leaders said their companies have changed technology priorities during the pandemic, according to a recent AppDynamics survey in which three-quarters said their organisations were under more technological pressure now than ever before.

Two-thirds of Australian technologists are being asked to perform tasks and activities that they have never done before, while 72 per cent of respondents said that the crisis had exposed weaknesses in their digital strategies, forcing them to bring forward elements of their digital transformations.

Faced with this dramatic change in operating terms, security executives must get creative as they face up to existing and new cyberthreats in a climate of IT spending that IDC expects will decline 2.7 per cent this year.

‘Overall IT spending will decline in 2020, despite increased demand and usage for some technologies and services by individual companies and consumers,’ says Stephen Minton, Program Vice President in IDC’s Customer Insights and Analysis group.

‘Businesses in sectors of the economy that [were] hardest hit during the first half of the year will react by delaying some purchases and projects, and the lack of visibility related to medical factors will ensure that many organisations take an extremely cautious approach when it comes to budget contingency planning in the near term.’

IDC anticipates declines in spending on hardware, peripherals, servers, storage and network hardware; however, cloud infrastructure spending is set to increase by 5.3 per cent as some companies pivot towards new digital strategies due to the impact of the pandemic.

Cloud ‘is a bigger factor than it was in any previous global recession’, Minton notes, ‘and this should mean that overall spending is less volatile than in the last two major IT spending downturns’.

SHIFTING TOWARDS COST-EFFECTIVE INFRASTRUCTURE

Even as IT and security executives confront the implications of leaner corporate IT budgets, businesses may get some government guidance and support as they work together to navigate what a recent Australian Information Industry Association (AIIA) report calls ‘a once-in-a-lifetime opportunity for major reform and restructure of our economy and society’.

That paper, called Building Australia’s Digital Future in a Post-COVID World, identified four key focus areas as the economy pivots in the wake of the pandemic: building a national digital backbone; building digital skills for the future; tax, incentive and government procurement reform; and building a ‘secure and resilient’ digital Australia.

‘The demand for resilient, secure and innovative solutions means that ongoing focused investment in new technologies will be required to ensure Australia remains on the forefront of technology innovation,’ the report notes.

The AIIA proposes that helping businesses to meet these requirements should translate into ‘enhanced support’ for Australian small and medium-sized enterprises that need to redouble their investments in cyber security skills, particularly in the security of operational technology. This includes a proposed technology enablement tax incentive that would ‘assist small business to become better technology enabled’.

Such financial support, if implemented in government policy, could provide some relief for companies that are struggling to invest adequately in cyber security protection as they fight to stay afloat by maximising their use of slim revenues.

Yet, with Morrison recently warning that Australia would be paying off its COVID-19 debt for at least the next two years, IT executives shouldn’t tie their own futures to any government support that may or may not eventuate.

The disruption of this year’s ongoing events will slow down spending but not completely eliminate its growth, according to Gartner, who predicts a ‘pause’ and a ‘reduction of growth’ in security software and services. Gartner’s December 2019 estimate of 8.7 per cent in IT spending growth this year is down to 2.4 per cent, with agreement that investment will be focused on short-term demand in areas such as cloud adoption, remote-working technologies and cost-saving measures.

Gartner believes that this short-term focus will increase cloud-security revenues by a third during 2020, with network security equipment purchases likely to drop the most – by 12.6 per cent – as businesses put off discretionary security spending. Those businesses will instead funnel budgets into more immediately pressing areas like data security (7.2 per cent growth), application security (6.2 per cent) and identity access management (5.8 per cent).

Specific technologies expected to decline the most include security information and event management platforms, identity governance and administration, application security, integrated risk-management systems, and security services.

Some security spending will not be discretionary, Gartner warns, recommending that any device needed for remote access be configured with an endpoint protection platform for desktops and mobile threat defence tools for mobile devices. The firm also recommends cloud-based secure web gateway services and the use of ‘zero trust’ software-defined perimeter tools.

COVID’s spending impact will continue for several years, with Gartner revising its spending growth predictions through to 2023 – when the original growth rate of 7.7 per cent has been dropped to 6.6 per cent.

WORK WITH THE BUSINESS

In the short term, security executives must work closely with chief information officers (CIOs) to ensure that IT and security requirements are well represented on the agendas of heavily committed business executives – some of whom may be actively pursuing digital transformation agendas thanks to relatively low revenue downturns.

‘The CIOs who don’t recognise that their environment has changed as a consequence of the pandemic will have a significant risk of having their programs’ funding cut unilaterally based on some arbitrary budget cuts,’ warns Gartner Australia’s Senior Director, Security and Risk Management, Richard Addiscott.

‘Even worse, they may potentially be left behind when the firm takes decisive steps to ramp up its digitisation efforts. It’s important that they engage with the business as quickly as possible to understand what the organisation’s path is in coming out of the pandemic.’

In many cases, businesses will ramp up digital transformation as a way out of the pandemic’s disruption. A well-presented case around security should lead to concomitant funding increases to support this.

Yet, despite having battle scars from fighting ‘tooth and nail to get the funding they have’, Addiscott says chief security officers will also need to engage pragmatically with other business leaders in recognition of the unprecedented conflicting pressures that the pandemic has placed on business financials.

This might, for example, see some planned security rollouts or upgrades pushed back in favour of initiatives related to currently critical areas, such as the security of remote working.

This strategy may also require strong initiative towards adoption of SecDevOps, which is emerging as a solution to internal functional disorganisation whose net effect – leaving security functions spread across an array of operational units – was called out in ISACA’s recent Global State of Security 2020 analysis.

Funding reallocations should also, Addiscott warns, be prioritised to recognise the very different digital environment that will emerge, as re-emergent businesses double-down on digital transformation to recover ground lost during the pandemic.

‘Each organisation is different, and they will all have a unique path out,’ he says. ‘The key thing that security leaders should be thinking about is, “How do I aid in the organisation’s recovery out of the pandemic without exposing us to unnecessary risk?”’ •

CONTENT PROVIDED BY DEAKIN UNIVERSITY

Leveraging a trusted partner when cyber is part of everything

BY DAMIEN MANUEL, DIRECTOR OF CYBER SECURITY RESEARCH AND INNOVATION (CSRI); AND PROFESSOR ROBIN DOSS, CYBER SECURITY RESEARCHER OF THE YEAR 2019 AND RESEARCH DIRECTOR OF CSRI, DEAKIN UNIVERSITY

WE ALL BENEFIT from today’s world of ecommerce, cloud services, virtual collaboration tools, and near-instantaneous communication of news and information through social media. Yet, this rapid growth of technology adoption is also one of our greatest societal challenges.

COVID-19 has illustrated the fragility of the global economy, highlighted poor coordination and cooperation between governments when dealing with a global crisis and exposed the fragility of interconnected supply chains. It has forced the rapid adoption of digital technology, enabling businesses to pivot and adapt, but has also introduced new risks that need to be managed.

Business culture has evolved to an asynchronous model of working across extended hours, typically from 7 am to 11 pm where each day blurs into the next. In the context of this environment and the uncertainty of what a ‘COVID normal’ world looks like, businesses need to continually adapt and innovate to survive.

Businesses are turning to the higher education sector, including universities like Deakin, for a number of reasons, including:
• accessing a pool of industry-ready talent through internships and work placements to stabilise wage growth and manage business costs
• partnering to develop innovative new services and products for both existing and new markets
• performing data analytics and assessments to gain deeper insights into markets, information flows, staff and customers
• building automation through the use of artificial intelligence (AI)–enabled systems to increase productivity and reliability
• retraining the workforce or supplementing existing skills to help staff adapt to new challenges and to give the business a competitive edge
• leveraging research capabilities and expertise to reduce business risks, optimise business processes and develop new technologies.

Deakin University has been providing businesses and the community with cyber security education and research since 2003, and is now among the world’s top 100 universities for computer science and engineering (2020 Academic Ranking of World Universities). Its success has been achieved through building a cyber ecosystem, which includes the Centre for Cyber Security Research and Innovation; CyRise, the Southern Hemisphere’s only dedicated cyber security accelerator; the Institute for Intelligent Systems Research and Innovation (IISRI); Deakin Energy; the Applied Artificial Intelligence Institute; and the Centre for Supply Chain and Logistics (CSCL).

TRUSTED AI AND AI SAFETY THROUGH THE LENS OF UNCERTAINTY QUANTIFICATION

With data now considered the new oil, AI is the new electricity and it will have a profound transformative role in our societies. AI is currently offering unprecedented opportunities to improve the outcomes and reduce costs in all fields of science and engineering.

Despite all the hype and hope around AI, the key question that is yet to be answered is, how much can we trust decisions made by AI? This trust is paramount when AI models are deployed in safety-critical applications or human-rich environments. Examples include medical diagnosis, autonomous vehicles and cyber security systems. Fully trusting AI models and their decisions can lead to catastrophes in these applications, as AI models often do not know what they do not know.

Researchers at the IISRI at Deakin University have developed systems and processes to systematically gauge the confidence of AI models when making decisions. One mechanism is to use predictive uncertainty estimates during the inference time, carrying valuable and critical information about the trustworthiness of the predictions (decisions) generated by the AI model. Quantified uncertainties are automatically applied for screening all predictions and flagging any potential erroneous ones. Flagged cases are then treated with extra caution, depending on the application field, and could require getting a second opinion in medical diagnosis, reducing speed and notifying the driver in autonomous vehicles, or quarantining an email message in cyber security systems.

Accordingly, proposed frameworks
• Researchers at the IISRI at Deakin offer a unique capability for developing and deploying trusted AI solutions in safety-critical applications.

FUTURE OF INDUSTRIAL CONTROL SYSTEMS AND IOT DEVICES IN ENERGY SYSTEMS

Deakin is at the forefront of researchers developing new technologies, processes and systems to secure the underlying control systems and Internet of Things (IoT) devices used in critical infrastructure, such as energy generation and distribution.

Securing this infrastructure is critical to maintain community trust, and to ensure energy market integrity and widespread adoption of hydrogen and renewables in Australia. Two key projects are:
• Hycel Technology Hub – Deakin’s response to the Commonwealth Government’s 2019 National Hydrogen Strategy. A hydrogen hub located on Deakin’s Warrnambool campus, Hycel is dedicated to applications for hydrogen, rather than the production of hydrogen. Through demand-driven research and industry partnerships, Hycel aims to ready Australian industries and communities for the hydrogen economy and is targeting two of the biggest decarbonisation challenges in the Australian economy – heavy vehicle transport and reticulated gas. The development of safe, standardised and scalable solutions to these challenges equals vast cost and emissions savings to all sectors reliant on our country’s freight and trucking network, as well as industries, communities and households utilising natural gas.
• Microgrid – in partnership with AusNet Services and Mondo Power, Deakin completed the build of its $23-million, 7.25-megawatt renewable energy microgrid in October 2020. Located on Deakin’s Geelong Waurn Ponds campus, the microgrid is built ‘behind the meter’, feeding directly into the campus network. A seven-megawatt solar farm, two-megawatt-hour battery storage system – located on 14 hectares at the rear of the campus – and an additional 0.25-megawatt solar generation and battery storage system have been installed on existing campus buildings. This asset provides research and teaching opportunities to Deakin researchers and students, as well as community education and commercial opportunities with industry and participation in the energy market. The microgrid is integral to Deakin’s path to carbon neutrality by 2025.

SECURING SUPPLY CHAINS, TRANSPORT AND LOGISTICS FOR THE FUTURE

Modern supply chains have faced unprecedented stress in a sector that was already experiencing transformational change. Now that the Australian Government has classified supply chains as critical infrastructure, there will be even more focus on building resilient systems and networks.

Deakin’s multidisciplinary CSCL works with companies and governments to build the skills and capabilities to respond to the current complexities, and build supply chain resilience and capability for a more secure future. This includes:
• mapping multimodal container and freight movements across Australia’s port hinterlands in Melbourne, Sydney, Brisbane, Adelaide and Perth
• undertaking scenario planning with industry and government to better understand recent freight and logistics failures as we transition to the ‘new normal’, and ensure sustainability in the future
• working with the Victorian Rail Track Corporation on a range of future transport initiatives for Victoria
• developing an industry-led program to deliver end-to-end traceability in Australian food and agribusiness supply chains
• undertaking multimodal supply chain logistics assessments and reviewing the contestability between regions.

CYBER-SAFE CONNECTED VEHICLES – ENSURING SECURE, TRUSTED AND ROBUST COOPERATION

As the vehicles of the future take the form of complex mobile computers instrumented to be automated, connected and, where possible, intelligently shared, their secure and trusted operation is critical for both community safety and industry growth. Researchers from Deakin’s Centre for Cyber Security Research and Innovation are working with the automotive industry to develop security technologies and associated frameworks for the realisation of cyber-safe cooperative automotive systems. The resilience of connected vehicles cannot be just about robustness and response to component failure or malfunction, but needs to also address security and trust of the software systems.

Some of the research problems being tackled include end-to-end secure firmware and software updates; telematics; infotainment delivery for connected vehicles; secure, trusted cooperation such as decision-making for connected vehicle applications; strong authentication technologies; reduction of the risk of data tampering; identity counterfeiting; and sensitive information disclosure from side-channel attacks.

ONLY A HOLISTIC APPROACH CAN SOLVE THE CYBER CHALLENGE

The only way to tackle the cyber security challenges we face today is to take a holistic approach, leveraging the skills and capabilities of a trusted research partner with a multidisciplinary team of experts in cyber security, AI, transport and logistics, energy, business, law, regulation, policy and human behaviour. Working together across government, industry and the community, we can make a difference to protect Australians.

Contributors:
Professor Saeid Nahavandi, Pro Vice-Chancellor (Defence Technologies) and Director, Institute for Intelligent Systems Research and Innovation
Dr Hermione Parsons, Industry Professor and Director, Centre for Supply Chain and Logistics
Dr Adrian Panow, Director, Deakin Energy

For more information, visit www.cybercentre.org.au.

CONTENT PROVIDED BY DEAKIN UNIVERSITY

CYBER-SAFE CONNECTED VEHICLES – ENSURING SECURE, TRUSTED AND ROBUST COOPERATION

As the vehicles of the future take the form of complex mobile computers instrumented to be automated, connected and, where possible, intelligently shared, their secure and trusted operation is critical for both community safety and industry growth. Researchers from Deakin’s Centre for Cyber Security Research and Innovation are working with the automotive industry to develop security technologies and associated frameworks for the realisation of cyber-safe cooperative automotive systems. Accordingly, proposed frameworks for the resilience of connected vehicles cannot be just about robustness and response to component failure or malfunction, but need to also address security and trust of the software systems.

Some of the research problems being tackled include end-to-end secure firmware and software updates; telematics; infotainment delivery for connected vehicles; secure, trusted cooperation and decision-making for connected vehicle applications; strong authentication technologies; reduction of the risk of data tampering; identity counterfeiting; and sensitive information disclosure from side-channel attacks.

Researchers at the IISRI at Deakin University offer a unique capability for developing and deploying trusted AI solutions, with industry and government, in safety-critical applications or human-rich environments. Examples include medical diagnosis, autonomous vehicles and cyber security systems. Fully trusting AI models and their decisions can lead to catastrophes in these applications, as AI models often do not know what they do not know. IISRI researchers have developed systems and processes to systematically gauge the confidence of AI models when making decisions. One mechanism is to use predictive uncertainty estimates during the inference time, carrying valuable and critical information about the trustworthiness of the predictions (decisions) generated by the AI model. Quantified underlying uncertainties are automatically applied for screening all predictions and flagging any potential erroneous ones. Flagged cases are then treated with extra caution, depending on the application field, and could require getting a second opinion in medical diagnosis, reducing speed and notifying the driver in autonomous vehicles, or quarantining an email message in cyber security systems.

SECURING SUPPLY CHAINS, TRANSPORT AND LOGISTICS FOR THE FUTURE

Modern supply chains have faced unprecedented stress in a sector that was already experiencing transformational change. Now that the Australian Government has classified supply chains as critical infrastructure, there will be even more focus on building resilient systems and networks. Deakin’s multidisciplinary CSCL works with companies and governments to respond to the current complexities, and build supply chain resilience and capability for a more secure future. This includes:
• mapping multimodal container and freight movements across Australia’s port hinterlands in Melbourne, Sydney, Brisbane, Adelaide and Perth
• undertaking multimodal supply chain logistics assessments and reviewing the contestability between regions
• undertaking scenario planning to better understand the recent freight and logistics failures as we transition to the ‘new normal’, and ensure sustainability in the future
• working with the Victorian Rail Track Corporation on a range of future transport initiatives for Victoria
• developing an industry-led program to deliver end-to-end traceability in Australian food and agribusiness supply chains.

FUTURE OF INDUSTRIAL CONTROL SYSTEMS AND THE IOT DEVICES IN ENERGY SYSTEMS

Deakin is at the forefront of researchers developing new technologies, processes and systems to secure the underlying control systems and Internet of Things (IoT) devices used in critical infrastructure, such as energy generation and distribution. Securing this infrastructure is critical to maintain community trust, and to ensure energy market integrity and widespread adoption of hydrogen and renewables in Australia. Two key projects are:
• Hycel Technology Hub – Deakin’s response to the Commonwealth Government’s 2019 National Hydrogen Strategy. A hydrogen hub located on Deakin’s Warrnambool campus, Hycel is dedicated to applications for hydrogen, rather than the production of hydrogen. Through demand-driven research and industry partnerships, Hycel aims to ready Australian industries and communities for the hydrogen economy and is targeting two of the biggest decarbonisation challenges in the Australian economy – heavy transport and reticulated gas. The development of safe, standardised and scalable solutions to these challenges equals vast cost and emissions savings to all sectors reliant on our country’s freight and trucking network, as well as industries, communities and households utilising natural gas.
• Microgrid – in partnership with AusNet Services and Mondo Power, Deakin completed the build of its $23-million, 7.25-megawatt renewable energy microgrid in October 2020. Located on Deakin’s Geelong Waurn Ponds campus, the microgrid is built ‘behind the meter’, feeding directly into the campus network. A seven-megawatt solar farm, two-megawatt-hour battery storage system – located on 14 hectares at the rear of the campus – and an additional 0.25-megawatt solar generation and battery storage system have been installed on existing campus buildings. This asset provides research and teaching opportunities to Deakin researchers and students, as well as community education and commercial opportunities with industry and participation in the energy market. The microgrid is integral to Deakin’s path to carbon neutrality by 2025.

ONLY A HOLISTIC APPROACH CAN SOLVE THE CYBER CHALLENGE

The only way to tackle the cyber security challenges we face today is to take a holistic approach, leveraging the skills and capabilities of a trusted research partner with a multidisciplinary team of experts in cyber security, AI, transport and logistics, energy, business, law, regulation, policy and human behaviour. Working together across government, industry and community, we can make a difference to protect Australians.

Contributors: Professor Saeid Nahavandi, Pro Vice-Chancellor (Defence Technologies) and Director, Institute for Intelligent Systems Research and Innovation; Dr Hermione Parsons, Industry Professor and Director, Centre for Supply Chain and Logistics; Dr Adrian Panow, Director, Deakin Energy. For more information, visit www.cybercentre.org.au.
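The uncertainty-screening mechanism described above (estimate how sure the model is at inference time, then flag uncertain decisions for extra caution) can be shown with a small self-contained classifier. The following is an added example, not IISRI's or Deakin's code: it assumes a bootstrap ensemble of nearest-centroid classifiers over constructed two-dimensional feature vectors, turns each member's distance margin into a class probability with an assumed SHARPNESS constant, and uses the entropy of the averaged probability as the uncertainty estimate with an assumed 0.5-bit flagging threshold.

```python
"""Screening AI decisions by predictive uncertainty.

Added illustration of the mechanism the Deakin text describes; it is not
IISRI's code. The model, the data points, SHARPNESS and the entropy
threshold are all constructed assumptions.
"""
import math
import random

# Constructed training data: ([feature1, feature2], label). Think of an email
# classifier with features such as link density and urgency score; label 1 = malicious.
TRAIN = [
    ([0.10, 0.20], 0), ([0.20, 0.10], 0), ([0.15, 0.30], 0), ([0.30, 0.20], 0),
    ([0.80, 0.90], 1), ([0.90, 0.70], 1), ([0.85, 0.80], 1), ([0.70, 0.90], 1),
]
SHARPNESS = 10.0  # assumed: how quickly a member's confidence grows with the distance margin


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centroids(data):
    """Per-class mean feature vector of a (re)sample."""
    sums, counts = {}, {}
    for x, y in data:
        s = sums.setdefault(y, [0.0] * len(x))
        counts[y] = counts.get(y, 0) + 1
        for i, v in enumerate(x):
            s[i] += v
    return {y: [v / counts[y] for v in s] for y, s in sums.items()}


def train_ensemble(data, n_members=25, seed=7):
    """Bootstrap-resample the data n_members times; each member is a centroid pair."""
    rng = random.Random(seed)
    members = []
    while len(members) < n_members:
        sample = [rng.choice(data) for _ in data]
        c = centroids(sample)
        if len(c) == 2:            # skip resamples that lost a class entirely
            members.append(c)
    return members


def member_prob(cents, x):
    """One member's P(label = 1): logistic in the distance margin between the two centroids."""
    margin = _dist(cents[1], x) - _dist(cents[0], x)
    return 1.0 / (1.0 + math.exp(SHARPNESS * margin))


def predict_with_uncertainty(members, x):
    """Ensemble-averaged probability, the chosen label, and the predictive entropy (bits)."""
    p1 = sum(member_prob(c, x) for c in members) / len(members)
    probs = {0: 1.0 - p1, 1: p1}
    # 0 bits when the ensemble is certain, 1 bit when it is split 50/50.
    entropy = -sum(p * math.log2(p) for p in probs.values() if p > 0)
    label = max(probs, key=probs.get)
    return label, probs[label], entropy


def screen(members, x, max_entropy=0.5):
    """Decision plus a flag; flagged cases go to the second-opinion / quarantine path."""
    label, conf, ent = predict_with_uncertainty(members, x)
    return {"label": label, "confidence": round(conf, 3),
            "entropy": round(ent, 3), "flagged": ent > max_entropy}


if __name__ == "__main__":
    ens = train_ensemble(TRAIN)
    for x in ([0.10, 0.20], [0.50, 0.50], [0.90, 0.80]):
        print(x, screen(ens, x))
```

The point is not the classifier but the second output: a clearly benign or clearly malicious point is decided with near-zero entropy, while the midway point gets a label too, yet with entropy close to one bit, so the screening step sends it for a second opinion instead of acting on it.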

PROTECTION AGAINST CYBERASSAULTS
PROTECTING COMPANY INFORMATION

Understanding your cybersecurity risk

Cybersecurity is an issue for every organization across the world, regardless of size or focus. Over the past decade it has moved from a technical specialism to a mainstream concern for individuals, businesses and government.

Despite this, many organizations are still not doing enough to protect themselves. According to a 2019 cybersecurity study conducted by IBM, which surveyed more than 3,600 security and IT professionals from around the world, three-quarters of businesses do not have a plan in place to respond to a cybersecurity incident.

Also, a significant proportion (45%) of companies that do have such a process in place don’t test it regularly, or even at all, making it impossible to keep up to date and exposing vulnerabilities in a fast-moving environment. This is no longer just an issue for IT professionals – in today’s world, all organizations and their employees must take responsibility for digital security.

So, what are the key areas of cybersecurity risk for most companies, and which standards can help organizations address them?

From the biggest government department shielding critical infrastructure 24 hours a day, to a microbusiness looking after its customer data, the right awareness and knowledge is needed to guide everyone in the workplace. The most effective way to improve cybersecurity is by using internationally recognized standards to introduce processes which protect against both deliberate and chance incidents.

Standards help companies improve their cybersecurity levels in a number of ways – from informing new processes to shield your company to delivering more effective employee training, as well as introducing better data protection and assisting with legislative compliance.

Human error

Recent research puts human error as one of the top causes of cybersecurity incidents. Criminals know to exploit individuals, rather than systems, because they understand just how vulnerable busy, distracted people can be – especially those who might not have cybersecurity front of mind.

However, standards put security-awareness training at the forefront to help strengthen your cybersecurity chain, empowering employees to become a ‘human firewall’. Using phishing simulations and knowledge assessment, organizations can accurately assess specific training requirements, and current risk – ideally at the individual user level. Using this as a baseline, companies should then tailor plans to an employee’s needs. The information security standard ISO/IEC 27001 helps companies create and structure training in accordance with international best practices, as well as define responsibilities and protocols in the event of a breach.

As a leading business improvement partner, we work with organizations to both understand their development needs and provide training programmes to help enhance business performance. Visit our website to see our training courses.

Data privacy

Every organization, public or private, runs on data – its own and that relating to its employees and partners, as well as customer or user data. With new information generated every second, it’s imperative to stay in control of how it’s stored, who can access it and how it’s managed.

Also, with GDPR now firmly in place, the financial consequences for a significant data breach are very serious – not to mention the potential reputational damage. Businesses can use ISO/IEC 27001 to implement an overarching information security management system, while ISO/IEC 27701 focuses on improved privacy controls.

Cloud security

Cloud computing is another area which has transformed the way that most organizations store data, in just a few years. Although many businesses initially felt cautious about transferring critical data and functionality to the cloud, it has now become commonplace, with standards playing a key supportive role.

There are a number of standards that help organizations make the right choices when selecting cloud service providers, and then control the resulting storage arrangements. One of the most relevant is ISO/IEC 27017:2015 which outlines guidelines for information security controls around the provision and use of cloud services – covering implementation as well as management processes.

Bring your own device (BYOD)

With the rise of flexible and home-based working, many more employees are working remotely as opposed to gathering in a single location. A lot of companies use a bring your own device (BYOD) system which sees staff using personal mobile devices for work activities. Although this can improve efficiency it also adds a layer of risk, since these devices are connected to corporate networks.

Employee awareness and understanding of BYOD security responsibilities are critical to organizational risk. Creating a clear policy for all staff, in line with ISO/IEC 27001 requirements, is the best way to mitigate security risks associated with BYOD arrangements. We also recommend referring to ISO/IEC 38500 which provides guidance for IT governance.

Work with us to manage data with confidence, strengthen your information governance and safeguard your critical infrastructure. You can get copies of every standard in our shop. Get in touch with our experts today.

Relevant standards:
• BS 31111 – Cyber risk and resilience. Guidance for the governing body and executive management
• ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements
• ISO/IEC 27002 – Information technology – Security techniques – Code of practice for information security controls
• ISO/IEC 27003 – Information technology – Security techniques – Information security management system implementation guidance
• ISO/IEC 27005 – Information technology – Security techniques – Information security risk management
• ISO/IEC 27032 – Information technology – Security techniques – Guidelines for cybersecurity
• ISO/IEC 27033 – Information technology – Security techniques – Network security
• ISO/IEC 27034 – Information technology – Security techniques – Application security

DATA MANAGEMENT AND CLOUD STORAGE
• ISO/IEC 27701 – Privacy Information Management – Security techniques. Extension to ISO/IEC 27001 and ISO/IEC 27002. Requirements.
• ISO/IEC 27017 – Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services

bsigroup.com/en-au 1300 730 134


IoT in the post-COVID-19 world

BY DAVID BRAUE

Internet of Things may promise faster post-COVID-19 recovery, but its risks are real.

It has been four years since Mirai malware took over tens of thousands of Internet of Things (IoT) devices to launch waves of distributed denial-of-service (DDoS) attacks that took down large swathes of the internet. The compromise marked the beginning of a new chapter in the evolution of IoT devices, but proof of their vulnerability hardly stopped their heady growth rate.

Indeed, recent IDC figures suggest that while IoT installations may ease slightly this year due to the disruption of the COVID-19 pandemic, growth will return to double digits next year.

‘IoT will be a key “return to growth” accelerator, with selected use cases being safe bets for end users to focus on in order to reach a new level of automation, remote everywhere experience, and hyperconnectivity,’ says Andrea Siviero, IDC Associate Research Director with IDC’s Customer Insights & Analysis group.

Many of these use cases will revolve around planned deployment of IoT remote sensors, connected devices, flexible industrial-control systems, and other devices that will be interconnected using low-powered wide-area networks (LPWANs) or emerging 5G networks.

An IDC survey earlier this year found that 44 per cent of Australian businesses have already implemented IoT devices – most frequently as a way of solving specific business problems and improving productivity, both internally and for customers.

IoT promises cost-effective solutions for many applications – Sydney Water, for one, recently moved to push thousands of IoT sensors into the field after early trials of 1500 devices showed that they were highly effective at improving detection and remediation of service issues.

A GROWING THREAT CLIMATE

For all their promise, IoT devices also pose a significant security threat that must be remediated – and COVID-19’s disruption has made the threat even more challenging.

In a recent Extreme Networks survey, seven out of 10 surveyed IT executives said that they were aware of successful or attempted hacks against IoT devices on their networks – and nine out of 10 said that they were not confident that their networks are secured against attacks or breaches.

Mass home working has expanded the enterprise threat surface, forcing chief information security officers to consider the implications of granting increasingly open access to remote employees whose homes have routers, intelligent voice assistants, family computers, smart lighting systems, smart watches, surveillance cameras, set-top boxes and myriad other devices.

Each has become a potential point of ingress into the corporate networks of those employees – and rapidly growing numbers of devices threaten to be overwhelming.

A recent analysis by cloud-security firm Zscaler, for one, flagged a 1500 per cent increase in IoT transactions passing through its service between May 2019 and February 2020 – surging to more than one billion transactions per month, generated by 553 different IoT devices from 212 different manufacturers.

This growth was led by manufacturing and retail companies, with 83 per cent of the data transmitted by IoT devices being transmitted in insecure plaintext. The company blocked 14,000 IoT-based malware attempts per month – up sevenfold since May 2019 – including a steady stream of new IoT exploits capitalising on vulnerabilities in networked IoT devices.

Security firm ExtraHop saw similarly dizzying growth in IoT adoption, with its Connected Devices During COVID-19 security report noting the number of device connections surging by 89 per cent between November 2019 and March 2020. This included a 47 per cent increase in the number of connected IP cameras, a 15 per cent growth in the amount of networked storage, and a nine per cent increase in the number of connected network routers.

IOT SECURITY A BEAUTIFUL MIRAGE

Each IoT manufacturer and device typically uses a combination of core technologies – often sourced from other providers – and software and hardware customisation that makes it hard for corporate security specialists to know exactly what vulnerabilities are being added to their environment, and how to patch them.

This year’s Ripple20 attack, which followed Mirai’s lead by compromising large numbers of devices, confirmed that the IoT industry still has a long way to go to improve its security.

A combination of 19 different vulnerabilities bundled into a module that exploits flaws in a TCP/IP library from Treck used in hundreds of millions of IoT devices, Ripple20 was notable for both the breadth of its capabilities and the extent to which it was able to compromise office equipment, industrial control systems and even connected medical equipment at Fortune 500 powerhouses like HP, Intel, Caterpillar, Baxter, and many others.

Israeli security researchers at JSOF, which first identified the weaknesses that Ripple20 exploited, have worked closely with IoT manufacturers to address identified vulnerabilities – but with many IoT devices unlikely to be patched in the field, there is still a yawning gap in time between a device’s sale and its eventual remediation.

That gap represents a clear and present danger for every organisation that has built IoT devices into their IT strategy – and that means most of us.

PLAN YOUR IOT NOW SO YOU HAVE A FUTURE

Financially proven use cases will prove tempting as the world economy pivots around COVID-19, with companies seeking quick wins to drive economic recovery.

Despite the apparent benefits, security strategists cannot hide from the fact that a clear IoT security strategy is critical to every organisation’s overall security posture.

Focusing too much on benefits and ignoring the risks could be a recipe for disaster – especially since many IoT devices are rolled out by individuals or small project groups with little or no oversight by central IT organisations.

Such ‘shadow IoT’ poses many of the same threats associated with bring-your-own-device (BYOD) programs in their early days – lack of control, lack of visibility, and lack of any way to proactively remediate potential threats before they become real.

The need to build an adaptive, proactive security environment that can cope with IoT’s changing exposure will drive many security executives to embrace ‘zero trust’ models that assume connected devices must not be trusted unless proven otherwise.

Zero-trust security frameworks will be crucial in preserving organisational security despite the widespread dispersion of employee devices and operational technology – as has become commonplace in the COVID-19 era.

IoT vendors are continuing to explore ways of providing better coordination between IoT components, devices, applications, and consumers, while researchers are doing their part to invent new ways to rein in the security threat that IoT is creating.

A team of University of New South Wales researchers, for one, recently secured $1.3 million in funding for an artificial intelligence–based IoT security platform, called CyAmast, that examines data packets for telltale threat signatures.

Devices are profiled for normal operation and deviations from this normal immediately raise flags, allowing security systems to quarantine the devices from the network to prevent inadvertent damage from a compromise.

Such systems are likely to become more common as businesses come to realise that it’s no longer adequate to rely on IoT manufacturers’ security. By adapting security strategies to this reality and treating all IoT devices as potentially hostile, businesses can keep IoT devices at arm’s length – and provide the service assurance that their business requires. •

CONTENT PROVIDED BY MIMECAST

Cyber security in a hybrid work environment

BY GARRETT O’HARA, PRINCIPAL TECHNOLOGY CONSULTANT, MIMECAST ANZ

THE RECENT SPATE of data breaches and reputational damages to companies globally is driving business leaders to review and overhaul their cyber security practices. Cyber security is of vital importance, particularly when viewed through the lens of the current COVID-19 business conditions.

Given the current economic conditions, the last thing any organisation needs is a security breach. Many employees are working remotely indefinitely, and, according to the Australian Bureau of Statistics, a quarter of Australians would like to continue this work trend after COVID-19 restrictions lift. Yet many organisations are carrying on without the normal security protections that enterprise networks need, as the ‘perimeter’ dissolves due to a largely remote workforce. Additionally, many businesses still haven’t adapted their cyber security awareness, training and education practices to accommodate these changing workplace conditions.

This state of affairs is leaving employees and organisations wide-open to attacks and breaches.

THE HYBRID WORKFORCE

We’re all hopeful for an end to the current pandemic, but remote-working practices and a hybrid work environment model will be here for the foreseeable future. As employees start returning to work, will they be walking through the door with compromised devices? Do businesses have the right checks and balances to ensure that cyber security hygiene is top of mind?

Our Mimecast threat intelligence team analysed some of the most pervasive threats during the first wave of the pandemic in our ‘100 Days of Coronavirus’ report. The report revealed a huge surge in coronavirus-themed phishing and other malicious activity as attackers took advantage of people’s shift to remote working, the lockdown and people’s desire for information. The Mimecast Threat Intelligence Centre noted that attackers have spoofed websites belonging to COVID-19 monikers, as well as major retail brand websites, in attempts to steal from unsuspecting panic buyers as they look to purchase necessities online. Cyber security awareness training is key now more than ever.

To date, no matter the industry you work in, employee cyber behaviour still needs to dramatically change to show an increased understanding of – and alertness to – cyber security threats. In most organisations, the cyber culture simply isn’t top of mind. In our recent APAC study with Forrester Consulting, titled ‘Don’t Just Educate: Create Cybersafe Behaviour’, we surveyed 20 industry sectors including government, health care, legal, marketing, energy, telecommunications, transport and logistics. We found that more than 30 per cent of security training attendees still admit to going around security policies. This means that despite some employees doing the right thing and supporting security best practices, the overall security of an organisation is still being undermined by the staff who aren’t following procedures.

With the rapid shift to remote working, and security and IT teams scrambling to vet collaboration platforms, many employees are working around security with shadow IT to get their jobs done.

THE TWO TS

What is the solution? The answer lies in the two Ts – training and technology. These reflect the fundamental truth that human error is in our nature.

Protecting remote workers usually starts as a technology discussion. We surveyed Australian businesses and found that many companies are using at least one solution to stop malicious emails reaching remote workers. More than three-quarters of respondents reported the use of email filtering and URL scanning. Many block or quarantine suspected impersonation emails and scan inbound emails for tricks, such as domain or sender spoofing.

So where does the problem lie? Whether it’s following a link, not patching the hardware or software, or not creating a robust framework, humans are involved. It is widely reported that human error and social engineering account for 90 per cent of all data and security breaches. By implementing a robust training process, you will enhance the presence of the ‘human firewall’, adding greatly to a layered security strategy within your organisation.

It’s worth noting that the best-protected companies also make cyber security awareness training a regular event, not just a way to tick the box in terms of compliance. The old models of cyber awareness and training simply don’t work. As such, it’s vital to take steps – now more than ever – to lower your risk of succumbing to cyber threats by changing attitudes from the top to the bottom.

As a result, any security awareness training programs must cut through the noise of your employees’ busy lives and you must tailor programs to your intended audience – the humans within your company. There is little point in telling your employees what to do and how to do it. Instead, the training programs should focus on the people, and on developing behavioural changes and providing employees with the right tools to help that behaviour change stick.

The first step is to make sure that senior leadership rallies behind it to create commitment for a strong and lasting cyber security program, as behavioural changes in a company always start at the top. Be persistent, as it’s been found that conducting training in short monthly bursts works best. Make sure that the training is engaging and fun, and keep the sessions short and sharp. If you can’t get your point across in three to five minutes, then you are missing the mark. •

To find out how your organisation can combine training, education and technology to create a safer workforce, visit https://info.mimecast.com/work_from_anywhere.html.


CONTENT PROVIDED BY PwC AUSTRALIA
PwC's Digital Trust Insights 2021: The need for cyber resilience

COVID-19 HAS CHANGED the way people work with employers, with employees embracing work-from-home models. In response, organisations are accelerating their digital transformation plans. With this backdrop, PwC's Digital Trust Insights 2021 report surveyed 3249 business and technology executives around the world to find out what this will mean for cyber security.

With only 19 per cent of Australian respondents saying that their staff are fully on site, it is understandable that organisations are digitising their operations at speed: 39 per cent say that they accelerated plans in response to COVID-19. Yet, for Australian businesses, digital ambitions have been set much higher than simply 'making do', with the majority citing their reasons for transformation as being to modernise or access new capabilities, or to redefine their organisation and business model. Compared to global averages, far fewer businesses are undertaking transformation purely for efficiency.

Figure 1. COVID-19 changes

The speed of this change brings new risks, and cyber security measures need to keep in step. Nearly all respondents in Australia say that they are planning to shift their cyber security strategy due to COVID-19. In fact, 60 per cent reported an intent to bake cyber security and privacy implications into every business decision or plan.

They will need to, because 2020 has also seen a surge in intrusions, ransomware, data breaches and phishing attempts across the globe.1 In response, businesses are shoring up their defences. Forty-five per cent of Australian cyber executives say that they will increase resilience testing to ensure that critical business functions remain up and running in the event of an incident.

More than half of the global cohort say that they plan to add full-time cyber security personnel, though Australian executives see far less hiring on the cards. The top roles they want to fill? Security intelligence, cloud solutions architects and analytical skills. Problematically, cloud security and security analysts are among the roles in shortest supply.2 Hiring managers face tough competition in the labour market, and globally, some 3.5 million cyber security jobs are expected to go unfilled in 2021.3

Figure 2. Hiring skills

Enterprises feeling the pinch of this skills gap may find such talent in their own backyards, with many turning to hiring from within, offering upskilling to increase employee competencies. And if hiring isn't likely (or able) to be substantial, upskilling will have to fill in the gaps to ensure that organisations can build the resilience they need to ensure stability. •

For more articles on digital transformation, visit www.pwc.com/digitalpulse. For more from the Digital Trust Insights report, visit www.pwc.com.au/digitaltrustinsights.

1 https://ia.acs.org.au/article/2020/cyber-attacks-have-peaked-in-2020.html
2 https://www.csoonline.com/article/3571734/the-cybersecurity-skills-shortage-is-getting-worse.html
3 https://cybersecurityventures.com/jobs/


How can we keep your business and our economy protected? By creating solutions together.

Every day across the globe, PwC works together with business leaders, governments, regulators and our own researchers to understand and protect businesses and society from the critical cybersecurity threats we all face. We translate our deep understanding of the threats and risks on the security frontline and within emerging technology into meaningful insights that work for your business. By creating solutions together to safeguard your organisation, you can pursue new opportunities and ensure your business isn't just protected, but thrives.

www.pwc.com.au/cybersecurity

© 2020 PricewaterhouseCoopers. All rights reserved.

Ransomware hits no longer an acceptable risk
BY DAVID BRAUE

As companies and insurers get more clarity around the cost of a data breach, business executives face stronger obligations to invest in breach avoidance.

It is telling to note that Australia's insurance companies have been among the most fastidious chroniclers of data breaches in this country. In recent years, running lists from the likes of Business Insurance Specialists (BIS) and Webber Insurance Services not only provide a re-minder for business leaders about the intensity of ransomware and other malware compromises, but they also make it clear that insurers are now deeply interested in the financial risks associated with a potential data breach.

The dramatic disruption of education, government and business services throughout the COVID-19 pandemic has provided more than enough learning examples, and scrolling through the insurers' lists is a reminder of just how real a risk malware continues to pose for the ongoing operation of Australian businesses.

In recent months, ransomware compromises have created major issues for firms such as Canon, cruise operator Carnival Corporation, fitness brand Garmin, drinks maker Lion, appliance manufacturer Fisher & Paykel, retailer IN SPORT, manufacturer BlueScope Steel, aged-care provider Regis, and others.

If it seems like you've been hearing more about ransomware attacks recently, you're not imagining it; ransomware attacks are up 10 per cent in Australia since the beginning of the COVID-19 pandemic and 20 per cent worldwide, according to security firm Avast.

Business consultancies report surges in contacts from companies asking for help preventing attacks or recovering after being hit. This has led to an explosion of advice from firms like KPMG, which have recommended that business and security leaders proactively work together to review their incident response plans and consider how these might be impacted by physical lockdowns.

Companies should weigh the potential operational impact of having key systems, such as remote-access tools or collaboration platforms, brought offline due to a ransomware strike. They must also consider issues such as the logistics of replacing and cleaning devices from afflicted remote workers, plan recovery sequences to get afflicted servers back up and running, develop a formal policy about whether to pay ransoms or not, and weigh up strategies for managing the impact of business services that may be offline for weeks.

THE REAL COST OF A BREACH
Business interruption is only one of the potential consequences of a ransomware attack, with the likes of Canon and Lion scrambling to recover after terabytes of data were leaked online when they refused to pay the demanded ransom. IOOF subsidiary RI Advice Group faced a different sort of consequence when its failure to secure company data facilitated repeated hacks, and the wrath of targeted ASIC action.

The growing body of experiences has opened insurers' eyes to the potential impact of ransomware and other cyber attacks, which were painted in stark relief when myriad multinational operators found their cyber security insurance coverage to be inadequate for cleaning up in the wake of 2017's WannaCry and NotPetya attacks.

Mountains of new data have painted a much clearer picture of the risks not only from the immediate compromise, but also from the aftermath of a ransomware attack. That clarity is crucial in shaping businesses' security response, with the overall cost of Australian data breaches increasing by around 10 per cent annually for the past three years, says IBM X-Force Incident Response & Intelligence Services lead Stephen Burmeister. 'It's not just that this is an anomaly or that we had a bad year – it's a trend,' he adds.

The average Australian data breach now costs $3.35 million, the Ponemon Institute-IBM Security Cost of a Data Breach Report 2020 found, with data breach losses by Australian companies lower than the global average of $5.2 million (US$3.9 million) but increasing faster than global averages. Costs per record increased by 3.8 per cent year on year, with breaches now costing $163 per record on average. Furthermore, Australian companies were, on average, taking longer than the global average (296 days, compared to 280 days) to identify and respond to data breaches.

Costs in companies that had not introduced security automation were much higher than those that had, an average $8.2 million (US$6.03 million) versus $3.3 million (US$2.45 million), suggesting that investment in automated security response and threat-intelligence tools was already paying off by reducing companies' financial exposure to security compromise.

This demonstrable difference had made security automation 'a huge game changer', Burmeister explains. 'One of the key things we have noted in the report is the growing cost of the divide and the cost of a breach if you do have something versus not having something. More than half of the cost of a breach is saved just by having something like security automation in place,' he explains.

Other security habits that organisations can adopt to reduce the potential impact of breaches include the creation of incident response teams and regular testing of company incident response plans.

Forming an incident response team shaved an average $557,000 off the cost of an Australian data breach, while regular incident response testing cut $499,000 and the use of artificial intelligence (AI)-based automation tools. Conversely, data breach costs increased in companies with complex security systems ($488,000 on average), compliance failures ($387,000) and third-party breaches ($366,000).

PUTTING A NUMBER ON ACCEPTABLE RISK
With a local premium pool estimated by Aon Australia at just $60 million in 2018, the growth of ransomware this year has increased the likelihood that a strong hit by cybercriminals could translate into a sizeable cyber insurance claim.

In the cold, hard vocabulary of actuarial science, this growing body of data breach evidence inevitably translates into higher premiums, more exclusions, and a broader set of expectations placed on businesses to proactively prevent breaches that carry sizeable potential risks for cyber insurers.

Growing clarity about the nature and cost of cyber security breaches, as well as the specific factors that increase or decrease overall costs, is likely to help guide these expectations, with insurers pushing to adjust companies' security practices by, for example, offering premium rebates for the implementation of AI-based automation.

With company directors already facing increasing pressure to address cyber security risks through dictates such as APRA's Prudential Standard CPS 234, which threatens financial penalties for directors that fail to properly secure their company data, security executives can use the increasing clarity around data breach costs to support business cases arguing for increased spending on particular cyber security areas.

Given the ongoing losses to business email compromise (BEC), the particular form of fraud that relies on social engineering rather than malware to manipulate well-meaning employees into sending large sums of money to pay non-existent invoices or redirect holding deposits for capital equipment, companies would also be well advised to ensure that their security spend includes AI-based solutions specifically designed to parse incoming emails for the telltale language and sender anomalies of a BEC attack.

Australian companies reported losing $132 million to BEC scams in 2019 alone, according to the ACCC's Scamwatch service, and those losses may be hard to claw back from insurers, which are more likely to point to a lack of appropriate internal financial controls than to simply pay up with a smile.

Ransomware has become big business for attackers, and its proven success has emboldened them to try newer and more daring attacks that many companies simply can't prevent until it's too late. By taking the right steps in advance, however, security executives can ensure that their companies are prepared for the worst, and have the best possible chance of minimising their company's exposure to the depredations of online cybercriminals. •
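The 'parse incoming emails for telltale language' idea in this section, together with the Mimecast article's point about scanning inbound mail for domain and sender spoofing, comes down to a small set of checks that can run on every message before it reaches a finance inbox. The Python below is an added example written for this page, not code from Mimecast, IBM or any product mentioned above: it scores a parsed message on display-name impersonation of a named executive, lookalike (edit-distance or homoglyph) sender domains, a Reply-To domain that differs from From, and payment-redirection or urgency phrases. The organisation profile (example.com.au, the executive names) and the four sample messages are constructed for the example.

```python
"""Heuristic scoring of inbound mail for BEC and sender-impersonation signals."""
import re
from email.utils import parseaddr

# Hypothetical organisation profile (assumed for this example): the domains the
# company really sends from, and the executives whose names attackers would borrow.
TRUSTED_DOMAINS = ("example.com.au", "example.com")
EXECUTIVES = {"Jane Citizen", "Mark Chen"}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
QUARANTINE_THRESHOLD = 3

# Phrases that recur in invoice-redirection and urgent-payment lures.
LURE_PATTERNS = [
    r"\b(new|updated|changed) (bank|account|payment) details\b",
    r"\bwire transfer\b",
    r"\burgent(ly)?\b",
    r"\bbefore (close of business|end of day|cob)\b",
    r"\b(keep this|strictly) confidential\b",
    r"\bcan'?t (take|receive) calls\b",
]


def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 edits from a trusted domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain):
    """Fold substitutions that look identical in many fonts (rn->m, vv->w, 0->o, 1->l)."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(src, dst)
    return d


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(msg):
    """Return (score, reasons) for a dict with from, reply_to, subject and body.

    Exact spoofing of a trusted domain is left to SPF/DKIM/DMARC at the gateway;
    this scorer targets mail that passes authentication but still impersonates."""
    reasons = []
    display, addr = parseaddr(msg.get("from", ""))
    from_dom = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("reply_to") or "")
    reply_dom = domain_of(reply_addr)

    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if fold_homoglyphs(from_dom) == trusted or 0 < edit_distance(from_dom, trusted) <= 2:
                reasons.append(f"lookalike sender domain {from_dom} ~ {trusted}")
                break
        if display.strip() in EXECUTIVES:
            reasons.append(f"executive name '{display}' on external domain {from_dom}")
            if from_dom in FREE_WEBMAIL:
                reasons.append("executive name on free webmail account")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}".lower()
    hits = [p for p in LURE_PATTERNS if re.search(p, text)]
    if hits:
        reasons.append(f"{len(hits)} payment/urgency lure phrase(s)")
    score = len(reasons) + (1 if len(hits) >= 2 else 0)
    return score, reasons


# Constructed sample messages (not real mail): a clean internal note, a CEO-fraud lure
# from free webmail, an invoice redirection from a homoglyph domain with a foreign
# Reply-To, and an ordinary supplier invoice that must not be flagged.
SAMPLES = [
    {"from": "Jane Citizen <jane.citizen@example.com.au>", "subject": "Board pack",
     "body": "Attached is the pack for Thursday."},
    {"from": "Jane Citizen <jane.citizen.ceo@gmail.com>", "subject": "Quick favour",
     "body": "Are you at your desk? I need a wire transfer processed urgently before "
             "close of business. I can't take calls right now."},
    {"from": "Accounts Payable <ap@exarnple.com.au>", "reply_to": "ap.desk@mail.ru",
     "subject": "Updated bank details for invoice 4471",
     "body": "Please note our new bank details for all future payments."},
    {"from": "Bob Vendor <bob@vendor-supplies.com>", "subject": "Invoice 4471",
     "body": "Please find attached invoice 4471, due in 30 days."},
]


def triage(messages=SAMPLES):
    """Map each subject to (score, quarantine?) so the decision can be logged or tested."""
    results = {}
    for m in messages:
        score, _ = score_message(m)
        results[m["subject"]] = (score, score >= QUARANTINE_THRESHOLD)
    return results
```

A score at or above the threshold is a quarantine-for-review decision, not a verdict; the phrase list and the two-edit cut-off are starting points to be tuned against real traffic, and a lookalike domain that is also a legitimate supplier will need an allow-list. Exact spoofing of your own domain is deliberately out of scope, because SPF, DKIM and DMARC alignment at the gateway should already reject it; this scorer is for the mail that passes authentication and still impersonates.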

Quantum Qubit

Is it safe? Is it safe? Is it safe? BY SIMON GALBALLY, SENETAS

From cyber threat to history’s greatest cyber security threat.

Who could forget the 1976 suspense-thriller Marathon Man? Not only did it give a generation phobias around visiting their dentists, but it also coined the shuddering phrase 'Is it safe? Is it safe? Is it safe?', as the Nazi war criminal (Laurence Olivier) interrogated the unsuspecting postgraduate student (Dustin Hoffman).

Today, we must ask 'Is our data safe? Will our data be safe tomorrow? How will it be quantum-safe?'

Today, while businesses and governments continue to wrestle with cyber resilience, the biggest threat lies in one word: quantum.

Australian businesses and government agencies have been warned about increasingly frequent and sophisticated attacks by cybercriminals, rogue states and other bad actors. Yet successful data breaches, malware, ransomware and other damaging hacking attacks continue to increase despite cyber security technology developments. From encryption of network data and data at rest, to anti-malware and mobile security solutions, to firewall and endpoint security, hacking and other attacks continue to breach and exploit millions of records. Whether breaches involve citizen identity, financial and health records, sovereign Australian intellectual property and defence secrets, or scientific and medical research data, the economic costs and long-term harm caused are enormous.


TODAY – CYBER RESILIENCE AND SOVEREIGNTY
The Australian Government, the Australian Signals Directorate and cyber security agencies have recognised and publicised the increasing threats to the economy, businesses and national security, at all levels of government and business, by bad actors and, notably, those that are state sponsored. They highlight the increasing sophistication and frequency of cyber attacks.

Hence, cyber resilience and sovereign cyber security solutions have become key Australian Government security themes, emphasising the need for all organisations to be resilient and to adopt sovereign Australian solutions where possible. That makes obvious sense. Just as food production, energy, defence, science and medicine are critical sovereign national capabilities, so, too, are sovereign cyber security solutions. Businesses and government agencies must have immediate access to world-class sovereign cyber security solutions without dependency on external sources.

An essential message, however, is an organisation's cyber security resilience. No longer can prevention (against hacking attacks) and protection (encryption of data, so that a breach yields nothing usable) be considered by management, IT and telecommunications, and security professionals as an add-on feature. They must be designed in from the outset.

Ultimately, in this information age, all data and cyber security issues are matters of national security. National infrastructure; the defence, science and technology sectors; financial services; all levels of government agencies; intellectual property-driven businesses; exporters; and online services are critical to our economic wellbeing. They face relentless cyber threats and successful breaches, and are all high-value targets. Whatever the intent, be it financial gain, national harm, theft of high-tech intellectual property or business disruption, these sectors' systems and data networks are exposed to multiple attack vectors, where vulnerabilities are maliciously exploited. On the horizon lies an even greater threat.

TOMORROW – QUANTUM'S GREATEST THREAT TO CYBER SECURITY
Tomorrow, businesses and governments alike face the greatest threat to cyber security in history: quantum computing. It will enable more powerful cyber attacks at blistering speeds, breaking the public-key algorithms that protect today's encrypted traffic in hours or days rather than the thousands of years a classical computer would need. When today's cyber security defences fail, encryption is the last line of defence, rendering stolen data useless in cybercriminals' unauthorised hands. That will all change in the post-quantum world, whether that is three, five or 10 years away. Data secured with today's classical public-key mathematics will no longer be secure when faced with the speed and power of quantum-mechanics-based computing. Worryingly, the fastest advances towards the first practical quantum computers are reported to be by bad state actors.

THE EVOLVING QUANTUM-THREAT LANDSCAPE
Since the 1980s, science, medicine and mathematics have sought computing power well beyond anything we know today, enabling the most complex computations and processing of enormous data volumes at lightning speed.

Fast forward to a breakthrough by MIT's Professor Peter Shor, which showed that a quantum computer can do what a classical computer can't: factor large integers and compute discrete logarithms efficiently. In short, a quantum computer could break the public-key encryption that protects data today in minutes, hours or days, rather than the thousands of years required by the most powerful classical computer.

The now famous Shor's algorithm implies that public key cryptography (RSA, Diffie–Hellman and elliptic-curve schemes, the technique used to exchange and protect encryption keys) could be broken by a sufficiently powerful quantum computer. Symmetric ciphers such as AES are affected far less, since Grover's algorithm only roughly halves the effective key length, so the immediate exposure is key exchange, digital signatures, and any stored data whose keys were exchanged with those public-key algorithms.

In 2019, Google and NASA claimed to have achieved 'quantum supremacy', solving a problem that is practically unsolvable by classical computers.

CRYPTO-AGILITY – WHEN THE STATUS QUO WON'T CUT IT
Whether a practical quantum computer arrives in three or 10 years is not the point. The critical cyber security issue is that whenever bad actors have access to 'classically encrypted' data, previously encrypted and stored as well as newly encrypted, it will cease to be safe. Traffic captured today can be decrypted later (the 'harvest now, decrypt later' risk), so data that must stay confidential beyond the arrival of a practical quantum computer is already exposed.

The solution lies in quantum-safe encryption for long-term protection of data in a post-quantum world. Essential to an organisation's future cyber resilience, quantum-safe encryption will require a standardised quantum-resistant algorithm. This is in progress: in the United States, the National Institute of Standards and Technology has short-listed evaluated candidates. Other beneficial features will be high-quality random number generation and quantum key distribution.

The bad news, however, is that few network data and data-at-rest encryption solutions offer true crypto-agility, meaning most won't be able to transition and will become redundant. Crypto-agility enables a minimal-cost, minimal-disruption transition to quantum-safe encryption. This will begin with 'hybrid encryption', where both classical and quantum-resistant algorithms are used, so that the session stays protected as long as either algorithm holds. Many current classical solutions will become redundant, however, because their base technology just won't cut it, requiring customer reinvestment in quantum-safe solutions.

Where to now? In the face of an evolving quantum computing threat landscape, today's security solutions must be crypto-agile, enabling quantum-readiness to ensure long-term data protection in a post-quantum future. •
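The 'hybrid encryption' transition described above rests on one concrete building block: a key-derivation step that takes both the classical and the quantum-resistant shared secret as input, so the session key is safe as long as either algorithm still holds. The Python below is an added example for this page, not Senetas code or a description of its products; it implements HKDF-SHA256 from RFC 5869 and a hybrid combiner on top of it. The two shared secrets are constructed stand-ins for the outputs of an ECDH exchange and a post-quantum KEM, and the suite identifier and transcript strings are assumptions chosen for the example.

```python
"""Hybrid (classical + post-quantum) session-key derivation with HKDF-SHA256."""
import hashlib
import hmac
import os

HASH_LEN = 32  # SHA-256 output size


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM); an empty salt means HashLen zeros."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i); return the first `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def hybrid_key(ss_classical, ss_pq, suite_id, transcript, length=32):
    """Combine two independently established shared secrets into one session key.

    ss_classical: shared secret from a classical exchange (e.g. X25519 ECDH).
    ss_pq:        shared secret from a post-quantum KEM decapsulation.
    suite_id:     identifier of the algorithm pair, bound into the HKDF info string so
                  that a future suite derives different keys through the same code path.
    transcript:   hash of the handshake messages, used as salt to bind the key to this session.

    Both secrets are concatenated before extraction, so an attacker who recovers only one
    of them (the classical one via Shor's algorithm, or the PQ one via a flaw in a young
    scheme) still lacks the input needed to reproduce the key."""
    if not ss_classical or not ss_pq:
        raise ValueError("hybrid derivation requires both shared secrets")
    prk = hkdf_extract(transcript, ss_classical + ss_pq)
    return hkdf_expand(prk, b"hybrid-session-key|" + suite_id, length)


if __name__ == "__main__":
    # Constructed stand-ins for the two shared secrets; a real handshake would take them
    # from the ECDH computation and the KEM decapsulation respectively.
    ss_ecdh = os.urandom(32)
    ss_kem = os.urandom(32)
    transcript = hashlib.sha256(b"client_hello|server_hello|kem_ciphertext").digest()
    key = hybrid_key(ss_ecdh, ss_kem, b"x25519+pq-kem", transcript)
    # Knowing only the classical secret (PQ secret replaced by zeros) yields an unrelated key.
    classical_only = hybrid_key(ss_ecdh, b"\x00" * 32, b"x25519+pq-kem", transcript)
    print("session key:", key.hex())
    print("unrecoverable without the PQ secret:", key != classical_only)
```

Binding the suite identifier into the info string is the crypto-agility hook: adding a new algorithm pair later means a new identifier, not a new derivation path, and old and new suites can never produce the same key from the same secrets. Test case 1 from RFC 5869 is the quick way to confirm the HKDF implementation before trusting the combiner built on it.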


Senetas encryption solutions deliver security without compromise:

SOVEREIGN CYBERSECURITY SOLUTIONS
- High-assurance, low-latency network data encryption
- Enhanced security for mobile and remote workers
- Certified secure by the world's leading independent authorities
- Patented protection against all forms of malicious content

FROM STATE-OF-THE-ART ENCRYPTION HARDWARE TO THE MOST SECURE FILE-SHARING AND COLLABORATION APPLICATION WITH 100% CONTROL OVER DATA SOVEREIGNTY.

CN Series Hardware Encryptors: Certified high-assurance encryption for core IT and communications network infrastructure.

SureDrop, Encrypted File-Sharing: Effortless file-sharing and collaboration with the benefit of end-to-end encryption security.

Senetas is an Australian public listed company (ASX:SEN) and a leading developer of high-performance encryption security solutions. Senetas solutions protect enterprise, government, defence, technology service provider and critical national infrastructure customers against data breaches and cyber-attacks. Leveraging end-to-end encryption and state-of-the-art key management, they provide long-term data protection without compromising network and application performance, or user experience.

© SENETAS CORPORATION LIMITED | WWW.SENETAS.COM | T: +61(03) 9868 4555 | E: [email protected]

Risk management in the time of pandemic

BY WARREN BLACK, MEMBER, RISK MANAGEMENT INSTITUTE OF AUSTRALASIA

COVID-19 may be the stress test that finally unmasks the myths, vulnerabilities and follies of the global risk-management discipline.

The COVID-19 pandemic is now being called the most significant global threat since World War II. The virus first emerged in late 2019, and within six months more than nine million cases had been reported in over 180 countries, resulting in more than 400,000 deaths, with no immediate end in sight. The pandemic has since led to massive socio-economic disruption, including widespread societal fear, supply shortages and economic instability.

There is no denying that COVID-19 has become the ultimate stress test for our global community, and how we respond to this pandemic will ultimately determine our species' future; yes, our chosen responses are a big deal.

Figure 1. Image: World Economic Forum

Although it is still presumably early days in our global fight against COVID-19, what is almost certain is that the pandemic is going to test the validity of the global risk-management discipline. As governments, organisations and communities worldwide grapple with both the societal and economic impacts of this pandemic threat, more and more will look towards the practising risk-management community for help in developing valid mitigations. From the theoretical to the practical, all aspects of risk-management better practice will get an opportunity to stand before the spotlight at some point during this trying time.

COVID-19 thus may very well be the high-profile case that brings long overdue credibility to the global risk-management discipline, or equally this could be the load test that completely obliterates the myth of it all. It's still too early to say for sure which way the pendulum will swing, but already we are starting to see certain anomalies emerge, which at the very least will have to be reflected on in the risk profession's post-mortem analysis of how we all dealt with the virus.

SLEEPWALKING INTO CRISIS – HOW THE GLOBAL RISK-MANAGEMENT COMMUNITY FAILED TO PLAN FOR THE INEVITABLE
For the past 15 years, the World Economic Forum (WEF) has published an annual Global Risks Report, which it releases around February. In most years, this report presents a factual, albeit cautionary, tone to highlight those big-ticket global risks that organisations need to be paying particular attention to. The February 2019 version, however, carried a significantly more sinister tone. It would seem that by 2019, the WEF had lost patience with the world's major institutions due to their perceived lack of proactivity in fronting up to our planet's most prominent threats.

'Global risks are intensifying, but the collective will to tackle them appears to be lacking,' the WEF said in 2019. At the time, the WEF appeared particularly concerned that our world's leading governments had become far too distracted by less material phenomena, such as Trump politics, Brexit and Chinese trade wars, and had subsequently taken their eyes off the high-impact threats that really mattered. The WEF argued that there was a lack of cohesion in addressing such potentially catastrophic global threats as climate change, growing economic disparity, strained natural resources and our population's increasing exposure to infectious diseases. In fact, for at least five years prior to 2019 (when it was rated number 10 for impact), the WEF had been warning of the plausibility of a mass-scale global pandemic.

The report ominously warned that despite the increased intensity of the global risk landscape, comparatively few organisations had invested in the risk-management capabilities required to respond effectively to emerging global threats; as a result, many organisations now existed in a state of self-induced vulnerability where they were 'sleepwalking into crisis'. One year later, COVID-19 brought home just how bad it was.

After decades of repeated institutional warnings of the inevitability of a mass-scale global pandemic (from the World Health Organization, WEF and UNICEF), as well as numerous dry runs and near misses (SARS and MERS), when COVID-19 did eventually come along, the only mitigation we had ready was to place billions of people under house arrest, destabilise the economy and put our children's futures at risk. There are many who now argue that the mass lockdowns and enforced social isolation

Figure 2. Source: CDC; Christina Animashaun/Vox

the world subsequently experienced indicates a systemic In its simplest explanation, our global response failure in proactive planning. That is, we were forced into is proactively trying to avoid what is referred to in these intense measures because it became too late to do probabilistic risk theory as a ‘fat tail’ – that is, an anything else. emerging threat with a relatively high probability of an Whether this is true or not is a matter for further extreme outcome (in this case, a catastrophic number discussion, but it is ominous how at the end of February of deaths). Probabilistic risk methods seek to quantify a our world leaders were still telling most of us to ‘keep range of scenario-based outcomes, such as best, median calm and carry on’, but within two weeks were all and worst case – a fat tail is o–en the most extreme suddenly demanding we ‘self-isolate, now!’ Regardless, scenario. Probabilistic risk techniques are not new, COVID-19 exposed that despite all the historical warnings, but they are contentious. The idea that we can predict when it came down to it, our governments and supporting complex and uncertain outcomes to any degree of institutions really did not have a coordinated response confidence, through some form of mathematical crystal for all of this. As a result, the WEF was right – we were ball, has been attracting debate for centuries. Regardless, all just sleepwalking towards crisis. This prompts us now there is no doubt that right now, it is the proponents of to wonder: what other major threats are we currently probabilistic risk management who have the speakers’ sleepwalking towards? podium on how to combat COVID-19. 
The keynote speaker, When everything adjusts to a new normal, the global in turn, appears to be Nassim Taleb (author of The Black risk-management discipline will have to conduct a serious Swan and Antifragile), who has long argued the need to post-mortem on exactly how it is that we all collectively aggressively mitigate fat tails by ignoring traditional cost- failed to prepare for a known, inevitable threat. Most versus-benefit analysis. importantly, however, we will need to review our An academic paper submitted by Taleb as recently as planned responses for all those other inevitable threats mid March 2020 on the ‘Systemic risk of pandemic via that are still lingering out there. novel pathogens – coronavirus’ argues that conventional deterministic risk approaches (e.g., cost versus benefit) LIES AND STATISTICS – HOW PROBABILISTIC are inadequate for dealing with an extreme fat-tailed RISK MANAGEMENT BECAME THE LOUDEST pandemic. Therefore, decision-makers need to act quickly VOICE IN DETERMINING OUR GLOBAL RESPONSE in executing an aggressive probabilistic risk strategy By mid March 2020, almost everybody had heard of our (social distancing), as ‘failing to do so will eventually cost need to ‘flatten the curve’. It was believed that by limiting us everything’. It now seems that it is the proponents travel, closing borders, quarantining communities of this line of thinking that institutions worldwide are and banning mass gatherings, we could proactively listening to in their sanctioning of social distancing and slow down the virus’s contagion rate. Social distancing, flattening the curve. The sheer speed and aggression with geographic isolation and institutional lockdowns have which social distancing has been applied in recent times since become our world’s primary response to mitigating across many countries reflects heavily on Taleb’s ‘ignore this pandemic, but what is the actual science behind this the cost and go all in’ point of view. 
approach, and how did it become the loudest voice in our Although Taleb’s fat tail argument may be theoretically global response? perfect, it is practically flawed. No real-world organisation,

with its limited resources and competing priorities, can afford to ignore the cost of executing one particular strategy over another.

Also, by going all in, organisations tend to exhaust their resources quickly, while simultaneously creating vulnerabilities elsewhere. What this means for our fight against COVID-19 is that if our global leaders don’t weigh our short-term flattening-the-tail decisions with longer-term economic security decisions, then the next epicentre of the coronavirus will not be any specific geography, but rather our global economy.

Our economy is critically dependent on large numbers of people freely travelling, interacting, earning and spending – social isolation now threatens this. Even at the time of writing this paper, economists are warning that aggressive social distancing could create the greatest global recession in human history – a situation that will have detrimental, long-term impacts on societal unemployment, poverty, debt, crime and even suicides. It would thus seem that by going all in on one fat tail threat, we have potentially created a second fat tail threat. So, which of these fat tail threats should be our primary focus? Do we choose to protect those who are vulnerable today, or do we choose to protect those who might become vulnerable tomorrow? It’s the classic ‘runaway trolley’ decision-making dilemma taught in ethics classes worldwide – which lever would you pull?

Unsurprisingly, aggressive social distancing is now being challenged by those analysts who argue that we are making the most extreme of mitigation decisions based on incomplete data. Consider how nobody can say for certain what the true infection rates are, when this pandemic will peak, how long social distancing needs to last in order to be absolute, whether this tactic will prevent follow-up outbreaks, what the systemic impacts of aggressive social distancing will be, or how much isolation our economy can bear? It would thus appear that we are implementing these Draconian-style risk tactics with some degree of trial and error, which ironically is exactly that which probabilistic risk methods seek to avoid.

Clearly the global risk-management community has not yet ironed out all the wrinkles associated with probabilistic risk responses to mitigating fat tail threats. Only time will tell what transpires from this particular approach to mitigating COVID-19, but at some point in the future the global risk-management community is going to have to do a post-event lessons-learnt analysis of how we legitimately approach (and prioritise) our risk-management responses to rapidly emerging extreme events.

THE EDGE OF CHAOS – HOW COMPLEX SYSTEMS THINKING APPEARS TO BE LAGGING IN OUR LEADERSHIP’S RESPONSES

I have long argued that as our modern working world gets more and more systemically complex, the more the invested risk-management community will be forced to start looking at risks with a complex systems’ mindset. The COVID-19 phenomenon has demonstrated why this argument is true. Consider how the pandemic, our human society and the global economy are all scientifically valid, complex adaptive systems. Thus, any institution that desires to better understand how to control the complex interactions and relationships that emerge between these three collaborating systems will need to look towards the complexity sciences for answers. Without getting too deep into the theory, complex systems are highly energised entities, comprising an advanced number of contributing parts that are all continually interacting with, and adapting to, their changing environmental circumstances. If you can understand this basic description of a complex system, then you can perhaps begin to understand (and possibly even control) complex risk phenomena.

For example, consider how Edward Lorenz’s famous ‘butterfly effect’ concept might help to explain how a seemingly insignificant event in one area of a complex system (a viral outbreak in remote Wuhan, China) rippled and compounded to create momentous, possibly even uncontrollable, impacts elsewhere within the global system. Equally, the complex systems concepts of nonlinearity and fractal relationships might help to explain why COVID-19 appears to have spread much quicker and more intensely in those countries with greater resources and controls (i.e., Europe and North America), but slower and more sporadically in those with limited resources and weaker controls (i.e., Africa, Central Asia, and Central and South America). Further, the complexity concepts of emergence and strange attractors may help to explain how the COVID-19 outbreak has led to a worldwide shortage of toilet paper, but not of tinned goods nor bottled water. Clearly there is some unique irrationality at play within complex systems that cannot be controlled by conventionally linear risk methods.

Perhaps, however, the most important complexity concept in addressing this global pandemic is ‘the edge of chaos’. The edge of chaos is a theoretical tipping point inherent within all complex adaptive systems – it is that point where the system tips over from being reasonably controllable (stable) to becoming wildly uncontrollable (chaotic). Consider how a seemingly peaceful school of fish reacts violently to the sudden emergence of a predator, or how a stock exchange trading floor erupts when receiving a new piece of market news. This is the edge of chaos in action, and what it suggests is that even a stable system is potentially chaotic – it just needs a catalyst to unleash. This particular phenomenon is believed by many complexity theorists to be the most important of them all, as it helps to explain what the purpose of management control within a complex situation should be: to prevent the entire system from tipping over into chaos.

Unfortunately, this key concept does not appear to have translated well into our global leadership’s responses nor communication. There seems to be an inherent failure to recognise that every message and tactical response that they endorse sends signals (yet another complexity concept) rippling through our complex societal systems, which either encourage us all to take one step closer to, or one step farther from, the edge of chaos. It is only the quality and validity of these signals that determine what direction we step. It has thus always been critical that leaders consistently communicate a clear, credible plan to their populace for dealing with COVID-19 in both the short and long term. Unfortunately, the short-term plan has been quite blunt and intrusive, whereas the long-term plan has been an ongoing mystery.

World leaders need to understand that right now, our society is potentially edging ever closer to that chaotic tipping point. People are isolated, uncertain and anxious – all factors that could easily unleash societies’ most extreme behaviours. By imposing aggressive social distancing, millions of people have been forced into involuntary isolation without any consultation, exploration of alternatives, nor agreement of an acceptable time limit. How long will these people willingly self-quarantine, keep their businesses shut or remain unemployed before they start aggressively protesting the infringement on their personal freedoms? Governments will need to tread particularly carefully from here on out, as one poorly informed move could ignite a series of chain reactions that could escalate over the edge of chaos.

Building on this, no institution (nor risk professional) can seriously claim to be adept at controlling complex phenomena if they don’t understand what the basics of complexity management are. Thus, if the global risk-management profession has any hope of succeeding in our future working world, then once things settle down to a new normal, we are all going to have to ask some serious questions as to how well our profession understands the management of complex situations.

RESILIENCE – HOW ‘BOUNCING BACK’ WON’T HELP IN THE FIGHT AGAINST COVID-19

Resilience is the ability of an entity to respond intelligently to changing environmental circumstances. Unsurprisingly, resilience has now become the goal of all our global COVID-19 risk-management efforts.

The need for our society and participating organisations to become resilient in the face of potentially disruptive COVID-19 forces has been spoken about extensively from almost every political podium, news broadcast and personal blog (mine included). The current challenge for the risk-management discipline, however, is that this profession has historically promoted an incomplete and limited view of resilience – one which will not suit our fight against this global pandemic. More specifically, the risk profession has historically described resilience as being an organisation’s ability to bounce back to a business-as-usual state after experiencing some form of disruptive event – a view that is most commonly evidenced in the pages of many business continuity and disaster recovery plans.

The problem with this particular view of resilience, however, is that it ignores the possibility that perhaps the reason the disruptive event was allowed to manifest in the first place was because the organisation’s business-as-usual state was actually flawed or vulnerable. In such a case, bouncing back to a pre-existing state of vulnerability isn’t really a resilient solution. Clearly this particular definition of resilience does not suit the way our society, nor our participating organisations, should respond to COVID-19 – a more contextually valid view of resilience is thus required.

In his book Antifragile, Taleb argues that resilience is commonly assessed by how well a body resists shocks to stay the same; what we should rather assess is how much

the body improves after the shock. Taleb’s argument echoes much of the new-age academic thinking on dealing with disruptive phenomena – it is not enough to just recover from a disruptive event, one also needs to become stronger for the experience. Unsurprisingly, the historical roots of such thinking can be traced back to the study of natural complex systems, such as biological ecosystems, animal food chains, rainforests and the like. Natural complex systems have been able to endure billions of years of planet shaping, disruptive phenomena in the form of asteroid strikes, tectonic shifts, global freezing, global warming, floods, droughts and even pandemics. So, what makes these natural complex systems so highly resilient? In a nutshell, it is their ability to respond intelligently to emerging changes in their surrounding circumstances. In the natural systems universe, resilience is all about the ability of a system to recognise, respond and adjust to the emerging phenomena that surround them.

Herein lies the critical learning for modern organisations and our fight against COVID-19 – the complexity sciences do not recognise resilience as being the ability to ‘bounce back’ to one’s existing state, but rather the ability to ‘bounce forward’ to a newer, stronger state. Natural complex systems are not resilient because of their ability to retain their original state, but rather because they have an intelligence-driven ability to evolve to a new state, when indeed a new state is required. This is the original and truest goal of resilience, and it is the goal that our fight against COVID-19 must adopt.

Already, we are starting to see how the most resilient of organisations are those that can adapt their business model to suit the current circumstances. Consider the whisky distillery that has started producing alcohol-based hand sanitiser or the vacuum cleaner manufacturer producing hospital ventilators, or even the high-end, gourmet restaurant now delivering sealed food parcels to shut-ins. Also consider all those office-bound organisations who were able to successfully transition their workforce into a remote capability. Now, in contrast, consider those organisations that could not adapt their traditional business models to a new state, like gyms, airlines, hotels and the like – many are now facing long-term shutdowns and catastrophic losses. Clearly, organisational resilience in the face of disruption is not about bouncing back but rather about bouncing forward.

Building on this observation, the COVID-19 pandemic is almost certainly going to change the way modern organisations (and the risk-management profession) think about organisational resilience. The sheer number of organisations that will either evolve or succumb to natural economic selection during this time will shift the risk profession’s mindset as to exactly what modern resilience is and is not. Equally, those historical methodologies designed to bounce an organisation back to an existing state of vulnerability will have to give way to methodologies designed to make organisations more dynamically agile in the face of disruption.

A SILVER LINING – HOW COMPLEX SYSTEMS GROW STRONGER FROM DISRUPTION

COVID-19 has to date (and will continue for a while yet) been our generation’s biggest test. As tragic as it has been for many, there is a silver lining.

Every complex ecosystem (including human society) benefits from a little revolution now and then – it is what makes such systems stronger for the long run. Disasters, disruption and systemic shocks force us to acknowledge our vulnerabilities and evolve our existence to a higher state. COVID-19 will almost certainly do the same for the human species, as well as for our contributing organisations, making us all collectively stronger for the experience. For the risk-management profession specifically, COVID-19 is going to provide a monumental case lesson in what can legitimately be considered effective risk management in this modern age of increased systemic complexity, social connectivity, and perpetual disruption.

This global pandemic will undoubtedly force our profession to acknowledge our retained myths, vulnerabilities and follies – it will also force us all to engage in new thinking and practices, something that the risk profession has not always excelled at. At the very least, COVID-19 is going to force governments, institutions and organisations alike to take a serious look at their invested risk-management capability, and ask one simple question of it: do we currently retain a risk-management capability that enables us to respond intelligently to our working world’s most complex challenges?

In turn, practising risk managers are going to need to do some serious self-reflection as to where their particular capabilities lie. Those who don’t have demonstrable understanding and skills in uncertainty management, probabilistic risk methods, data analytics, natural systemic resilience and complex systems thinking are going to be found increasingly wanting in this brave new world. Most positively, however, is how COVID-19 is already demonstrating to many organisational leaders that risk management is not a simple-state game; it is, in fact, a highly complex and technical discipline. Hopefully this will translate into organisations taking their future risk-management investments and hires that much more seriously.

In conclusion, what COVID-19 will almost certainly teach us all is that those who don’t evolve their capabilities to account for an age of advanced risk are simply allowing themselves to remain vulnerable to the complex disruptive forces of the modern working world.

Welcome to the new age. Is your risk-management capability ready? •

SANS OnDemand

SANS OnDemand courses are perfect for students who want the comprehensive content of a SANS course and the flexibility to train without the need to travel or take time from work. Complete control over the pace of learning fits every learning style. Taught by SANS’s top instructors, our OnDemand courses are available via your desktop, laptop, iPad, or tablet, so you can learn from the comfort of your home, or on-the-go.

With 45+ SANS courses to choose from, you’ll have access to:

Four months of content, available 24/7
You’ll have full access to your course content at any time during your training—which gives you control of your own pace, learning environment, and schedule. OnDemand gives you the freedom to train whenever and wherever it’s most convenient for you.

Lectures, quizzes, hands-on exercises, and virtual labs
Along with 24/7 access to course content, you’ll also have access to all instructor lectures, class exercises, and the virtual labs associated with each module. With the ability to revisit and review complex or difficult topics, you’ll have plenty of time to master the content and reinforce what you’ve learned through real-world, hands-on exercises.

Subject-Matter Experts
SANS Subject-Matter Experts (SMEs) are available at any point during your training to answer any questions you may have and to help break down complex topics. Accessible via online chat, our SMEs are there to ensure your success as a student and build your confidence with the content.

A complete set of books, course media, and course progress reports
Everything you need to be a successful student is included with your course. Course booklets are sent to your door after registration; course media—including lectures, virtual labs, and hands-on exercises—are available online at any time during your training; and course progress reports help you stay on track, pick up where you left off, and plan your training schedule accordingly.

GIAC prep
OnDemand courses are also a great way to help you prepare for a GIAC certification attempt. With extended access to course content, you’ll have plenty of time to review and master the material and study for the exam with confidence.

Visit sans.org/train-online-au to find your course, check for special offers, and get registered today!

Why Certify?

It’s no secret that cyber threats are evolving, becoming more sophisticated, and having greater impacts on individuals and businesses. Large businesses globally lose millions to cybercrimes each year and companies in every vertical are taking cybersecurity seriously. The U.S. Bureau of Labor and Statistics projects that employment for information security analysts will grow at 32 percent between 2018 and 2028*, which is higher than the average for all other occupations. This rapid increase in demand for employees with highly specialized knowledge and hands-on skills for identifying and responding to cyber threats creates unlimited opportunities for employment. Practitioners with a cyber security certification, such as Global Information Assurance Certification (GIAC), are highly valued in this market.

Large organizations such as Amazon, Allstate, Discover, Lockheed Martin, and Siemens AG are examples of companies that recognize a SANS-trained and GIAC-certified information security force is the best way to guarantee the integrity of the operation.

Advance your career by standing out with a GIAC certification

An increase in cyber threats creates a massive need for a highly specialized workforce; do you have the expertise and certifications required to fill these in-demand roles today?

Gaining certification through a cyber security certification program like GIAC Certifications can create opportunities for you. Work experience and innate ability are important, but skill-focused certifications validate them both, making you more marketable to potential employers and more likely to advance with current employers. If you are currently in a cyber role, you know that the demands of your position are constantly evolving with new technologies and threat types. Certifying through GIAC Certifications signals that you have truly acquired hands-on cybersecurity skills and have relevant, real-world training that top companies critically need.

Ready on day one: GIAC certifications verify that you’re job-ready

GIAC Certifications develops and administers premier, professional information security certifications that provide the most rigorous assurance of cyber security knowledge available to the modern global enterprise. More than 30 cyber security certifications align with SANS training and ensure mastery in critical, specialized InfoSec domains. GIAC Certifications provide the highest and most rigorous assurance of cyber security knowledge and skill available to industry, government and military clients across the world. GIAC provides a role-based certification platform that gives cyber security professionals the degree of cyber security knowledge and skills required to secure organizational behavior around critical IT systems across the enterprise.

Join the InfoSec Force

A certification on its own may not be enough. That’s why every GIAC Certification is paired with a SANS training course. This ensures you receive the live-scenario training before certifying that you possess the needed skills to respond to your organization’s cyber needs.

View the full list of SANS online training events in your time zone here: sans.org/liveonline-apac

You can also train with SANS online at your own pace with SANS OnDemand; for more information head to their website sans.org/OnDemand_AU

If you’d like to learn more about certification with GIAC you can find details at giac.org/why-certify-AU

*https://campuspress.yale.edu/tribune/what-is-the-future-of-cybersecurity-jobs/


5G: a security liability?

COVID-era remote working may legitimise 5G’s capabilities, but the world’s newest mobile technology demands security prudence, reports David Braue.

When it comes to technology hype, emerging 5G mobile networks arguably take the cake, with pundits regularly making breathless claims. An Inc. magazine article recently claimed that the new services ‘will fundamentally change everything you know about mobile computing’.

Analyst firms have echoed the projections, with IDC predicting that 2020 will be the year 5G becomes ‘real’, and is expecting more than one billion worldwide 5G connections by 2023. Gartner recently projected that worldwide 5G network infrastructure spending will nearly double this year as carriers – particularly in China, which will account for more than 49 per cent of worldwide 5G investment this year – evolve from transitional 4G/5G hybrids to fully 5G networks.

In some ways, 5G’s contemporaneity with the COVID-19 pandemic has been particularly fortuitous, since surging demand for the faster mobile technology is being tied to near-ubiquitous remote working. As the home-working trend morphs into a fundamental part of the ‘new normal’ for businesses, availability of robust connectivity will be crucial – and 5G will provide it in spades wherever networks are rolled out.

Yet, 5G will also be a crucial part of many efficiency initiatives expected to be undertaken by governments and businesses as they fight to pivot away from the pandemic’s economic savagery by cutting costs and deploying new automation, Internet of Things (IoT) devices, environmental sensor networks, and other 5G-enabled technologies.

Despite its flexibility, however, 5G is not a plug-and-play panacea for what ails your business. Being increasingly able to depend on a single wide area network (WAN) topography will have benefits in terms of logistics, faster onboarding of remote users, and easier management once they’re connected – but it also has the potential to create new security exposures that must be proactively managed.

INFRASTRUCTURE SECURITY STILL IN ITS EARLY STAGES

In Australia and other Five Eyes countries, discussions about security issues around 5G have – in the public sphere, at least – revolved mainly around questions of sovereignty and security, with Chinese companies like ZTE and Huawei ostracised by government policymakers as connoting specific security threats to 5G networks that have already been categorised as critical infrastructure.

European Union (EU) regulators, for their part, have been working to progress a consistent and less-emotional evaluation of 5G’s security threats, with efforts to implement a joint EU Toolbox on 5G Cybersecurity – a collection of mitigating measures that was agreed by member states in January.

Measures covered in the guidance include seven strategic policy areas, such as regulatory powers; restrictions for high-risk suppliers; controlling the use of managed service providers and equipment suppliers’ third-line support; developing supplier diversity and national resilience; and screening foreign direct investment.

The Toolbox also addresses nine operational issues, such as the application of baseline security requirements; ensuring strict access controls; improving the security of virtualised network functions; reinforcing software integrity and patch management; reinforcing resilience and continuity plans; and others.

A July report on the Toolbox’s progress found that while many states had progressed in areas such as applying baseline security standards to 5G networks and ensuring strict access controls, specific technical measures – such as physical security and software integrity – were still in the planning or early implementation stages.

Other critical capabilities – including the evaluation and implementation of security measures in 5G standards, security of virtualised network functions, and increasing suppliers’ security by developing robust procurement conditions – were still at a low level of maturity, as were efforts to ensure supplier diversity and operational resilience at a national level.

The gist of this assessment is important for every corporate security strategist. Although the Toolbox lays out key areas where 5G security may create new risks, six months on it is clear that many questions about 5G mobile security remain unanswered.

‘Progress is slower when it comes to technical measures for mandating key security requirements from 5G standards,’ the report’s authors conclude, noting that many technical security efforts remain opaque and technical requirements for suppliers have yet to be elucidated.

The report continues by saying, ‘This is, in some cases, directly linked to the fact that 5G is by nature an evolving technology with some uncertainties on the way it will be implemented and deployed’.

BUSINESSES READY TO MOVE ON 5G?

That’s hardly the kind of confidence that enterprise IT decision-makers want to hear when planning core infrastructure – but with up to 60 per cent of European countries still unsure when key security measures might be introduced to their 5G rollouts, Australian enterprises should proceed with caution before jumping on board the 5G hype bandwagon.

Advisory bodies have largely painted executives’ reluctance around 5G as a case of misunderstanding its real benefits, with a late-2018 Deloitte survey finding that 78 per cent of Australian business leaders believed faster, more reliable mobile telecommunications would benefit

their business for applications like remote access – and that 69 per cent of businesses expected to be using 5G before the end of 2020.

Although Australian 5G rollouts have progressed steadily throughout 2020, it has become clear that ‘using 5G’ is a broad term that offers little specific guidance around 5G take-up. Ongoing lack of clarity around issues such as security has been a problem, with one Accenture survey of Australian executives finding that security was the only concern about 5G that had actually grown over time. Although 68 per cent of respondents said that 5G would make their businesses more secure, many expressed concerns about 5G network architecture issues, such as user privacy, the number of connected devices, use of multiple networks, service access, and supply chain integrity – many of the same issues that, the EU report found, carriers are still wrestling with.

CHARTING A SAFE PATH TO 5G

Such surveys highlight the ongoing issues that security strategists face in ensuring that 5G networks deliver the expected benefits while maintaining expected levels of operational security.

Yet, many networking executives are quite content with their current networking environments. In June, for example, a Deloitte survey of US-based networking executives found that more than 80 per cent are satisfied with their existing networks’ security, ability to control and customise their networks, interoperability, scalability, technology maturity, and ease of deployment.

Many of these capabilities overlap with some of 5G’s biggest selling points, suggesting that despite all the hype, risk-averse companies holding the line on 5G may not sacrifice as much transformational capability as breathless advocates would lead them to believe.

Supporting infrastructure will steadily evolve to improve 5G’s security capabilities, but many businesses will necessarily lean heavily on telecommunications providers and managed service providers to manage many of the technological exposures that 5G creates. Those services, however, are still evolving, and as the EU’s recent audit found, it will be several years before carriers’ internal management capabilities are as mature as those available on current 4G LTE networks.

And while 5G may well help to facilitate now-critical business capabilities, such as remote working, embracing it too soon may expose the business to still-evolving technological architectures with as-yet-unknown vulnerabilities – turning 5G from a boon into a liability. This exposure will be magnified given the surging numbers of connected devices that 5G facilitates.

Forty-three per cent of respondents to the Accenture survey said that running new networks based on 5G was their most important challenge, while 38 per cent said that it was their most difficult challenge around the new technology.

Faced with top-down pressure to push towards 5G, however – particularly as Apple’s expected 5G-capable iPhone 12 hits the market – simply stonewalling against 5G isn’t likely to remain a viable strategy for much longer.

Given its inevitability, security specialists may find it prudent to elucidate a clear argument for a slower and more measured 5G transition than many may want.

Rather than waiting for 5G to fix all of its problems, this may mean that now is a great time to double-down on demand for layer-three protections that can compensate for potential vulnerabilities around virtualisation management – think stronger multi-factor authentication and zero-trust architectures, better patching regimes, application whitelisting to lock down largely unregulated remote-work environments, and the like.

Ultimately, 5G will become part of enterprise life – but with security standards still evolving, it remains as important for security specialists to defend the company’s data assets against 5G as it is to enable its business processes using the technology. •

Advancing your career, protecting organisations... starts here

Study Cyber Security in 2021 Are you up for the challenge of keeping organisations safe from cybercriminals?

Organisations across the world are under increasing threat from cyber-attacks and there is a worldwide shortage of cyber security professionals. Now is the time to advance your career in this field.

Earn your qualification from a top-ranked University for Computer Science & Information Systems*.

Study a Bachelor or Post Graduate Degree in Computer Science (Cyber Security) or be part of the first intake for the new 100% online courses: Master of Cyber Security, Graduate Diploma in Cyber Security, or Graduate Certificate in Cyber Security.

FIND OUT MORE uow.info/study-cyber-security

*UOW is ranked in the top 200 universities in the world for Computer Science & Information Systems in the QS World University Rankings by Subject 2020.

UNIVERSITY OF WOLLONGONG CRICOS: 00102E

CONTENT PROVIDED BY CYDARM TECHNOLOGIES

Collaboration key to cyber resilience

THE REQUIREMENT FOR greater trust and transparency has continued in 2020, driven by increasing cyber threats and new regulations. The trend is clear – increased engagement by organisations with their customers, industry peers, and regulators on matters of cyber security has become the accepted norm.

In August 2020, the Department of Home Affairs released the Protecting Critical Infrastructure and Systems of National Significance Consultation Paper, signalling a more prescriptive approach to cyber security for Australian critical infrastructure across 11 industry sectors. The paper aims to 'ensure that systems and personnel can detect, understand and respond to cyber security incidents', and 'promote a positive and collaborative security culture of continual improvement and engagement across sectors, ensuring lessons learnt are shared', with a near real-time threat picture as one of the desired outcomes. These proposals are a timely recognition that the ability to collaborate and disseminate information, both across an organisation and within 'communities of interest', is critical to those outcomes.

In a similar vein, the October 2020 updates to the Australian Government Information Security Manual mandate the need for greater situational awareness by Chief Information Security Officers (CISOs). Included was a specific call-out for CISOs to be fully aware of all incidents across the organisation, including 'how internal teams respond and communicate with each other during an incident'. It is clear that collaboration and communication with other business units and outside parties during an incident has been identified as key to the success of response efforts.

These ideas are not new. In 2012, the NIST Computer Security Incident Handling Guide (NIST SP 800-61r2) was updated to recommend identifying other groups or individuals within the organisation that may need to be involved in incident handling, noting that 'Incident response teams rely on the expertise, judgment, and abilities of other teams, including management, information assurance, IT support, legal, public affairs and facilities management'. To fully involve these personnel, the need to share information with audiences at different levels of trust must be balanced by their need to know. According to NIST SP 800-61r2, 'Organisations need to balance the benefits of information sharing with the drawbacks of sharing sensitive information, ideally sharing the necessary information, and only the necessary information, with the appropriate parties'.

Striking the right balance between information sharing and the application of the need-to-know principle is difficult to achieve at the speed and scale needed during an incident response activity. Commonly used IT service management and chat ops platforms run the risk of exposing sensitive information, or of preventing broad collaboration with the right stakeholders. A solution that achieves the right balance needs to enable timely access to information at a fine-grained level. Just as brakes on a car enable you to drive faster, effective access control enables you to collaborate better and make decisions faster.

Cyber security collaboration between people with different experience and skill sets, at different levels of trust, is critical to an organisation's ability to withstand inevitable cyber security incidents. The growing recognition of the need for collaboration is a positive change that will be a key success factor in achieving cyber resilience. •
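The need-to-know balance described above, shown as a worked example. This is added code, not Cydarm's platform or anything from the article: it assumes TLP-style labels as the trust tiers, a small set of organisations and functional teams as the audiences, and a constructed incident with four participants. Every case entry must pass three gates (label tier, organisation, team audience) before a reader sees it, an author cannot label an entry above their own clearance, and every read is recorded for later review.

```python
"""Need-to-know sharing of incident case data across trust boundaries.

Added example, not Cydarm's code. It models the balance NIST SP 800-61r2
describes, sharing 'the necessary information, and only the necessary
information, with the appropriate parties': every case entry carries a
TLP-style label and an explicit audience, a participant sees only what
both permit, and every read is recorded. The tiers, teams, participants
and case entries below are assumptions constructed for the example.
"""
from dataclasses import dataclass, field

# TLP tiers, loosest first; a reader's clearance is the tightest tier they may see.
TLP_ORDER = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


@dataclass(frozen=True)
class Participant:
    name: str
    org: str            # "internal", "msp", "regulator", ...
    clearance: str      # tightest TLP label this person may read
    teams: frozenset    # functional teams, e.g. {"ir", "legal"}


@dataclass(frozen=True)
class Entry:
    text: str
    tlp: str
    orgs: frozenset                     # organisations allowed to see it
    audience: frozenset = frozenset()   # empty = any team within those orgs


def may_read(p: Participant, e: Entry) -> bool:
    """All three gates must pass: label tier, organisation, team audience."""
    if TLP_ORDER[e.tlp] > TLP_ORDER[p.clearance]:
        return False
    if p.org not in e.orgs:
        return False
    return not e.audience or bool(e.audience & p.teams)


@dataclass
class Case:
    case_id: str
    entries: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (reader, org, seen, total)

    def add(self, author: Participant, text: str, tlp: str, orgs, audience=()):
        # An author may not label above their own clearance: an AMBER-cleared
        # analyst cannot stamp an entry RED and lock their own team out of it.
        if TLP_ORDER[tlp] > TLP_ORDER[author.clearance]:
            raise PermissionError(f"{author.name} may not label entries {tlp}")
        self.entries.append(Entry(text, tlp, frozenset(orgs), frozenset(audience)))

    def view(self, p: Participant) -> list:
        """Return the entries this participant may read, and log the read."""
        visible = [e for e in self.entries if may_read(p, e)]
        self.audit.append((p.name, p.org, len(visible), len(self.entries)))
        return visible


def build_sample_case():
    """Constructed incident with four participants at different trust levels."""
    analyst = Participant("analyst", "internal", "AMBER", frozenset({"ir"}))
    msp_eng = Participant("msp-eng", "msp", "GREEN", frozenset({"ir"}))
    counsel = Participant("counsel", "internal", "RED", frozenset({"legal"}))
    liaison = Participant("regulator-liaison", "regulator", "RED", frozenset({"legal"}))

    case = Case("IR-2020-0042")   # constructed case identifier
    case.add(analyst, "Phishing lure and sender indicators", "GREEN",
             orgs={"internal", "msp", "regulator"})
    case.add(analyst, "CFO mailbox compromised; credential reset in progress",
             "AMBER", orgs={"internal"}, audience={"ir"})
    case.add(counsel, "Draft regulator notification (legally privileged)",
             "RED", orgs={"internal", "regulator"}, audience={"legal"})
    case.add(analyst, "Forensic image acquired from FIN-LT-07, hash recorded",
             "AMBER", orgs={"internal", "msp"}, audience={"ir"})   # hostname constructed
    people = {p.name: p for p in (analyst, msp_eng, counsel, liaison)}
    return case, people


def who_sees_what(case: Case, people: dict) -> dict:
    """Map each participant to the texts of the entries they are allowed to read."""
    return {name: [e.text for e in case.view(p)] for name, p in people.items()}


if __name__ == "__main__":
    case, people = build_sample_case()
    for name, texts in who_sees_what(case, people).items():
        print(f"{name}: {len(texts)}/{len(case.entries)} entries -> {texts}")
    print("audit:", case.audit)
```

With the sample case, the internal analyst sees three of four entries, the managed service provider's engineer sees only the shared indicators, and both lawyers see the indicators and the privileged draft but not the operational notes. The audit list is what lets a CISO later answer who saw what during the incident; the three gates are deliberately independent so that widening one (say, adding the regulator to an entry's organisations) never silently widens the others.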


CONTENT PROVIDED BY NETSKOPE

The illegal economy and how the cyber industry can help

By David Fairman

WITH THE SIGNIFICANT advances of technology over many years, not only have law-abiding citizens, organisations and governments leveraged this to their advantage to grow and prosper, but so, too, have criminals. They are not regulated or governed, but are often well funded and well coordinated. This is the challenge that organisations, governments and their security teams battle on a daily basis.

THE ILLEGAL ECONOMY AND FINANCIAL CRIME

The illegal economy refers to the illegal trade of goods and services, such as human trafficking, racketeering, smuggling of endangered species, sale of illegal drugs and just about any other activity that generates financial transactions and is deemed illegal in nature. The exploitation of the financial system enables criminals and organised-crime gangs to launder funds received through illegal activity and to disguise criminal activity. As with any organisation or entity, criminals look to take advantage of new ways of working in order to make their trade more effective and efficient, thus resulting in these entities leveraging technology to achieve their mission and increasing the opportunity for financial crimes. This also applies to cybercrime and the facilitation of financial crimes through digital means.

DIGITAL CURRENCY

Cryptocurrencies are widely used by cybercriminals to transfer and collect funds because of their anonymity (in practice, pseudonymity), ease of use, and lack of international borders and restrictions – things that make using traditional banking difficult for criminals. Cryptocurrency accounts generally do not require the user to provide any personal information or their location, and also allow the use of multiple accounts at once (Dyntu and Dykyi, 2019).

Bitcoin is the preferred cryptocurrency for cybercriminals, with ransomware demands often requested in bitcoin. Bitcoin addresses recorded in the blockchain are not registered to identified individuals: every transaction is publicly visible, but an address alone does not reveal who controls the receiving wallet. This means that authorities have a difficult time tracking down connections and trails to criminals. Cashing out is riskier; however, bitcoin mixing services can help to obscure the origin of the funds, hiding the criminal's connection to the crime. In 2015, a Europol report stated that bitcoin was used in more than 40 per cent of illicit transactions in the European Union (Europol, 2015).

HOW CAN THE CYBER INDUSTRY HELP?

Digital transformation has accelerated, with business being conducted through digital channels more than ever, and this has naturally resulted in cyber security playing more of a role in combating financial crime and disrupting the illegal economy. This has led to cyber security teams working more closely with fraud and financial crime teams. This is especially true in the banking sector.

With the convergence of cyber and financial crime teams, the industry has seen the emergence of the fusion centre. A fusion centre can be thought of as an advanced version of the Security Operations Centre management model that unifies several different teams within an organisation, such as fraud, financial crime, cyber, physical security and intelligence teams. By bringing together these units, organisations can increase situational awareness, share analytics and threat intelligence more easily, have increased attractiveness to talent, and have a standard framework for procedures. Combating cybercrime and disrupting the illegal economy can then be done to a more effective degree by having more transparent management, establishing an end-to-end operating model, and allowing easier collaboration and consolidation on relevant threats and actions.

A challenge of the model, however, is the initial implementation, as this may require quite a significant amount of restructuring to be effective, creating difficulties for businesses that may be large in size, as this takes significant time, planning and effort to execute.

Furthermore, the cyber industry needs to be aware of what cryptocurrency providers are available, what their features are and how criminal organisations are going to make use of those services. It also needs to be considered how authorities are tracking these transactions and how they will plan to do so as cryptocurrencies become more anonymous, even going to the extent of being offline. One such solution is seen with Bithumb, Upbit, Corbit and Coinone, four of South Korea's cryptocurrency companies, which have decided to join forces to share wallet data in real time in order to mitigate pyramid schemes and phishing funds being sent through their services (Perez, 2019).

There are some powerful examples of where private industry


and government have partnered to disrupt cybercrime. In the United States, large banks and the US government formed – under the Financial Services Information Sharing and Analysis Centre (FS-ISAC) – the Financial Systemic Analysis & Resilience Center (FSARC) to combat cyber attacks and financial crime running through the financial system (Prnewswire.com, 2016). The Financial Action Task Force is also attempting to regulate cryptocurrency organisations by compelling them to include the details of senders or recipients in transactions (Wilson and O'Donnell, 2019). In Canada, the Canadian Cyber Threat Exchange (Canadian Cyber Threat Exchange, 2020) is another such example.

CONCLUSION

We have seen some very good examples of where the cyber security industry is working to address this threat at a macro and systemic level, but this alone will not eradicate this threat, nor is it realistic that it ever will be eradicated. Just as cybercriminals continue to share information, coordinate and evolve their capabilities, so must private industry and government. Never before has there been a better time to accelerate this collaboration. There is momentum and this must be capitalised on to further the mission. •

References

Canadian Cyber Threat Exchange. 2020. CCTX – Informing Canadian Business [online]. Available at https://cctx.ca/ [Accessed 28 August 2020]

Dyntu, V. and Dykyi, O. 2019. Cryptocurrency in the system of money laundering. Baltic Journal of Economic Studies, 4(5), 75–81. https://doi.org/10.30525/2256-0742/2018-4-5-75-81

Europol. 2015. The Internet Organised Crime Threat Assessment (IOCTA) 2015 [online]. Available at https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2015 [Accessed 27 August 2020]

Perez, Y. 2019. South Korean Cryptocurrency Exchanges Pool Data To Counter Money Launderers [online]. Hard Fork, The Next Web. Available at https://thenextweb.com/hardfork/2019/01/28/south-korean-cryptocurrency-exchanges-pool-data-to-counter-money-launderers/ [Accessed 27 August 2020]

Prnewswire.com. 2016. FS-ISAC Announces The Formation Of The Financial Systemic Analysis & Resilience Center (FSARC) [online]. Available at https://www.prnewswire.com/news-releases/fs-isac-announces-the-formation-of-the-financial-systemic-analysis--resilience-center-fsarc-300349678.html [Accessed 29 August 2020]

Wilson, T. and O'Donnell, J. 2019. Global Money-Laundering Watchdog Launches Crackdown On Cryptocurrencies [online]. Reuters. Available at https://www.reuters.com/article/us-moneylaundering-crypto-fatf/global-money-laundering-watchdog-launches-crackdown-on-cryptocurrencies-idUSKCN1TM1I8 [Accessed 28 August 2020]


Where fintech investments go, cybercriminals follow

Profit-minded cybercriminals are targeting the fintech sector's success, reports David Braue.

Despite this year's global financial disruption, Australia's financial technology sector has gone from strength to strength as financial institutions lean heavily on digital technologies to securely support their accelerated transition to online services.

That transition has been hastened by consumers' rapid movement from retail stores towards online shopping, which is managed by an ecosystem that has had to move quickly to adapt. This need, in turn, has driven wins for Australian fintech pioneers like DataMesh, which recently chalked up a significant win by selling the system – which uses a new payments framework that improves point-of-sale efficiency and reliability, as well as integrating loyalty programs – to $2-billion retail interest Peregrine.

Fintech investment was one-sixth of last year's total globally, but increased by 153 per cent in Australia during the first half of the year, according to the recent KPMG Pulse of Fintech report, which notes 15 deals that attracted a total of $510 million (US$376.5 million) in funding. Transformational firms like foreign-exchange firm Airwallex, Judo Bank, and instalment finance firms Afterpay and Zip – all of which have invested heavily in foundational infrastructure to support their technology-led market disruptions – attracted 'solid investments despite rising pandemic concerns', KPMG Australia Partner and Head of Fintech Dan Teper says.

Growing investment in the local sector will be 'helpful to policymakers hoping to accelerate the emergence of the sector', Teper says, citing surging demand in areas such as contactless payments and online commerce, as well as enabling technologies such as cyber security, fraud prevention and digital identity management.

Supporting security technologies have become as important to the reinvention of the fintech sector as fintechs themselves, with a long-held understanding among financial innovators that the dramatic digitisation of the largely conservative financial sector will only come if the security of that digitisation can be guaranteed.

Providing those guarantees was already tough enough with the 1 July introduction of the new Consumer Data Right (CDR), which has forced banks to develop and secure mechanisms for providing sensitive data to consumers – and to manage access by consumer-appointed networks of authorised representatives. Fintechs have jumped into the new world of CDR with both feet, leveraging cloud-hosted tools to streamline the transfer and analysis of consumer data.

'Sharing banking data securely between banks and Accredited Data Recipient fintechs through open banking will bring added value to consumers,' says Adam Beavis, Commercial Sector Managing Director with Amazon Web Services, whose cloud platform and services have been favoured by Australian fintechs, including Conformity, Frollo, Basiq, Zip Money and Xinja.

AWS is playing fintech innovator in its own right, working to develop a secure open banking API to streamline the secure exchange of data with third parties. 'As Australia enters this new era of banking, security of information remains the highest priority,' Beavis says. 'The new framework puts control of data into the hands of the consumer, and will enable them to more easily identify and consume financial services that best meet their needs.'

GOING WHERE THE MONEY IS

Security has become tougher during the months of the COVID-19 pandemic, with cybercriminals well aware of the increasing use of digital payments, financial services and clearing houses – and cybercriminal gangs, like advanced persistent threat (APT) group Evilnum, stepping up the sophistication of their attacks. The global financial industry has been under siege as a result, with the latest VMware Carbon Black Global Incident Response Threat Report noting that 51 per cent of cybercriminal attacks during the second quarter of this year were targeting the financial sector.

'Not only has the corporate perimeter been broken, but people are hungry for new online experiences,' notes Tom Kellermann, Head of Cybersecurity Strategy with the firm. As a result of that hunger for new digital experiences, he says citizens 'are using new, smart technologies to find them. And hackers know it'.

Fifty-nine per cent of attacks had a financial motivation, the report found – corroborating recent Office of the Australian Information Commissioner (OAIC) statistics showing that 37 per cent of data breaches during the first half of this year involved financial details like bank account or credit card numbers.

Reflecting the increasing role of digital services to support fintech innovation, 'island hopping' – a technique that exploits the interconnectedness of business ecosystems by finding a vulnerability in one service provider and then moving laterally towards the ultimate target – was noted in around a third of observed attacks, with 40 per cent of those attacks also distributing malware like Kryptik, Obfuse and Emotet across targets' systems.

In many cases, this malware has proven devastating for financial businesses – which, according to Boston Consulting Group figures, regularly experience up to 300 times as many cyber attacks per year as companies in other industries. Ransomware launched by cybercrime gang REvil shut down dominant Chilean bank Banco Estado in September, forcing the company to close all of its branches after an employee received and opened an infected Microsoft Office document.

A May analysis, also by VMware Carbon Black, drew out the experiences of financial industry security staff that are being targeted by multinational organised crime groups pummelling their targets with ransomware, distributed denial-of-service (DDoS), business email compromise (BEC) and other forms of financial malfeasance. Indeed, attacks against the financial sector surged by 238 per cent between February and April, with 80 per cent of financial institutions noting an increase in cyber attacks over the past 12 months.

'The growing availability of ready-made malware is creating opportunities for even inexperienced criminal actors to launch their own operations,' US Secret Service Cyber Investigations Advisory Board Executive Director Jonah Force Hill is quoted as saying in the report. 'When combined with a steady commercial growth of mobile devices, cloud-based data storage and services, and digital payment systems, cybercriminals today have an ever-expanding host of attack vectors to exploit.'

BEATING THEM AT THEIR OWN GAME

Ironically, cybercriminals are not only targeting financial providers more aggressively than ever, but are also leaning on the very fintech innovations that have reshaped the industry by offering consumers faster, easier and more flexible access to conventional finance and cryptocurrencies. Sixty-four per cent of financial institutions said that they had seen increased attempts at fraudulent wire transfers – up 17 per cent over the previous year – while 24 per cent had seen an attack leveraging counter-incident response.

New technologies and payment systems are helping many cybercriminals 'cash out' after a successful ransomware extortion, moving and hiding their anonymous funds in a process that, a recent SWIFT-commissioned BAE Systems Applied Intelligence analysis found, runs the money-laundering gamut, including front companies, cryptocurrencies and careful moderation of buying patterns.

'As technology and criminals' techniques evolve at a rapid pace,' says Simon Viney, BAE's Cyber Security Financial Services Sector Lead, 'so will the need for institutions, both private sector and law enforcement, to collaborate and maintain awareness of evolving money-laundering techniques in order to reduce the opportunities for threat groups to benefit from committing high-value cyber heists.'

The ongoing exploitation of fintech innovation offers important guidance for financial giants and fintech innovators that, as one recent analysis showed, understand the importance of securing their disruptive digital technologies – but often fall short of the mark anyway. Application security firm ImmuniWeb, for one, analysed the systems of 100 prominent fintech startups – including three in Australia – and found that 98 of them had vulnerabilities that made them potentially susceptible to web and mobile application attacks.

Clearly, security remains an aspirational goal for fast-moving fintechs – and amid the surge in cybercriminal interest, any shortcomings could be catastrophic. And as agile fintechs guide consumers, businesses, banks and markets into COVID-19's new digital world, experience to date guarantees that cybercriminals won't be far behind. •

CONTENT PROVIDED BY ALSID

Harnessing innovation

FOUNDED IN 1874 and headquartered in Australia, Orica is the world's largest provider of commercial explosives and blasting systems for the mining, quarrying, construction, oil and gas sectors. Orica employs approximately 11,500 people worldwide and serves customers in more than 100 countries.

CHALLENGES

While Active Directory (AD) is central to Orica's IT infrastructure, this component was not prioritised as a potential single point of failure for operations. Management of AD by the in-house IT team was focused on maintaining availability of services and minimising service disruption. Amid other competing priorities, Orica's AD security configurations were not properly maintained. While the in-house Security Operations Centre (SOC) had several security agents deployed to endpoints, servers and the network, there was no visibility of what activity was occurring within AD itself.

THE SOLUTION

The incoming CISO identified four needs that Alsid could fulfil. It could provide:
1. insight into the security posture of AD
2. guidance to the in-house team on how to remediate
3. alerts on suspicious activities occurring on the domains
4. continuous monitoring of the AD configuration.

Prioritising mindsets

Through an Alsid proof of concept (POC), Orica was able to get real-life insights into the current AD security posture. It highlighted several weaknesses that could potentially lead to account and domain compromise. The ability to see such vulnerabilities enabled the IT teams to realign their focus, and reignited the importance of securing AD. Alsid also helped to address gaps in AD expertise, providing the IT team with guidance on what to prioritise and what steps the team could take to correct the situation. This empowered the IT team to focus on fixing issues, rather than accepting them.

Addressing a lack of visibility

Following the POC, the IT team accepted the need for continuous monitoring and the ability to track changes in real time on the most critical parts of the directory. The initial discovery was followed with the immediate deployment of the agentless, non-intrusive Alsid for AD solution. Incorporating the Alsid alerts into the SOC enables Orica to continuously monitor for suspicious activity on AD. The POC and, later on, the production deployment provided management with an overview of the AD security posture and the rate of improvement.
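What 'continuous monitoring of the critical parts of the directory' looks like in code, as an added example that is not Alsid's product or Orica's deployment. It assumes two constructed snapshots of privileged-group membership and account attributes (in practice they would be built from LDAP queries against the domain), uses the documented userAccountControl bit values, and reports both changes between snapshots (membership, dangerous flags, sIDHistory) and the standing weaknesses of the privileged accounts. The account names and the SID in the snapshots are invented for the example.

```python
"""Continuous monitoring of security-critical Active Directory state.

Added example, not Alsid's product or Orica's code. It shows the kind of
check a SOC would run on every snapshot of the directory: diff the current
snapshot against the previous one for the changes that most often precede
account or domain compromise, and report the standing weaknesses of the
privileged accounts. The two snapshots at the bottom are constructed; in
production they would be built from LDAP queries against the domain.
"""

# userAccountControl bits, as documented in Microsoft's ADS_USER_FLAG enumeration
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained Kerberos delegation
DONT_REQ_PREAUTH = 0x400000         # no Kerberos pre-auth: AS-REP roastable

RISKY_FLAGS = {
    DONT_REQ_PREAUTH: ("high", "Kerberos pre-authentication disabled"),
    TRUSTED_FOR_DELEGATION: ("high", "unconstrained delegation enabled"),
    PASSWD_NOTREQD: ("high", "password not required"),
    DONT_EXPIRE_PASSWORD: ("medium", "password never expires"),
}
PRIVILEGED_GROUPS = ("Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins")


def diff_snapshots(before: dict, after: dict) -> list:
    """Alerts (severity, message) for changes between two directory snapshots."""
    alerts = []
    for group in PRIVILEGED_GROUPS:
        old = set(before["groups"].get(group, ()))
        new = set(after["groups"].get(group, ()))
        for member in sorted(new - old):
            alerts.append(("critical", f"{member} added to {group}"))
        for member in sorted(old - new):
            alerts.append(("info", f"{member} removed from {group}"))
    for name, acct in after["users"].items():
        prev = before["users"].get(name, {})
        old_uac = prev.get("userAccountControl", 0)
        new_uac = acct.get("userAccountControl", 0)
        for bit, (severity, why) in RISKY_FLAGS.items():
            if new_uac & bit and not old_uac & bit:
                alerts.append((severity, f"{name}: {why}"))
        # sIDHistory is a migration attribute; a value appearing outside a
        # migration is a classic way to inject privileges or persist.
        old_hist = set(prev.get("sIDHistory", ()))
        new_hist = set(acct.get("sIDHistory", ()))
        for sid in sorted(new_hist - old_hist):
            alerts.append(("critical", f"{name}: sIDHistory gained {sid}"))
    return alerts


def posture(snapshot: dict) -> list:
    """Point-in-time findings (account, weakness) independent of any change."""
    privileged = set()
    for group in PRIVILEGED_GROUPS:
        privileged.update(snapshot["groups"].get(group, ()))
    findings = []
    for name in sorted(privileged):
        uac = snapshot["users"].get(name, {}).get("userAccountControl", 0)
        for bit, (_, why) in RISKY_FLAGS.items():
            if uac & bit:
                findings.append((name, why))
    # adminCount=1 on an account no longer in a privileged group means it still
    # carries the AdminSDHolder ACL and escapes inheritance: stale, and a
    # signal the account was once privileged.
    for name, acct in sorted(snapshot["users"].items()):
        if acct.get("adminCount") == 1 and name not in privileged:
            findings.append((name, "stale adminCount=1"))
    return findings


NORMAL = 0x200   # NORMAL_ACCOUNT

# Constructed snapshots: yesterday's and today's state of the same domain.
BEFORE = {
    "groups": {"Domain Admins": ["Administrator", "svc_backup"]},
    "users": {
        "Administrator": {"userAccountControl": NORMAL | DONT_EXPIRE_PASSWORD, "adminCount": 1, "sIDHistory": []},
        "svc_backup": {"userAccountControl": NORMAL | DONT_EXPIRE_PASSWORD, "adminCount": 1, "sIDHistory": []},
        "jsmith": {"userAccountControl": NORMAL, "adminCount": 0, "sIDHistory": []},
        "old_admin": {"userAccountControl": NORMAL, "adminCount": 1, "sIDHistory": []},
    },
}
AFTER = {
    "groups": {"Domain Admins": ["Administrator", "svc_backup", "jsmith"]},
    "users": {
        "Administrator": BEFORE["users"]["Administrator"],
        "svc_backup": BEFORE["users"]["svc_backup"],
        "jsmith": {"userAccountControl": NORMAL | DONT_REQ_PREAUTH, "adminCount": 0, "sIDHistory": []},
        "old_admin": {"userAccountControl": NORMAL, "adminCount": 1,
                      "sIDHistory": ["S-1-5-21-1004336348-1177238915-682003330-512"]},  # constructed SID
    },
}

if __name__ == "__main__":
    for severity, message in diff_snapshots(BEFORE, AFTER):
        print(f"[{severity}] {message}")
    for account, weakness in posture(AFTER):
        print(f"posture: {account}: {weakness}")
```

Run against each new snapshot, the diff is what feeds the SOC (a new Domain Admin, pre-authentication switched off on that same account, and a SID injected into sIDHistory all surface on the first run), while the posture list is the kind of point-in-time view that lends itself to the monthly KPI reporting described in the key results. Both deliberately read only attributes every domain already exposes, so the check can be run without agents.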

KEY RESULTS

• A reduction in the number of critical and high exposures within AD.
• Trail Flow alerts sent to the SOC for continuous actioning.
• Monthly reporting on the security state of AD as part of IT KPIs.

'Alsid is the answer to the two questions every CISO should be constantly asking: "Are my domains adequately secured? How can I independently prove it?"' says Jamie Rossato, Vice President, Information Technology and Cyber Security at Orica. •

COVID-19 and the introduction of e-voting

BY DAVID BRAUE

Security issues and intensified cybercriminal activity continue to threaten one of digital government’s most obvious use cases.

In a year of global turmoil that will conclude with the world's most closely watched election, long-spurned electronic voting (e-voting) is back on the table as governments try to figure out how to conduct a fair and free election while respecting social distancing rules.

Late last year, Lithuania shelved plans for e-voting, following the lead of countries like Canada, Germany and others. But in June, authorities revived the idea after legislative changes from a government eager to explore alternatives in the face of the COVID-19 pandemic. Yet, it didn't take long before it became clear that security issues prevented a rapid rollout of e-voting.

'E-voting should be safe and trustworthy so that nobody has doubts over election results,' Lithuania's Justice Minister Elvinas Jankevičius says. 'Therefore, it is important to consult cyber security experts while creating and introducing such a system, and testing and trialling this method.'

Jankevičius estimates that procuring technology, and creating and testing a new system, could take 18 to 24 months, meaning that e-voting won't be used for the country's general elections in October. But the country's President, Gitanas Nausėda, has supported its staged introduction, first for Lithuanians living outside the country and later for municipal elections, referenda and other extraordinary events.

In Australia, scrutiny of e-voting has been high, and the Australian Capital Territory has been the only local jurisdiction regularly using e-voting. The system has been carefully managed and runs at polling stations rather than being made available to voters over the internet.

Given that e-voting as a technology problem has been solved dozens of times in the past 20 years, ongoing scepticism about its integrity speaks volumes about the magnitude of the procedural challenge that e-voting presents. All these years later, authorities still prefer paper-based ballots whose many insecurities have long fuelled controversy around ballot stuffing, 'hanging chads' and other malfeasance.

THE COVID ELECTION

With many countries having put e-voting on the backburner a decade or more ago, its re-emergence comes as government authorities consider how to keep democracy's most basic mechanisms functioning in a time when large gatherings – including at polling stations or elsewhere – have become unadvisable or even illegal.

Efforts to position mail-in voting as an alternative in the United States, where concerns about virus transmission have presaged major disruptions for November's presidential and congressional elections, have seen President Donald Trump warning – erroneously, experts say – that mail-in voting paves the way for political manipulation.

With widespread concern about potential voter fraud and manipulation by external parties, cyber security experts have called for heightened efforts to ensure the integrity of voter rolls, with US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency Senior Advisor Matt Masterson noting that absentee voting and mail-in ballots 'shift the risk towards voter registration data security'.

That risk proved problematic in cases such as the 2016 presidential election – when Russian hackers accessed Illinois state records on 76,000 voters – and more recently when a new $157-million (US$107-million) e-voting system threw up so many issues that authorities worry it won't be ready for the November elections.

This year 'was always going to be a challenging year for [election officials] with the preparations they were making to secure their systems', Masterson says. 'And then you introduce a pandemic into it.'

SECURING THE SYSTEMS

Yet, technology has enabled such dramatic transformation within governments that e-voting seems like an obvious step forward. After all, if we can work securely from home, we should be able to vote securely online, right?

Sadly, that's not the case, with a recent review of Democracy Live's OmniBallot web-based voting platform – recently adopted for certain elections by three US states – providing a textbook example of why e-voting remains a cyber security nightmare.

The system, university security researchers conclude, 'uses a simplistic approach to internet voting that is vulnerable to vote manipulation by malware on the voter's device, and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare'. Sensitive details about voters, and their ballot choices, are regularly transmitted back to Democracy Live – a move that the analysis said was 'an unnecessary security risk that jeopardises the secret ballot'.

Their scathing conclusion was simple: 'Using OmniBallot for electronic ballot return represents a severe risk to election security, and could allow attackers to alter election results without detection. Without greater technical transparency and analysis, voters and election officials will be unable to accurately weigh the trade-offs between risk and access'.

Similar concerns emerged in an analysis of Estonia's e-voting system – which has been used for years to facilitate online voting but has 'staggering gaps in procedural and operational security', security analysts from the University of Michigan and the Open Rights Group found. 'The architecture of the system leaves it open to cyber attacks from foreign powers, such as Russia,' the team concludes, noting that 'these attacks could alter votes or leave election outcomes in dispute... we urgently recommend that Estonia discontinues the use of the system'.

RISK VERSUS ACCESS

Trade-offs have long defined e-voting's ongoing narrative, with countless software developers claiming to have solved problems of data security, anonymity and system integrity – and myriad security researchers proving them wrong time and again.

Simply providing the source code of e-voting systems – a measure supported by some governments as a gesture of transparency – is not enough. Swiss Post discovered this after recently opening its planned Scytl e-voting system to the public for scrutiny – and having three critical vulnerabilities flagged by a team of researchers, including University of Melbourne security expert Associate Professor Vanessa Teague, who warned they could let votes be manipulated without detection.

Peer review of proposed e-voting systems has produced a robust body of work that has normalised their testing against prescribed standards, such as the EU recommendations on e-voting, the US Voluntary Voting System Guidelines, and other methods developed by the US Federal Election Commission. Technical efforts, such as a framework by Italian security researchers Prandini and Ramilli, sought to split the difference between the two and 'prune the excess of generality that comes with' previous guidelines.

Yet, no matter the testing guidelines, e-voting systems are likely to fall short without an early emphasis on security being built in by design from day one of the software development effort. In contemporary terms, this means embracing DevSecOps methodologies – which manage the interplay between security and operational resources – yet most companies are still in the early days when it comes to DevSecOps.

Blockchain has been floated by many as a solution, providing procedural security, as well as the necessary immutability, verifiability and ability to make e-voting resistant to undetectable manipulation. These characteristics made the Ethereum blockchain the natural base for SecureVote, an online voting platform intended to facilitate participatory decision-making through the Flux Party, which bills itself as 'Australia's most transparent political party'.

'We discovered that we could, for the first time ever, conduct completely decentralised, scalable elections that were also anonymous,' CEO Nathan Spataro explains. 'Protecting voters' anonymity has been a barrier to mass e-voting, but our proprietary method is able to preserve the identities of the voters while disambiguating them from their votes.'

Despite its promise, however, there are still fewer real-world examples of blockchain's use than proposals that highlight its desirable traits – and analyses that show how it's still coming up short.

MIT security engineers, for example, recently published a damning analysis of the blockchain-based Voatz system, which would verify voters' identities using the phone's facial-recognition tools. 'Given the severity of failings discussed in this paper, the lack of transparency, the risks to voter privacy, and the trivial nature of the attacks, we suggest that any near-future plans to use this app for high-stakes elections be abandoned,' the researchers conclude.

Innovators have seemingly solved e-voting's problems many times over, but each new solution has fallen at the hands of determined security analysis. And that's not even considering potential external threats, such as the massive distributed denial-of-service attack that took Australia's 2016 online census offline. A similar attack on a mainstream election would be just one of myriad potential interruptions that could threaten the legitimacy of any full-blown online vote.

Given recurring deficiencies in solutions to date, it's clear that blockchain won't automatically fix e-voting any more than past technologies. That is likely to keep e-voting as a laggard in the push towards digital government, leaving elections to be conducted with the usual high scrutiny, fervent debate and fierce challenges. Without dramatic change of the voting system, these issues are likely to persist long after improving security technology has revolutionised every other part of government. •

CONTENT PROVIDED BY AUSCERT

AusCERT at the forefront of cyber security

AS A NOT-FOR-PROFIT security group based at The University of Queensland (UQ), AusCERT delivers 24-hour service to its members alongside a range of comprehensive tools to strengthen their cyber security strategy.

The Department of Home Affairs released its report on Australia’s 2020 Cyber Security Strategy recently, and AusCERT is very proud to have been involved in the consultation process late last year. The report was structured around a framework with five key pillars – all aligned to AusCERT’s core values:

1. DETERRENCE
Any infrastructure reported by AusCERT members that proves to be malicious will be subject to persistent and escalated take-down notices.

2. PREVENTION
The initiative of providing indicators of vulnerability (IoVs), indicators of compromise (IoCs), security advisories, and bulletins provides strong proactive and preventive information.

3. DETECTION
Bi-directional threat intelligence gathering through open-source platforms where members are given real-time intel that helps to automatically detect and block potential attacks.

4. RESILIENCE
AusCERT partakes and assists in organising Asia-Pacific regional cyber drills, as well as providing training to members to maintain cyber security awareness as front of mind.

5. INVESTMENT
AusCERT reinvests all membership proceeds into service deliveries, improvements and the building of our membership cyber security capabilities.

Clear benefits for members

AusCERT leverages the resources provided by its membership base and UQ. Its reach with international CERTs, as well as other Australian organisations, increases the effectiveness of its action for malicious infrastructure take-downs and abuse advisory. This international cooperation enables an internationally recognised norm of incident response.

Trusted services, nationally and internationally
AusCERT, as a trusted entity in cyber security, is handed information on incidents and vulnerabilities from national and international sources.

AusCERT members practise cyber security at home and at work
With the increase in remote working, AusCERT assists our members regardless of the physical location of their work.

AusCERT is a cyber security incident response team exemplar
AusCERT takes incident response seriously and trains its staff to be able to handle incidents whenever they arise. Staff are encouraged to attain industry certification, which is then reinvested back to members in the form of advice publication, blog articles and educational events, such as webinars. Additionally, IoVs and IoCs are streamed to members on a daily basis, thus keeping members aware of vulnerabilities, leaked credentials and misconfigurations, as well as the availability of remedial advice.

Cyber risks are owned by those best positioned to manage them
Assistance in establishing risk assessment, as well as an incident response plan, is covered through AusCERT education, where an understanding of these concepts allows for efficient use of resources in preventing, mitigating the transfer of, or avoiding cyber risks.

The cyber security landscape is ever-changing, and AusCERT is passionate about engaging with members to empower their people, capabilities and capacities. •

The changing role of the CISO

Amid the new steady state, CISOs must find new ways to think strategically, reports David Braue.

For many chief information security officers (CISOs), relationships with other executives have long been fraught with challenges around responsibilities, reporting issues and strategic priorities. But as the myriad challenges of COVID-19 flatten management structures and force executives to work together in new ways, the role of the CISO is up in the air – and with the right approach, it could work out for the better.

Changes in remote work have surfaced technological issues for every employee, putting additional pressure on CISOs to deliver adequate supporting infrastructure – and on CISOs to ensure that security is maintained throughout.

Anecdotal reports suggest that remote-worker security has trumped all other strategic concerns, with big projects postponed indefinitely, and many CISOs looking for quick wins, such as implementing two-factor authentication, getting patching up to speed, or reviewing VPN and other edge security strategies given the explosion in remote endpoints.

Maintaining continuity through this environment may require adjustments to standard operating procedures – for example, imposing restrictive whitelisting to limit exposure to non-core applications and services, or scaling technical support capabilities to ensure responsiveness to the inevitable deluge of forgotten passwords, technical issues, and remote-access challenges.

Yet, logistical issues are only part of the challenge for CISOs who, as noted by KPMG technology advisory partner Benny Bogaerts recently, ‘have vital roles in making sure the organisation can function as pandemic containment measures are implemented’.

That includes liaising with supply chain partners, outsourcing suppliers and other parties to ensure that their COVID response also maintains enough security to cope with the rising tide of cybercriminal activity.

As CISO, you should also be working with other internal management to ensure that scalable infrastructure is available to maintain data security and business continuity even in the event of COVID-inspired evacuations or deep cleans of key facilities.

THE NEW STEADY STATE

Ryan Weeks, CISO with business continuity consultancy Datto, recognised early on that everything would be different during COVID-19. He assembled his team for some brainstorming and ‘quick sanity checks’ in areas such as remote access infrastructure, a review of available bandwidth and software licences, ‘and all those sorts of things we had to do to make sure that users had a good experience’.

‘We had to move really quickly to think about how to adapt this campus, on-premises-centric set of security controls to work from home,’ he explains. ‘And I think that’s going to be the new norm going forward; the new steady state will see most companies having a very large proportion of their users that will never return to an office.’

As a consequence of this change, an effective endpoint management program ‘is going to become table stakes for a mature security program’.

Weeks adds, ‘If we want to continue to keep this safe, we need to adapt the way we think about the control stack. A lot of the things we’ve been hinting at in the past as being good ideas have really become quite mandatory at this point’.

Providing that security isn’t only about technology, it will be important to plan for issues such as the sudden departure of key staff to maintain your security governance throughout the pandemic. This means clearly delineating staff responsibilities and developing backup plans in the event that one or more members of your security team – or even you – needs to isolate due to an infection.

Established on-call rosters mean many security teams are already geared for remote support, but with staff availability fluid at the moment, there’s no better time to ensure that everything is up to scratch. As COVID-19 has shown over and over again, Murphy’s Law applies – and it’s crucial that your security planning accounts for this.

THE STATE OF THE CISO

With so much to react to this year, it’s instructive to step back to before the pandemic hit when Cisco’s 2020 CISO Benchmark Report was released – the latest iteration of the company’s multinational survey of 2800 CISOs worldwide.

Even then, surveyed CISOs were citing the challenges of maintaining security and visibility while working to support changing environments within tight budget constraints and a multitude of stakeholders.

Notably, 89 per cent of respondents said that they had successfully worked with the executive team to clarify security roles and responsibilities – a strong vote of confidence in relationships that will have been stress tested when COVID-19 emerged just months later.

Yet, that number – and several other key indicators of the CISO–executive relationship – had declined over the past four years, suggesting that some executives and CISOs feel as though other priorities may be overwhelming previously well-delineated responsibilities.

The effects of shaky relationships can easily spill over during times of intense stress like the COVID-19 pandemic, potentially affecting CISOs’ effectiveness as business units’ competing priorities take precedence over the relationships necessary to span operational silos.

Thirty-six per cent of CISOs said that their latest data breach had impacted operations, while brand reputation (33 per cent), finances (28 per cent), intellectual property (27 per cent), customer retention (27 per cent), supplier relationships (26 per cent), business partnerships (23 per cent), regulatory scrutiny (23 per cent) and legal engagements (18 per cent) were also cited.

Each of these affected areas is managed by different combinations of executives within your company – and as CISO, one way to get ahead of a potential COVID interruption is to reach out to those executives early on, and collaboratively develop response plans to minimise the potential effect of any cyber incident during this challenging time.

CEMENTING THE CISO’S ROLE IN THE NEW BUSINESS

Reaching out to business units is likely to pay off in other ways, with CISOs increasingly being recognised as subject matter experts by business leaders who are being forced to digitally transform by COVID-19 whether they like it or not.

With line-of-business leaders working hard to transition conventional products to their digital equivalents, Weeks says CISOs will become ‘first responders’ whose expertise will come to be seen as an enabler rather than a blocker, as was often the case in the past.

‘I think CISOs are going to increasingly become involved in product conversations, and how businesses adapt their products and services to be secure in this new landscape and the threat landscape that comes with that.’

That change in attitude will not only do wonders for CISOs’ standing, but may also help to loosen the corporate purse strings as recession-hit business leaders push to cut spending anywhere they can.

Indeed, more than 70 per cent of CISOs responding to a recent McKinsey survey said that they expect budgets for fiscal 2021 to shrink after the economic desolation of 2020.

This has already had direct impacts on security leaders’ planned scope of work, with McKinsey reporting clients diverting funding for a security automation project to bolster multi-factor authentication; another putting off cyber ‘war games’ to speed the rollout of a VPN; and a financial services company that redirected funding for ‘red team’ security exercises to patching remote-work applications.

While the reallocation of funding may prove challenging in the short term, it’s important to reframe the need for previously stalled projects within the context of the post-COVID-19 organisation. As always, CISOs will be facing the pressure to do more with less – but with the right approach, their heightened profile may make it easier than ever to become real agents for organisational change. •

Crime prevention through environmental design

BY SIMON HENSWORTH

Practical examples of how embedding security into an environment facilitates better safety.

The design and layout of a building or space can contribute greatly to the safety and security of people and assets in and around that space. It can also contribute to the occupant’s/user’s perception of their own safety, freeing them from fear and encouraging them to use the space.

Crime Prevention Through Environmental Design (CPTED) is based on embedding safety/security into the built environment. CPTED suggests that opportunities for crime can be reduced by maximising opportunities for natural surveillance, natural access control and territorial reinforcement. This is best achieved if included during the early design stage.

Over many years of providing security consultancy services for clients, I have noted many great examples of how better safety and security has been achieved by embedding security into the built environment.

NATURAL SURVEILLANCE

Criminals or illegitimate users of a space generally do not want to be seen. Being seen leads to being reported or challenged, and increases the likelihood of apprehension. Enhancing natural surveillance opportunities in a space elevates people’s perception that they will be seen by others in that space. The effect of this is that legitimate users of the space feel safer, while criminals/offenders feel more at risk of exposure or detection.

There have been many examples during past projects where natural surveillance has been enhanced either during the design stage or following an inspection/review of an existing space.

One example was a local park where crime and unwanted behaviour, including graffiti, arson, motorcycle hooning, breaking and entering, et cetera, were a common occurrence. This activity was contributing to a negative safety perception of the park, which deterred residents from entering the area. One of the key issues at this location was dense vegetation around the perimeter of the space, which obscured visibility into the area from surrounding houses. While there were many potential witnesses available to report unwanted behaviour, they were unaware of the behaviour at the time as it was occurring due to poor natural surveillance.

Following a review of the space, recommendations were made to improve natural surveillance by thinning out the vegetation around the perimeter, clearing some internal areas of thick vegetation and introducing activity generators in the park to encourage use by local residents. These recommendations were carried out by the local council, and the park was transformed into a space that local residents were drawn to, which nearly completely mitigated the previous unwanted behaviour. Since this project was completed, the same council has transformed other parks in its local area in the same way with equal success.

Other measures that have assisted in improving natural surveillance during the design stage of projects have included:
- strategically placed windows on the building envelope to provide the perception of surveillance in areas vulnerable to graffiti
- identification of obstacles to natural surveillance and removal of these through design changes
- review of planned tree types and locations to assess if they obscure sightlines and CCTV surveillance at the design stage, and either relocation of these or selection of alternatives that do not obscure surveillance.

NATURAL ACCESS CONTROL

Criminals or illegitimate users of a space generally want freedom of movement so that they can approach their target from the best vantage point and escape via numerous possible directions when required. Natural access control, which uses the built and/or natural environment to assist in controlling access, can assist in deterring crime and unwanted behaviours.

There have been numerous projects where a review at the early design stage was successful in identifying features that provided opportunities for the space to be used for dangerous behaviour. These included design elements at a transport hub that would have been attractive to skateboarders, or to vandals to gain access to upper floors of structures. This activity would have put the offenders at risk of life-threatening falls. These design elements were omitted from the design through some simple changes, thereby mitigating these risks.

Other measures that have assisted in improving natural access control during the design stage of projects have included:
- identifying climb points that could allow burglars access to the roof of a building
- omitting unnecessary underpasses that may be used as a movement predictor to entrap victims
- the use of design features that assist in preventing unauthorised access by vehicles or for vehicle-as-a-weapon attacks.

TERRITORIAL REINFORCEMENT

Criminals or illegitimate users of space often gravitate to areas where there are no strict rules or enforcers of rules. If there are no clear rules in a space, and nobody to reinforce them, offenders feel more confident that their behaviour will go unchallenged.

There have been many examples during projects where territorial reinforcement has been enhanced either during the design stage or following an inspection of an existing space. These have included:
- incorporating perimeter and warning signage (such as warning of CCTV and alarm systems) to reinforce clear border definition and provide an early deterrent
- introducing activity generators into spaces to encourage ownership of space by legitimate users
- assessing designs to identify transitional zones, including public zones, semi-private zones and private zones
- ensuring that semi-private zones sit in between public and private zones to assist in raising the risk perceived by would-be offenders
- identification of landscaping materials that can be used as tools/weapons/missiles and omitting these from the design, or removal from an existing site.

The International CPTED Association is the leading global authority in CPTED, and is a great source for further information and resources.

An early minor investment to ensure that CPTED issues are considered during the design stage of a building or space can improve safety and quality of life for the occupants/users, minimise loss, and provide significant savings in the life cycle cost involved with the management of a space. •

Before undertaking any activity related to this article, it is recommended you consult a licensed security professional.

Simon Hensworth is a Security Consultant with Security Consulting Group (SCG). Contact Hensworth at [email protected].

CONTENT PROVIDED BY PROGRESS SOFTWARE

Secure file transfers when it matters most

THE CHALLENGE After the acquisition of Bibby Financial Services’ Australian and New Zealand offices, Scottish Pacific Business Finance (ScotPac) had the daunting task of juggling different systems of file transfer from the two companies and the massive volumes of sensitive information passing through its systems daily. With ever- increasing cyberthreats, ScotPac could not afford to have a data breach that might affect their customers negatively, ruining the rapport that it has built up over the years.

THE SOLUTION ScotPac had been using the award-winning MOVEit software across its offices globally. During the consolidation process of the acquisition, ScotPac decided to extend the use of MOVEit to all eight of its offices. ‘With the different systems we had in place, the degree of human error due to the manual processes was high. But with MOVEit, we finally had a single tool that could deal with all the disparate systems. This made the processes much simpler for us and ensured that our data was always secure,’ says Nick McAvoy, Head of Technology and Systems at ScotPac. ScotPac deals with a lot of sensitive information, including credit scorings, which the company has to regularly share with banks.

‘Our systems contain large amounts of sensitive data protected by a firewall in our internal system, which requires authentication in order to access it. While the files are well protected within the system, they lacked the same protection while being transferred, increasing their vulnerabilities,’ adds McAvoy.

MOVEit helps companies to exchange critical data with external parties, ensuring that it is delivered to the intended recipients safely while allowing ScotPac to track its trail. Furthermore, MOVEit Automation streamlines the process further by enabling users to automate without requiring any programming knowledge. MOVEit Automation also comes with Pretty Good Privacy security that simplifies encryption and decryption of the files, as well as ongoing key management.

‘The focus of our business is the service to our clients, which means that any improvements that can be made to our business processes are highly welcomed,’ McAvoy highlights. ‘MOVEit does just that to speed up our business processes.’

POST IMPLEMENTATION: EASE OF USE There was no inertia when it came to incorporating the system into ScotPac’s daily activities. MOVEit Automation allows employees across the globe to use the service daily without having to take any extra steps to ensure its security.

Setting up and selecting the system was an easy task for ScotPac thanks to DNA Connect, Progress’s Authorised Partner in Australia and New Zealand. ‘Working with DNA Connect to incorporate MOVEit into our system has been so easy,’ says McAvoy. ‘We haven’t had the need to contact DNA Connect until now as the system is so easy to use, and leveraging its benefits has been straightforward.’ •


National security or privacy?

BY MICHAEL TROVATO, MANAGING DIRECTOR AND LEAD SECURITY ADVISOR, INFORMATION INTEGRITY SOLUTIONS AND AISA BOARD MEMBER; CHONG SHAO, SENIOR CONSULTANT, INFORMATION INTEGRITY SOLUTIONS; AND SARAH BAKAR, ASSISTANT CONSULTANT, INFORMATION INTEGRITY SOLUTIONS

The 4A framework: stronger protections for stronger powers.

A perennial conflict in the technology and policy space is the apparent trade-off between privacy and security. The issue has resurfaced in Australia in the law enforcement and national security space. My views are coloured by the impacts of 9/11. I was in New York that day – my country, city and industry were attacked by a truly malevolent extremist organisation, and I believe threats like those must be a priority. Can we do that and still preserve the freedoms we all need?

During a recent parliamentary inquiry into the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (the TOLA Act) – which allows security agencies to compel tech companies to decrypt information – the Australian Security and Intelligence Organisation (ASIO) Director-General Mike Burgess revealed that ASIO has only issued voluntary requests for assistance, and it has not had to use the compulsory powers under the Act.[1] Burgess stated that the agency’s preference is to work with industry partners, although it has ‘come close’ to issuing a compulsory notice, and that the treatment environment ‘remains complex, challenging and changing’.

Australian Signals Directorate (ASD) Director-General Rachel Noble shares this sentiment. In her recent speech to the National Security College, she defended the need for secrecy in ASD’s operations because authorities are in a ‘near impossible game’ to keep Australia safe and ‘the threat to our way of life is more real today than at any time I have known in my career’.[2] This speech was made not long after Minister for Home Affairs Peter Dutton confirmed that the powers of the ASD will be expanded to enable the targeting of serious criminal activity within Australia as part of the government’s new cyber security strategy.[3]

In light of proposals to give agencies more intrusive powers in the name of preserving national security while claiming the mantle of operational secrecy, it is even more important that this is matched with countervailing safeguards.

Fortunately, we have a well-established approach – which is known in the Office of the Australian Information Commissioner as the 4A framework[4] – that has resolved such difficult issues in the past. Here’s how we can do it again today.

4A FRAMEWORK

Analysis

The first thing we need to get right is analysis. This involves a series of steps:
1. Define the problem, taking care to be calm, objective and frame it in the right way.
2. Be clear about the values that you would like to preserve and uphold – for example, respect for individuals, due process, et cetera.
3. Choose the most suitable option with the least privacy impact on balance – for example, confirming 18 years of age and older (rather than collecting everything on the ID card), introducing a sunset clause to enabling legislation, establishing a reasonable cause requirement, et cetera.
4. Ensure that you are conducting the analysis while keeping in mind the other As, as well.

Analysis should be an iterative process. For law enforcement and national security powers that have the potential to significantly intrude on privacy, analysis should encompass public consultations and parliamentary scrutiny.

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) played an important role in halting the government’s proposal to expand the use of facial recognition by law enforcement agencies. In its review of the Identity-matching Services Bill 2019, the PJCIS unanimously found that there were insufficient privacy and transparency safeguards in the Bill, and took the uncommon step of requesting that it be redrafted.[5]

Authority

Next, we need the right authority for law enforcement and national security agencies to do their job properly. As with everything, there needs to be a careful balance. Where privacy is likely to be affected, the power should be granted expressly by legislation setting out in objective terms what kinds of information can be collected, for how long, and in what circumstances.

The enactment of the TOLA Act is a welcome step in ensuring that agencies have the authority to gain access to encrypted information. A subsequent review of the legislation by the Independent National Security Legislation Monitor (INSLM) recommended that the two most intrusive powers be authorised by an independent body (a separate arm of the Administrative Appeals Tribunal headed by a retired judge); however, Burgess considered that the existing approval process was adequate.[6] This is a fine point of judgment that is very controversial given the new powers that the agencies are seeking.

1. https://www.smh.com.au/politics/federal/encryption-powers-not-used-by-asio-afp-as-tech-companies-volunteer-help-20200807-p55jhl.html
2. https://www.asd.gov.au/publication/speech-transparently-secret-asd
3. https://www.theguardian.com/australia-news/2020/aug/06/peter-dutton-confirms-australia-could-spy-on-its-own-citizens-under-cybersecurity-plan
4. https://www.ag.gov.au/sites/default/files/2020-05/Office%20of%20the%20Australian%20Information%20Commissioner%20Annexure%20A.PDF
5. https://www.itnews.com.au/news/govt-told-to-rewrite-facial-recognition-bills-532885
6. https://www.smh.com.au/politics/federal/encryption-powers-not-used-by-asio-afp-as-tech-companies-volunteer-help-20200807-p55jhl.html

Accountability

The third thing we need to get right is accountability: making sure that power is, and is seen to be, exercised in the right way. This is especially important in the law enforcement and national security space – their considerable powers are frequently exercised in a corrosive environment, in difficult situations, and against vile people. As Noble put it, 'Not all Australians are the good guys'.⁷ In such a context, misuse and abuse of authority can and does happen – no-one is infallible.

We already have laws and institutions that provide for accountability mechanisms, such as access to information, prohibition on classifying or withholding information about violations of law, whistleblower protection, and monitoring and review of power-wielding agencies. The real challenge is to ensure that in practice, our accountability bodies are able to function effectively now and in the future. This requires that:

1. they have the necessary scope to operate, enshrined in legislation. No agency or activity should escape scrutiny, and there should be strong powers of evidence gathering
2. they are allowed to operate without undue political or outside influence
3. we must provide them with sufficient resources in order for them to do their job effectively. Having all the legal mandate in the world is useless without the money and personnel to carry it out.

In the national security space, the Inspector-General of Intelligence and Security (IGIS) is the independent statutory office holder charged with reviewing the activities of the major Commonwealth intelligence agencies, including ASIO and the ASD. Despite the IGIS's clear remit, however, there appear to be ongoing challenges with its ability to carry out its extensive responsibilities. One major issue is that of resourcing. Outgoing Inspector-General Margaret Stone recently told the PJCIS that her office required five additional personnel to meet the workload that has arisen out of the TOLA Act.⁸ Furthermore, she agreed with one senator's summary that the office cannot sustain the demand of its current legislative oversight roles. A consequence is that the extent to which the IGIS can effectively exercise oversight over the relevant agencies is being questioned. The IGIS recently investigated complaints by a former intelligence officer (Witness J) against his former employer and cleared the agency of wrongdoing. Witness J rejected this finding and claimed that '[IGIS] was not taken seriously when I was in the agency…'.⁹

The IGIS plays a crucial role in holding national security agencies accountable. There are proposals to expand its oversight even further to cover four additional agencies, including the Australian Federal Police and the Department of Home Affairs; however, the accountability of these agencies will be significantly weakened unless lawmakers do more to secure the power and resources for the IGIS to do its job.

Appraisal

Finally, as we have seen, technology changes, the threat landscape changes, and powers become stronger. Hence, the last of the 4As: appraisal. We need to monitor the new measures and evaluate whether they are working as expected. We need to ask whether the circumstances have changed, which circles back to an analysis of what needs to be done about it.

A good example of appraisal taking place is the recent inquiry by the PJCIS into the TOLA Act. Companies and civil society groups have voiced a number of concerns, and it has been reported that none are likely to be in favour of the anti-encryption laws.¹⁰ The PJCIS's report – which will be informed by the INSLM report – will likely make recommendations that rebalance privacy and security considerations, and address the issues that have arisen in the TOLA Act's first two years of operation.

Give me privacy, or give me security? Let's all move beyond this false dichotomy and have a conversation based on facts, sound judgment and an appreciation of our past successes. •

7. https://www.asd.gov.au/publication/speech-transparently-secret-asd
8. https://www.zdnet.com/article/igis-still-calling-for-more-staff-to-provide-oversight-of-asios-encryption-busting-powers/
9. https://www.abc.net.au/news/2020-09-01/witness-j-mental-health-neglect-spy-watchdog-inspector-general/12611580
10. https://www.innovationaus.com/encryption-inquiry-is-out-of-hibernation/

CYBER SECURITY TECHNICAL + GOVERNANCE SKILLS

General IT degrees are not enough. We teach advanced content so that you can unlock your potential and work from anywhere, on your terms. Learn the skills you need to protect your assets in a data-driven future.

Make tomorrow better

scieng.curtin.edu.au/study/postgraduate/ scieng.curtin.edu.au/study/undergraduate/

CONTENT PROVIDED BY BELDEN SINGAPORE

Industrial cyber security for the 2020s

DO YOU HAVE visibility into the assets that are on your industrial network? Do you know what vulnerabilities exist on those assets? This problem is compounded as more and more organisations – driven by the need to stay competitive and drive more efficiencies – are converging IT and operational technology (OT). They are also increasing the complexity of previously isolated industrial control system (ICS) networks. This digital evolution, coupled with the explosive growth of Industrial Internet of Things (IIoT) devices, leaves industrial networks that support critical infrastructure systems vulnerable to cyber attacks.

Industrial organisations must focus on gaining visibility into the cyber risks presented by connected OT on the plant floor that could threaten safety, productivity and quality, which are of paramount importance for any industrial organisation. But the legacy technology at the heart of most industrial environments isn't properly secured, making them a growing target for cybercriminals' evolving tactics. 'Security through obscurity' is no longer an option.

Tripwire provides deep visibility through a comprehensive suite of highly integrated products to detect ICS cyber threats and breaches, prevent future incidents by discovering and prioritising risks, and facilitate continuous monitoring to help keep your security program on track.

The vast majority of ICS threats can be prevented by foundational controls and the corresponding processes wrapped around them. Tripwire's industrial solutions bridge the IT–OT gap to let you see, secure and monitor your entire organisation at once, turning raw ICS data into actionable information. Its large ecosystem of technology integrations and vendor-agnostic solutions gives ICS operators plenty of freedom of choice in the selection of automation systems that are best for their business. Tripwire provides in-depth device visibility for OT networks; enables effective, real-time management of a full range of operational and cyber risks; and as a Belden company, it benefits from decades of experience providing solutions for industrial use cases.

Tripwire is the trusted cyber security leader for the world's leading organisations against the most damaging cyber attacks, keeping pace with rapidly changing technology complexities to defend against ever-evolving threats for more than 20 years.

On site and in the cloud, Tripwire's solutions find, monitor and mitigate risks to organisations' digital infrastructure – all without disrupting day-to-day operations or productivity. Think of Tripwire as the invisible line that keeps systems safe. With a portfolio built on maintaining the most critical cyber security practices at the highest standards, Tripwire delivers the technology and expertise to stay on top of unauthorised changes, vulnerabilities and drifts outside of your security policy. Known and trusted, Tripwire keeps complex digital systems protected in a world of unknowns. •

Prevent breaches, detect changes and respond to incidents


ALL NODES LEAD TO TRIPWIRE


tripwire.com | The State of Security: Stories. Trends. Insights  tripwire.com/blog


Transforming Victoria's transport telecommunications network

BY BRUCE MOORE

A major transformation of Victoria’s rail transport telecommunications infrastructure will deliver a network that is safer, more efficient and more resilient against the increasing threat of cyber attack.

VicTrack owns Victoria's transport land, assets and infrastructure, including a telecommunications infrastructure portfolio valued at more than $3 billion, on behalf of the state government.

Although they may not always realise it, commuters come into contact with VicTrack's telecommunications infrastructure every time they travel. The network supports services from signalling, driver communications, public information displays and myki ticketing. It also keeps train passengers connected throughout their journey. Maintaining the network is critical to the safe and reliable operation of public transport and rail freight across Victoria.

The network's importance is recognised in Victorian Government legislation, which designates it as 'vital critical infrastructure', signifying that it is of state significance and critical to the continuity of the supply of essential services to the state, and to the overall economic and social wellbeing of Victorians.

While the existing network of fibre cables and radio towers has served Victorians well over many years, it is coming under pressure from ageing equipment, population growth and cyber security risk. It's time for a major network transformation.

TRANSFORMING THE NETWORK

Around two-thirds of the fixed transmission network is ageing. Over time, it will become increasingly difficult and expensive to maintain as equipment reaches end of service. Ageing hardware and software can also become vulnerable to cyber attack, a growing global problem. As cybercriminals become more active and more sophisticated in their methods, security must remain front of mind for telecommunications operators.

At the same time, Victoria's population boom is increasing passenger demand for rail transport services, and is placing more pressure on existing infrastructure. To help meet this growth in demand, the Victorian Government has invested heavily in new rail transport projects, including the Metro Tunnel and the introduction of High Capacity Metro Trains, which will require state-of-the-art high-capacity signalling technology.

Our telecommunications clients and the travelling public need a modern and resilient network that is secure and reliable, and also capable of adapting as new technologies emerge. That's why we're building the Transport and Government Secure Network (TGSN).

The TGSN is a fixed statewide telecommunications network. It will eventually connect 344 railway stations and other sites within the rail corridor across Victoria. Rollout of the TGSN is already underway, with full implementation taking place over the next three years.

This $69-million investment is our largest ever telecommunications project. Existing telecommunications infrastructure is being replaced with next-generation technology to meet the rapidly expanding telecommunications needs of transport operators, government agencies and customers, and to ensure that the network remains fit for purpose for the long haul. The TGSN will support the rollout of High Capacity Signalling technology, and deliver an increase in data capacity and speed.

To safeguard against future redundancy of equipment, the new TGSN network architecture will be modular and scalable, allowing new assets and technologies to be incorporated as required. The new technology will also have in-built security measures that will safeguard it against potential cyber breaches.

Optical Transport Network (OTN) technology is underpinning the new network, making it fast, reliable and secure. OTN, sometimes described as a digital wrapper, allows different services to be carried along optical light paths. It is capable of carrying multiple services for different clients along a single fibre. Effective partitioning of traffic onto dedicated circuits brings a high level of privacy and security. Data is segregated, preventing cross-pollination of customer data, ensuring that any potential breaches are limited.

OTN will provide for integration of the chosen IP/Multiprotocol Label Switching (MPLS) technology, which will result in faster traffic flows across networks, and will simplify and improve network performance. We are using MPLS-to-the-edge technology, which creates more separation of traffic than older VLAN services, where some unwanted overlap of traffic can occur. A range of engineered security solutions from encrypted routing protocols, route engine filtering, and the latest software patching and security updates will further bolster TGSN's security.

We're already installing the TGSN technology, including in new railway station builds as part of the Victorian Government's Level Crossing Removal Project. This is helping to speed up deployment and reduce the costs of retrofitting equipment at the new stations. In addition, we are installing new equipment in existing telecommunications facilities in key locations.

When complete, the TGSN will support rail operators, public safety, mobile broadband and other technologies. It will also improve efficiency in responding to any telecommunications issues. Perhaps most importantly, it will support a faster, more secure and more reliable rail transport system across Victoria. •

Is that really you? Discovering an authentication bypass vulnerability.

In June 2020, Monash University reported a critical vulnerability to Palo Alto Networks, which subsequently issued a Security Advisory rated 10 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. The rare 10 rating was widely reported in the cyber security media, and the United States Cyber Command advised organisations to patch their Palo Alto Networks devices immediately, warning that nation-state sponsored hackers would likely try to exploit the vulnerability.

Monash University Chief Information Security Officer (CISO) and AISA Executive Advisory Board Member Dan Maslin chats with the Monash University team that discovered and reported the vulnerability.

Dan Maslin (DM): First things first – what is Security Assertion Markup Language (SAML), and what is it typically used for?

Salman Khan (SK), Cyber Threat and Vulnerability Specialist, Monash University: SAML is an open standard used for exchanging authentication and authorisation information between identity providers (for example, Okta or Azure AD) and service providers (can be any application; for example, Salesforce or SAP). It is used for performing single sign-on transactions where a user verifies their identity with their identity provider and gets seamless access to applications (service providers) without the need to provide their identity information again.

DM: Ok thanks. I'm oversimplifying, but the vulnerability allowed authentication to be bypassed – what part of the SAML authentication exchange process were you able to bypass?

SK: To answer this question, let me first explain the SAML authentication workflow. The way SAML authentication works is that a user requests a service from a service provider. The service provider requests a SAML assertion (assertion is the message that tells a service provider that a user is signed in), usually by redirecting the user to the identity provider so the user can verify their identity (username, password and 2FA). Upon successful authentication, the identity provider generates a SAML response, which contains an authentication assertion. On the basis of this assertion, the service provider can make an access control decision. The assertion is digitally signed and includes a signature to protect against tampering.

The SAML response is passed to service providers through the user's browser, which, in our case, gave us an opportunity to tamper with the response. Service providers were not verifying signatures, and some were prone to replay attacks. Some implementations checked for a valid signature and matched it to a valid assertion, but did not check for multiple assertions in a response. This meant that we could impersonate any user in the system or, in some cases, bypass authentication altogether.

This is formally known as 'Improper Verification of Cryptographic Signature'. Figure 1 is a generic process diagram and I've written a LinkedIn article with more of a deep dive.

Figure 1 (generic SAML process diagram): (1) user accesses a service; (2) service provider redirects to the identity provider; (3) user "X" authenticates (username, password, MFA); (4) identity provider returns a SAML response for user "X"; (5) in the user's browser, user "X" is modified to user "Y"; (6) login as user "Y".

DM: Being acknowledged as discovering a severity 10 vulnerability is very rare. Tell us a little more about the time leading up to the CVE-2020-2021 public announcement.

SK: We'd been undertaking assurance testing on some of our internal controls. In scope for us were applications using SAML authentication. We quickly discovered that many of the SAML integrations being used were not SAML compliant. We found a few different variations of the vulnerability, and we quickly started engaging vendors and internal teams to fix the vulnerability as soon as possible. The time leading up to the public disclosure was quite busy as we were dealing with external vendors and performing validation testing.

DM: Interesting, so it sounds like a widespread issue.

SK: Yes, our extensive assurance testing covered Monash's 200-plus SAML endpoints. We found 42 integrations to be SAML noncompliant and out of those 20 were vulnerable to at least one of eight variants of authentication bypass. We responsibly disclosed it to all impacted vendors; Palo Alto Networks was the only one

that publicly released an advisory. Along with Palo Alto Networks, we are also not aware of any malicious attempts to exploit these vulnerabilities.

DM: How is a CVSS score calculated, and why was a rating of 10 assigned in this case?

SK: CVSS assigns scores to vulnerabilities on a 10-point scale. The base score is calculated by evaluating eight different matrices. Attack Vector, Attack Complexity, Privileges Required and User Interaction combined describe the exploitability of a vulnerability. Impact is calculated by looking at the Confidentiality, Integrity and Availability. Lastly is Scope, which looks at whether exploiting the vulnerability affects resources beyond the scope of the vulnerable component.

The CVE-2020-2021 vulnerability was highly exploitable, could impact confidentiality, integrity and availability of a system, and exploitation could result in complete ownership of a given system – this is why a CVSS score of 10 was assigned.

DM: How did you go about testing and validating the issues?

SK: I used Burp Suite to test and validate issues, but quickly discovered that decoding Base64 every time I had to look at a SAML response was a lot of work. Looking for automation ideas, I found a Burp Suite extension written by Roland Bischofberger and Emanuel Duss called SAML Raider, which made the process much easier. SAML Raider also includes a certificate manager, which is helpful when manipulating certificates.

DM: Why did you feel that you needed to report this? How did you approach reporting the discovery to various third parties, and did you see varying responses to your disclosure?

SK: It was our responsibility to report this issue. We were running applications where attackers could potentially bypass authentication and impersonate any user in the system. I wanted service providers to fix the issue as soon as possible. We kept it confidential and followed responsible disclosure procedures because it's our professional responsibility to disclose and bring this to the vendors' attention. We were not the only users of the applications in question; some were global vendors with far-reaching consequences for their customers. We first tried to raise the issue with our account managers because many organisations did not have disclosure procedures; and where an organisation had vulnerability disclosure procedures, we followed those guidelines. And yes, of course there were those where we could not get beyond their service desk, and stakeholders didn't understand the issue and/or did not take it seriously.

DM: Based on your observations, what are some general recommendations for those using the SAML protocol?

SK: While SAML authentication has many benefits, I recommend the following when using SAML integrations:
• if you are a service provider, check the integrity of the message by validating signatures, and make sure each assertion and the entire response element is signed
• make sure the SAML response is validated before making any access control decisions
• identity providers should use asymmetric identifiers instead of using email/username for identity assertions.

When onboarding new applications, organisations should make sure that service providers are checking the integrity of messages and that each assertion, and the entire response element, is signed. Also, make sure that the SAML response is validated before making any access control decisions.

DM: How important is it that organisations have an avenue to report these types of findings in a responsible manner?

Ed Messina (EM), Senior Manager, Cyber Operations and Architecture, Monash University: Very important. You can take a look at this from two different perspectives. If you don't have an open, accessible and communicated way for cyber security researchers to responsibly report vulnerabilities within your environment or product, you run the risk of never actually knowing about it until it's too late, or risking your organisation's reputation by not being proactive in this space. Secondly, even with offering incentives or rewards, it can be a cost-effective way to perform threat hunting and form a pillar of your vulnerability management program.

DM: We all use technology and services from external parties. Ed, from a commercial perspective, how can organisations ensure that their supply chains and providers take security vulnerabilities seriously?

EM: In the Palo Alto Networks instance, we were very happy with how serious and responsive Palo Alto

Dan Maslin, Ed Messina, Salman Khan

Networks was when we first reported this vulnerability. This was our first experience reporting a flaw to them, and we leveraged the existing relationships and account management structure to ensure that the right attention was given to it. In other cases, the response from third parties was not acceptable, and we needed to escalate several times to get the right level of attention. Speaking more generally, it does come down to a few things, such as running simulations and understanding the contact points of your suppliers, and relationships, and when that fails you need to be able to lean on strong commercial arrangements, including defined escalation paths, time frames for responses and service-level agreements.

DM: Cyber security is a team game. Are there any others in the team that you'd like to call out for praise?

SK and EM: It sure is. This has been a long and complicated process requiring a multidisciplined response. Call-outs to Josh Campione from the Cyber Risk and Resilience Team; Ryan Newington, Abhinav Pandey, Ariel Salmon, Daniel Ta, Matthew Solly, Nathan Munro and Cameron Duck from the Identity Team; and Steve Mitchell and Michael Homesy from our Service Governance Team.

DM: The timing and COVID-19 restrictions meant that we were all working remotely during this process. How did you manage to coordinate a complex and time-sensitive issue securely and effectively?

EM: This was definitely a challenge, but we benefited from our existing processes to respond to a cyber security incident, which included commencing a 'war room'. This was run virtually over our enterprise videoconferencing platform, and details were only distributed to those required to participate. There were times when this virtual room was open 8–9 hours a day, with breakout sessions to demonstrate the vulnerability to development teams and offer suggestions on how to remediate. Details were kept up to date online in our secure workspace, similarly to how we would track an incident while physically working in the office. The room was coordinated by our nominated major incident manager, and any external communications were facilitated through our service delivery manager. This allowed the technical teams to focus on remediation efforts and testing, and ensured that stakeholders were kept informed through regular checkpoints throughout the day.

DM: Any other closing comments?

SK and EM: Aside from the recommendations that we've already covered, this process also reinforced the importance of timely installation of patches, as these types of vulnerabilities are frequently reported and fixed in point releases, often without the detail of the vulnerability made public. The whole process also reinforced the need for a consistent state of readiness – test your incident response plans regularly and be ready to come together at short notice; something like a vulnerability in SAML can affect hundreds of applications across a large enterprise.

The Palo Alto Networks security advisory for CVE-2020-2021 indicates that the issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3 and all later versions, and Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability. •

Top 3 Recommendations
1. Audit SAML implementations to ensure that the response is validated.
2. Ensure that clauses exist in commercial contracts for timely issue remediation.
3. Publish your process for responsible vulnerability disclosure.
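The structural checks behind SK's service-provider recommendations (every assertion and the whole response signed, validated before any access control decision, no unchecked extra assertions), as an added example that is not Monash University's tooling or any vendor's code; the message builders and the placeholder signature values are constructed for the demonstration, and cryptographic verification of each signature is assumed to follow in a real XML-DSig library.

```python
"""Structural pre-checks a SAML service provider should run on a Response before
making any access-control decision (added example; standard library only).

Rules enforced, following the interview's recommendations:
  1. the Response element is signed, and its signature references its own ID;
  2. the number of Assertions is exactly what the service provider expects, and
     none is hidden elsewhere in the tree (the "multiple assertions" variant);
  3. every Assertion is signed, and its signature references its own ID.
Cryptographic verification of each ds:Signature (digests, certificate, trust
chain) is assumed to be done afterwards by a real XML-DSig library; this code
only decides whether the message is even eligible for that step.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _signed_ids(element):
    """IDs referenced by ds:Signature elements that are direct children of element."""
    ids = set()
    for sig in element.findall("ds:Signature", NS):
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                ids.add(uri[1:])
    return ids


def check_saml_response(xml_text, expected_assertions=1):
    """Return (ok, reason, name_id); ok is True only when every rule above holds."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}", None
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "root element is not samlp:Response", None

    # Rule 1: the whole Response is signed, with the signature bound to its own ID.
    resp_id = root.get("ID")
    if not resp_id or resp_id not in _signed_ids(root):
        return False, "Response is not signed (or its signature references another ID)", None

    # Rule 2: exactly the expected number of Assertions, all as direct children.
    direct = root.findall("saml:Assertion", NS)
    anywhere = root.findall(".//saml:Assertion", NS)
    if len(direct) != expected_assertions:
        return False, f"expected {expected_assertions} assertion(s), found {len(direct)}", None
    if len(anywhere) != len(direct):
        return False, "Assertion found outside the Response's direct children", None

    # Rule 3: every Assertion carries its own signature referencing its own ID.
    for assertion in direct:
        a_id = assertion.get("ID")
        if not a_id or a_id not in _signed_ids(assertion):
            return False, f"Assertion {a_id!r} is not signed", None

    name_id = direct[0].findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "Assertion has no Subject/NameID", None
    return True, "structural checks passed; run XML-DSig verification next", name_id


# --- constructed sample messages (PLACEHOLDER stands in for real digest/signature data) ---

def _signature(ref_id):
    return (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        f'<ds:Reference URI="#{ref_id}"><ds:DigestValue>PLACEHOLDER</ds:DigestValue>'
        "</ds:Reference></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
        "</ds:Signature>"
    )


def _assertion(a_id, user, signed=True):
    return (
        f'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{a_id}">'
        + (_signature(a_id) if signed else "")
        + f"<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject></saml:Assertion>"
    )


def build_response(assertions, signed=True, resp_id="_resp1"):
    return (
        f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{resp_id}">'
        + (_signature(resp_id) if signed else "")
        + "".join(assertions)
        + "</samlp:Response>"
    )


GOOD = build_response([_assertion("_a1", "user-x@example.edu")])
UNSIGNED_ASSERTION = build_response([_assertion("_a1", "user-y@example.edu", signed=False)])
EXTRA_ASSERTION = build_response(
    [_assertion("_a1", "user-x@example.edu"), _assertion("_a2", "user-y@example.edu", signed=False)]
)
UNSIGNED_RESPONSE = build_response([_assertion("_a1", "user-x@example.edu")], signed=False)

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("unsigned assertion", UNSIGNED_ASSERTION),
                       ("extra assertion", EXTRA_ASSERTION), ("unsigned response", UNSIGNED_RESPONSE)]:
        print(f"{label:>18}: {check_saml_response(msg)}")
```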

CONTENT PROVIDED BY LOGMEIN

The future is passwordless

THIS YEAR HAS shaped up to be one of the most challenging for many organisations around the world. The pandemic has driven a large-scale transition to remote work, and cybercriminals are taking advantage of the situation.

In Australia, Scamwatch reported an increase of 18 per cent in incidents of hackers trying to steal credentials via email, phone and the internet, which is approximately 16,000 attempts during the second quarter of 2020.

Passwords are not only a source of vulnerability. In our most recent LastPass report, 'From Passwords to Passwordless', we found that password security is one of the main sources of frustration for the IT department. They are required to spend an average of six hours per week on password-related issues alone – an increase of 25 per cent from 2019. For employees, top frustrations are convenience related, such as changing passwords regularly; remembering multiple passwords; and typing long, complex passwords. There is a clear disconnect between the security priorities of IT professionals and the user-experience demands of employees.

Despite questions around the future of the password, 85 per cent of IT professionals surveyed do not think passwords are going away completely. More than 92 per cent, however, believe that delivering a passwordless experience for end users is the future for their organisation. The answer to the password predicament is simple: rather than eliminating passwords completely, we should instead change the way we interact with them. This is where passwordless authentication comes in – where IT professionals must take into consideration choosing and implementing the technology that fits their organisation's needs. The following are some methods to consider.

• Implementing single sign-on (SSO) can help secure and simplify managing access no matter where employees are located. Through a protocol such as Security Assertion Markup Language, SSO establishes a secure link between where IT manages employees' access to information and the application users want to log into. SSO allows employees to reduce the number of passwords they must remember or update, minimising the risks associated with credentials.

• Enabling multi-factor authentication (MFA) provides IT teams with the tools to manage access at the individual-user level, by defined groups or even by job role. MFA considers a multitude of factors, such as location, IP address or biometrics (face ID), versus only one factor, such as a password, prior to granting access to an application. By prompting a user for additional information when logging in, the IT department can be confident that the person requesting access is indeed who they say they are. It also streamlines the process for the final user, who will have a faster and easier login experience.

Organisations and users alike should keep in mind that passwords will still be in use for a long time. Combining a passwordless login experience with a password manager will be the best way to secure all access points, while delivering a seamless login experience. •

Is your organisation ready to go passwordless? Visit lastpass.com to learn more.


Empower your employees. Protect your business.

From single sign-on and password management to adaptive multifactor authentication, LastPass is the comprehensive access platform for securing every entry point to your business.

www.lastpass.com

©2020 LogMeIn, Inc. All rights reserved.

The evolving information security body of knowledge

BY YVONNE WONG, ASSOCIATE DIRECTOR, MAISP, ASSOCIATION OF INFORMATION SECURITY PROFESSIONALS

In 2009, the Association of Information Security Professionals launched its Information Security Body of Knowledge 1.0 for information security professionals who wish to build and update their knowledge. Its domains are covered in the NICF* – AiSP Qualified Information Security Professional (QISP®) Course.

Development in information security is progressing quickly due to technology advancements. As a 'live' atlas for information security (IS) professionals with one to five years of working experience in the industry, the current Body of Knowledge (BOK) 2.0 has built on the momentum of its predecessor, and its 2019 update is made possible by more than 40 voluntary contributors from academia and the industry in Singapore. The BOK 2.0 presents a high-level set of concepts, terms and activities that are of relevance to the IS professional domain in Singapore, as defined by the Association of Information Security Professionals (AiSP). BOK 2.0 has taken reference from the current Skills Framework for Infocomm Technology on cyber security topics to ensure BOK's coverage is appropriate for Singapore's cyber security ecosystem. It covers the following:

1. Governance and Management
2. Physical Security, Business Continuity and Audit
3. Security Architecture and Engineering
4. Operation and Infrastructure Security
5. Software Security
6. Cyber Defence
7. Security Operations
8. Data Security
9. Technology Trends.

AiSP is also planning to have industry validation to seek high-level views from academia and industry in Singapore on how the BOK 2.0 can be enhanced in its future iteration. The aim is for our professionals to be ready for workplace and industry application.

BOK IS FOR THE ECOSYSTEM, BY THE ECOSYSTEM

As mentioned in Singapore's Cybersecurity Strategy, the government will work with industry associations such as AiSP to introduce and build strong communities of practice for cyber security professionals in Singapore. This builds a common identity and fosters trust within the profession. As cyber security development and trends are fast-evolving, AiSP would systemise regular updates together, and cross-reference with cyber security laws and best practices overseas with its regional partners worldwide. The association has signed memorandums of understanding with IS-related associations based in Singapore, Australia and other parts of the world, with the aim to collaborate with more partners to develop a more vibrant and dynamic ecosystem for IS and cyber security together, and to support our continuous efforts to maintain the BOK for IS professionals.

Maintaining the BOK for mutual recognition of IS domains across different countries and contextualised application would help to address the critical need to develop a strong pipeline of professionals in cyber and IS professions in the region. Singapore needs more cyber security professionals, and this is evident in other countries. The 2019 (ISC)² Cybersecurity Workforce Study pointed to a severe shortage of cyber security professionals, and estimated that there are 2.8 million skilled professionals worldwide, while an additional 4.07 million more are needed.¹

With falling birth rates in developed economies, the competition for talent is intense. In addition, IS work is borderless. This requires our professionals to learn continuously and keep up their knowledge in tools, systems, platforms and infrastructure that leverage data and information flows. The nature of our work is demanding on a daily basis, as our professionals are balancing organisational needs and constraints while monitoring vulnerabilities and handling incidents concurrently. With the Industrial Revolution 4.0, more digital technologies, processes and devices will be interconnected, with more global consumer and corporate users using them at an exponential speed.

1. https://www.isc2.org/Research/Workforce-Study


For our cyber security and IS professions to thrive area for jobseekers and fresh graduates, as digitisation and excel, we need a larger and growing pool of and its risks have also accelerated during this period. professionals in the region. A longer career runway How can we emerge stronger from this current crisis would be attractive for young people and mid-career as IS professionals? For a start, the business case for our switchers to seriously consider committing to our field. value-add, knowledge and skills has strengthened. This Employability and career longevity based on one market encourages enlightened companies to invest in their regardless of size may not be attractive to individuals people and be mindful of their competency development to invest in their continuous learning in a sustainable to support organisational goals and needs. Companies that manner. Besides having an unwavering passion for are steering their course cautiously in the uncertain storm IS, a more tangible draw is the opportunity to hone appreciate more collective and timely insights from our their competencies as regional practitioners. Having professions. This could help them to prepare ahead. a BOK that encompasses the best-of-class knowledge Secondly, the accelerated demand and growing that is espoused by representative IS associations and acceptance for digital platforms and tools for the safety societies worldwide will also elevate the standing of our and wellbeing of individuals is a strong market driver IS professionals who are conversant in these mutually for our professionals to maintain and upgrade their recognised domains. knowledge. Any downtime from work can be used productively by our professionals or even mid-career COLLECTIVELY, WE CAN DO MORE WHEN WE switchers for learning and training. 
COLLABORATE Thirdly, the trends of COVID-19-related attacks There is no monopoly in the IS domain as our individual and security incidents offer rich insights in human developments and journeys in our respective industries, behavioural patterns, which encourage us to re-calibrate cultural contexts, and countries would not be identical. our assumptions, competencies and learning road map. Our acquisition of selected skill sets for our respective This hones our analytical skills and percipience to better industries, and varying depth and breadth in specified handle incidents, and enables us to mitigate such threats domains reflects our unique experiences and encounters, in the future. and diverse views and interpretations; all this can Finally, it is important for our professionals to create powerful insights to circumvent our blind spots connect and collaborate with the stakeholders in the holistically. The more we know and share with our peers, ecosystem. This connection not only supports them when the more we learn and the better we work in a team and they need to seek clarifications on their professional as teams. One important learning we gleaned in our development, but also offer a collaborative platform for development of BOK 1.0 and 2.0 is to be objective and open them to contribute and shine as leaders in their own to understand different interpretations and applications, fields. Collectively, we can do more when we collaborate. as unique situations require us to think differently Cyber security and IS are like team sports, where our during problem-solving. adversaries are also partnering in teams to win! The actual contents of any BOK for a profession AiSP is trying to harness learning points and evolves over time. 
We would only be limiting ourselves Singapore’s experience in the current pandemic to and our progress if we believe that there is one enhance the BOK to benefit more IS professionals in the standardised or constant BOK to fulfil the aspirations and future. We believe that having like-minded partners to growth of IS professionals. Given the wide spectrum in collaborate in recognising IS domains essential to our information applications in our current world, there is regional practitioners will reinforce our collective efforts ‘no one BOK to rule them all’ to ensure security for all. to raise the professional standing of IS personnel. As our world evolves and adapts from the pandemic, so must we PREPARING AHEAD FOR A POST-COVID WORLD as we endeavour to let our ‘atlas’ evolve. • We are reminded constantly of how things will change * The National Infocomm Competency Framework (NICF) is part of as the world recovers from the COVID-19 pandemic. Our the Singapore Workforce Skills Qualifications (WSQ) system. It was professionals have been stretched to cope and support developed as a joint effort between SkillsFuture Singapore, Infocomm Media Development Authority and strategic stakeholders in the extensive remote-working deployment while handling an information and communication technologies industry. NICF was increase in attacks, phishing and security incidents. Our last updated in 2014 and to date, 631 competency standards have been professions have also been highlighted as one key growth identified for 334 job roles.

CONTENT PROVIDED BY KATANA

Say goodbye to phishing with PowerDMARC

‘TODAY, CUSTOMERS DON’T stay silent,’ explains Stephen Rielly, Founder of Katana Group. ‘If they’ve been a victim of a phishing attack, odds are that they will tell their friends over social media. PowerDMARC helped us restore trust into our email delivery channel and combat phishing attacks with absolute ease.’

Looking to prevent frustration building up within their diverse customer base, the team decided to look into a reliable, long-term solution that would effectively combat this issue. This ultimately led them to PowerDMARC.

‘While the team was first worried that implementing DMARC would disrupt their normal email flow, this was not the case,’ says Rielly.

They were astonished by the level of detail provided by the PowerDMARC application, which is able to easily filter emails sent on their behalf according to the sending source, host, reporting organisation and authentication results. This allowed them to identify where the legitimate email originated from, update their Sender Policy Framework records accordingly and ensure that all of their email forwarding third-party services were DKIM signed.

Katana also appreciated the executive reports produced by PowerDMARC, as they provided an overview of its DMARC implementation status.

Not only that, but PowerDMARC’s comprehensive threat intelligence view, coupled with a one-click ‘takedown’ button, also made it easy to track and report abusive senders. •
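The triage described above (filtering by sending source and authentication result to find legitimate senders missing from SPF, forwarders that only survive on DKIM, and unauthenticated hosts) is what a DMARC aggregate report makes possible. The script below is an added example written for this page, not PowerDMARC’s or Katana’s code; it parses a constructed RFC 7489 aggregate (RUA) report whose reporter name, domains, IP addresses and counts are all made up, and groups the results per source IP using the receiver’s aligned DKIM/SPF verdicts.

```python
"""Triage a DMARC aggregate (RUA) report by sending source.

Added example, not PowerDMARC's or Katana's code. The report below is a
constructed sample in the RFC 7489 aggregate-report XML format; the
reporter, domains, IP addresses (documentation ranges) and counts are
made up for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: an aligned sender, a forwarder that breaks SPF but
# keeps the DKIM signature intact, and an unknown host that fails both.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-reporter.invalid</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example.net</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>340</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return (reporter, policy domain, list of per-record dicts)."""
    root = ET.fromstring(xml_text)
    reporter = root.findtext("report_metadata/org_name")
    domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # Aligned results as evaluated by the receiver, not the raw checks.
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return reporter, domain, rows


def classify(row):
    """Name the authentication state of one record from its aligned results."""
    if row["dkim"] == "pass" and row["spf"] == "pass":
        return "aligned"
    if row["dkim"] == "pass":
        return "dkim-only"        # forwarder: envelope rewritten, signature survives
    if row["spf"] == "pass":
        return "spf-only"         # listed in SPF but not signing with our DKIM key
    return "unauthenticated"      # spoofing, or a legitimate sender missing from SPF


def summarise(xml_text):
    """Aggregate message counts and authentication states per source IP."""
    reporter, domain, rows = parse_report(xml_text)
    per_source = defaultdict(lambda: {"count": 0, "states": set()})
    for row in rows:
        entry = per_source[row["source_ip"]]
        entry["count"] += row["count"]
        entry["states"].add(classify(row))
    return reporter, domain, dict(per_source)


def unauthenticated_sources(xml_text, min_count=1):
    """Source IPs that failed both aligned checks, highest volume first."""
    _, _, per_source = summarise(xml_text)
    hits = [(ip, e["count"]) for ip, e in per_source.items()
            if "unauthenticated" in e["states"] and e["count"] >= min_count]
    return sorted(hits, key=lambda hit: -hit[1])


if __name__ == "__main__":
    reporter, domain, per_source = summarise(SAMPLE_REPORT)
    print(f"Report from {reporter} for {domain}")
    for ip, entry in sorted(per_source.items(), key=lambda kv: -kv[1]["count"]):
        print(f"  {ip:<16}{entry['count']:>6}  {', '.join(sorted(entry['states']))}")
    print("Review these sources:", unauthenticated_sources(SAMPLE_REPORT))
```

The classification uses the `policy_evaluated` block rather than the raw `auth_results`, because DMARC only credits a check that is aligned with the From: domain; a forwarder shows up as `dkim-only` (its own SPF domain appears in `spf_domain`), while a `spf-only` source is a service that is in the SPF record but not signing with the organisation’s DKIM key, which is the gap the passage describes closing. Real reports arrive as gzip or zip attachments and should be unpacked before being handed to `parse_report`.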


Managing the mental health of CISOs and their teams

BY MARILIA WYATT, CYBER RISK ANALYST, WSJ PRO RESEARCH
FEATURE CONTRIBUTORS: ROB SLOAN, CYBERSECURITY RESEARCH DIRECTOR, WSJ PRO, AND MICHAEL FIELDHOUSE, ADVISOR, WSJ PRO

The mental stress associated with keeping networks secure from constant attacks is affecting chief information security officers and the teams they manage.

Left unchecked, this stress could significantly affect a chief information security officer’s (CISO’s) mental wellness and security staff retention rates – both of which could negatively affect an organisation’s cyber security. The job-related stressors are well documented, and include:
• feelings of personal responsibility for breaches
• long hours and being ‘always on’
• job insecurity in the case of a compromise
• understaffed teams running on the maximum bandwidth
• slim budgets resulting in unrealised security projects
• disillusionment stemming from security often being viewed as an afterthought
• constant pressure to learn and monitor changes in risk and threat.

CISOs are not unique among executives in having to deal with high stress, but they might be at higher risk due to their personal investment in an organisation’s security. This, in turn, can lead to an increased risk of burnout, depression, fatigue, anxiety, substance abuse and even suicide risk – all concerns that businesses will need to grapple with, rather than sweep under the corporate rug.

BUILD MENTALLY RESILIENT TEAMS

Jamil Farshchi, CISO at Equifax Inc, spoke at the December 2019 WSJ Pro Cybersecurity Executive Forum in New York, and recounted the effects on cyber security staff of a 2014 data breach at Home Depot Inc., where he used to be CISO. ‘You have a workforce that’s been grinding day in, day out for several months, and I’m talking about situations where people have put cots on the floor and are staying there night after night,’ Farshchi said. ‘What you step into, when you get into an organisation that’s post breach, is chaotic.’

The prolonged stress levels that cyber security teams experience not only affects their wellbeing, but it can also potentially affect how a company maintains resilience. Dr Ryan Louie, a psychiatrist at Vituity – a multispecialty partnership of physicians – said mental health can affect how a company counters threats. ‘The risks to companies are the lingering effects after and during a cyber attack that affect a workforce’s ability to respond and maintain resilience, and upkeep that constant alertness and ability to perform well in times of extreme stress.’

According to a survey from the UK domain name registry Nominet, 88 per cent of CISOs said they were ‘moderately or tremendously stressed’. Of the 406 CISOs or similar roles surveyed, 48 per cent reported that stress levels affected their mental health, up from 27 per cent last year. Ninety per cent reported that they would take a pay cut to achieve work-life balance, and 31 per cent said stress affects their ability to do their job.

The 2020 Nominet report didn’t go into specific mental health risks, but raises questions about the long-term effect of stress on the CISO and the organisation’s security posture. The leaders said they are expected to work long hours – an average of 10 hours extra per week beyond contracted hours – and this results in them missing family and social time.

CULTURE MATTERS

A company’s culture is important to reduce stress, says Nominet’s CISO, Cath Goulding. ‘It makes my job easier when we are all working towards the same goals, and I can make security fit into that.

‘The CISO stress is different in that they generally have bad news about incidents and need to ask for money to mitigate risks,’ Goulding adds. She points to mindfulness courses and yoga, both available at the company, that help her take a step back from work.

There is a cost associated with any worker being absent from the office for a period with stress-related illness, but the loss of the CISO for a longer period could potentially affect the company’s cyber security.

THE COST OF RECRUITING CISOS

According to Deidre Diamond, CEO at CyberSN, a cyber security staffing company, the average tenure of CISOs is 18 months in the United States and two years in other countries. The Nominet survey, largely based on data from the United Kingdom, found that the average CISO tenure is 26 months. The high turnover rate of CISOs means that companies are already exposed to regular periods without a security leader. Investing in mental wellness could help keep a CISO in place for longer while avoiding the costly and oftentimes difficult recruitment of a replacement.

THE TONE AT THE TOP

A company’s cyber security resilience is only as strong as the endurance and vitality of its people, combined with its technical capabilities. A robust cyber security immune system means that a workforce can quickly recover from stress and perform at an optimum level to keep the organisation secure. The responsibility for building that resilience and ensuring the wellbeing of the team lies with the CISO, or equivalent security executive.

The CISO must set the tone continuously, which includes taking their annual leave and not expecting others to forego their leave. Team members must be encouraged to make use of mental wellness assistance offered by the organisation, and leaders must foster an environment and culture where stress is not perceived as weakness. Being sensitive to the team’s emotional diversity to gauge how the work affects them differently, depending on other personal challenges, will also be a skill for the security leader to develop.

WHAT CAN COMPANIES DO?

There are a number of steps that organisations can take towards creating a healthier work environment, without affecting the ability of the cyber security team to deliver against risk and security goals:
• Evaluate the current mental wellness resources. If a corporate-wide program is in place, is it sufficient to cover the cyber security department’s particular needs?
• Work with HR to understand whether stress has contributed to staff absences or was a factor in cyber security team retention rates.
• Discuss how stress affected the effectiveness of responses to previous incidents.
• Identify those roles that are exposed to prolonged stress levels. Consider rotating workers to reduce stress on individuals. Ensure that all team members take annual vacation days.
• Provide senior managers with mental health first-aid training to help gauge when teams are struggling. Give thought to a mental wellness ambassador for the cyber security team.
• Offer onsite and offsite counselling opportunities that fit cyber security workers’ schedules. •

Marilia Wyatt is a cyber risk analyst at WSJ Pro Research, The Wall Street Journal’s professional arm. Wyatt writes research and analyses, develops strategy, and creates solutions to augment executive decision-making around improving cyber security, data privacy, ethics and responsible use. She has a passion for building things that provide utility for readers and leverage innovation with the responsible use of technology. Email Wyatt at [email protected].

The changing face of retail

Security will be crucial as retailers tap changing consumer behaviour to rebuild their brands online. David Braue reports.

Slim Dusty may have had his tongue in his cheek when he lamented about the pub with no beer, but nobody was laughing this year when drinks giant Lion warned that its recent cyber security attack could potentially turn Australia into a country with no beer.

Its warning came in the wake of a June attack by REvil ransomware, which took key Lion distribution systems offline and forced the company – whose popular brands include XXXX, Tooheys, James Squire, Little Creatures, Dairy Farmers and Pura – to shut down production and switch to manual processes as its IT staff raced to recover.

The company first advised that no confidential data had been taken, but it was forced to walk back from the claims after cybercriminals posted alleged screenshots of files and directory trees that they said would be published online if the company didn’t pay a ransom reported at $1 million.

‘Given this development, our expert teams are doing all they can to investigate whether any data has been removed from our system,’ the company said in a public update. ‘Unfortunately, based on the experience of others in this situation, it is possible [that] this may have occurred.’

The threats added a new wrinkle to an attack that had already caused significant damage to Lion’s core businesses, not only causing shortages of packaged and keg beer, but also creating new problems for pubs that had only just started to reopen after the financially punishing COVID-19 lockdown.

NO DISCOUNTING BIG-BRAND ATTACKS

The incident added Lion to the list of well-known consumer brands to suffer major cyber security compromises this year, which also include steel supplier BlueScope Steel, shipping giant Toll Group, consumer-finance firm MyBudget, whitegoods giant Fisher & Paykel, and state government agency Service NSW.

All have occurred within the context of a cyber security climate that has been steadily growing in intensity and severity. Thirty-two per cent of respondents to ISACA’s recent State of Cybersecurity 2020 report, for one, said that the number of attacks that they were dealing with had increased in 2019 compared with the previous year. A further 24 per cent said that the volume was the same.

Many companies have historically worked to keep data breaches as quiet as possible, and notifiable data breaches regulations only require companies to notify those affected by a serious breach. Yet, in the retail and the fast-moving consumer goods market, when systems stop working and supply of well-known goods is interrupted, there is nowhere for the companies to hide.

Statistics suggest that retailers and manufacturers are well and truly in the spotlight, with the Verizon 2020 Data Breach Investigations Report (DBIR) analysing 287 incidents – including 146 with confirmed data loss – at retail organisations last year. Manufacturing firms suffered a further 922 incidents, 381 with confirmed data disclosure.

Attack targets have steadily shifted in recent years, with retailers’ increased investment in online services and ecommerce sites reflected in a decline in attacks on point-of-sale systems, and a surge in attacks on web applications.

With hackers having financial motivations in 99 per cent of cases, retailers targeted by cybercriminals are likely to suffer financial losses no matter how the incident plays out.

DBIR analysis found that personal data was stolen in 49 per cent of incidents – only slightly more frequently targeted than payment-card data, which is stolen 47 per cent of the time.

Some 27 per cent of incidents that involved cybercriminals also targeted login credentials, which are commonly used to access other corporate systems and may also – if stolen credentials allow attackers to access executives’ email systems – allow hackers to set up business email compromise attacks, which are extracting money from businesses with frightening regularity.

‘In a perfect world, someone else’s data breach would not raise the risk to your own; however, that is increasingly not the case, with the adversaries amassing datastores of credentials from other people’s misfortune and trying them out against new victims,’ the report notes.

RIDING OUT RETAIL’S ANNUS HORRIBILIS

Breaches against retail targets are nothing new; but with the world’s retailers already on their knees from the COVID-19 pandemic, the impact of a successful cyber security attack could be magnified many times over.

A recent analysis by Deloitte warns, ‘Australian retailers are facing the fight of their life in 2020’, with retail brands like Criniti’s, Karen Millen, Bardot, Harris Scarfe and McWilliam’s Wines among those calling it quits in the face of plunging retail spending and widespread job losses.

Australian retail spending is expected to drop 1.4 per cent this year, making it the worst year on record and driving what Deloitte calls ‘significant swings in consumer ability and willingness to spend’.

Yet, there is more to the changing retail story than just having fewer people in the shops: after months of keeping to their homes, many Australians have discovered the benefits of online shopping and delivery.

A recent Mastercard survey found that 38 per cent of Australian consumers believe that they will be shopping less in stores in the future, and 30 per cent will be shopping online more as they build on their newfound love of online delivery.

This trend has already seen record online shopping revenues, with US online retailers noting that year-on-year revenue growth had reached 68 per cent by mid April, with online retail orders growing by 146 per cent. Figures from CCInsight, which is tracking ecommerce trends during the COVID-19 pandemic, note healthy growth in Australian online retail, and advises that the pandemic has become a tipping point that will force retailers to adopt digital-led retail strategies.

As struggling retailers become increasingly dependent on robust ecommerce storefronts, they could become increasingly easy to disrupt by cybercriminals – who will most certainly continue peppering retailers with phishing emails, ransomware attacks, and even distributed denial-of-service attacks that will potentially be able to shut down a retailer’s core business.

Consequently, businesses looking to reinvigorate their revenue streams online will need to ensure that they temper their investments in digital customer experience with solid fundamentals around cyber security, which will elevate in status from protecting the systems that run a bricks-and-mortar business to protecting the entire business.

Increased consumer spending ‘is driving more online capabilities for retailers, but is also highlighting the issues that arise when operations are moved online’, KPMG notes in a recent analysis of COVID-19’s cyber security implications on retailers.

‘Retailers need to build security into their design from the outset to protect their brand, reputation and customers,’ the firm notes, with recommendations including ensuring that online environments are penetration tested; are running the right encryption standard and protecting customer data; have published privacy and data-handling policies online; and have extended security controls onto public cloud services that might be used to support the retail presence.

Retailers will also, KPMG advises, need to be hypervigilant about frauds, scams, protecting consumer identity, risks from increased adoption of contactless payments, and the increased susceptibility of certain age groups to cyber security compromise.

Distracted executives will be well aware of the shift, but information security executives will be well advised to liaise with those executives – early and deeply – to ensure that new ecommerce investments are matched with adequate cyber security funding and planning.

This may seem obvious, but without the right relationship building, cyber security executives may find their proposed investments rebuffed or limited as executives juggle competing priorities – and a depleted revenue base – for a post-COVID-19 recovery that, according to Nestlé Oceania Director of eBusiness, Strategy and Marketing Martin Brown, should be expected to span between two and 10 quarters of negative growth.

‘A bunch of marketing case studies are going to be written around the way in which brands responded to this challenge,’ Brown said in a recent Mi3 interview – and the same goes for cyber security.

By moving proactively to put the right cyber security strategy in place, retail businesses will be able to minimise the potential for outside interruptions as they fight to ensure their viability – both online and offline – in the post-COVID-19 world. •

Spotlight: Education

The future of training

BY DAVID BRAUE

Tech-focused government policy is forcing new partnerships, and a rebalancing of education and training agendas as the sector figures out how to do more with less.

Growing competition for the expanding pool of full-fee-paying overseas students has long kept universities on an arm’s-length footing, where new buildings, courses and resources were added as much to attract enrolments to cater for industry demand.

Yet, in the wake of a catastrophic COVID-19 pandemic that Universities Australia believes will cost the sector $16 billion by 2023, that spirit of healthy competition has been rapidly replaced by a new camaraderie – and a rebalancing of the public and private sector roles in meeting growing demand in sectors like cyber security.

An increasingly deterministic government is helping to tip the scales, with major initiatives like the federal government’s recently launched Job-ready Graduates Package pulling funding levers to force universities to redouble their focus on STEM areas – at the expense of humanities areas that, authorities argue, are less immediately job-relevant.

Not everybody agrees, of course, but arguments about the value of ‘soft skills’ are likely to be lost under the crushing weight of a savings-minded government and a university sector whose rapid financial demise is forcing it to fundamentally reinvent itself.

That reinvention has already seen the closure of many courses and the retrenchment of hundreds of academics that used to teach them, but that trend is likely to continue as universities seek to claw back their operational viability.

In this context, universities are increasingly likely to fall in line with the government’s moves to cut the cost of courses like information technology – trying to use financial incentives to steer students towards jobs that have historically enjoyed high workplace demand.

Strategic planning will be crucial as the COVID-19 catastrophe ejects high school leavers into university courses, and university graduates into job markets that are being profoundly transformed by sustained economic catastrophe and a complete realignment of their industries.

PUT YOUR MONEY WHERE THE CAREERS ARE

Cyber security remains one of the ICT areas in clear favour with both government and industry – and, as a growing diversity of cyber security–related courses has shown, universities recognise that broadening their cyber security offerings will help them maintain their industry relevance.

That relevance was up for scrutiny in the latest annual QILT Graduate Outcomes Survey-Longitudinal (GOS-L) report, which measures employment outcomes for university graduates across a range of study areas.

It has taken most of the past decade for the jobs market to recover the demand that it enjoyed before the global financial crisis (GFC) hit, but the recently released 2020 report suggests that recent years have seen strong and ongoing demand for computing and information systems graduates.

Some 92.9 per cent of such graduates had found jobs by the beginning of this year, the GOS-L found – compared with the healthy 76.2 per cent of the same cohort that were working within four months of graduating in 2017 – confirming that ICT courses remain solid choices for students and valid areas for prioritisation by universities.

Yet, as the sector reworks itself to recover from the damage that COVID-19 has wrought, the long-running spirit of natural competition is mutating into something more collaborative – and this is also reshaping the way universities work to bolster their cyber security operations to support increasingly remote students and instructors.

David Stockdale, Deputy Director of Information Technology Services at The University of Queensland, told a recent Cisco webinar discussing the university sector’s pandemic response that change management, good communications and a willingness to ‘force’ concepts like zero-trust authentication have helped The University of Queensland to overhaul its technological architecture in recent months.

‘Security is everybody’s responsibility, and while there’s a lot of good support coming out of the government, we have to take some responsibility ourselves,’ he said, citing increasing collaboration between university technologists and strategists as a sign that the pandemic has strengthened the sector’s overriding sense of solidarity.

‘We really are working together to help solve some of our problems, with close cooperation with the federal and state governments, and with technology partners, as well,’ he said. He added, ‘This is where I’m seeing a change of culture happening’.

This spirit of cooperation and collaboration is ‘really important’, according to Stockdale, ‘and it’s beneficial for all that an organisation will help shape [security] practice and information on threats traversing the sector. It’s really important that this is the approach we start to drive into the Australian economy’.

REWORKING THE BALANCE

Even as the Morrison Government moves to refashion Australia’s universities around providing job-ready skills, other elements of the education sector – including TAFEs, private sector institutions and registered training organisations (RTOs) – will have both an opportunity and an obligation to fill in the vacuum.

The Australian Information Industry Association (AIIA) was among the bodies welcoming the Morrison Government’s $2-billion JobTrainer program, which will effectively complement universities’ increasing specialisation with a broad-based curriculum of micro-credentials – including 430,000 new training courses in areas defined by the National Skills Commission – to help school leavers and young people to train for jobs in high-demand areas.

‘The funding is a step in the right direction for a post-COVID-recovery Australia; however, we need more focus on agile training packages that are able to react faster to the emerging opportunities and new skills required for the technology industry,’ says AIIA CEO Ron Gauci.

‘It is clear that the system of training to address skills needed by employers is fractured,’ he added in an oblique swipe at the university sector, in that ‘both the policy environment and the qualification levers are siloed and inconsistent’.

Innovation by RTOs is already expanding the range of courses available and targeting specific demographics of potentially valuable workers – and the defence sector is proving to be a big winner.

A recently announced partnership between Soldier On and IBM SkillsBuild, for example, will help Australian Defence Force veterans to retrain with market-ready digital skills after retirement. And a consortium of Australian cyber security companies, including FifthDomain, Cydarm, Elttam, Penten and Retrospect Labs, recently debuted an Accelerated Defence Cyber Training program that facilitates cyber security training in a virtual training environment.

External training organisations will be more important than ever in helping graduates to refine their skills, and workers in other sectors to transition to in-demand areas like cyber security, according to recent DDLS survey Staying Ahead of the Technology Curve, which found that only 34 per cent of respondents expected ICT training to increase in the next 12 months.

The data ‘reinforces the existence of a huge skills shortage in Australia’s cyber security industry’, DDLS CEO Jon Lang says, noting that ‘there exists an important opportunity for all organisations, regardless of their sector, to invest in cyber security training and certification for their staff’.

The nature of this opportunity will become clearer in the coming months, as universities finalise their 2021 curriculums, and ancillary training organisations firm up their online and, potentially, in-class offerings with an eye on delivering the rapid outcomes that the post-COVID world will require.

COVID-19’s evisceration of Australia’s job market is likely to drive a plunge in GOS-L outcomes similar to the one that was observed in the wake of the GFC. In the short term, this may play into the Morrison Government’s narrative about the importance of favouring high-demand technical skills.

For professionals, recent graduates or finishing students, the implications of this disruption are clear: conventional qualifications-based career paths are dead, and exactly what is going to replace them is still anybody’s bet. Think flexibly, explore partnerships and training opportunities wherever possible, and pursue incremental learning to define a future path that will keep you both employed and happy for the long term. •

CONTENT PROVIDED BY EDITH COWAN UNIVERSITY

World-class home for cyber hub

THE COVID-19 PANDEMIC has impacted the cyber security landscape like no other global event in recent history, and our technology-enhanced homes, businesses and infrastructure are increasingly vulnerable to malicious attacks.

With the soaring costs of cybercrime threatening Australian and global businesses, the cyber security industry is set to replace the mining sector as the next jobs boom in Australia. It is expected that the global cyber security workforce shortage will reach between three and six million over the next few years.

With Western Australians increasingly under the threat of cybercrime, it is more critical than ever to coalesce the strengths of cyber intelligence, research and law enforcement to protect and defend our community.

Edith Cowan University (ECU) is responding to this growing demand with the opening of two of the top STEM education and training facilities in the state – its Science Building and Security Operations Centre (SOC).

ECU’s new world-class SOC is the first of its kind in Australia and one of only a handful worldwide. As well as a fully functional cyber security facility, the centre is designed to enable students to gain experience in monitoring, detecting and responding to cyber security incidents.

‘The key to protecting against cyber security threats is maintaining up-to-date knowledge of emerging attacks and trends, which is why our courses are designed to meet the changing landscape of this dynamic industry,’ says ECU’s Associate Dean for Computing and Security, Associate Professor Paul Haskell-Dowland. ‘Having the SOC on our campus ensures that ECU students graduate with the necessary skills to be the cyber security leaders of the future.’

ECU has drawn Western Australian cyber experts from government, industry and academia in its state-of-the-art Science Building to work side by side to deliver world-class teaching, to collaborate and innovate.

The fully integrated space is now home to the WA Austcyber Innovation Hub – incorporating WA Austcyber Node – as well as the WA New Industries Hub (cyber), SCADA/OT security provider Sapien Cyber and, most recently, the Western Australia Police Technology Crime Services.

The co-location of Western Australia Police at ECU affords unprecedented opportunities to deliver innovative solutions to the pressing challenges facing our community and the world today, and in the future.

Professor Craig Valli, Director of the ECU Security Research Institute, says cyber attacks are a ‘persistent pandemic of threat’ that’s not going away anytime soon.

‘Cyber security is now a top priority on the national agenda, and ECU is playing a pivotal role in helping to protect Australian organisations against malicious cybercrime,’ he says. •

For more information, visit http://ecuworldready.com.au/cyber-security.



SEE YOURSELF ON THE FRONTLINE OF CYBER SECURITY

At WA’s only Academic Centre of Excellence in Cyber Security.

With cyber security threats only increasing, there’s never been a greater need to protect Australian businesses, government and the community from digital crimes.

ECU has the largest cyber security and research program in Australia, which has been recognised by the Australian Federal Government as one of just two Academic Centres of Excellence in Cyber Security in Australia and the only one in WA. Our courses are designed to meet the changing landscape of our cyber security future. Students learn from world class lecturers in state-of-the-art facilities, including a new multimillion dollar Security Operations Centre opened in 2020.

ECU offers leading-edge teaching and research in Cyber Security, Critical Infrastructure Security, Digital Forensics and Human Security, and has a history of delivering successful research projects for Federal and Defence agencies. ECU welcomes the opportunity to discuss research collaborations with public and private businesses and individuals who have a shared interest in the security industry.

To find out more, visit ecuworldready.com.au/cyber-security

303ML 11465635 | CRICOS IPC 00279B

The ASD Cyber Skills Framework

BY TONY VIZZA, DIRECTOR OF CYBER SECURITY ADVOCACY, ASIA-PACIFIC, (ISC)2, AND BOARD MEMBER, AISA

In September of 2020, the federal government’s Australian Signals Directorate released the blueprint to Australia’s future cyber workforce and cyber skills development as part of the government’s 2020 Cyber Security Strategy.1

The ASD Cyber Skills Framework2 lists cyber roles that are applicable to Australian conditions, and articulates the knowledge, skills and capabilities of individuals working in those roles.

The ASD Cyber Skills Framework ‘enables targeted recruitment of cyber specialists, provides a development pathway for current and future cyber staff, and aligns skills, knowledge and attributes with national and international industry standards’.3 The framework is aimed at ‘wider government, industry and academia’, and can be ‘used as a tool for understanding and profiling cyber skills in any organisation’.4

The framework leverages a number of highly regarded international workforce frameworks, including the US NICE Cybersecurity Workforce Framework (NICE Framework)5, the Skills Framework for the Information Age (SFIA)6 and the Chartered Institute of Information Security (CIISec).7 The framework seeks to address five key areas, including role definitions, skill definitions, proficiency levels, career pathways, and learning and development.

The ASD Cyber Skills Framework Levels correspond to long-established Australian Public Service Integrated Leadership System (APS-ILS) levels.8

FRAMEWORK ROLES AND DISCIPLINES

The ASD Cyber Skills Framework defines four core disciplines that represent the foundational groupings within the cyber security industry. These four disciplines are cyber security analysis, cyber security operations, cyber security architecture, and cyber security testing. Under these four disciplines, nine distinct cyber security roles are defined within the framework.

Framework core capabilities and proficiencies

Each role draws from a defined set of core capabilities that are expressed within the ASD Cyber Skills Framework. In addition, the ASD Cyber Skills Framework utilises proficiency levels within each role. The nine categories of core capabilities and proficiency levels are drawn from a number of industry frameworks, including CIISec and SFIA, and align to the Australian Public Service Integrated Leadership System. Proficiency levels range from ‘Learners’ at Level 1 through to ‘Expert Practitioners’ at Level 6.

Figure 1: ASD Cyber Skills Framework

The relationship between role, capabilities, skills and levels of proficiency

The ASD Cyber Skills Framework illustrates the interdependencies between the roles defined under the framework, the capabilities each role should provide, the skills required for each capability, and the proficiency level required for each skill dependent on the level of seniority for that role. The dependencies that are contained within the framework document are illustrated in Figure 1.

Framework roles

Under the cyber security analysis discipline, three specific roles are defined:

• Cyber threat analyst, who is tasked with performing cyber security research, analysis and strategic threat assessments.
• Intrusion analyst, who coordinates and conducts proactive cyber threat discovery activities to identify potential intrusions or anomalous behaviour based on cyber threat intelligence.
• Malware analyst, who is responsible for the analysis of the functionality, origin and potential impacts of malware, using techniques such as reverse engineering, development and research of design systems and software components to defend networks against malicious threats.

Under the cyber security operations discipline, two distinct roles are defined as follows:

• Incident responder, who analyses and investigates cyber security incidents, often malicious, to remediate networks and provide mitigation advice to protect and secure systems. The framework also includes a detailed Learning and Development Pathway for this role, as an example.
• Operations coordinator, who is responsible for managing tasks associated with cyber security incidents across various teams for incident response and hunt operations, including setting priorities and engaging with customers.

The cyber security testing discipline defines two roles:

• Penetration tester, who performs cyber security exploitation, penetration testing and red team activities. Penetration testers plan, coordinate and execute cyber threat emulation activities in support of certification, accreditation and operational goals.
• Vulnerability assessor, who assists with the application and compliance of security controls, reviews information systems for actual or potential security vulnerabilities, and explains threat profiles of a variety of electronic devices.

Under the cyber security architecture discipline, two roles are defined:

• Cyber security advice and assessment, characterised as a blue team role responsible for cyber and information security risk assessments, and who provides technical, professional and policy advice regarding security controls.
• Vulnerability researcher, who plans, coordinates and conducts cyber vulnerability research activities to identify deficiencies and impacts on systems and emerging technologies.

Digital career pathways for information security

Due to the rapid change within cyber security, and cognisant that many professionals in the cyber security industry will seek to broaden their experience across different roles, skills and capabilities, the ASD Cyber Skills Framework incorporates the Digital Career Pathways for Information Security.

Figure 2

The Digital Career Pathways seek to provide flexibility for employees by providing career options around established skill sets and information on how to plan for future roles. The Digital Career Pathways seek to answer the question, ‘What skills do you need?’ for a particular role and at a particular proficiency level.

Career learning and development pathways

A novel feature of the ASD Cyber Skills Framework is the incorporation of a Learning and Development Pathway for the incident response role. The pathway has been provided as a sample to allow for external parties to develop their own distinct pathways.

The incident response example pathway illustrates the key learning outcomes, suggests formal and experiential learning, and provides development guidance for practitioners seeking to attain the role at the desired proficiency. The pathway also includes suggested professional development goals, as well as recognised industry certifications that are indicative of the proficiency level that the practitioner is aiming to perform at.

Figure 2 illustrates the development, learning and certification milestones a practitioner considering a position as an incident responder should work towards.

RELATIONSHIP WITH THE NICE CYBER SECURITY WORKFORCE FRAMEWORK

The ASD Cyber Skills Framework extensively leverages the US Government–based NICE Framework, explaining the relationship between the two frameworks in detail and describing them as ‘complementary’. It is important to note that while the ASD Cyber Skills Framework defines nine discrete roles that are applicable to an Australian context, the NICE Framework defines 52 work roles that are relevant to the much larger US cyber ecosystem.

Figure 3

The ASD Cyber Skills Framework recommends that Australian academic institutions that are looking to implement the NICE Framework in order to align to a more US-centric curriculum can refer to guidance contained in the framework to demonstrate which ASD Cyber Skills Framework roles translate to which NICE Framework roles. These are per Figure 3, with the ASD Cyber Skills Framework roles on the left and its NICE Framework equivalents on the right.

A significant benefit of demonstrating the alignment between the ASD Cyber Skills and NICE Framework roles is that Australian organisations are able to leverage mappings of globally recognised industry certifications that have been mapped across to the NICE Framework. This includes the (ISC)2 Certification NICE Framework Map.9 Guidance on industry certifications mapped across to NICE roles is also published by the NICE Working Group Training and Certifications Subgroup.10

IN CONCLUSION

The ASD Cyber Skills Framework seeks to provide Australian governments, businesses and organisations with a comprehensive and standardised reference source in order to assist them in better identifying which cyber roles they may need to fill, and to help identify what capabilities and proficiency levels personnel recruited for those roles should possess. The framework further establishes how Australian cyber security professionals can strengthen their knowledge, skills and abilities, and illustrates to them the necessary learning, career, development and certification steps they can take to ensure that they can achieve their career objectives, and help to deliver a safer and more secure cyber Australia. •

References

1 Australian Government – Australia’s Cyber Security Strategy 2020, https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy
2 Australian Signals Directorate – Australian Government, ASD Cyber Skills Framework, https://www.cyber.gov.au/acsc/view-all-content/publications/asd-cyber-skills-framework
3 Ibid. Refer to the ASD Cyber Skills Framework (September 2020) PDF file, page 7
4 Ibid.
5 National Institute of Standards and Technology (NIST), SP 800-181: National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, https://csrc.nist.gov/publications/detail/sp/800-181/final
6 SFIA Foundation, SFIA – The Global Skills and Competency Framework for a Digital World, https://sfia-online.org/en
7 Chartered Institute of Information Security, CIISec Knowledge Framework, https://www.ciisec.org/Knowledge_Framework
8 Australian Public Service Commission – Australian Government, Work Level Standards: APS Level and Executive Level Classifications, https://www.apsc.gov.au/work-level-standards-aps-level-and-executive-level-classifications
9 (ISC)2, NICE Cybersecurity Workforce Map for (ISC)2 Certifications, https://www.isc2.org/NICE-Cybersecurity-Framework-Map
10 National Institute of Standards and Technology (NIST), US Government, Illustrative Mapping of Certifications to NICE Framework, https://www.nist.gov/itl/applied-cybersecurity/nice/about/working-group/training-and-certifications-subgroup/illustrative

Secure your future in cyber security

Looking to upskill to boost your opportunities? Choose an online course to gain new skills.

Call us on 1800 275 278 to secure your spot today or visit study.csu.edu.au/gc-cyber-security.

Are you an IT professional looking to move into specialised cyber security roles? Charles Sturt University’s Master of Cyber Security will give you the advanced skills and knowledge you need to quickly transition into the industry with this 100 per cent cyber security degree.

Core subjects include dark web, cyberwarfare and terrorism, digital forensics, hacking countermeasures, and professional systems security. You’ll choose four electives from areas like cyber security management, network security and cryptography, cloud privacy and security, and pen testing.

Visit study.csu.edu.au/master-cyber-security to find out more.

Do you have a law enforcement background but lack advanced IT skills? Or experience in IT but limited forensic investigations knowledge?

Charles Sturt University’s Master of Cyber Studies and Investigations will equip you to work at the intersection of information technology and cyber investigations in both current and emerging roles.

Work anywhere in the world investigating drug trafficking, human trafficking, illegal arms trading, financial crime, environmental crime, piracy and more. Visit study.csu.edu.au/master-cyber-studies-investigations to find out more.

Our courses fit your life

• Online study that lets you learn while you earn.
• Tailored options to suit your professional interests and aspirations.
• Articulated programs that allow you to achieve the level of qualification that’s right for you.
• Admission pathways that recognise your achievements – whether that’s previous study, professional attainment or work experience.

The Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) Provider Number for Charles Sturt University is 00005F. © Charles Sturt University, 2020. F6373.

CONTENT PROVIDED BY THE UNIVERSITY OF QUEENSLAND

Cyber security pipeline delivers talent to Australian businesses

WITH MORE THAN a million job openings globally, cyber security professionals are in hot demand, and these positions are fast becoming the highest-paying jobs in the IT sector.

As the evolution of the threat landscape accelerates with rapid IT change, The University of Queensland (UQ) is closing the skills gap, ensuring that its Master of Cyber Security graduates are well-armed to keep pace, and that homegrown talent is available to Australian businesses that need it.

In addition to specialist skills, employers are looking for graduates with a demonstrated ability to apply deep strategic insight into the global cyber security landscape beyond just their field of expertise. Practical real-world experience is also increasingly expected as an entry-level requirement.

At UQ, graduates aren’t just equipped with technical skills – cyberthreats require a multiskilled response spanning legal, organisational, investigative and management capabilities. The new UQ Master of Cyber Security is the first program in Australia to offer an experience that ticks all of these boxes.

Students come together from diverse backgrounds to specialise in cyber defence, cyber security leadership, criminology or cryptography, taught by experts in each field.

The program was developed in close consultation with industry partners, and this engagement continues so that real-world relevance sits at the heart of every student experience.

Students can choose flexible electives, which enables them to pursue professional cyber security certifications, such as the gold-standard Certified Information Systems Security Professional; they are invited to engage with UQ’s research-focused Cyber Hub, which is in development; and they can take advantage of world-class facilities like the Industry 4.0 Energy TestLab, a critical infrastructure security-testing lab, which is supported by Siemens.

A capstone project places UQ students within the cyber security workforce where they gain industry experience before graduation. Partner organisations are invited to join this program and take the opportunity to identify and attract the best and brightest emerging talent.

Some organisations have also chosen to fund scholarships, aiming to address Australia’s shortfall in cyber security specialists by broadening the talent pool. The HP Women in Cyber Security Scholarship will support five women to study at UQ in 2020, turning the tide on a global trend that sees representation rates of women in the cyber security industry as low as 10 per cent.

In this rapidly developing industry, collaboration is key, so to find out how you could partner with the UQ Cyber team, or for more about UQ’s new Master of Cyber Security, search ‘UQ Cyber Security’. •


Study Cyber Security at UQ and go beyond traditional thinking.

From six months to two years, our postgraduate suite of cyber security programs brings together students from technology, business, mathematics, social science and law to offer an integrated learning experience, unique to UQ.

future-students.uq.edu.au

CRICOS Provider 00025B
