Legislation and Cyber Security

Data privacy and cyber security legislation have been a hot topic in Australia of late, with the implementation of the European GDPR, the Notifiable Data Breach Scheme under the Privacy Act 1988, and more recently, the Australian Government’s proposed Assistance and Access Bill (2018). The Assistance and Access Bill, in particular, is causing concern amongst the wider Australian public, privacy watchdogs, technology giants, and telecommunications providers about the level of government access to encrypted information. Aided by an international media “frenzy”, there is an increasing fear of over-regulation and unintended consequences for the privacy of individuals or organisations.

In our dealings with the public sector, it’s clear that there is a lack of legislation and regulation in Australia that is industry specific. Many within the Australian industry view cyber security as something they have to “put up with”, which means that it may not be allocated sufficient budget or regarded as the business enabler that it is. One of the most effective ways to encourage compliance with recognised standards (NIST, ISO27001, ISM, Essential 8 etc.) is to mandate it with legislation. Legislated compliance provides confidence to end-users and business stakeholders. (Greenwald, 2015)

Consider healthcare as an example. The industry is notoriously immature in cyber security, with more breaches suffered than any other sector (OAIC 2018). Statistically, over 50% of its data breaches occur due to human error (Verizon 2018), which speaks to a lack of training and enforced standards. By comparison, the US has healthcare-specific legislation in the form of the Health Insurance Portability and Accountability Act (HIPAA), which provides data privacy and security provisions for safeguarding medical information. Almost 1 million people have elected to opt out of the Australian Digital Health Agency’s My Health Record due to a perceived lack of appropriate security measures (ABC News, 2018). Australia’s adoption of an approach similar to HIPAA would go a long way towards improving the cyber maturity of Australian healthcare and the trust of the Australian public.

Another issue with the lack of industry-specific regulation and legislation is that organisations are not aware of their data privacy obligations. If an organisation suffers a data breach, non-compliance with its legal and regulatory obligations could mean large fines, greater financial loss, and potential loss of trust with its customers and stakeholders. For organisations and industries to thrive and grow, they need to be digitally enabled and digitally driven to keep pace with competitors, both domestic and international. Organisations using cutting-edge technologies can create new products and services, and create better end-user experiences.

To innovate rapidly, cyber security must be prioritised and viewed as a business enabler rather than an expensive anchor. Legislation that has been drafted in cooperation with industry stakeholders will aid cybersecurity maturity and compliance in digital transformation and increase the resilience and performance of Australia on the world stage.

Do you think legislatively mandated compliance with cyber security standards is a good idea? Please feel free to comment your thoughts on this issue below. You can read more of my writing or discuss speaking requests at ssedgwick.com

When computer hackers turn out to be the good guys – UNSW Business Think

I contributed to this article for the University of NSW (UNSW) Business Think Journal https://www.businessthink.unsw.edu.au/Pages/When-computer-hackers-turn-out-to-be-the-good-guys.aspx

The popular image of a computer hacker is a hoodie-wearing night owl, a ‘black hat’ who remotely breaks into an organisation’s systems, intent on mischief, financial gain, or political exposure.

But while wearing a hoodie and operating at night may still be de rigueur, recent years have seen the emergence of a new breed – ‘white hat’ hackers, who do what they do legally and with an organisation’s blessing, with some getting paid as much as $350,000 a year to do so.

Mortada Al-Banna, a doctoral researcher in the school of computer science and engineering at UNSW, and his academic colleagues have investigated this phenomenon of crowdsourced vulnerability discovery, interviewing 36 key informants from various organisations about the challenges and benefits of inviting outsiders to test their computer systems in this way.

“I’m interested in how externally generated events affect the security posture of an organisation, and crowdsourcing security is one of these,” Al-Banna says.

While the first award of a ‘bug bounty’ (a payment for finding and reporting a bug) was by web browser company Netscape as far back as 1995, the wider industry remained sceptical.

But in 2017, this attitude was transformed in remarkable fashion when the US Department of Defense announced via website Hackerone that they wanted people to “hack the Pentagon”.

“This has motivated a lot of companies to get involved,” says Al-Banna. “The Department of Defense started small and then expanded, and the US government is currently considering expanding the program throughout all areas of their operation.”

‘Humans are actually better at this. They are more creative and look for the unexpected’

Test your system
Al-Banna’s research has revealed a number of challenges and reservations that organisations have about crowdsourced vulnerability discovery, including the lack of managerial expertise to run a successful bug bounty program, the possibility of low-quality submissions and cost escalations, and a general distrust of ‘white hat’ hackers.

“If companies want to run a bug bounty, but want to minimise the problems, there are techniques to help them do this,” says Al-Banna.

But while it’s possible to automate, say, the examining of reports from bug hunters to exclude duplication or out-of-scope issues, actually automating the process of looking for bugs is more difficult.
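The automatable part of a bounty programme that the paragraph above alludes to, report triage, is easier to see in code. The following is an added example and is not code from the UNSW article, from Al-Banna’s research or from any bounty platform; the programme scope (`app.example.com`, `api.example.com`, with `status.example.com` excluded) and the sample submissions are constructed for illustration. It flags out-of-scope hosts and groups reports of the same weakness at the same normalised endpoint as duplicates, with the earliest submission winning, which is the convention most programmes use.

```python
"""Bug bounty report triage: scope filtering and duplicate detection.

Added illustrative example; the scope and the submissions below are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed programme scope (assumption for this example, not a real programme).
SCOPE = {"app.example.com", "api.example.com"}
OUT_OF_SCOPE = {"status.example.com"}  # third-party hosted, explicitly excluded


@dataclass(frozen=True)
class Report:
    report_id: int   # ascending submission order
    weakness: str    # weakness label as submitted, e.g. "xss", "idor"
    url: str         # affected URL as submitted


def in_scope(url: str) -> bool:
    """A report is in scope only if its host is on the allow list and not excluded."""
    host = (urlparse(url).hostname or "").lower()
    return host in SCOPE and host not in OUT_OF_SCOPE


def fingerprint(report: Report) -> tuple:
    """Normalise a report so that the same bug hit via different records collides.

    Purely numeric path segments (record ids) become '{id}'; query parameter
    names are kept in sorted order and their values are dropped.
    """
    parsed = urlparse(report.url)
    host = (parsed.hostname or "").lower()
    path = "/".join("{id}" if re.fullmatch(r"\d+", seg) else seg
                    for seg in parsed.path.split("/"))
    params = tuple(sorted(parse_qs(parsed.query, keep_blank_values=True)))
    return (report.weakness.lower(), host, path, params)


def triage(reports):
    """Return {report_id: status}; status is 'new', 'out_of_scope' or 'duplicate_of:<id>'."""
    first_seen = {}   # fingerprint -> report_id of the earliest submission
    result = {}
    for r in sorted(reports, key=lambda rep: rep.report_id):
        if not in_scope(r.url):
            result[r.report_id] = "out_of_scope"
            continue
        fp = fingerprint(r)
        if fp in first_seen:
            result[r.report_id] = f"duplicate_of:{first_seen[fp]}"
        else:
            first_seen[fp] = r.report_id
            result[r.report_id] = "new"
    return result


# Constructed submissions: two IDOR reports on different user ids, two XSS
# reports on the same search endpoint, and one report against an excluded host.
SAMPLE_REPORTS = [
    Report(101, "IDOR", "https://api.example.com/v1/users/42/invoices?page=1"),
    Report(102, "xss", "https://app.example.com/search?q=test"),
    Report(103, "idor", "https://api.example.com/v1/users/7/invoices?page=3"),
    Report(104, "xss", "https://status.example.com/?q=x"),
    Report(105, "XSS", "https://app.example.com/search?q=abc"),
]

if __name__ == "__main__":
    for report_id, status in triage(SAMPLE_REPORTS).items():
        print(report_id, status)
```

The scope check is deliberately an exact hostname match: a wildcard such as `*.example.com` would also admit hosts the programme never meant to include, which is exactly the out-of-scope noise the text describes. The fingerprint treats only numeric path segments as interchangeable, so two reports against different API versions or different parameter sets are still reviewed separately.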

“The current automated tools for looking for vulnerabilities are actually more ‘noisy’ than the crowd,” says Al-Banna.

“Humans are actually better at this. They are more creative, and look for the unexpected.”

So how can organisations make use of this research? Al-Banna’s advice is that businesses need to do their homework first.

“Don’t just jump straight into a bug bounty. You need to test your system yourself with [network] availability tools – bug hunters will use these themselves – before leveraging the crowd for problems that require more creative input.

“In the first instance, limit the scope and only invite in a small number of bug hunters. But if organisations keep it this way forever, they will not reap the benefit of crowdsourcing,” says Al-Banna.

Adrenaline rush
Despite being only 22 years of age, Shubham Shah is a veteran of the world of crowdsourced vulnerability discovery. His childhood interest in computer gaming and ‘game hacking’ (modifying games) soon escalated into the world of computer security. By the age of 13, he was hacking web applications.

Shah’s skills led him to work for professional services multinational EY, and then as a consultant for Bishop Fox, doing work for Fortune 500 companies. But he soon found he could make more money pursuing bug bounties, which he has done exclusively for the past year.

‘They can often show you where you are most vulnerable more effectively than your security team could identify’

“My first bug bounty was from PayPal. It took me eight hours to get into an internal network that they owned, and they paid me US$1500. If you’re good at it, the financial incentive is very high,” Shah says.

“When you find a big vulnerability in a big company, there’s an adrenaline rush. You feel you’ve achieved something big – like running a marathon. But you could spend many hours finding nothing, and there’s no model for predicting what money you’ll make.”

Shah envisages a wider move towards a crowdsourced economy, and not just in computer security – he cites the example of design consultancy 99 Designs, which has been operating a similar model in its industry.

“Traditional consulting, where companies charge even if they ultimately do nothing, involves a waste of resources,” he says. “It’s not based on results.”

During the next five to 10 years, Shah believes that low-level bug hunting will become automated – which will focus the attention of the crowd on being more creative, and searching for more serious vulnerabilities.

“We’re currently paying the crowd to do what is in effect manual labour. We’re encouraging ‘noise’, and it’s a significant effort for a company to run a bounty,” Shah says.

“The only way to reduce the noise is to automate what can be automated.”

Establishing parameters
Shannon Sedgwick, a senior manager for cyber risk at Deloitte Canberra, has experience of employing ‘white hat’ hackers and observing the benefits they can bring to an organisation.

“In my experience, the industry is quite open about engaging with ‘white hats’,” he says. “Google paid out US$3 million in bounties in 2017, and some individual bounties can be as much as $100,000.”

Sedgwick believes that, even with the large budgets available to companies such as Google or Apple, ‘white hat’ hackers can be more efficient and cost-effective than companies performing the same tasks with internal staff.

“They can often show you where you are most vulnerable more effectively than your security team could identify. A plan is only effective if you’ve tested that plan, and this is especially true for security systems.”

Another advantage for companies is that ‘white hat’ penetration testing typically occurs outside of business hours, thus minimising potential disruptions to their business operations.

If a company is considering offering bounties for the first time, Sedgwick suggests trialling the process internally first and then, when approaching the market, establishing strict NDAs [non-disclosure agreements] and parameters of what is under review and cannot be exploited.

“Don’t release all of your applications and systems for testing at once, and engage an experienced specialist security company to oversee the process,” he says.

For Sedgwick, one of the challenges for companies engaging with ‘white hat’ hackers is the risk that some can edge towards becoming ‘grey hats’, who identify vulnerabilities but don’t report them, going on to exploit the vulnerabilities for financial gain or selling them to interested parties on the dark web.

“If ‘white hats’ feel they’ve been treated poorly by a company – for example, being underpaid, or not appreciated – then they can cause problems.”

But importantly for Sedgwick, the boards of organisations have to understand that information security is a business risk, not just a technology risk.

“They need to identify their critical data and assets, and direct appropriate resources to those as a priority,” he says.

“You need to consider the big picture. You can patch vulnerabilities all day, but if a company’s governance and security strategy are not effective, then patching vulnerabilities is not going to do the trick.”

Australian Government – The State of Cyber

“Australia and Australians are targets for malicious actors—including serious and organised criminal syndicates and foreign adversaries—who are all using cyberspace to further their aims and attack our interests.” (MP, n.d.)

Amongst the never-ending acronyms of Canberra’s public service are the government agencies and departments that guide the direction and implementation of the Australian Government’s cyber security strategy. They include the Australian Signals Directorate (ASD) and its subsidiary the Australian Cyber Security Centre (ACSC), the Attorney General’s Office, the Department of the Prime Minister and Cabinet (PM&C), the Department of Home Affairs, CERT Australia, and the Department of Defence (DoD). The collective aim of these agencies and departments is to improve the resilience and cyber security posture of the Australian Government, private industry, and its citizens. They are the first line of defence for Australia in the protection against cyber criminals, espionage, and insider threats. There are unique challenges faced by these organisations, and I will shed some light on these challenges and the progress of our government’s cyber security strategy since its introduction in 2016 (The Department of Prime Minister and Cabinet, 2016).

The 2016 Australian Cyber Security Strategy addressed five key goals:

1 – Governments, business and the research community together advance Australia’s cyber security through a national cyber partnership,
2 – Australia’s networks and systems are hard to compromise and resilient to cyber attacks,
3 – Australia promotes an open, free and secure cyberspace by taking global responsibility and exercising international influence,
4 – Australian businesses grow and prosper through cyber security innovation, and
5 – Australians have the cyber security skills and knowledge to thrive in the digital age.

These five goals are laudable fundamentals for which to strive. One of the main issues in achieving these goals is that the Cyber Security Strategy did not address exactly how it was going to implement these plans or quantitatively measure its progress. The Strategy breaks down the five goals into 33 separate action points, which may prove unwieldy. A better approach would be to identify the essential action points and prioritise them according to their severity of risk to the overall five goals.

Australian National Audit Office (ANAO) audit reports of various federal agencies make it clear that the government has more work to do in the implementation of its Strategy Action Plan. The ANAO found that the majority of the agencies it audited did not meet the mandatory standards set by the ASD in April 2013, the Top 4 Mitigation Strategies. The Top 4 are a subset of the ASD Essential Eight, which will soon replace the Top 4 as the minimum standard that Australian Government agencies must meet. The Essential Eight are:

  1. Application whitelisting
  2. Restrict administrative privileges
  3. Patch applications
  4. Patch operating systems
  5. Disable untrusted Microsoft Office macros
  6. Multi-factor authentication
  7. User application hardening
  8. Daily backup of important data

The only agency in the ANAO’s purview considered “Top 4 compliant” and “resilient” was the Department of Human Services (DHS). The Australian Taxation Office (ATO) has since achieved Top 4 compliance too.

Whether compliance with the ASD’s Top 4 or any other government regulation signifies an organisation is cyber-resilient is arguable. When too great a focus is on compliance, it can create a “tick the box” culture instead of addressing the principal risks and threats to an organisation’s assets. The ANAO hit the nail on its proverbial head in their recent Performance Audit Report describing what makes an organisation “cyber-resilient”: “cyber-resilient organisations demonstrate a leadership culture and behaviours that prioritise cybersecurity and focus on it. They do more than comply with mandatory requirements; they demonstrate an effective security culture.” (Australian National Audit Office, 2018)

One could be forgiven for not fully understanding which government advice to follow. There is a plethora of different advice and regulations to which industry and government alike can subscribe and align themselves: ASD Top 4, ASD Essential 8, ASD Top 35, Australian Information Security Manual (ISM), Australian Defence Security Manual (DSM), ISO27001, National Institute of Standards and Technology (NIST) Cyber Security Framework, PCI-DSS, Notifiable Data Breach (NDB) Scheme, and the list goes on. Therein lies another problem. An overabundance of security advice can lead to confusion and cause organisations to either do nothing, over-compensate or attempt to comply with an ineffective mix of national and international standards.

A lack of budget allocation may also be to blame for the slow progress in increasing cyber security maturity, with $230 million earmarked for Australia’s Cyber Security Strategy over four years. The US Government budget for cyber security is approximately A$26 billion, and the UK Government has allotted A$800 million to its cyber security efforts. When you consider the likelihood of cyber attacks and the possible damage caused by breaches to critical infrastructure and national security, one could argue that spending on cyber is a long way from being sufficient.

It is certainly not all bad news though. The government has opened four Joint Cyber Security Centres (JCSC) throughout Australia, which allow the sharing of threat intelligence and collaboration between government, academia, and industry. An additional $30 million in funding has been granted to an industry-led Australian Cyber Security Growth Network that “brings together businesses and researchers to provide a foundation for the development of next-generation products and services required to live and work securely in our increasingly connected world.” (Aust Cyber, 2018)

The Department of Home Affairs has developed initiatives such as the Cyber Security Challenge, which promotes the cyber security industry to graduates, with a particular focus on women in cyber. The reform of the Protective Security Policy Framework (to be released October 1st 2018) to a “principles-based” approach is a welcome change from the previous unwieldy and overly prescriptive version. The revision seeks to simplify the framework by separating guidance material from mandatory requirements. Alastair MacGibbon, the National Cyber Security Adviser & Head of the Australian Cyber Security Centre, has also dramatically increased the ACSC’s staff numbers in a relatively short amount of time. This increase in resources will help to further develop collaboration between industry and government and improve Australia’s cyber resilience and standing on the global cyber stage.

Advanced information and communication technologies (ICT) are necessary for the success of industry, consumer, and government activities, and ICT security should be of the highest priority. Australia is taking steps to address the threats from advancing technology. However, we are lagging behind the pace of other Western countries. (Austin, 2016)

A robust and effective cyber security strategy is critical to the protection of Australia and its citizens and for a profitable technology-led industry. Effective strategy implementation across government, a cyber-aware and resilient culture, continued collaborative engagement between government and industry, a unified and simplified approach to regulations and standards, and adequate funding are required for Australia to thrive in the digital age and successfully respond to cyber incidents, deter cyber attacks, and protect against threats from both cyber criminals and foreign interference.

As published in Australian Security Magazine Aug/Sep Edition https://issuu.com/apsm/docs/emag_asm_aug_sep_2018/12


Cyber Security in Banking

With the recent coverage of the Australian Prudential Regulation Authority’s (APRA) release of its first prudential standard on cybersecurity for financial services firms, security in banking has been a much-discussed topic. Cybersecurity is a prevalent issue in the minds of senior managers, CROs, and CISOs across all industries. Arguably, none are more concerned about this issue than the banking sector. But what should banks be focused on regarding meeting regulatory standards and their overall resilience against cybercrime?

Banks are increasingly looking to improve the customer experience through innovation and digitalisation. Online banking, card-less withdrawals, wearable transactions, mobile credit card readers, connected ATMs, and banking apps are all examples of innovative technologies designed to improve operability and gather more data on their customers. However, this pursuit of digitalisation also increases the risk to customer data and security.

The data collected by the banks assists them in assessing their customers’ needs and provides insights that allow more customised products and services. The banking system is built on maintaining the trust of its customers by keeping their data confidential and secure. Trust is not to be underestimated: it gives a competitive edge and will assist in gaining and retaining customers.

Banks need to develop a holistic approach to cybersecurity to establish and maintain this trust. Robust security frameworks, policies, and procedures should be implemented to enhance cyber resilience. These frameworks, systems, policies, and procedures need to be continually monitored and updated to allow for rapid response times and faster recovery. To develop an effective cybersecurity strategy, there need to be strict policies and guidelines in place to guide organisational culture and behaviour. There also need to be pre-determined plans and procedures, with allocated responsibilities, for the event of a cyber breach.

Senior management is responsible for cyber risk management and ensuring that cybersecurity is treated as a business and strategic risk, not just an IT risk. Investing in staff cyber-awareness training, improved security software, intelligence gathering and sharing with government and industry peers, enhanced encryption, efficient use of reporting and metrics, robust frameworks and policies, and a risk-aware culture will lead to greater customer trust, increased profits, and a more stable industry for the future.