Cyber Security Trends Opined

It is no secret that cyber is, and will continue to be the hot topic in 2019, with global cyber security spending expected to reach USD 124 billion (Gartner). We have all heard the spiel of “technology is evolving, and security must evolve with it” and “as technology innovation increases so does the cyber security risk”. I am not going to bore you to death by repeating what we all have heard a thousand times. Don’t even get me started on the incessant sharing of the same news story when a breach occurs…..

277269_Papel-de-Parede-Meme-Virando-a-Mesa_1600x1200[1]

But I digress! In this short piece, I lay out my opinion (rant) of the current market trends and nuances I have seen in Australia across both government and private industry.
“Vendor agnostic” does not always mean vendor agnostic.
– This is particularly true in Federal government. CIO/CISOs/whoever (the buyer) will identify a requirement/gap and assess potential solutions that will fit in with their overall business and its architecture. Often, before an RFQ is even issued, the buyer will already have a solution or provider in mind. Of course, probity and abiding by the government’s strict procurement regulations prevent them from going direct in most cases. If an RFQ seems like it has been written with a specific vendor in mind, (some are even written by the preferred vendor, although no one will admit to that), then it probably is. It is a useful skill to be able to spot these types of RFQs, and if you cannot provide that particular brand or solution, then it might be best to pass on that opportunity.

11697618

Organisations want a silver bullet, or as close to it as possible
– CIO/CISO/buyers are not overly interested in what “value-adding” vendors can provide or their capabilities. They don’t want your “spray and pray” spam emails and cold calls. That’s rookie s@$t man! They want to know if a vendor can identify and solve more than one of their problems at once. Procurement preference has shifted from deeply specialised providers to a vendor that can provide a platform that performs a wide range of functions adequately. A “one-stop-shop” if you will. The focus is largely now on the following:
o Does the solution solve multiple problems?
o Will the solution integrate with the current architecture and is it easy for staff to manage?
o Can it be automated?
Consider the above before you start marketing your solution and pitching to the CIO/CISO/whoever.

what-if-i-told-you-there-is-no-silver-bullet

IoT is not going away. Ever.
– IoT devices are proliferating like, well, rabbits… I and many others like @Lani Refiti have spoken about this issue many times. There is no sign of slowing down, and the lack of enforceable standards means security is not baked into the product lifecycle from the beginning. They are notoriously difficult, if not impossible, to update/patch, and to respond effectively to the threats posed by IoT, an iterative and adaptive approach is needed. Organisations are gradually becoming more aware of the risk and have taken a more considered approach to their use of IoT devices. Considerations like “do we really need a connected fridge that informs us when we are out of milk?” or “is it possible that my toaster is a Decepticon?” (The answer is “Yes” by the way).

iotJackson

There will be some (see “many”) that still have not implemented basic security standards
– There are security standards which should be common across all organisations by now. If your organisation (particularly mid to large size organisations) has not implemented the following, you should give yourself a swift uppercut (figuratively… or literally. Up to you.) This is obviously a non-exhaustive list. I just picked a few.
o Cyber awareness training for all staff and contractors. The majority of breaches are caused by human error so this one is a “no-brainer”. There is great training available for as little as $50/person. It will be cheaper than a breach. I promise.
o Cyber security as an ongoing topic of discussion at board/leadership meetings. A top-down focus on cyber will flow through the rest of the organisation.
o Backups. PLEASE, PLEASE back up your organisation’s data. Daily preferably. It is fairly straightforward and cost-effective to set up. Should the worst happen, then you won’t lose everything.
o Encrypt your data, including data at rest. This goes a long way to preventing unauthorised users from being able to view your data, even if they are able to get their mitts on it.
o Multi-factor authentication. Enable it on all applications. On every device. Even your Tinder account has MFA, for all you single people.

a2b5247a7df4fa62fd6965676dc4275a
Final thoughts (see “disclaimer”)
– This piece is just my weekend thoughts on paper and does not reflect the beliefs of my employer etc. etc. Take it with a grain of salt and some humour. I welcome constructive feedback and opinions on any or all of the topics I have discussed.

For more of my thoughts/ramblings, visit ssedgwick.com

But-Im-Not-Ready-To-Say-Good-Bye-Meme

Legislation and Cyber Security

Data privacy and cyber security legislation have been a hot topic in Australia of late, with the implementation of the European GDPR, the Notifiable Data Breach Scheme under the Privacy Act 1988, and more recently, the Australian Government’s proposed Assistance and Access Bill (2018). The Assistance and Access Bill, in particular, is causing concern amongst the wider Australian public, privacy watchdogs, technology giants, and telecommunications providers about the level of government access to encrypted information. Aided by an international media “frenzy”, there is an increasing fear of over-regulation and unintended consequences for the privacy of individuals or organisations.

The new laws announced in August of this year are focused on cybercrime and aiding police and intelligence services investigating cybercriminals. I believe they’re a step in the right direction towards achieving a balance between privacy and the practical safeguarding of national security. In our dealings with the public sector, it’s clear that there is a lack of legislation and regulation in Australia that is industry specific. Many within the Australian industry view cyber security as something they have to “put up with”, which means that it may not be allocated sufficient budget or regarded as the business enabler that it is. One of the most effective ways to encourage compliance with recognised standards (NIST, ISO27001, ISM, Essential 8 etc.) is to mandate it with legislation. Legislated compliance provides confidence to end-users and business stakeholders. (Greenwald, 2015)

Consider healthcare as an example. The industry is notoriously immature in cyber security maturity with more breaches suffered than any other sector (OAIC 2018). Statistically, over 50% of their data breaches occur due to human error (Verizon 2018), which speaks to a lack of training and enforced standards. By comparison, the US has healthcare-specific legislation in the form of the Health Insurance Portability and Accountability Act (HIPAA) that provides data privacy and security provisions for safeguarding medical information. Almost 1 million people have elected to opt out of the Australian Digital health Agency’s My Health Record due to a perceived lack of appropriate security measures. (ABC News, 2018) Australia’s adoption of a similar approach to the US’ HIPAA would go a long way towards improving the cyber maturity of Australian healthcare and the trust of the Australian public.

Another issue with the lack of industry-specific regulation and legislation is that organisations are not aware of their data privacy obligations. If an organisation suffers a data breach, non-compliance with their legal and regulatory obligations could equal large fines, greater financial loss, and potential loss of trust with their customers/stakeholders. For organisations and industries to thrive and grow they need to be digitally enabled and digitally driven to keep pace with competitors, both domestic and international. Organisations using cutting-edge technologies can create new products and services, and create better end-user experiences.

To innovate rapidly, cyber security must be prioritised and viewed as a business enabler rather than an expensive anchor. Legislation that has been drafted in cooperation with industry stakeholders will aid cybersecurity maturity and compliance in digital transformation and increase the resilience and performance of Australia on the world stage.

Do you think legislatively mandated compliance with cyber security standards is a good idea? Please feel free to comment your thoughts on this issue below. You can read more of my writing or discuss speaking requests at ssedgwick.com

When computer hackers turn out to be the good guys – UNSW Business Think

I contributed to this article for the University of NSW (UNSW) Business Think Journal https://www.businessthink.unsw.edu.au/Pages/When-computer-hackers-turn-out-to-be-the-good-guys.aspx

The popular image of a computer hacker is a hoodie-wearing night owl, a ‘black hat’ who remotely breaks into an organisation’s systems, intent on mischief, financial gain, or political exposure.

But while wearing a hoodie and operating at night may still be de rigueur, recent years have seen the emergence of a new breed – ‘white hat’ hackers, who do what they do legally and with an organisation’s blessing, with some getting paid as much as $350,000 a year to do so.

Mortada Al-Banna, a doctoral researcher in the school of computer science and engineering at UNSW, and his academic colleagues have investigated this phenomenon of crowdsourced vulnerability discovery, interviewing 36 key informants from various organisations about the challenges and benefits of inviting outsiders to test their computer systems in this way.

“I’m interested in how externally generated events affect the security posture of an organisation, and crowdsourcing security is one of these,” Al-Banna says.

While the first award of a ‘bug bounty’ (a payment for finding and reporting a bug) was by web browser company Netscape as far back as 1995, the wider industry remained sceptical.

But in 2017, this attitude was transformed in remarkable fashion when the US Department of Defense announced via website Hackerone that they wanted people to “hack the Pentagon”.

“This has motivated a lot of companies to get involved,” says Al-Banna. “The Department of Defense started small and then expanded, and the US government is currently considering expanding the program throughout all areas of their operation.”

‘Humans are actually better at this. They are more creative and look for the unexpected’

Test your system
Al-Banna’s research has revealed a number of challenges and reservations that organisations have about crowdsourced vulnerability discovery, including the lack of managerial expertise to run a successful bug bounty program, the possibility of low-quality submissions and cost escalations, and a general distrust of ‘white hat’ hackers.

“If companies want to run a bug bounty, but want to minimise the problems, there are techniques to help them do this,” says Al-Banna.

But while it’s possible to automate, say, the examining of reports from bug hunters to exclude duplication or out-of-scope issues, actually automating the process of looking for bugs is more difficult.

“The current automated tools for looking for vulnerabilities are actually more ‘noisy’ than the crowd,” says Al-Banna.

“Humans are actually better at this. They are more creative, and look for the unexpected.”

So how can organisations make use of this research? Al-Banna’s advice is that businesses need to do their homework first.

“Don’t just jump straight into a bug bounty. You need to test your system yourself with [network] availability tools – bug hunters will use these themselves – before leveraging the crowd for problems that require more creative input.

“In the first instance, limit the scope and only invite in a small number of bug hunters. But if organisations keep it this way forever, they will not reap the benefit of crowdsourcing,” says Al-Banna.

Adrenaline rush
Despite being only 22 years of age, Shubham Shah is a veteran of the world of crowdsourced vulnerability discovery. His childhood interest in computer gaming and ‘game hacking’ (modifying games) soon escalated into the world of computer security. By the age of 13, he was hacking web applications.

Shah’s skills led him to work for professional services multinational EY, and then as a consultant for Bishop Fox, doing work for Fortune 500 companies. But he soon found he could make more money pursuing bug bounties, which he has done exclusively for the past year.

‘They can often show you where you are most vulnerable more effectively than your security team could identify’

“My first bug bounty was from PayPal. It took me eight hours to get into an internal network that they owned, and they paid me US$1500. If you’re good at it, the financial incentive is very high,” Shah says.

“When you find a big vulnerability in a big company, there’s an adrenaline rush. You feel you’ve achieved something big – like running a marathon. But you could spend many hours finding nothing, and there’s no model for predicting what money you’ll make.”

Shah envisages a wider move towards a crowdsourced economy, and not just in computer security – he cites the example of design consultancy 99 Designs, which has been operating a similar model in its industry.

“Traditional consulting, where companies charge even if they ultimately do nothing, involves a waste of resources,” he says. “It’s not based on results.”

During the next five to 10 years, Shah believes that low-level bug hunting will become automated – which will focus the attention of the crowd on being more creative, and searching for more serious vulnerabilities.

“We’re currently paying the crowd to do what is in effect manual labour. We’re encouraging ‘noise’, and it’s a significant effort for a company to run a bounty,” Shah says.

“The only way to reduce the noise is to automate what can be automated.”

Establishing parameters
Shannon Sedgwick, a senior manager for cyber risk at Deloitte Canberra, has experience of employing ‘white hat’ hackers and observing the benefits they can bring to an organisation.

“In my experience, the industry is quite open about engaging with ‘white hats’,” he says. “Google paid out US$3 million in bounties in 2017, and some individual bounties can be as much as $100,000.”

Sedgwick believes that, even with the large budgets available to companies such as Google or Apple, ‘white hat’ hackers can be more efficient and cost-effective than companies performing the same tasks with internal staff.

“They can often show you where you are most vulnerable more effectively than your security team could identify. A plan is only effective if you’ve tested that plan, and this is especially true for security systems.”

Another advantage for companies is that ‘white hat’ penetration testing typically occurs outside of business hours, thus minimising potential disruptions to their business operations.

If a company is considering offering bounties for the first time, Sedgwick suggests trialling the process internally first and then, when approaching the market, establishing strict NDAs [non-disclosure agreements] and parameters of what is under review and cannot be exploited.

“Don’t release all of your applications and systems for testing at once, and engage an experienced specialist security company to oversee the process,” he says.

For Sedgwick, one of the challenges for companies engaging with ‘white hat’ hackers is the risk that some can edge towards becoming ‘grey hats’, who identify vulnerabilities but don’t report them, going on to exploit the vulnerabilities for financial gain or selling them to interested parties on the dark web.

“If ‘white hats’ feel they’ve been treated poorly by a company – for example, being underpaid, or not appreciated – then they can cause problems.”

But importantly for Sedgwick, the boards of organisations have to understand that information security is a business risk, not just a technology risk.

“They need to identify their critical data and assets, and direct appropriate resources to those as a priority,” he says.

“You need to consider the big picture. You can patch vulnerabilities all day, but if a company’s governance and security strategy are not effective, then patching vulnerabilities is not going to do the trick.”

Australian Government – The State of Cyber

Australia and Australians are targets for malicious actors—including serious and organised criminal syndicates and foreign adversaries—who are all using cyberspace to further their aims and attack our interests.” (MP, n.d.)

Amongst the never-ending acronyms of Canberra’s public service are government agencies and departments, who guide the direction and implementation of the Australian Government’s cyber security strategy. Agencies and departments such as the Australian Signals Directorate (ASD) and their subsidiary the Australian Cyber Security Centre (ACSC), the Attorney General’s Office, the Department of the Prime Minister and Cabinet (PM&C), the Department of Home Affairs, CERT Australia, and the Department of Defence (DoD). The collective aim of these agencies and departments is to improve the resilience and cyber security posture of the Australian Government, private industry, and its citizens. They are the first line of defence for Australia in the protection against cyber criminals, espionage, and insider threats. There are unique challenges faced by these organisations, and I will shed some light on these challenges and the progress of our government’s cyber security strategy since it’s introduction in 2016 (The Department of Prime Minister and Cabinet, 2016).

The 2016 Australian Cyber Security Strategy addressed five key goals;

1 – Governments, business and the research community together advance Australia’s cyber security through a national cyber partnership,
2 – Australia’s networks and systems are hard to compromise and resilient to cyber attacks,
3 – Australia promotes an open, free and secure cyberspace by taking global responsibility and exercising international influence,
4 – Australian businesses grow and prosper through cyber security innovation, and
5 – Australians have the cyber security skills and knowledge to thrive in the digital age.

These five goals are laudable fundamentals for which to strive. One of the main issues in achieving these goals is that the Cyber Security Strategy did not address exactly how it was going to implement these plans or quantitatively measure its progress. The Strategy breaks down the five goals into 33 separate action points, which may prove unwieldy. A better approach would be to identify the essential action points and prioritise them according to their severity of risk to the overall five goals.

Australian National Audit Office (ANAO) audit reports of various federal agencies make it clear that the government has more work to do in the implementation of its Strategy Action Plan. The ANAO found that the majority of the agencies it audited did not meet the mandatory standards set by the ASD in April 2013, the Top 4 Mitigation Strategies. The Top 4 are a subset of the ASD Essential Eight, which will soon replace the Top 4 as the minimum standard with which Australian Government agencies must meet. The Essential eight are:

  1. Application Whitelisting
  2. Restrict administrative privileges
  3. Patch Application
  4. Patch Operating Systems
  5. Disable untrusted Microsoft Office macro
  6. Multi-factor authentication
  7. User application hardening
  8. Daily backup of important data

The only agency in the ANAO’s purview considered “Top 4 compliant” and “resilient” was the Department of Human Services (DHS). The Australian Taxation Office (ATO) has since achieved Top 4 compliance too.

Whether compliance with the ASD’s Top 4 or any other government regulation signifies an organisation is cyber-resilient is arguable. When too great a focus is on compliance, it can create a “tick the box” culture instead of addressing the principal risks and threats to an organisation’s assets. The ANAO hit the nail on its proverbial head in their recent Performance Audit Report describing what makes an organisation “cyber-resilient”: “cyber-resilient organisations demonstrate a leadership culture and behaviours that prioritise cybersecurity and focus on it. They do more than comply with mandatory requirements; they demonstrate an effective security culture.” (Australian National Audit Office, 2018)

One could be forgiven for not fully understanding which government advice to follow. There is a plethora of different advice and regulations to which industry and government alike can subscribe and align themselves. ASD Top 4, ASD Essential 8, ASD Top 35, Australian Information Security Manual (ISM), Australian Defence Security Manual (DSM), ISO27001, National Institute of Standards and Technology (NIST) Cyber Security Framework, PCI-DSS, Notifiable Data Breach (NDB) Scheme, and the list goes on.  Therein lies another problem. An overabundance of security advice can lead to confusion and cause organisations to either do nothing, over-compensate or attempt to comply with an ineffective mix of national and international standards.

A lack of budget allocation may also be to blame for the slow progress of increasing cyber security maturity, with $230 million earmarked for Australia’s Cyber Security Strategy over four years. The US Government budget for cyber security is approximately A$26 billion, and the UK Government has alotted A$800 million to their cyber security efforts.  When you consider the likelihood of cyber attacks and the possible damage caused by breaches to critical infrastructure and national security, one could argue that spending on cyber is a long way from being sufficient.

It is certainly not all bad news though. The government has opened four Joint Cyber Security Centres (JCSC) throughout Australia which allows the sharing of threat intelligence and collaboration between government, academia, and industry. An additional $30 million in funding has been granted to an industry-led Australian Cyber Security Growth Network that “brings together businesses and researchers to provide a foundation for the development of next-generation products and services required to live and work securely in our increasingly connected world.” (Aust Cyber, 2018)

The Department of Home Affairs has developed initiatives such as the Cyber Security Challenge which promotes the cyber security industry to graduates, with a particular focus on women in cyber. The reforms of the Protective Security Policy Framework (to be released October 1st 2018) to a “principles-based” approach is a welcome change to the previous unwieldy and overly prescriptive version. The revision seeks to simplify the framework by separating guidance material and mandatory requirements. Alastair Macgibbon, the National Cyber Security Adviser & Head of Australian Cyber Security Centre, has also dramatically increased the ACSC’s staff numbers in a relatively short amount of time. This increase in resources will assist to develop collaboration between industry and government further and improve Australia’s cyber resilience and standing on the global cyber stage.

Advanced information and communication technologies (ICT) are necessary for the success of the industry, consumer, and government activities and ICT security should be of the highest priority. Australia is taking steps to address the threats from advancing technology. However, we are lagging behind the pace of other Western countries. (Austin, 2016)

A robust and effective cyber security strategy is critical to the protection of Australia and its citizens and for a profitable technology-led industry.  Effective strategy implementation across government, a cyber-aware and resilient culture, continued collaborative engagement between government and industry, a unified and simplified approach to regulations and standards, and adequate funding is required for Australia to thrive in the digital age and successfully respond to cyber incidents, deter cyber attacks, and protect against threats from both cyber criminals and foreign interference.

As published in Australian Security Magazine Aug/Sep Edition https://issuu.com/apsm/docs/emag_asm_aug_sep_2018/12