
AusCERT2013 Conference Report – This time it’s personal

James Sankar, AARNet’s Director, Enterprise Services reports:

AusCERT2013, the 12th annual AusCERT Information Security Conference, was held from 20th-24th May 2013 at the RACV Royal Pines Resort on Queensland’s Gold Coast, Australia.

The theme for AusCERT2013 was “This time, it’s personal”, reflecting the growth in attacks and unauthorised disclosures of online personal information. Motivated by illicit financial gain, cyber criminals obtain unauthorised access to personal information, but more and more, we are seeing data disclosures being posted publicly by attackers for political motives, rather than financial gain.

Overall, AusCERT2013 was an impressive conference that covered technical and strategic topics of interest. The security industry offers a number of products and services but relies on the mutual sharing of incidents and vulnerabilities when attacks are widespread.

Summary of the keynotes and executive sessions:

Michael T Jones, Google’s Chief Technology Advocate, explained the importance of two-factor authentication with mobile phone SMS messages alongside default secure HTTP webpages to improve secure searches. Google has gone further to inform users of any links that are known to include malware.

See https://www.virustotal.com/en/ for free checking of files and websites using 300+ products, with the aim of raising the bar for vendor and end-user awareness.

HD Moore, Chief Security Officer at Rapid7 and Chief Architect of Metasploit, presented his latest research on global vulnerability analysis. Through the use of botnets, traceroutes and reverse DNS, he collated glaring security holes and translated them into a global map highlighting the 18 most exposed ports. Interestingly, the Australian results showed less than 20% relative deviation for any service when compared to global results.

Key vulnerabilities include:

  1. Universal Plug and Play ports with few vendor updates.
  2. SNMP read access exposing critical information.
  3. The use of default or recognisable usernames and passwords.
  4. Telnet router shells with open access (no passwords) on 10,000 routers.
  5. 3,000 Linux systems that drop to root access.

Mark Fabro, President and Chief Security Scientist, Lofty Perch, Inc, provided insight on SCADA (supervisory control and data acquisition), a type of industrial control system (ICS) which, if attacked, increases the potential for physical real-world impacts. The energy sector is at high risk of command and control systems exploitation.

See the World Economic Forum Cyber Vulnerabilities report for more detail at http://www3.weforum.org/docs/WEF_IT_PathwaysToGlobalCyberResilience_Report_2012.pdf

Companies need to consider not only their own networks and infrastructure but also their supply chain and any services sourced from cloud computing service providers, where interdependencies could create the unthinkable if proactive planning through threat tree scenarios is not developed to mitigate future attacks.

Applying the cyber kill chain allows attack behaviours to be identified and managed. See http://www.digitalbond.com/blog/2011/11/22/applying-the-cyber-kill-chain-to-ics-part-1/ for more.

Marcus Ranum, Chief Security Officer, Tenable Network Security, gave a refreshing talk on how the military rhetoric in cyber security is misplaced, using real-world examples of war over the ages that simply do not make sense in cyberspace. He notes that Cyberwar was simply a move to keep traditional machines of war in business.

See http://www.amazon.com/Transformation-War-Reinterpretation-Conflict-Clausewitz/dp/0029331552

Today, network engineers are on the frontline as espionage offers a more effective avenue in cyberspace. Distributed warfare is making everyone the frontline. Marcus recommends reading http://www.amazon.com/Lic-2010-Operations-Unconventional-Brasseys/dp/0080359825 for those more interested in this subject.

The AusCERT Executive session explored three use cases:

  1. A leading bank implemented extreme cyber security scenario planning within traditional risk analysis. The deep analysis took many months to complete but allowed the organisation to work with all business units to secure funding and pathways for strategic improvements or acceptable risks. For more see Extreme Cyber Scenario Planning on LinkedIn.
  2. A leading telecommunications carrier described its committee-based approach to translating security drivers through IT and business teams in order to identify and measure who inappropriately touches the corporate network from the outside, build relationships with CERT, and invest in tools for fine-grained analysis to improve security responsiveness. All aspects of business action, from technical to PR, resulted in response plans: executive devices were migrated to borrowed secure devices for certain countries, and external penetration tests and strategies for mobile devices were introduced to facilitate business activity in secure ways.
  3. A leading retailer shared details of its risk process and how outsourcing risk required building relationships and partnerships to market the value of IT security to the board, CIO, internal audit and business units, so that third-party applications such as Google Apps have a secure framework. It stressed the importance of a security brand with accountability and responsibility, where the business's options to invest, or to accept and record accepted risks, are supported.

Final Thoughts:

The growth in targeted, personal and insurgent-like one-off attacks, which have moved from pranks to criminal gain (financial or espionage), places new demands on all employees and executives to increase their awareness of security issues around accessing third-party services, bring-your-own devices, and industrial control systems that have physical impacts on the way we live and work.

Securing competitive advantages in a highly competitive global world is being impacted through espionage and disruption.

