James Sankar, AARNet’s Director, Enterprise Services reports:
Cyber security is attracting a lot of attention in the media these days and speakers at the recent Cyber Security conference day at CEBIT 2013 in Sydney provided a range of perspectives and mitigation information. If you weren’t there, you might find my key takeaways useful.
The Threat and Countermeasures in Cyber Security – Joe Franzi, Assistant Secretary Cyber Security, Defence Signals Directorate (DSD) presented 35 mitigation strategies developed to catch (whitelisted applications), patch (up-to-date systems) and match (appropriate user permissions and access). A recently announced Cyber Security centre will coordinate efforts between agencies and the public and private sector.
Huawei’s Global Cyber Security Officer, John Suffolk presented Cyber Security Perspectives: 21st Century Technology and Security – A Difficult Marriage, explaining the 9 steps Huawei has taken to embed security, from requirements through to end of life. Components in hardware are all traceable and suppliers sign cyber security agreements to address vulnerabilities and ensure quality to various international standards. The question he posed was whether other commercial vendors have this same level of traceability.
Security Leaders Panel: New and Emerging Security Threats provided the following advice:
Many virtual threats need to be handled differently to physical threats, and resilience when encountering a black swan event needs preparation and planning as opposed to reliance on Government agencies and standards compliance.
Michael Sentonas, Chief Technology Officer & Vice President, McAfee Asia Pacific presented on “Shifting Focus From the Who to the How: Why Prevention is Better Than Attribution for Effective Cyber Security”, citing the need to move from a trial and error approach to security to a coordinated, orchestrated and adaptable defence through the collection of forensic information.
Dr Jodi Steel CSM, Director of Security and Environment Business, NICTA presented a NICTA and the US Defense Advanced Research Projects Agency (DARPA) Project case study. The study highlighted new ways to build physical and software based systems with mathematical reasoning for crash proof software that can verify device drivers and create compliance systems at higher assurance levels to lower the risk of hacking physical machinery. The standards in design aim to improve software standards in a cost effective way to protect control and command and software controlled physical systems.
Richard Stiennon, Chief Research Analyst, IT Harvest (USA) delivered the International Keynote: Welcome to the Age of Weaponised Malware. Richard explained how attacks could be a stepping-stone to your connections where “spearfishing” for information leads to attacks that are primarily designed to capture Intellectual Property for country advantage. Three malware risks driving these threats are (1) retaliation risk – risk of sensitive assets impacting the enterprise, (2) collateral risk – loss of controlled malware spreading, and (3) repurposing by cyber criminals using toolkits to exploit malware. The enterprise can respond by
Prof. Jay Guo, Research Director, Smart Secure Infrastructure, CSIRO Digital Productivity and Services National Flagship presented a Cyber-Crime Case Study: Using Social Media to Impersonate Brands, Build Trust, and Commit Fraud.
Case 1: A fraudulent corporate bank XYZ harvests Facebook followers and Google App store apps, enabling 60,000 downloads of a 99 cent app that did not work correctly, which led to a large customer care workload and brand reputation damage.
Case 2: A fake Twitter profile led 3,500 followers to a new trading platform to phish information.
Enterprises need to be proactive to threats by monitoring fake profiles across 200+ social media sites and fake app stores; this may be where a fraudwatch platform or service is needed.
Wayne Tufek, IT Security and Risk Manager, University of Melbourne presented on Mitigating Security Challenges Posed by Cloud Service Adoption. After highlighting key security risks he talked about the process for identifying data in terms of criticality when considering handover to a cloud provider and thinking about accessing a shared infrastructure (web servers, integration, access control, service desk/incident management, any data masking required). Business processes may need to change and it’s worth asking the cloud provider the following questions:
Wayne believes that service level agreements with cloud providers should include uptime and response time, penalties for downtime, details on event notification, data privacy and ownership and termination notice allowing time for data transfer. Customers should also have the right to regularly audit the cloud service provider.
Angela Coble, Global Manager, Enterprise Security & Risk Management, Johnson & Johnson gave a refreshing twist on addressing security with a Case Study: “SecureMe” & “ProtectingU”! Taking the “IT” out of SecurITy by adopting an educational campaign beyond IT with the business showcasing how IT can help in evolving technology whilst knowing the risks. She framed the discussion and context to determine risk by addressing fundamentals in protecting the ‘human’ first by helping staff recognize real risks (intentional or accidental) and that only people and their behavior can mitigate against physical and virtual risks, thus protecting the enterprise, job and staff and their families. A series of weekly videos on examples has helped improve all forms of security at Johnson & Johnson.
Damien Manuel, Security Specialist, One of the Big Four Australian Banks noted 2.5 quintillion bytes of data are produced daily on the Internet. Security has moved from firewalls, virtual LAN segmentation and intrusion protection into data analytics to identify a wide variety of threats from the likes of creative exploiters, script kiddies, the insider, corporate and industrial espionage, hacktivism, terrorists, organized crime and national sponsored threats. Other threats to consider are environmental (weather related), supply chain and lack of foresight. A range of techniques and disrupt vectors were presented. In short, we need to be aware of the threats, and analytics could be a way to develop pattern recognition as an early warning and response solution.