Australian Cyber Security Magazine, ISSUE 15, 2023


Is ChatGPT AI the next Superman or humanity's Kryptonite?

Will AI make us more secure?

Are you ready? How to be prepared for a security incident.

What should the cyber security committees report to the boards of directors?

Why security culture matters in Australia

Digital trust: A collaborative responsibility towards cyber resilient digital ecosystem

ChatGPT: AI for good or AI for bad camp

Cyberattacks: Why we need to shift the focus from prevention to containment

Issue #15, May 2023

AI VULNERABILITIES: UNCOVERING THE HIDDEN RISKS

PLUS: Tech & Sec weekly highlights

THE MAGAZINE FOR SECURITY & TECHNOLOGY PROFESSIONALS | www.australiancybersecuritymagazine.com.au

Security Operations

Use Case Guide

Improve your cyber resilience and vulnerability management while speeding up response times


Digital security workflows, automation, and orchestration speed up tasks such as analysis, prioritization, and remediation. Automatically correlate threat intelligence from multiple sources, including MITRE ATT&CK, or take action in other security or IT management tools from a central console. Track your security posture across the organization, as well as team and process performance, with fully-customizable reports and realtime dashboards.


Many organizations have millions, tens of millions, or even 100 million+ vulnerabilities, and Security must work together with IT to fix the most important ones quickly.


23-24 OCTOBER 2023, PAN PACIFIC HOTEL PERTH, WESTERN AUSTRALIA

Bringing together leaders from across the Indo-Pacific and beyond for opportunities in cross-sector technology and innovation

Western Australia's space capabilities include:

• Southern hemisphere location with ideal longitude for space situational awareness and global coverage of space assets.

• Geographically stable with clear skies, large arid areas, minimal radio interference, and radio-quiet zones.

• Significant communications, computational infrastructure, and technical expertise.

• Substantial capabilities in space systems, ground stations, astronomy, and planetary research.

• World-leading capabilities in remote operations, automation, and robotics utilizing ultra-low bandwidth satellite communications.

• Diverse and highly-skilled workforce with over 100 international and Australian space-related companies.

RESOURCES | AGRICULTURE | ROBOTICS | SUSTAINABILITY | SPACE | CRITICAL TECHNOLOGY | EDUCATION | INVESTMENT

Trade | Investment | Collaboration | Future Opportunities

REGISTER TODAY: WWW.SPACEANDEARTHCONFERENCE.COM

GREENSQUAREDC IS PROUD TO SPONSOR THE CYBER WEST SUMMIT IN PERTH, WHERE CYBERSECURITY PROFESSIONALS AND ENTHUSIASTS FROM ACROSS AUSTRALIA WILL CONVERGE OVER THIS ALL-IMPORTANT ISSUE.

At GreenSquareDC, we understand the critical importance of cyber security and the need to keep data secure, sustainable and local. Our state-of-the-art data centre design is equipped with cutting-edge security technology and round-the-clock monitoring, ensuring the highest level of physical and digital security for our clients.

We also prioritise sustainability. Our data centres are designed to be water positive, super resilient and carbon neutral day one with a clear and present pathway to the Net Zero future we should all hope and aspire to achieve.

As a local provider, we understand the importance of keeping our sovereign data within Australia. Our data centres are strategically located to ensure that your data stays safe and secure, and we’re committed to working with our customers to meet all unique needs and requirements.

Join us at the Cyber West Summit in Perth and discover how GreenSquareDC can help protect and future-proof your data. We’re proud to be a sponsor of this important event, and we look forward to seeing you there.

FOR MORE INFORMATION PLEASE VISIT GREENSQUAREDC.COM

LANGUAGE OF RISK - CYBER SECURITY, RISK AND VULNERABILITY MANAGEMENT

Interview with Sumedh Thakar, President and CEO of Qualys, on his visit to Australia and New Zealand to meet with customers and partners for a cyber risk management briefing: Has the ‘Language of Risk’ Evolved Enough to Save Us All? Recorded on 16 March, 2023. For more information visit www.qualys.com

XEM CONVERGED ENDPOINT MANAGEMENT

Interview with James Sillence

Vice President, Technical Account Management, South Asia for Tanium.

Tanium defends every team, endpoint and workflow against the largest attack surface in history by delivering the industry’s first convergence of IT management and security operations with a single platform under a new category, Converged Endpoint Management (XEM).

The integrated offering links IT operations, security and risk teams from a single pane of glass to provide a shared source of truth, a unified set of controls, and a common taxonomy that brings together siloed teams for a shared purpose — to protect critical information and infrastructure.

James has over 36 years of IT experience spanning diverse areas such as Cybernetics and Control Systems, Network and Application Performance, Data Storage and most latterly, Risk and Security.

For the last 10 years, James has been leading technology teams, helping organisations get the most from the solutions that they use to manage and protect their digital assets.


Digital Forensics and Incident Response Year In Review 2022

ENERGY EFFICIENCY AND TALENT DEVELOPMENT AT PAWSEY SUPERCOMPUTING CENTRE

Interview with Mark Stickells

Pawsey Supercomputing Research Centre

Mark Stickells leads the Pawsey Supercomputing Research Centre, a critical national research infrastructure located in Perth, Western Australia.

Before joining Pawsey, Mark led joint ventures between universities, CSIRO and industry delivering national and international research and education programs for Australia’s key energy, resources and agricultural sectors.

Appointed as a Fellow of the Australian Institute of Management in WA in 2019 and a Fellow of the Australian Institute of Company Directors in 2020, Mark is also a member of CEOs for Gender Equity.

Committed to supporting diversity and inclusion initiatives in his professional and personal life, Mark is an enthusiastic advocate for Pawsey's expertise and enterprise contributing to prosperity and well-being in its region, and for the nation and internationally.

Wrapping up, Mark and Aditi shared how Pawsey is now part of the “exascale” community, and how Pawsey will continue to actively support collaborations and sharing to tackle challenges beyond borders.



The Australian Institute of Professional Intelligence Officers takes great pleasure in inviting you to participate in the 32nd AIPIO Intelligence Conference and Exhibition, Intelligence 2023, at Hilton Adelaide on 16–18 August 2023. The AIPIO National Conference is the premier conference and networking event delivered for the extensive intelligence professionals’ community.

The AIPIO annual conference and exhibition has been conducted continuously since our establishment in 1991. The AIPIO (www.aipio.asn.au) is the peak representative body for intelligence practitioners in Australia. Our goal is to advance the professionalism of intelligence, and to achieve this goal the AIPIO works to sustain and grow a community of intelligence practitioners through advocacy, thought leadership and partner engagement. Our vision, “Integrated Intelligence: People and Practice”, is reflected in this year’s theme ‘Intelligence in the Future(s)’, with three sub-themes – Innovation, Space and Data & Integrity – each representing areas and aspects of intelligence that are rapidly changing and relevant to the intelligence profession of the future. Throughout the Conference, attendees have the opportunity to establish new scientific collaborations and build upon lifelong associations during the plenary lectures, oral presentations and industry perspective presentations that explore the subthemes. Complementing this, a stream of “Developing your Tradecraft sessions” will be entwined into the program: providing an insight into the differences in duties for intelligence professionals from a range of intelligence domains, and creating opportunity for attendees to strengthen their soft, technical and leadership skillset.

Innovation

Innovation in intelligence practice, through technological and tradecraft advancements, allows intelligence professionals to improve productivity, increase agility and invest in their future wellbeing as members of the intelligence community. The proliferation and expansion of data and intelligence sources means that the ability to handle multiple forms of data at once while linking different pieces of related information is crucial. Agility of thinking to pivot and respond to new and emerging threats in a timely and effective way, and investment in technology and tradecraft as enabling capabilities to support achievements, are vital aspects of the intelligence enterprise in the future.

Space

Space is the fourth physical domain – the others being air, sea and land – and space intelligence is arguably one of the most popular demonstrations of an intelligence capability which challenges the ability for intelligence professionals to prevail in contested and increasingly congested environments. We rely on space intelligence for navigation, climate change research, weather forecasting, community, everyday devices, and military operations, but we should ask what other information is available and what other demands there are for intelligence professionals in the context of space intelligence.

Data & Integrity

We live in an age of information and misinformation, making the role of the intelligence professional ever more challenging. The ability to effectively determine the integrity and accuracy of the information we collect is a crucial aspect of intelligence analysis and in the digital age has never been more important. Not only is the integrity of our information of utmost importance, but we must also ensure that as intelligence professionals, our personal and professional integrity does not waver.

Developing Your Tradecraft

Whether you are a seasoned professional or looking to get into the intelligence field, building, reviewing and mastering the fundamentals of the intelligence discipline is vital. These sessions will provide insight into differences in duties for intelligence professionals in different intelligence domains whilst strengthening your soft, technical and leadership skills.

*If you would like to become an AIPIO Member and take advantage of discounted member pricing, please finalise your membership before you register to attend the conference.

^International Affiliated Organisation must be a current financial member of an International Intelligence Organisation/Association.

For information on the conference including sponsorship and exhibitor opportunities please visit www.aipionationalevents.asn.au or contact Conference Organisers, Madeleine Cullity for further details, aipio@wiseconnections.com.au +61 3 9885 6566

We invite you to stay in touch with the AIPIO community and follow us on Twitter (@aipio) or hashtag #intelligence2023 for conference related tweets. Connect with like-minded intelligence professionals via LinkedIn and stay in touch with news regarding the AIPIO 2023 Conference and Events program.

Registration

Register early to take advantage of significant discounts. Groups of 5 or more that register together are able to take advantage of further discounts.

Rates are listed as FIRST IN (prior to 23 March) / EARLY BIRD (prior to 16 June) / STANDARD (from 17 June).

Member* and International Affiliated Organisation^ (Welcome Reception and Conference Dinner included in this registration)
• 1–4 attendees: $990 ea. / $1,275 ea. / $1,525 ea.
• Groups of 5 or more: $840 ea. / $1,125 ea. / $1,125 ea.

Non member (Welcome Reception and Conference Dinner included in this registration)
• 1–4 attendees: $1,265 ea. / $1,650 ea. / $1,800 ea.
• Groups of 5 or more: $1,065 ea. / $1,450 ea. / $1,600 ea.

Student (Welcome Reception and Conference Dinner NOT included in this registration)
• $660 ea. / $770 ea. / $850 ea.

Social Function Tickets
• Welcome Reception, Wednesday 16 August, additional single ticket: $80 ea.
• Conference Dinner, Thursday 17 August, additional single ticket: $185 ea.

Corporate table booking for groups of 8

Reserve a table (for 8 guests) at the Conference Dinner and take advantage of special corporate discounts.
• Member* & International Affiliated Organisation^: $1,036 (-30%) / $1,110 (-25%) / $1,184 (-20%)
• Non member: $1,110 (-25%) / $1,184 (-20%) / $1,258 (-15%)

All rates are quoted in AUD and are inclusive of GST.

Call for Papers – Key Dates
• 17 April 2023: Abstracts due
• 1 May 2023: Notification to authors and requests for full papers sent out
• 28 June 2023: Full Papers due

REGISTER NOW TO TAKE ADVANTAGE OF SIGNIFICANT FIRST IN DISCOUNTS PRIOR TO 23 MARCH

www.aipionationalevents.asn.au

Integrated Intelligence: People and Practice | www.aipio.asn.au

CONTRIBUTORS

Gary Barlet, Derek Cowan, David Coleman, Steve Cropper, Jacqueline Jayne, Mouaz Alnouri, Raja Ravi, Richard Davies, Sean Duca, Monica Oravcova, Joanne Hall, Maria Beamond, Taz Chikwakwata, Nam Lam, Catherine Lee, David Carvalho, Julien Katzenmaier

Contents

• Cyberattacks: Why we need to shift the focus from prevention to containment in 2023
• Prevention rather than cure
• Are we safe? The question every new CISO needs to be prepared for
• Australia’s military defence must include cyber defence
• Women in Operational Technology
• Why security culture matters in Australia
• New Cybersecurity strategy shifts breach responsibility to vendors & software providers
• What should the cyber security committees report to the boards of directors?
• Are you ready? How to be prepared for a security incident.
• Supply chain risk management needs physical layer visibility
• Free cyber security program propelling prototypes of the future
• How to prevent cybersecurity burnout
• Is ChatGPT AI the next Superman or humanity's Kryptonite?
• ChatGPT: AI for good or AI for bad camp
• Will AI make us more secure?
• Inclusive talent management to address the cybersecurity skills shortage
• Digital health leaders call on government and industry to avert global healthcare crisis
• A healthier Australian healthcare industry with Identity Security
• Digital trust: A collaborative responsibility towards cyber resilient digital ecosystem
• IIOT cyber security lessons from Africa

Director & Executive Editor: Chris Cubbage
General Manager – Industry Engagement: Jessica Bainbridge
Sales & Relationship Manager: Troy Hale
Digital Content Manager: MJ Yun
Data Scientist: Muhammad Bilal Shaikh
Managing Director: David Matrai
Art Director: Stefan Babij
Senior Digital Designer: Melissa ten Bohmer
Head of Communications: Laura-Jane Hawkins
Digital Content Senior Editor: Sarah El-Moselhi
Regional Correspondents: Jane Lo - Singapore, Sarosh Bana - India, Andrew Curran - Australia

MARKETING AND ADVERTISING

promoteme@mysecuritymedia.com

Copyright © 2020 - My Security Media Pty Ltd
GPO Box 930 SYDNEY N.S.W 2001, AUSTRALIA
E: promoteme@mysecuritymedia.com

All Material appearing in Australian Cyber Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

OUR CHANNELS

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Welcome to a special edition of the Australian Cyber Security Magazine, released as Official Media Partners to the Cyber West Summit 2023, amongst other industry events in Australia and the Indo-Pacific region.

The year 2023 is clearly an inflection point to a new era, with generative AI and quantum computing evolving to be mainstream and creating new opportunities in a security context. These technologies naturally present a double-edged sword and the challenge is to remain ahead of nefarious intentions by nation state competitors and criminal actors.

The US Department of Defence Cyber National Mission Force (CNMF) and Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) shared details for the first time at the RSA Conference last month, on recently declassified ‘Hunt Forward’ cyber operations, showcasing how both organisations work together and with Five Eye partners, like Australia, to bolster cyber defences.

CNMF Hunt Forward Operations included the 2021 Solarwinds supply chain breach, the large scale attacks on Microsoft Exchange servers by Chinese threat actors and the 2020 US Federal Election subjected to an Iranian initiated breach of a local municipality, which may have potentially discredited the election.

When asked by MySecurity Media for an Australian perspective on the organisational structure of CISA and CNMF, similar to the structure of the Australian cybersecurity framework, Maj. Gen. Hartman stated, “the partnership with Australia adds another toolkit that we’re able to utilise in order to get after these operations globally, and so much of what we’re able to share with [CISA], we’re also of course, able to share with Five Eyes partners... The coordination that we do with DHS, we also do with Australia, Five Eyes partners, other like-minded nations and that really does allow us to scale.”

With this global effort in mind, as part of the 2023 Defence Strategic Review, released last month, the federal government is transforming the defence innovation ecosystem to deliver the advanced technologies urgently needed for Australia’s national security. $3.4 billion over the next decade will be invested to establish the Advanced Strategic Capabilities Accelerator (ASCA). This is an additional $591 million above current planned spending on defence innovation. Priorities for the program are hypersonics, directed energy, trusted autonomy, long-range fires, quantum technology and information warfare.

Thus the timely release of Australia’s first National Quantum Strategy. The Strategy identifies five priority areas, which include securing infrastructure and materials and safeguarding cyber infrastructure, which remains a critical aspect of this technology and the Defence Strategic Review.

On the back of significant and continued cyber-attacks on Australian businesses and organisations, an Active Adversary Report from Sophos looked at the changing behaviours and attack techniques that adversaries used in 2022. The data, analysed from more than 150 Sophos Incident Response (IR) cases, identified more than 500 unique tools and techniques, including 118 “Living off the Land” binaries (LOLBins). LOLBins are executables naturally found on operating systems, making them much more difficult for defenders to block when attackers exploit them for malicious activity.

Unpatched vulnerabilities were the most common root cause of attackers gaining initial access to targeted systems. In half of the investigations to infiltrate organisations, attackers exploited ProxyShell and Log4Shell vulnerabilities, which not surprisingly are the same vulnerabilities from 2021. The second most common root cause of attacks was compromised credentials, again a long-time consistent theme.

A key take-away from RSA last month was the reduction in dwell times. More than two-thirds of the attacks that the Sophos IR team investigated (68%) involved ransomware. While ransomware still dominates the threat landscape, attacker dwell time decreased in 2022, from 15 to 10 days, for all attack types. For ransomware cases, the dwell time decreased from 11 to 9 days, while the decrease was even greater for non-ransomware attacks.

In this edition, our cover feature focuses on AI and as David Carvalho writes, AI should be seen as a tool that will improve vulnerabilities that are coded in error by humans. While it will potentially significantly improve the quality of coding across web2 and web3 applications, we can never fully trust its output. Developers will still need to read and critique AI output by learning its patterns and looking for weak spots, while being cognisant of the fact that threat actors are using it for nefarious purposes in the short term.

In this context, Sean Duca provides input, highlighting how Singapore's Government Technology Agency demonstrated recently how AI crafted better phishing emails and effective spear phishing messages, much better than any human actor could.

Monica Oravcova, co-founder of Naoris Protocol also writes how AI could help organisations improve their cybersecurity defences by analysing large volumes of data and using advanced machine learning algorithms, identify patterns and trends that may indicate a cyberattack is imminent, allowing organisations to take preventative measures before an attack occurs, minimising the risk of data breaches and other cyber incidents.

Enjoy this edition covering all aspects of national cyber security and we will otherwise continue to provide coverage across the cyber domain, including a focus on AI and quantum technologies, such as our interviews with WA’s Pawsey Supercomputing Research Centre and quantum computing company, Quantinuum.

On that note, as always, there is so much more to touch on and welcome your feedback and contributions. Enjoy the reading, listening and viewing.

Editor's Desk

"We live in an interesting time in that a threat a foreign partner sees…is also a threat to the network that many of the people in this room either own or provide support to and I would offer that, we have not been in this position, as it relates to a foreign threat… to any other time in our history. And so a threat to us is a threat to you"
- U.S. Army Maj. Gen. William J. Hartman, Commander for Cyber National Mission Force, US Cyber Command speaking at RSA Conference, San Francisco, April 25, 2023

MySecTV Interview Highlights

We're joined by Ginger Spitzer, Executive Director and Chloe Miller, Program Manager with One in Tech, an ISACA Foundation.

One In Tech seeks to make both broad and in-depth impacts in infusing untapped talent into the cyber workforce throughout the world. Formally launched in 2020, One in Tech is led by a volunteer Board of Directors comprised of recognized international experts and leaders.

SheLeadsTech is the banner program of One In Tech, dedicated to building a gender diverse and inclusive global community of cyber professionals. Initiated in 2017, SheLeadsTech empowers women to enhance their professional skills and advocate for their career advancement. SheLeadsTech also brings global awareness to the lack of gender diversity in all levels, particularly chief and executive positions, within tech fields.

API security is one of the biggest challenges facing CIOs today

We speak with VP of Product Gil Shulman. API security is one of the biggest challenges facing CIOs today. Traditional API security solutions are siloed and fragmented, leaving CIOs with a choice of multiple point products or bolt-on integrations to create a patchworked solution. This results in increased cost and complexity, reduced visibility and control, and greater exposure to risk.

Wib, a fast-growth cybersecurity startup is pioneering a new era in API security. The company announced late last year they had a $16 million investment led by Koch Disruptive Technologies (KDT), the growth and venture arm of Koch Industries, Inc, with participation from Kmehin Ventures, Venture Israel, Techstars and existing investors. The investment will be used to enhance Wib’s pioneering holistic API security platform and accelerate international growth as it expands operations across the Americas, UK and EMEA.

Pen Testing as a Service and bug bounty partnerships

We speak with Dave Gerry, CEO and Nick McKenzie, CISO of Bugcrowd.

Bugcrowd has announced new capabilities in its Penetration Testing as a Service (PTaaS) offering that enables buyers to purchase, set up, and manage pen tests directly online without a need for lengthy sales calls and scoping sessions. PTaaS is one of several solutions delivered on the Bugcrowd Security Knowledge Platform.

Bugcrowd says it is offering the only platform-driven PTaaS through its Security Knowledge Platform, which includes a rich Pen Test Dashboard for real-time access to test status, analytics, prioritized findings, and methodology progress.

Transforming cybersecurity through quantum computing

We speak with Duncan Jones, Head of Security for Quantinuum.

Quantum computers are getting stronger every day and when powerful enough, experts believe they will be able to break standard encryption. Today, bad actors are employing a 'hack now, decrypt later' strategy to access data when encryption is breached. Executives can discuss how the bank is mitigating this current and future threat to become ‘quantum resilient.’

Quantum Computing is set to have a huge impact on cybersecurity. Much of the discussion today is around the threat that it could pose to the foundation of security systems, but there is also enormous potential for quantum computing to transform the security of communications and data.

One in Tech to support Top Women in Security ASEAN Region Awards

Cyberattacks: Why we need to shift the focus from prevention to containment in 2023

Historically, cybersecurity in both the public and private sectors has followed one consistent theme: prevention and detection.

The problem? Prevention and detection aren’t enough. Breaches are still happening.

After decades of trying to prevent and detect direct attacks by adversaries – and failing – it’s time to shift the focus to containment. Whether Einstein actually said it or not, the truism is still accurate: “The definition of insanity is doing the same thing over and over and expecting different results.”

Traditional security methods aren’t enough to fight modern adversaries

Most security teams’ efforts have focused on trying to keep threats from entering the data centre or cloud.

The boundary between the untrusted outside and the trusted inside is where the majority of security tools have been placed. This is where next-generation firewalls, anti-virus scanners, proxies, and other security tools are deployed, attempting to inspect all incoming traffic to ensure that nothing bad slips through.

However, all of the security breaches of the past years have had at least one of these tools deployed and most have been in compliance with security requirements. Yet, adversaries have successfully entered the network.

And once inside the network, all adversaries have one thing in common: They like to move. They spread laterally, east-west, moving from host to host to seek out their intended target for data exfiltration.

Many of these breaches have been discovered long after they entered the network, sometimes months later. Even with the shift from prevention to detection, today’s tools are no match to modern adversaries who are very good at avoiding detection until after the damage is done.

Once compromised, most networks are wide open to east-west propagation

A traditional approach to cybersecurity defines everything outside of the perimeter as untrusted and everything inside of the perimeter as trusted. The result is that there is often very little to prevent adversaries from spreading laterally once inside of the trusted core.

Spreading host to host, application to application, across network segments means that most workloads are sitting ducks to fast-moving adversaries. And network segments are usually very ineffective at preventing them from spreading between hosts.

Network devices look at packet headers, but discovering adversaries requires looking deep into the data payload of packets, and this requires deploying firewalls between all hosts. This quickly becomes expensive and a potential network bottleneck, with every packet needing to be ‘cracked open’ and inspected, relying on either signatures, ‘sandboxes,’ AI, Machine Learning, or other complex methods without slowing down the network.

Even when this approach is tried, it is quickly abandoned or pared down – and delivers no ROI on hard-won budget dollars. This leaves very little to prevent east-west propagation and hosts remain wide open.

When the inevitable breach occurs, people start pointing fingers.

Organisations without Zero Trust Segmentation are fighting a war they can’t win

All perimeters are porous. Even a 99 percent effective perimeter security boundary will eventually be breached. Or a security breach will enter from the inside, either accidentally or intentionally.

Those who are still trying to deploy even more expensive security tools at the perimeter – and who continue to trust that their hosts are not propagating any kind of threats, will find themselves in the media the next day as the latest victim of a direct attack.

Zero Trust Segmentation, also known as microsegmentation, is a major part of a Zero Trust architecture in which every resource is a trust boundary, decoupled from network boundaries.

Illumio ensures every single workload is segmented from every other workload, enforcing a least-privilege access model between them, with hosts identified using a metadata-driven model and not their network addresses. This means that workloads deployed on hosts are identified via their function and not their location, enabling the clear visualisation of network behaviour between hosts.
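A minimal sketch of the label-based, default-deny model described above, added here as an illustration and not Illumio's code or policy syntax. The workload names, labels, rules and ports are constructed, and reachability over allowed flows is treated as an upper bound on how far a compromise could spread.

```python
"""Compare lateral-movement exposure: flat trusted core vs. label-based segmentation."""
from collections import deque

# Constructed inventory: workload -> labels. No IP addresses appear anywhere,
# because policy is written against function (labels), not network location.
WORKLOADS = {
    "web-1":   {"role": "web", "app": "shop", "env": "prod"},
    "web-2":   {"role": "web", "app": "shop", "env": "prod"},
    "api-1":   {"role": "api", "app": "shop", "env": "prod"},
    "db-1":    {"role": "db",  "app": "shop", "env": "prod"},
    "hr-db-1": {"role": "db",  "app": "hr",   "env": "prod"},
    "dev-1":   {"role": "web", "app": "shop", "env": "dev"},
}

# Constructed allowlist: (source selector, destination selector, port).
# Anything not matched by a rule is denied (least privilege, default deny).
SHOP_PROD = {"app": "shop", "env": "prod"}
RULES = [
    ({"role": "web", **SHOP_PROD}, {"role": "api", **SHOP_PROD}, 8443),
    ({"role": "api", **SHOP_PROD}, {"role": "db", **SHOP_PROD}, 5432),
]


def matches(labels, selector):
    """True when every key/value in the selector is present in the labels."""
    return all(labels.get(key) == value for key, value in selector.items())


def allowed(src, dst, port, workloads=WORKLOADS, rules=RULES):
    """Default-deny decision for one flow between two named workloads."""
    if src == dst:
        return False
    s_labels, d_labels = workloads[src], workloads[dst]
    return any(
        matches(s_labels, r_src) and matches(d_labels, r_dst) and port == r_port
        for r_src, r_dst, r_port in rules
    )


def flat_edges(workloads):
    """Traditional trusted core: every host may talk to every other host."""
    return {name: set(workloads) - {name} for name in workloads}


def segmented_edges(workloads, rules):
    """Host-to-host edges that survive the allowlist, on any permitted port."""
    ports = {port for _, _, port in rules}
    return {
        src: {
            dst for dst in workloads
            if any(allowed(src, dst, p, workloads, rules) for p in ports)
        }
        for src in workloads
    }


def blast_radius(start, edges):
    """Workloads reachable from a compromised host by chaining allowed flows."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


if __name__ == "__main__":
    flat = flat_edges(WORKLOADS)
    seg = segmented_edges(WORKLOADS, RULES)
    for host in WORKLOADS:
        print(f"{host:8} flat={len(blast_radius(host, flat))} "
              f"segmented={sorted(blast_radius(host, seg))}")
```

Because the rules select on labels, a newly deployed workload carrying the same labels inherits the same policy without any address-based rule change.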

Gain visibility of how applications are talking on your network

Visibility into network traffic between applications, from an application-centric perspective, is challenging using network devices, either physical devices in a data centre or virtual devices in a public cloud.

This is because visualising application behaviour and dependencies from switches, routers, firewalls, or monitoring tools usually requires translating network behaviour into application behaviour and discovering ‘who is doing what to whom’ between applications and hosts. Usually, this quickly becomes more confusing than revealing.

Visualising how applications talk to each other across a network requires a solution deployed directly on the hosts which those applications reside on. Having a clear and precise dependency map between all applications in your data centre and cloud enables very quick discoveries of compliance violations and how hosts are communicating with each other without having to touch the network or touch the cloud.

Always assume breach

The modern security model needs to assume a breach either will or already has occurred. Whether the breach comes from a state-sponsored adversary or a criminal gang, with the right technology, like Zero Trust Segmentation, that threat can be isolated and prevented from spreading.


Prevention rather than cure

Why data recovery due diligence helps improve cyber resilience and ransomware response

Malicious actors intent on infiltrating systems to access, exfiltrate, and extort vital company data (usually production data) through ransomware are constantly evolving their approach to counteract the defensive measures taken by organisations. This creates a major challenge for Information Technology (IT) and Security Operations (SecOps) teams tasked with protecting their company’s IT infrastructure, hybrid environments, and precious data, as they in turn must evolve their own data protection strategies and implement the right technology to counter evolving threats such as ransomware.

According to the Australian Cyber Security Centre (ACSC), in its late 2021 report into the state of cyber security in Australia, “Consistent with global trends, ransomware remains one of the most disruptive threats to Australian organisations”. The ACSC also found that in the period from 1 July 2020 to 30 June 2021, “ransomware cybercrime reports increased by 15 per cent; nearly 500 ransomware cybercrime reports received; and there was average of more than one ransomware cybercrime report received every day.”

However, ransomware has not only increased in trickiness and frequency; it has also become more potent as attackers increase their inventiveness and innovation, with the objective of holding more companies to ransom, and at a greater scale. In 2021, Ransomware as a Service (RaaS) became a more frequent and widely seen form of ransomware, as cybercrime organisations looked to improve the division of labour and empower cyber criminals without technical skills to participate in cyber-attacks, and even attack small and medium-sized companies more frequently. This makes sense given that specific attacks on larger organisations may result in a bounty in the millions of dollars, yet they require a high degree of technical execution. Alternatively, an attack targeting medium-sized companies using RaaS may breach a larger volume of companies, and even if the individual ransom amount is smaller, the overall damage caused may be substantially larger.

Cyber resilience is the concept of being able to continuously deliver business outcomes and operations despite adverse events, which is a vital capability or muscle for organisations to develop in the ransomware environment of today. However, a company can only be cyber resilient if they can recover data from a high-quality data backup. Backups are a foundational component to an overall cyber resiliency strategy and are crucial for companies in responding to ransomware. Having a secure, clean, immutable copy of your data can better equip your business to defend your data and refuse the ransom.

While many companies may already prioritise or regularly back up their data as a countermeasure to ransomware attacks, on its own this is becoming a less reassuring measure than in the past. Backups and backup environments are being increasingly targeted by attackers because many companies rely on backups that are not being created or protected via best practices or capability-rich data management and protection technology. This allows attackers to not only encrypt backed-up production data, but also exfiltrate data for double extortion attempts or to expose it for other reasons. It means we’re seeing an increasing evolution from what could typically be called Ransomware 1.0, to Ransomware 2.0, which is targeted at destroying backups first and then encrypting data, and Ransomware 3.0, where attackers are focused on encrypting or stealing data to expose it or extort its owner multiple times.

With ransomware evolving, increasing in potency, and even coming via an as-a-service method of attack, companies in Australia are faced with an even harder question than before: what constitutes a high-quality data backup that they should aim to be able to recover from, especially if these very backups are being targeted? Key traits of a high-quality data backup include being secure; immutable by design, not as an afterthought or layer on top; clean; available via a copy that has been stored under the ‘3-2-1’ rule; taken from a recent or regularly specified point in time; recoverable through a regularly tested process; and made through data management technology that can recover files at the individual level – whether that’s by geographic or data storage location. If data can be recovered from backups that are made under these best practices and technology, then companies can be more confident in their state of cyber resiliency.

Here are three recommendations companies should consider to improve their data recoverability and cyber resilience:

1. Non-rewritable Backups A Must

Organisations should take steps to prevent their data from being encrypted under attack. Protecting data with an immutable backup that makes the written data read-only, and a write-once, read-many (WORM) mechanism that makes the written data unerasable and unchangeable, is recommended.

Immutable backups and their data cannot be modified, encrypted, or deleted, making them one of the purest ways to tackle ransomware, as they ensure the original backup job is kept inaccessible. This means that while ransomware may be able to delete files in a mounted or read-write backup, these files are not able to be mounted on an external system and the immutable snapshot will be unaffected. However, not all data management technology companies provide immutability that is built in from the core; some add it at the end of their design process, so organisations must consider this when choosing data management technology.

Companies can be more self-assured if they have employed security features such as role-based access control (RBAC), multi-factor authentication (MFA), and cryptographic frameworks. It is also advisable to back up from the in-house data center to the public cloud and create an "air gap" to block communication between the two.

2. Encryption is Key

Data that is backed up should always be encrypted, whether at rest or in transit over a network, with AES 256-bit encryption to secure data. For example, Cohesity customers benefit from encryption in flight, provided data is replicated to a Cohesity cluster, and is tiered or archived to the cloud from the Cohesity platform. Next-gen data management platforms are beneficial too, as they allow IT teams to understand if the data that is ingested is changed, typically compressed or de-duplicated, as this is often a red flag that a malicious act is occurring. Changes to entropy or randomness of stored data may indicate outside encryption - a typical signature for ransomware. If this occurs, the next-gen data management technology will help detect it and notify all the key stakeholders in the IT and security teams via multi-channel alerts including mobile, email, and UI or API.

3. Invest in Accurate Backup & Early Detection Technology

Make sure data is backed up regularly and cleanly, not from infected backups. If a company is infected, it is important to notice the malicious activity early, which is why the right next-gen data management technology will leverage AI and machine learning capabilities to help detect anomalies - as these are usually indicators of suspicious activity - and then alert the necessary IT and Security team members that they must investigate what is occurring. This is vital, as early detection will help reduce the blast radius of an attack, limit the overall attack surface, ensure that future backups do not back up malicious files, and help in identifying a clean point amongst your existing backups. Companies should be employing the 3-2-1 rule for data backups, whereby they have at least three copies of their data, stored on two types of media, with one backup copy kept offline or offsite; isolated cloud data vaults like Cohesity FortKnox also offer similar capabilities. This simple data backup and recovery approach ensures that organisations will always have an available and usable backup of their data or systems. Offsite and offline backups not only limit the effects of ransomware, but when combined with the right data and infrastructure security solutions and employee awareness training, can help prevent ransomware.
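The entropy signal from recommendation 2 and the search for a clean point among existing backups from recommendation 3 can be sketched together as follows. This is an added example, not code from Cohesity or any other vendor named here: the thresholds (7.5 bits per byte and a jump of 1.5), the file names and the snapshot contents are constructed assumptions, and a hash-based XOR keystream stands in for real encryption so the sample data is deterministic.

```python
import hashlib
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def simulate_encryption(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for ransomware encryption: XOR with a SHA-256 counter keystream.
    Used only to build deterministic, ciphertext-like sample data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def entropy_alerts(previous, current, high=7.5, jump=1.5):
    """Compare two snapshots ({path: bytes}) and list files that turned
    near-random since the previous snapshot.

    Both conditions must hold, so files that were already high-entropy
    (compressed archives, media) do not raise an alert on their own.
    Thresholds are assumptions for this example, not vendor defaults.
    """
    alerts = []
    for path in sorted(current):
        if path not in previous:
            continue  # new file: no baseline to compare against
        before = shannon_entropy(previous[path])
        after = shannon_entropy(current[path])
        if after >= high and after - before >= jump:
            alerts.append((path, round(before, 2), round(after, 2)))
    return alerts


def last_clean_snapshot(snapshots):
    """Walk snapshots oldest to newest. Return (last clean snapshot name,
    first suspicious snapshot name or None, alerts for that snapshot)."""
    clean = snapshots[0][0]
    for (_, prev_files), (name, files) in zip(snapshots, snapshots[1:]):
        alerts = entropy_alerts(prev_files, files)
        if alerts:
            return clean, name, alerts
        clean = name
    return clean, None, []


def build_sample_snapshots():
    """Constructed data: three nightly snapshots of three files."""
    ledger = "".join(
        f"{i},ACC{i % 37:04d},{(i * 7919) % 100000 / 100:.2f},AUD\n"
        for i in range(400)
    ).encode()
    policy = b"Backups are taken nightly and tested monthly.\n" * 40
    archive = zlib.compress(ledger + policy)  # legitimately compressed file
    monday = {
        "finance/ledger.csv": ledger,
        "hr/policy.txt": policy,
        "archive/2022.zz": archive,
    }
    # Tuesday: an ordinary text edit, entropy barely moves.
    tuesday = {**monday, "hr/policy.txt": policy + b"Reviewed by security.\n"}
    # Wednesday: the ledger has been encrypted in place.
    wednesday = {
        **tuesday,
        "finance/ledger.csv": simulate_encryption(ledger, b"constructed-key"),
    }
    return [("mon", monday), ("tue", tuesday), ("wed", wednesday)]


if __name__ == "__main__":
    clean, first_bad, alerts = last_clean_snapshot(build_sample_snapshots())
    print(f"last clean snapshot: {clean}; first suspicious: {first_bad}")
    for path, before, after in alerts:
        print(f"  {path}: {before} -> {after} bits/byte")
```

Because the check compares each file against its own previous snapshot, the compressed archive never alerts even though its absolute entropy is high; an absolute threshold alone would flag it every night.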

Ransomware poses an incredible technology and security challenge for organisations, especially their CIO, CISO, and their respective teams. It’s no longer enough to focus purely on traditional cyber defences such as network, perimeter, endpoint, and application security. Data protection and recoverability are vital to being able to resume business operations should a ransomware attack or other cyberattack be successful. The best way to build a solid foundation is via data management technology that allows for high-quality backups to be created and cyber resilience to be maintained.


Are we safe? The question every new CISO needs to be prepared for

The spate of recent high-profile breaches has many senior leadership teams concerned their organisation may be hit next. While it’s not possible to be prepared for any eventuality, the new (old) adage of “when, not if” applies.

In this time of heightened sensitivity, every CISO must be ready to have the conversation relating to “are we safe?” with the CEO and other leaders. And it’s better to do it before you have to deal with a live incident and are focused on fixing an identified high-profile problem.

As you cannot guarantee your organisation won’t face potential breaches and threats, as the security leader, you may be asked to demonstrate that you and your teams are doing everything you can with the strategies, processes, and resources you have put in place.

Understand your “safe” according to your risk tolerance and communicate

The current climate is actually a great time to prove how integral cybersecurity is to your organisation. Part of the balance in any CISO’s role is being able to rise above the day-to-day firefighting, and be proactive in your communications with senior leaders across the business; to highlight exactly what you’re doing to ensure the business is as protected as it can be. While cyber security is everyone’s problem, it is often considered that the CISO will provide the ultimate guidance on how to ensure your organisation is cyber secure (safe).

But what does a cyber-safe organisation look like?

And how do you communicate that effectively to your senior leaders?

Your ability to protect your organisation depends on many factors, including your processes, organisational security culture, the availability of skilled teams and tools, and importantly, defined cyber-security metrics, aligned to risk appetite, all of which are understood and tracked by all relevant stakeholders. There must be a solid and shared understanding of cyber security risk appetite, and an acknowledgement of who owns, and ultimately provides remediation / execution functions against defined assets (and yes, assets include data).

All too often the CISO is assumed to have accountability that goes beyond their purview, as the ownership and accountability of information system assets belongs to others. Simply put, assets belong to others, and the CISO is engaged to provide cyber security guidance on identification and risk treatment options against those assets. In a more mature cyber organisation, a CISO will have defined the policies, and the operational owners will execute. A good CISO will recognise that if you put the security brakes on too hard, you risk hampering the ability to operate and innovate. Be too laissez-faire and it could become open season for threat actors.

A delicate balance is always required, and many technically focused CISOs start their cyber security metrics with details that an average board won’t understand. If you want to get on the front foot with your CXO to help them understand what “safe” may look like, here are three elements to help.

1) Assess

Best practice cyber security assessment evaluates not just your organisation's susceptibility to vulnerabilities and cyber threats, but also security culture and the support you receive from senior management stakeholders. One of the biggest determinants of successful cyber culture, and the cyber safety of an organisation, is the extent to which that culture is driven from the very top of the business.

At a technical level, assessments often rely heavily upon the ability to have complete visibility into your entire technology environment from the inside, and out. Understanding where all your assets reside, and the associated vulnerabilities in your organisation is critical. If there is limited visibility and understanding of risk, that can have a major impact on securing budget, resources, and confidence. As the saying goes, “you can’t manage what you can’t see,” and this is often one of the first (and biggest) stumbling blocks for any CISO, especially in today’s hybrid environments.

That’s why many security leaders are investing in new visibility tools and technologies, and further leveraging systems that contain asset data, such as cloud resource inventory APIs. Greater visibility begins with gathering accurate data from a tool you can trust; one that ensures the number of false positives is low and accuracy is high. Integrations are essential, such as to CMDBs, both for additional asset context and to provide updates to those systems. Any assessment of cybersecurity should also be viewed in light of your organisation’s obligations and compliance with frameworks and regulations, and risk tolerance levels, particularly with respect to industry guidance and critical infrastructure.

2) Quantify

Understanding how to quantify risks and threats is likely the most challenging of the three elements to get right, and that’s because you can never predict the actions of an adversary or rogue employee in an ever-changing cyber landscape. Nowadays, most organisations will use a threat intelligence tool to help them further understand what external threats exist, how those threats are being exploited in the wild, and against what regions and verticals. Digital Brand protection services assist in early stage identification that a campaign may be about to be undertaken against your specific organisation. This helps to ensure you can protect digital assets and secure cloud environments and applications. However, making sense of this data can often be overwhelming.

The cyber industry relies upon various rating systems and models to help understand the severity levels of those threats. The challenge is that much of this is meaningless to those outside of the cybersecurity world. Case in point: according to CVE Details, out of roughly 176,000 vulnerabilities, more than 19,000 have a CVSS score of 9.0–10.0 (most severe), over one in ten. However, this metric alone is misleading. Would you prioritise the remediation of an external facing service that has a high CVSS score but no known exploit, or an internal system that has a lower CVSS score but has multiple active exploits and in which you may have no compensating controls? How is that data then further interpreted to not only understand what’s relevant to your organisation to prioritise your resources, but also explain to senior management so they too can also understand what’s important? The answer lies in how you communicate and present the data to the business.

3) Communicate

Better communication of risk and threats means talking in a language the C-suite understands — the operational impacts. The best CISOs make technical details easy to consume by explaining their potential impact on the business. For example, if there’s a high-risk vulnerability that could affect customer-facing or revenue-generating systems, the conversation will quickly focus on how to reduce the risk to those systems.

Sometimes, risks can be assigned a specific dollar value proportionate with their potential impact. System downtime or regulatory fines are two potential outcomes with hard dollar values. Other consequences, such as reputational damage, are more abstract but no less important. The CISO should communicate the risks in terms their colleagues will understand to get agreement on prioritising the most critical risks in alignment with the defined risk matrix.

CISOs can assign security resources to assess for and communicate work on vulnerabilities and exposures in the order that would cause the largest business impact. This also means, with the support of the business, that plans can be developed and tracked to remediate identified issues in alignment with defined service-level agreements (SLAs).

Now, time can be spent on things that matter, rather than drowning in daily alerts and subjectively ranking threats with the same or similar severity scores, which may potentially be misinterpreted and leave you exposed in other areas.

CISOs can also build confidence among their C-suite colleagues by implementing, and then communicating, SLAs or, to use an emerging term, ‘protection level agreements’. Using and tracking SLAs for resolution teams can help demonstrate the value of the investment in security in terms of the business impact. Talking to measures of “safe” in this manner enables an easier and more efficient measurement of ROI for cyber initiatives. Business leaders can now assess their decisions based on likelihood of occurrence and cost to the bottom line.

Set expectations

The fact of the matter is that no organisation will ever be safe, and putting in place all the tools and resources is just half the battle. Positioning risk and communication with your senior leadership teams are just as vital in being able to set appropriate expectations. Unfortunately, we’ve seen firsthand the impacts of breaches in Australia, and very often, how a situation is managed and dealt with will have a huge bearing on your executives’ and/or board’s mindset.

The heart of Cyber Security in WA Driving growth and connection for the WA Cyber Security Sector www.cyberwest.au

TROY HUNT TO KEYNOTE CYBER WEST SUMMIT 2023

Interview with Troy Hunt

Founder - Have I been pwned

The WA Cyber Security Innovation Hub is excited to be delivering the second CyberWest Summit, 10-11 May, 2023 at the Pan Pacific, Perth WA. CyberWest Summit is WA’s flagship event providing cyber security education and awareness to key sectors and highlighting WA cyber security capabilities. The conference will deliver three content streams: Critical Infrastructure & Supply Chain Cyber Uplift, Securing Local & State Government, and Cyber Skills & Education Pathways.

Troy Hunt, a world leading security researcher and commentator, will deliver a top-rated keynote on security and other technology concepts from around the world.

Troy Hunt created HIBP as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach.

For more information visit https://www.cyberwestsummit.com.au/, https://haveibeenpwned.com/ and https://www.troyhunt.com/


Australia’s military defence must include cyber defence

Our political leaders are warning of armed conflict in the Indo-Pacific. But there’s more to worry us than bombs alone.

Critical infrastructure (aviation, rail, telecoms, electricity, ports, etc.) is always a prime target in any armed conflict. When the Japanese hit Darwin in 1942, it was to knock out the city's seaport and airfields and cripple its trade and defence capability.

In Ukraine, nuclear, electric and hydro infrastructure was among the first hit.

Here, Australia's second round of amendments to the Security of Critical Infrastructure Act 2018 (SOCI) came into effect earlier this year. Now it includes data centres among critical infrastructure, recognising that they are key to our national security. Central to the thinking behind these amendments is the steady growth in cyber attacks on Australian targets conducted by criminal individuals and hostile state actors in recent years.

SOCI aims to more closely integrate the Australian Signals Directorate (ASD) with private sector critical infrastructure. Key corporations in the infrastructure space are now required to report to the ASD their assets and security and risk mitigation plans. They must also share information on any cyber incident.

At the end of the day, it is all about data security.

All major organisations rely on data and this invariably will involve data centres. This dependence has only increased during the COVID emergency amid the rise of remote-working and therefore the need to secure data has also grown.

The Security 2025 Report by the Australian Security Research Centre highlighted cyber vulnerabilities as a crucial element in Australia’s overall security arrangement. It called on all governments, the private Security Industry and the corporate sector to work as a team and bring about meaningful and lasting reforms in regulations, knowledge and practice. After all, many private companies work for government agencies and much of the work is conducted online. The SOCI amendments are not enough on their own and the private sector must ensure that mechanisms are in place to defend against cyber-attacks and promptly report them. This is not merely a software solution provided by an IT professional. Registered and licensed security professionals are needed to analyse an organisation through a security lens rather than relying on an IT professional, who might not have any kind of security clearance at all.

Critical infrastructure and security go hand in hand.

In the event of general mobilisation, critical infrastructure will be hit first but that will be more than the railway lines, ports and airfields. Several joint cybersecurity advisories warn that key data service providers in Australia have been targeted by malicious cyber actors.

The Australian Security Industry Association Ltd (ASIAL) was one of several organisations invited to consult in the first draft of the Australian Defence Department’s General Mobilisation Design Directorate. Together with representatives from oil and gas, logistics and transport, water and electricity infrastructure providers, representatives from the private Security Industry highlighted the need to ensure best-practice security measures at Australia’s critical infrastructure both in terms of physical protection and cyber security.

The SOCI amendments reflect that the new front in cyberwarfare is key infrastructure. The Act has expanded the policy framework to protect valuable information needed for Australia's continued operation.

Steve Cropper is a Strategic Communication Adviser to the Security Industry and an Information Operations Contractor to the Australian Army.

Pacific & Japan for Secureworks


Red Alpha graduation ceremony 2023

“In order for us to reap the benefits that digitalization provides, we need to get cybersecurity right”, said David Koh (Commissioner of Cybersecurity and Chief Executive of The Cyber Security Agency of Singapore), at the Red Alpha Graduation Ceremony on 15th February 2023, where cybersecurity leaders gathered to celebrate the achievements of the latest minted talents in cybersecurity in Singapore.

For sure, digitalisation exposes more of our cyber activities to threat actors to exploit, and often, trust in the security of the technology is an important consideration to adopting digital solutions.

Growing cybersecurity capabilities and capacities is therefore of priority in addressing cybersecurity concerns.

Recognising the demand for talent, Red Alpha – a cybersecurity talent development company – has developed a 40-month “Alpha Specialist Training Programme”, which comprises a 4-month full-time bootcamp and a 3-year industry placement.

The event was an opportunity to congratulate the 12 graduates from the most recent intake for completing the bootcamp (as well as the graduates from the previous two intakes during the Covid pandemic).

Having been exposed to a variety of fields within cybersecurity - from incident response, digital forensics to “red teaming” – the graduates will be spending the next 3 years working full-time at one of Red Alpha’s partner organisations.

(These partner firms include companies in the private as well as the public sectors, such as Accenture, Kiteworks, Singapore’s Ministry of Defence and SMRT Corporation.)

Whilst the evolution of the cyber threat landscape does not pause, the learning does not stop. Trainees will return to the classroom for a week level every six months to learn about the latest developments – in areas ranging from reverse engineering, vulnerability research to advanced penetration testing techniques.

Interestingly, by offering the training period as salaried opportunities, the programme demonstrates its mission not only to nurture, but also to retain talent.

Indeed, testimonials from partner organisations point to how the newly minted talents help “to grow and sustain” their cyber business, and how the professionals “with strong technical skills” are “adding value to the team from day one”.

With industry practitioners providing real-world insights and partner organisations offering rigorous hands-on training, the trainees would also have opportunities to build a rich network of mentors and contacts.

In closing, CE Koh’s take-aways that “security is a continuous journey” and “communication is key” would no doubt resonate with many in the cybersecurity field.

Cybersecurity professionals well know that, during a cyber crisis, having that list of contacts and network to seek the latest intelligence and exchange best practices makes a huge difference to a “well managed incident and disaster recovery”.

For more information, visit the Red Alpha website. The programme, whose mission is to develop next-generation cybersecurity defenders, is open to new graduates as well as mid-career professionals.

David Koh (Commissioner of Cybersecurity and Chief Executive of Cyber Security Agency of Singapore), at the Red Alpha Graduation Ceremony on 15th February 2023

SALES AND MARKETING FOR THE IT SECTOR

Interview with Abbie White

Chief Smarketer, Sales Redefined

We speak with Abbie White, Chief Smarketer with Sales Redefined.

With over 15 years’ experience in sales and sales management, Abbie’s proven track record includes assisting in the delivery of over $500M in sales and specialising in the corporate IT sector.

Abbie’s superpower is being the marriage counsellor for sales and marketing in order to deliver an astronomical ROI. Leveraging this superpower, she’s achieved in excess of 2000% + ROI on lead generation campaigns for leading Tier 1 global corporations.

Abbie holds a BSc Honors in Business Management and a Diploma in Positive Psychology, and is also a certified MSCEIT practitioner. The latter enables her to complement her sales enablement with abilities-based emotional intelligence testing.

For more information visit abbiewhite.com.au or salesredefined.com.au


Why security culture matters in Australia

High-profile data breaches continue to bring cybersecurity to the top of the conversation. Yet IT decision-makers are still struggling to build a security culture in their organisations, and end users are even more in the dark.

Before we look at security culture in Australia, let’s look at what it is, as there are vastly different definitions of the term.

According to new research from KnowBe4, when it comes to defining security culture, those IT decision-makers who have heard the term most commonly say that, to them, 'security culture' means:

• recognition that security is a shared responsibility across the organisation (67%)

• having an awareness and understanding of security issues (64%)

• compliance with security policies (59%)

• think it means that security is embedded into the organisation’s culture (44%)

• it has something to do with establishing formal groups of people that could help influence security decisions (36%)

*Respondents were able to select more than one response.

While all the responses are correct in their own way, one stands out as it incorporates them all. That is 44% of IT decision makers who said that a good security culture meant security was embedded into the organisation’s culture.

Additionally, only one-third of IT decision makers across Australia know what 'security culture' is and think their organisation has a good security culture.

The phrase ‘security culture’ is beginning to find its way into the lexicon of IT leaders. But there is a problem. IT decision-makers have vastly different definitions of security culture, which makes it almost impossible to measure and work towards. At KnowBe4, we define security culture as the ideas, customs and social behaviours that influence an organisation’s security. A common definition makes it possible to discuss the same thing, in the same way. We all know that if you do not measure something, that something does not exist.

When it comes to security culture across the broader organisation, employees are even more in the dark. A quarter (25 percent) of office workers say their employer has not communicated about security culture at all and more than two in five (43 percent) office workers have never heard of the term security culture. Only a third of office workers (34 percent) say that their employer has communicated about security culture, and only a quarter say they are clear on what it means and their role.

How employees perceive their role is a critical factor in sustaining or endangering the organisation’s security. Employees must be educated on securing not only their professional but personal environments. What they learn and how they incorporate it into everyday behaviours and attitudes is completely transferable into their personal lives and will protect their data.


Building a strong and positive security culture is an effective mechanism to influence your users’ behaviour and, thereby, reduce your organisation’s risk and increase resilience. The question is, how do we go about it?

Historically, the IT department has been responsible for security awareness training. The attack vector has increased exponentially over the last 10 years with technological developments, increased internet speed, accessibility and the growth of mobile devices. More recently, the move to remote working has meant that cybersecurity is literally on the move as we take our devices everywhere with us. As a result, the responsibility when it comes to cybersecurity has spread from IT to everyone in an organisation.

Over the years, the evolution of best-in-class security awareness training has included the following elements:

1. Continuous awareness, training and education for the cyber threat landscape.

2. An opportunity to apply what has been learned using simulated phishing (malicious emails) programs and assessments or quizzes.

3. Observable changes as they relate to secure behaviour.

The question we continue to hear globally and what keeps IT professionals such as yourself up at night is, “We are training our people and rolling out simulated phishing emails, which is great. We want to create a security culture and are unsure how to do that.”

There are a couple of elements to consider in order to answer that question.

The first is that successful programs often include support from across the organisation, clear communication when it comes to the what, why and how, plus an understanding of the requirement of an ongoing, continuous approach to security awareness.

The second is an understanding of what is required to create a security culture. You certainly cannot buy it off the shelf. Every organisation already has a security culture, whether you like it or not. The challenge is to understand it as it stands today, define what you want it to be and go about making that happen.

At this point, take some time to reflect on your organisation and its current security culture. Consider the KnowBe4 Seven Dimensions of Security Culture as a great place to start, as it looks at the following elements:

1. What attitudes do you expect your people to have towards security?

2. What behaviours do you want to change or see?

3. Do your people have an understanding, knowledge and sense of awareness?

4. How do you communicate with your people and do they feel like they have a part to play?

5. Have you considered and included your people in your policies, and do they know what to do?

6. When it comes to the unwritten rules of conduct at your organisation, have you thought to include (cyber) security?

7. Lastly, and perhaps most importantly, as without it you are doomed to fail, do your people understand why cybersecurity is everyone’s responsibility and that they have a critical role to play?

Once you have an idea of where you are, it is time to consider, discuss and define what your organisation’s security culture should be.

In addition to answering operational questions like those above, the KnowBe4 Security Culture Survey provides indicators for reporting your organisation’s security posture to the board or executive team.

For more information, please see our Security Culture Report here: https://www.knowbe4.com/organizationalcyber-security-culture-research-report

No matter where you are in your security awareness journey, it is always a good time to focus on security culture. We have a long way to go to embed security into our daily routines. Perhaps we are one or two generations away from everyone thinking of cyber first, just as we do regarding sun safety in Australia with slip slop slap. Until then, please ensure you are applying best practices regarding security awareness with a focus on security culture.


New Cybersecurity strategy shifts breach responsibility to vendors & software providers

The White House wants to shift the responsibility for cybersecurity away from individuals and small businesses to entities that hold onto personal data, software makers and vendors. US President Joe Biden said the stakeholders best placed to prevent bad cyber outcomes needed to take more of the burden to prevent them.

His comments accompanied the release of the US National Cybersecurity Strategy 2023 on March 1. Calling the 2020s a "decisive decade" for cybersecurity, a statement from The White House following the strategy's release said the US will "reimagine" cybersecurity and reshape how roles, responsibilities, and resources are allocated.

"We face a complex threat environment, with state and non-state actors developing and executing novel campaigns to threaten our interests," reads the statement. The strategy revolves around five pillars – defending critical infrastructure; disrupting and dismantling threat actors; shaping market forces to "drive security and resilience"; investing in the future; and pursuing international partnerships with like-minded allies.

The ambition to shape market forces has sparked the most immediate response. "Continued disruptions of critical infrastructure and thefts of personal data make clear that market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience," the strategy notes.

"The Administration will work with Congress and the private sector to develop legislation establishing liability for software products and services. Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract and establish higher standards of care for software in specific high-risk scenarios."

The White House also wants to hold what it calls "the stewards of our data" accountable for data breaches, saying all too often, individuals who deal with those entities are left to deal with the consequences of cyberattacks. The White House says when entities holding onto data fail to protect it adequately, they "externalise the cost," and often to people who will experience disproportionally high levels of harm from cyber breaches.

"Too much of the responsibility for cybersecurity has fallen on individual users and small organisations," said Biden. "We will re-balance the responsibility to be more effective and equitable."

Edgard Capdevielle, CEO of California software company Nozomi Networks, welcomed the strategy, saying it underscores "we are all on the same team." But he said attempts to shift responsibility will be met with varying responses from CEOs and will take time and money, something that The White House needs to consider.

"The National Cyber Strategy's non-voluntary requirements for critical infrastructure to increase cybersecurity posture will be met with varying responses from CEOs and boards alike," he said. "While the impetus for a better cyber posture to defend against potential nation-state adversaries is wise and necessary, the ability for these entities to identify the budget and personnel to manage these pieces will take time, as it is for most companies in this macroeconomic climate."

The White House says the strategy's implementation is already underway and that the Office of the National Cyber Director will oversee it.


What should the cyber security committees report to the boards of directors?

I recently attended the Gartner Security & Risk Management Summit 2023 in Sydney. During the conference, Gartner predicted that board governance would evolve over the coming years. Gartner predicts that by 2025, 40% of boards will have dedicated cyber security committees overseen by qualified board members.

I also recently attended the company directors course by the Australian Institute of Company Directors, which helped me better understand the duties and responsibilities of company directors and what things typically concern them.

Hence, I decided to write this blog post to combine my knowledge from the cyber security industry and my learnings from the company directors course to help cyber security professionals and directors work together on managing cyber security risks for their organisations.

Cyber Security is an Increasing Interest

It’s not surprising that boards are beginning to care more about cyber security. The increasing interest is because the Australian Cyber Security Centre has observed over 67,500 cyber crimes during the 2020-21 financial year, representing an increase of nearly 13% from the previous financial year.

The board of directors is responsible for reviewing the appropriateness of the organisation’s risk identification, assessment, management, monitoring and reporting processes. And cyber security is all about risk management.

So it makes sense for the boards to view cyber security as a business risk and keep a close eye on it.

Boards rely more on committees to play a significant role in the board’s cyber security risk oversight activities. These include ensuring the organisational culture aligns to its risk appetite, purpose and strategy; and developing and supporting organisational resilience, including a robust crisis management capability.

So what would the cyber security committee report to the board during the board meetings?

Risk Rating has Changed

The cyber security committee must first report the cyber security risk status driven from the cyber security risk register that the committee monitors.

The board would be interested in knowing the risks that changed their rating over the reporting period, especially if the risk has moved from low to high. The rating will change if the risk likelihood has increased, for example because another company in the same industry got compromised, or if the risk impact has increased, for example because the backup system or disaster recovery site stopped working due to a technical failure. These risks need to be brought to the board’s attention to answer the question, “what do I need to worry about?”. And, of course, they need to be brought with a control, mitigation and treatment plan for the board’s approval.


Emerging Risks

Other significant risks to be brought to the board include ‘Emerging Risks’. They are new risks driven by social, economic, political and pandemic circumstances, such as the conflict between Russia and Ukraine, fast-tracked digital transformations due to COVID-19, working from home arrangements, and legislation amendments.

Audit for controls, mitigations and treatments

Another key matter the cyber security committee updates the board with is the status of the control, mitigation and treatment activities applied to existing high risks to reduce their level (likelihood and impact) to medium or low. The status of the control, mitigation and treatment activities will answer the question, “Is our approach defensible?”.

The cyber security committee needs to report when these controls, mitigations and treatments did not stop a threat and triggered an incident. Then, prioritise actions required to build a sustainable program that balances the need to protect against the requirements to run the business.

An example can be to report the number of operating systems that are not updated within the acceptable timelines, the number of failed backups and the number of applications used by staff that are not whitelisted, among others.

Cyber Security Projects Update

Another essential item to communicate with the board of directors is the status of cyber security projects. These are projects the board has approved and provided funding to control, mitigate or treat risk and reduce its level (likelihood and impact).

It is essential to report to the board if the projects are on track or off track and seek support and advice if any tasks are blocked.

Indicators for Security Conscious Corporate Culture

Your people are your cyber security strategy's core and your best defence. So, every organisation should build a security-conscious culture to reduce the number of cyber security incidents caused by human activities.

It is important to report to the board the indicators that measure changes in employees' behaviour in relation to cyber security. These are not security awareness training completion rates and phishing simulation click-throughs. These include the number of suspicious emails reported by employees rather than ignoring or deleting them and the number of executive briefings on spear-phishing.

Communicate Effectively with the Board

Each of the above items will create items for discussion and decisions to be made. For each item, you need to:

• Lay out the problem: Use storytelling to educate the board of directors on how things work and describe the limitations of the current state

• Define the objectives and criteria for the solution: The board doesn’t know what bad, good or great looks like. So make sure to provide a big picture of the desired state and describe what success looks like.

• Generate Options: You need to help the board understand the decision it needs to make. Co-create a strategic story through a focus on business trade-offs.

• Evaluate Options: Help the board map the options to the business capabilities, funding and the company strategy to select the best option and provide direction and funding as required.

Recommendations

There is no standard template I can provide for cyber security committees to report to the board. However, the above items provide a starting point for reporting cyber security posture to the board of directors in the most effective way. You can always add more items as you see suitable. The best way to add items is to observe what questions the board normally asks and include them in future reports. I would also encourage you to ask the board members about their questions related to cyber security and include the answers in the report.

Most of the members in cyber security committees include senior cyber security professionals like the CISO. So, one last piece of advice I have is that these professionals must understand their liability for the decisions taken by the board if they participate in the decision-making process.

By law, any individual who exerts influence or control over a company is considered a shadow director. This is despite not being officially appointed as a director. So, if you participate in the decision-making process, beyond giving advice, you have the same legal responsibilities as a registered director.

Remember that management's primary objective is to provide the board of directors with the information and data that enable them to make key operational and strategic decisions that allow the organisation to achieve its strategic outcomes.

About the author:

Mouaz Alnouri is a technology enthusiast. With over a decade in the IT services industry, he’s provided intelligent solutions for complex problems throughout his career. He’s worked with major technology and telecommunications firms, including Telstra and NBN. Mouaz is leading the team at Skillfield with a passion for protecting Australians and their businesses from hackers and all sorts of bad actors.


Are you ready? How to be prepared for a security incident.

In February 2021, an Australian university was hit by a ransomware attack. The university quickly shut down its network to identify the infiltration, contain the breach and conduct a proper investigation. As a result, critical operations were offline, new enrolments were suspended and the university could not pay casual staff. A few days later, the university fully restored its IT systems and confirmed there was no evidence to suggest a data breach had occurred.

This could happen to any organisation; Australian organisations across all sectors are targets for cyber attacks. Cyber criminals are very determined and the number of cyber attacks is continuously increasing. The ACSC revealed that cyber attacks have increased by nearly 13 percent in FY20/21 from the previous financial year. The increase equates to one cyber attack every 8 minutes compared to one every 10 minutes last financial year.

What should organisations do to minimise the time required to investigate cyber security incidents, reduce their impact and restore their systems as quickly as possible?

Effective Incident Response

Every organisation should have an incident response plan. An incident response plan enables organisations to respond decisively to a cyber security incident, limit its impact and support recovery.

When an incident occurs, the incident investigator will collect data from numerous sources within the organisation to determine whether or not there is a security incident.

The investigator will request audit logs, transaction logs, intrusion logs, connection logs, system performance records and, above all, user activity logs from firewalls, intrusion detection/prevention systems, routers, switches, servers, desktops, mainframes, business applications, databases, anti-virus, VPNs and any other system with a CPU.

This is a process that, if done manually, takes time and effort, causing days' worth of delays before responding to the incident. This manual process will potentially increase the organisation's downtime and subsequently the impact of the attack.

For effective incident response, every organisation should have a centralised collection of all the logs generated within its environment. The incident investigator can only draw a picture of what has happened after examining the logs, including how the malicious actor has gained access to the environment and what key data and assets the attacker got access to.

Furthermore, by quickly examining the logs, the incident investigator can efficiently recommend the best course of action for a rapid response to contain the attack and minimise the impact.

How to store logs centrally

A central log repository is a software solution that aggregates logs from many different resources across the entire environment and empowers the organisation’s security team to analyse them when required. This software is called SIEM: Security information and event management.


Blind spots are the enemy of every organisation; a SIEM eliminates these by consolidating silos of data into one datastore. The SIEM will enable organisations to correlate logs from multiple data sources and identify patterns beyond single messages. For example, a user connecting via VPN out of working hours may not be a concern. However, suppose it happens at the same time as repeated failed attempts to connect to a production database as an administrator. In that case, it is alarming and it may mean someone has compromised the user’s VPN access and is trying to steal the company’s data.

The starting point to deploy a SIEM capability is to develop an event logging policy that covers events to be logged, logging facilities to be used, event log retention periods and how event logs will be protected.

After developing the policy, the organisation needs to select the right software and the right deployment option. There are multiple SIEM solutions in the market that can be deployed on-premise or in the cloud and each has its own features. The organisation must analyse its requirements carefully and design a solution that scales as its business does.

Then comes deployment. At this stage, the logs from different sources need to be collected and there are three main ways to do that.

• Configuring a centralised log collecting agent to pull the logs from the devices

• Installing agents on the endpoints and pushing the logs to the centralised repository

• Configuring the devices to push the logs directly to the centralised repository

Once the logs reach the SIEM, they are ready to be used when required. It’s highly recommended that organisations select software that can process the data and normalise it against a standard data model to make it easy to analyse.
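The VPN and database correlation described earlier in this section, run over logs normalised to one schema, as an added example that is not from the original article or from any SIEM product. The log formats, field names, working hours (08:00 to 18:00, Monday to Friday), 30-minute window and threshold of three failures are all assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs from two sources with different formats.
# Assumption: both sources log in the same time zone.
VPN_LOG = """\
2023-05-02T23:41:07 vpn-gw01 session-start user=jsmith src=203.0.113.45 assigned=10.8.0.23
2023-05-03T02:10:00 vpn-gw01 session-start user=mlee src=198.51.100.7 assigned=10.8.0.31
2023-05-03T10:15:30 vpn-gw01 session-start user=akhan src=192.0.2.14 assigned=10.8.0.40
"""
DB_LOG = """\
02/05/2023 23:43:10 proddb01 LOGIN_FAILED account=admin client=10.8.0.23
02/05/2023 23:43:41 proddb01 LOGIN_FAILED account=admin client=10.8.0.23
02/05/2023 23:44:05 proddb01 LOGIN_FAILED account=admin client=10.8.0.23
03/05/2023 02:12:30 proddb01 LOGIN_OK account=report_ro client=10.8.0.31
03/05/2023 10:20:00 proddb01 LOGIN_FAILED account=admin client=10.8.0.40
03/05/2023 10:20:20 proddb01 LOGIN_FAILED account=admin client=10.8.0.40
03/05/2023 10:20:45 proddb01 LOGIN_FAILED account=admin client=10.8.0.40
"""

VPN_RE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) session-start "
                    r"user=(?P<user>\S+) src=(?P<src>\S+) assigned=(?P<ip>\S+)")
DB_RE = re.compile(r"(?P<ts>\S+ \S+) (?P<host>\S+) LOGIN_(?P<outcome>FAILED|OK) "
                   r"account=(?P<account>\S+) client=(?P<ip>\S+)")

WORK_START, WORK_END = 8, 18      # assumed working hours, Monday to Friday
ADMIN_ACCOUNTS = {"admin"}        # assumed privileged database accounts


def normalise_vpn(line):
    """Map one VPN gateway line onto the common schema, or None if unparsable."""
    m = VPN_RE.fullmatch(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": "vpn",
            "action": "session_start", "outcome": "success",
            "user": m["user"], "ip": m["ip"], "remote_ip": m["src"]}


def normalise_db(line):
    """Map one database auth line onto the common schema, or None if unparsable."""
    m = DB_RE.fullmatch(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"), "source": "db",
            "action": "login",
            "outcome": "failure" if m["outcome"] == "FAILED" else "success",
            "account": m["account"], "ip": m["ip"]}


def load_events():
    """Parse both sources and return one time-ordered list of normalised events."""
    events = []
    for text, parser in ((VPN_LOG, normalise_vpn), (DB_LOG, normalise_db)):
        for line in text.splitlines():
            event = parser(line)
            if event:
                events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def out_of_hours(ts):
    """True on weekends or outside WORK_START..WORK_END on weekdays."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def correlate(events, window=timedelta(minutes=30), threshold=3):
    """Alert when an out-of-hours VPN session is followed, within `window`, by at
    least `threshold` failed admin logins to the database from the VPN-assigned IP."""
    alerts = []
    for vpn in events:
        if vpn["source"] != "vpn" or not out_of_hours(vpn["ts"]):
            continue
        fails = [e for e in events
                 if e["source"] == "db" and e["outcome"] == "failure"
                 and e["account"] in ADMIN_ACCOUNTS and e["ip"] == vpn["ip"]
                 and vpn["ts"] <= e["ts"] <= vpn["ts"] + window]
        if len(fails) >= threshold:
            alerts.append({"rule": "out_of_hours_vpn_then_db_admin_failures",
                           "user": vpn["user"], "vpn_ip": vpn["ip"],
                           "remote_ip": vpn["remote_ip"], "vpn_start": vpn["ts"],
                           "failed_admin_logins": len(fails)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(load_events()):
        print(alert)
```

Neither signal alerts on its own: the out-of-hours session with a successful read-only login and the in-hours burst of failed admin logins both pass, and only the combination for one session is flagged.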

Unrealized gains of having a SIEM

A SIEM is not only useful in assisting an investigation following a security breach. There is a significant unrealised gain from having a SIEM; that’s the ability to continuously monitor the environment to detect potential security incidents by correlating events within the SIEM.

The SIEM typically comes with a detection engine with built-in rules that search the logs against predefined criteria to identify malicious activities. The rules in the detection engine can be customised based on the business needs. Furthermore, additional custom detections can be developed to monitor the organisation's most critical assets.

Advanced SIEM solutions come with a machine learning module that implements algorithms to spot abnormal behaviour or activity to aid the detection and provide better monitoring coverage.

Recent industry advances have introduced the concept of combining SIEM and EDR functionality while adding more advanced log analysis capabilities. This often integrates cloud-based analysis of host-based sensor telemetry to link disparate alerts to detect compromises of systems and provide better visibility.

SIEM is important

I can’t stress enough how important it is to prepare the logs for use if an incident occurs. This is, in my opinion, even more important than your insurance policy. In the case of an incident, both the insurance company and the government regulator will look for evidence that you have done the right things and taken active measures to ensure the security of the sensitive data you hold. No logs, no evidence.

Even the Australian Cyber Security Centre (ACSC) has added a recommendation to Essential 8 for organisations to use a SIEM to centrally log and analyse system behaviour to detect compromises and facilitate incident response.

Conclusion

The university’s ability to quickly detect, investigate and respond to the cyber attack has been crucial to minimise the impact on its operations, maintain its reputation and protect its sensitive data. They were ready to provide the investigators with the data they needed when they needed it.

Good visibility of what is happening in an organisation’s environment is essential for conducting an effective investigation. It also aids incident response efforts by providing critical insights into the events relating to a cyber security incident and reduces the overall cost of responding to them.

Unfortunately, many Australian organisations have insufficient visibility of the activity occurring on their network, workstations and servers. This has been confirmed by the Australian Cyber Security Centre (ACSC) while performing recent investigations.

Gaining sufficient visibility for an organisation doesn’t have to be expensive or complex. And it is worth the money. Remember, remediation costs for a cyber security incident can be far greater than early and ongoing investment in being ready for one.

About the author

Mouaz Alnouri is a technology enthusiast. With over a decade in the IT services industry, he’s provided intelligent solutions for complex problems throughout his career. He’s worked with major technology and telecommunications firms, including Telstra and NBN. Mouaz is leading the team at Skillfield with a passion for protecting Australians and their businesses from hackers and all sorts of bad actors.


Supply chain risk management needs physical layer visibility

Visibility at the physical layer (Layer 1) provides a clear and unobscured picture of all hardware assets connected to your network. With countless vendors making up the supply chain (none of which an organization has control over) ensuring you have this clear and unobscured visibility is paramount. Unfortunately, organizations lack such visibility, and their current efforts are not enough. Any hardware discrepancies brought in through the supply chain will go unaccounted for, which is a massive security risk that may even lead to operational disruptions.

Here are three ways in which managing supply chain risks with physical layer visibility can benefit the organization.

Reason One: Regulation

Thanks to globalization, today’s economy is highly interconnected. As a result, organizations are required to comply with various regulations, many of which concern security. Such regulations contain significant bureaucratic hoops that organizations must jump through, and failure to do so can result in hefty fines, among other consequences. In order to maintain regulatory compliance, it is necessary that organizations have complete asset visibility to verify supply chain integrity. A great example of when this is relevant is for Section 889 of the 2019 National Defense Authorization Act, which prohibits US government contractors from using hardware manufactured by specific vendors. These contractors must determine whether any of their hardware has been manufactured by one (or more) of the barred vendors – an arduous task without physical layer visibility.

Implementing a system that supplies complete asset visibility ensures that organizations know the true identity of all connected devices and their associated risk posture. Without physical layer visibility, it would be nearly impossible for an organization to guarantee that their devices are compliant with regulations; a simple change to the hardware along the supply chain could easily jeopardize compliance efforts, and no-one would know any better.

Reason Two: Efficiency

As the age-old saying goes, efficiency is key; businesses must do everything in their power to maintain optimal levels of profitability. Supply chain hardware risks can harm the efficiency of an organization, should a device not perform as expected. Having visibility at the physical layer will help organizations achieve continuous operational efficiency by identifying any anomalies in device behavior. Automatically detecting the true identity of a device in real time prevents any errors in device authentication.

Reason Three: Compatibility

When an organization orders large quantities of devices for the workplace, every single one must behave and function as expected. However, let’s say you just received an order for new laptops from a tech supplier and, unbeknownst to you, some of the laptops had been refurbished. These refurbished devices, which have undergone firmware and hardware modifications, may not operate the way a new device would, resulting in compatibility issues. With physical layer visibility, such changes would get detected instantly, notifying the security team of the anomalous device(s). Furthermore, there could also be compatibility issues with the operational software, which can also be preemptively spotted by physical visibility. Compatibility is extremely important as any discrepancies can impact both the aforementioned points of regulatory compliance and operational efficiency.

In short, implementing physical layer visibility helps organizations better manage hardware-related supply chain risks. With a heavy (and growing) reliance on extensive supply chains, organizations cannot afford to be lax about supply chain risk management. It starts with visibility.

Free cyber security program propelling prototypes of the future

When Raja Ravi, Founder and Director of Swan Foresight, first heard about CSIRO’s Innovate to Grow, he was excited to see how his business could progress their potential R&D opportunity. For him, the prospect of having direct access to mentors with expertise in R&D in the sector of his choosing was an opportunity too good to pass up.

Swan Foresight is a start-up with a vision to co-create sustainable and secured futures and eco-systems using the latest technologies, both ethically and safely.

Their primary focus is on the renewable energy sector and small-medium businesses, and they are in the process of developing two cybersecurity products and consulting services, in addition to their existing consulting work in IT and Security domains.

The Innovate to Grow Cyber security program presented the opportunity to further develop a business idea Raja had for developing a Distributed Energy Resource (DER) security model, and he found the brainstorming sessions with experts from CSIRO, universities and industry and the structure of the program to assist greatly in bringing this forward.

“The participants and mentors were really of tremendous value to bring things together, establishing deeper connections and enabling us to expand our networks of sharing ideas to help materialise them and take them to the next stage,” Raja said.

“The program helped me to open discussions with the University of Melbourne, microgrids and other academics to keep advancing the idea.”

Currently, the prototype is being tested at a microgrid, with research papers being published in notable journals also. With all this momentum, Raja foresees their prototype working in a production environment at a microgrid by the end of 2023.

“This is one of the programs that helped me gain confidence to invest my time and money to give some shape to the idea,” Raja said.

“The important thing is that innovation is not a straight line. It is a journey with a lot of twists, loops, and turns. While the idea is what we believe in, we are sure that programs like this help us and steer us in this journey with better preparation and less surprises.”

Expressions of Interest are now open for the next round of CSIRO’s Innovate to Grow program for Cyber security and digital technologies, proudly supported by the Department of Industry, Science and Resources.


HELPING CYBERSECURITY PROFESSIONALS BEFORE BURNOUT

Interview with Peter Coreneos

Burnout is common throughout many industries, but a recent report has shown that cybersecurity professionals are amongst those most affected – possibly at a faster rate than frontline health care workers.

That’s why the not-for-profit CyberMindz was born – to provide direct support to restore and rebuild emotional and cognitive health in the cyber community.

MySecurity Media's senior journalist Laura Hawkins reports from the NFP's first fundraising gala event in Sydney.

Founder, Cybermindz.org

How to prevent cybersecurity burnout

I’m willing to wager that pretty much everyone has felt the symptoms of burnout at some point in their career. Some people have a problem saying “no” when new requests come in or their ambition gets the better of them and they believe that the more work that piles up the more secure they are in their job. However, in IT and specifically in the field of Cybersecurity, burnout may not always be self-induced. With the adoption of cloud technologies as well as DevOps principles, organisations are constantly accelerating the pace of software and service delivery. While that well-oiled CI/CD machine will continue to run efficiently, the security teams are tasked with ensuring the entire organisation’s safety and compliance. Alert fatigue within the world of cybersecurity is a very real problem.

Tools Should Help

With such a large responsibility placed on security teams, it’s absolutely necessary that they bring in the technology and tools built for securing networks and infrastructure. However, with the sheer number of vendors and tools in the cybersecurity market, businesses can have, on average, 45 or more security tools deployed! With too many tools, you can run into problems. In actuality, too many tools can severely impact a security team’s ability to truly protect their organisation efficiently, but why and how exactly is this a problem?

If you have ten security tools in your arsenal, your staff needs to understand how each of those tools functions and what benefit it provides. Then your staff needs to learn the appropriate rule syntax for each tool. Now let’s say you’ve written rules, you’ve set up the appropriate notification channels, and you turn everything on. It’s almost a certainty that the number of alerts and security events generated will be overwhelming or even unmanageable. The only way to reduce the noise is to begin suppressing rules. This, however, can lead to true indicators of compromise being completely missed, which is the opposite of the result the security team is aiming for.

The Cybersecurity Talent Shortage and Burnout

Data from the CyberSeek platform shows that in the 12 months to September 2020 there were over 14,000 job openings for dedicated and related cyber security roles in Australia. According to the Cybersecurity Workforce Study 2021 from industry group the International Information System Security Certification Consortium, or (ISC)2, there is still a cybersecurity workforce gap of 25,000 in Australia, 16,000 in Singapore and 1.42 million across APAC.

So, if your idea was to hire more security professionals to combat the avalanche of alerts and events that are being generated on a daily basis, you may be completely out of luck. You simply cannot hire your way out of this particular problem.

This places an additional burden on your existing resources and many security professionals may start to believe that the demands of their jobs are unachievable. When a valuable team member finds a new job and leaves your organisation, there’s a strong chance their role will go unfilled for some time, only adding strain to the already-stretched-too-thin resources left on the team. The result? More burnout. More turnover.

Is There A Solution?

As a result of the global pandemic pressing organisations to adopt cloud technologies, there has been a parallel rise in cyberattacks. Legacy security tools that rely on constant rule writing produce too many alerts because of the amount of data that is generated by the cloud and the constantly changing nature of cloud-native applications. Attackers are constantly developing novel and sophisticated attacks, which leaves so much unknown to security teams. Add in tool sprawl, staff and talent shortages, plus resources whose work performance is impacted by the symptoms of burnout and it’s the perfect storm for any organisation. So, is there a solution?

In this modern age of cybersecurity, companies are finding more value in taking a data-centric, platform approach when implementing a security solution that is purpose-built for the cloud. By leveraging automation and machine learning in a security solution, for example, an organisation can take millions or billions of security signals from cloud accounts and workloads, learn the normal behavioural patterns of thousands of users or entities, identify hundreds of security issues, and surface a handful of high or critical events on a daily basis. By removing the heavy lifting of threat hunting and context gathering, your security analysts won’t be wasting their limited time and energy with manual investigative work. And by providing a low signal-to-noise ratio, cybersecurity professionals won’t be subjected to the extremely high workload demands that typically result in burnout. They may even feel energised and ready to take on securing cloud accounts and cloud workloads, which is one of the toughest challenges in the IT industry at the moment.

It’s time to evolve your security teams’ capabilities by adopting a modern cloud security solution to enable rapid innovation while prioritising safety. Imagine how many more cybersecurity professionals you could hire by letting them know your organisation is using a cutting-edge technology solution that has significantly reduced your employee burnout by completely automating all the manual and redundant tasks a typical analyst is accustomed to? And all without ever writing a single security rule or policy.


Is ChatGPT AI the next Superman or humanity's Kryptonite?

Now that the dust of innovation has settled on the hype around ChatGPT, it may be a good time to unpack the full implications of this technology. While it certainly helps sleep-deprived college students ace term papers and gives copywriters a creative boost, it has a potentially dark underbelly. David Carvalho, CEO and co-founder of Naoris Protocol, unpacks some of the not so pretty aspects of emerging AI technology and its potential to wreak havoc for businesses globally.

How can ChatGPT be used to exploit code and can it really create code?

The short answer is yes. OpenAI’s ChatGPT is a large language model (LLM)-based artificial intelligence (AI) text generator; it just requires a prompt with a normal English language query.

GPT stands for Generative Pre-Trained Transformer. It is trained on a big data sample of text from the internet, containing billions of words to create learnings on all subjects in the samples. It can ‘think’ of everything from essays, poems, emails, and yes, computer code.

It can generate code fed to it from plain English text, or receive new and existing code as input. This code can however be exploited for malicious purposes, or more importantly, it can be used for defensive and protective applications; it’s all about the intentions of the user. While Google can show you an article on how to solve a specific coding problem, ChatGPT could write the code for you. This is a game-changer; it means that developers could do near-instant security audits of application code and Smart Contract code to find vulnerabilities and exploits prior to implementation. It would also enable companies to change their deployment processes, making them more thorough prior to launch, reducing vulnerabilities once deployed. This would be a significant contribution to the fight against cyberthreat damage, which is expected to exceed $10 trillion by 2025.

What are some of the current limitations?

The downside is that bad actors can program AI to find vulnerabilities to exploit any popular, existing coding standard, Smart Contract code, or even known computing platforms and operating systems. This means that thousands of existing environments that are complex and at risk in the real world, could suddenly be exposed (in the short term).

AI is not conscious, it is an algorithm based on mathematical principles, weights and biases. It will miss basic preconceptions, knowledge, emotions and subtleties that only humans see. It should be seen as a tool that will improve vulnerabilities that are coded in error by humans. While it will potentially significantly improve the quality of coding across web2 and web3 applications, we can never, nor should we, fully trust its output. Despite this cautious approach, we should strive to have confidence that we will be able to trust its baseline in the future.

Developers will still need to read and critique AI output by learning its patterns and looking for weak spots, while being cognizant of the fact that threat actors are using it for nefarious purposes in the short term. However, I believe the net-output is a positive addition to the maturity of all processes in the long term. There will always be new threats for it to analyse and mitigate, so while it may be a great tool to assist developers, it will need to work in tandem with dev teams to strengthen the code and protect the systems. The attacking position will be to find bugs or errors in the output of the AI instead of the code itself. AI will be a great tool but humans will have the last word, hopefully. With some bumps along the way, this will be a net positive for the future of cyber security trust and assurance. In the short term, AI will expose vulnerabilities which will need to be addressed very quickly, and we could see a potential spike in breaches.

Does regulation need to be updated to include/consider these models?

Regulation will be critical in the adoption of this type of AI, but it may also be avoided because current regulation is analogue in nature, i.e., broad, self-policed, usually reactive rather than proactive, and incredibly slow to evolve, especially in a fast-changing and innovative "target area" like AI. Regulators in their current capacity might very well find themselves out of touch and out of their depth; they should be directly advised by specialists in the field and in academia to ensure quick reactions. Perhaps they should look at creating a completely separate Regulatory Body or Council for Ethics, with the purpose of regulating or setting up fundamental rules of what is off-limits while using such powerful dual-use technologies. Regulations usually only kick in when something has gone wrong; then it takes months, if not years, to get the regulation through the various iterations and approval processes. Currently regulation in this field is not fit for purpose. The ability to oversee and implement regulation that addresses the rate at which AI learns and executes output is a much-needed extra string to the compliance bow.

AI itself needs to be regulated; the burning question is “Should it be centralised?” We need to seriously consider whether centralised tech companies or governments should hold the keys and be able to “bias the AI” to influence outcomes. A more palatable model would be a decentralised solution, or at least a decentralised governance system that allows for the assurance of trust of the baseline systems that provide answers, and that provide data for the answers and all their processes through an assurance mesh. We should perhaps look at a model similar to how web 3 developers and validators are rewarded. The AI should have a pool of professional advocates who are incentivised to develop and evolve the AI to meet certain publicly ethical shared goals that ensure the technology is used for good in every sector that it's operating in.

Can filters be created to detect these models?

Yes, but it would result in a whack-a-mole effect similar to what we have now; it would be a good best effort, but definitely no panacea. Filter-based ethical principles could be programmatically created to detect the models of any malicious or exploitative actor or define areas or topics that would be out of bounds. However, we need to ask “Who is in control of the AI code itself?” and “Can we trust the AI systems that are providing the answers not to be biased, or have compromised integrity from a baseline?”. If the baseline was indeed biased or compromised, we would 100% need to know.

The logical solution would be to protect networks and devices using decentralised and distributed consensus methods, so the status and trustworthiness of the data that is being generated is known to be good, true and trusted in a highly resilient and cryptographically strong manner. It must be auditable and immune to local tampering or subversion by malicious actors, whether internal or external.

So where to from here?

How ChatGPT crashed into the market can be compared to Superman's arrival on planet Earth from Krypton. We had no clue of his existence before he arrived; we were not sure how his powers would impact the world as he grew up, and we were not sure how dark forces (Kryptonite) could affect the outcome of his behaviour. It would be presumptuous, if not arrogant, to suggest that anyone really knows how this is all going to play out. The only thing we know for sure is that some aspects of the way the world functions will change irrevocably. It will be an exciting and compelling journey to see how humanity deals with yet another game-changing technology that, in turn, will be overshadowed by many other innovations. We no longer have rear view mirrors to look at the past to help us predict the future; the future is a vector that will chart its own course and everyone will have a role to ensure it is a net positive for humanity.


THE GROWING THREAT OF RANSOMWARE: LEARN HOW TO PROTECT YOUR BUSINESS.

Cybercrime is continuing to surge in Australia and ransomware is the most popular weapon of choice.

The latest report from the Australian Cyber Security Centre (ACSC) states a 75% increase in the number of ransomware-related incidents reported, compared to the previous report of 2019/20.

It’s now vital that all individuals and organisations protect their data in order to protect their business.

One way to do that is learning from experts. Rubrik, Inc. and Sekuro have been hosting 'Save the Data' workshops around the country recently. Attendees are put into the shoes of key players of a ransomware attack and together learn how to best handle the situation.

Our senior journalist, Laura Hawkins, reports.


ChatGPT: AI for good or AI for bad camp

Science, technology, and all its components have strongly benefited humanity over generations. By definition, it is the search for new knowledge - so how could it be bad? But the reality is that every tool has the potential to be good or bad, and it depends on the people using it.

In our relentless quest to mimic and decipher the human mind, we have ushered in the era of Artificial Intelligence (AI). ChatGPT, a text-based AI bot, has become the latest tool making headlines for its viral use of advanced AI. From accurately fixing a coding bug and creating 3D animations to generating cooking recipes and even composing entire songs, ChatGPT has showcased the immense power of AI to unlock a world of incredible new abilities.

On the flip side, AI - as considered by many - is a double-edged sword. In cybersecurity, experts today have access to AI-powered security tools and products that enable them to tackle large volumes of incidents with minimum human interference. However, at the same time, amateur hackers can leverage the same technology to develop intelligent malware programs and execute stealth attacks at increasingly higher levels.

Is there a problem with the new chatbot?

Since the launch of ChatGPT in November, tech experts and commentators worldwide immediately became concerned about the impact AI-generated content tools will have, particularly for cybersecurity. A question many are asking is - can AI software democratise cybercrime?

Recently, at the Black Hat and Defcon security conferences in Las Vegas, a team representing Singapore's Government Technology Agency demonstrated how AI crafted better phishing emails and devilishly effective spear phishing messages, much better than any human actor could.

Using OpenAI's GPT-3 platform and other AI-as-a-service products, the researchers focused on personality analysis-generated phishing emails customised to their colleagues' backgrounds and individual characters. Eventually, the researchers developed a pipeline that groomed and refined the emails before attacking their intended targets. To their surprise, the platform also automatically supplied highly relevant details, such as mentioning a Singaporean law when instructed to generate content for their targets.

The makers of ChatGPT have clearly suggested that the AI-driven tool has in-built controls to challenge incorrect premises and reject inappropriate requests. While the system technically has guardrails designed to prevent actors using it for straightforwardly malicious ends, with a few creative prompts, it generated a near flawless phishing email that sounded 'weirdly human'.

How to tackle the challenges?

As per the Australian Cyber Security Centre (ACSC), the total self-reported losses by Australian businesses hit with Business Email Compromise (BEC) attacks reached $98 million in 2022, up from $81.45 million in 2021. This trend is only expected to rise with the availability of tools on the dark web for less than $10, the emergence of ransomware-as-a-service models, and AI-based tools such as ChatGPT, which collectively lower the barrier to entry for cybercriminals.

Considering the looming threats of an ever smarter and more technologically advanced hacking landscape, the cybersecurity industry must be equally resourced to fight such AI-powered exploits. However, in the long run, the industry's vision cannot be a vast team of human threat hunters sporadically trying to tackle AI threats with guesswork.

On the positive side, Autonomous Response is significantly used to address threats without human intervention, but the need of the hour is to take intelligent action to counter these evolving threats. While organisations can ensure a baseline level of cyber security by implementing practices such as the ACSC's Eight Essential mitigation strategies, it does not guarantee protection from newer, more advanced threats. As AI-powered attacks become a part of everyday life, businesses, governments, and individuals must turn to emerging technologies such as AI and Machine Learning to generate their own automated responses.

Using AI tools more responsibly and ethically

Following Australia's recent high-profile hacks, it's no surprise businesses are looking at ways to improve their cybersecurity posture. Implementing emerging technologies can no longer be ignored, especially with the Australian Securities and Investments Commission (ASIC) placing increased scrutiny on company directors who failed to prioritise cybersecurity.

However, businesses face a number of challenges in navigating the AI cybersecurity landscape. From technical complexities to the human components, there is a considerable focus, particularly on the balance between machines, the people involved and ethical considerations.

Establishing corporate policies is critical to doing business ethically while improving cybersecurity. We need to establish effective governance and legal frameworks that enable greater trust that the AI technologies being implemented around us will be safe and reliable while contributing to a just and sustainable world. Therefore, the delicate balance between AI and people will emerge as a key factor in a successful cybersecurity landscape in which trust, transparency, and accountability supplement the benefits of machines.


Will AI make us more secure?

ChatGPT, the dialogue-based AI chatbot capable of understanding natural human language, has become another icon in the disruptor ecosystem. Gaining over 1 million registered users in just 5 days, it has become the fastest growing tech platform ever.

ChatGPT generates impressively detailed human-like written text and thoughtful prose, following a text input prompt. In addition, ChatGPT can write and hack code, which is a potential major headache from an infosec point of view and has set the Web3 community on fire. They are reeling from the implications and the sheer ingenuity of this AI Chatbot that can analyse code and detect vulnerabilities in seconds: https://twitter.com/gf_256/status/1598104835848798208

The Naoris Protocol POV

Following the hype around ChatGPT, the race is now on between OpenAI’s ChatGPT and Google’s LaMDA to be the market leading NLP search tool for users and corporations moving forward. OpenAI is a newbie with $1B in funding and a $20B valuation, as opposed to Google’s towering $281B revenue. However, Google must rapidly innovate and adapt or risk being left behind, an example being TikTok and Meta, with the short format of TikTok leading the zeitgeist to become the most downloaded app, beating Facebook in 2022. Google is taking this seriously, having announced a ‘code red’ to develop a new AI based search engine product to counter OpenAI’s land grab. Ironically, ChatGPT uses the same conversational AI platform developed by Google's engineers in 2017.

How this will affect cybersecurity in the future is unknown, but there are some assumptions.

In the long term, this will be a net positive for the future of cyber security if the necessary checks and balances are in place. In the short term, AI will expose vulnerabilities which will need to be addressed, as we could see a potential spike in breaches.

AI that writes and hacks code could spell trouble for enterprises, systems and networks. Current cybersecurity is already failing with exponential rises in hacks across every sector, with 2022 reportedly already 50% up on 2021.

With AI maturing, the use cases can be positive for the enterprise security and development workflow, which will increase the defence capabilities above the current (existing) security standards. Naoris Protocol utilises Swarm AI as part of its breach detection system which monitors all networked devices and smart contracts in real time.

AI can help organisations improve their cybersecurity defences by enabling them to better detect, understand and respond to potential threats. AI can also help organisations respond to and recover from cyberattacks more quickly and effectively by automating tasks such as incident response and investigation. It can free up human resources to focus on more high-level, strategic tasks.

By analysing large volumes of data and using advanced machine learning algorithms, AI could (in the future) identify patterns and trends that may indicate a cyberattack is imminent, allowing organisations to take preventative measures before an attack occurs, minimising the risk of data breaches and other cyber incidents.

The adoption of AI could help organisations stay one step ahead of potential attacks and protect their sensitive data and systems, by integrating AI into an organisation's production pipeline to create smarter and more robust code, with developers instructing AI to write, generate and audit (existing programming) code.

AI currently cannot replace developers as it cannot understand all of the nuances of systems (and business logic) and how they work together. Developers will still need to read and critique the AI's output, learning patterns and looking for weak spots. AI will positively impact the CISO and IT team’s ability to monitor in real time. Security budgets will be reduced, and cybersecurity teams will also reduce in numbers. Only those who can work with and interpret AI will be in demand.

However, bad actors can increase the attack vector, working smarter and a lot quicker by instructing AI to look for exploits and vulnerabilities within existing code infrastructure. The cold hard truth could mean that thousands of platforms and smart contracts could suddenly become exposed, leading to a short term rise in cyber breaches.

As ChatGPT and LaMDA are reliant on large amounts of data to function effectively, if the data used to train these technologies is biased or incomplete, it could lead to inaccurate or flawed results, e.g. Microsoft’s TAY AI turned evil within hours. Naoris Protocol uses Swarm AI only to monitor the metadata of the known operational baselines of devices and systems, ensuring they have not been tampered with in any way. Therefore, the Naoris Protocol AI only detects behavioural changes to devices and networks, referencing known industry baselines (OS & firmware updates etc) rather than learning and forming decisions based upon diverse individual opinions.

Another issue is that AI is not foolproof and can still be vulnerable to cyberattacks or other forms of manipulation. This means that organisations need to have robust security measures in place to protect these technologies and ensure their integrity.

It is also important to consider the potential ethical implications of using ChatGPT and LaMDA for cybersecurity. For example, there may be concerns about privacy and the use of personal data to train these technologies, or about the potential for them to be used for malicious purposes. However, Naoris Protocol only monitors metadata and behavioural changes in devices and smart contracts, and not any kind of Personally Identifiable Information (PII).

Conclusion

AI will require enterprises to up their game. They will have to implement and use AI services within their security QA workflow processes prior to launching any new code / programmes. AI is not a human being. It will miss basic preconceptions, knowledge and subtleties that only humans see. It is a tool that will improve vulnerabilities that are coded in error by humans. It will seriously improve the quality of code across all web2 and web3 organisations. The current breach detection time as measured by IBM (IBM's 2020 Data security report) is up to 280 on average. Using AI systems like Naoris Protocol’s cybersecurity solution as part of an enterprise defence in depth posture, breach detection times can be reduced to less than 1 second, which changes the game.

It is worth noting that AI is a relatively new technology and still being developed and refined, therefore we can never 100% trust its output. Human developers will always be needed to ensure that code is robust and meets an organisation's business requirements. However, AI is being used by both sides, by good and bad actors alike, in an effort to give them the edge. With regulation working several years behind technology, we need organisations to implement a cyber secure mentality across their workforces in order to combat the increasing number of evolving hacks. The genie is now out of the bottle and if one side isn't using the latest technology, they're going to be in a losing position. So if there's an offensive AI out there, enterprises will need the best AI tool to defend themselves with. It's an arms race as to who's got the best tool.


Inclusive talent management to address the cybersecurity skills shortage

Cyber threats and attacks are increasing: Australian organisations face unprecedented risks. Although an increasing number of tech companies are active cyber defenders, many report difficulties in recruiting, retaining, and developing cybersecurity talent: Inclusive talent management could be the answer.

Diverse cyber adversaries require diverse cyber defenders. In the workplace, teams with talent from diverse backgrounds enable cyber threats to be examined from multiple perspectives. However, an organisation only gets value from the diversity of their workforce if the underrepresented groups are empowered to contribute. Inclusive talent management assumes that everyone has ‘a talent’; empowering everybody to boost the success of their organisation.

The OECD defines diversity along six dimensions: migration; ethnic groups, national minorities and indigenous peoples; gender, gender identity and sexual orientation; special needs including learning disabilities and physical impairments; and giftedness including neurodiversity. We also suggest that diverse academic background, professional experience and age are also important dimensions of diversity. Each of these dimensions may need specific talent management strategies to recruit, retain and train (or retrain) potential cybersecurity talent. However, an inclusive organisational culture is an imperative. Organisations with a culture that makes them more welcoming and inclusive increase their competitive advantage.

Inclusive talent management practices are not yet widespread in the cybersecurity industry. Let’s look at some of the ways that inclusive talent management could be applied to the cybersecurity workforce.

Recruitment

Job advertisements frequently request a number of years of work experience. However, a curious, creative professional actively involved in their community could rapidly acquire deep technical skills and organisational knowledge. Limiting recruitment to talent with a specified duration of experience could exclude the most enthusiastic, curious, creative, and community-engaged cybersecurity talent from your shortlist.

Technical and non-technical skills are required in all cybersecurity roles. Technical skills can often be learned in-house, whereas the non-technical skills (or soft skills) can be more difficult to gain. For example: a former emergency nurse with some technical training might be good in an incident response role because they can keep calm in a crisis. A former librarian might be good in a governance role as they have the patience to read extensive documents. A person who is blind may note vulnerabilities because they interact with technology in different ways to a seeing person. A neurodiverse talent may have traits such as hyperfocus, precision, persistence and the ability to identify patterns. Recruitment which focuses on technical skills and experience may fail to attract those with highly developed non-technical skills, and nonstandard perspectives.

Recruitment processes need to be flexible enough to engage with the diverse dimensions of talent. For instance, neurodiverse talent often presents poorly in an interview, yet is very capable in a technical role. For a client-facing role, an interview may be appropriate; however, interview panels need to be diverse to attract diverse talent. For example, a panel whose members are all of the same gender or cultural background may turn off candidates of a different gender or cultural background.

Recent graduates are ambitious and enthusiastic, but have little experience of where best to build and direct their innovative ideas and energies. Broad ranging and structured support can rapidly turn an inexperienced graduate into a valuable team member. Recent graduates expect lower salaries than experienced professionals, making recent graduates an attractive addition to an established team. Some graduates have been through unpaid internships, and international graduates are vulnerable to exploitation by unethical migration agents or through intensive workloads; these are a few examples of what is happening.

Curiosity and creative problem solving are some of the most sought after attributes in cybersecurity staff. Yet very few job advertisements, key selection criteria or promotion rubrics mention curiosity or creativity. Well-resourced curiosity turns a little bit of knowledge into subject matter expertise. Well supported creativity turns tricky problems into achievable solutions. Hiring for curiosity and creativity and providing resources and support can create teams with deep knowledge that can creatively solve tricky problems.

Retention

Valuing staff contribution can be done in many ways. Salary is important, but not everything. Some people enter cybersecurity for the technical challenge, some for the humanitarian ideal of keeping the community safe, some because they think hacking is ‘cool’, some because they would like to go back to the workforce, and some just because they have the skills. Those motivated by technical challenges may not be interested in managerial career pathways; those who are retired may like to work a few days per week; those motivated by humanitarian notions may like to choose their projects based on end user groups; those who want to be a hacker may not like client engagements that require a business suit; and those motivated by their own skills (such as neurodiverse talent) may not be interested in any of the former. Providing opportunities for work that matches an employee’s motivation leads to staff feeling valued.

Equitable opportunities include large things like promotion pathways; project allocation; travel opportunities; special training and mentoring opportunities fitting the different diverse dimensions of talent; and creating a safe workspace in relation to e.g., team meetings, task allocation and the way that someone is introduced. Studies indicate that white men often speak most in team meetings and interrupt their female or non-white colleagues. Neurodiverse talent feels valued and supported at work when employers provide a place where they can be safe and relaxed, without distractions and pressures. Indigenous talent value organisations that support connectivity with their community, and provide cultural awareness training within organisations, development and training opportunities, and ongoing support and mentoring. While mature age talent make fewer mistakes, are more reliable, and have a higher productivity rate than their younger colleagues, they look for flexibility in the workplace and still want the social engagement and intrinsic rewards, but with less career focus. Creating organisational strategies to support diverse dimensions of talent enhances not only retention and productivity but also a sustainable workforce, reputation, and competitive advantage.

Training

Employers can offer study leave or payment of course fees to support their staff to upskill into a cybersecurity domain, or create their own strategic training support. Many universities and TAFEs offer cybersecurity courses of various lengths and foci, from the highly technical to a business focus, and from the highly theoretical to practical implementations. Various courses of study are eligible for commonwealth funding support. However, training may need to fit the needs of diverse dimensions of talent. Training and retraining are valued by most diverse dimensions of talent.

Private training organisations, industry bodies and vendors offer short courses that can train people in a specific area of knowledge. Organisations can consider arranging for a team of employees to do a specific short course of most relevance. This can be useful for those in a cybersecurity role who need to learn a new technology, or those in an adjacent role looking to enter into a cybersecurity role. Vendor training (or retraining) packages may offer good value if your organisation is already using the vendor’s products, but can be used to advertise new products, which may not be the best use of your staff time. Be aware that the private training space is diverse, with many quality operators vying for space alongside shams. We teach our staff to spot a scam email; we can also try to spot a sham training offering.

Sharing knowledge and skills within an organisation builds capacity. Rotating staff into a cybersecurity team for a few months, and rotating cybersecurity staff into another team for a few months can build cross disciplinary skills, and productive working relationships across business units. Training and development are two of the most valued aspects across the diverse dimensions of talent, for both attracting and retaining that talent.

Inclusive Talent Management for Cybersecurity

Inclusive talent management means ensuring that all staff, including diverse dimensions of talent, have equitable opportunities for career development, and are supported to engage in formal training and development, and knowledge sharing experiences if they are interested.

• Attract, recruit, and retain diverse dimensions of talent through an inclusive company culture

• Ensure that job advertisements and instructions to recruiters will not exclude cross trained or informally trained staff.

• Take a chance on a recent graduate, especially if you are adding strength to an existing team.

• Get value from the diverse perspectives in your organisation by ensuring that everybody is empowered to contribute all their best ideas.

• Build technical and managerial career paths within your organisation.

• Investigate upskilling options (training, retraining): universities, TAFEs, private training organisations and vendors can provide useful training options that can be fitted to diverse talent, but don’t get scammed!

• Design ways to share cybersecurity skills within your organisation.

Digital health leaders call on government and industry to avert global healthcare crisis

Digital healthcare leaders are calling on government, national public healthcare bodies and the IT industry to come together to avert a looming global health crisis.

The call comes in the Manhattan Manifesto from the United Nations Science Summit Digital Health Leadership Steering Group, which sets out 12 principles for improving global healthcare in the face of rising costs, declining outcomes and worsening inequalities.

Professor Martin Curley, chair of the steering group and the document’s lead author, said: “There is overwhelming evidence that we’re heading for a cliff edge unless we make a radical shift. Half the world’s population still has no access to essential health services and the other half may soon be unable to afford the services they have.”

The evidence of global access to health services comes from the WHO and World Bank. The OECD has warned that healthcare costs will become unsustainable in advanced economies by the middle of this century. Other studies have warned of a global shortfall of 18 million health workers by 2030.

The Manhattan Manifesto, the outcome of the last meeting of the UN digital health symposium in New York, makes the case for accelerated adoption of digital technology for monitoring, managing and improving health accompanied by a “shift left” from hospital to community and home-based care.

The manifesto calls for governments to commit 6% of healthcare spending to digital healthcare, a figure based on levels of investment in the private sector to achieve digital transformation. It also calls for personal digital healthcare records backed by international standards for data governance and privacy.

The document has 50 signatories including Professor Jeffrey Braithwaite, founding director of the Australian Institute for Health Innovation, Ann Mond Johnson, chief executive of the American Telemedicine Association and Romita Ghosh, the Indian healthcare entrepreneur.

Professor Curley, former digital transformation director of Ireland’s national health service, the Health Service Executive, said: “In the USA, the cost of hospital services grew approximately 225% over the last two decades while average hourly earnings grew about 75%, making healthcare increasingly unaffordable. Healthcare productivity declined across the same period. Other advanced countries are experiencing similar pressures, regardless of how their services are funded.”

The manifesto describes three ‘Copernican shifts’: from treating illness to promoting wellness, including the earlier identification of rare diseases and chronic conditions; from treating people in hospital to treating them in the community, ideally their own homes; and from ‘doctor knows best’ to ‘patients know best’. It argues that these changes will only be possible with digital transformation resulting from collaboration between governments, public healthcare systems, clinicians, and industry.

Curley said: “We call this ‘stay left, shift left, 10x’. Stay left, shift left is a focus on prevention and treating people in their own homes. 10x refers to the growing body of evidence from living labs in Ireland and beyond to show that when you apply digital technology and improved data management to health you get a ten times improvement in outcomes – it’s ten times faster, ten times cheaper and ten times better. Crucially, it also supports ten times higher volumes, addressing the capacity issue. Insights Care recently dubbed this ‘Curley’s Law’.

“To paraphrase Einstein, we keep doing the same things in healthcare and expecting a different result. Unless we make a fundamental change millions of people will have a lower quality of life or shorter lives than they deserve. The technology is available. It would be a tragedy if we fail to embrace it.”

Romita Ghosh said: “A culmination of our UNGA 77 meeting was our flag-bearers' decision not to let the movement rest until it became mainstream. The Manhattan Manifesto launched today aims to champion a new era of digital health through collaboration, co-operation and change.”

Ryl Jensen, CEO of New Zealand’s Digital Health Association said: “The United Nations Manhattan Manifesto developed at UNGA 77 to steer the global direction of digital health comes at a pivotal time. The development and uptake of interoperable technology systems and remote patient monitoring across health systems will make a palpable difference to health outcomes across the world”.

Dave DeAngelis, global head of healthcare at Dell said: “My challenge to you is don’t be a bystander, join with this leadership group, lean in with us and help everyone to stay left, shift left.”

Dr Charles Larkin, director of the Policy Research Institute at the University of Bath said: “We are pleasantly surprised at the increasing empirical evidence for ‘Curley’s Law’ and are building a promising theoretical model based on existing growth models such as the Solow Growth Model and the Endogenous Growth Model, which can help explain this phenomenon.”

The third United Nations digital health symposium will take place on September 21 and 22 in New York. The steering group is inviting representatives from industry and public services to get involved in meetings in the run up to the event. For further information, contact info@ivi.ie

About the United Nations Science Summit Digital Health Leadership Steering Group

The Digital Health Leadership Steering Group is a grand coalition of global leaders from all four sections of the quadruple helix (government, industry, academia and citizens) who are committed to use breakthrough thinking and innovation methods to drive the digital transition of global health to provide better health for all. Orchestrated by Maynooth University in Ireland, the next UNGA 78 Science Summit Digital Health Symposium will take place in New York on 21 and 22 September.


A healthier Australian healthcare industry with Identity Security

The healthcare industry continues to be the most targeted industry by cybercriminals in Australia, with the sector reporting the highest number of notified breaches in Australia - 14% of 497 data breaches - to the privacy regulator in the second half of 2022, according to the OAIC report.

The major scale of the Medicare breach recorded in October last year was one of the last to shake up the industry to its core, with the exposure of 9.7 million current and former customers’ sensitive data. It is not surprising then that 85% of Australians see data privacy as a major concern, displaying a lack of trust and confidence in sharing their personal health information digitally.

Paired with continuing challenges with chronic staff shortages and the growing number of data privacy and information security regulations impacting the industry, the healthcare sector stands at a crucial point in finding the right balance between privacy and security when it comes to accessing Australians’ sensitive data.

For example, whilst My Health Record has been available to Australians for over 10 years, the uptick in adoption only picked up its pace during COVID with more Australians and healthcare providers accessing and adding to the existing data. The accelerated demand of digital integration and deployment of data has been a catalyst to reviewing how medical data is shared and accessed safely across complex and highly connected ecosystems. And that is the next challenge for the healthcare sector.

What’s promising is that according to SailPoint’s “The State of Identity Security 2023: A Spotlight on Healthcare” report, the healthcare industry almost universally recognises the importance of identity security, with 95% indicating that identity security is either a relatively important, critical, or number one investment priority for the organisation.

Whilst 29% of organisations recognise it’s their number one investment priority amid growing cloud adoption, digital transformation, and mergers and acquisitions within the industry, most organisations are still in the early stages of identity maturity as only a third have had an identity and access management program in place for more than two years.

The sector’s vulnerability is therefore still high and, as employee, non-employee and non-human identities continue to proliferate, it is no longer viable to give users broad access to internal healthcare systems, as human error and insider threats are the cause of most data breaches.

Why an Identity Security strategy is a must

As 93% of healthcare organisations experienced an identity-related breach in the last two years, the healthcare sector cannot afford to ignore identity security. In order to keep up with evolving security risks and prevent financial and reputational losses, healthcare organisations must implement a comprehensive identity program.

The healthcare sector is uniquely challenged with securing identities with one-to-many roles, multiple authoritative sources as well as several non-employees such as contractors, affiliate doctors and temporary healthcare professionals like nurses, imaging technologists and therapists.

Having an identity security strategy in place, enforced by Zero Trust and least-privileged access and harnessing AI, provides healthcare firms with complete visibility over all the direct and related access each user has – including all permissions, entitlements, and roles.

Identity management is key to ensuring a secure, compliant, and efficient infrastructure as it enables organisations to understand and manage who has access to which resources, and how exactly that access is being used to reduce, adjust or remove privileges as needed. By providing all internal and external users the minimum amount of access to resources required to perform their job, healthcare organisations can mitigate the risk of compromised credentials.

With tighter security controls in place, Australians would also feel more assured to share their private health information.

Adopting a SaaS-first approach

Healthcare organisations are typically built on legacy systems which are more vulnerable to cyberattack exposure. Their infrastructure not only poses a risk to their security due to their human and manual centred processes, but also affects their operational efficiency due to inflexibility in integrating with innovative solutions to automate all identity decisions.

Implementing a true native Software-as-a-Service (SaaS) approach with identity security which is interoperable with a mix of on-premise and cloud environments, can provide IT teams with continuous and accurate visibility into their entire SaaS environment. This visibility reduces the strain on IT teams by allowing controls to be set up to govern all SaaS access, control software spend, and secure identities to combat cyber threats, whilst delivering enhanced data security, telehealth, and improved patient engagement.

In the recent report by SailPoint, 38% of healthcare firms said that managing access is time-consuming, with a typical healthcare IT professional spending more than a third of their week managing access and permission for identities. An automated identity approach can easily define user roles and create policies for access, giving healthcare workers fast, simple and error-free access to the data and critical resources they require to care for patients. With an AI-driven process to review, refine and evaluate roles, healthcare organisations can improve compliance, meet regulatory requirements, and deliver successful audit outcomes.

With an integrated, intelligent and automated identity security strategy that provides visibility and insights to extend access at the right time by monitoring behaviour patterns and allowing IT managers to spot risky access faster, healthcare firms will not only benefit from enhanced security to protect patient data but also improve operational efficiency to deliver a seamless patient experience.


Digital trust: A collaborative responsibility towards cyber resilient digital ecosystem

Catherine Lee (CISA, CISSP, CRISC, CDPSE, CCSK) is the Regional Senior Cybersecurity Risk & Compliance Strategist specialised in Cyber Governance, Risk and Compliance (GRC). She has profound experience in providing strategic consultation and leading cybersecurity risk assessments, third-party security risk management programs, and driving cybersecurity transformation roadmap implementation for global MNCs of various industries including financial institutions, pharmaceutical, oil & gas, and emerging tech.

Catherine is the AiSP Co-opted Exco Member and is passionate about driving diversity in the cyber ecosystem. In her personal capacity, she volunteers in different communal initiatives including mentoring female students as well as shares her experience in a series of school talks and conferences.

She holds strongly in her personal CIA guiding principles where she believes “Confidence, Inspire or be Inspired and Adaptable” are key elements to excel and reach new heights in tech and cybersecurity careers.

In this technology-blooming era, the demand for digital transformation and innovation has been rising more than ever. Many companies are accelerating go-to-market strategies with evolving digital solutions and migrating to the cloud to improve operational efficiency as well as optimise cost. Building secure and reliable digital solutions, or digital trust tenets, are increasingly important to enhance a company’s reputation and brand loyalty as consumers prefer to buy from companies that are transparent and equally care about protecting the data rather than profitability.

Digital Trust is More Than Just Cybersecurity

Any new technology or digital solution introduces new risks and no technology is completely risk-free in the ever-changing digital landscape. A holistic and collective approach from cybersecurity, risk management, privacy, data governance, and ethics, coupled with the Security Shift-left mindset, are therefore the imperative elements in building a trustworthy solution for digital interaction. Bridging compliance and development makes it possible to identify defects much earlier in the Software Development Life Cycle (SDLC). This also improves the product quality with a high level of security by embedding the security controls needed at every stage of SDLC, which can then reduce the time and cost of fixing the vulnerability detected instead of dealing with security as an afterthought.

Enforce Governance and Take Ownership of Risk

Business is about taking risks and Security is a decision that can only be achieved through collaboration and not confrontation. It is with proactive communication, strong continuous governance and taking ownership of risks that senior management can have the appropriate visibility and make risk-informed decisions to strike the right balance between the business strategy/investment and treatment action needed for the identified digital trust risks, to ensure the company’s business continues to grow and at the same time continues to stay in compliance with the applicable laws & regulations.

Diversity is an important digital trust enabler

In the male-dominated industry, diversity is important in cybersecurity as different people and disparate backgrounds bring broader perspectives in building a more resilient cyber ecosystem. Let’s continue our effort to create more opportunities and mentorships to encourage even more ladies in joining us in this field.


IIOT cyber security lessons from Africa

Diversity, Equity and inclusion teach us that lessons can come from the most intriguing sources and in the most interesting packages if all we do is open our eyes. Quite recently I had the opportunity of sitting on a panel at the AfricaTech Festival which looked specifically at challenges around securing Industrial Internet of Things (IIOT).

AfricaTech, which is the biggest conference in Africa, is held annually in the beautiful city of Cape Town, South Africa, bringing together the movers and shakers in the African Technology and Communications space. Representation from across the continent is notable, with no country too big nor too small. With every idea seen as important and significant, the festival is a giant mash of creativity and intellect.

One thing that I found admirable about the conference and Africans in general is the deep-rooted desire to belong to a community. The African proverb “it takes a village to raise a child” is inculcated in every African from birth.

This community value drives the strong relationship culture for which Africa is both known and proud. In my language, Shona, we call it “hukama” which means relationships. Ever since I can remember, the ritual of creating family out of strangers has involved the same coordinated questions after exchanging names starting with “Where are you from?” If a link can be found, then down the rabbit hole of association, the conversation goes. If place of origin produces no link, then the search is stepped up a notch – “What is your totem (mutupo)?” Here you have to appreciate that the totem, which is usually an animal, is a gold standard for relationship. People with similar surnames may not be related, but people with the same totem are considered as related as if they were sanguine kin. My totem is “Shava Museyamwa - Mhofu yomukono” which in English translates to the Great Eland Bull. Whether the person I may have just met bears the same last name as mine or not is immaterial as long as they are a Mhofu, we are related. Depending on age and gender they automatically become my brother, sister, father, or aunt; as totems, like surnames, follow a patriarchal lineage. Similarly, a person bearing my mother’s totem is my aunt, uncle, cousin, and it goes on. No matter where I am, as long as there is a Zimbabwean, I will have a relative.

Now, halfway down the article you must be asking yourself how this lesson on Shona culture relates to IOT Security. Well, the thing is that the IOT phenomenon is based upon “things” connecting and communicating to other “things”. For this to happen there must be a common communication medium and protocol, whether this is done wirelessly through Bluetooth, LoRa and WiFi or through fixed wired networks such as Ethernet or DeviceNet. The trump card of any implementation is the simplistic seamless communication that in most cases can be established without any end-user intervention. Tie artificial intelligence into the matter along with machine learning and bingo, we have mimicked the African culture of establishing and maintaining relations at all costs. Where there is no relationship, the ultimate goal is to build one. From the perspective of Digital Transformation and experiencing tomorrow’s tech today, this is absolutely amazing, and everything should be done to increase the simplicity and ease of connection; however, from a Cybersecurity perspective, this is an absolute nightmare. The exponential increase from 1 to 1 connections to 1 to many connections multiplies the existing attack surfaces along with the associated vulnerabilities at an astronomic rate. Every cybersecurity professional worth their salt wants to see business value protected and in so doing implement their duties as a business enabler. One of the easiest ways to do that is to reduce the attack surfaces. This may be a seemingly mammoth task in the face of hyper-connected IOT strategies which are constantly trying to increase those attack surfaces by finding newer, faster, and easier ways for devices to talk to each other. This is compounded by the fact that old legacy technology and protocols such as MQTT, which was originally developed to monitor SCADA system oil lines in “controlled” and isolated environments, is now the go-to protocol for Industrial IOT, yet out of the box it lacks basic communication encryption, instead sending messages in plain text. Its robustness, efficiency, economy, and simplicity must be lauded, even in the face of glaring security shortcomings.
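To make the plain-text point concrete, the following added example (not part of the original article) decodes a hand-built MQTT 3.1.1 CONNECT and PUBLISH and reports which fields anyone on the network path can read when the broker listener has no TLS. The client ID, credentials, topic and payload are constructed sample values.

```python
import struct

# All sample values below (client id, credentials, topic, payload) are constructed.
def mqtt_str(text):
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw  # 2-byte big-endian length prefix

def decode_remaining_length(buf, pos):
    """MQTT variable-length integer: 7 data bits per byte, high bit = more follows."""
    value = 0
    for i in range(4):  # the spec allows at most four length bytes
        if pos >= len(buf):
            raise ValueError("truncated fixed header")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")

def read_field(body, pos):
    """Read one length-prefixed field, rejecting lengths that overrun the packet."""
    if pos + 2 > len(body):
        raise ValueError("truncated field length")
    (length,) = struct.unpack_from(">H", body, pos)
    end = pos + 2 + length
    if end > len(body):
        raise ValueError("field overruns packet")
    return body[pos + 2:end], end

def parse_connect(body):
    proto, pos = read_field(body, 0)
    if pos + 4 > len(body):
        raise ValueError("truncated CONNECT header")
    flags = body[pos + 1]
    pos += 4  # protocol level, connect flags, 2-byte keep-alive
    client_id, pos = read_field(body, pos)
    info = {"type": "CONNECT", "protocol": proto.decode(),
            "client_id": client_id.decode(), "username": None, "password": None}
    if flags & 0x04:  # will flag set: skip will topic and will message
        _, pos = read_field(body, pos)
        _, pos = read_field(body, pos)
    if flags & 0x80:
        user, pos = read_field(body, pos)
        info["username"] = user.decode()
    if flags & 0x40:
        secret, pos = read_field(body, pos)
        info["password"] = secret.decode(errors="replace")
    return info

def parse_publish(header_flags, body):
    topic, pos = read_field(body, 0)
    qos = (header_flags >> 1) & 0x03
    if qos:  # a 2-byte packet identifier is present only for QoS 1 and 2
        if pos + 2 > len(body):
            raise ValueError("truncated packet identifier")
        pos += 2
    return {"type": "PUBLISH", "topic": topic.decode(), "qos": qos, "payload": body[pos:]}

def parse_stream(data):
    # Walk back-to-back MQTT packets as they appear on an unencrypted TCP listener.
    packets, pos = [], 0
    while pos < len(data):
        first = data[pos]
        length, start = decode_remaining_length(data, pos + 1)
        body = data[start:start + length]
        if len(body) != length:
            raise ValueError("truncated packet body")
        if first >> 4 == 1:
            packets.append(parse_connect(body))
        elif first >> 4 == 3:
            packets.append(parse_publish(first & 0x0F, body))
        else:
            packets.append({"type": "OTHER", "code": first >> 4})
        pos = start + length
    return packets

def exposure_report(packets):
    """Summarise what an on-path observer learns; the password itself is not echoed."""
    lines = []
    for p in packets:
        if p["type"] == "CONNECT" and p["password"] is not None:
            lines.append(f"CONNECT client={p['client_id']} user={p['username']}: password readable")
        elif p["type"] == "PUBLISH":
            lines.append(f"PUBLISH topic={p['topic']}: {len(p['payload'])} payload bytes readable")
    return lines

def build_sample_capture():
    # Connect flags 0xC2 = username + password + clean session; keep-alive 60 s.
    connect = (mqtt_str("MQTT") + bytes([4, 0xC2]) + struct.pack(">H", 60)
               + mqtt_str("pump-07") + mqtt_str("plc_user") + mqtt_str("Winter2023"))
    publish = mqtt_str("plant/line1/pressure") + b'{"kpa": 412}'
    return (bytes([0x10, len(connect)]) + connect
            + bytes([0x30, len(publish)]) + publish)

if __name__ == "__main__":
    for line in exposure_report(parse_stream(build_sample_capture())):
        print(line)
```

Enabling TLS on the broker listener (conventionally port 8883 instead of 1883) is what removes these fields from an observer's view; MQTT itself adds no confidentiality.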

To tackle this quandary, we will look again at the African Culture of Relationships. As I mentioned earlier, when Africans meet a “new” unfamiliar face every effort is made, not only to establish some sort of relationship that brings that person into their “circle of friends” but also to understand each and every relationship. All too often I have sat through pleasantries where two people, normally of the older generations, narrate their entire lineage and relations in a hope that their new acquaintance may recognize a name, place or totem with which they are familiar. Going back to the totems, there are different derivatives under the various totems. For example, my very own mother was a Shumba - Siphambi, which means Lion in Shona. It is always a common joke that a man, such as my father being an Eland Bull should not marry a woman whose totem could easily eat his. Back to our derivatives. As much as my mother was a Lion and any man whose totem is a Lion should automatically become my uncle, if their derivative is not Siphambi but something different like Shumba – Mhazi, there is unfortunately no relationship to speak of and other efforts must be made to establish a relationship.

I mention this because, with Cybersecurity, it is only possible to protect what you know, not only on the surface but that you know deeply. It is nearly impossible to understand or protect an asset from a SYN Flood attack if you do not understand the fundamentals of SYN/ACK handshakes in an IP network. It is this requirement to understand how things work that has made me so fond of Cybersecurity because surface knowledge will not cut it. One needs to understand the technology and exactly how it works and how it communicates with other technology to build its cyber resilience. The field of cybersecurity has grown in leaps and bounds. Although nowadays there is a huge requirement for non-technical cybersecurity experts, let us not frown upon the hardcore technology specialist who has spent the greater part of their life understanding or in some cases developing the intricacies in certain tech that we now consider basic such as Bluetooth. That person is best positioned to understand and protect the attack surface and vulnerabilities that new IOT devices introduce into any environment be it at home or at scale in enterprise setups.

Turning again to African culture, once the relationship has been established and fully understood, every effort is made to maintain the relationship, especially where it matters most. The question being, where does it matter most? In African rural settings it matters most during public social gatherings, notably at funerals. It is taboo and unheard of to miss a funeral unless an Act of God forces that fate. Funerals are unplanned and un-budgeted but, in solidarity and “Ubuntu,” attendance is non-negotiable. This is the opportunity to pay last respects to the dearly departed and, more importantly, to maintain good relations with the remaining loved ones.

In the world of IOT security, once that relationship has been fully appreciated and understood, it is imperative to document and maintain that knowledge, being sure to constantly revisit, patch and upgrade the technology around the communication between the IOT devices. Simply being aware of the vulnerabilities and their intricacies is critical, but leaving it at that is a recipe for disaster. The discoveries must be constantly and consistently managed, as with our African relationships. Like African funerals, remediation of security issues that pop up on the CVE (Common Vulnerabilities and Exposures) list and the NVD (National Vulnerability Database) is unplanned and un-budgeted, but at the risk of facing breaches they must be addressed immediately at all costs. IIOT security in most cases deals with IT/OT integrations and critical infrastructure whose erroneous functioning can quite literally result in life-or-death situations. Maintenance is imperative. Unfortunately, this is where the African culture parallelism ends. A faux pas in cultural protocol can be forgiven, but when critical infrastructure is breached and lives are lost, the consequences, more often than not, are unpardonable.

Avoiding such mistakes requires the right guidance. As African culture is guided by grey-beards and matriarchs, the ISA/IEC 62443 standard guides the secure implementation and maintenance of electronically secure industrial automation and control systems. Lend yourself and your management system to it and reap the rewards in bucket-loads.

The next time you introduce new technology into your existing infrastructure, remember this lesson out of Africa! Make every effort to garner a deeper understanding of the relationships between the devices, considering each device on a case-by-case basis. Establish what you need to protect, how you need to protect it, when and where the protection is required, and why. Once you think you’re done, get a second eye to review your discoveries and strengthen your knowledge of your IOT. In so doing you will enable the secure deployment of next-generation IOT advancements.

“Every cybersecurity professional worth their salt wants to see business value protected and in so doing implement their duties as a business enabler”.
