Cybersecurity Threats Challenges Opportunities - November 2016 - ACS

November 2016

“It is only when they go wrong that machines remind you how powerful they are.” Clive James
Contents

01
Foreword                                       1
Executive summary                              4

02
A brave new world                              5
Cyber speak!                                   6
What is cybersecurity?                         7
And the weakest link is…                       9
A world without cybersecurity                  11

03
Threats in the information age                 13
The nature of threats                          14
The Internet of Things (IoT)                   16
Botnet armies                                  17
When security is an afterthought               18
Autonomous systems                             19
Driverless cars and transport                  19
ATMs and Point of Sale                         21
What about wearables?                          22
Cyberwarfare                                   24
Automated attacks                              24
Energetic Bear                                 24
Cyberattacks on infrastructure                 26
When software kills                            28
Data manipulation                              29
Backdoors and espionage                        29
Cloud concerns                                 29
Blast from the past                            30
Virtualised threats                            32
Industry and the individual                    33
Ransomware and Cryptoware                      33
Multi-vector attacks                           33
Identity theft                                 34
The world we live in                           34

04
The future in our hands                        35
The 100% secure computer                       37
Opportunities                                  38
The data-driven economy                        38
Technology as wealth creation                  39
Cybersecurity as job growth                    39
Leveraging technology talent                   39
Challenges                                     40
Leadership                                     40
Learning from history                          40
Collaboration                                  41
Education and awareness                        41
You are what you do                            43
Legal and regulatory                           43
Services and privacy                           43
Perception and practicality                    44

05
Looking to the road ahead                      45
State of the nation                            46
What role can you play?                        47
Government                                     47
Education and research                         50
Business and industry                          50
You, the individual                            50
The five pillars of cybersecurity readiness    51
Online resources                               52
Through the looking glass                      53
Fast facts                                     55
Glossary                                       57
References                                     59

Foreword
You’ve seen documents like this pass your desk before, but we hope this one is a little different. You can gloss over it, seeking the diamonds in the rough, but take the time to delve into the information presented here and you will walk away with a different appreciation of the laptop on your desk, the car that you drive, and the phone that you carry.

Not to mention the planes you fly, the banks that hold your money, the hospitals that keep you alive and the very infrastructure that makes our cities run. In short: the basis of our modern lives.

It can be hard to not overuse a word that’s become popular thanks to public awareness, but ‘cyber’ is now firmly entrenched in our language and our mindset, by virtue of the fact that our society today depends so much on technology.

So we’re going to talk about cyber with respect to security, as the two are intimately intertwined. In this guide we aim to break down what is sometimes a large and complex issue into an easy to read and digestible summary that should – if we’ve done our job well – give you the tools to both talk confidently about the issues, as well as equip you with the core information required to make decisions around cybersecurity.

Because, despite the technical nomenclature, the issue of cybersecurity is as vital to our way of life as technology itself. In fact, they can’t be separated: our economic health, our national security, and indeed the fabric of our society is now defined by the technology we depend on every day.

What’s left unsaid here, however, is the assumption that this technology will continue to work as we intend – but this is only true if we can protect it from being hacked, manipulated, and controlled.

Logically, then, protecting that upon which we depend should be front of mind for government, business and industry, academia and every individual with a smartphone in their pocket.

Which is to say, all of us.

If you are part of government, this primer serves as a guide to the greater sphere of cybersecurity and how it relates to our national security, our national interest, and our economic prosperity.

If you are an executive, board member, business leader, or IT professional this is an opportunity to verse yourself in the language and the ecosystem, the threats and the opportunities, and to better communicate the issues and responsibilities around cybersecurity within your organisation.

And if you are simply an individual interested in understanding more about the nature of our digitally-driven world, this guide will provide the basics and a clear overview of how cybersecurity relates to you.

At the ACS we welcome every opportunity to educate and assist. If you have any questions, or would like more information, please feel free to contact me at: anthony.wong@acs.org.au.

Enjoy this guide. We hope it will make a difference to you.

Anthony Wong
President, ACS

SECURING AUSTRALIA’S FUTURE

At ACS we are passionate about the ICT profession being recognised as a driver of productivity, innovation and business – able to deliver real, tangible outcomes.

This year ACS celebrates 50 years of advancing ICT in Australia. Our founders and pioneers worked on the first innovative computers in government, academia and industry, and our members now work at the coalface of technology development across every industry.

In 2011, ACS brought together its own Cyber Taskforce from our 23,000 members to respond to the Federal Government’s new cyber discussion paper, ‘Connecting with Confidence’, where we highlighted the need to develop co-ordination and a focus on the pipeline of cyber professionals.

To play our part in securing Australia’s future, we continue to perform the role of trusted advisor to government, and deliver services to identify and certify ICT professionals you can trust, including through the Professional Standards Scheme that assures professionals have the specialist skills business can rely upon.

ACS is part of the global federation of professional ICT societies, the International Federation for Information Processing (IFIP), and the first professional body to receive accreditation under the International Professional Practice Partnership (IP3) – providing a platform for accreditation for ICT professionals and mutual recognition across international boundaries. The ACS currently chairs IP3 and plays a leading role in the professionalism of the ICT workforce.

IP3 has since gained global attention after successful engagements at the World Summit on the Information Society (WSIS) Forum in Geneva and the United Nations in New York, where the importance of ICT professionalism was acknowledged by the UN General Assembly President in 2015.

In May 2016 the President of IFIP participated in the European Foresight Cyber Security Meeting where he advocated that professionalism of the ICT workforce is “a key element in building trustworthy and reliable systems” and that it is important to ensure that “cyber security and cyber resilience is also a duty of care of the individual ICT professional”.

As we move forward another 50 years, ACS will be there at the forefront meeting the challenges and opportunities of ICT, and supporting the growth and potential of ICT professionals in Australia.

Executive summary
As technology continues to evolve so also do the opportunities and challenges it provides. We are at a crossroads as we move from a society already entwined with the internet to the coming age of automation, Big Data, and the Internet of Things (IoT).

But as a society that runs largely on technology, we are also as a result dependent on it. And just as technology brings ever greater benefits, it also brings ever greater threats: by the very nature of the opportunities it presents it becomes a focal point for cybercrime, industrial espionage, and cyberattacks. Therefore, protecting it is of paramount priority.

This guide looks at some of the concerns facing us in the near future that include:

• Attack vectors such as botnets, autonomous cars and ransomware.
• Threats including data manipulation, identity theft, and cyberwarfare.
• Tangential issues such as data sovereignty, digital trails, and leveraging technology talent.

Additionally, it provides some background to the nature of digital ecosystems and the fundamentals of cybersecurity.

Critically, this document clarifies the importance for Australia to take responsibility for its own cybersecurity, especially with regards to essential infrastructure and governance.

On the flip side – and as one of the fastest growth industries globally – developing our own cybersecurity industry is also an opportunity for economic growth, job creation, and education – ensuring Australia is well positioned for a future as a digitally advanced nation.

Finally, we look at some of the challenges that countries worldwide are currently dealing with in regards to cybersecurity, including:

• The need for more collaboration in order to mitigate threats.
• Education and awareness; and
• The balance between privacy and security.

Our aim is that this document provides an informative primer on the relevant issues facing Australia in relation to cybersecurity, to generate discussion and debate, and to raise awareness with regards to a fundamental building block of the technologically-dependent society which we have already become.

As you will read in the following pages, cybersecurity is not optional. It must form part of the design of every product, of every database, of every electronic communication. And – through education, awareness, and proactive change – we can all play a part in securing our future.

A brave new world

You’re reading this document written with, laid out by, and printed using computers. From start to finish it existed as 0s and 1s – the binary blood of our modern world.

In fact, our lives today are codified by data: almost everything we do, and everything we depend on, involves data and the technology that uses it – there are scant few areas not touched by this revolution we call the information age.

And so it follows that in order to keep our way of life – and to continue to prosper through technology – we must ensure that it always operates and works for us as intended.

And for the most part it does, until it’s hacked. In the hands of less than favourable individuals, organisations, and governments, technology and the data it depends on can be turned against us.

When you read yet another report of a multimillion-dollar bank theft, yet another million usernames and passwords leaked on the web, or yet another scam milking millions from vulnerable people – what you are reading about is the lack of cybersecurity: a failure to protect systems, processes, or data and thereby enabling exploitation.

Sometimes the end result is just an embarrassment for a company or individual; at other times it can cause significant financial or operational harm. At its worst, loss of life can be a result.

Cybersecurity, then, is not optional. As our world transitions more products and services online, and we in turn depend on them, protecting this technological infrastructure has become a fundamental building block for information systems globally. It must underpin every technology, every gadget, every application, and anywhere data is stored.

To help understand the risks, this document will explore the threats Australia faces in this digital age: to our economy, our sovereignty, and ultimately, our way of life.

It will also cover the opportunities as a burgeoning industry – one that is projected to be worth $US639 billion[1] globally in the next seven years alone – and the possibility for Australia to establish itself as a leader, pioneering new technologies and exporting cybersecurity products to the rest of the world.

We are more than just the lucky country. We are early adopters. We are tenacious innovators. We are a nation with the skills and talent to lead the world in cybersecurity – and with the right mix of leadership and commitment from government, industry, and academia, we can make it happen.

What part will you play?

CYBER SPEAK!

Every industry has its own lexicon, and the cyber world is no different. While built on technological foundations that we all know – computers, the internet, smartphones, and similar – as you delve deeper into the subject you start to encounter acronyms and technical concepts that you may not be familiar with.

And, if we’re all to communicate on the subject of cybersecurity – across all sectors of government, business, industry, and academia – then it can help to familiarise yourself with the nomenclature associated with this diverse and compelling subject.

To this end we’ve included a Glossary on page 57. Feel free to flick back and forth as you read to ensure you get the most out of this document, spending more time expanding your knowledge and less time scratching your head!

What is cybersecurity?

46% of the world’s population is connected to the internet.

As with any technological advance throughout history, whenever new opportunities are created, there will always be those that exploit them for their own gain.

Despite the threat of viruses and malware almost since the dawn of computing, awareness of the security and sanctity of data with computer systems didn’t gain traction until the explosive growth of the internet, whereby the exposure of so many machines on the web provided a veritable playground for hackers to test their skills – bringing down websites, stealing data, or committing fraud. It’s something we now call cybercrime.

Since then, and with internet penetration globally at an estimated 3.4 billion users (approximately 46% of the world’s population[2]), the opportunities for cybercrime have ballooned exponentially.

Combating this is a multi-disciplinary affair that spans hardware and software through to policy and people – all of it aimed at both preventing cybercrime occurring in the first place, or minimising its impact when it does. This is the practice of cybersecurity.

There is no silver bullet, however; cybersecurity is a constantly evolving, constantly active process just like the threats it aims to prevent.

What happens when security fails? While what frequently makes the news are breaches of user accounts and the publication of names and passwords – the type that the Ashley Madison hack publicly exemplified – it’s often financial gain, or the theft of critical business or government intelligence, that drives the cyber underworld.

One fact remains clear: it’s only going to increase. As we integrate technology further into our lives, the opportunities for abuse grow. So too, then, must the defences we employ to stop them through the education and practice of cybersecurity.

“The increasing prevalence and severity of malicious cyber-enabled activities… constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the United States. I hereby declare a national emergency to deal with this threat.”
Barack Obama, President of the United States, 2015[3]

THREAT VECTORS BY INDUSTRY
The vectors by which industries are compromised.
Source: Verizon 2015 Data Breach Investigations Report
Figure (not reproduced). Vectors shown: point of sale 28.5%, crimeware 18.8%, cyber espionage 18%, miscellaneous 14.7%, privilege misuse 10.6%, web applications 9.4%. Industry labels shown: public sector, educational, finance, information, retail, entertainment, hospitality, mining, healthcare, administrative, professional, manufacturing.

LAST
            TO KNOW
            MORE THAN
            90%
            OF BREACHES
            ARE DISCOVERED
            BY EXTERNAL
            PARTIES

            WHAT’S THE
            PASSWORD?

            63%
            OF BREACHES ARE
            CAUSED BY WEAK,
            DEFAULT, OR STOLEN
            PASSWORDS

EASY HACKS, EASY BREACHES                       TOP 10 ESPIONAGE TARGETED INDUSTRIES
Source: Verizon 2016 Data Breach                The most targeted industries in 2015.
Investigations Report                           Source: Verizon 2015 Data Breach Investigations Report

                           MANUFACTURING                                                                                 27.4%
                                     PUBLIC                                                                   20.2%
                             PROFESSIONAL                                                            13.3%
                              INFORMATION                                   6.2%
                                    UTILITIES                     3.9%
                          TRANSPORTATION                1.8%
                              EDUCATIONAL               1.7%
                                 REAL ESTATE          1.3%
                        FINANCIAL SERVICES          0.8%
                              HEALTHCARE           0.7%

AND THE WEAKEST LINK IS…

Humans are inherently complex and multi-faceted creatures with our own agendas, influences, faults, beliefs, and priorities.

Sometimes we’re also simply just too trusting.

Even the most hardened system can be breached through social engineering – the ‘hacking’ of people. No amount of secure network topologies and firewalls or security software can withstand a user innocently clicking on an email link, or being convinced to give up login details over the phone by someone pretending to be from the IT department.

In fact a recent study by researchers at the Friedrich-Alexander University of Erlangen-Nuremberg, Germany, revealed that just over 50% of people click on links in emails from strangers, even when they were aware of the risks [4].

And so, as a result, cybersecurity isn’t just about technological defences: it’s also about people. From the home user through to industry and government, everyone needs a basic understanding of cyberthreats and how to recognise them – something which comes under the umbrella of digital literacy.
A world without cybersecurity

One of the most damaging targets for a society embroiled in cyberwarfare is infrastructure.

Our reliance on automation concentrates risk in single points of failure, and an attack directed at power stations, communication networks, transport and other utilities can have dramatic consequences.

By way of example, and to draw from the emerging technology of driverless cars gaining popularity now, the following is what might happen if we continue to create products and services without cybersecurity in mind:

Thirty years from now our society runs on automated cars, buses and trains. Planes still require human authority – for now – and drones line the sky. On the one hand, this advance in technology has brought much greater efficiency: traffic jams eliminated, pollution lowered, cheaper cost of transport and more. It’s a golden age.

Then a cyberattack compromises the central network. The systems that co-ordinate all transport shut down, bringing the city of Sydney – now 7 million people – to an abrupt halt. No cars, no buses, no trains. Workers can’t get to and from work, and productivity stops. Life-saving medicine doesn’t arrive and people die. Essential services begin to fail, and chaos ensues. The economic and social fallout is immense: a city held hostage by an external force – be it terrorist, criminal, or foreign power. Australia invaded without the invader ever stepping on our shores.

It’s a stark example, but it demonstrates the Achilles heel of the inter-connected society that we are heading for right now, and the reason cybersecurity must be part of all technology from the outset.

Consider this: the internet has enabled entirely new business models that have already shaped our planet. But the Googles and Facebooks and Amazons of this world are not the most profitable organisations that conduct business over the internet today – that crown belongs to cybercrime. It speaks volumes that the most lucrative business on the internet today is fraud [9].

SIMPLE MISTAKES, COSTLY LOSSES
Source: Verizon 2016 Data Breach Investigations Report

93% OF CASES: HACKERS TOOK JUST MINUTES TO BREACH, WHILE COMPANIES TOOK WEEKS OR MONTHS TO DISCOVER
SHOW ME THE MONEY: 95% OF WEB ATTACKS ARE FINANCIALLY MOTIVATED
EMPLOYEE MISTAKES: LOST ASSETS 100x TIMES MORE PREVALENT THAN THEFT
NEARLY 30% OPEN PHISHING EMAILS; 12% DO CLICK THE LINK OR OPEN ATTACHED FILES
Q2 2015 saw one of the highest packet rate attacks recorded... which peaked at 214 million packets per second (Mpps). That volume is capable of taking out Tier 1 routers, such as those used by Internet service providers (ISPs).

Akamai, State of the Internet Q2 2015 Report [10]

TOP 10 SOURCE COUNTRIES FOR DDOS ATTACKS, Q2 2015
Top sources of mitigated DDoS attacks on Akamai’s network.
Source: Akamai State of the Internet Report, Q2 2015

CHINA                 37.01%
US                    17.88%
UK                    10.21%
INDIA                  7.43%
SPAIN                  6.03%
KOREA                  4.53%
RUSSIAN FEDERATION     4.45%
GERMANY                4.29%
AUSTRALIA              4.18%
TAIWAN                 4.0%

Threats in the information age

Every minute, we are seeing about half a million attack attempts that are happening in cyberspace.

Derek Manky, Fortinet Global Security Strategist [5]

500,000 ATTACKS AGAINST FORTINET EVERY MINUTE

To understand just how technology becomes vulnerable to cybercrime, it helps to first understand the nature of threats and how they exploit technological systems.

You might first ask why technology is vulnerable at all, and the answer is simple: trust. From its inception, the protocols that drive the Internet, by and large, were not designed for a future that involved exploitation – there was little expectation at its birth that we might need to one day mitigate against attacks such as a distributed denial of service (DDoS), or that a webcam you buy off the shelf might need security protocols to prevent it being hacked and used to spy on you.

There is much greater awareness today, but even so you can still buy devices that connect to the internet that have poor security measures or no security at all built-in, because up until recently this simply wasn’t part of the design scope. In many cases, the idea that a device might be used for nefarious purposes isn’t even considered.

And the result is that today cybercrime almost exclusively leverages the lack of security-focused design in everything from your smartphone and web browser through to your credit card and even the electronic systems in your car.

The nature of threats

Cybercrime comes in a variety of forms ranging from denial of service attacks on websites through to theft, blackmail, extortion, manipulation, and destruction. The tools are many and varied, and can include malware, ransomware, spyware, social engineering, and even alterations to physical devices (for example, ATM skimmers).

It’s no surprise then that the sheer scope of possible attacks is vast, a problem compounded by what’s known as the attack surface: the size of the vulnerability presented by hardware and software. That is, if a hacking exploit works on Apple iPhones for example, and everyone in your organisation has one, then by definition the attack surface could range in the dozens to the thousands depending on the size of your company. Or, looking at it another way, if anyone with an iPhone is vulnerable, the attack surface worldwide totals in the hundreds of millions.

This is further compounded by the fact that hardware and software may provide multiple vectors for attacks, such that – and using the above example again – an iPhone might have multiple different vulnerabilities, each of them a possibility for exploitation. In some cases, multiple exploits can be used in tandem to hack a device, as the FBI recently demonstrated when it gained access to the San Bernardino shooter’s iPhone (yes, the good guys can hack you, too…)

And this is to say nothing of embedded systems, the type that power our infrastructure including transport, electricity, and communications. Here, attacks are often more targeted – even down to specific systems in a particular plant – but the repercussions are also considerably more dangerous. Shutting down an electrical grid, for example, can have life-threatening consequences.

What you also don’t see – because it’s hidden in the millions of fibre-optic networks and routers that form the internet – is that attacks are happening constantly all around the world, even as you read this. Your modem at home that gives you access to the internet is constantly fending off queries to see if your IP address has any open ports (the virtual addresses that allow software to communicate to and from your computers and network).

According to network security and services company Fortinet, 500,000 attacks occur against its networks every minute [5]. And that’s just one service provider.

The bottom line is this: almost anything controllable by technology will have a weak spot. In the past year we’ve seen everything from cars (“Hackers remotely kill jeep on highway” [6]) to medical devices (“Hackers can send fatal dose to drug pumps” [7]) to toys (“Hackers hijack Hello Barbie Wi-Fi to spy on children” [8]) succumb to anyone with a little knowledge, time, and opportunity.

To appreciate the scope of the challenge that lies ahead – the new types of threats that we are starting to see emerge now – and thus the importance of cybersecurity for the government, industry, and the individual, the following section delves into our predictions of where cybercrime is heading, and the type of attacks we can expect to see.

There were 19 distributed denial-of-service (DDoS) attacks that exceeded 100 Gbps during the first three months of the year, almost four times more than in the previous quarter. In some cases attackers don’t even have to deliver on their threats. Researchers from CloudFlare reported that an extortion group earned $100,000 without ever launching a single DDoS attack.

Lucien Constantin, Network World, 2016 [28]
The Internet of Things (IoT)

Perhaps the most recognised buzzword of the moment, the Internet of Things (IoT) encompasses the many and varied devices currently on the market, or soon to be on the market, that will connect to and stay connected to the internet 24/7.

Typically this includes products like webcams, smart TVs, and even the much touted internet-connected fridges. But IoT actually encompasses a broad range of products most of which you won’t actually see – electronics, sensors, actuators and software soon to be built into everything from your car to your home: technology to unlock your door and turn on the lights when you arrive home; technology to allow cars to talk to other cars and traffic lights to prevent accidents; technology to let entire cities regulate air-quality, manage energy distribution, and regulate water supply all in real-time from thousands of buildings, each with thousands of sensors, all communicating through a city-wide network.

Sound like fantasy? There is already a development in the UK by River Clyde Homes and the Hypercat Consortium to build a Smart Neighbourhood in Scotland by installing hundreds of IoT devices to monitor everything from temperature and local weather through to carbon monoxide levels, potential gas leaks, lift maintenance, smoke detection and communal lighting to name a few. All of these talk to each other to provide an overall real-time knowledge base for the operating of neighbourhood services, and to minimise health and safety risks.

But this is just the beginning. IoT has the potential to encompass a lot more – heart monitoring implants, pathogen monitoring for food, transponders for animals on farms, environmental waste monitoring, field devices for police to detect threats, feedback sensors for firefighters in search and rescue and much, much more.

Perhaps the best way to imagine IoT – to borrow a phrase from a research paper at the Social Science Research Network – is to think of IoT as an “inextricable mixture of hardware, software, data and service” [11]. Which of course is to say that the potential is close to limitless.

According to the CEO of Cisco, Chuck Robbins, the IoT industry is expected to be worth $US19 trillion globally by 2020 [12]. Closer to home, Frost & Sullivan is tipping the Australian market for IoT – just in terms of home devices, such as in security or energy management – to be worth $200M by 2020 [13].

Taken together, this means that in the near future just about everything you use, and everywhere you go, devices will be hooked up to each other communicating, sharing data, and enabling a future that once was the realm of science-fiction. The potential boon for society is immense, but so too are the risks.

For $6 in Bitcoin, I can rent time on a DDoS tool and bring down most websites. Better yet, if I send just the right type of packet to their web servers, I can crash the site for free.

A Thief’s Perspective (interview), Intel Security, 2015 [18]

IOT – A FUTURE OF CONNECTED DEVICES
As barriers to entry drop we will see an uptake of IoT, creating a future where attack vectors are everywhere.
Source: IoT Alliance Australia

99%: OF THINGS IN THE WORLD ARE STILL NOT CONNECTED
20x: COST OF SENSORS PAST 10 YEARS
40x: COST OF BANDWIDTH PAST 10 YEARS
60x: COST OF PROCESSING PAST 10 YEARS
1T: 1 TRILLION CONNECTED THINGS BY 2035

Considerably more devices will be connected to each other and the internet: Intel predicts there will be as many as 200 billion devices by 2020 [14].

And if you remember our primer at the start of this document, that is one very large, very vulnerable attack surface. It should go without saying that the threat potential from IoT is beyond vast, and therefore cybersecurity practices must form part of IoT development from the ground up. For example, car manufacturers need to build security protocols into the sensors in smart cars to ensure they can’t be turned against the driver to cause injury or death. Something which, unfortunately, is currently not the case (see next section, Autonomous systems).

Although a successful attack on industrial IoT devices with an installed base of hundreds of millions would likely cause havoc, one device at a key point in a critical infrastructure control system could be far more devastating.

McAfee Labs 2016 Threats Predictions [15]

Botnet armies

Somewhat related are botnets. A bot (sometimes called a ‘zombie’) is a remotely-controlled and compromised – unbeknownst to the owner – computing device that’s connected to the internet. This could be a desktop computer or a laptop, but it can also be a webcam, a modem, or a Wi-Fi router, all of which almost everyone has in their home today. Unfortunately, again, poor security design sees devices like these come with only basic security that can be easily bypassed, allowing cybercriminals to install malware and control the device remotely.

Collect enough bots and you have a botnet, and with a botnet you can launch a distributed denial-of-service (DDoS) attack. In large enough numbers, such an attack can take down websites and knock services offline – something we saw first-hand earlier this year when the Australian Bureau of Statistics eCensus website was very publicly attacked.

This is to say nothing of what happens when IoT devices take part in a DDoS, which we know they already do. In fact, the world’s largest DDoS occurred in August of this year knocking out French internet service provider OVH, suffering an attack that transmitted a record-breaking 1Tbps [17]. To put this into perspective, a 1Gbps attack is sufficient to knock most businesses anywhere in the world offline, and this attack was 1000 times stronger. It was only earlier in 2016 that the previous record came in at 579GBps. That is, we have already seen almost a doubling of capability in less than a year, and at a volume so high that very few very large players – the Googles and Akamais of this world – are able to withstand.

Analysis of the attack on OVH revealed it consisted of some 145,000 devices, the majority of which were internet-connected CCTV cameras and DVRs (digital video recorders) typically used in business and home surveillance.

Such products make ideal bots because their limited functionality provides less scope for security software; they’re often headless, meaning a user doesn’t have a display or other means to interact with them to monitor activity. They almost always come with a default administrator password that nobody changes because it requires effort and a bit of technical know-how – allowing cybercriminals to walk through the front door and take it over.

This is a great example of how lack of security design enables cybercrime – who would think to hack a CCTV? But that’s the line of thinking that engenders security flaws. And once a flaw is out there, it often can’t be fixed: the cost of updating the devices could be ruinous for a company if they need to be recalled, as not every device supports the ability to be updated remotely.

Prevention, then, is better than cure.

Recently, cybercriminal botnet operators have moved to self-sustaining botnets that continually find new devices to infect and add to the flock, even while others may be taken offline [16]. This has led cybercriminals to sub-lease access to their botnets on the cheap, meaning anyone with a grudge and $50 can bring down a website.
MORE DEVICES, MORE THREATS
The growth in user-centric mobile and IoT devices will see greater exploitation of personal data.

Tablets: 2015 – 248 million; 2019 – 269 million
Wearable devices: 2015 – 200 million; 2019 – 780 million
IoT devices: 2015 – 15 billion; 2020 – 200 billion
Global public cloud market size: 2015 – $97 billion; 2020 – $159 billion

Source: McAfee 2016 Threats Predictions

WHEN SECURITY IS AN AFTERTHOUGHT

One of the most potent botnets to date is Lizardstresser, by the infamous Lizard Squad DDoS group. In 2015 the group released the source code, allowing others to make their own. This has resulted in copy-cat groups and a stark increase in botnets-for-hire.

Lizardstresser relies on cheap IoT hardware to build large botnet armies, using shell scripts (simple text-based scripted programs) to scan IP ranges and to attempt access using hardcoded usernames and passwords (usually all related to administrator logins).

It’s so successful because many IoT devices are manufactured with the same default login credentials. Additionally, these same devices are also often simply plugged in and turned on, and have unfettered access to the internet through whatever corporate or home networks they are connected to. This makes them easy targets to enslave into botnets. [19]
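
The scanning pattern described in this box leaves a recognisable trace on the defender's side: one source trying administrator logins against many devices in a short time. The following detection sketch is an added example, not part of the original report; the log format, device names, thresholds and the `ADMIN_USERS` set are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: login events collected from IoT devices, in a made-up
# one-line format. Addresses come from the reserved documentation ranges.
SAMPLE_LOG = """\
2016-11-02T03:14:01Z cam-01 telnetd: login failed user=root src=203.0.113.45
2016-11-02T03:14:03Z cam-02 telnetd: login failed user=admin src=203.0.113.45
2016-11-02T03:14:04Z dvr-01 telnetd: login failed user=root src=203.0.113.45
2016-11-02T03:14:06Z cam-03 telnetd: login ok user=admin src=203.0.113.45
2016-11-02T03:20:10Z cam-01 sshd: login failed user=alice src=198.51.100.7
2016-11-02T03:20:40Z cam-01 sshd: login ok user=alice src=198.51.100.7
2016-11-02T09:00:00Z dvr-01 telnetd: login failed user=root src=192.0.2.10
2016-11-02T15:00:00Z cam-02 telnetd: login failed user=root src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<service>\w+): "
    r"login (?P<outcome>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumption: account names treated as "administrator logins" on these devices.
ADMIN_USERS = frozenset({"root", "admin", "administrator"})


def parse_events(log_text):
    """Parse log lines into dicts sorted by time; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_credential_sweeps(events, window=timedelta(minutes=10), min_devices=3):
    """Flag sources that try admin logins on >= min_devices devices within window.

    Returns {src: {"devices": set, "accepted": set}}. "accepted" lists devices
    that let the flagged source in with an admin account, i.e. devices whose
    credentials must be changed and which should be taken off the open internet.
    """
    by_src = defaultdict(list)
    for event in events:
        if event["user"].lower() in ADMIN_USERS:
            by_src[event["src"]].append(event)

    findings = {}
    for src, attempts in by_src.items():
        start = 0
        swept = set()
        for end, current in enumerate(attempts):
            # Slide the window start forward until it spans at most `window`.
            while current["ts"] - attempts[start]["ts"] > window:
                start += 1
            devices = {e["device"] for e in attempts[start:end + 1]}
            if len(devices) >= min_devices:
                swept |= devices
        if swept:
            accepted = {e["device"] for e in attempts if e["outcome"] == "ok"}
            findings[src] = {"devices": swept, "accepted": accepted}
    return findings


def report(findings):
    """Render findings as human-readable lines for an analyst."""
    lines = []
    for src in sorted(findings):
        info = findings[src]
        lines.append(f"{src}: admin login sweep across {sorted(info['devices'])}")
        for device in sorted(info["accepted"]):
            lines.append(f"  {device}: admin login ACCEPTED, rotate credentials")
    return lines


if __name__ == "__main__":
    for line in report(find_credential_sweeps(parse_events(SAMPLE_LOG))):
        print(line)
```

A single failed login is noise; the signal is breadth (many devices) combined with administrator account names, and any accepted login from a flagged source points to a device still running credentials the scanner already knew.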

Attacks on automobile systems will increase rapidly in 2016 due to the rapid increase in connected automobile hardware built without foundational security principles.

McAfee Labs 2016 Threats Predictions [15]

Autonomous systems

As technology continues to permeate our lives, we move from operating technology to integrating with it. This is especially true of autonomous systems that are by definition designed to blend in with our society, becoming second nature.

By the same token however, reliance on such systems makes the outcome of their abuse potentially more damaging. Typically, these technologies also integrate into critical infrastructure, such as payment systems and – in the case of autonomous cars – the transport network, making protecting them from cybercrime a pivotal focus for cybersecurity.

Driverless cars and transport

At the moment, driverless cars are stealing the limelight of autonomous systems. While so far there have been no documented cases of wilful misuse, it’s already been demonstrated that autonomous cars can be remotely controlled.

In 2015, 1.4 million Jeep Cherokees were recalled after hackers demonstrated that the cars could be taken over remotely through the entertainment system. [6]

Similar abuse of access has also been demonstrated with cars from Mercedes, BMW, Toyota, Audi and Fiat – all due to poor security in the design process. [20] [21] [22]

It’s not hard to see that in the wrong hands such abuse could result in cars being used as weapons to maim or kill pedestrians – or even the occupants themselves – on the road. According to Business Insider in its Connected-Car Report, there will be 220 million autonomous cars on the road by 2020. [23]

McAfee’s 2016 Threats Predictions Report notes that “poorly secured driverless cars and smart highways will further expose drivers and passengers in 2017 and beyond, likely resulting in lost lives…”, and that “recent vehicle hacks are a great example… selectively modifying communications and commands so they can take control or affect what the vehicle does. This has a potentially terrifying result.” [15]

[Figure] THE ATTACK SURFACE OF A MODERN CAR
Many car systems have not been designed with security in mind, making it possible to hack into a car via smartphone or laptop.
Components shown: DRX-based receiver (VX2), airbag ECU, USB, remote link type app, onboard devices, Bluetooth, remote key, steering and braking ECU, TPMS, passive keyless entry, lighting system ECU (interior and exterior), vehicle access system ECU, engine and transmission ECU, ADAS system ECU.
Source: McAfee 2016 Threats Predictions

[Figure] BIRTH AND REBIRTH OF A DATA BREACH
An example of how one breach can lead to another (in this case, harvesting payment data of consumers after first breaching a POS vendor).
Labels shown: email link, phishing, person, user desktop, email attachment, malware installation, alter behaviour, steal credentials, use of stolen credentials, direct install malware, backdoor, C2, RAM scraper, export data, payment, POS terminal/controller.
Source: Verizon 2016 Data Breach Investigations Report

They’d been inside our network for a long period, about two years. And the way it was described to us was they’re so deep inside our network it’s like we had someone sitting over our shoulder for anything we did.

Daryl Peter, IT Manager, NewSat 2012-2014 [85]

ATMs and Point of Sale

Credit cards have long been the target of fraudsters, spurring the development of RFID chips and other protective technology in the banking ecosystem. However, security is an arms race, and threats such as skimming are now a global phenomenon that allows data from cards to be read and transmitted wirelessly in real time from ATM machines and point of sale devices.

Indeed, point of sale systems as a whole are their own sub-category of cybercrime infiltration, being the weakest point of the payment processing system, and so it’s not uncommon to find malware specifically designed to pull data from embedded systems in POS terminals (see the ‘Birth and re-birth of a data breach’ diagram, above).

Now, of course, the technology has progressed further with contactless pay systems from the likes of Apple (Apple Pay) and Google (Android Pay), as well as players like Samsung (Samsung Pay, of course) that allow consumers to pay simply by waving their smartphone over a device – which presents yet another attack surface for cybercrime.

WHAT ABOUT WEARABLES?

Wearables are rapidly gaining popularity with smartwatches such as the Apple Watch and Samsung Gear, as well as exercise wearables like those from FitBit and Jawbone. According to ABI Research, an estimated 780 million wearable devices will be in circulation by 2019.

Now you might be wondering just what would be so bad about hacking a fitness wearable? This is exactly the line of thinking that allows cybercrime to occur.

Wearables are tracking all sorts of personal information including GPS location, blood pressure, heart rate, and anything else you feed them such as weight or diet. Such personally identifiable information could be used as a base to target you for spear-phishing, or aid in identity theft. But the real opportunity is these devices linking to your smartphone, where phone numbers, more personally identifiable information, emails, web logins etc. could theoretically be compromised.

Cyberwarfare

Most modern countries now are treating cyberspace as another military domain, in addition to land, air and sea.

Dmitri Alperovitch, Cybersecurity industry executive [25]

Once the domain of science fiction, cyberwarfare is now very real, with most superpowers now having dedicated cyberwarfare divisions of the military. And while there have been few known, co-ordinated cyberattacks on physical targets, we don’t need a crystal ball to predict the future: they will only increase.

It’s telling that we are now in an age where governments, political groups, criminals and corporations can engage in cyberespionage, cyberwarfare, and cyberterrorism. The Prime Minister, Malcolm Turnbull, announced at the Australia-US Cyber Security Dialogue in September that Australia is well equipped to both defend against and carry out cyber-operations.

We now live in a world where warfare can be conducted entirely virtually – though the consequences will almost always have repercussions in the physical world.

Automated attacks

Much of what we talk about with regards to ‘hacking’ is a function of people at keyboards finding and abusing weak links in security. It is a skilled and time-consuming process.

However, in the ever-evolving arms race between subversive elements and cybersecurity, a move to automating such attacks would have clear benefits: whereas exfiltration may have taken days by skilled personnel, automated attacks can reduce this to hours – infiltrating, searching for a payload, gobbling it up, encrypting it, and sending it out over the network before the host machine’s security personnel even know what’s happened.

The defence to which, of course, is to automate security to combat automated attacks – computer software fighting computer software, all without human intervention. And while this sounds like a sci-fi movie, the reality is it’s already here – in August this year the world’s first automated cyber-hacking contest was held at DARPA (Defence Advanced Research Projects Agency), which saw supercomputers battle it out for a $2 million prize, the win going to a perhaps appropriately named machine called ‘Mayhem’. [45]

ENERGETIC BEAR

One of the more well-known nation-state sponsored tools of cyberwarfare currently active is Energetic Bear. First uncovered in 2012, and believed to be sponsored by Russia, Energetic Bear used the Havex Trojan to gain access to company networks, particularly those in the energy sector, though it has also been found in manufacturing, construction, health care and defence companies.

Primarily designed for cyberespionage, when the threat was first mapped in 2014 by security firm Kaspersky Labs, it identified nearly 2,800 victims worldwide, affecting countries including the US, Spain, Japan and Germany. [44]

Almost half the security professionals surveyed think it is likely or extremely likely that a successful cyberattack will take down critical infrastructure and cause loss of human life within the next three years.

Critical Infrastructure Readiness Report, Aspen Institute and Intel Security, 2015 [25]

230,000 PEOPLE LOST POWER WHEN 30 SUB-STATIONS IN WESTERN UKRAINE WERE SHUT DOWN VIA A REMOTE ATTACK

Cyberattacks on infrastructure

As societies around the world depend ever more heavily on technology, the ability to shut down or destroy infrastructure, take control of machines and vehicles, and directly cause the loss of life has become a reality. To date, some of the more well-known examples of cyberattacks on infrastructure include:

• In 2008 when Russia sent tanks into Georgia, the attack coincided with a cyberattack on Georgian government computing infrastructure. This is thought to be one of the first land and cyber coordinated attacks. [39]
• Also in 2008, Stuxnet – a computer worm purportedly jointly designed by the US and Israel – crippled Iran’s nuclear-enrichment program by sabotaging centrifuges. [40]
• In 2014 a German steelworks was disabled and a furnace severely damaged when hackers infiltrated its networks and prevented the furnace from shutting down. [41]
• In 2015, with an attack strongly suspected to have originated from Russia, 230,000 people lost power when 30 sub-stations in Western Ukraine were shut down via a remote attack. Operators at the Prykarpattyaoblenergo control centre were even locked out of their systems during the attack and could only watch it unfold. [42]

In all of these, and as an indication of how the landscape of war is changing, the weapon of choice for these attacks wasn’t guns or bombs – it was a keyboard.

French Coldwell, Chief Evangelist at governance, risk, and compliance apps company Metricstream, at a cybersecurity summit earlier this year noted that “this is the canary in the coalmine. Much more of this will come.” [43]

We can expect governments around the world to strengthen their cyberattack and defence capabilities, spurring an arms race that will operate at a much faster pace than we saw in the Cold War. But here the results could be much more subtle – as noted in the McAfee 2016 Threats Predictions report, “they will improve their intelligence-gathering capabilities, they will grow their ability to surreptitiously manipulate markets, and they will continue to expand the definition of and rules of engagement for cyberwarfare.” [15]

America’s top spies say the attacks that worry them don’t involve the theft of data, but the direct manipulation of it, changing perceptions of what is real and what is not.

Patrick Tucker, Defense One [27]

WHEN SOFTWARE KILLS

It’s easy to forget that computers can have life-threatening consequences. Here are some well-known examples of what happens when technology fails due to small mistakes in computer code.

Therac 25
This is so well known that it’s now taught in computer science curriculums. Therac 25 was a Canadian medical machine designed to help save lives by administering targeted doses of radiation to kill cancer. Instead, a rare software glitch saw patients receiving 100 times the necessary dose. In a period from 1985-1987 five patients died, while many others were seriously injured. [29]

Patriot missile
During the Gulf War in 1991 a Patriot missile failed to intercept a Scud missile due to a software fault, resulting in the death of 28 US soldiers and injuring 100 others. [30]

Toyota’s ETCS
Toyota recalled 8 million vehicles worldwide starting in 2009 after faults with the Electronic Throttle Control System resulted in the death of 89 people. [31]

Tesla’s autopilot
In July 2016 a man died while relying on the autopilot function of his Tesla Model S when it failed to detect a trailer, crashing into it. [32]

These are examples of unintended software faults, but subtle manipulation of data could intentionally result in loss of life, and remain undetected until this occurs. Military officials in the US have even raised concerns that Chinese hackers known to have infiltrated defence contractors over the last decade could have already altered code for weapon systems, sitting dormant until the next major conflict. [33]

Data manipulation

The biggest threats in cybersecurity today are around the large scale proliferation of targeted attacks – from breach and email distribution of socially engineered ransomware to potentially harmful attacks on critical infrastructure like energy networks.

Rodney Gedda, Senior Analyst, Telsyte [53]

Not all attacks are about theft or destruction. A more sinister cause is the manipulation of data in place – such that machines can be controlled – or the wrong information reported to human operators without their knowledge.

It’s clear if a cybercriminal releases stolen usernames and passwords on the web. It’s much less clear if data belonging to a business has been modified – with those who own the data none the wiser. As no destruction is caused, such intrusions can be harder to detect, if they’re detected at all. Yet even the smallest alterations can have serious consequences and implications.

James Clapper, Director of US National Intelligence, said it succinctly when he stated, “Decision making by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.” [27]

Backdoors and espionage

Backdoors are particularly concerning because they can be both hard to discover and provide unfettered access to a system or entire network.

A compromised system can provide cybercriminals or a nation-state the ability to spy on data, or alter the data in place. And for as long as a system is compromised, abuse of privilege will be ongoing.

By way of example, in 2015 Juniper Networks announced it had discovered multiple backdoors in its firewall operating system code installed with its products – the same products used to protect corporate and government systems around the world. These backdoors had been active for at least three years.

One of the backdoors gave remote control of the firewall to an outside user, while another disturbingly allowed for the decryption of traffic running through a Juniper Networks firewall, allowing traffic to be eavesdropped. The sophistication and nature of this breach point to a nation-state as the culprit. [34]

Cloud concerns

As with any successful technology, the more popular it becomes the larger a target it also becomes. Cloud is now well entrenched as a concept and a service offering, and indeed many businesses now rely on cloud services to operate.

On the one hand this can make security easier for companies outsourcing their data to lie on a cloud service where the cost of security is carried by the vendor, but on the other it centralises cloud services as highly viable targets for attack.

BLAST FROM THE PAST

Perhaps one of the more prominent examples of cyberwarfare – even before the internet became ubiquitous – comes from the cold war in 1982 when a Siberian oil pipeline exploded, creating at the time one of the largest non-nuclear explosions in history, so large it was visible from space. Later the cause was revealed to be a Trojan horse implanted by the US in pipeline equipment sold from a Canadian company on to Russia. End result: economic sabotage facilitated by computer software.

[Figure] SMART CITIES – BRITAIN’S NEIGHBOURHOOD@BROOMHILL PROJECT
A small sample of the types of IoT sensors in a smart city apartment block.
Sensors shown: local weather, gas detection, temperature, carbon monoxide levels, cistern and tank overflow, PIR sensors, humidity level, communal windows, smoke detection, communal lighting, lifts, movement and noise related to ASB, communal doors.
Source: IoT Alliance Australia

90% OF AUSTRALIANS WILL BE ONLINE BY 2017
2 IN 3 AUSTRALIANS HAVE SOCIAL MEDIA ACCOUNTS
MOST AUSTRALIANS SPEND ALMOST 1 DAY ONLINE PER WEEK
1 IN 2 AUSTRALIAN SMALL AND MEDIUM BUSINESSES RECEIVE PAYMENTS ONLINE
84% OF AUSTRALIAN SMALL AND MEDIUM BUSINESSES ARE ONLINE
THE MARKET FOR CONNECTED HOME DEVICES IS EXPECTED TO GROW 11-FOLD TO 2019
BY 2019, THE AVERAGE AUSTRALIAN HOUSEHOLD WILL HAVE 24 DEVICES CONNECTED ONLINE

AUSTRALIANS ARE BECOMING INCREASINGLY CONNECTED ONLINE
As Australia becomes ever more connected, cybersecurity becomes ever more important.
Source: Commonwealth of Australia, Department of the Prime Minister and Cabinet, Australia’s Cyber Security Strategy.

“Nation-state cyberwarfare will become an equaliser, shifting the balance of power in many international relationships just as nuclear weapons did starting in the 1950s.”
McAfee Labs 2016 Threats Predictions[15]

But there’s also a less obvious concern here: sovereignty.

Security of cloud data is not just about encryption, but also the sovereignty of access when data is physically located in an overseas jurisdiction. The internet may have no borders, but data itself still lies within traditional real-world boundaries and in turn may be bound by the laws of a foreign nation.[35]

Further, even if we trust in the laws of a foreign nation there’s no guarantee they won’t change, and data that was previously protected could be subpoenaed, accessed by government departments, or shared with third parties without consent.

A good example of how the landscape can change is the news earlier this year that in Russia, ISPs are now required to store both the metadata and content of communications, and hand over encryption keys for any encrypted data.[36] Any cloud data passing through an ISP can become readable by Russia’s government and intelligence services. This had the immediate fallout of some popular VPNs closing their Russian nodes, and in at least one known case[37] servers were seized from the VPN provider under this law.

With cloud expected to grow by around 18% through 2016[38], concerns around the sanctity and sovereignty of cloud data are only going to increase.

MORE USERS
2015 – 3.0 BILLION
2019 – 4.0 BILLION

MORE SMARTPHONE CONNECTIONS
2015 – 3.3 BILLION
2020 – 5.9 BILLION

MORE DATA
2015 – 8.8 ZETTABYTES
2020 – 44.0 ZETTABYTES

MORE IP-CONNECTED DEVICES
2015 – 16.3 BILLION
2019 – 24.4 BILLION

MORE NETWORK TRAFFIC
2015 – 72.4 EXABYTES PER MONTH
2019 – 168.0 EXABYTES PER MONTH

THE GROWING CYBERATTACK SURFACE
More devices, more users, more data – every year.
Source: McAfee 2016 Threats Predictions

Virtualised threats
As a result of the growth in cloud services, there has been an explosion in the use of virtual machines for business, making these prime targets for cybercrime.

Fortinet notes, “growing reliance on virtualisation and both private and hybrid clouds will make these kinds of attacks even more fruitful for cybercriminals.”[5]

And, as McAfee’s 2016 Threats Predictions report notes, “how do you accurately track and attribute an attack, with all of the obfuscation possible with clouds and virtualisation?”[15] It goes on to state, “if we keep our stuff in the cloud and access it from a phone, tablet, kiosk, automobile, or watch (all of which run different operating systems and different applications), we have substantially broadened the attack surface.”

Indeed, the use of apps that rely on the cloud will also allow mobile devices running compromised apps to serve as a way for hackers to remotely attack and breach public and private corporate networks.[5]

Finally, there’s one other consideration: cybercriminals can use cloud services themselves, providing powerful resources for processing power and storage, and the ability to appear and disappear at the click of a button.

Industry and the individual

While large security breaches make the news, the majority of cybercrime involves fraud targeting businesses and individuals. Here, a mixture of malware and social engineering can see financial fraud resulting in the loss of thousands, all the way up to millions, of dollars.

“Malware is still very popular and growing, but the past year has marked the beginnings of a significant shift toward new threats that are more difficult to detect, including file-less attacks, exploits of remote shell and remote control protocols, encrypted infiltrations, and credential theft.”
McAfee Labs 2016 Threats Predictions[15]

And, it’s also some of the hardest crime to combat – largely due to the sheer scope of attack surfaces which can range from desktop computers through to laptops, tablets and smartphones.

Sometimes, the vector is simply a phone: using social engineering through an employee to gain access to a network, or con an individual out of money – as in the classic technical support scam, of which the Government has a great summary at www.scamwatch.gov.au (also a great site to learn about other online scams).

Ransomware and Cryptoware
The ease with which amateur cybercriminals can get their hands on tools to extort money is increasing. So far in 2016 we’ve seen a prevalence of cryptoware targeting both enterprise and individuals, requiring the payment of a ransom to unlock encrypted files.

The most well-known of these was Cryptolocker, said to have earned its creators $US3 million before it was shut down by a consortium involving the US, the UK, and a number of security vendors and researchers.

While in an ideal world these ransoms would never be paid – and thus not encourage extortion as a business model – with victims opting to restore data from backups instead, the reality is that this isn’t always practical. This is especially true for companies, where the downtime or lost productivity from denied access to the data can be higher than the price of the ransom.

Recently, however, the ante was upped with the appearance of ransomware that claims to have encrypted files and asks for payment for the decryption key, but in fact the files have simply been deleted unbeknownst to the owner.[46] Known as Ranscam, the one upside to this change in tactics is that if it becomes the prevalent form of ransomware, it will destroy the trust – or what little there is – between the criminal and the victim that the data will be recoverable. No honour among thieves, it seems.

Multi-vector attacks
Taking advantage of multiple concurrent attack mechanisms, a single attacker may try to penetrate an organisation on multiple levels in order to access different data, such as targeting the CFO with social engineering, with the aim to secure financial information while using spear-phishing targeted at office staff to get malware installed.