Cyber & Risk

Understanding cyber security has never been as critical as it is today.

The importance of having cyber security and risk mitigation strategies is now well-embedded in the corporate conscience, with more and more senior executives required to know their exact security posture and how to respond in the event of an incident.

In a complex world where new threat vectors appear almost daily, organisations must be ready. How well prepared are you?

IBRS can help organisations understand how resilient their systems are, develop incident response plans and get the right policies in place to ensure compliance with the most rigorous of security standards.

Conclusion: Credential theft is still one of the prime means of attacking systems. Dictionaries of passwords are readily available (many with millions of passwords). These allow attackers to perform credential stuffing attacks – often successfully.

Eliminating passwords has been difficult in the past. However, the consensus amongst vendors of both software and hardware is to bring to market methods of achieving authentication without passwords. The ubiquity of mobile devices with touch or facial authentication is one prime element.

This is a necessary evolution of authentication.

Details: Peter Sandilands; 11 January 2021

The latest

14 December 2020: FireEye announced it had been breached. An extremely comprehensive overview is available from FireEye. This blog post includes timelines, technical recommendations, and IoCs (indicators of compromise).

FireEye, a company that exists to track and thwart advanced and persistent adversaries, was itself compromised by an advanced and persistent adversary. FireEye was compromised through a product from SolarWinds.

What now?

There are four main areas worth exploring.

1) Check your SolarWinds instance(s)

The FireEye blog post includes instructions for what to look for. Good asset management will be useful in this verification process. One CISO noted they found an unmaintained SolarWinds instance in one of their OT environments.

A core lesson that many security executives drew from the MobileIron vulnerability (CVE-2020-15505) was that anything an organisation has that is internet facing needs to consistently receive critical patches quickly, even out of cycle.

This will require a process to identify critical patches, but for the process to actually be executed. Citrix, VPNs, staff home routers (see FF no.02), and now MDMs have all been leveraged this year for compromise. Everything is up for grabs, so logically, anything internet facing needs to be aggressively maintained. This relates to patching but also asset management.

Further, it's an opportunity to review privilege. Just because a product can do something, doesn't mean it should. Does SolarWinds really need to talk to the Internet? There are technical controls like host firewalls and properly profiled application allow-listing that will significantly frustrate an adversary in this scenario. It’s a great example where a zero trust architecture would make a big difference.

2) Organised crime

The ACSC has noted that once a vulnerability is disclosed, threat actors can develop an exploit within 48 hours. We've seen this timeline achieved this year, with both F5 and MobileIron vulnerabilities. Now that the advanced and persistent actor has been ejected from FireEye (and hopefully from SolarWinds) it could be a matter of time before organised crime tries to exploit unpatched SolarWinds instances.

FireEye will recover, and have an even better story to tell. At this early stage it seems that FireEye was the last target compromised by this adversary, and probably compromised for the shortest duration before the adversary was detected and ejected. It sounds like FireEye was targeted as a source for further intel on government agencies.

I've got no evidence for this, but I wouldn't be surprised if FireEye was the last, trophy, "let's see if we can do this" target.

3) Supply chain

The critical point about FireEye being breached, is it points to what industry has been saying for years - "it's not if, it's when". What matters after bang (or 'right of bang'), is how the organisation responds and FireEye is giving a master class on how to respond. But FireEye is only able to do this on the back of years of refining their art.

However, going left of bang will encourage technology and security executives to look at their supply chain. What other products have access to systems, data and privileges that would be a nightmare if you did not have sole occupancy?

What other software has pervasive access like SolarWinds? What protocols are my service providers following when they use tools like SolarWinds on my environment? We cannot boil the ocean but, as Kevin Mandia said at a CISO Lens gathering in 2016, "protect most what matters most".

4) Cyber insurance

I've not heard anyone talking about cyber insurance regarding this whole hostile campaign. It seems inevitable that public attribution will end up pointing to a particular nation. If this is the case, many insurers will likely point to exclusion clauses that indemnify the insurer from costs incurred through nation-state activity.

If you have cyber insurance, it may be worth getting a position from your insurer on whether you would have been able to make a claim against your policy if your organisation had been compromised.

Details: James Turner; 17 December 2020

The Latest

10 Nov 2020: CyberArk launches an AI-based Cloud entitlements manager. The solution combines principles of ‘least privilege’ and ‘zero trust’ to reduce risks of poorly configured access privileges for the major hyperscale Cloud platforms. CyberArk uses AI to determine the context and intent, which in turn provides risk assessment and recommendations for appropriate actions, and automation of remediation.

Why it’s Important

Poorly configured privileges to Cloud solutions - in particular storage services - is a major cause of data breach. It is a significant risk for all organisations that leverage Cloud resources. Reviewing and maintaining privileges over resources is problematic, even with high levels of automation, because automation will only impact known entities in the environment, and can only address well-defined use cases.

Who’s Impacted

CISO
Cloud Teams

What’s Next?

The use of Machine Learning algorithms to interrogate Cloud services and identify and remediate risks is a welcome addition to Cloud security management. While the efficacy of the CyberArk solution is not yet known, IBRS anticipates that this approach will be beneficial and at least provide an additional ‘check’ over sprawling Cloud environments.

Related IBRS Advisory

Details: IBRS Advisor Team; 10 December 2020

The Latest

To cater for organisations with requirements to keep data in-country, VMware has opened a Sydney based Point of Presence (PoP) for Carbon Black Cloud in the AWS Sydney data centre. Carbon Black Cloud offers end-point security, which provides behaviour based analysis of devices.

Why it’s Important

The market for end-point security based on behavioural analytics is growing quickly. However, it relies upon hyper scale Cloud or Cloud-like resources. The paradox is that risk-averse organisations that can benefit from this type of endpoint protection are reticent to allow as-a-Service solutions not based domestically to have access to sensitive information about their staff activities. By opening a Sydney based PoP for Carbon Black Cloud, VMware removes a policy barrier to this type of end-point security.

Who’s Impacted

Desktop / digital workplace leads
CISO / security teams

What’s Next?

Carbon Black Cloud is one of a growing list of technology offerings in end-point security that leverage Cloud computing and AI. This market will grow rapidly as remote and hybrid working environments become a permanent part of the economy. And rightly so. In principle, IBRS does not see that data geolocation (keeping data domestically) significantly improves an organisation’s security stance, though it may provide regulatory compliance. Latency issues, especially for high-volume services, are also a consideration.

In practice, many organisations still need to address legacy policy regarding information management, and so the trend towards vendors setting up local data processing operations will continue..

Related IBRS Advisory

Details: IBRS Advisor Team; 26 November 2020

The Latest

10 Nov 2020: Microsoft has announced the general availability of its Data Loss Prevention (DLP) services. The DLP services are being rolled out to Office 365 customers with E3 and E5 licensing (see details on licensing below). Microsoft also introduced additional features for its DLP service, including:

Sensitivity labels for DLP policies
Dashboard within Microsoft 365 compliance center to manage DLP alerts
New conditions and exceptions for mail flow rules

Why it’s Important

The rapid introduction of collaboration tools has opened new vectors for data leakage. This was a particular worry of participants in IBRS’s recent Teams Governance Peer Roundtable, with 67% of executives having data leakage concerns. The current approach to reducing data leakage from products such as Teams is to block sharing and collaboration with external parties. While this does limit data leakage, it also eliminates one of the key benefits of new collaboration tools: the ability to create borderless work environments.

What’s covered

E3 licensing provides DLP for Exchange Online, SharePoint Online and OneDrive. However, organistions will need E5 licensing for access DLP for Teams Chat and Devices/ Endpoint.

Who’s Impacted

Organisations with Office 365 or Microsoft 365 investments.

Desktop / digital workplace lead
Office 365 deployment leads / administrators
Information management teams
CISO

What’s Next?

Microsoft’s general release of DLP, under existing E3 and E5 licensing levels, is a potent step to addressing collaboration’s woes. While Microsoft’s DLP is not as feature laden as dedicated competitive offerings, it requires no additional budget. Effectively, Microsoft is pushing DLP down into the broader market, to organisations that may not have previously considered such solutions. Along with Microsoft Information Protection (MIP), Microsoft DLP should be investigated as a priority feature for Office 365 deployments, especially where Microsoft Teams is being deployed with guest access enabled.

Related IBRS Advisory

Details: IBRS Advisor Team; 18 November 2020

Conclusion: Security breaches by insiders, whether deliberate or accidental, are on the increase and their consequences can be just as catastrophic as other types of security incidents. Organisations are typically reluctant to disclose insider security breaches and as a result, these breaches receive relatively little media attention. The insider threat may therefore be perceived as being of secondary importance in an organisation’s cyber security program. However, given the consequences, organisations need to ensure that this risk is given sufficient executive attention and resourcing.

Details: Dr. Philip Nesci; 12 November 2020

Talk to an IBRS Advisor

Conclusion: Passwords will continue to be part of the landscape for the foreseeable future. Organisations, driven by the concepts of defence in depth, must implement techniques that enhance the security of the authentication process. Both products and processes can be enabled or added to help secure the creation, use and storage of passwords.

Each of the techniques mentioned can be used on their own to enrich the security. Some or all of them can be combined to further build the security. Most of them have little associated costs apart from deployment and perhaps training, but the cumulative impact on the robustness of the authentication process is significant.

Details: Peter Sandilands; 12 November 2020

Conclusion: Cyber incidents and the protection of information have now taken enterprise and national significance.

Organisations will need to learn to operate securely in a zero trust world. With an ever-increasing number of cyber-related incidents, cyber security risk has evolved from a technical risk to a strategic enterprise risk. The risk of a compromise for most organisations is increasing with the acceleration of digital transformation, adoption of technologies such as Cloud services, analytics and IoT. The threat landscape is further compounded by increased regulatory and compliance requirements.

A cyber compromise is almost inevitable and organisations are now focusing on improving the resilience of their organisation to a cyber incident. Many organisations now have cyber resilience programs in place which not only protect and defend their key information assets but are also well placed to respond should a cyber incident occur. Our cyber strategy, roadmap and implementation advisory are designed to assist on your cyber resilience journey.

Details: Dr. Philip Nesci; 21 October 2020

Conclusion: People are and will be using passwords for the foreseeable future despite the numerous efforts underway to dispense with them. Managing them and particularly resetting them are ongoing costs for organisations.

Passwords are also a significant contributor to breaches. They are either captured during credential-grabbing efforts, leaked in a data breach or just too easy to guess.

Yet there are excellent guidelines in existence to assist people to minimise the possibility of passwords being cracked or guessed. Some involve implementing good policies, and most involve making it easier for users to create, remember and use passwords.

Details: Peter Sandilands; 12 October 2020

Conclusion: Identity and access management is a crucial component of an organisation’s security posture. At its most basic, it is how an organisation determines whether an individual can access resources or not. In today’s world, it is also becoming the basis of how applications first identify then communicate with each other.

Assurance of identity is the cornerstone of managing access to information. An organisation must be confident in that assurance. One method of bolstering the strength of that assurance could be the deployment of multi-factor authentication – at a minimum to privileged users, but ideally to all users of the services and applications whether those users are staff or not.

As organisations move from office-bound networks to distributed workforces combined with Cloud-based Software-as-a-Service (SaaS) applications, identity will evolve to be almost the sole element used to assess and grant access. Identity is certainly a central element of zero trust environments.

Details: Peter Sandilands; 10 September 2020

Background: The federal government has finally unveiled its cyber security strategy. The Australia’s Cyber Security Strategy 2020, released on 6th August will see $1.67 billion invested in a number of already-known initiatives aimed at enhancing Australia's cyber security over the next decade. IBRS provides their key takeaways from the strategy.

Most of the funding for the Strategy 2020 is from July’s announced $1.35 billion cyber enhanced situational awareness and response (CESAR) package much of the Strategy details will be contained in legislation to be put before parliament.

Details: Dr. Philip Nesci; 12 August 2020

Talk to an IBRS Advisor

Conclusion: Ransomware attacks are becoming increasingly common and Australian organisations have experienced several high-profile incidents in 2020. While the preferred option is to recover from backups, organisations may find that this is not feasible either because of the scale of the compromise or that backups themselves are compromised. While the decision to pay a ransom is complex and poses significant risks, it should be explored in parallel with the recovery from backup.

Details: Dr. Philip Nesci; 04 August 2020

Philip Nesci, IBRS adviser and former CIO, has warned that agencies will need to get their information management sorted out to capitalise on the new rules.

‘‘Agencies need to identify their high-value data sets and where they are located.’’

Details: Dr. Philip Nesci; 30 July 2020

Conclusion: Australian financial organisations have been bombarding their suppliers and partners with requests to complete security assessments. If servicing or dealing with financial organisations is part of the operational model for the organisation, this has probably already happened or is about to happen.

Those financial bodies are being driven by an Australian Prudential Regulation Authority (APRA) issued prudential standard CPS 234 (Cross-industry Prudential Standard). This document lays out how a financial body should manage its cyber security with particular emphasis on extending that management to parties that support or supply the financial body.

These assessments can be tedious and raise concerns about cyber security maturity within the organisation. On the other hand, they bring a clear high-level focus on areas that all organisations should either be covering or working towards covering. This makes CPS 234 a valuable reference for senior executives building a cyber security program.

Details: Peter Sandilands; 08 July 2020

Conclusion: In the current COVID-19-driven environment, video conference calls have become the stuff of life. They are used for school, family, leisure and even work. Numbers of call attendees have jumped from tens of millions to more than 300 million worldwide. As is normal in technology, there are a plethora of options to choose from.

One of those, Zoom, has made the news repeatedly over the period of April-May, initially because of its popularity but then because security flaws were being discovered. With the flaws seemingly serious, commentators were recommending organisations abandon Zoom. Many organisations did so, given the amount of coverage the flaws received.

But the product was and is popular. It is one of the easiest video conferencing products to use. It works well and is simple to deploy. A valid question to ask is whether Zoom is safe to use for business purposes. Taking a realistic view of the flaws combined with efforts Zoom has made to correct some of them leads to the conclusion that Zoom is safe for general business usage.

Details: Peter Sandilands; 03 June 2020

Conclusion: Many vendors, consultants and managed service providers are pushing ‘security information and event management’ (SIEM) as a panacea to security failings. The intent is correct. Having visibility of what is or has happened in the infrastructure is essential to detecting and responding to intrusions.

What often gets glossed over is that SIEM is a tool, not a complete solution in itself. Deployment requires deep engagement with the IT operations team and a clear vision of what is expected from the SIEM. The vision will be driven by how SIEM will be used, what outcomes would be expected and how its use would evolve over time.

With careful planning prior to deployment, some, if not most, of these issues can be addressed.

Details: Peter Sandilands; 13 May 2020

Talk to an IBRS Advisor

Conclusion: With an ever-increasing number of cyber-related incidents, cyber security risk has evolved from a technical risk to a strategic enterprise risk. While many organisations have enterprise crisis management and business continuity plans, specific plans to deal with various types of cyberattacks are much less common, even though many of the attack scenarios are well known. Every organisation should have an incident response plan in place and should regularly review and test it. Having a plan in place can dramatically limit damage, improve recovery time and improve the resilience of your business.

Details: Dr. Philip Nesci; 02 April 2020

"There is more security work to go round than there are resources. So I don't think the market is that crowded. It's important to remember that security is not something you buy and then it's done; it is an ongoing evolution within any organisation and requires constant care and feeding," IBRS adviser Peter Sandilands said.

"The big four has done a lot of their security work using fresh grads. They can use the tools but don't necessarily understand the real world implications."

Details: Peter Sandilands; 10 March 2020

Conclusion: The increased proliferation of critical digital services has resulted in ransomware attacks becoming one of hackers’ means to make money. As a consequence, many organisations have become the victims of such attacks. IT organisations should implement a full recovery strategy to restore IT services in the event of ransomware attacks. The recovery strategy should become an integral part of the disaster recovery plan. This will raise business stakeholders’ trust in the service security and reduce the spread of this type of IT organised crime.

Details: Wissam Raffoul; 08 March 2020

Conclusion: Cyber security is now one of the top priorities in many organisations. With an ever-increasing number of cyber-related incidents, cyber security risk has evolved from a technical risk to being regarded as a strategic enterprise risk. The role of the Chief Information Security Officer (CISO) has traditionally required strong technology skills to protect the organisation from security incidents. With boards and executives now requiring executive-level cyber leadership and accountability, the role of the CISO must evolve beyond the traditional technology domain to also encompass strategy, stewardship and compliance as well as being a trusted business advisor.

Details: Dr. Philip Nesci; 08 March 2020

The Role of the CISO

Conclusions: Patching systems is regularly touted as the panacea for security breaches, yet many organisations continue to struggle with that seemingly simple process. There is obviously more to the problem than just buying and deploying a patch management system.

Most organisations are well-intentioned; it is not that they do not want to patch. As one delves deeper into the tasks around patching, it soon becomes clear that many unintentional, and some intentional, roadblocks exist in almost every organisation.

This note attempts to sort through some of those roadblocks and offer some approaches to diminish their impact. Some resources are identified to help with the design and build of a patch service. There is a real dearth of well-structured information around the patching process overall.

Details: Peter Sandilands; 08 March 2020

Talk to an IBRS Advisor

Peter Sandilands, an advisor at analyst firm IBRS, called the discussion paper “a pre-judged survey” that is mostly looking for answers. He also questioned if the resulting recommendations would be published for review and commentary: “Is this window dressing, or are they going to do something out of this?”

The Australian government is charting its next cyber security strategy following an earlier A$230m blueprint laid out in 2016 to foster a safer cyber space for Australians.

In a discussion paper on Australia’s 2020 cyber security strategy, which is being led by an industry panel, minister for home affairs Peter Dutton said despite making strong progress against the goals set in 2016, the threat environment has changed significantly.

Details: Peter Sandilands; 11 February 2020

News

IBRSiQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Details: Mike Mitchelmore; 09 February 2020

Conclusion: As detailed in part one of this pair of notes, the Australian Signals Directorate’s Essential Eight (E8) are detailed technical recommendations for securing an information infrastructure. Implementing them has been touted as being effective against over 85 % of potential attacks. It is hard to ignore that benefit to an organisation’s security stance.

The first note went on to highlight the real-world implications of attempting to implement the E8; in particular, listing the prerequisites for the implementation. Each of the E8 assumes that an organisation has in place the underlying capabilities and information that provide the supporting base for each element of the E8.

While at first glance that appears to put a negative connotation on deploying the E8, in many ways it points to some basic processes and capabilities that any organisation should have in place to use its information infrastructure effectively. This note will explore those implications. It will help any organisation build the basics of an effective security regime.

Details: Peter Sandilands; 06 February 2020

Conclusion: Cyber security and data privacy are currently hot topics at both executive and board levels and security incidents feature in the media on an almost weekly basis. CIOs and executive teams will face increasing scrutiny from their boards with a focus on accountability, risk assessment, reporting and organisational resilience to cyber incidents. Boards are genuinely grappling with how to assess risks and how to ensure that the organisation is sufficiently well prepared to protect and respond appropriately to security incidents, within budget and resource constraints. CIOs and CISOs have a unique opportunity to engage with boards and provide the leadership that is expected, as the move to digital accelerates. In this note we highlight the recent trends and outline some of the key recommendations to practical steps to strengthen your organisation’s ability to protect itself holistically from cyber and data loss risks.

Details: Dr. Philip Nesci; 06 February 2020

Security Readiness

Conclusion: The Essential Eight from the Australian Signals Directorate constitutes a recommended set of strategies to reduce the risk of cyber intrusion. They are said to prevent up to 85% of potential attacks. They are certainly worth assessing as a strategy to apply as an organisation plans out its security strategy.

However, while they may seem simple at first glance, the prerequisites for their implementation are far reaching. These add significant cost and effort to any attempt to take advantage of the E8. In fact, the effort and planning can easily exceed the effort in seemingly just doing the E8.

This will be a two-part article. The first part will explain the question at hand and describe the premise being explored. The second part will work through the implications for an organisation and list the strategies to deal with them.

Details: Peter Sandilands; 09 January 2020

Talk to an IBRS Advisor

Conclusion: Current network and security deployments make many assumptions about the threat environment and which controls are effective. Many of these assumptions are predicated on an older security architecture that emphasised the perimeter. This perimeter then segregated the outside from the inside with an associated perception that inside was good or trustworthy and outside was bad and untrustworthy.

It is easy to see that for many, if not most organisations, the perimeter is no longer just considered a solid demarcation point between outside and inside. The internal network hosts contractors and consultants as well as integrates external services as if they are native to the network. Staff operate from partner and customer locations as well as from public networks via wi-fi hotspots in cafes, airport lounges and hotels.

This evolution requires a fresh security architecture to assist organisations to operate in the evolving network and service paradigms. The zero trust network (ZTN) philosophy lays out an architectural approach to deploying services, enabling staff and supporting customers. ZTN should be assessed by any organisation looking to move to an internet-driven, Cloud-supported and secure operating schema.

Details: Peter Sandilands; 05 December 2019

Conclusion: Organisations would hope that their data protection policies are in place and effective. Data loss protection is active on the email channel and data is encrypted while at rest within the organisation. Staff are often trying to share data with others or move data to where it may be easily accessible. A very common channel for this is one of the many Cloud-based file-sharing services such as Dropbox, iCloud or Google Drive.

These services conflict with data protection in several ways. In many cases the services used by staff are personal accounts owned by the staff member, not the organisation. This immediately places the data outside the control of the operation.
The sharing of the data can be open-ended where a) even the staff member loses control over who can access the data, and b) it is uncertain where the data is stored and in which jurisdiction.

If the data contains personal information, credit card details or confidential finance information, the organisation may find itself in breach of regulations such as the Notifiable Data Breach Regulation or Payment Card Industry requirements.

Details: Peter Sandilands; 02 November 2019

Conclusion: Many organisations are finding themselves being defrauded, especially when making or receiving payments electronically. It is not that the end systems are compromised but rather the payment information itself is being subverted in between the payer and the payee.

This is hard to defeat via technical means as the messages themselves look the same as any other payment request or invoice. A quality email filtering service will remove many of the clumsy attempts thus allowing more focus on the well-constructed efforts.

This article aims to help improve understanding of the threat and identify effective strategies to lessen the possibility of a business being impacted. Security defence consists of more than just technology. A well-rounded defence is composed of people, process and technology. Defeating business email compromise (BEC) is primarily achieved by the people and process segments.

The staff of a business are in the best position to detect attempts to compromise a payment, provided they have been armed with some knowledge of the types of attacks and permission to halt and question the details.

Many fraud attempts can be prevented by implementing a simple business process that allows all staff to question transactions that change payment details and use secondary channels to confirm those details.

Details: Peter Sandilands; 02 October 2019

Contract Vendor Management

Conclusion: The notifiable data breach regulations have had an impact on business priorities. For any organisation subject to the regulations, protection of personal information should have become a priority. One security technology, data loss prevention, could have offered some assistance. But it has had a mixed reception in the past due to many issues in both implementing and operating the service.

The continued move to SaaS for office systems such as document creation and email is also changing the market. Many capabilities that have been previously offered as standalone products are now being subsumed into the SaaS offerings as just adjunct functions.

This simplifies the selection of the products and their ongoing management. A prime example of this is data loss prevention which is now being offered as a check-box selected capability in several SaaS offerings.

This could put data loss prevention within reach of small to medium businesses as a component of their personal information protection strategy.

Details: Peter Sandilands; 04 September 2019

Governance

Conclusion: Given the reality of shrinking budgets, organisations can struggle deciding what new products to purchase or techniques to implement. They hope the new capabilities will enhance their security posture, but new tools often need additional staff to operate them. Employing skilled security staff can itself be a challenge. A simple but pragmatic approach is to leverage IT operation’s budget and skills to improve operational hygiene and hence, overall security hygiene.

Details: Peter Sandilands; 05 August 2019

Talk to an IBRS Advisor

Conclusion: IT auditors typically consult with, and report their findings to, the board’s Audit and Risk Committee. Their POW (program of work) or activities upon which they will focus may or may not be telegraphed in advance to stakeholders, including IT management.

To avoid getting a qualified audit report for IT, e. g. when internal (systems) controls are weak or IT risks are unmanaged, business and IT management must first get their house in order, by tightening controls and addressing risks before the possible arrival of the audit team. Failure to get the house in order, before an audit, could be career limiting for IT and business managers.

Details: Alan Hansell; 05 August 2019

Security Readiness

Conclusion: Increasing emphasis in the media and in industry literature on cyber security and the risks of data breaches with service disruptions is likely to get extra attention in future from the board and their audit and risk committee (or ICT governance group).

Not only must the committee be concerned with risk prevention, astute members will also want to know how the organisation will recover from a data breach or ransomware attempt and restore the organisation’s operations, if an unexpected disruption to services occurs.

To minimise business risks, committee members must stay aware of local and international cyber security incidents, how they occurred and were addressed and what they need to do to make sure they are not replicated in their organisation.

Details: Alan Hansell; 03 June 2019

The Role of the CISO

Conclusion: Recently, several architectural models and tools have become available to enable the microsegmentation of networks, which helps improve overall security within organisations and can help limit the scope of any potential breach within an organisation. This can be achieved by aligning microsegmentation of networks with the organisation’s mission-critical systems profile.

Organisations should ensure microsegmentation is included in their security strategy. However, there are several different architectural approaches and organisations should explore these and select the approach that most suits their current or planned enterprise architecture and assess the benefits each approach may offer.

Details: zzPeter Hall; 03 June 2019

Conclusion: The Agency Head/CEO is responsible to accredit the ICT system for use at the PROTECTED level. The accreditation process is specific to the services being delivered for the organisation. The Australian Signals Directorate (ASD) certification process is a generic process that assesses the Cloud Service Provider’s (CSP) level of security only.

The Agency Head/CEO remains responsible as the Accreditation Authority (AA) to accredit the security readiness for the services to be delivered for their organisation. In practice the CIO/CISO will lead the accreditation process on behalf of the CEO.

ASD’s role as the Certifying Authority (CA) for PROTECTED Cloud services provides the agency/organisation using the CSP with independent assurance that the services offered meet government Information Security Registered Assessors Program (IRAP) requirements and vulnerability assessment requirements at the PROTECTED level. The certification process provides a consistent approach to the cyber risk assessment of the CSP’s environment only. The PROTECTED Cloud certification does not cover security assessment related to the design and maintenance of the customers’ services and/or software to be run on the PROTECTED Cloud platform.

The adoption of a PROTECTED Cloud solution will still require a regular review of the security posture. ASD will conduct regular reviews of their processes as the certifying authority (CA), and the Agency Head/CEO will be required to regularly review the accreditation of the service as a whole.

Details: Mike Mitchelmore; 05 April 2019

Security Readiness

Conclusion: Over the past decade, the role of the Chief Information Security Officer (CISO) has risen to be one of great importance in many large and mid-sized organisations. While this remains the case, protecting information assets is more likely to be successful through ensuring all threats are managed under the same set of policies and principles. Managing threats to organisations can no longer be separated between departments or siloed out to service providers. With data in the Cloud and people on the ground in new geographies, the need to evolve the relationship between logical and physical controls has increased. The key to holistic security is to bring all aspects of security under one umbrella to ensure all bases are covered.

Details: Claire Pales; 05 March 2019

The Role of the CISO

Talk to an IBRS Advisor

Conclusion: Australians have become increasingly concerned not only with what data is being held about them and others, but how this data is being used and whether the resulting information or analysis can or should be trusted by them or third parties.

The 2018 amendments to the Privacy Act for mandatory data breach notification provisions are only the start of the reform process, with Australia lagging a decade behind the US, Europe and UK in data regulation.

Therefore, organisations seeking to address the increasing concerns should look beyond existing data risk frameworks for security and privacy, moving instead to adopt robust ethical controls across the data supply chain¹ that embodies principles designed to mitigate these new risks. Risks that include the amplification of negative bias that may artificially intensify social, racial or economic discord, or using data for purposes to which individual sources would not have agreed to.

Early adopters of effective data ethics will then have a competitive advantage over those who fail to address the concerns, particularly of consumers, as to how their data is used and if the results should be trusted.

Details: Sam Higgins; 04 February 2019

Conclusion: Throughout the year, most businesses invite in a third party to conduct an information security risk assessment – as per best practice. Often this is a compliance exercise, other times it is just good housekeeping. Assessors are paid to find gaps in security controls based on the threat landscape and risk profile and provide recommendations for how to better secure the organisation with appropriate controls. With a thud-worthy report in hand, those charged with remediation must prioritise the recommended tasks to best use their resources to appropriately protect the organisation.

Details: Claire Pales; 04 February 2019

Security Readiness

Conclusion: Relying on third parties to succeed in business has become the norm. Cost limitations and workforce requirements mean that businesses need to find efficient ways to achieve their goals. This regularly includes creating an ecosystem of organisations that offer technology, consulting and support services that can be leveraged when required for a fraction of the cost of employing a person or service in-house to the same end. This is great from a business perspective; however, engaging with third parties brings significant risk. Businesses are effectively opening their door to a perfect stranger and inviting them into their organisation to look around, share some data and stay a while. Managing the risk of having a third party connected to an organisation is important. An organisation’s security controls become meaningless once data is transferred to a third party. At the end of the day, if a cyber-attack occurs via a third party, there will be more than one reputation on the line in the eyes of current and future business partners, customers and clients.

While the impact of a third-party data breach cannot be completely prevented, the key to resilience, detection and management of connections is awareness, being upfront about the security expectations and educating the workforce.

Details: Claire Pales; 07 January 2019

Security Policy and Frameworks

Conclusion: CIOs should consider the environments for their PROTECTED information, both when building new capability and/or when renewing older infrastructure and services. The need to have cost-effective infrastructure services (in-house or IaaS), accredited security of services and responsiveness for clients using the service are three key deliverables for any CIO.

The Australian Government has identified PROTECTED ratings be applied where systems and data are at risk and where the systems or data are critical to ensuring national interest, business continuity and integrity of an individual’s data. Critical business functions are a combination of the IT systems they run on and the data they consume.

Defining what should be afforded a PROTECTED rating and therefore adequately protected is an ongoing challenge. The Australian Government’s Information Security Manual (ISM) and recent legislation “Security of Critical Infrastructure Act 2018” detail the requirements and framework for reporting, on government-run IT systems and critical infrastructure. Using this framework as a base, organisations should assess whether the data or IT environments that support critical business functions should be treated as PROTECTED.

Details: Mike Mitchelmore; 07 January 2019

Security Readiness

Page 2 of 8

Start
Prev
1
2
3
4
5
6
7
8
Next
End

info@ibrs.com.au

© IBRS. All Rights Reserved. 2022