Security Leadership

The Latest

24 May 2022: Oracle has recently been recognised by the Digital Transformation Agency as a certified strategic hosting provider, the highest level of assurance, which permits the Australian government to specify strict ownership and control conditions. The company now joins other accredited Cloud providers in Australia such as Microsoft, Amazon Web Services (AWS), Sliced Tech, AUCloud, and Vault Cloud. The Australian government has mandated that its agencies will only host with accredited partners starting July 2022, to better manage supply chain issues.

Oracle partnered with Australian Data Centre (ADC) in 2021 to offer public Cloud services to government agencies. 

Why it’s Important

For organisations with existing investments in Oracle platforms, the company’s Cloud offering is considered a low-risk, quick and easy way to obtain the benefits of hyperscale Cloud. Through the accreditation, government agencies can now use Oracle as a government-ready Cloud services provider (CSP).

For Oracle’s other clients, the company’s regulatory compliance means that the services its users receive follow critical best practices in the areas of procedures, policies and designs. It also offers assurance that Oracle meets their security requirements, since government accreditation is more difficult to obtain: practices need to be demonstrated to conform to stringent standards.

While Oracle's Cloud platform does not have the Platform-as-a-Service (PaaS) breadth of its hyperscale Cloud rivals, it may have all the services its existing clients need. Organisations looking to retain Oracle's products should evaluate the Oracle Cloud platform from a financial perspective, as part of their multi-Cloud strategy. For instance, Oracle Cloud includes automated database tuning administration, so enterprises need to consider the costs associated with having trained staff to monitor the database, which could result in higher overheads.

Who’s impacted

  • CISO
  • Security teams
  • ICT strategy leads
  • Infrastructure architects

What’s Next?

Over the last three years, IBRS has noticed a significant mind shift in how organisations think about database infrastructure and, in particular, the Cloud. Many IBRS clients have reported that they are actively looking to embrace Cloud-native data platforms. The Oracle Cloud provides not only a 'stepping stone' for Oracle database customers, and those with Oracle's enterprise solutions, but a potential platform for running containers.

The Latest

12 April 2022: Research by risk consulting firm Kroll revealed a 356 per cent surge in common vulnerabilities and exposures (CVEs) or zero-day vulnerabilities (also known as freshly announced threats) in the last three months of 2021 compared to the previous quarter. By December, an increase in new ransomware variants detected in ManageEngine, ProxyShell, VMware, and SonicWall pushed CVE logs to an all-time high.

Kroll’s industry survey revealed that while phishing remained the most popular initial access infection vector, at 39 per cent in the fourth quarter, CVEs as an initial access vector increased from 6 per cent to 27 per cent in the same period.

Source: Q4 2021 Threat Landscape: Software Exploits Abound

Why it’s Important

Many incidents of ransomware continue to impact Australian organisations, which are considered prime targets due to (a) their capacity to pay and (b) the relatively immature (from a global perspective) cyber-defence and cyber-response capabilities of a larger number of mid-sized enterprises. Many of these organisations struggle to close common vulnerabilities, let alone zero-day exploits, quickly enough to avoid intrusions due to their weak defence postures.

Organisations need to address their ability to defend against such attacks and respond appropriately to limit any impact caused by breaches. More effort is required across industries, rather than just within individual businesses, to contain the likelihood of attacks impacting productivity, reputation and financial resources. This will support sharing of intelligence and the growth of cyber-defence nationally.

Who’s impacted

  • CMO
  • Development team leads
  • Business analysts

What’s Next?

  • Cyber-defence can no longer be left to a 'best effort' basis by ICT groups. Organisations that lack a dedicated cyber security specialist must seek out specialist services, peer groups and forums, and actively leverage better practices from these groups.
  • Evaluate the status of your enterprise’s ransomware defence and look into the strengths and weaknesses of your current security posture.
  • Create a dedicated team that will develop a roadmap to improve the organisation’s stance against ransomware.

Related IBRS Advisory

  1. The Security Impact of Remote Working: Find the Gaps in (Zero) Trust
  2. Use Security Principles to Guide Security Strategy
  3. Reducing the Risk of a Successful Ransomware Attack

The Latest

28 October 2021: The US Senate voted unanimously to bar Huawei and ZTE from supplying equipment to US enterprises due to national security threats that would violate the Secure Equipment Act. Once approved by President Joe Biden, the companies will not be granted equipment licenses by the Federal Communications Commission (FCC) under its ‘Covered Equipment or Services List’. A few days before, the Federal Bureau of Investigation (FBI) raided PAX Technology's Jacksonville warehouse after reports of alleged transmission of malware through the Chinese manufacturer's point-of-sale (PoS) terminals.

Why it’s Important

As a member of Five Eyes (FVEY), an alliance of countries including Canada, New Zealand, the UK and the US, for joint cooperation in signals, military and human intelligence, Australia has previously followed the US in cutting off suspicious foreign tech companies' domestic presence due to national security concerns.

  • Australia blacklisted Huawei and ZTE in 2018 from selling 5G equipment. The two firms vehemently dismissed accusations over high-speed mobile network espionage, citing discriminatory tactics even with a no-backdoor agreement. 
  • In the same year, the Australian Defence Department banned messaging and payment app WeChat for failing to meet the organisation's standards for use on networks and mobile devices but not necessarily because of security and privacy issues.
  • In late October 2021, PoS terminals from PAX were detected sending anomalous network traffic, which has seen formal requests to replace the equipment due to security concerns. 

The fundamental issue here is supply chain security - the ability of nation state actors to inject spyware (or other malware) into equipment that is broadly used globally. Even where the security risks are not validated, the potential remains. It must also be noted that in the recent past, allies of Australia have engaged in such activities.

With the current geopolitics on global telecommunications being influenced by the US, sweeping impacts on the global supply chain and reduced competition in the market are likely.  

IBRS expects this technology supply spat will expand into areas outside of telecommunications, such as industrial control systems and PoS. Any widespread technology that can be used to impact or monitor aspects of national economies is a likely target.

Who’s impacted

  • Telecommunications procurement

What’s Next?

For organisations considering foreign-manufactured tech products and services, look more closely at the implications of selecting such equipment or platforms. While there is still no public evidence on the credibility of allegations against specific state actors, senior leaders must take security concerns in their organisation into account and assess the risks they are willing to take when selecting any vendor.

In addition to the security risks, there are also reputational risks, and risks associated with having to replace key solutions, such as is the case with the PAX PoS hardware.

Related IBRS Advisory

  1. Choosing Huawei could be risky - but not why you think
  2. Are you FRUSTRATED with procurement? Why procurement often goes off the rails

The Latest

11 May 2021: Jamf is a market leader in Apple iOS device management, with a strong presence in education. It has announced its intention to acquire the zero-trust end-point security vendor Wandera. 

Why it’s Important

Vendors in the device management market have two options for continued growth: add new services and grow horizontally within their market (as in VMware), or specialise in increasingly niche areas. Jamf has remained firmly entrenched in providing Apple device management, so it is a niche (though important) player in device management. Its acquisition of Wandera, hot on the heels of its purchase of Mondada, will broaden its base and help cement its position against the broader players.

Who’s impacted

  • End user computing/digital workspace teams
  • Security teams

What’s Next?

Globally, the move to working from home saw an uplift in Apple products being connected to enterprise (work) environments. Citing IDC, Jamf reports the penetration of macOS in 2019 was around 17%, and during 2020 this increased to 23%. In addition, globally 49% of smartphones connecting to work environments remain iOS, though this is slightly lower in Australia, where Android has gained a small market share in a tight market last year.

The challenge with supporting a mixed device ecosystem (Windows, Android, macOS, iOS, Chrome) is now about securing not just the end-point, but the entire information ecosystem. VPNs in particular proved difficult to scale and adapt to a myriad of end points. The need to patch reliably and manage software also becomes significantly more difficult due to differing rates of change, patch cycles and tools needed.

Jamf’s acquisition of Wandera will not eliminate these challenges completely, but will at least simplify the Apple slice of the situation. 

Related IBRS Advisory

  1. Requirements Check-List for Mobile Device Management Solutions
  2. Embracing security evolution with zero trust networking

The Latest

To cater for organisations with requirements to keep data in-country, VMware has opened a Sydney-based Point of Presence (PoP) for Carbon Black Cloud in the AWS Sydney data centre. Carbon Black Cloud offers end-point security, which provides behaviour-based analysis of devices.

Why it’s Important

The market for end-point security based on behavioural analytics is growing quickly. However, it relies upon hyperscale Cloud or Cloud-like resources. The paradox is that risk-averse organisations that can benefit from this type of endpoint protection are reticent to allow as-a-Service solutions not based domestically to have access to sensitive information about their staff activities. By opening a Sydney-based PoP for Carbon Black Cloud, VMware removes a policy barrier to this type of end-point security.

Who’s Impacted

  • Desktop / digital workplace leads
  • CISO / security teams

What’s Next?

Carbon Black Cloud is one of a growing list of technology offerings in end-point security that leverage Cloud computing and AI. This market will grow rapidly as remote and hybrid working environments become a permanent part of the economy. And rightly so. In principle, IBRS does not see that data geolocation (keeping data domestically) significantly improves an organisation’s security stance, though it may provide regulatory compliance. Latency issues, especially for high-volume services, are also a consideration.

In practice, many organisations still need to address legacy policy regarding information management, and so the trend towards vendors setting up local data processing operations will continue.

Related IBRS Advisory

  1. Embracing security evolution with zero trust networking
  2. What is the security agenda for 2019?
  3. When it comes to security, when is enough... enough?