OVERCOMING THE RISKS BY EXPERTS EMPLOYING SOPHISTICATED TOOLS AND ORGANISATIONS ENSURING ALL COMPUTER USERS ARE PROPERLY TRAINED
Rarely does a day go by without some media report on the results of a cyber-attack either on individuals, businesses, critical infrastructure, medical facilities, financial institutions or governments at various levels.
Is this the new normal?
The Australian Signals Directorate (ASD) in its own words ‘defends Australia from global threats, and advances the national interest through the provision of foreign signals intelligence, cyber security and offensive cyber operations, as directed by Government.’ As part of ASD, the Australian Cyber Security Centre (ACSC), is responsible for cyber security.
The ASD’s Annual Report 2018-19, submitted to the Minister for Defence the Hon Senator Linda Reynolds CSC, was published on 10th October and gives tabular categorised information on the 2164 cyber incidents of varying significance, including Australia’s first national cyber crisis.
ACSC concluded that this was a major targeted attack by a sophisticated state-sponsored actor. Their case study in the Report notes ‘In the first half of 2019, the ACSC investigated an incident on government networks that included the major political parties and the Australian Parliament House network. While the intrusion was widespread, it was caught early. The Department of Parliament Services had implemented security practices that helped to identify and restrict the extent of the compromise, minimising the potential impact.’
Since the ACSC introduced its new online portal in July 2019, more than 13,500 cybercrime reports were lodged in its first three months, with the people reporting losing an average of $700 to cybercrime.
The most common type of crime reported is online fraud: people click a link in a message claiming to be from their bank and then enter their online banking details on the attacker’s page. Sad stories abound of identity fraud, and of online romance scammers who have convinced people to send thousands of dollars abroad.
There have also been “watering hole” attacks on university sites. In this type of attack the attackers observe or guess which websites their targets habitually visit and compromise one or more of those sites to serve malware, so that visiting users are infected and the attackers gain a foothold from which to reach internal systems.
The Department of Defence, including the Australian Defence Force, is very conscious of the need to both protect its networks from cyber-attack but also to train its people in the correct use of computer systems and smart phones so that they do not respond to phishing expeditions which create an opportunity for the attacker to enter and reside in these networks.
Speaking at the Sydney Seapower Conference on 8th October, Chief of Navy Vice-Admiral Michael Noonan CSC spoke of RAN’s Cyber Worthiness. “In preparing for future operations the navy is drawing on the many lessons it has learned about seaworthiness and airworthiness. Ultimately, we’ll learn from those two domains as we move into other domains such as cyber. I’m applying the term “cyber worthiness” to the fleet to ensure that our ships, our aircraft and our systems can operate in a sustained manner in a cyber environment.”
However, the need for good cyber defences is not confined to the ADF, or other parts of Defence, but needs to extend out to Australia’s defence industry and academic researchers, as their working life requires regular electronic exchanges with Defence and other government agencies.
Fortunately, this message is getting through, particularly at major national conferences like the Australian Cyber Conference 2019 held 7-9 October in Melbourne and the Military Communications and Information Systems (MilCIS) Conference 2019 being held 12-14 November in Canberra.
Overseas, the 3rd ASEAN Ministerial Conference on Cybersecurity was held in Singapore in September. Included was a progress report on the ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE), which noted that Australia, Canada, the European Union, the Republic of Korea, New Zealand, the United Kingdom and the United States had indicated keen interest in working with them to develop and deliver programmes under the ASCCE.
There are also a number of Australian organisations which have been set up specifically to research sophisticated tools to ensure cyber security, like the Cyber Security Cooperative Research Centre.
The cyber domain is now widely accepted as standing alongside the other four traditional domains – maritime, land, air and space. This does raise questions about the conduct of cyber warfare.
CAN CYBER WARFARE BE REGULATED?
Joseph S. Nye, a professor at Harvard University, has written on cyber warfare in ASPI’s The Strategist in these terms ‘Whether or not a conflict spirals out of control depends on the ability to understand and communicate about the scale of hostility.
Unfortunately, when it comes to cyber conflict, there’s no agreement on scale or how it relates to traditional military measures. What some regard as an agreed game or battle may not look the same to the other side.
‘A decade ago, the United States used cyber sabotage instead of bombs to destroy Iranian nuclear enrichment facilities. Iran responded with cyberattacks that destroyed 30,000 Saudi Aramco computers and disrupted American banks.
‘In June this year, following the imposition of crippling sanctions by US President Donald Trump’s administration, Iran shot down an unmanned American surveillance drone.
There were no casualties.
Trump initially planned a missile strike in response, but cancelled it at the last moment in favour of a cyberattack that destroyed a key database used by the Iranian military to target oil tankers. Again, there were costs but not casualties. Iran then carried out, directly or indirectly, a sophisticated drone and cruise-missile strike against two major Saudi oil facilities. While it appears there were no or only light casualties, the attack represented a significant increase in costs and risks.’
His conclusion is ‘As states and organisations come to understand better the limitations and uncertainties of cyber-attacks and the growing importance of internet entanglement to their economic well-being, cost-benefit calculations of the utility of cyberwarfare may change.
‘At this point, however, the key to deterrence, conflict management and de-escalation in the cyber realm is to acknowledge that we all still have a lot to learn and expand the process of communication among adversaries.’
INTELLECTUAL PROPERTY THEFT
APDR often reads allegations of intellectual property theft by state actors, but rarely are any unclassified details revealed. CrowdStrike Holdings Inc. is a cybersecurity technology company based in Sunnyvale, California, and has just published detailed research on one set of IP thefts.
APDR has received a full copy of CrowdStrike’s description of ‘How TURBINE PANDA and China’s Top Spies Enabled Beijing to Cut Corners on the C919 Passenger Jet’. The detailed evidence is compelling but because of copyright restrictions details cannot be revealed here. Interested readers can go to firstname.lastname@example.org and seek to download the product ‘Cyber insecurity: Managing threats from within’. This will provide a copy of CrowdStrike’s Intelligence Report on this subject.
ASD INFORMATION SECURITY MANUAL 2019
This 177-page manual, current as of its publication in October 2019, is an important resource for anyone who needs to understand information security principles and the practical methods of ensuring that their organisation’s systems and staff use information system resources safely.
The main topics covered include cyber security principles, guidelines for cyber security roles, how to detect, manage and report cyber security incidents, outsourcing, security documentation, physical security and personnel security. There are guidelines for communications infrastructure, communication systems and enterprise mobility of devices. Sound advice is given on the ASD evaluated products program, ICT equipment and media management.
System hardening, management and monitoring occupy 25 pages. As well as providing guidelines for software development, there is coverage of database and email systems together with network and gateway management.
As one would expect in an ASD publication, there are 14 pages on using cryptography covering cryptographic fundamentals, ASD approved cryptographic algorithms, ASD approved cryptographic protocols, transport layer security, secure shell, secure/multipurpose internet mail extension, internet protocol security and cryptographic system management.
AN AUSTRALIAN RESEARCH PARTNERSHIP
On 3rd October the Cyber Security Cooperative Research Centre (CSCRC) announced a research project to build Artificial Intelligence (AI) enabled cyber traps and decoys to extend the country’s sovereign advantage in autonomous and active defence.
This will give Australian cyber security company Penten access to CSIRO Data61’s AI research expertise. The research will focus on extending Penten’s world-leading work on applying AI to turn the tables on cyber attackers, using deception technology such as ‘cyber traps’ and ‘decoys’, part of an emerging category of cyber security defence.
Data61 has delivered world-leading research in AI-driven security solutions. Dr Surya Nepal, Senior Principal Research Scientist at CSIRO’s Data61, said the partnership could help Australia create new technologies that can reach global scale.
“As cyber threats increase in volume and sophistication, AI and machine learning offer an opportunity to assist overwhelmed human defenders and speed up decision making and response. It also allows us to deliver more agile defences in a way that we were not able to before,” Dr Nepal said.
Penten CEO Matthew Wilson said, “We have been exploring how to fight back against these attackers by interspersing decoy computers and data amongst real assets. Because they don’t have any real value, the decoys act as digital tripwires. We discover the attackers and learn more about them by capturing their actions, observing what they choose to interact with and placing homing beacons in the decoys.
“Cyber traps work best if the content is realistic, enticing and does not interfere with legitimate users. Making these cyber traps by hand and optimising for these requirements is very time consuming for cyber defenders. Our solutions use artificial intelligence to learn the patterns of activity and content from surrounding computers and data. We then use this information to create realistic and believable mimics.
This means we can deliver suitable content extremely efficiently, tailored to a customer environment and with minimal effort on the part of the defender.” Mr Wilson said.
TACKLING THE THREAT OF RANSOMWARE
81% of Australian organisations that reported cyber incidents in the past 12 months indicated that they had experienced a ransomware attack: their important records were encrypted or otherwise locked away, and the attacker demanded that a ransom be paid before handing over the decryption keys needed to regain access to the organisation’s data.
Many organisations have a strategic principle of not paying ransoms, but an organisation that has not prepared for this type of event may find that refusing to pay puts it out of business. Perhaps a commercial firm can accept that risk, but data-rich organisations whose services depend on their records, such as hospital authorities, emergency services and critical infrastructure providers, do not have that option.
On 1st October 2019 it was announced in Melbourne that ‘The Victorian Government is investigating the scale of a ransomware attack by “sophisticated cyber criminals” on some of the state’s major regional hospitals that has forced healthcare providers to go offline.’
Regional hospitals and medical services around Victoria, but not in Melbourne, were affected.
“The cyber incident, which was uncovered on Monday (30 September), has blocked access to several systems by the infiltration of ransomware, including financial management,” a Department of Premier and Cabinet spokesperson said in a statement.
The Government said it was working with Victoria Police to manage the incident and experts from the Australian Cyber Security Centre would arrive from Canberra to help secure the system.
Quarantine of some computer systems had led to the shutdown of “some patient record, booking and management systems” and some hospitals had reverted to manual systems to maintain services.
“The affected hospitals are now working on their bookings and scheduling to minimise impact on patients, but may need to reschedule some services where they don’t have computer access to patient histories, charts, images and other information” said a spokesperson.
Expert advice on preparing for ransomware is to identify critical data and take regular, probably daily, offline backups with versioning, so that an encrypted copy can be replaced with a known-good earlier one and the threat of loss is lessened. Prompt security patching of operating systems and applications reduces the vulnerabilities through which ransomware gets in. The ACSC’s advice is that the possibility of a ransomware attack is real; the key preparation is to put in place measures that stop an attack from proving catastrophic for the organisation.
A very practical set of tips on personal cyber security is available on CERT NZ’s website, cert.govt.nz: select the Individuals tab for an excellent set of guides gathered under the heading ‘Getting started with cyber security’. Management cannot delegate responsibility and policy for cyber security to technical experts; it must have a proper appreciation of what is required and regularly monitor the organisation’s preparedness for a cyber-attack.
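As an added illustration of the backup-and-versioning advice above (example code written for this article, not taken from ACSC or ASD guidance), the Python script below takes append-only, dated snapshots of a directory, records a SHA-256 manifest beside each snapshot, verifies a snapshot against its manifest, and compares consecutive manifests. The record-store file names and the simulated ransomware event in demo() are constructed sample data, and the 2019 dates are labels only.

```python
"""Versioned, verifiable backups (added example, not from the original
article). Standard library only; sample data in demo() is constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }


def snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Copy source into backup_root/<label> as a new version (never
    overwriting an earlier one) and write a hash manifest beside the data."""
    dest = backup_root / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} exists; versions are append-only")
    shutil.copytree(source, dest / "data")
    manifest = build_manifest(dest / "data")
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify(snapshot_dir: Path) -> list:
    """Relative paths whose current hash differs from the manifest or that
    are missing. An empty list means the snapshot is intact."""
    recorded = json.loads((snapshot_dir / MANIFEST).read_text())
    current = build_manifest(snapshot_dir / "data")
    return sorted(p for p in recorded if current.get(p) != recorded[p])


def change_ratio(old_manifest: dict, new_manifest: dict) -> float:
    """Fraction of files in the older version that changed or disappeared.
    Daily work touches a few files; wholesale encryption touches nearly all,
    so a ratio near 1.0 is a cue to keep the previous version and investigate
    before rotating old snapshots out."""
    if not old_manifest:
        return 0.0
    changed = sum(1 for p, h in old_manifest.items() if new_manifest.get(p) != h)
    return changed / len(old_manifest)


def demo() -> dict:
    """Constructed scenario: two ordinary daily snapshots of a small record
    store, then every live file is rewritten and renamed (simulated ransomware)
    before the third snapshot; one file inside the day-2 copy is also tampered."""
    root = Path(tempfile.mkdtemp())
    live, backups = root / "records", root / "backups"
    live.mkdir()
    for name in ("admissions.csv", "bookings.csv", "charts.json"):
        (live / name).write_text(f"day1 contents of {name}\n")
    day1 = snapshot(live, backups, "2019-09-28")
    (live / "bookings.csv").write_text("day2: one booking added\n")  # normal change
    day2 = snapshot(live, backups, "2019-09-29")
    for p in list(live.iterdir()):  # simulated ransomware: everything rewritten
        p.write_bytes(os.urandom(64))
        p.rename(p.with_suffix(p.suffix + ".locked"))
    day3 = snapshot(live, backups, "2019-09-30")
    (day2 / "data" / "charts.json").write_text("tampered")  # backup medium touched
    load = lambda d: json.loads((d / MANIFEST).read_text())
    result = {
        "day1_intact": verify(day1) == [],
        "day2_damaged": verify(day2),
        "normal_ratio": round(change_ratio(load(day1), load(day2)), 2),
        "attack_ratio": round(change_ratio(load(day2), load(day3)), 2),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The manifest only adds assurance if it cannot be altered along with the data: keep each snapshot on media that is detached or write-once after the copy completes, and hold a second copy of the manifests elsewhere, otherwise an attacker who reaches the backup store can rewrite both the files and their recorded hashes.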
Finally, no article on cyber security from Australia’s perspective would be complete without considering ASD’s capability for offensive cyber operations.
ASD’s Annual Report states that it ‘masters technology and its application to inform (signals intelligence), protect (cyber security) and disrupt (offensive cyber operations)’. It describes the offensive cyber capability as protecting ‘Australians and Australia’s national interests through a broad range of offshore activities designed to disrupt, degrade or deny our adversaries’, and lists its uses as to:
• deter and respond to malicious cyber intrusions and attacks
• support the Australian Defence Force (ADF) and coalition partners, to conduct military campaigns in the Middle East and degrade Daesh propaganda networks
• disrupt, degrade, deny and deter organised offshore cyber criminals.
‘On 27 March 2019, Director-General ASD gave a public speech that, for the first time, disclosed operational details of ASD’s offensive cyber capability. The first example highlighted how an ASD offensive cyber operation, conducted in support of the ADF, planned and executed under direction of the ADF’s Chief of Joint Operations, helped degrade Daesh communications on the battlefield in order to disrupt their ability to launch attacks.
‘The second example highlighted how an ASD covert online operator developed a false online identity to build rapport with an extremist. Through effective analyst tradecraft techniques, ASD successfully persuaded him not to become a foreign fighter in an overseas terrorist organisation, preventing harm to himself and others.’