AISA Cyber Conference 2018 takeaways


Information Security professionals from all over Australia congregated at the Melbourne Convention & Exhibition Centre from the 7th to 9th October for the 2018 Australian Information Security Association (AISA) Cyber Conference. With over 2,000 individuals from a broad range of industries, the conference was jam-packed with focus groups, conferences, presentations and networking events. Whilst it was impossible to attend all 57 sessions, I’ve put together my takeaways from the event.


Keynote speaker Dan Gregory posed the question ‘How do we rebrand Cybersecurity in such a way that people will want to engage?’. This is relevant for both internal and external stakeholders. We need to identify our audiences’ key values and consider how we can help them achieve their goals. Whether this be providing Security Awareness Training, implementing a Cybersecurity solution or developing a Security Strategy, ask yourself: how can I help my key stakeholders accomplish their goals, in line with their key values, and make their role easier?


Melissa Misuraca and Dan Maslin got to the heart of what security aware means, providing plenty of ideas to bring security culture to life. We live in a digital age and a culture focused around security is becoming ever more popular. To foster a positive security culture we should engage with employees and get them to think about why security matters to them. One of their recommendations was to make Cybersecurity awareness a holistic behaviour: showing people how to be cyber safe at home translates into a behaviour that they bring into the workplace. Make it relevant to their everyday life and show employees ‘what’s in it for me’. From their experience, things to avoid are ‘Death by Policy’ and running phishing campaigns without follow-up education or training.

They finished with a reminder that your Security team is everyone. To better your security culture you need to start with people. Focus on progress, not perfection; ask for feedback and have fun.


American journalist and investigative reporter Brian Krebs drew a large crowd for his talk on Security and Cybercrime. Krebs is best known for breaking stories on high-profile data breaches and for his coverage of profit-seeking Cybercriminals, so much so that Cybercriminals sent illicit drugs and SWAT teams to his house in an attempt to frame him.

I’m sure we’ve all heard about the recent voice phishing scams, with a “representative” of the ATO threatening legal action unless payment is made by purchasing iTunes gift cards from the nearest retailer and reading out the code on the back. Whilst you may be thinking “Who would be silly enough to do that?”, you would be surprised how easily instilling fear can make people do irrational things. Phone phishing calls invoke fear and urgency to get people to let their guard down. Whilst you may be aware of these scams and it may come as second nature to doubt their legitimacy, it’s important to let our loved ones and those less tech savvy know not to give personal information over the phone. If they’re worried by a phone call, they should not call back the number provided by the caller. As with phishing emails, don’t click the link; go to the official website and use the ‘contact us’ page. If our Security Consultants are able to extract sensitive data from businesses through Social Engineering, imagine the elderly getting a phishing call.

You’ve heard Trump consistently banging on about “Fake News”. Krebs warned us that as AI continues to develop, fake news is only going to become more prevalent. As you can see from the video below, AI face-swapping tools could be used to fabricate fake news. Whilst the below video is tongue in cheek, imagine the repercussions of a fake video of Donald Trump saying the US is going to start nuking North Korea. What happens when AI becomes so realistic that another AI can’t tell it’s fake? Elon Musk spoke about his concerns about AI in his interview with Joe Rogan, which I highly recommend listening to.


Why remediation fails was the key point of Del Slight’s talk. Whilst organisations are recognising the need to incorporate Cybersecurity into their overall business strategy, and in spite of faster threat detection, organisations are still failing to remediate effectively. When resetting passwords after an attack, hackers may get wind of it and deploy malware that you aren’t looking for, further compromising the environment or never leaving at all. “We scanned with antivirus” is a major pitfall, so ensure you aren’t under-scoping an incident. Carry out checks, delve deeper with agents and, where possible, threat hunting may be appropriate. If a compromise is of a particularly sensitive nature, have a plausible cover for remediation activities. An explanation to staff for resetting passwords may be that new password complexity requirements have been implemented, so please reset your password.


“Ruin your life feat. Google Chrome”. I’m sure just the title of Sam Reid’s talk was enough to get a few people through the door, but his content had people intrigued and checking which extensions were living on their computer. Whilst we’re all wary of third-party apps on our Android phones, your Google Chrome extensions may be hiding malware. Last year Google removed three extensions impersonating AdBlock Plus, one of which had almost 40,000 downloads. As Chrome is a trusted application and you’ve given certain permissions to the extension, your operating system and antivirus products may not pick up on what nasty code lies within. Alongside this, Cybercriminals are finding new ways to infiltrate your computer, such as smuggling a clean-looking extension into the Chrome Web Store and then, once it has been installed, modifying it remotely to add or activate malware. Whilst Google is using machine learning to detect malicious behaviour in extensions, it’s recommended to only download trusted extensions. If you wish to remain extra vigilant, check what permissions each extension asks for when you install it, and review your existing list of extensions to ensure nothing has snuck in while the door was open.
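Sam Reid’s advice to review what each extension is allowed to do can be scripted. The following is an added example, not code from the talk or from The Missing Link: it walks a Chrome profile’s Extensions folder, reads each extension’s manifest.json, resolves localised names, and flags permissions or host patterns that give an extension broad reach. The HIGH_RISK set and the sample manifest are the example’s own assumptions, not a Google-published rating.

```python
import json
import sys
from pathlib import Path

# Broad-reach permissions; this set is an assumption for the example, not a Google rating.
HIGH_RISK = {"<all_urls>", "webRequest", "webRequestBlocking", "tabs", "cookies",
             "history", "nativeMessaging", "debugger", "clipboardRead", "proxy"}
# Constructed manifest in the shape Chrome uses, so the script can run offline.
SAMPLE_MANIFEST = {"name": "Demo Blocker", "permissions": ["storage", "tabs", "<all_urls>"],
                   "host_permissions": ["*://*/*", "https://*.example.com/*"]}

def resolve_name(manifest: dict, ext_dir) -> str:
    """Chrome allows the name to be a localisation key (__MSG_key__); look it up."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key, locale = name[6:-2], manifest.get("default_locale", "en")
        msg_file = Path(ext_dir) / "_locales" / locale / "messages.json"
        if msg_file.is_file():
            msgs = json.loads(msg_file.read_text(encoding="utf-8-sig"))
            name = msgs.get(key, {}).get("message", name)
    return name

def risky_permissions(manifest: dict) -> list:
    """Return the declared permissions and host patterns that deserve review."""
    declared = []
    for field in ("permissions", "optional_permissions", "host_permissions"):
        declared.extend(p for p in manifest.get(field, []) if isinstance(p, str))
    # Wildcard host patterns such as "*://*/*" are as broad as "<all_urls>".
    broad = ("*://*/", "http://*/", "https://*/")
    return sorted({p for p in declared if p in HIGH_RISK or p.startswith(broad)})

def scan(extensions_root) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and summarise each."""
    report = []
    for manifest_path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than crash
        report.append({"id": manifest_path.parent.parent.name,
                       "name": resolve_name(manifest, manifest_path.parent),
                       "flagged": risky_permissions(manifest)})
    return report

if __name__ == "__main__":
    # Argument: a profile's Extensions directory (Linux: ~/.config/google-chrome/Default/Extensions); without one, the sample manifest is assessed.
    found = scan(sys.argv[1]) if len(sys.argv) > 1 else [{"id": "sample",
             "name": SAMPLE_MANIFEST["name"], "flagged": risky_permissions(SAMPLE_MANIFEST)}]
    for ext in found:
        print("REVIEW" if ext["flagged"] else "ok", ext["id"], ext["name"], ext["flagged"])
```

A flagged permission is a prompt to check the extension’s purpose and publisher, not proof of malice; an ad blocker legitimately needs broad host access, whereas a simple theme or calculator does not.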


Mike Webber, CISO at BlackBerry, spoke on how Australian businesses can prepare for IoT and the Cyberthreat onslaught, and for incident and breach response. With over 300 breaches since February coming from organised Cybercriminals, security needs to be built into our systems and our people.

It’s common knowledge that there is a skills shortage in the IT Security industry. Webber advised organisations to look to their IT SMEs and bring them into security. Upskilled IT staff will already know the organisational language and internal processes, and have a vested interest in the company.

To ensure appropriate technology and solutions are in place, Webber recommends organisations conduct a comprehensive tool review to identify gaps and opportunities. This can be done by analysing the current state, creating a priority list and looking to projects that help achieve the future state. MITRE have listed every threat tactic, which you can map against the tools you have to identify gaps.

On a side note, The Missing Link can help you understand your current state and develop a roadmap/strategy to reach your target levels of security maturity with our Security Controls Review.

Webber posed to the audience ‘Are you ready to be breached? It is not an “if” but a “when” question’. 52% of companies don’t have an incident response process. So what can you do to protect yourself? Examples included making people your first line of defence, patching promptly, using two-factor authentication and only keeping data on a need-to-know basis. Companies should periodically conduct red/blue team simulations and ensure everyone knows their role and responsibility. Webber left us with the lasting quote “The more you sweat in training, the less you bleed in battle”.



The Missing Link has over 20 years’ experience offering our clients complete IT solutions from start to finish in Network Infrastructure and Cyber Security.

Our Cyber Security division provides end-to-end Security solutions including Vulnerability Assessments, Penetration Testing, Security Consultation, Architecture, Product Implementation and Managed Services.

We are also the only Security Integrator to offer a fully managed service around the ASD Top 4 and Essential 8 from our onshore Security Operations Centre in Sydney.

Our security specialists can assess your entire environment and advise, implement or consult with you on the best strategy to ensure your business is strong enough to keep the bad guys out. Feel free to reach out for a confidential discussion on how The Missing Link can help strengthen your Cybersecurity posture.


Thomas Naylor
Matthew McWhirter

Vice President - Asia Pacific at LastPass

6 years

Nice recap Thomas.

Helen Lew

Sabbatical Leave

6 years

Hi Tom, I was on holidays whilst it was on - thanks for giving me a feel of the themes and topics - looks like I missed a good conference. Cheers!

Hayley Johnstone

Senior Director of Channel & Alliances APAC

6 years

Great article Thomas!
