You are on page 1of 72

November 2016

Cybersecurity
Threats
Challenges
Opportunities
It is only when
they go wrong
that machines
remind you
how powerful
they are. Clive James

Cybersecurity Threats Challenges Opportunities 3


Contents

01 03
Foreward 1
Executive summary 4
Threats in the
information age 13
The nature of threats 14

02
The Internet of Things (IoT) 16
Botnet armies 17
When security is an afterthought 18
Autonomous systems 19
Driverless cars and transport 19
ATMs and Point of Sale 21
What about wearables? 22
Cyberwarfare 24
A brave new world 5 Automated attacks 24
Cyber speak! 6 Energetic Bear 24
What is cybersecurity? 7 Cyberattacks on infrastructure 26
And the weakest link is 9 When software kills 28

A world without cybersecurity 11 Data manipulation 29


Backdoors and espionage 29
Cloud concerns 29
Blast from the past 30
Virtualised threats 32
Industry and the individual 33
Ransomware and Cryptoware 33
Multi-vector attacks 33
Identity theft 34
The world we live in 34
04
The future in our hands
The 100% secure computer
35
37
Opportunities 38

05
The data-driven economy 38
Technology as wealth creation 39
Cybersecurity as job growth 39
Leveraging technology talent 39
Challenges 40
Leadership 40
Learning from history 40
Collaboration 41
Education and awareness 41
You are what you do 43
Looking to the road ahead 45
State of the nation 46
Legal and regulatory 43
What role can you play? 47
Services and privacy 43
Government 47
Perception and practicality 44
Education and research 50
Business and industry 50
You, the individual 50
The five pillars of cybersecurity readiness 51
Online resources 52
Through the looking glass 53
Fast facts 55
Glossary 57
References 59

Cybersecurity Threats Challenges Opportunities 5


Foreword
Youve seen documents like this pass your desk
before, but we hope this one is a little different. You can
gloss over it, seeking the diamonds in the rough, but
take the time to delve into the information presented
here and you will walk away with a different
appreciation of the laptop on your desk, the car that
you drive, and the phone that you carry.
Not to mention the planes you fly, Logically, then, protecting that upon
Protecting that upon the banks that hold your money, the which we depend should be front
which we depend should hospitals that keep you alive and of mind for government, business
the very infrastructure that makes and industry, academia and every
be front of mind for our cities run. In short: the basis individual with a smartphone in
government, business of our modern lives. their pocket.
and industry, academia It can be hard to not overuse a word Which is to say, all of us.
and every individual thats become popular thanks to
If you are part of government, this
with a smartphone in public awareness, but cyber is now
primer serves as a guide to the
firmly entrenched in our language
their pocket. greater sphere of cybersecurity
and our mindset, by virtue of the fact
and how it relates to our national
that our society today depends so
security, our national interest, and
much on technology.
our economic prosperity.
So were going to talk about cyber
If you are an executive, board
with respect to security, as the two
member, business leader, or IT
are intimately intertwined. In this
professional this is an opportunity
guide we aim to break down what
to verse yourself in the language
is sometimes a large and complex
and the ecosystem, the threats and
issue into an easy to read and
the opportunities, and to better
digestible summary that should
communicate the issues and
if weve done our job well give
responsibilities around cybersecurity
you the tools to both talk confidently
within your organisation.
about the issues, as well as equip you
with the core information required to And if you are simply an individual
make decisions around cybersecurity. interested in understanding more
about the nature of our digitally-
Because, despite the technical
driven world, this guide will provide
nomenclature, the issue of cyber-
the basics and a clear overview of
security is as vital to our way of life
how cybersecurity relates to you.
as technology itself. In fact, they cant
be separated: our economic health, At the ACS we welcome every
our national security, and indeed the opportunity to educate and assist.
fabric of our society is now defined If you have any questions, or would
by the technology we depend on like more information, please feel
every day. free to contact me at:
anthony.wong@acs.org.au.
Whats left unsaid here, however, is
the assumption that this technology Enjoy this guide. We hope it will make
will continue to work as we intend a difference to you.

01
but this is only true if we can protect
it from being hacked, manipulated, Anthony Wong
and controlled. President, ACS
SECURING
AUSTRALIAS FUTURE
At ACS we are passionate about the services to identify and certify Nations in New York, where the
ICT profession being recognised as ICT professionals you can trust, importance of ICT professionalism
a driver of productivity, innovation including through the Professional was acknowledged by the UN
and business able to deliver real, Standards Scheme that assures General Assembly President in 2015.
tangible outcomes. professionals have the specialist
In May 2016 the President of
skills business can rely upon.
This year ACS celebrates 50 years IFIP participated in the European
of advancing ICT in Australia. Our ACS is part of the global federation Foresight Cyber Security
founders and pioneers worked of professional ICT societies, Meeting where he advocated
on the first innovative computers the International Federation for that professionalism of the ICT
in government, academia and Information Processing (IFIP), workforce is a key element in
industry, and our members now and the first professional body to building trustworthy and reliable
work at the coalface of technology receive accreditation under the systems and that it is important
development across every industry. International Professional Practice to ensure that cyber security
Partnership (IP3) providing a and cyber resilience is also a
In 2011, ACS brought together its
platform for accreditation for duty of care of the individual
own Cyber Taskforce from our
ICT professionals and mutual ICT professional.
23,000 members to respond to the
recognition across international
Federal Governments new cyber As we move forward another
boundaries. The ACS currently
discussion paper, Connecting with 50 years, ACS will be there
chairs IP3 and plays a leading
Confidence, where we highlighted at the forefront meeting the
role in the professionalism of the
the need to develop co-ordination challenges and opportunities
ICT workforce.
and a focus on the pipeline of of ICT, and supporting the
cyber professionals. IP3 has since gained global growth and potential of ICT
attention after successful professionals in Australia.
To play our part in securing
engagements at the World Summit
Australias future, we continue
on the Information Society (WSIS)
to perform the role of trusted
Forum in Geneva and the United
advisor to government, and deliver

Cybersecurity Threats Challenges Opportunities 2


01
Executive summary
As technology continues to evolve so also do the
opportunities and challenges it provides. We are
at a crossroads as we move from a society already
entwined with the internet to the coming age of
automation, Big Data, and the Internet of Things (IoT).
But as a society that runs largely Critically, this document clarifies Our aim is that this document
on technology, we are also as a result the importance for Australia to take provides an informative primer on
dependent on it. And just as technology responsibility for its own cybersecurity, the relevant issues facing Australia
brings ever greater benefits, it also especially with regards to essential in relation to cybersecurity, to
brings ever greater threats: by the infrastructure and governance. generate discussion and debate, and
very nature of the opportunities it to raise awareness with regards to
On the flip side and as one of the
presents it becomes a focal point for a fundamental building block of the
fastest growth industries globally
cybercrime, industrial espionage, and technologically-dependent society
developing our own cybersecurity
cyberattacks. Therefore, protecting which we have already become.
industry is also an opportunity for
it is of paramount priority.
economic growth, job creation, and As you will read in the following
This guide looks at some of the education ensuring Australia is pages, cybersecurity is not optional.
concerns facing us in the near future well positioned for a future as a It must form part of the design of
that include: digitally advanced nation. every product, of every database, of
every electronic communication. And
Attack vectors such as botnets, Finally, we look at some of the
through education, awareness, and
autonomous cars and ransomware. challenges that countries worldwide
proactive change we can all play a
Threats including data manipulation, are currently dealing with in regards
part in securing our future.
identify theft, and cyberwarfare. to cybersecurity, including:
Tangential issues such as data The need for more collaboration
sovereignty, digital trails, and in order to mitigate threats.
leveraging technology talent. Education and awareness; and
Additionally, it provides some The balance between privacy and
background to the nature of digital security.
ecosystems and the fundamentals
of cybersecurity.

Cybersecurity Threats Challenges Opportunities 4


A brave
new world
Youre reading this document written with, laid out
by, and printed using computers. From start to
finish it existed as 0s and 1s the binary blood of
our modern world.
In fact, our lives today are codified by data: almost
everything we do, and everything we depend on,
involves data and the technology that uses it there
are scant few areas not touched by this revolution
we call the information age.

02
CYBER SPEAK!
Every industry has its own lexicon,
and the cyber world is no different.
While built on technological
foundations that we all know
computers, the internet,
smartphones, and similar as you
delve deeper into the subject you
start to encounter acronyms and
technical concepts that you may
not be familiar with.
And, if were all to communicate
on the subject of cybersecurity
across all sectors of government,
business, industry, and academia
then it can help to familiarise
yourself with the nomenclature
associated with this diverse and
compelling subject.
To this end weve included a
Glossary on page 57. Feel free
to flick back and forth as you read
to ensure you get the most out this
document, spending more time
expanding your knowledge and
less time scratching your head!

And so it follows that in order to individual; at other times it can cause billion1 globally in the next seven
keep our way of life and to continue significant financial or operational years alone and the possibility
to prosper through technology we harm. At its worst, loss of life can be for Australia to establish itself as a
must ensure that it always operates a result. leader, pioneering new technologies
and works for us as intended. and exporting cybersecurity products
Cybersecurity, then, is not optional.
to the rest of the world.
And for the most part it does, until As our world transitions more
its hacked. In the hands of less than products and services online, and We are more than just the lucky
favourable individuals, organisations, we in turn depend on them, protecting country. We are early adopters. We
and governments, technology and this technological infrastructure has are tenacious innovators. We are a
the data it depends on can be turned become a fundamental building block nation with the skills and talent to
against us. for information systems globally. lead the world in cybersecurity
It must underpin every technology, and with the right mix of leadership
When you read yet another report
every gadget, every application, and and commitment from government,
of a multimillion-dollar bank theft,
anywhere data is stored. industry, and academia, we can make
yet another million usernames and
it happen.
passwords leaked on the web, or To help understand the risks, this
yet another scam milking millions document will explore the threats What part will you play?
from vulnerable people what you Australia faces in this digital age:
are reading about is the lack of to our economy, our sovereignty,
cybersecurity: a failure to protect and ultimately, our way of life.
systems, processes, or data and
It will also cover the opportunities
thereby enabling exploitation.
as a burgeoning industry one that
Sometimes the end result is just an
is projected to be worth $US639
embarrassment for a company or

Cybersecurity Threats Challenges Opportunities 6


46 What is
cybersecurity?
% OF THE WORLDS
POPULATION
IS CONNECTED
TO THE
INTERNET

As with any technological advance throughout


history, whenever new opportunities are created,
there will always be those that exploit them for
their own gain.
Despite the threat of viruses and
malware almost since the dawn
of computing, awareness of the
security and sanctity of data with
computer systems didnt gain
traction until the explosive growth of
the internet, whereby the exposure
of so many machines on the web
provided a veritable playground for
hackers to test their skills bringing
down websites, stealing data, or
committing fraud. Its something we
now call cybercrime.
Since then, and with internet
penetration globally at an estimated
3.4 billion users (approximately 46%

02
of the worlds population2), the
THREAT VECTORS BY INDUSTRY
The vectors by which industries are compromised.
Source: Verizon 2015 Data Breach Investigations Report

FINANCE
INFORMATION

PUBLIC SECTOR
EDUCATIONAL WEB
FINANCE APPLICATIONS RETAIL

9.4%
ENTERTAINMENT
HOSPITALITY

CRIMEWARE
POINT OF SALE
18.8% 28.5% MISCELLANEOUS

14.7%

PRIVILEGE
MISUSE
CYBER
ESPIONAGE
10.6% MINING

18% HEALTHCARE
ADMINISTRATIVE

PROFESSIONAL
INFORMATION
MANUFACTURING

opportunities for cybercrime have of critical business or government


ballooned exponentially. intelligence, that drives the cyber The increasing
underworld. prevalence and severity
Combating this is a multi-disciplinary
affair that spans hardware and One fact remains clear: its only of malicious cyber-
software through to policy and people going to increase. As we integrate
enabled activities
all of it aimed at both preventing technology further into our lives, the
cybercrime occurring in the first opportunities for abuse grow. So too, constitute an unusual
place, or minimising its impact then, must the defences we employ and extraordinary threat
when it does. This is the practice of to stop them through the education to the national security,
cybersecurity. and practice of cybersecurity.
foreign policy and
There is no silver bullet, however; economy of the United
cybersecurity is a constantly evolving,
States. I hereby declare
constantly active process just like the
threats it aims to prevent. a national emergency
to deal with this threat.
What happens when security fails?
While what frequently makes the
Barack Obama,
news are breaches of user accounts
President of the United States, 20153
and the publication of names and
passwords the type that the Ashley
Madison hack publicly exemplified
its often financial gain, or the theft

Cybersecurity Threats Challenges Opportunities 8


LAST
TO KNOW
MORE THAN
90%
OF BREACHES
ARE DISCOVERED
BY EXTERNAL
PARTIES

WHATS THE
PASSWORD?

63%
OF BREACHES ARE
CAUSED BY WEAK,
DEFAULT, OR STOLEN
PASSWORDS

EASY HACKS, EASY BREACHES TOP 10 ESPIONAGE TARGETED INDUSTRIES


Source: Verizon 2016 Data Breach The most targeted industries in 2015.
Investigations Report Source: Verizon 2015 Data Breach Investigations Report

MANUFACTURING 27.4%
PUBLIC 20.2%
PROFESSIONAL 13.3%
INFORMATION 6.2%
UTILITIES 3.9%
TRANSPORTATION 1.8%
EDUCATIONAL 1.7%
REAL ESTATE 1.3%
FINANCIAL SERVICES 0.8%
HEALTHCARE 0.7%

AND THE WEAKEST


LINK IS
Humans are inherently complex In fact a recent study by researchers
and multi-faceted creatures with at the Friedrich-Alexander
our own agendas, influences, University of Erlangen-Nuremberg,
faults, beliefs, and priorities. Germany, revealed that just over
50% of people click on links in
Sometimes were also simply just
emails from strangers, even when
too trusting.
they were aware of the risks.4
Even the most hardened system
And so, as a result, cybersecurity
can be breached through social
isnt just about technological
engineering the hacking of
defences: its also about people.
people. No amount of secure
From the home user through
network topologies and firewalls
to industry and government,
or security software can withstand
everyone needs a basic
a user innocently clicking on an
understanding of cyberthreats
email link, or being convinced to

02
and how to recognise them
give up login details over the phone
something which comes under the
by someone pretending to be from
umbrella of digital literacy.
the IT department.
Cybersecurity Threats Challenges Opportunities 10
A world without
cybersecurity
93% WHILE One the most damaging targets for a society embroiled
COMPANIES
OF CASES TOOK in cyberwarfare is infrastructure.
HACKERS WEEKS
TOOK JUST
OR MONTHS TO
MINUTES DISCOVER Our reliance on automation focuses single points
TO BREACH
of failure that can have dramatic consequences if
directed at power stations, communication networks,
SHOW
ME THE 95% transport and other utilities.
MONEY OF WEB
ATTACKS By way of example, and to draw terrorist, criminal, or foreign power.
ARE FINACIALLY from the emerging technology of Australia invaded without the invader
MOTIVATED
driverless cars gaining popularity ever stepping on our shores.
now, is the following example of
Its a stark example, but it
EMPLOYEE LOST ASSETS what might happen if we continue to
demonstrates the Achilles heel the
MISTAKES
100x
TIMES MORE
create products and services without
cybersecurity in mind:
inter-connected society that we are
heading for right now, and the reason
PREVALENT Thirty years from now our society cybersecurity must be part of all
THAN THEFT
runs on automated cars, buses and technology from the outset.
trains. Planes still require human
Consider this: the internet has
NEARLY 12% DO authority for now and drones
enabled entirely new business
CLICK
30% THE LINK OR
line the sky. On the one hand, this
advance in technology has brought
models that have already shaped
our planet. But the Googles and
OPEN
PHISHING
OPEN much greater efficiency: traffic
ATTACHED Facebooks and Amazons of this
EMAILS FILES jams eliminated, pollution lowered,
world are not the most profitable
cheaper cost of transport and more.
organisations that conduct business
Its a golden age.
SIMPLE MISTAKES, COSTLY LOSSES over the internet today that crown
Source: Verizon 2016 Data Breach Then a cyberattack compromises the belongs to cybercrime. It speaks
Investigations Report central network. The systems that volumes that the most lucrative
co-ordinate all transport shut down, business on the internet today
bringing the city of Sydney now is fraud.9
7 million people to an abrupt halt.
No cars, no buses, no trains.
Workers cant get to and from work,
and productivity stops. Life-saving
medicine doesnt arrive and people
die. Essential services begin to fail,
and chaos ensues. The economic and
social fallout is immense: a city held
hostage by an external force be it

02
Q2 2015 saw one of the
highest packet rate
attacks recorded... which
peaked at 214 million
packets per second (Mpps).
That volume is capable
of taking out Tier 1
routers, such as those
used by Internet service
providers (ISPs).

Akamai, State of the Internet


Q2 2015 Report10

CHINA 37.01%

US 17.88%

UK 10.21%

INDIA 7.43

SPAIN 6.03%

KOREA 4.53%

RUSSIAN FEDERATION 4.45%

GERMANY 4.29%

AUSTRALIA 4.18%

TAIWAN 4.0%

TOP 10 SOURCE COUNTRIES FOR DDOS ATTACKS, Q2 2015


Top sources of mitigated DDoS attacks on Akamais network.
Source: Akamai State of the Internet Report, Q2 2015

Cybersecurity Threats Challenges Opportunities 12


Threats
in the
information
age
Every minute, we are
seeing about half a
million attack attempts
that are happening in
cyberspace.

Derek Manky,
Fortinet Global Security Strategist5

03
500
500,000 ATTACKS
AGAINST FORTINET
EVERY MINUTE

To understand just how technology


becomes vulnerable to cybercrime,
it helps to first understand the nature
of threats and how they exploit
technological systems.
You might first ask why technology is
vulnerable at all, and the answer is
simple: trust. From its inception, the
protocols that drive Internet, by and
large, were not designed for a future
that involved exploitation there was
little expectation at its birth that we
might need to one day mitigate
against attacks such as a distributed
considered.
Thousand
for nefarious purposes isnt even

And the result is that today cybercrime


almost exclusively leverages the lack
of security-focused design in
everything from your smartphone and
web browser through to your credit
card and even the electronic systems
in your car.

The nature of threats


Cybercrime comes in a variety of
forms ranging from denial of service
attacks on websites through to theft,
by hardware and software. That is,
if a hacking exploit works on Apple
iPhones for example, and everyone
in your organisation has one, then
by definition the attack surface could
range in the dozens to the thousands
depending on the size of your
company. Or, looking at it another
way, if anyone with an iPhone is
vulnerable, the attack surface
worldwide totals in the hundreds
of millions.
This is further compounded by the
fact that hardware and software
denial of service (DDoS), or that a blackmail, extortion, manipulation, may provide multiple vectors for
webcam you buy off the shelf might and destruction. The tools are many attacks, such that and using the
need security protocols to prevent it and varied, and can include malware, above example again an iPhone
being hacked and used to spy on you. ransomware, spyware, social might have multiple different
engineering, and even alterations vulnerabilities, each of them a
There is much greater awareness
to physical devices (for example, possibility for exploitation. In some
today, but even so you can still buy
ATM skimmers). cases, multiple exploits can be used
devices that connect to the internet
in tandem to hack a device, as the
that have poor security measures or Its no surprise then that the sheer FBI recently demonstrated when it
no security at all built-in, because up scope of possible attacks is vast, gained access to the San Bernardino
until recently this simply wasnt part a problem compounded by whats shooters iPhone (yes, the good guys
of the design scope. In many cases, known as the attack surface: the can hack you, too)
the idea that a device might be used size of the vulnerability presented

Cybersecurity Threats Challenges Opportunities 14


And this is to say nothing of According to network security and
There were 19 distributed embedded systems the type that services company Fortinet, 500,000
denial-of-service (DDoS) of which power our infrastructure attacks occur against its networks
including transport, electricity, and every minute5. And thats just one
attacks that exceeded communications. Here, attacks are service provider.
100 Gbps during the often more targeted even down to
The bottom line is this: almost
first three months of the specific to systems in a particular
anything controllable by technology
year, almost four times plant but the repercussions are
will have a weak spot. In the past
also considerably more dangerous.
more than in the previous Shutting down an electrical grid, for
year weve seen everything from
cars (Hackers remotely kill jeep
quarter. In some cases example, can have life-threatening
on highway6) to medical devices
attackers dont even consequences.
(Hackers can send fatal dose to
have to deliver on their What you also dont see because drug pumps7) to toys (Hackers
threats. Researchers its hidden in the millions of fibre- hijack Hello Barbie Wi-Fi to spy
optic networks and routers that on children8) succumb to anyone
from CloudFlare reported
form the internet is that attacks with a little knowledge, time, and
that an extortion group are happening constantly all around opportunity.
earned $100,000 without the world, even as you read this.
To appreciate the scope of the
ever launching a single Your modem at home that gives you
challenge that lies ahead the new
access to the internet is constantly
DDoS attack. types of threats that we are starting
fending off queries to see if your
to see emerge now and thus the
IP address has any open ports (the
Lucien Constantin, importance of cybersecurity for
Network World, 201628
virtual addresses that allow software
the government, industry, and the
to communicate to and from your

03
individual, the following section
computers and network).
delves into our predictions of where
cybercrime is heading, and the type
of attacks we can expect to see.
The Internet of
Things (IoT)
Perhaps the most recognised buzzword of the
For $6 in Bitcoin, I can
moment, the Internet of Things (IoT) encompasses
rent time on a DDoS tool
and bring down most
the many and varied devices currently on the market,
websites. Better yet, if I or soon to be on the market, that will connect to and
send just the right type stay connected to the internet 24/7.
of packet to their web Typically this includes products like But this is just the beginning. IoT
servers, I can crash the webcams, smart TVs, and even the has the potential to encompass a lot
site for free. much touted internet-connected more heart monitoring implants,
fridges. But IoT actually encompasses pathogen monitoring for food,
A Thiefs Perspective (interview), a broad range of products most of transponders for animals on farms,
Intel Security, 201518 which you wont actually see environmental waste monitoring,
electronics, sensors, actuators field devices for police to detect
and software soon to be built into threats, feedback sensors for
everything from your car to your home: firefighters in search and rescue
technology to unlock your door and and much, much more.
turn on the lights when you arrive
Perhaps the best way to imagine
home; technology to allow cars to
IoT is and to borrow a phrase
talk to other cars and traffic lights
from a research paper at the Social
to prevent accidents; technology to
Science Research Network is
let entire cities regulate air-quality,
to think of IoT as an inextricable
manage energy distribution, and
mixture of hardware, software, data
regulate water supply all in real-time
and service11. Which of course is
from thousands of buildings, each with
to say that the potential is close to
thousands of sensors, all communi-
limitless.
cating through a city-wide network.
According to the CEO of Cisco, Chuck
Sound like fantasy? There is already a
Robbins, the IoT industry is expected
development in the UK by River Clyde
to be worth $US19 trillion globally
Homes and the Hypercat Consortium
by 202012. Closer to home, Frost &
to build a Smart Neighbourhood in
Sullivan is tipping the Australian
Scotland by installing hundreds of
market for IoT just in terms of
IoT devices to monitor everything
home devices, such as in security or
from temperature and local weather
energy management to be worth
through to carbon monoxide levels,
$200M by 2020.13
potential gas leaks, lift maintenance,
smoke detection and communal Taken together, this means is that in
lighting to name a few. All of these the near future just about everything
talk to each other to provide an you use, and everywhere you go,
overall real-time knowledge base devices will be hooked up to each
for the operating of neighbourhood other communicating, sharing data,
services, and to minimise health and and enabling a future that once
safety risks. was the realm of science-fiction.
The potential boon for society is
immense, but so too are the risks.

Cybersecurity Threats Challenges Opportunities 16


IOT A FUTURE OF CONNECTED DEVICES
As barriers to entry drop we will see an uptake of IoT, creating a future where
attack vectors are everywhere.
Source: IoT Alliance Australia

99% 1T
20x 40x 60x
OF THINGS IN THE COST OF COST OF COST OF 1 TRILLION
WORLD ARE STILL SENSORS BANDWIDTH PROCESSING CONNECTED
NOT CONNECTED PAST 10 YEARS PAST 10 YEARS PAST 10 YEARS THINGS BY 2035

Considerably more devices will be Botnet armies the Googles and Akamais of this world
connected to each other and the are able to withstand.
Somewhat related are botnets. A bot
internet: Intel predicts there will be as
(sometimes called a zombie) is a Analysis of the attack on OVH revealed
many as 200 billion devices by 2020.14
remotely-controlled and compromised it consisted of some 145,000 devices,
And if you remember our primer at unbeknownst to the owner computing the majority of which belonged to
the start of this document, that is device thats connected to the internet. internet-connected CCTV cameras
one very large, very vulnerable attack This could be a desktop computer or a and DVRs (digital video recorders)
surface. It should go without saying laptop, but it can also be a webcam, typically used in business and home
that the threat potential from IoT is a modem, or a Wi-Fi router, all of surveillance.
beyond vast, and therefore which almost everyone has in their
Such products make ideal bots because
cybersecurity practices must form home today. Unfortunately, again, poor
their limited functionality provides less
part of IoT development from the security design sees devices like
scope for security software; theyre
ground up. For example, car manufac- these come with only basic security
often headless, meaning a user doesnt
turers need to build security protocols that can be easily bypassed, allowing
have a display or other means to
into the sensors in smart cars to cybercriminals to install malware and
interact with them to monitor activity.
ensure they cant be turned against control the device remotely.
They almost always come with a
the driver to cause injury or death.
Collect enough bots and you have default administrator password that
Something which, unfortunately, is
a botnet, and with a botnet you can nobody changes because it requires
currently not the case (see next
launch a distributed denial-of-service effort and a bit of technical know-how
section, Autonomous systems).
(DDoS) attack. In large enough allowing cybercriminals to walk
numbers, such an attack can take through the front door and take it over.
down websites and knock services
This is a great example of how lack of
offline something we saw first-hand
Although a successful earlier this year when the Australian
security design enables cybercrime
attack on industrial IoT who would think to hack a CCTV?
Bureau of Statistics eCensus website
But thats the line of thinking that
devices with an installed was very publicly attacked.
engenders security flaws. And once a
base of hundreds of This is to say nothing of what happens flaw is out there, it often cant be fixed:
millions would likely when IoT devices take part in a DDoS, the cost of updating the devices could
which we know they already do. In fact, be ruinous for a company if they need
cause havoc, one device
the worlds largest DDoS occurred in to be recalled, as not every device sup-
at a key point in a critical August of this year knocking out French ports the ability to be updated remotely.
infrastructure control internet service provider OVH, suffering
Prevention, then, is better than cure.
system could be far more an attack that transmitted a record-
breaking 1Tbps17. To put this into Recently, cybercriminal botnet
devastating.
perspective, a 1Gbps attack is sufficient operators have moved to self-
to knock most businesses anywhere in sustaining botnets that continually
McAfee Labs 2016
Threats Predictions15
the world offline, and this attack was find new devices to infect and add to
1000 times stronger. It was only earlier the flock, even while others may
in 2016 that the previous record came be taken offline16. This has led to
in at 579GBps. That is, we have already cybercriminals to sub-lease access to

03
seen almost a doubling of capability their botnets on the cheap, meaning
in less than a year, and at a volume so anyone with a grudge and $50 can
high that very few very large players bring down a website.
TABLETS WEARABLE DEVICES

2015 248 MILLION 2019 269 MILLION 2015 200 MILLION 2019 780 MILLION

IOT DEVICES GLOBAL PUBLIC CLOUD MARKET SIZE

2015 15 BILLION 2020 200 BILLION 2015 $97 BILLION 2020 $159 BILLION

MORE DEVICES, MORE THREATS


The growth in user-centric mobile and IoT devices will see greater exploitation of personal data.
Source: McAfee 2016 Threats Predictions

WHEN SECURITY IS
AN AFTERTHOUGHT
One of the most potent botnets and passwords (usually all related
to date is Lizardstresser, by the to administrator logins).
infamous Lizard Squad DDoS
Its so successful because many
group. In 2015 the group released
IoT devices are manufactured with
the source code, allowing others to
the same default login credentials.
make their own. This has resulted
Additionally, these same devices
in copy-cat groups and a stark
are also often simply plugged in
increase in botnets-for-hire.
and turned on, and have unfettered
Lizardstresser relies on cheap access to the internet through
IoT hardware to build large botnet whatever corporate or home
armies, using shell scripts (simple networks they are connected to.
text-based scripted programs) This makes them easy targets
to scan IP ranges and to attempt to enslave into botnets.19
access using hardcoded usernames

Cybersecurity Threats Challenges Opportunities 18


Attacks on automobile
systems will increase
rapidly in 2016 due to
the rapid increase in
connected automobile
hardware built without
foundational security
principles.

McAfee Labs 2016


Threats Predictions15

Autonomous
systems
As technology continues to permeate our lives, we
move from operating technology to integrating with
it. This is especially true of autonomous systems
that are by definition designed to blend in with our
society, becoming second nature.
By the same token however, Similar abuse of access has also
reliance on such systems makes the been demonstrated with cars from
outcome of their abuse potentially Mercedes, BMW, Toyota, Audi and
more damaging. Typically, these Fiat all due to poor security in the
technologies also integrate into design process.20 21 22
critical infrastructure, such as
Its not hard to see that in the wrong
payment systems and in the case
hands such abuse could result in
of autonomous cars the transport
cars being used as weapons to maim
network, making protecting them
or kill pedestrians or even the
from a cybercrime a pivotal focus for
occupants themselves on the road.
cybersecurity.
According to Business Insider in its
Connected-Car Report, there will be
Driverless cars and transport 220 million autonomous cars on the
At the moment, driverless cars are road by 2020.23
stealing the limelight of autonomous
McAfees 2016 Threats Predictions
systems. While so far there have
Report notes that poorly secured
been no documented cases of
driverless cars and smart highways
wilful misuse, its already been
will further expose drivers and
demonstrated that autonomous cars
passengers in 2017 and beyond,
can be remotely controlled.
likely resulting in lost lives, and
In 2015, 1.4 million Jeep Cherokees that recent vehicle hacks are a
were recalled after hackers great example selectively modifying
demonstrated that the cars could communications and commands
be taken over remotely through the so they can take control or affect

03
entertainment system.6 what the vehicle does. This has a
potentially terrifying result.15
DRX-BASED
AIRBAG ECU USB RECEIVER (VX2)

REMOTE LINK ONBOARD BLUETOOTH REMOTE KEY


TYPE APP DEVICES

STEERING AND PASSIVE


BRAKING ECU TPMS KEYLESS ENTRY

LIGHTING SYSTEM
VEHICLE ACCESS ENGINE AND ECU (INTERIOR AND ADAS SYSTEM
SYSTEM ECU TRANSMISSION ECU EXTERIOR) ECU

THE ATTACK SURFACE OF A MODERN CAR


Many car systems have not been designed with security in mind, making it possible to hack into a car via smartphone or laptop.
Source: McAfee 2016 Threats Predictions

Cybersecurity Threats Challenges Opportunities 20


EMAIL LINK

PHISHING PERSON USER DESKTOP

EMAIL ATTACHMENT MALWARE INSTALLATION

ALTER BEHAVIOUR

STEAL CREDENTIALS
USE OF STOLEN CREDENTIALS

DIRECT INSTALL MALWARE

BACKDOOR, C2, RAMSCRAPER, EXPORT DATA

PAYMENT

POS TERMINAL/CONTROLLER

BIRTH AND REBIRTH OF A DATA BREACH


An example of how one breach can lead to another (in this case, harvesting
payment data of consumers after first breaching a POS vendor).
Source: Verizon 2016 Data Breach Investigations Report

ATMs and Point of Sale processing system, and so its


Theyd been inside our Credit cards have long been the
not uncommon to find malware
network for a long period, specifically designed to pull data
target of fraudsters, spurring the
from embedded systems in POS
about two years. And the development of RFID chips and
terminals (see Birth and re-birth
other protective technology in the
way it was described to of a data breach diagram, above.)
banking ecosystem. However,
us was theyre so deep security is an arms race and threats Now, of course, the technology has
inside our network its such as skimming is now a global progressed further with contactless
like we had someone phenomenon that allows data from pay systems from the likes of Apple
cards to be read and transmitted (Apple Pay) and Google (Android Pay),
sitting over our shoulder
wirelessly in real time from ATM as well as players like Samsung
for anything we did. machines and point of sale devices. (Samsung Pay, of course) that allow
consumers to pay simply by waving
Daryl Peter, IT Manager,
Indeed, point of sale systems as a
their smartphone over a device
NewSat 2012-201485 whole are their own a sub-category
which presents yet another attack
of cybercrime infiltration, being
surface for cybercrime.
the weakest point of the payment

03
WHAT ABOUT
WEARABLES?
Wearables are rapidly gaining Wearables are tracking all sorts
popularity with smartwatches such of personal information including
as the Apple Watch and Samsung GPS location, blood pressure,
Gear, as well as exercise wearables heart rate, and anything else
like those from FitBit and Jawbone. you feed them such as weight or
According to ABI Research, an diet. Such personally identifiable
estimated 780 million wearable information could be used as a
devices will be in circulation base to target you for spear-phishing,
by 2019. or aid in identity theft. But the
real opportunity is these devices
Now you might be wondering
linking to your smartphone, where
just what would be so bad about
phone numbers, more personally
hacking a fitness wearable? This
identifiable information, emails,
is exactly the line of thinking
web logins etc. could theoretically
that allows cybercrime to occur.
be compromised.

Cybersecurity Threats Challenges Opportunities 22


03
Cyberwarfare
Once the domain of science fiction, cyberwarfare
Most modern countries
is now very real, with most superpowers now
now are treating
cyberspace as another
having dedicated cyberwarfare divisions of the
military domain, in military. And while there have been few known,
addition to land, air co-ordinated cyberattacks on physical targets,
and sea. we dont need a crystal ball to predict the future:
they will only increase.
Dmitri Alperovitch, Cybersecurity
industry executive25 Its telling that we are now in an Automated attacks
age where governments, political
Much of what we talk about with
groups, criminals and corporations
regards to hacking is a function
can engage in cyberespionage,
of people at keyboards finding and
cyberwarfare, and cyberterrorism.
abusing weak links in security. It is a
The Prime Minister, Malcolm Turnbull,
skilled and time-consuming process.
announced at the Australia-US
Cyber Security Dialogue in September However, in the ever-evolving arms
that Australia is well equipped to race between subversive elements
both defend against and carry out and cybersecurity, a move to
cyber-operations. automating such attacks would have
clear benefits: whereas exfiltration
We now live in a world where warfare
may have taken days by skilled
can be conducted entirely virtually
personnel, automated attacks can
though the consequences will almost
reduce this to hours infiltrating,
always have repercussions in the
searching for a payload, gobbling it
physical world.

ENERGETIC BEAR
One of the more well-known in manufacturing, construction,
nation-state sponsored tools of health care and defence companies.
cyberwarfare currently active is
Primarily designed for
Energetic Bear. First uncovered in
cyberespionage, when the threat
2012, and believed to be sponsored
was first mapped in 2014 by
by Russia, Energetic Bear used
security firm Kaspersky Labs,
the Havex Trojan to gain access to
it identified nearly 2,800 victims
company networks, particularly
worldwide, affecting countries
those in the energy sector,
including the US, Spain, Japan
though it has also been found
and Germany.44

Cybersecurity Threats Challenges Opportunities 24


Almost half the security
professionals surveyed
think it is likely or
extremely likely that a
successful cyberattack
will take down critical
infrastructure and cause
loss of human life within
the next three years.

Critical Infrastructure Readiness


Report, Aspen Institute and
2
up, encrypting it, and sending it out
over the network before the host
machines security personnel even
knows whats happened.
The defence to which, of course,
is to automate security to combat
automated attacks computer
software fighting computer software,
all without human intervention. And
while this sounds like a sci-fi movie,
the reality is its already here in
August this year the worlds first
automated cyber-hacking contest
was held at DARPA (Defence
Advanced Research Projects Agency),
Intel Security, 201525
which saw supercomputers battle
it out for a $2 million prize, the win
going to a perhaps appropriately
named machine called Mayhem.45

03
230
PEOPLE LOST
POWER WHEN
30 SUB-STATIONS
IN WESTERN
UKRAINE WERE
SHUT DOWN
VIA A REMOTE
ATTACK

,000
Cyberattacks on Irans nuclear-enrichment program French Coldwell, Chief Evangelist
infrastructure by sabotaging centrifuges.40 at governance, risk, and compliance
In 2014 a German steelworks was apps company Metricstream, at a
As societies around the world
disabled and a furnace severely cybersecurity summit earlier this
depend ever more heavily on
damaged when hackers infiltrated year noted that this is the canary
technology, the ability to shut down
its networks and prevented the in the coalmine. Much more of this
or destroy infrastructure, take
furnace from shutting down.41 will come.43
control of machines and vehicles,
and directly cause the loss of life In 2015, with an attack strongly We can expect governments around
has become a reality. To date, some suspected to have originated the world to strengthen their
of the more well-known examples from Russia, 230,000 people lost cyberattack and defence capabilities,
of cyberattacks on infrastructure power when 30 sub-stations in spurring an arms race that will
include: Western Ukraine were shut down operate at a much faster pace than
via a remote attack. Operators at we saw in the Cold War. But here
In 2008 when Russia sent
the Prykarpattyaoblenergo control the results could be much more
tanks into Georgia, the attack
centre were even locked out of subtle as noted in the McAfee 2016
coincided with a cyberattack on
their systems during the attack and Threats Predictions report, they will
Georgian government computing
could only watch it unfold.42 improve their intelligence-gathering
infrastructure. This is thought to
capabilities, they will grow their
be one of the first land and cyber In all of these, and as an indication
ability to surreptitiously manipulate
coordinated attacks.39 of how the landscape of war is
markets, and they will continue to
Also in 2008, Stuxnet a computer changing, the weapon of choice for
expand the definition of and rules of
worm purportedly jointly designed these attacks wasnt guns or bombs
engagement for cyberwarfare.15
by the US and Israel crippled it was a keyboard.

Cybersecurity Threats Challenges Opportunities 26


03
WHEN SOFTWARE
KILLS
Its easy to forget that computers Toyotas ETCS
Americas top spies say can have life-threatening con- Toyota recalled 8 million vehicles
the attacks that worry sequences. Here are some well- worldwide starting in 2009 after
known examples of what happens
them dont involve the faults with the Electronic Throttle
when technology fails due to small Control System resulted in the
theft of data, but the mistakes in computer code.
direct manipulation of death of 89 people.31
it, changing perceptions Therac 25 Teslas autopilot
of what is real and This is so well known that its now In July 2016 a man died while
what is not. taught in computer science relying on the autopilot function of
curriculums. Therac 25 was a his Tesla Model S when it failed to
Patrick Tucker, Defense One27 Canadian medical machine designed detect a trailer, crashing into it.32
to help save lives by administering
targeted doses of radiation to kill These are examples of unintended
cancer. Instead, a rare software software faults, but subtle manip-
glitch saw patients receiving 100 ulation of data could intentionally
times the necessary dose. In a result in loss of life, and remain
period from 1985-1987 five patients undetected until this occurs.
died, while many others were Military officials in the US have
seriously injured.29 even raised concerns that Chinese
hackers known to have infiltrated
Patriot missile defence contractors over the
last decade could have already
During the Gulf War in 1991 a
altered code for weapon systems,
Patriot missile failed to intercept
sitting dormant until the next
a Scud missile due to a software
major conflict.33
fault, resulting in the death of
28 US soldiers and injuring
100 others.30

Cybersecurity Threats Challenges Opportunities 28


Data manipulation
Not all attacks are about theft or destruction.
The biggest threats in
A more sinister cause is the manipulation of data
cybersecurity today
are around the large
in place such that machines can be controlled
scale proliferation or the wrong information reported to human
of targeted attacks operators without their knowledge.
from breach and email Its clear if a cybercriminal releases By way of example, in 2015 Juniper
distribution of socially stolen usernames and passwords Networks announced it had
engineered ransomware on the web. Its much less clear if discovered multiple backdoors in
data belonging to a business has its firewall operating system code
to potentially harmful
been modified with those who installed with its products the same
attacks on critical own the data none the wiser. As no products used to protect corporate
infrastructure like destruction is caused such intrusions and government systems around the
energy networks. here can be harder to detect, if world. These backdoors had been
theyre detected at all. Yet even the active for at least three years.
Rodney Gedda, smallest alterations can have serious
One of the backdoors gave remote
Senior Analyst, Telsyte53 consequences and implications.
control of the firewall to an outside
James Clapper, Director of US user, while another disturbingly
National Intelligence, said it allowed for the decryption of traffic
succinctly when he stated, Decision running through a Juniper Networks
making by senior government firewall, allowing traffic to be
officials (civilian and military), eavesdropped. The sophistication
corporate executives, investors, and nature of this breach points to
or others will be impaired if they a nation-state as the culprit.34
cannot trust the information they
are receiving.27 Cloud concerns
As with any successful technology,
Backdoors and espionage the more popular it becomes the
Backdoors are particularly larger a target it also becomes.
concerning because they can be Cloud is now well entrenched as a
both hard to discover and provide concept and a service offering, and
unfettered access to a system or indeed many businesses now rely on
entire network. cloud services to operate.
A compromised system can provide On the one hand this can make
cybercriminals or a nation-state the security easier for companies
ability to spy on data, or alter the outsourcing their data to lie on
data in place. And for as long as a a cloud service where the cost of
system is compromised, abuse of security is carried by the vendor,
privilege will be ongoing. but on the other it centralises cloud
services as highly viable targets

03
for attack.
BLAST FROM
THE PAST
Perhaps one of the more it was visible from space. Later
prominent examples of the cause was revealed to be a
cyberwarfare even before the Trojan horse implanted by the US
internet became ubiquitous in pipeline equipment sold from a
comes from the cold war in 1982 Canadian company on to Russia.
when a Siberian oil pipeline End result: economic sabotage
exploded, creating at the time facilitated by computer software.
one of the largest non-nuclear
explosions in history, so large

22 LOCAL
WEATHER

GAS DETECTION 0% 22 TEMPERATURE


LEL

CARBON
MONOXIDE 0 50%
CISTERN
AND TANK
LEVELS PPM OVERFLOW

PIR SENSORS 180 40% HUMIDITY


LEVEL

COMMUNAL
WINDOWS
35
ANGLE
0% SMOKE
DETECTION

COMMUNAL
LIGHTING KWH 1344 LIFTS

MOVEMENT AND NOISE


RELATED TO ASB
80 17% COMMUNAL
DBR OPEN DOORS

SMART CITIES BRITAINS NEIGHBOURHOOD@BROOMHILL PROJECT


A small sample of the types of IoT sensors in a smart city apartment block.
Source: IoT Alliance Australia

Cybersecurity Threats Challenges Opportunities 30


90% OF AUSTRALIANS
WILL BE ONLINE BY 2017

2 IN 3 AUSTRALIANS
HAVE SOCIAL
MEDIA ACCOUNTS

1 IN 2 AUSTRALIAN
MOST AUSTRALIANS
SMALL AND MEDIUM
SPEND ALMOST 1 DAY
BUSINESSES RECEIVE
ONLINE PER WEEK
PAYMENTS ONLINE

THE MARKET BY 2019, THE AVERAGE


84% OF AUSTRALIAN
FOR CONNECTED AUSTRALIAN HOUSEHOLD
SMALL AND MEDIUM
HOME DEVICES IS WILL HAVE 24 DEVICES
BUSINESSES ARE ONLINE
EXPECTED TO GROW CONNECTED ONLINE
11-FOLD TO 2019

AUSTRALIANS ARE BECOMING INCREASINGLY CONNECTED ONLINE


As Australia becomes ever more connected, cybersecurity becomes ever more important.
Source: Commonwealth of Australia, Department of the Prime Minister and Cabinet,
Australias Cyber Security Strategy.

But theres also a less obvious A good example of how the landscape
Nation-state concern here: sovereignty. can change is the news earlier this
cyberwarfare will year that in Russia, ISPs are now
Security of cloud data is not just
required to store both the metadata
become an equaliser, about encryption, but also the
and content of communications,
sovereignty of access when data is
shifting the balance and hand over encryption keys for
physically located in an overseas
of power in many jurisdiction. The internet may have
any encrypted data36. Any cloud data
international passing through an ISP can become
no borders, but data itself still
readable by Russias government and
relationships just as lies within traditional real-world
intelligence services. This had the
boundaries and in turn may be bound
nuclear weapons did immediate fallout of some popular
by the laws of a foreign nation.35
starting in the 1950s. VPNs closing their Russian nodes,
Further, even if we trust in the and in at least one known case37
McAfee Labs 2016 laws of a foreign nation theres no servers were seized from the VPN
Threats Predictions15 guarantee they wont change, and provider under this law.
data that was previously protected
With cloud expected to grow by
could be subpoenaed, accessed by
around 18% through 201638,
government departments, or shared
concerns around the sanctity and
with third parties without consent.
sovereignty of cloud data are only
going to increase.

03
MORE USERS
2015 3.0 BILLION
2019 4.0 BILLION

MORE SMARTPHONE CONNECTIONS MORE DATA


2015 3.3 BILLION 2015 8.8 ZETTABYTES
2020 5.9 BILLION 2020 44.0 ZETTABYTES

MORE IP-CONNECTED DEVICES MORE NETWORK TRAFFIC


2015 16.3 BILLION 2015 72.4 EXABYTES PER MONTH
2019 24.4 BILLION 2019 168.0 EXABYTES PER MONTH

THE GROWING CYBERATTACK SURFACE


More devices, more users, more data every year.
Source: McAfee 2016 Threats Predictions

Virtualised threats run different operating systems


and different applications), we
As a result of the growth in cloud
have substantially broadened the
services, there has been an explosion
attack surface.
in the use of virtual machines for
business, making these prime targets Indeed, the use of apps that rely
for cybercrime. on the cloud will also allow mobile
devices running compromised apps
Fortinet notes, growing reliance on
as a way for hackers to remotely
virtualisation and both private and
attack and breach public and private
hybrid clouds will make these kinds
corporate networks.5
of attacks even more fruitful for
cybercriminals.5 Finally, theres one other
consideration: cybercriminals can
And, as the McAfees 2016 Threats
use cloud services themselves,
Predictions report notes, how do
providing powerful resources for
you accurately track and attribute
processing power and storage, and
an attack, with all of the obfuscation
the ability to appear and disappear
possible with clouds and
at the click of a button.
virtualisation?15 It goes on to state,
if we keep our stuff in the cloud and
access it from a phone, tablet, kiosk,
automobile, or watch (all of which

Cybersecurity Threats Challenges Opportunities 32


Industry and the
individual
While large security breaches make the news,
Malware is still very
the majority of cybercrime involves fraud targeting
popular and growing,
but the past year has
businesses and individuals. Here, a mixture of
marked the beginnings malware and social engineering can see financial
of a significant shift fraud resulting in the loss of thousands, all the way
toward new threats that up to millions, of dollars.
are more difficult to And, its also some of the hardest encourage extortion as a business
detect, including file- crime to combat largely due to the model with victims opting to
less attacks, exploits sheer scope of attack surfaces which restore data from backups instead,
of remote shell and can range from desktop computers the reality is that this isnt always
through to laptops, tablets and practical. This is especially true for
remote control protocols, smartphones. companies, where the downtime or
encrypted infiltrations, lost productivity from denied access
Sometimes, the vector is simply
and credential theft. a phone: using social engineering
to the data can be higher than the
price of the ransom.
through an employee to gain access
McAfee Labs 2016
to a network, or con an individual out Recently, however, the ante was
Threats Predictions15
of money as in the classic technical upped with the appearance of
support scam, of which the ransomware that claims to have
Government has a great summary encrypted files and asks for payment
at www.scamwatch.gov.au (also a for the decryption key, but in fact
great site to learn about other the files have simply been deleted
online scams). unbeknownst to the owner.46 Known
as Ranscam, the one upside to this
Ransomware and Cryptoware change in tactics is that if it becomes
The ease with which amateur the prevalent form of ransomware,
cybercriminals can get their hands it will destroy the trust or what
on tools to extort money is increasing. little there is between the criminal
So far in 2016 weve seen a prevalence and the victim that the data will
of cryptoware targeting both be recoverable. No honour among
enterprise and individuals, requiring thieves, it seems.
the payment of a ransom to unlock
encrypted files. Multi-vector attacks
Taking advantage of multiple
The most well-known of these was
concurrent attack mechanisms, a
Cryptolocker, said to have earned its
single attacker may try to penetrate
creators $US3 million before it was
an organisation on multiple levels in
shut down by a consortium involving
order to access different data, such
the US, the UK, and a number of
as targeting the CFO with social
security vendors and researchers.
engineering, with the aim to secure

03
While in an ideal world these ransoms financial information while using
would never be paid and thus not spear-phishing targeted at office
staff to get malware installed.
Utilising the cumulative
bandwidth available to
these IOT devices, one
group of threat actors
has been able to launch
attacks as large as
400Gbps.

Arbor Networks on LizardStresser19

THE WORLD
WE LIVE IN
Facebook CEO, Mark Zuckerberg,
has been observed in a
promotional photo for Instagram
with his laptop in the background
sporting tape covering both the
camera and the microphone the
implication being he doesnt trust
his own machine is secure from
cyberespionage.24
If the CEO of one of the worlds
technology innovators cant neces-
sarily trust his own computer, what
does that mean for the rest of us?

One of the largest known (considering targeted for the purpose of advancing However, identity theft is more than
not all companies like to own up to a different attack against another just financial fraud, its a central
having been scammed) scams to date victim. For instance, an attacker may pillar for all manner of cybercrimes:
resulted in the loss of =C 40 million hack a website to serve malware once you can impersonate an
from Leoni AG84 in August of this to visitors with the intentions of individual, you can gain access to
year, facilitated by tricking a financial infecting its true target.25 their accounts, commit multiple
officer into transferring funds to the types of fraud in their name, steal
A common adage in cybersecurity
wrong account. information only they have access
is that while defence must consider
to, and much more.
Importantly, success with one method every possible attack vector,
can lead to exploitation of others, attackers only need to find one weak As we share more of our lives online,
such as an employee clicking on point. An attack only needs to be we open ourselves to being exploited
a macro within an email which in successful once. further. In McAfees 2016 Threats
turn downloads a program, which Predictions report the authors note
then automatically pulls down Identity theft that the growing value of personal
targeted malware to access network Identity theft is the crime no one data is already more valuable than
resources (this is sometimes known thinks will happen to them until payment card information and will
as weaponised email attachments). it does. continue to climb.15
The Aspen Institutes Critical According to Javelin Strategy and
Infrastructure Readiness Report Research, some $US16 billion was
notes the analysis of this years data stolen from 12.7 million consumers
led to an interesting new revelation in the US alone during 2014 due to
nearly 70% of attack victims are identity theft.26

Cybersecurity Threats Challenges Opportunities 34


The future in
our hands
Asia-Pacific is rapidly
emerging as a potential
market for cybersecurity
solution providers,
driven by emerging
economies such as China,
India and South-East
Asian countries.

Cybersecurity Ventures48

04
639
$

It should be clear by now that we

with security in mind. While some


products and services are, many
more are not, and to this end the
development of cybersecurity tools,
skills, and education is essential to
protecting both our infrastructure
Billion
live in a world reliant on technology,
and that this technology can also
be vulnerable if its not designed
Additionally, as cybersecurity must
underpin the design of almost any
technology product that comes
to market, it goes without saying
that if we dont develop our own
cybersecurity products and services
then we need to purchase them
from overseas.
However, there is real value in
ESTIMATED WORTH OF
THE CYBERSECURITY
INDUSTRY BY 2023

Particularly when it comes to


national cyber defence, it would be
preferable to utilise home-grown
products. Not doing so is, in the
words of Alex Scundurra, CEO of
fintech hub Stone & Chalk, like
outsourcing our defence force to
someone else.56
Achieving any kind of growth for
producing cybersecurity products a local cybersecurity industry will
and way of life.
and services locally, not the least require support of the government,
Globally, the industry is worth of which is control over the source private sector, and academia. We
$US106 billion with estimates code ultimately, you must trust an know that as we depend more and
projecting its value at $US639 billion overseas vendor that there are no more on technology the demand for
by 20231. As a nascent industry, there backdoors or mechanisms in their qualified cybersecurity specialists,
is a real opportunity for Australia to software and firmware that would products, and services is only
become a centre of cybersecurity allow either exploitation by a foreign going to increase so its in our
excellence with the right leadership nations government departments best interests to work towards
and investment. (such as intelligence agencies), developing and harnessing our own
or exploitation by cybercriminals cybersecurity sector.
discovering these vulnerabilities.

Cybersecurity Threats Challenges Opportunities 36


THE 100% SECURE
COMPUTER
When it comes to security you can And turned off.
never completely eliminate risk,
Which is to say, not a very useful
you can only minimise and mitigate
computer.
it there is no such thing as the
100% secure system. Ultimately, for the majority of
cases, security is about making the
The adage goes that the only truly
cost of entry higher than the value
secure computer is locked in a lead
of the assets being protected.
box, buried fifty feet underground,
sealed with concrete, with no wired
or wireless connections in or out.

04
700,000

639,000

525,000

350,000

175,000

$0 BILLION

2000 2023

ESTIMATED GLOBAL CYBERSECURITY SPENDING TO 2023


An estimated ten-fold increase in spending as cybercrime becomes a pivotal focus.
Source: IT-Harvest

Opportunities
The threats are many and varied, but so are the
Cyberattacks are costing
opportunities technology constantly teases us with
global businesses as
much as $500 billion per
new ideas, new products, and new ways of living our
year The banking and lives. It also presents new economic opportunities,
financial sectors have led new ways of doing business, and new ways to make
the way as top targets for a difference.
cyberattacks in the last
The data-driven economy to increase exponentially already
five years, with IT and we are creating new ways to mine
If theres one prediction we can make
telecom, defence, and about the next decade it is this:
data and produce new services (right
the oil and gas sectors down to robot lawyers86). Combined
data will be king. From machine-
with the Internet of Things, there is
following behind. learning AI to the Internet of Things,
tremendous economic opportunity
the accumulation and analysis
for Australian technology companies
Cybersecurity Ventures48 of data from every aspect of our
to innovate and produce products for
lives will drive entirely new insights
the world stage.
and products.
But all of these will also require
We already have advanced local
cybersecurity as a fundamental
information system industries to
building block. Regardless of the
support this, including the emerging
level of investment or development
FinTech sector (where already nine
in Australian technology businesses,
Australian FinTech businesses are
we will need a vibrant cybersecurity
listed in the worlds top 100 FinTech
sector to support innovation and
companies47).
guarantee the economic prosperity
But the opportunities for products of technology initiatives.
and services involving data are going

Cybersecurity Threats Challenges Opportunities 38


Security is as much about
software as it is about
awareness. It takes
sophisticated coding to
develop ransomware,
but only one click to
activate it.

Rodney Gedda,
Senior Analyst, Telsyte53

Technology as wealth creation Cybersecurity as job growth Australia can galvanise its own
cybersecurity industry with
The benefits of technology have According to SEEK, cybersecurity
government and private-sector
created tremendous wealth over the roles are already in demand, having
support but part of this involves
last decade you only need to look at grown 57% in the last year.50 This
addressing the need for more
household names like Google, Apple, includes jobs like Security Analyst,
trained scientists, mathematicians,
or Facebook for examples. Security Architect, Security Engineer,
engineers, and ICT workers. As
and Chief Information Security
As we move to a world populated a nation we need a scientifically
Officer, all of which represent the
by internet-connected devices literate community capable of
new type of opportunities that are
from your car to your fridge, your engaging in a national conversation
developing in the workforce.
childrens toys and even the clothes on vital technology issues like
you wear there are still Googles We have the skills and talent in cybersecurity.
and Apples and Facebooks to be Australia to support and capitalise
discovered. on this growth, which will only see Leveraging technology talent
more demand as the importance of
This alone represents tremendous Which leads us to the talent we
cybersecurity in the development
opportunities for Australias ICT already have Australia has some of
of new technologies and products
sector, but for any of this to be the worlds top universities, but as a
continues to grow.
possible, the gadgets and the previously resource-driven economy
networks they communicate on There are lessons to be learned from we currently lack a technology focus,
must be secure, and this means Israels high proportion of security the type of which Israel recognised
cybersecurity will need to form vendors here: moving from a high as essential for a data-driven future.
the basis of every new technology proportion of agricultural exports
Collaboration of government, industry
going forward. some 50 years ago, one of Israels
and research organisations to
primary exports is now software.
The end result, as it happens, is that incentivise new developments and
Government support for a startup
good cybersecurity is good for the monetise research to bring products
culture and the belief that technology
bottom line. There is an inherent and services to market will be key.
is the backbone of a strong economy
interest for companies to implement This includes interacting with
has seen Israel now lead the world
good cybersecurity strategies to ensure incubators and accelerators, sharing
in cybersecurity, second only to the
their profitability is protected, and key learnings from innovation, and
US globally.
this in turn will require cybersecurity encouraging entrepreneurial thinking.
products and skilled cybersecurity Currently there are some 228
Diversity is also a critical component
professionals in the workforce. cybersecurity vendors in Israel, and
in order to meet demand for skilled
only 15 in Australia. Israel has one
The economic opportunity for Australia ICT workers. This includes utilising
third the population of Australia.
then for a strong cybersecurity sector a greater proportion of our aged
is clear. Meanwhile in the UK, and since the workforce, and galvanising interest
British government published its in ICT with women, who are currently
cybersecurity strategy in 2011, the underrepresented in the technology
cybersecurity sector in the UK has sector (just 28% of ICT roles are held
almost doubled from 10 billion to by women50) and represent a large
17 billion and is now responsible for untapped resource.
employing 100 thousand people.49

04
Challenges
While the opportunities are clear for ICT in Australia
Many of these devices
and the nation as a whole, there are a number of
are always on, always
listening, and always
challenges we need to address. Ideally, all sectors
communicating... from government and industry, to enterprise and
raising concerns about academia, need to play a part in the development
transparency and privacy. and promotion of cyber education, skills and products.
With homeowners
Leadership The foundation of any society is
unprepared and ill- trust, as well as the foundation for
Lack of leadership is a key challenge,
equipped to detect and if only because it takes a concerted
security itself. Security helps build
remediate most security trust between people and technology.
effort to both recognise and take
If we cannot protect for example
threats, some highly action on what is clearly a vital
personal data, it will have negative
successful attacks will function in todays technologically
consequences for technology
savvy world.
collect personal info on adoption and the ICT industry as
This is true across government, a whole.
an ongoing basis.
the private sector, education and
As a result, leadership is required to
academia the rate at which
McAfee Labs 2016 tackle issues around cybersecurity,
Threats Predictions15
technology adoption occurs in
governance, private-sector support
Australia far outstrips our ability
and education to ensure we can
to predict the implications of
adequately protect the foundation of
technology, particularly when it
trust upon which we all depend.
comes to the results of cybercrime.

LEARNING
FROM HISTORY
In 1958 when the National Defense Today we face a similar situation
Education Act was signed into law where we are already in a skills
in the US, the goal was to provide shortage for ICT in Australia, and
funding to education institutions at if we are to create a blossoming
all levels. The impetus was Russia cybersecurity ecosystem we will
beating the Americans to space, first need a strong emphasis on
and a national feeling that America and promotion of STEM-based
was falling behind. Over a period of skillsets for Australians throughout
four years $USD1 billion was spent the educational pathway.
on science education.57

Cybersecurity Threats Challenges Opportunities 40


695K
Collaboration
If theres one lesson to learn from
cybercriminals it is this: collaboration
is king. Analysis of attacks over the
years has revealed that cybercriminals
work together exceptionally well:
sharing knowledge of exploits, selling
stolen data in an open market, and
working together to develop new
hacking techniques for infiltration.
By contrast, compare this with the
other side of the coin those of us
who defend against cyberattacks:
siloed security vendors with competing
products, little co-operation between
THE DEMAND
FOR SKILLED
ICT WORKERS
WILL INCREASE
FROM 638K
TODAY TO
695K BY 2020

on the next company, and the next.


In order to stop it, free sharing of
information among business and
enterprise, cybersecurity professionals,
and security software vendors is
essential. As Ron Moritz of TrueBit
Cyber Partners notes, while industry
remains separate, the bad guys will
always be ahead.52
Therefore, developing the knowledge
and software to protect against
cyberattacks cannot happen in a
vacuum. No one company or security
vendor is able to withstand the
collective might of an opponent who
As we move to a knowledge economy,
we will need more scientists,
mathematicians, engineers and
programmers. Promotion and
support of STEM subjects in schools,
expanded degrees specific to
cybersecurity disciplines at university,
and an increased emphasis on
entrepreneurial businesses skills will
all help get Australians on track for
roles in a cybersecurity industry as
well as ICT at large.
Its interesting to note that
professionals like lawyers and
doctors are seen as prestigious, yet
collaborates. This is a key lesson the skills and knowledge required
government and industry, and
many in the private sector will have to be a cybersecurity professional
companies afraid to share that theyve
to learn if we are to keep pace in the doesnt demand quite the same
been hacked for fear of impacting
cyber arms race. esteem. However, we are already at
share price.
a stage where skilled cybersecurity
The latter is particularly important: Education and awareness professionals are essential to
knowledge is power, as we know, the operation of most industries
According to Australias Digital
and so keeping a breach secret only in Australia. Can we generate a
Pulse, a report commissioned by
helps the attackers if an exploit profession that garners a similar
the ACS, the demand for skilled ICT
isnt made public, it can be used level of respect as other highly-
workers will increase from 638K
today to 695K by 2020, with ICT skilled career paths?
university graduates meeting only Education also includes embedding

04
1% of this demand.50 Additionally, cybersecurity in current workplace
there has been a 35% drop in practice: as noted earlier, the
enrolment rates for ICT subjects weakest link is often people so
at universities since 2001.50 good cybersecurity policies and
Infrastructure has
always been considered
a legitimate target. In
WWII we bombed and
destroyed the electrical
infrastructure of our
enemies. Now we have
the ability, through a
cyberattack, to just shut
the grid down.

General Michael Hayden,


former CIA & NSA director85

Cybersecurity Threats Challenges Opportunities 42


YOU ARE WHAT
YOU DO
The famous adage you are what While much is for analytics, once and some purchasing history to
you eat has an interesting parallel its out there you have no control include frequently visited locations,
in the digital world its easy to over it, let alone ownership (most normal behaviours, what we eat,
forget that almost anything you do applications and programs will watch, and listen to, our weight,
online involves data, and that this prompt you to sign over your blood pressure, prescriptions,
data tells a story about who you are permission on first use). Even sleeping habits, daily schedule,
and where you have been. From Microsofts latest Windows 10 and exercise routine.15
web browsing to smartphones, you comes with mandatory data
The more information that is out
and everyone you know is tracked, collection about your use of the
there about you, the greater the
logged, and the data shared among operating system.
risk there is for it to be abused.
a variety of services.
McAfees 2016 Threats Predictions Not just by cybercriminals seeking
Whether its a connection from report notes that within the to develop correlations that can
your IP address in a applications next five years, the volume and be used in fraud such as identity
log, or cookies about a website types of personal information theft, but also intentional or
stored on your computer, every day gathered and stored will grow unintentional misuse by companies
you leave a trail often called your from a persons name, address, or government services.
digital exhaust or data exhaust. phone number, email address,

procedures are as essential to the information could breach privacy


Were entering this operation of any business. If you are laws. Where necessary, reviewing
world where everything in an organisation that currently does laws and regulations to facilitate
not have policies and procedures better communication and
is catalogued and in place to both prevent and mitigate collaboration for the purposes of
everything is documented cybercrime, now is a good time cybersecurity may be required.
and companies and to start.
governments will be Finally, perhaps the biggest hurdle Services and privacy
making decisions about here is educating the sector, particu- Increasingly in our digital world
larly among CEOs and Boards. There services come at the cost of privacy.
you as an individual There is an inherent trade-off, and
is a dearth of knowledge among
based on your data decision makers on cybersecurity while we accept some encroachment
trail. If you want to be risks and the investment required of privacy over data we share, it
considered an individual to manage them. nonetheless remains a fundamental
building block of our society and
and not just a data point, According to a survey by The
must factor into any solutions.
then its in your interest Economist Intelligence Unit, IT and
security leaders in Australia think We now know there is no such thing
to protect your privacy. as a 100% secure system, any
cybersecurity is the #1 issue at
present but less than 6% of C-Suite personal data stored on any server
Josh Lifton, CEO of Crowd Supply55 be it government, enterprise, or
executives agree. There is a large
disconnect between the reality of otherwise has the possibility of being
threats and awareness of them at the breached and personal information
executive level.58 being made public.
Its also important to note how the
Legal and regulatory type and volume of data stored also
While collaboration is key, the good acts as a target for cybercrime, in
guys do have some hurdles the cases of identity theft, for example.

04
bad guys dont. For one, there may The trend today for many companies
be legal or regulatory limitations, is to capture as much personal
particularly where the sharing of information as possible, all the better
USA 827
ISRAEL 228
UK 76
CANADA 49
INDIA 41
GERMANY 33
FRANCE 25
AUSTRALIA 15
SWEDEN 12
IRELAND 10
SWITZERLAND 9

0 200 400 600 800 VENDOR COUNT

CYBERSECURITY VENDORS BY COUNTRY AS AT 2016


USA and Israel currently lead cybersecurity research and products.
Source: IT-Harvest

to mine for advertising or other for 2016 notes that Government capability to create highly successful
products, but as more breaches identity records such as birth/death, companies and products that compete
come to light this trade-off of taxes, and national insurance IDs; on the world stage.
personal data for services will and banking accounts and ATM
Changing this perception will
come under increased scrutiny. transactions will also be targeted.15
involve, in part, the promotion of
This has implications for mass Increasingly, as governments and the value of home-grown ICT and
surveillance and the storage of corporations turn to big data, it raising awareness of Australian
metadata. As Jill Slay, Director of will become paramount that this technological solutions.
the Australian Centre for Cyber data be de-identified when possible
Practically, it also helps for the
Security, and Greg Austin, Professor to limit the damage from data
private sector and the ICT industry as
Australian Centre for Cyber Security, breaches as well as preserve privacy
a whole to seek Australian products
succinctly noted, you cannot of individuals.
when canvassing for solutions.
demand mass surveillance and
metadata retention without there Perception and practicality
being costs that make us much Finally, there is a perception
less safe. Metadata retention is that Australia is not currently a Its a market economy
retrospective it wont predict or stop
crimes, but it will open up breaches
technology leader not just in the price of a compromised
cybersecurity, but as a whole. The
that bad actors can waltz through.54 system of $5 shows you
current view with technological
The DDoS against the Australian products is that its better if it comes exactly how far down
Bureau of Statistics eCensus servers from overseas.56 the road we are of the
in August this year demonstrated just This is a perception that needs to cybersecurity story.
how easily a service can be knocked change. We have all the ingredients
offline and, typically, DDoS attacks to create world-class products and Tim Wellsmore, Former Manager,
can often hide secondary attacks services in Australia, particularly in Fusion Special Intelligence 2013-1685
aimed at breaching a system. Any relation to ICT and cybersecurity.
large database such as census data
is a prime target for cybercriminals Pioneers like Atlassian and WiseTech
as its a jackpot for identity theft. Global demonstrate we have the
McAfees Threats Predictions report

Cybersecurity Threats Challenges Opportunities 44


Looking
to the
road ahead
Its clear cybersecurity is pivotal to both the
economic future of Australia and indeed the fabric
of our society. As we develop and embrace more
and more technology, this will become ever
more important.

05
For all my enthusiasm
for governments
responsibilities in
cyberspace, good cyber
policy requires the
cooperation and creativity
of academia and industry.
Indeed, government needs
to be challenged by
academia and industry.

Malcolm Turnbull,
Prime Minister of Australia.
September 2016

Helping ensure a secure and State of the nation While in Japan the Japanese
successful environment ultimately Government in August announced
Economies of scale aside, the US
comes down to every government, plans for a government institute,
administration, under Obama and
business, academic institution and as part of Japans Information
now Trump, allocated $US14 billion
individual around the world. All three Technology Promotion Agency (IPA),
to cybersecurity spending in the 2016
are the targets of cybercrime and any to train and educate employees to
budget3, and has asked for $US19
government department, corporate recognise and counter cyberattacks.88
billion for the 2017 fiscal year.60
network, or the smartphone in your
So where are we now in Australia?
pocket could be used as a vector In the UK the British Government
In September this year Prime Minister
for attack. has allocated 860 million over a
Malcolm Turnbull addressed the
five-year period from 2011-2016,
Thats not to say we should all stop Australia-US Cybersecurity Dialogue
and is increasing this to 1.9 billion
using technology because the risks at the Center for Strategic and
to 2021.51 The UK also conducts
are too high its all about process International Studies, in which
three exercises each month to test
and procedure. Good government he reiterated the importance of
cyber resilience and response, and
regulation, skilled and qualified IT cybersecurity and noted for all
has a joint program with the US to
staff in an organisation, and education my enthusiasm for governments
prepare for a cyber-enabled terrorist
about common scams and how responsibilities in cyberspace, good
attack on nuclear power stations.
to avoid them, can dramatically cyber policy requires the cooperation
UK Chancellor George Osborne
shrink the surface of exposure and and creativity of academia and industry.
has called it one of the greatest
minimise or prevent data breaches, Indeed, government needs to be
challenges of our lifetime.54
cybercrime, and many of the threats challenged by academia and industry.
covered here. Elsewhere in Europe, the European
On the 21st April, the Federal Govern-
Parliament in June imposed security
So what are other parts of the world ments Cyber Security Strategy59 was
and reporting obligations for
doing, and what are we doing here launched and encompassed:
industries such as banking, energy,
in Australia?
transport and health and on digital A national cyber partnership
operators like search engines and between government, researchers
online marketplaces.87 and business including regular
meetings to strengthen leadership
and tackle emerging issues.

Cybersecurity Threats Challenges Opportunities 46


Strong cyber defences to better What role can you play?
At the end of the day this detect, deter and respond to
We know cybersecurity isnt just
really is about steward- threats and anticipate risks.
about technological defences; its
Working with international partners
ship for us as a country. also about people and the way we
through the new Cyber Ambassador handle data in the workplace, the
Its really about them, and other channels to champion a emails we click or the sites we
about the next generation. secure, open and free internet browse, and how good we are at
Bear in mind that they while building regional cyber identifying social engineering and
capacity to crack down on cyber
are only entrusting us other scams and tricks.
criminals and shut safe havens
with their future for for cybercrime. Good cybersecurity needs both good
a little while longer, technological solutions and good
Help Australian cybersecurity
people solutions. And, it requires all
because theyre coming, businesses to grow and prosper,
of us to participate.
and theyre coming with nurturing our home-grown
expertise to generate jobs and In which case whatever your
or without us. responsibilities what role can you
growth, and support new business
models, markets and investment. play to make a difference?
Adrian Turner, CEO, Data 6193
Create more Australian cybersecurity
professionals by establishing Government
Academic Centres of Cyber Security If you work in government, Prime
Excellence in universities, fostering Minister Malcolm Turnbull has
skills throughout the education already laid out in his address at the
system and raising awareness Australia-US Cyber Security Dialogue
of cybersecurity. that leaders at government levels
must know that cyber is one of
Additionally, initiatives like the
their essential functions and
Australian Centre for Cyber Security,
to question what barriers can
(now in its second year), and an
government continue to remove,
injection of $30 million to establish
either through deregulation or
an industry-led Cyber Security
positive action to ensure the adoption
Growth Centre charged with
of cybersecurity practices.
creating business opportunities for
Australias cybersecurity sector Regardless of your role in government,
as part of the National Innovation and you can raise the conversation
Science Agenda further establishes around cybersecurity and how it
the governments commitment fits into your sector, and what the
to cybersecurity development in next steps are in bringing the
Australia. governments cybersecurity strategy
to fruition.
Meanwhile, the CyCSA national
Cyber Security Challenge
(www.cyberchallenge.com.au)
encourages students to participate
in a cybersecurity competition. Its

05
now in its fourth year.
SHAKEN AND THREAT LEVEL THREAT AGENT THREAT VECTOR
STIRRED CRITICAL Nation state Espionage, theft,
sabotage, product alteration
In security parlance a threat
agent (not the James Bond type) Competitor Espionage, theft,
product alteration
is an attack source combining
Organised crime Espionage, fraud, theft
motivation and capability. In
general, threat agents can be Terrorist Sabotage, violence
categorised from benign to HIGH Activist/hacktivist Espionage, data theft, sabotage
critical. To the right is a Disgruntled employee (All of the below)
breakdown of common threat
agent categories and their Reckless, untrained Accidental breach or
or distracted misuse of data
typical vectors:25 employees
MEDIUM Thief Physical theft, espionage, fraud
Irrational individual Physical theft or sabotage
Vendor or partner Accidental leak, but also
intentional fraud or theft
LOW Outward sympathiser Deliberate data leak or
misuse of data

Cybersecurity Threats Challenges Opportunities 48


05
Education and research attack in the company you work for. Each of us has plenty of data
Its in everyones best interests to be personal information that should
If you work in academia, university,
informed, prepared, and responsible. remain personal and not be used
research or other educational
Remember, cybersecurity is not just a against us for extortion, identity theft,
institutions you have a great
safety risk, its a business risk. or as part of a scam.
opportunity to see how cybersecurity
principles can either be applied to If you are an executive, it is incumbent Its telling that we lock our doors
your work, or considered in the on management to be well-versed when leave home, or lock our cars
application and delivery of your work. in cybersecurity language and the when we arrive at work, and yet dont
realities of cybersecurity threats to consider the safety of the data on our
Educational institutions from
your business. If not already, appoint computers when we browse the web
pre-school through to university
a CISO (Chief Information Security or install an application.
all play a vital part in the promotion
Officer) or CSO (Chief Security Officer)
of STEM-based skills upon which And theres actually a lot you can do
and ensure they have a place in
disciplines such as cybersecurity are to help ensure your data remains
board-level decision making. Also
based. And, as weve noted in this yours. There are plenty of guides
ensure clear and easy lines of
guide, we are already in a shortage of online, but a good summary includes:
communication between security,
skilled cybersecurity professionals.
IT staff and upper management Use complex passwords over
What you can do to promote this
these employees are your front line simple ones, and dont re-use
challenging and rewarding career
of defence. passwords between sites and
pathway is of benefit not just to your
services. If you find passwords
students but Australia as a whole. Remember that just as your business
hard to remember, use a
does not operate in a vacuum, the
Within research and academic password manager.
same is true for cybersecurity. You
institutions the results of your work When on offer, use two-factor
may have all the best policies and
may be critical in any number of ways, authentication. This is becoming
procedures in the world but be
and so if not already the access to and more common now with various
vulnerable through a third party
handling of data needs to be guided services to ensure others cant
such as suppliers or distributors
by solid cybersecurity principles in log in as you, even if they manage
with which you do business. It is
order to minimise or prevent any loss to attain your passwords.
important to ensure they, too, have
through a cyberattack.
adequate cybersecurity preparations Learn to recognise phishing emails
and resources to protect themselves listen to that nagging voice in
Business and industry and the businesses they work with your head: if it sounds suspicious,
In your workplace, the single most and you can help them. it is. Banks, government services,
important step you can take is to and reputable companies wont ask
draw attention to cybersecurity Finally, its important to ensure
for your login details over email.
or the lack of it within your your IT staff and security specialists
are trained with up-to-date Dont open files from someone
company. Write a cybersecurity report
qualifications, as well as ensuring you dont know, and dont download
card looking at your organisations
the have the necessary skills and or install any files delivered
policies, training and awareness
expertise, and are certified to a through pop-ups or pop-unders
programs, technical controls,
recognised standard. during web browsing.
management processes and general
security culture. Keep your operating system and
You, the individual your applications up-to-date with
Every business plays its part just the latest patches.
Because we all use a variety of
as every one of us plays a part. The
devices every day, cybersecurity Theres plenty more to learn. See the
smartphone in your pocket could
isnt just about protecting corporate Online Resources on page 52 for a
act as a vector for the theft of your
networks or organisational assets. good place to start.
own personal data, or as a vector of

Cybersecurity Threats Challenges Opportunities 50


The five pillars
of cybersecurity
readiness
As the peak body for ICT professionals in Australia,
the ACS considers the following to be the five core
pillars of cybersecurity readiness.

1
Education and Awareness
First and foremost, its essential
2
Planning and Preparation
A cybersecurity incident isnt an
3
Detection and Recovery
When a breach happens, the quicker
that cybersecurity forms part of the if but a when, and to that end, it is detected and responded to, the
conversation in every organisation, preparation is essential. This can greater the chance of minimising
from the lunch room to the include management systems, loss be it financial, reputational,
boardroom. Only through keeping best practice policies, IT auditing, or otherwise.
cybersecurity front of mind can it and dedicated staff responsible for
How quickly can your organisation
form part of the decision-making cybersecurity operations.
identify and respond to the theft of
process, infrastructure investment,
Good cybersecurity readiness data or the disabling of key services?
and regulatory and governance
encompasses an understanding How fast can affected servers or
requirements.
of risks and threats to assets and workstations be quarantined for
Additionally, as people can themselves information relevant to the forensic analysis? How quickly and
be an attack vector through social organisation and its people, monitoring easily can lost or corrupted data
engineering, everyone within an and detecting cybersecurity threats be restored? What is the incident
organisation ultimately shares regularly, protecting critical systems response plan and who are the
responsibility in ensuring best-practice and information, ensuring the stakeholders that need to be notified
cybersecurity processes are carried organisation meets all relevant immediately?
out. This requires staff education standards compliance, has incident
Importantly, the preservation and
with regular updates to material response plans in place in the event
analysis of logs that can help identify
as new threats arise. In fact, of a breach, and clear business
how the breach happened, and thus
parallels have been drawn between continuity plans to minimize any loss.
how it can be closed, is part of the
cybersecurity and healthcare
Typically, many of the above recovery process. Its not enough
everyone needs some form of
responsibilities belong to the CISO just to close the hole; an
cybersecurity education.
(Chief Information Security Officer) understanding of how the breach
Finally, the employment of qualified or equivalent, though other stake- occurred can lead to preventing
cybersecurity professionals or holders such as senior leadership, other, similar, breaches.
certified training for key staff both in legal and communications staff,
IT and management should form part and public relations may also need
of any cybersecurity readiness. to have preparations in the event of
an incident.

05
ONLINE
RESOURCES
For further reading and more

4 5
information, visit the following
websites:
Australias Cybersecurity Strategy
cybersecuritystrategy.dpmc.gov.au
Australian Center for Cyber Security
Sharing and Collaboration Ethics and Certification www.acsc.gov.au
As weve covered in this guide, It may initially seem a less Australian Computer Emergency
collaboration is essential to practical pillar, but the difference Response Team (AusCERT)
mitigating current and future risks. between a white hat hacker and
www.auscert.org.au
black hat hacker is mindset.
Sharing the results of your breach
Australian Cybercrime Online
analysis with government and In any company or organisation,
industry can help stop a known ethics plays a role and should Reporting Network (ACORN)
attack vector hitting other organisa- be of particular concern when www.acorn.gov.au
tions. In turn, your company may it comes to cybersecurity. While Australian Internet Security Initiative
be able to prevent an exploit by some sectors, such as defence, www.acma.gov.au/Industry/
learning from a breach that another will have their own means to vet
Internet/e-Security/Australian-
organisation shared. credentials, for an industry as
Internet-Security-Initiative
diverse and skilled as ICT it helps
Also consider joining or providing
if professionals can demonstrate Australian Signals Directorate
information to an ISAC (Information
adherence to a code of ethics Top 4 Mitigation Strategies
Sharing and Analysis Centers, www.
through membership of a www.asd.gov.au/infosec/
nationalisacs.org) if there is an
professional institution. mitigationstrategies.htm
equivalent for your industry.
Many professional organisations
In some cases, your organisation Australian Signals Directorate
hold their members to standards
may be bound by legislative CyberSense Videos
that ensure the reputation and
requirements to report an incident. www.asd.gov.au/videos/
respectability of a profession is
At a minimum, a breach should cybersense.htm
preserved. ACS, for example,
be reported to government or
has a code of ethics all Certified Australian Government
organisations such as AusCERT
Professionals must abide by, in Stay Smart Online
(www.auscert.org.au) and the
addition to other requirements www.staysmartonline.gov.au
Australian Centre for Cyber Security
such as demonstrating continued
(www.acsc.gov.au).
education and personal ACCC Scam Watch
development in their chosen www.scamwatch.gov.au
professional field of expertise.
Australian Computer Society (ACS)
www.acs.org.au

Cybersecurity Threats Challenges Opportunities 52


Through the
looking glass
The following is a snapshot just a sample of the
stories that made the news during the production of
this guide. These headlines give you an insight to the
ongoing, every day, occurrences of what happens in
the absence of cybersecurity.

LINKEDIN USER? HACKER STEALS 45


YOUR DATA MAY BE MILLION ACCOUNTS FROM
HUNDREDS OF CAR, TECH,
UP FOR SALE61
SPORTS FORUMS71

EASYDOC
MALWARE ADDS 10 MILLION
TOR BACKDOOR ANDROID
TO MACS DEVICES
FOR BOTNET REPORTEDLY
CONTROL63 INFECTED
LIZARDSTRESSER BOTNETS
WITH CHINESE
USING WEBCAMS, IOT MALWARE73
GADGETS TO LAUNCH
DDOS ATTACKS65 THIEVES GO HIGH-TECH
TO STEAL CARS75

DDOS ATTACK
TAKES DOWN CROOKS ARE
US CONGRESS WINNING THE
WEBSITE FOR CYBER ARMS
THREE DAYS67 RACE, ADMIT
HACKERS FIND 138
COPS77
SECURITY GAPS IN
PENTAGON WEBSITES69

05
The US government
has increased its annual
cybersecurity budget
by 35%, going from $14
billion budgeted in 2016
to $19 billion in 2017.
This is a sign of the times
and theres no end in sight.
Incremental increases in
cybersecurity spending
are not enough. We expect
businesses of all sizes
and types, and govern-
ments globally, to double
down on cyber protection.

Cybersecurity Ventures48

A HACK WILL CITING ATTACK, GOTOMYPC


RESETS ALL PASSWORDS68
WHY YOU
KILL SOMEONE SHOULD
WITHIN 10 YEARS POLITICAL PARTYS DELETE THE
AND IT MAY VIDEO CONFERENCE ONLINE
HAVE ALREADY SYSTEM HACKED,
ALLOWED SPYING ACCOUNTS
HAPPENED79
ON DEMAND70 YOU DONT
CHINA HACKED US USE ANYMORE
ONLINE BACKUP FIRM
BANKING REGULATOR81
CARBONITE TELLS USERS RIGHT NOW80
TO CHANGE THEIR
APPLE DEVICES PASSWORDS NOW72 MASSIVE DDOS ATTACKS
REACH RECORD LEVELS28
HELD FOR RANSOM,
RUMOURS CLAIM ANDROID
HACKER
40M ICLOUD RANSOMWARE HITS DEMONSTRATES HOW
ACCOUNTS HACKED62 SMART TVS74 VOTING MACHINES CAN
BE COMPROMISED89
RESEARCHERS HACKERS CAN USE
DISCOVER TOR NODES SMART WATCH
DESIGNED TO SPY ON MOVEMENTS TO REVEAL
FTC WARNS
HIDDEN SERVICES64 A WEARERS ATM PIN76 CONSUMERS OF
RENTAL CAR DATA
RESEARCHERS FOUND IDENTITY FRAUD THEFT RISK90
A HACKING TOOL THAT UP BY 57% AS
TARGETS ENERGY GRIDS YAHOO CONFIRMS MASSIVE
ON THE DARK WEB66
THIEVES HUNT ON DATA BREACH, 500 MILLION
SOCIAL MEDIA78 USERS IMPACTED91

Cybersecurity Threats Challenges Opportunities 54


Fast facts
Its hard to choose just a handful of
facts that highlight the threats and
opportunities facing Australia, but
here is a sample.

THREATS
IN 2014-15 CERT (COMPUTER THE WORLD ECONOMIC FORUMS CYBERSECURITY IS A BUSINESS
EMERGENCY RESPONSE TEAM) GLOBAL RISKS 2015 REPORT ISSUE, NOT JUST A TECHNOLOGY
AUSTRALIA RESPONDED TO HIGHLIGHTED CYBERATTACKS AND ONE. IN A SURVEY OF CLOSE TO

11,733 4,000
THREATS AS ONE OF THE MOST LIKELY
HIGH-IMPACT RISKS. IN THE UNITED
STATES, FOR EXAMPLE, CYBER CRIME
ALREADY COSTS AN ESTIMATED

INCIDENTS, 218 OF WHICH INVOLVED


SYSTEMS OF NATIONAL INTEREST
OR CRITICAL INFRASTRUCTURE.
$US100
BILLION A YEAR.50
COMPANY DIRECTORS IN AUSTRALIA,
ROUGHLY ONLY HALF REPORTED
TO BE CYBER LITERATE, AND OF
OF THESE, ENERGY, BANKING AND CO-DIRECTORS ONLY

FIFTEEN
FINANCE, AND COMMUNICATIONS
WERE THE TOP THREE TARGETS.82
IOT SENSORS AND DEVICES
ARE EXPECTED TO EXCEED MOBILE
PHONES AS THE LARGEST CATEGORY PERCENT CLASSED AS CYBER
THE AUSTRALIAN GOVERNMENT
OF CONNECTED DEVICES IN 2018, LITERATE. THERE IS A LACK
DEPARTMENT OF COMMUNICATIONS

23%
GROWING AT A OF KNOWLEDGE ABOUT
HAS REPORTED THAT THE AVERAGE
CYBERSECURITY AT THE EXECUTIVE
COST OF A CYBERCRIME ATTACK
LEVEL IN MANY BUSINESSES
TO A BUSINESS IS AROUND
IN AUSTRALIA.1

$276,000
92

COMPOUND ANNUAL GROWTH RATE


(CAGR) FROM 2015 TO 2021.83 SOLID
CYBERSECURITY POLICY MUST BE

05
IN PLACE FOR THIS FUTURE.
OPPORTUNITIES
IN 2003 THE CYBERSECURITY THE UK PUBLISHED ITS CYBER- JOB ADVERTISEMENTS FOR CYBER-

57%
INDUSTRY WAS TAGGED AT SECURITY STRATEGY IN 2011 SECURITY ALONE HAVE GROWN

$US2.5
SINCE THEN THE SECTOR
ALMOST DOUBLED FROM TEN
BILLION POUNDS TO

BILLION TODAY THE GLOBAL


SEVENTEEN
CYBERSECURITY MARKET TOTALS BILLION POUNDS AND IS NOW IN THE LAST 12 MONTHS ACCORDING
MORE THAN $US106 BILLION. RESPONSIBLE FOR EMPLOYING TO JOBS WEBSITE SEEK. NETWORK
SOME ESTIMATES PEG THE SECTOR 100K PEOPLE.51 SECURITY CONSULTANTS WERE THE

SIXTH
WILL BE WORTH $US639 BILLION
BY 2023.1

1,404
THERE ARE
MOST ADVERTISED ICT
BY 2030 ITS ESTIMATED OCCUPATION ON LINKEDIN
DATA ANALYTICS, MOBILE IN 2015.50
INTERNET, CLOUD AND IOT
COULD GENERATE $US625

BILLION
CYBERSECURITY VENDORS IN
THE WORLD TODAY. AUSTRALIA
SPORTS ONLY FIFTEEN.
VENDORS BY COUNTRY:
IN SALES PER YEAR IN APAC.1
USA 827, ISRAEL 228, UK 76,
INDIA 41, AUSTRALIA 15.1

Cybersecurity Threats Challenges Opportunities 56


Glossary
A collection of some common words and
phrases you will see used for discussions
in and around cybersecurity.

05
Administrator: Person who Cyberthreat: A potential threat Malware: Catch-all term to refer
administers a computer system targeting computer systems to any type of malicious software,
or network and has access to the and technology, typically from typically used in reference to viruses,
Administrator account. the internet. ransomware, spyware and similar.
Black Hat: Programmers who hack Cyberwarfare: Internet-based Phishing: Deceptive attempt, usually
into systems to test their capabilities, conflict to attack computer systems over email, to trick users into
and exploit vulnerabilities for personal to disrupt or destroy. Usually in handing over personally identifiable
or financial gain. See Cybercrime. reference to nation states but can or critical information (such as
also refer to companies, terrorist or passwords or credit card numbers).
Advanced Persistent Threat: Usually
political groups, or activists. A form of social engineering.
refers to long-term stealth attacks
on or infiltration of a system, but can DoS/DDoS: Denial of Service/ Ransomware: Malware used to
also be used to describe a group, Distributed Denial of Service. A hold an individual or organisation
such as a foreign government, with common attack involving thousands to ransom, typically by encrypting
advanced cyberattack capabilities. of devices accessing a site simultan- files or an entire hard drive and
eously and continually to overload its demanding payment to unlock the
CIO/CISO: Chief Information Officer/
ability to serve web pages. data. Also known as Cryptoware.
Chief Information Security Officer.
Executive position responsible for Hacker/Hacking: While originally Social engineering: The practice of
ensuring the security of systems and in reference to a programmer manipulating human beings to gain
data in an organisation (can include hacking at code, its now become access to data or computer systems.
physical security). mainstream to represent individuals
Spear-phishing: Highly-targeted
who maliciously breach (hack into)
Critical infrastructure: Physical form of phishing towards an
computers and related systems.
and virtual assets that are vital to individual or business, often utilising
the operation of an organisation or ICT: Information and social engineering techniques to
nation, for example, the electrical grid. Communications Technology. appear to be from a trusted source.
Overarching term encompassing
Cyberattack: An offensive act against Spyware: Covert software designed
all forms of computing and
computer systems, networks, or to steal data or monitor people
telecommunications technology
infrastructure. and systems for cybercriminals,
inclusive of hardware, software,
organisations, or nation states.
Cybercrime: Computer-facilitated and networks.
crimes, though frequently can Threat actor: an individual or entity
IoT: Internet of Things. An evolving
be used to refer to all forms of that has the potential to impact, or
definition of the wide-variety of
technology-enabled crimes. has already impacted, the security
internet-connected devices ranging
of an organisation.
Cyberespionage: The practice and from sensors to smartphones.
theft of confidential information from White Hat: Programmers who hack
Internet security: A general term
an individual or organisation. into systems to test their capabilities,
referring to the security of internet-
and report vulnerabilities to
Cybersecurity: The discipline and related technologies, such as web
authorities to be fixed.
practice of preventing and mitigating browsers, but also that of the
attacks on computer systems underlying operating system
and networks. or networks.

Cybersecurity Threats Challenges Opportunities 58


References

05
1 Richard Stiennon, Chief Research Analyst, IT-Harvest,
National Fintech Cybersecurity Summit 2016
2 Internet Users by Country 2016, Internet Life Stats, July 2016
www.internetlivestats.com/internet-users-by-country
3 Cybersecurity Market Expected To Reach $170 Billion By 2020, Forbes, Dec 2015
www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity%E2%80%8B-
%E2%80%8Bmarket-reaches-75-billion-in-2015%E2%80%8B%E2%80%8B-
%E2%80%8Bexpected-to-reach-170-billion-by-2020
4 One in two users click on links from unknown senders, Fau.eu, August 2016
www.fau.eu/2016/08/25/news/research/one-in-two-users-click-on-links-
from-unknown-senders
5 Biggest cybersecurity threats in 2016, CNBC, Dec 2015
www.cnbc.com/2015/12/28/biggest-cybersecurity-threats-in-2016.html
6 Hackers remotely kill a jeep on the highway, Wired, July 2015
www.wired.com/2015/07/hackers-remotely-kill-jeep-highway
7 Hackers can send fatal dose to hospital drug pumps, Wired, June 2015
www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps
8 Hackers can hijack Wi-Fi Hello Barbie to spy on your children, The Guardian, November 2015
www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-
barbie-to-spy-on-your-children
9 Simi Bajaj, Cyber Fraud: A Digital Crime,
www.academia.edu/8353884/cyber_fraud_a_digital_crime
10 Akamais State of the Internet Security Report Q2 2015
media.scmagazine.com/documents/144/q2_2015_soti_security_report_-_35820.pdf
11 Contracting for the Internet of Things: Looking into the Nest,
Social Science Research Network, February 2016
ssrn.com/abstract=2725913
12 Cisco CEO Pegs Internet of Things as $19 Trillion Market,
Bloomberg Technology, January 2014
www.bloomberg.com/news/articles/2014-01-08/cisco-ceo-pegs-internet-of-things-
as-19-trillion-market
13 Aussie IoT in the home spend tipped to top $200m in 2020, IoT Australia, November 2015
www.iotaustralia.org.au/2015/11/06/iot-facts-and-forecasts/aussie-iot-in-the-
home-spend-tipped-to-top-200m-in-2020
14 A guide to the Internet of Things Infographic, Intel
www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html
15 2016 Threats Predictions, McAfee Labs, 2016
www.mcafee.com/au/resources/reports/rp-threats-predictions-2016.pdf
16 Lax Security Opens the Door for Mass-Scale Abuse, Imperva Incapsula, May 2015
www.incapsula.com/blog/ddos-botnet-soho-router.html

Cybersecurity Threats Challenges Opportunities 60


References continued
17 Hosting company OVH suffers worlds largest 1 Tbps DDoS attack, TheTechPortal.com
thetechportal.com/2016/09/28/worlds-largest-ddos-attack-ovh-iot
18 Dissecting the Top Five Network Attack Methods: A Thiefs Perspective,
McAfee & Intel Security, 2015
www.mcafee.com/us/resources/reports/rp-dissecting-top-5-network-methods-
thiefs-perspective.pdf
19 The Lizard Brain of Lizard Stresser, Arbor Networks, June 2016
www.arbornetworks.com/blog/asert/lizard-brain-lizardstresser
20 BMW, Mercedes Vulnerable to Remote-Unlocking Hack, Car and Driver, August 2015
blog.caranddriver.com/researcher-bmw-mercedes-vulnerable-to-remote-unlocking-hack
21 BMW, Audi and Toyota cars can be unlocked and started with hacked radios,
The Telegraph UK, April 2016.
www.telegraph.co.uk/technology/2016/03/23/hackers-can-unlock-and-start-
dozens-of-high-end-cars-through-the
22 Fiat Chrysler recalls 1.4 million cars after Jeep hack, BBC News, July 2015
www.bbc.com/news/technology-33650491
23 The Connected Car Report, Business Insider, March 2015
www.businessinsider.com.au/connected-car-forecasts-top-manufacturers-
leading-car-makers-2015-3
24 Mark Zuckerberg covers his laptop camera and you should too,
Australian Financial Review, June 2016.
www.afr.com/technology/web/security/mark-zuckerberg-
covers-his-laptop-camera-and-you-should-too-20160623-gppvwy
25 Critical Infrastructure Readiness Report, The Aspen Institute & Intel Security, 2015
www.mcafee.com/us/resources/reports/rp-aspen-holding-line-cyberthreats.pdf
26 Identity Theft Prevention ID Theft Facts and Figures 2016, Kaspersky Lab, May 2016
youtu.be/Fztuohj3Fck
27 The Next Wave of Cyberattacks Wont Steal Data -- Theyll Change It,
Defense One, September 2015
www.defenseone.com/threats/2015/09/next-wave-cyberattacks-wont-steal-
data-theyll-change-it/120701
28 Massive DDoS attacks reach record levels as botnets make them cheaper to launch,
Network World, June 2016
www.networkworld.com/article/3079987/massive-ddos-attacks-reach-
record-levels-as-botnets-make-them-cheaper-tolaunch.html
29 Therac-25, Wikipedia, 2016
en.wikipedia.org/wiki/Therac-25
30 The Patriot Missile Failure, Douglas Arnold, August 2000
ima.umn.edu/~arnold/disasters/patriot.html
31 Toyotas killer firmware: bad design and its consequences, EDN Network, October 2013
www.edn.com/design/automotive/4423428/Toyota-s-killer-firmware--
Bad-design-and-its-consequences
32 Tesla Autopilot Enthusiast Killed In First Self-Driving Car Death, Forbes, June 2016

05
www.forbes.com/sites/briansolomon/2016/06/30/the-first-self-driving-car-
death-launches-tesla-investigation/
33 Chinese cyberattacks hit key US weapons systems. Are they still reliable?,
Christian Science Monitor, May 2013
www.csmonitor.com/USA/Military/2013/0528/Chinese-cyberattacks-hit-key-US-
weapons-systems.-Are-they-still-reliable
34 Secret Code Found in Junipers Firewalls Shows Risk of Government Backdoors,
Wired, December 2015
www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-
of-government-backdoors
35 The 10 Commandments of Data Sovereignty, CSO Online, July 2013
www.cso.com.au/article/466539/10_commandments_data_sovereignty
36 Russia Imposes New Data Storage Requirements for Telecoms and ISPs,
Hogan Lovells Media, July 2016
www.hlmediacomms.com/2016/07/11/russia-imposes-new-data-storage-requirements-
for-telecoms-and-isps
37 We are removing our Russian presence, PrivateInternetAccess.com
www.privateinternetaccess.com/forum/discussion/21779/we-are-removing-
our-russian-presence
38 Image, Cyber Security Trends 2016, Cybernetic Global Intelligence, November 2015
cgi-content-imagesandcode.cyberneticglobal.netdna-cdn.com/wp-contentuploads/
2015/11/cyber-predictions-2016-v2.png
39 Russo-Georgian War, Wikipedia, 2016
en.wikipedia.org/wiki/Russo-Georgian_War
40 An Unprecedented Look at Stuxnet, the Worlds First Digital Weapon, Wired, November 2014
www.wired.com/2014/11/countdown-to-zero-day-stuxnet
41 A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever,
Wired, January 2015
www.wired.com/2015/01/german-steel-mill-hack-destruction
42 Inside the Cunning, Unprecedented Hack of Ukraines Power Grid, Wired, March 2016.
www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid
43 French Coldwell, Chief Evangelist, Metricstream,
National Fintech Cybersecurity Summit 2016, Sydney
44 Kaspersky report on Energetic Bear, Security Affairs, August 2014
securityaffairs.co/wordpress/27224/cyber-crime/kaspersky-report-energetic-bear.html
45 Mayhem program wins grand hacking challenge, BBC News, August 2016
www.bbc.com/news/technology-36980307
46 When Paying Out Doesnt Pay Off, Talos Intel, July 2016
blog.talosintel.com/2016/07/ranscam.html
47 Fintech 100: Nine Australian companies make the cut
www.home.kpmg.com/au/en/home/media/press-releases/2016/10/the-fintech-
100-announcing-the-worlds-leading-fintech-innovators-for-2016.html
48 Cybersecurity Market Report, Cybersecurity Ventures, 2016
cybersecurityventures.com/cybersecurity-market-report
49 Chancellors speech to GCHQ on cyber security
www.gov.uk/government/speeches/chancellors-speech-to-gchq-on-cyber-security

Cybersecurity Threats Challenges Opportunities 62


References continued
50 Australias Digital Pulse 2016, ACS & Deloitte Access Economics
www.acs.org.au/content/dam/acs/acs-documents/PJ52569-Australias-
Digital-Pulse-2016_LAYOUT_Final_Web.pdf
51 The UK Cyber Security Strategy 2011-2016, Annual Report, April 2016
www.gov.uk/government/uploads/system/uploads/attachment_data/file/516331/
UK_Cyber_Security_Strategy_Annual_Report_2016.pdf
52 Ron Moritz, TrueBit Cyber Partners, National Fintech Cybersecurity Summit 2016, Sydney
53 Email interview, Rodney Gedda Senior Analyst, Telsyte, July 2016
54 The Australian government must take cyber security more seriously,
The Conversation, June 2016
theconversation.com/the-australian-government-must-take-cyber-security-
more-seriously-60231
55 The dark side of wearables: How theyre secretly jeopardizing your security and privacy,
Tech Republic, April 2016
www.techrepublic.com/article/the-dark-side-of-wearables-how-theyre-secretly-
jeopardizing-your-security-and-privacy/
56 Alex Scundurra, CEO Stone & Chalk, National Fintech Cybersecurity Summit 2016, Sydney
57 National Defense Education Act, Wikipedia, 2016
en.wikipedia.org/wiki/National_Defense_Education_Act
58 The cyber-chasm: How the disconnect between the C-suite and
security endangers the enterprise
www.vmware.com/radius/wp-content/uploads/2015/08/EIU-VMware-Data-
Security-Briefing.pdf
59 Australias Cybersecurity Strategy, Commonwealth of Australia, Department of the
Prime Minister and Cabinet, 2016
cybersecuritystrategy.dpmc.gov.au/assets/img/PMC-Cyber-Strategy.pdf
60 Concerned by cyber threat, Obama seeks big increase in funding, Reuters, February 2016
www.reuters.com/article/us-obama-budget-cyber-idUSKCN0VI0R1
516331/UK_Cyber_Security_Strategy_Annual_Report_2016.pdf
theconversation.com/the-australian-government-must-take-cyber-
security-more-seriously-60231
61 LinkedIn user? Your data may be up for sale, ZDNet, May 2016
www.zdnet.com/article/linkedin-user-millions-of-users-data-is-up-for-sale
62 Apple devices held for ransom, CSO Online, July 2016
www.csoonline.com/article/3093016/security/apple-devices-held-for-ransom-
rumors-claim-40m-icloud-accounts-hacked.html
63 EasyDoc malware adds Tor backdoor to Macs for botnet control, The Register, July 2016
www.theregister.co.uk/2016/07/05/easydoc_malware_adds_tor_backdoor_to_
mac_systems_for_botnet_control/
64 Researchers Discover Tor Nodes Designed to Spy on Hidden Services,
Schneier on Security, July 2016
www.schneier.com/blog/archives/2016/07/researchers_dis.html

05
65 LizardStresser botnets using webcams, IoT gadgets to launch DDoS attacks,
SC Magazine, July 2016
www.scmagazineuk.com/lizardstresser-botnets-using-webcams-iot-gadgets-to-launch-
ddos-attacks/article/506962
66 Researchers Found a Hacking Tool that Targets Energy Grids on the Dark Web,
Motherboard, July 2016
motherboard.vice.com/read/researchers-found-a-hacking-tool-that-targets-
energy-grids-on-dark-web-forum
67 DDoS Attack Takes Down US Congress Website for Three Days, Softpedia News, July 2016
news.softpedia.com/news/ddos-attack-takes-down-us-congress-website-for-three-
days-506451.shtml
68 Citing Attack, GoToMyPC Resets All Passwords, Krebs On Security, June 2016
krebsonsecurity.com/2016/06/citing-attack-gotomypc-resets-all-passwords
69 Hackers Find Security Gaps in Pentagon Websites, ABC News, June 2016
abcnews.go.com/Technology/wireStory/hackers-find-security-gaps-
pentagon-websites-39945560
70 Political Partys Videoconference System Hacked,
Allowed Spying On Demand, Slashdot, June 2016
news.slashdot.org/story/16/06/18/1831235/political-partys-videoconference-system-
hacked-allowed-spying-on-demand
71 Hacker steals 45 million accounts from hundreds of car, tech,
sports forums, ZDNet, June 2016
www.zdnet.com/article/hacker-steals-45-million-accounts-from-hundreds-of-
verticalscope-car-tech-sports-forums/
72 Online Backup Firm Carbonite Tells Users To Change Their Passwords Now,
Slashdot, June 2016
it.slashdot.org/story/16/06/21/2032209/online-backup-firm-carbonite-tells-users-
to-change-their-passwords-now
73 10 million Android devices reportedly infected with Chinese malware, CNet, July 2016
www.cnet.com/news/malware-from-china-infects-over-10-million-android-
users-report-says
74 FLocker Mobile Ransomware Crosses to Smart TV, Trend Micro, June 2016
yro.slashdot.org/story/16/06/13/1845221/android-ransomware-hits-smart-tvs
75 Thieves Go High-Tech to Steal Cars, The Wall Street Journal, July 2016
www.wsj.com/articles/thieves-go-high-tech-to-steal-cars-1467744606
76 Hackers Can Use Smart Watch Movements To Reveal A Wearers ATM PIN,
Slashdot, July 2016
news.slashdot.org/story/16/07/06/2132206/hackers-can-use-smart-watch-
movements-to-reveal-a-wearers-atm-pin
77 Crooks are winning the cyber arms race admit cops, ZDNet, July 2016
www.zdnet.com/article/crooks-are-winning-the-cyber-arms-race-admit-cops
78 Identity fraud up by 57% as thieves hunt on social media, BBC News, July 2016
www.bbc.com/news/uk-36701297
79 A hack will kill someone within 10 years and it may have already happened,
Yahoo News, June 2016
uk.news.yahoo.com/hack-kill-someone-within-10-091800465.html

Cybersecurity Threats Challenges Opportunities 64


References continued
80 Why you should delete the online accounts you dont use anymore - right now,
Sydney Morning Herald, June 2016.
www.smh.com.au/technology/technology-news/why-you-should-delete-the-
online-accounts-you-dont-use-anymore--right-now-20160602-gp9n18.html
81 China Hacked US Banking Regulator From 2010 Until 2013, Slashdot, July 2016
yro.slashdot.org/story/16/07/13/1923215/china-hacked-us-banking-regulator-from-
2010-until-2013---and-us-officials-covered-itup-report
82 2015 Threat Report, Australian Cyber Security Centre, 2015
www.acsc.gov.au/publications/ACSC_Threat_Report_2015.pdf
83 Internet Of Things On Pace To Replace Mobile Phones As Most Connected Device In 2018,
Forbes, July 2016
www.forbes.com/sites/louiscolumbus/2016/07/09/internet-of-things-on-pace-to-
replace-mobile- phones-as-most-connecteddevice-in-2018/#468e81846aef

84 One of Europes Biggest Companies Loses =C 40 Million in Online Scam, Softpedia


news.softpedia.com/news/one-of-europe-s-biggest-companies-loses-40-million-
in-online-scam-507818.shtml
85 Cyber War, ABC, 4 Corners, August 2015
www.abc.net.au/4corners/stories/2016/08/29/4526527.htm
86 Robot Lawyers Could Make Time-Consuming, Expensive Court Conflict Thing Of The Past,
ABC, July 2016
www.abc.net.au/news/2016-07-06/robot-lawyers-dutch-conflict-resolution-
technology-on-its-way/7572488
87 European Unions First Cybersecurity Law Gets Green Light, Bloomberg Technology, July 6
www.bloomberg.com/news/articles/2016-07-06/european-union-s-first-cybersecurity-
law-gets-green-light
88 Japanese Government Plans Cyber Attack Institute, The Stack, August 2016
thestack.com/security/2016/08/24/japanese-government-plans-cyber-attack-institute
89 Hacker Demonstrates How Voting Machines Can Be Compromised, CBS News, August 2016
www.cbsnews.com/news/rigged-presidential-elections-hackers-demonstrate-voting-
threat-old-machines
90 FTC Warns Consumers: Dont Sync To Your Rental Car!, Slashdot, September 2016
tech.slashdot.org/story/16/09/04/0912201/ftc-warns-consumers-dont-sync-
to-your-rental-car
91 Yahoo Confirms Massive Data Breach, 500 Million Users Impacted,
Slashdot, September 2016
it.slashdot.org/story/16/09/22/095255/yahoo-confirms-massive-data-breach-
500-million-users-impacted-updated
92 Image, StaySmartOnline.gov.au, October 2015
www.staysmartonline.gov.au/sites/g/files/net301/f/Cost%20of%20cybercrime_
INFOGRAPHIC_WEB_published_08102015.pdf
93 Adrian Turner, CEO, Data 61, National Fintech Cybersecurity Summit 2016, Sydney

05
ABOUT THE ACS
The Australian Computer Society is the
professional association for Australias
Information and Communications
Technology sector.
We are passionate about recognising and
developing ICT skills and provide more than
60 products and services to our members.
We are also the voice of Australian ICT,
representing all practitioners in business,
government and education.
In everything we do, our goal is to advance
ICT in Australia and help our members be
the best they can be.

COPYRIGHT NOTICE
This work is licensed under a Creative
Commons Attribution-ShareAlike 4.0
International License.
creativecommons.org/licenses/by-sa/4.0

Cybersecurity Threats Challenges Opportunities 66


ACS
Level 11
50 Carrington Street
Sydney NSW 2000

P: 02 9299 3666
F: 02 9299 3997
E: info@acs.org.au
W: www.acs.org.au