The recent Cyber Risk Meetup in Perth demonstrated well the West Australian cyber community’s enthusiasm, strength and passion for learning. With an enticing title, “Exposing Dirty Habits”, the event kicked off in GHD Digital’s offices on Hay Street, with a very relevant discussion on big company exposures. It was delivered by Rapid7’s Vice President for APAC, Neil Campbell, who has a long and interesting career spanning law enforcement, forensics, cyber technology and consulting, through to most recently, sales.

Neil’s presentation entitled, The State of Security for Australia’s ASX 200 Orgs, focused on the key finding from Rapid7’s recently published report on ASX 200 companies and their cyber exposures. He covered the following aspects on a sector-by-sector basis:

• Number of exposed servers and devices;
• exposure to known common attacks;
• susceptibility to phishing attacks;
• evidence of infection from malware;
• third-party dependencies share risk; and
• evidence of vulnerability management.

As Neil explained, ASX 200 organisations are amongst the most well-funded and well-resourced in Australia. Each of these organisations will undoubtedly spend a significant amount of money each year on cyber security (likely into millions of dollars), but Rapid7 was able to discover many systemic cyber risks and exposures across every sector represented in the report.

A frightening fact was that Rapid7 showed ASX 200 organisations to have, on average, a public attack surface exposing 29 servers/devices, while many of them had more like 200–300 systems/devices directly reachable over the open Internet. Furthermore, none of the examined industry sectors were free from malware infections, with many individual companies signalling to Rapid7’s honeypot network, known as Project Heisenberg[1].

How Did Rapid7 Gather This Data?

The data that Rapid7 collected for this report was gathered using active scanning and special DNS queries. However, one additional capability Rapid7 has established, known as Project Heisenberg, is a global array of passive network sensors that advertise services such as HTTP/HTTPS, Telnet, SMB etc. As Neil said, no genuine Internet traffic should be hitting those systems, so when they do receive a connection from organisations, it’s a great indicator that they are compromised.

Neil Campbell looks at exposures affecting ASX 200 organisation

A further worrying statistic that Neil shared was that most ASX 200 companies don’t employ industry best practice for spam mitigation. 67% of the organisations could enhance their security posture by simply using DMARC (Domain-based Message Authentication, Reporting & Conformance) to their email infrastructure[1].

Exposed weak services was another major problem, with some organisations having open Telnet and Windows file-sharing (the security nightmare that is SMB). Each one of these exposed services elevates the organisation’s risk and exposure.

ASX organisations in every sector had serious issues with patch/version management of business-critical internet-facing systems. It is vital that organisations make configuration and patch management of internet-facing systems a top priority.

Next Up: Richard Addiscott, Silver Chain Group’s CISO

Following Neil Campbell’s talk was a fascinating discussion on the 3 C’s, from Richard Addiscott. Richard is Silver Chain CISO and over his tenure with them he’s been introducing systems and processes to better upskill the Silver Chain workforce to protect themselves and protect each other. His presentation had the extended title of, The 3 C’s – Delivering Effective Information Security in a Digitally Transforming Environment, which in essence boils down to the three main points:

1. Context;
2. Collaboration; and
3. Culture.

Context is important, because without knowing what the business does, who the users are and what is most important to them, security controls are often mismatched and slow business down rather than enabling it. In Silver Chain’s case, if a security control hinders getting employees to patients, then the context of the business is lost and so is the willingness to collaborate with the security team.

When security builds a collaborative approach with users for protecting the business, you get an increased willingness across the organisation to engage/work with the security team. Also, vitally important, the senior executive and stakeholder advocacy group is better informed and is consulted throughout the security programme on matters that affect the entire organisation, so collaboration breeds trust and demonstrates value in the security programme.

Richard Addiscott talks about Silver Chain’s Security Culture

Culture was the final ingredient of Silver Chain’s security programme that Richard discussed. It was also likely the most important. Context and collaboration both assist in developing the organisation’s willingness to support their security’s mission, but for new controls to stick, it’s important to take the business on a cultural journey, where the goal is to ensure, “the new security culture supports the transformed internal context.”

Are You Protecting Your Valuables?

Janette Opperman was the final speaker of this Cyber Riskers evening. She talked about Chevron’s approach to cyber security in the OT and process control space and it was an interesting and eye-opening discussion.

Janette Opperman discussed the security risks to Chevron’s Wheatstone and Gorgon Projects

Janette is Chevron’s Australasia Business Unit (ABU) Process Network Control (PCN) Support Team – Manager, so her area of responsibility includes making sure the process control network operates within Chevron’s agreed tolerances, and systems do what they are supposed to do. Janette’s team makes sure that data integrity and system availability is foremost in their mind since any failure in integrity or availability can see a false reading or failed control unit poses an extreme safety risk.

Janette provided some background on Chevron’s Gorgon and Wheatstone Projects, to illustrate how extreme a failure in security could be in terms of its threat to human life. Wheatstone[1] is Australia’s first liquefied natural gas (LNG) hub, with two LNG trains and a combined capacity of 8.9 million tonnes per annum. Gorgon[2] is located on Barrow Island and comprises, “a three-train, 15.6 million tonnes per annum LNG facility and a domestic gas plant with the capacity to supply 300 terajoules of gas per day to Western Australia.”

The Gorgon Project’s two massive LNG storage tanks

One of the most fascinating aspects of Janette’s talk was how she has adopted a zero-tolerance culture to security issues. If engineers fail to follow protocols and download malware or fall for a phishing campaign, they lose Internet access. If it happens again, she said, “They will likely end up working somewhere else.” There can be no exceptions since the stakes are so high.

Perth’s New Cyber Place to Be…

The enthusiasm and passion of the Cyber Riskers speakers, coupled with the obvious buzz amongst the crowd, was a welcome change for security meetups in Perth. Hats off to the team over at GHD Digital (especially Daniel Marsh) for giving the Perth security community something new, with a real focus on value and finding speakers who deliver engaging and interesting content.

Keep up the great work and we are all looking forward to the next Cyber Risker meetup in Perth.

By Tony Campbell, ACSM Editor

For the next scheduled Cyber Risk Meetup visit www.cyberriskmeetup.com

MELBOURNE APRIL 30 – https://www.cyberriskmeetup.com/evolutionofcyberrisks

REFERENCES

https://www.rapid7.com/research/project-heisenberg/

https://dmarc.org/

https://australia.chevron.com/our-businesses/wheatstone-project

https://australia.chevron.com/our-businesses/gorgon-project