
Telstra Cyber Security Report 2017
Managing risk in a digital world.

Executive summary
Organisations and individuals are dealing with new security and business opportunities, many of which are fuelled by mobility, cloud based service offerings and the need to have an environment that adapts to the way people and organisations want to work and interact. In order to capitalise on those opportunities, cyber security risk must be managed to acceptable levels. Every organisation must determine for itself what constitutes an acceptable level of risk.

The insights shared in this report are based on our understanding of the security risks that organisations face in the Asia Pacific region. We hope that it offers useful guidance on identifying and managing risk, and improves your awareness in the field of information security. These insights aim to support your organisation as it strives to make vital decisions about security and its operational impact. It is important that those decisions are well-informed as good information security is now critical to the success of any modern organisation.

Some of the findings are sobering: we learned that 59 per cent of organisations in Australia have detected a business interrupting security breach on at least a monthly basis, which is more than twice as often compared to 2015 (24 per cent). The findings aligned with Asian businesses who also experienced an incident on at least a monthly basis, as reported by 59 per cent of respondents.

We found that ransomware was the number one type of malware downloaded in the Asia Pacific region, with 60 per cent of Australian organisations stating that they experienced at least one ransomware incident in the last 12 months. Of the organisations who experienced a ransomware incident, 57 per cent paid the ransom. Our research found that nearly one in three of the organisations who paid a ransom did not recover their files. This clearly dispels the myth held by a number of people that there is honour among thieves in that if you pay a ransom, the criminals will unlock your files and leave you alone. You really are rolling the dice if you choose to pay a ransom and your chances aren't good. This problem is of particular importance to small- to medium-sized organisations as they are less likely than large organisations to have extensive security controls and to back up their data.

We also found that C-level executives are taking a greater level of responsibility in security initiatives such as education and the sponsorship of security improvement programs. Two out of three C-level executives have a high or very high involvement in their organisation's cyber security initiatives in Australia and Asia. This may well be due to the finding that C-level executives are being held to account more often in the event of a security incident. The recently passed amendments to the Australian Privacy Act, affecting most organisations and requiring data breach notifications to both the victims and the Privacy Commissioner, will drive further awareness and accountability, as did the first legislation of this kind when it was introduced in California in 2003.

The rapid adoption of cloud services, while delivering significant agility and portability benefits, continues to present a security challenge. More than half of Australian organisations that adopted cloud services see data theft as their number one risk in doing so; yet more than 30 per cent of those organisations adopting cloud services reported that they are not yet ready to handle this risk in Australia. That organisations are prepared to take such acknowledged risks speaks to the urgency of their move to cloud services.

The heightened awareness of security breaches and the business impacts of these incidents has led to increased IT security spend, with 95 per cent of organisations in Asia increasing their budget this year compared with 81 per cent in Australia. Last year we reported an increase in the IT security budget for 75 per cent of Australian organisations, which demonstrates a continued increase in importance of information security to organisations. That finding is a welcome one, because taking advantage of new technologies requires a willingness to invest in people, processes and technology appropriate for today's information security environment.

It is our hope that this report supports your organisation's increased focus, as it is designed to help you to understand the threats you face and the actions you can undertake to better secure your organisation and its success.

Neil Campbell, Director, Global Security Solutions, Telstra Corporation Limited

Berin Lautenbach, Chief Information Security Officer (a/g), Telstra Corporation Limited

02 Cyber Security Report 2017


CISO Insight

There is no doubt as a large company we have seen much of what is discussed in this report whether amongst customers or ourselves. Cyber security is a significant issue of global importance, however we must not get caught up in statistics and become paralysed. This is a business risk; organisations need to delve into this and understand how to manage this risk effectively. Successful organisations already manage complex risks but even for great leaders understanding the cyber security risk and what it means for both the business and customer can be challenging.

To help with this challenge and effectively manage the risk, we have developed and used ourselves Telstra's Five Knows of Cyber Security. These are five simple questions to ask your organisation and it shifts the conversation from a technology discussion to one which senior management can engage with and thus contribute to the effective management of the cyber security risk.

1. Know the value of your data
2. Know who has access to your data
3. Know where your data is
4. Know who is protecting your data
5. Know how well your data is protected

When you can answer these five questions you are in a much better position to effectively assess and manage the risk.

An issue the cyber security community is tackling and making progress but still with a way to go is driving understanding of this business risk at the Board level. We as cyber security professionals have to provide assurance that while the risk cannot be eliminated it can be managed. To provide that assurance, ask yourself three simple questions:

1. Have we identified the right risks?
2. Are we managing these risks effectively?
3. When we get it wrong (because we will get it wrong) do we know how to respond and recover?

These questions, together with Telstra's Five Knows will change the conversation and shift the focus to help organisations understand that the business risk of cyber security can be managed effectively.

Berin Lautenbach, Chief Information Security Officer (a/g), Telstra Corporation Limited



Methodology

Telstra's Cyber Security Report 2017 provides insights into the current cyber security landscape to arm organisations with information on how to manage and mitigate their business risks.

Telstra engaged a research firm, Frost & Sullivan, to interview professionals responsible for making IT security decisions within their organisation to obtain a number of key insights on a range of security topics. The report also draws on analysis of security information and data gathered from Telstra infrastructure, security products and our third-party security partners.

The research firm's online surveys obtained 360 responses. 58 per cent of these responses were from Asia and the remaining 42 per cent were from respondents based in Australia. All the businesses who were interviewed in Asia have an Australian branch office and include responses from India, Singapore, Hong Kong, Indonesia and the Philippines. 87 per cent were multi-national organisations1 and the remainder only have offices in Australia (13 per cent). C-level executives including Chief Executive Officers, Chief Financial Officers, Chief Information Officers, Chief Operating Officers, Chief Technology Officers, Chief Information Security Officers and Chief Security Officers accounted for 37 per cent of respondents across both Australia (43 per cent) and Asia (33 per cent). The remainder were in IT security managerial roles. All respondents either have some influence or complete control over the security investment within their organisations for their respective regions.

A large proportion of our survey results were based on large organisations: 77 per cent of total respondents worked for organisations employing 500 or more employees globally, comprising 89 per cent of the responses from Asia and 61 per cent of the responses from Australia. 81 per cent worked for organisations with 200 or more locally based employees across Australia (71 per cent) and Asia (89 per cent).

Locations of respondents from Asia and Australia

Australia    42.2%
India        16.7%
Singapore    14.4%
ASEAN2       13.6%
Hong Kong    13.1%

1. Includes organisations like government departments and utilities who don't identify as being an MNC but have their head office and branch offices in both Asia and Australia
2. ASEAN is made up of both Indonesia (8.3 per cent) & Philippines (5.3 per cent) responses to obtain a reasonable sample size



[Chart: Respondents' organisational role from Asia and Australia. Categories: IT Security Architecture & Design; IT Governance, Risk & Compliance; IT & Security (operations, administrators, other); IT & Security (management); CTO/CIO/CSO/CISO; CEO/CFO/COO.]

[Chart: Size of organisations globally, Asia and Australia. Bands: 50 to 99 employees; 100 to 199 employees; 200 to 499 employees; 500 to 999 employees; 1,000 or more employees.]

The industry segment with the highest percentage of responses was the IT & Technology sector from both Asia and Australia. The second highest percentage for responses in Australia was the Public sector, which included health care and education. The Manufacturing, Logistics & Transportation sector was the second highest industry for respondents from Asia.

[Chart: Australian and Asian respondents by industry sector. Sectors: Mining, Oil & Gas; Education; Manufacturing, Logistics & Transportation; Health; Utilities; Retail and Consumer; Others; Government & Public Sector; Banking, Financial Services and Insurance (BFSI); IT & Technology.]

Contents
1. Executive Summary 02
2. Methodology 04
3. Contents 07
4. Cyber security readiness and maturity 08
Cyber security engagement and involvement to enable your business 08
Adoption of security guidelines, governance and procedures 12
5. Security threats and trends 14
Email threats and phishing campaigns 14
Malware and ransomware 16
Mobile malware 21
Advanced Persistent Threats 22
Cloud security 26
Web and application vulnerabilities 30
Denial of Service (DoS) attacks leveraging the Internet of Things (IoT) 32
6. Security incidents and the business impacts 36
Frequency of security incidents and future threats 36
Business impacts 38
Security incidents in Australia 41
Financial impacts due to privacy data breaches 42
New data breach notification legislation 42
7. Security drivers and investment decisions 44
8. Summary 50
9. Acknowledgements 51



Cyber security readiness and maturity

Cyber security engagement and involvement to enable your business

"Companies need to place an explicitly commercial lens on cybersecurity, coolly assessing business risks and incorporating these risks' implications deeply into procurement, product development, sales, service and procurement processes."3

In today's interconnected world, we do not operate in isolation; our business processes and systems collect, analyse and share data from financial, product, operational, customer and employee data to our partners, suppliers and distributors. Companies need to consider the commercial and contractual risks by including cyber security capabilities as part of their sourcing and selection criteria and mandating the handling of data as part of contractual terms and conditions.

Companies need to progress from layering security controls on top of their technology architectures, and business and commercial processes, to embedding cyber security and integrating it into their business model in a way that does not adversely affect the customer experience. The key is to integrate cyber-resilience into enterprise-wide management and governance processes. This means conducting discussions across organisational silos to integrate considerations related to protecting information deeply, but also flexibly, into business processes like product development, marketing, sales, customer care, operations and procurement. The companies that do this most aggressively will not only reduce their risk, but also increase their operating efficiency and improve their value proposition with customers.4

Our research has shown that the involvement of all stakeholders in cyber security initiatives is high to very high amongst both Australian and Asian organisations, with the majority of respondents also recognising the importance of cyber security to carry out their functions across the business. Not surprisingly, the IT department is seen as the main group involved in cyber security initiatives and is identified as the key group who understand the importance of cyber security to carry out their functions effectively.

The good news is that C-level executives are perceived to be taking a more active role in cyber security by understanding the importance of cyber security initiatives, increasing their involvement in these initiatives and increasingly taking responsibility for security incidents when they occur. In Australia, the CEO is regarded as almost as responsible as the IT department. Interestingly though, the perceived responsibility of the CISO in Asia is much greater than in Australia. Our survey results indicate that the IT department is primarily held responsible for security breaches for the organisations surveyed in Australia in 2016, when compared to the accountability of individual C-level roles in Australia. However, there has been a significant shift in responses towards the C-level executives as a group being held responsible for security incidents, from 19 per cent in 2015 to 61 per cent in 2016, and away from the IT department being held responsible for security incidents, with a decrease in responses from 62 per cent in 2015 to 34 per cent in 2016.

Similar to Australia, the perceived accountability of the IT department has dropped significantly amongst Asian organisations surveyed, from 83 per cent in 2015 to 54 per cent in 2016. The C-level executives in Asia are perceived to be the primary stakeholders in taking responsibility for security incidents, which has increased from 35 per cent in 2015 to 65 per cent in 2016. This significant responsibility shift may reflect the growing involvement of the C-suite executives in the cyber security strategy and responsibility within their organisations.

The research identified that there are a number of opportunities to improve engagement within the business. Sales and marketing were seen as the least likely to view cyber security as an enabler and they were seen as having the lowest engagement in security initiatives. This is despite the fact that they are heavily involved in capturing and using customer data. This is potentially a missed opportunity for sales and marketing to influence the online customer experience that occurs via their company's web portals, mobile applications or social media channels. They need to be engaged to ensure that customers are not overwhelmed with cumbersome or clunky authentication experiences. There is an opportunity to tailor security controls to different types of customers by getting their requirements from market surveys and focus groups to ensure the customer's voice is heard on how they want to access their data, products and services in a secure manner. Sales and marketing should be engaged and take a more proactive role to ensure that customer data and marketing information is secure, especially when it is shared with ad agencies or marketing and analytic companies.

It was also surprising that HR was another group who had a lower involvement in cyber security initiatives as they are handling sensitive data for employees, contractors and potential new hires. They should be involved in how this data is collected, stored and secured as they need to consider the implications if this data is corrupted, lost or stolen.

3. Handbook of System Safety and Security by James M. Kaplan (McKinsey and Company)
4. Handbook of System Safety and Security by James M. Kaplan (McKinsey and Company)



Rating the importance of cyber security within the organisation, Asia and Australia
Columns: Very important | Somewhat important | Neutral | Somewhat not important | Not important at all

IT department                  Asia   62.0%   20.2%   13.5%    2.9%   1.4%
                               Aus    49.3%   35.5%    9.2%    1.3%   4.6%
Operations                     Asia   45.2%   33.7%   13.5%    5.8%   1.9%
                               Aus    41.4%   36.8%   13.2%    4.6%   3.9%
Board of Directors             Asia   39.4%   37.5%   13.9%    7.7%   1.4%
                               Aus    35.5%   34.9%   22.4%    7.2%   0.0%
Internal Auditors/Regulators   Asia   39.4%   34.6%   18.3%    7.2%   0.5%
                               Aus    36.8%   40.1%   15.1%    7.2%   0.7%
Legal Affairs                  Asia   39.4%   35.1%   16.8%    5.3%   3.4%
                               Aus    34.9%   36.2%   23.7%    4.6%   0.7%
Finance and Accounting         Asia   39.4%   35.6%   17.8%    6.3%   1.0%
                               Aus    35.5%   35.5%   21.1%    5.9%   2.0%
C-level Executives             Asia   37.0%   43.8%   13.9%    3.4%   1.9%
                               Aus    32.9%   42.1%   19.1%    4.6%   1.3%
Human Resources                Asia   35.6%   36.5%   18.8%    9.1%   0.0%
                               Aus    30.3%   34.9%   24.3%    5.3%   5.3%
Sales and Marketing            Asia   32.2%   34.6%   17.8%   12.0%   3.4%
                               Aus    22.4%   42.1%   25.0%    5.9%   4.6%

Level of involvement in cyber security initiatives, Asia and Australia
Columns: Very high | High | Neutral | Low | Very low

IT department                  Asia   47.1%   38.9%   11.1%    2.4%   0.5%
                               Aus    42.8%   42.1%   12.5%    0.0%   2.6%
Operations                     Asia   25.5%   50.5%   20.7%    2.9%   0.5%
                               Aus    17.8%   51.3%   19.1%    9.2%   2.6%
Board of Directors             Asia   33.2%   36.1%   23.1%    6.7%   1.0%
                               Aus    16.4%   51.3%   23.7%    5.9%   2.6%
Internal Auditors/Regulators   Asia   29.8%   44.2%   20.2%    3.4%   2.4%
                               Aus    20.4%   43.4%   24.3%    9.2%   2.6%
Legal Affairs                  Asia   23.6%   48.6%   20.7%    6.3%   1.0%
                               Aus    17.1%   41.4%   28.3%    9.9%   3.3%
Finance and Accounting         Asia   24.0%   42.3%   23.1%    8.7%   1.9%
                               Aus    15.1%   48.7%   23.0%    9.9%   3.3%
C-level Executives             Asia   32.7%   38.5%   24.5%    3.4%   1.0%
                               Aus    22.4%   41.4%   25.0%    9.9%   1.3%
Human Resources                Asia   21.2%   38.0%   27.9%   11.5%   1.4%
                               Aus    15.8%   38.8%   29.6%   13.2%   2.6%
Sales and Marketing            Asia   17.3%   48.1%   20.2%   11.1%   3.4%
                               Aus     8.6%   42.1%   27.6%   12.5%   9.2%



2015 vs 2016 comparison of responsibility for security breaches, Asia and Australia

Group held responsible               Asia 2015   Asia 2016   Australia 2015   Australia 2016
IT Department                        83.1%       54.3%       61.8%            33.6%
Head of Departments                  71.4%       34.6%       36.8%            20.4%
Employees involved                   27.3%       28.4%       27.2%            17.8%
C-level executives                   35.1%       65.4%       18.9%            61.2%
No attribution of responsibilities    5.7%        1.4%        2.6%             1.3%

Responsibility for security breaches by individual role, Asia and Australia

Role                Asia     Australia
Board of Director   17.8%    14.9%
Legal Counsel       15.4%     8.6%
CIO                 19.1%    25.5%
CEO                 28.8%    32.2%
CISO                21.6%     8.6%
COO                 15.4%     3.9%
CFO                 10.1%     7.9%
CMO                  7.2%     5.9%

HR is responsible for handling personal employee or contractor information such as bank account details, tax file numbers, remuneration, résumés, employee contracts/offers and security checks that may be collected and shared with other third parties like HR service, system providers or recruitment companies. The HR department's involvement in cyber security has increased in some countries, such as the UK, where initiatives such as free cyber security courses for HR Professionals have been created by the UK Government and the Chartered Institute of Personnel Development (CIPD). The course was developed to assist HR workers to protect their companies' sensitive information.5 This HR training initiative outlines the importance of providing cyber security awareness training to key stakeholders who are handling sensitive and important company data.

In Australia, the internal auditors and legal affairs team are perceived to have a relatively low level of involvement in cyber security. This is despite the fact that cyber security has a relatively high level of importance to their job functions and responsibilities. Interestingly in Asia, for internal auditors and board of directors, cyber security has a relatively low level of importance to their job functions and responsibilities, despite both groups having a high level of involvement in cyber security. This highlights the need to improve communications and engagement across the silos within the business to ensure that the right business and security engagements are in place to address legal, regulatory, privacy and commercial risks.

It is also worth noting the need for further engagement with physical and electronic security counterparts, driven by the proliferation of connected security devices and increasing market demand for converged solutions that combine electronic and physical security, identity management and information security.

5. https://www.cipd.co.uk/about/media/press/040216-cyber-security#

Adoption of security guidelines, governance and procedures

Cyber security awareness has increased and appears to be driving the adoption of certain frameworks to conduct security audits to assist with formulating security policies within businesses; however, it's important that this doesn't just become a tick and flick exercise. As we have discussed, companies with great security posture don't just layer security controls across their business; they embed security into all areas of their business to ensure an integrated approach. Our results found that Australian and Asian companies tend to focus more on conducting security audits and less on conducting cyber drill programs within their organisations. The value of conducting cyber drills for a range of security incidents cannot be underestimated as it can highlight any deficiencies within the incident response procedures and the associated business continuity plans. The business needs to continue to deliver key products and services to acceptable business levels during a security incident and recover as quickly and effectively as possible.

[Chart: Security governance, processes and skills in your organisation, Asia and Australia (per cent of respondents). Categories: Security audits; Cyber security awareness programs; Risk assessments on internal systems; Incident management response process; Governance, risk, and compliance tools; Classification of business value of data; Program to identify sensitive assets; Procedures dedicated to protecting IP; Risk assessments on third-party vendors; Cyber drill.]

Australian Prudential Regulation Authority (APRA) and the Australian Cyber Security Centre (ACSC) guidelines are the most popular security standards and frameworks adopted by both Australian and Asian organisations. It's important that the standards that companies adopt meet their regulatory, contractual and commercial requirements and align with their business objectives. In contrast, SANS Top Critical Controls and PCI were chosen by only nine per cent of Australian respondents. The low adoption of PCI security standards with Australian respondents is surprising as every Australian business who accepts and processes credit or debit card information is required to comply to ensure a secure payment card environment. This result may be due to the outsourcing of credit card payment functions to third parties or a lack of involvement in the PCI compliance security initiatives by the majority of respondents. This may be due to a lack of engagement, awareness or silos within the organisation regarding PCI compliance.

Almost all of the organisations surveyed in Australia and Asia adopt various methods to control IT security risks with their business suppliers and partners, with the most popular being the application of access controls to data and systems. Two per cent of respondents from Australia and one per cent from Asia indicate that they do not perform vendor checks on their business partners.



[Chart: Controlling IT security risks with business suppliers and partners, Asia and Australia. Options: Apply access controls to systems and data (Asia 38.5%, Australia 39.5%); Address information security issues via contract; Perform random spot checks of vendor sites; Engage a third-party to perform an information security audit of vendor; Do not perform vendor checks (Asia 0.5%, Australia 2.0%).]

In Australia, the good news is that we are conducting more frequent board briefing sessions: the percentage of enterprises conducting their briefings on a yearly basis has significantly reduced from 11 per cent in 2015 to two per cent in 2016. On the contrary, in Asia the frequency of briefings has declined slightly, with 39 per cent of organisations now doing this monthly. However, 57 per cent of ASEAN (Indonesia and the Philippines) and 50 per cent of Indian respondents are running monthly briefings, which is higher than the 32 per cent recorded for Australian businesses.

[Chart: Frequency of briefs to board members/senior management on cyber risk and security mitigation, Asia and Australia, 2015 vs 2016. Categories: Monthly; Quarterly; Half-yearly; Yearly; Rarely; Never.]



Security threats and trends

Email threats and phishing campaigns

Phishing Campaigns

Phishing emails remain the most popular method to deliver malware.

Email continues to be the primary communication channel for businesses so it is not surprising that the most popular delivery method for cyber threats is via phishing emails. The next most popular delivery method is via malicious websites/URLs. Opportunistic phishing emails aim to trick a recipient into clicking on a malicious link or attachment; the malware is downloaded and executes on the end point inside the network. The malware can then establish a backdoor to the Command and Control (C&C) server, obtain escalated user privileges and then move laterally through the network to the target data. Typical examples of phishing emails include delivery emails related to parcels, invoice payments or utility bills, and when an end user clicks on the link or attachment it delivers malware to the end user's device.

Spear phishing emails target a specific person within a company, and emails that target senior executives are sometimes called whaling. Whaling or spear phishing emails are typically well researched using both social media and publicly available company information like annual reports and shareholder updates. They will appear legitimate and to be from trusted contacts in the user's social network, which makes them much harder to detect compared to other opportunistic phishing emails. Typically the objective is to obtain sensitive data that may include customers' personal information, intellectual property (e.g. design blueprints and source code), commercially sensitive information like financial results, investments, merger & acquisition information, corporate roadmaps and strategic information for fraudulent purposes, or to block access to a system or data files for financial gain through the delivery of ransomware.

According to our survey in 2016, approximately one-third of both Asian and Australian businesses experienced a phishing email incident which impacted their business on at least a monthly basis. 21 per cent of respondents in Asia said that it took five hours or more to recover from these incidents, compared to 13 per cent of respondents in Australia who said that it took five hours or more to recover from phishing email incidents.

As social engineering attempts by cyber attackers continue to improve and become more sophisticated, organisations should work on driving more cyber security awareness training for their staff and implement social media and email handling policies within the organisation. Mitigating the risks associated with staff and contractors using email or social media cannot be underestimated where private and sensitive company information may be exposed due to malware infections or shared inappropriately.

Inbound Email Threats

Firstwave Cloud Technology delivers Telstra's Internet Protection Email and Web Content Security for government departments, enterprises and businesses in Australia. In 2016, Firstwave scanned over 500 million inbound and outbound emails across Australian customers' mail servers.

Email content security provides a multi-layered approach to protecting organisations against spam and malware. In 2016, Firstwave identified almost 47 million inbound threats across inbound emails, representing a range of threats including profanities, offensive materials, PCI security standards breaches, spam and malware. In 2016, Firstwave rejected 35 million emails6 at the reputation layer and then captured 12 million emails at the advanced second level of defence, preventing these threatening emails from reaching the recipient. The number of emails captured at the advanced second level of defence has reduced by 13 per cent in 2016 compared with 2015.

Firstwave also detects and scans potentially infected zip files, which is a common method used by cyber criminals to evade detection. This system generally captures between 30,000 and 45,000 potentially dangerous emails each month.

Business Email Compromise

Business Email Compromise (BEC), as defined by the FBI, is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorised transfers of funds.7 Formerly known as Man-in-the-Email scams, these schemes typically compromise official business email accounts, by using spear-phishing emails and key logger malware, to then conduct unauthorised fund transfers. This type of scam has not been widely publicised but is growing in popularity due to the lucrative nature of this scam. According to the FBI, the BEC scam attempts have hit US$3 billion in June 2016, and the FBI has recorded a 1,300 per cent increase since January 2015. This includes BEC reports by US and foreign victims from a number of sources including complaints filed with the FBI, international law enforcement agencies and financial institutions.8 The results of our survey found 30 per cent of businesses in Australia experienced a BEC on at least a monthly basis and 20 per cent of these businesses took five hours or more to recover from these incidents. The results were similar in Asia with 30 per cent of respondents who experienced a BEC on at least a monthly basis. 18 per cent of these businesses took five hours or more to recover from these incidents.

6. Note: these numbers are approximated by using statistical methods on representative data samples and provided by Firstwave
7. https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise
8. https://www.ic3.gov/media/2016/160614.aspx#fn1
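The multi-layered email content security described above (a reputation layer that rejects mail outright, a second layer that inspects content including zip attachments, and controls on outbound mail carrying credit card information) can be sketched as a small pipeline. The block below is an added illustration and is not Firstwave's or Telstra's software; the blocklisted domains, the in-memory sample messages, the executable-suffix list and the verdict names are all constructed for the example.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Layer 1, reputation: a constructed blocklist stands in for a live reputation feed.
BAD_SENDER_DOMAINS = {"bulk-offers.example", "spam-relay.example"}

# Layer 2, content: file types commonly smuggled inside zip attachments (constructed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar", ".hta")

# Layer 3, outbound leakage: 13 to 19 digit runs, optionally separated by spaces or
# dashes; the Luhn check below removes most order and phone numbers.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Email:
    sender: str
    direction: str                                   # "inbound" or "outbound"
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes


@dataclass
class Verdict:
    action: str   # "reject", "quarantine", "block" or "deliver"
    layer: str    # which layer made the decision
    reason: str


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs that look like card numbers and pass the Luhn check."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def risky_zip_members(data: bytes) -> list:
    """Names inside a zip archive that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist()
                    if i.filename.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return ["<archive could not be read>"]   # unreadable archives are treated as risky


def classify(msg: Email) -> Verdict:
    """Run the layers in order; the first layer with a hit decides."""
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if msg.direction == "inbound" and domain in BAD_SENDER_DOMAINS:
        return Verdict("reject", "reputation", f"sender domain {domain} is blocklisted")
    for name, data in msg.attachments.items():
        lowered = name.lower()
        if lowered.endswith(".zip"):
            risky = risky_zip_members(data)
            if risky:
                return Verdict("quarantine", "content", f"{name} contains {risky}")
        elif lowered.endswith(EXECUTABLE_SUFFIXES):
            return Verdict("quarantine", "content", f"executable attachment {name}")
    if msg.direction == "outbound":
        pans = find_card_numbers(msg.body)
        if pans:
            masked = [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in pans]
            return Verdict("block", "dlp", f"card number(s) in body: {masked}")
    return Verdict("deliver", "none", "no policy hit")


def build_zip(member_name: str, content: bytes) -> bytes:
    """Construct a small in-memory zip so the example runs without files on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample traffic: one message per layer plus a clean one.
SAMPLES = {
    "spam": Email("promo@bulk-offers.example", "inbound", "Great deals inside"),
    "invoice_zip": Email("accounts@supplier.example", "inbound", "Invoice attached",
                         {"invoice.zip": build_zip("invoice.pdf.js", b"// payload stand-in")}),
    "card_leak": Email("sales@corp.example", "outbound",
                       "Customer card 4111 1111 1111 1111, exp 12/29"),
    "clean": Email("partner@vendor.example", "inbound", "Agenda attached",
                   {"agenda.zip": build_zip("agenda.txt", b"1. review")}),
}


def run_samples() -> dict:
    return {name: classify(msg).action for name, msg in SAMPLES.items()}
```

Ordering the layers cheapest-first mirrors the figures quoted above: the reputation layer rejects the bulk of traffic before any content is parsed, and archive inspection only runs on what survives. The 4111 1111 1111 1111 value is the well-known Visa test number, so the outbound check fires without a real card in the sample.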



To mitigate BEC risks it's important that the financial functions within the business have appropriate governance in place, with adequate approvals for funds transfers. Transaction approval should satisfy certain characteristics including, but not limited to, integrity, non-repudiation and separation of duties. The key point is that (above a certain transaction value) an email shouldn't constitute approval, as it's too easy to forge. Finance policies may still allow transfers on email approval, but the business needs to determine its risk tolerance depending on how many low-value transactions it is willing to lose to fraudulent email requests. If the business still insists on performing email transfer approvals then it's important that it conducts appropriate cyber security awareness training with the finance department, as financial staff need to be wary and scrutinise email requests to determine whether the request is legitimate. It is also important to use only previously verified transfer details and never the transfer details provided in the email. Implement transfer request processes that add phone verification (to a number already on file, not one supplied in the email) or a secondary sign-off by company personnel for these email payment transfer requests, especially when banking details have changed.

Outbound Email Threats

Organisations need to put in place safeguards to protect themselves against threats that originate from internal sources. Considered outbound threats, these often occur when employees either intentionally or unintentionally distribute email communications that contain inappropriate, confidential or threatening content. The weight of this risk can be seen with approximately 10 million outbound threats being recorded by the Firstwave platform in 2016. These threats could have represented real reputational risks if these companies had not put in place measures to stop the outbound distribution of spam, viruses, malware, profanities, offensive images and credit card information.

Impacts of Offensive Content

Anti-discrimination legislation9 is important for all Australian businesses to understand and adhere to, given the financial and reputational risks associated with breaches. In 2016, Firstwave identified almost 810,000 inbound and outbound emails which contained inappropriate content such as profanities and offensive images.

Offensive content being received and distributed by company employees can expose businesses to harassment, bullying or discrimination claims in some instances, as well as reputational and financial losses as a result of these inappropriate emails being received or distributed by the organisation. This shows the importance of having in place a reliable content security system to monitor and block inappropriate emails from reaching employees or being sent outside the organisation, potentially to clients, suppliers or other members of the public.

Firstwave also identified that cyberbullying is still very prevalent, particularly in inbound email. While there was a slight decrease from 2015 in inbound emails that contained cyberbullying content, more than a million were still identified across the platform in 2016. This is a big concern for companies, as cyberbullying is not only damaging to the victim but also carries higher business costs through potential impacts on company productivity and litigation costs.

PCI Compliance Impacts

Protection of customers' personal and sensitive information is also of significant importance for businesses. Compliance with the PCI DSS (Payment Card Industry Data Security Standard) is mandatory for all Australian businesses that accept and process payments via credit or debit cards.10 A company's email should be identified as a traceable channel that can be proactively monitored to protect against these data leaks. Firstwave saw almost 450,000 emails containing PCI data (cardholder data such as card numbers) that users attempted to send during 2016, although this was a drop of more than half from the previous year. This shows that Australian businesses are exposed to potential PCI breaches when they do not have appropriate data leakage protection systems in place to mitigate this risk.

There are real and serious email threats taking place every day that can threaten your business reputation and brand. Failure to meet compliance obligations can lead to financial losses, penalties and/or litigation. With trends such as malware bypassing reputation/signature-based defence systems and internal staff continuing to expose businesses through risky behaviour, it is essential that all businesses put in place appropriate cyber security training and security solutions to control, monitor and block email threats from entering or exiting their internet communications before the damage takes place.
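The PCI data leakage described above is normally caught by a data leakage protection check on outbound mail that looks for card numbers and holds the message. The following is an added example written for this page, not Firstwave's product logic or Telstra's code; the sample message, the issuer-prefix filter and the quarantine policy are assumptions made for illustration.

```python
"""Outbound-email DLP check for payment card numbers (PANs).

Added example for this report; it is not Firstwave's or Telstra's code.
Candidate digit runs are pulled out of a message body, separators removed,
then filtered with a length/leading-digit check and the Luhn checksum so
that order numbers and phone numbers do not trip the control. The caller
gets a masked copy plus the findings, which is what a gateway needs in
order to quarantine or block the message.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# glued to neighbouring digits (a 20-digit reference is not split into a PAN).
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """Length and issuer-prefix sanity check before the checksum.
    Assumption: 13-19 digits with a leading 3, 4, 5 or 6 covers the card
    brands most merchants see; tighten the IIN ranges for production use."""
    return 13 <= len(digits) <= 19 and digits[0] in "3456" and luhn_valid(digits)


@dataclass(frozen=True)
class Finding:
    masked: str     # last four digits kept, the rest replaced with '*'
    start: int      # offsets of the raw match in the original text
    end: int


def scan_for_pans(text: str) -> list[Finding]:
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if looks_like_pan(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding(masked, m.start(), m.end()))
    return findings


def redact(text: str) -> tuple[str, list[Finding]]:
    """Return the text with every detected PAN masked, plus the findings."""
    findings = scan_for_pans(text)
    out = text
    for f in reversed(findings):            # right-to-left keeps earlier offsets valid
        out = out[:f.start] + f.masked + out[f.end:]
    return out, findings


def gateway_verdict(text: str) -> str:
    """Policy hook (assumed): one confirmed PAN is enough to hold the message."""
    return "quarantine" if scan_for_pans(text) else "deliver"


# Constructed sample message (not real data): 4111... and 3782... are the
# well-known Visa and Amex test numbers, the other digit runs are decoys.
SAMPLE = (
    "Hi, please charge 4111 1111 1111 1111 (exp 09/19) and 378282246310005.\n"
    "Order ref 1234567890123456, call me on 0412345678 if there is an issue."
)

if __name__ == "__main__":
    masked, found = redact(SAMPLE)
    print(gateway_verdict(SAMPLE), [f.masked for f in found])
    print(masked)
```

Luhn alone is weak evidence, since roughly one in ten random digit strings passes it; that is why the prefix and length filter sits in front of the checksum, and why a real gateway would route a single hit to a review queue rather than hard-block on the first match.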

9. http://www.findlaw.com.au/articles/4266/workplace-discrimination-laws-in-australia.aspx
10. http://www.cio.com.au/article/400300/what_pci_compliance_/



Malware and ransomware

Malware Threats

Australia was the main target for malware in 2016 in the Asia Pacific region.

Australia was the main target for malware in 2016, with the highest number of malware download attempts in the Asia Pacific region, according to Palo Alto. Australia is a likely cyber criminal target due to its economic growth combined with its high adoption of technology compared to other countries in the region. The most common types of malware families seen by Palo Alto are ransomware, RATs (Remote Access Trojans) and infostealers (information-stealing malware). Check Point research has found that Australia is experiencing significant growth in ransomware and a reduction in other types of malware. The decline in banking Trojans may be due to the large investment in infrastructure and people required to convert a compromise into cash, compared with the minimal effort required to distribute ransomware and the use of Bitcoin to launder the ransom payments. Our research indicates that 26 per cent of Australian respondents and 30 per cent of Asian respondents experienced a malware/virus outbreak on at least a monthly basis. According to our survey results, 28 per cent of respondents in Australia and 27 per cent of respondents in Asia said that it took five hours or more to recover from these incidents.

The growth of malware threats targeting Australia and the Asia Pacific region is a booming industry due to a number of factors:

- The rising number of exploit kits and malware tools being sold in cyber criminal markets.
- The increasing number of malware distributors using these user-friendly exploit kits and tools to distribute unknown malware.
- The agility of exploit kits, which continually evolve to evade detection and take advantage of new vulnerabilities, mobile devices and the Internet of Things (IoT) to widen their infection campaigns.
- The rate of economic growth within the Asia Pacific region, making it an attractive and lucrative target for cyber criminals.
- The rise of Ransomware-as-a-Service (RaaS), increasing the volume of malware distributors and ransomware distributed.

The two primary threat vectors used to deliver malware are large-scale phishing emails and exploit kits. A typical exploit kit provides criminals with a user-friendly web interface to deliver malicious software by taking advantage of vulnerabilities in the targeted device (typically in the browser or its plugins). Exploit kits are used primarily for drive-by downloads, when a user is unknowingly redirected to a malicious website from a legitimate but vulnerable website, or for infecting a legitimate website in order to target a specific group, called a watering hole attack.11 The exploit kit of choice for cyber criminals prior to July 2016 was the Angler exploit kit. However, the cyber criminal group Lurk, who had developed and were selling the Angler exploit kit as a service to other cyber criminals, were arrested in Russia around early June 2016.12 Palo Alto observed the number of Neutrino sessions increase in late June 2016, the result of cyber criminals moving to adopt the Neutrino exploit kit for their campaigns. However, Cisco recently reported that the popular Nuclear and Neutrino exploit kits abruptly disappeared from the threat landscape in 2016, which has created a void for other exploit kit owners to fill.13 RIG and Magnitude may become prevalent in the future as the next most popular kits in the APAC region now that Angler, Nuclear and Neutrino have disappeared.

[Chart: Exploit kit activity in APAC (Palo Alto). Y axis: directions per day, 0 to 250; X axis: 1 May to 1 September 2016; series: Angler, Magnitude, Neutrino, RIG. Annotation: early June 2016, Lurk gang arrested and Angler exploit kit disappears.]

11. https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/Threat-Report-FortiGuard-Eye-of-Storm.pdf
12. http://www.theregister.co.uk/2016/08/31/anglers_obituary_super_exploit_kit_was_the_work_of_russias_lurk_Group
13. http://b2me.cisco.com/en-us-annual-cybersecurity-report-2017



[Chart: Top 10 malware families 2016 in APAC region (Check Point). Monthly share, April to July 2016; families shown: Zeus, Cryptowall, CryptoLocker, Cryptodef, Cryptoload, CTB-Locker, Locky, TorrentLocker, Waltrix, Matsnu, TeslaCrypt. Data labels visible in the extracted chart (47.06%, 52.94%, 25.81%, 12.90%, 0.00%, 0.00%) cannot be matched to their series from the text.]

The popularity and activity of exploit kits and malware is very dynamic, with cyber criminals switching between different exploit kits and the malware used on a regular basis to keep ahead of defenders, as shown by the daily exploit kit graph provided by Palo Alto and the monthly malware graph from Check Point.

Palo Alto research indicated that Locky ransomware was the most prevalent malware family downloaded in the Asia Pacific region in 2016. It is typically delivered in a Microsoft Word document within a phishing email, but has also been delivered using exploit kits on infected websites and, most recently, as JavaScript files inside zip archives. Palo Alto found Ursnif was also pervasive in 2016. Ursnif is a banking Trojan which has been targeting Australian banks, with recent variants utilising the Tor network, and is typically delivered using phishing emails or via the Neutrino exploit kit (with 21 per cent of downloads).

The majority of the top five viruses in the Asia Pacific region, according to Fortinet, were associated with the JavaScript Nemucod family of malware. Nemucod is a JavaScript downloader rather than an exploit kit: it arrives as an email attachment, fetches a payload, and is a popular delivery method for ransomware. It has also been used to deliver a new payload called Win32/Kovter, which installs a backdoor to a Command and Control (C&C) server with ad-clicking capability.14

14. http://www.welivesecurity.com/2016/08/09/nemucod-back-serving-ad-clicking-backdoor-instead-ransomware/



Typical malware life cycle (Palo Alto)

- Conduct Reconnaissance: gather intelligence and plan the attack.
- Compromise Endpoint: silent infection via phishing email, downloading an exploit kit payload and executing malware.
- Establish Control Channel: the malware communicates with the attacker, who moves laterally towards the target data.
- Steal Data / Achieve Objective: data theft, extortion, sabotage and destruction.

Ransomware

Ransomware was the most common malware in the Asia Pacific region.

Ransomware is a form of malicious software that holds a device or system hostage by blocking access until a ransom is paid to remove the restriction. Ransomware can be delivered as attachments or dropped onto vulnerable devices by exploit kits when the user visits or is redirected to a compromised website. The most common variants are categorised as crypto-ransomware, where certain files on the target device are encrypted; some are able to spread across networks and servers to encrypt other file systems. Certain types of ransomware are able to delete or encrypt back-up files before demanding payment for a decryption key. This may make it more compelling to pay the ransom if the backup cannot be used to restore the files, but it is not the recommended course of action. Other variants of ransomware lock the screen or prevent the operating system from loading until a ransom is paid to remove these restrictions.

According to our survey, in 2016 24 per cent of Australian businesses experienced a ransomware incident which impacted their business on at least a monthly basis, and it took the same proportion five hours or more to recover from these incidents. Similarly, 26 per cent of Asian businesses experienced a ransomware incident which impacted their business on at least a monthly basis, and 22 per cent of respondents in Asia said that it took five hours or more to recover. Check Point research indicates that the average lifespan of a new ransomware variant is now 58 seconds, with 90 per cent of attacks/exploits seen only once.

Our vendor research found that ransomware was the most downloaded malware in the Asia Pacific region in 2016, and that approximately 60 per cent of Australian organisations reported that they experienced at least one ransomware incident in the last 12 months. Of the Australian organisations surveyed, 42 per cent reported paying a ransom to cyber criminals. The approach towards ransom requests in Asia varies, with the majority of India, ASEAN and Hong Kong enterprises agreeing to pay the ransom, whilst the majority of enterprises in Singapore tended not to accede to ransom requests and managed their recovery through backup files instead.

Nearly one out of every three Australian organisations who experienced a ransomware incident and paid the ransom did not recover their files. The impact for Asian organisations was slightly higher, with 40 per cent of respondents who paid the ransom not recovering their files. A number of companies are choosing to quietly pay a ransom demand, which is typically in the hundreds of dollars, to restore their business operations and avoid embarrassment and the potential reputational impacts, in the hope of retrieving their lost data. The reality is that you could receive further ransom demands, that the data may be exposed or sold on to other third parties, and that there are no guarantees of recovering your data. It is evident that implementing a proper back-up strategy helps to mitigate the rising threat of ransomware, and the survey results for the majority of Singapore organisations show it to be an effective strategy.



[Chart: Ransomware recovery survey results, Asia and Australia. Response categories: "No, however we managed to recover the files through backup"; "Yes, and the files were recovered"; "Yes, however the files were not recovered"; "No, however we managed to recover the files through other means (i.e. decryption tools)"; "No, and the files were not recovered". Segment values shown for Asia: 4.1%, 10.5%, 18.8%, 29.2%, 36.8%; for Australia: 3.6%, 8.9%, 19.3%, 30.4%, 38.4%. The mapping of values to categories is not recoverable from the extracted text.]

Benefits of hindsight: invest in an appropriate back-up strategy rather than paying a ransomware demand.

Ransomware-as-a-Service (RaaS) is where ransomware authors have developed user-friendly interfaces for their malware and offer it to others to become distributors. The service offers cyber criminals without coding experience the opportunity to make money by either paying a once-only price or entering a profit share arrangement to distribute the ransomware. Some examples of RaaS offerings that were promoted on underground forums and marketplaces include Hostman Ransomware, Flux Ransomware, Cerber and the Ransomware affiliate network.15,16 Each RaaS instance offers different features to recruit distributors, based on claims of detection avoidance options and different profit models. RaaS feature options may include different encryption options, a worm feature to infect more users, multiple language options, the promise of future versions infecting mobile devices, and customisation of the software to select different target files, Bitcoin addresses and/or ransom amounts. RaaS prices vary from US$9.95 for a limited-use version to US$150 for a copy of the source code. Some RaaS offerings are free initially, with approximately 15 per cent to 40 per cent of the profits going back to the author, which maximises the author's returns if the malware is successful in the long run.17 The FBI announced that ransomware is expected to become a US$1 billion industry in 2016, a substantial increase compared to 2015, when ransomware was reported as a mere US$24 million criminal industry.18

According to Fortinet in March 2017, Locky was the largest ransomware campaign in the last 12 months with 74 per cent of ransomware downloads, followed by CryptoWall with 14 per cent, which was prevalent earlier in 2016 with nearly 100 thousand detections per month in Australia alone. The third most prevalent ransomware, according to Fortinet, is Cerber with 11 per cent of ransomware downloaded in the Asia Pacific region in the last year. Locky can be delivered using the JavaScript Nemucod downloader malware; Nemucod is primarily used as an infection vector to plant various families of ransomware onto a victim's computer to encrypt files and demand Bitcoin ransom payments.19 Cerber is a RaaS offering with a network of distributors under a profit share arrangement.20 Palo Alto research suggests that Locky is designed by experienced cyber criminals and is known to delete Volume Shadow Copies so that local backups (Windows "Previous Versions") are unusable.

15. http://blog.fortinet.com/2017/02/16/ransomware-as-a-service-rampant-in-the-underground-black-market
16. http://blog.checkpoint.com/2016/08/16/cerberring/
17. http://blog.fortinet.com/2017/02/16/ransomware-as-a-service-rampant-in-the-underground-black-market
18. http://www.nbcnews.com/tech/security/ransomware-now-billion-dollar-year-crime-growing-n704646
19. https://blog.fortinet.com/post/cryptowall-teslacrypt-and-locky-a-statistical-perspective
20. http://blog.checkpoint.com/2016/08/16/cerberring/



Top ransomware in Asia Pacific (March 2016 to March 2017), Fortinet:

- Locky.Botnet 74%
- CryptoWall.Botnet 14%
- Cerber.Botnet 11%
- TorrentLocker.Botnet 0.5%
- CryptXXX.Botnet 0.04%
- Teslacrypt.Botnet 0.04%
- VirLock.Botnet 0.03%
- Cerberus.Botnet 0.00005%

Ransomware Mitigation Recommendations:

- Identify critical data and ensure regular offline backups are performed, to avoid the situation where backups are also encrypted by the malware.
- Conduct regular security patching/updates for operating systems and applications to mitigate risks associated with exploit kits and malware, especially for Java, Adobe Reader, Flash, Silverlight and other applications regularly targeted by exploit kits.
- Ensure that incident response plans and business continuity plans are in place, and that regular disaster recovery drills are performed to confirm that back-up data can be used to return the business to normal operation within acceptable time frames.
- Deploy email security gateways with anti-spam to block phishing emails.
- Employ web security gateways to block malicious code being downloaded and block connections to command and control servers.
- Implement application whitelisting to keep unknown executable files from running.
- Deploy advanced endpoint protection on laptops, mobiles and servers.
- Ensure security awareness and phishing awareness training is completed by all users on your network.

Unfortunately, ransomware is a situation where prevention is better than a cure, but if you find that you have been affected by ransomware with all your back-up files encrypted, it is worth calling in incident response experts to see if they can assist you. There is also a new anti-ransomware alliance made up of security vendors and law enforcement organisations that has established a website to assist affected organisations. The alliance website is called the No More Ransom Project; it offers prevention advice and you can check whether they have tools for decrypting your files using recovered keys.21 Some direct links to keys are available where the ransomware has been reverse engineered or where law enforcement agencies have taken down control servers and obtained decryption keys.22 Other advice to assist with managing ransomware risks is available from CERT Australia,23 reputable security vendors and security service providers.24 Paying the ransom should always be an activity of last resort and avoided where possible.

21. https://www.nomoreransom.org/
22. http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-dec-2016.pdf
23. https://www.cert.gov.au/advisories/ransomware
24. https://blog.fortinet.com/2016/04/06/10-steps-for-protecting-yourself-from-ransomware



Mobile malware

Mobile malware is becoming more popular and is expected to take over from traditional malware as the popularity of mobile devices increases. Check Point is seeing 300 per cent growth in mobile malware month over month in the Asia Pacific region. Mobile malware infection rates in Australia increased by two per cent to over seven per cent in Q3 2016, compared to Q2 2016, according to McAfee.25 This trend is not surprising, as traffic from wireless and mobile devices is expected to account for 66 per cent of total IP traffic by 2020, with wired devices accounting for only 34 per cent.26 Many of the countries in Asia connect via mobile rather than fixed-line broadband. For instance, fixed-line internet reaches only one per cent of the Indonesian population and three per cent of the population in the Philippines, while mobile connectivity reaches 42 per cent of the population in these countries. China has the world's largest online population, with more than 688 million internet users, 66 per cent of whom connect via smartphones (~459 million mobile users).27

There are a number of different ways that mobile malware can be delivered to a mobile device; obviously phishing emails and compromised websites can be used as a delivery mechanism for malware targeting mobile devices. Another method is when users have mobile operating systems or applications with security flaws or vulnerabilities that can be exploited by malware on the same network segment or Wi-Fi network. The malware could be delivered via social media applications, SMS, MMS or other mobile messaging applications. The mobile application may already contain malware when it is downloaded from an online application store, or users may be vulnerable if they are using jailbreak/root kits to bypass their corporate Mobile Device Management (MDM) solutions. Unfortunately, when a mobile is affected by mobile malware the worst-case scenario is that the attacker obtains full remote escalated privileged access or root access to the device, which would give them full access to the data available through your mobile device. If the device is used to access your corporate network or corporate email then the cyber criminal would have access to this data as well. The cyber criminal may also be able to perform functions such as remotely making a phone call and sending texts, taking pictures, streaming video and audio, opening a URL in the internet browser, deleting call logs, recording calls and audio, intercepting text messages, initiating an HTTP DoS flood, opening an application and retrieving information like contacts, status, call logs, messages and location.

According to Check Point, mobile users are using new jailbreak/rooting kits to bypass Mobile Device Management (MDM) systems, which exposes these mobile devices to exploitation and makes them vulnerable. Gartner is now recommending additional security for mobile devices beyond MDM. It's worth investing in a reputable mobile IPS (Intrusion Prevention System) client, as cyber criminals can buy AV (Anti-Virus) bypassing software for as little as US$7, where the software is able to obscure any known malicious signature pattern. It is also important to ensure applications and mobile operating systems are kept up to date with patches and upgrades to mitigate the threats associated with using older versions of software.

25. http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-dec-2016.pdf
26. http://b2me.cisco.com/en-us-annual-cybersecurity-report-2017
27. https://www.aspi.org.au/publications/cyber-maturity-2016/ASPI-Cyber-Maturity-2016.pdf



Advanced Persistent Threats

These new waves of targeted cyber-attacks are well researched, co-ordinated, continually evolving and highly sophisticated in nature. Advanced malware that employs many intrusion techniques to evade detection and silently extract company or government information is collectively known as Advanced Persistent Threats (APTs). APT threat actors use social engineering reconnaissance to research a target organisation and initial victim. Further investigation is performed on the target IT infrastructure to gather further information including network topologies, domains, DNS and DHCP servers, internal IP addressing and exploitable ports and services. The initial compromise is typically achieved through spear-phishing emails or a malicious payload delivered from a compromised website. Many APT attacks utilise zero-day vulnerabilities to evade detection: once the zero-day exploit executes on the device it delivers malware to install a backdoor that communicates back to Command and Control (C&C) servers and/or obtains root access on the compromised device. The attacker then harvests access credentials from users to obtain escalated privileges.

APT attack life cycle model, showing the typical phases of an attack29: Initial Recon, Initial Compromise, Establish Foothold, Escalate Privileges, then a repeating loop of Internal Recon, Move Laterally and Maintain Presence, ending in Complete Mission.

- Initial Recon: social engineering reconnaissance of the target organisation and investigation of its network infrastructure.
- Initial Compromise: may be through a spear-phishing email or strategic web compromise.
- Establish Foothold: establish multiple backdoors to C&C servers; the malware is typically removed once privileged credentials are obtained.
- Escalate Privileges: steal privileged credentials.
- Internal Recon: identify the target data.
- Move Laterally: infiltrate other computers or servers through further reconnaissance and credential theft.
- Maintain Presence: move laterally within the environment to establish persistence by deploying backdoors on multiple computers. Backdoors are programs for communicating back to C&C servers on the internet.
- Complete Mission: exfiltrate and steal sensitive data.
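The credential-harvesting and lateral-movement phases above are where an intruder starts to look like an insider, and a per-account baseline of which hosts an identity normally reaches is enough to surface the first burst of movement without relying on malware signatures. The code below is an added example written for this page, not Mandiant's, CrowdStrike's or Telstra's; the logon records, host names, one-hour window and threshold of three new hosts are assumptions made for illustration.

```python
"""Per-account host baseline for spotting lateral movement with stolen credentials.

Added example for this report; not Mandiant's, CrowdStrike's or Telstra's code.
An APT actor holding harvested credentials looks like an insider, so instead of
hunting for malware the check builds, for every account, the set of hosts it
reached during a baseline period and flags an account that logs on remotely to
several hosts it has never used before within a short window. Field names mirror
Windows 4624 logon events (type 3 = network, 10 = RemoteInteractive); the
records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    ts: datetime
    account: str
    src: str          # workstation the logon came from
    dst: str          # host that accepted the logon
    logon_type: int


REMOTE_TYPES = {3, 10}


def baseline(events, until):
    """Hosts each account reached before `until` (any logon type)."""
    known = defaultdict(set)
    for ev in events:
        if ev.ts < until:
            known[ev.account].add(ev.dst)
    return known


def detect_lateral_movement(events, since, window=timedelta(hours=1), threshold=3):
    """Alert when an account logs on remotely to >= `threshold` hosts missing
    from its baseline, all inside `window`. Assumed defaults: 1 hour, 3 hosts."""
    known = baseline(events, since)
    fresh = defaultdict(list)          # account -> remote logons to unseen hosts
    for ev in sorted(events, key=lambda e: e.ts):
        if (ev.ts >= since and ev.logon_type in REMOTE_TYPES
                and ev.dst not in known[ev.account]):
            fresh[ev.account].append(ev)

    alerts = []
    for account, evs in fresh.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:     # slide the window
                start += 1
            if len({e.dst for e in evs[start:end + 1]}) >= threshold:
                limit = evs[start].ts + window
                hit = [e for e in evs if evs[start].ts <= e.ts <= limit]
                alerts.append({
                    "account": account,
                    "sources": sorted({e.src for e in hit}),
                    "new_hosts": sorted({e.dst for e in hit}),
                    "first_seen": hit[0].ts,
                    "last_seen": hit[-1].ts,
                })
                break                                        # one alert per account
    return alerts


def _t(day, hh, mm):
    return datetime(2016, 6, day, hh, mm)


# Constructed telemetry: two weeks of routine access, then an early-morning burst
# from jsmith's workstation against hosts that account has never touched. The
# backup service account reaches many hosts every night and must not alert.
SAMPLE_LOGONS = []
for day in range(1, 14):
    SAMPLE_LOGONS += [
        Logon(_t(day, 9, 2), "ACME\\jsmith", "WS-042", "FILE01", 3),
        Logon(_t(day, 9, 5), "ACME\\jsmith", "WS-042", "MAIL01", 3),
        Logon(_t(day, 23, 0), "ACME\\svc_backup", "BK01", "FILE01", 3),
        Logon(_t(day, 23, 5), "ACME\\svc_backup", "BK01", "FILE02", 3),
        Logon(_t(day, 23, 10), "ACME\\svc_backup", "BK01", "DB01", 3),
    ]
SAMPLE_LOGONS += [
    Logon(_t(14, 2, 5), "ACME\\jsmith", "WS-042", "FILE02", 3),
    Logon(_t(14, 2, 12), "ACME\\jsmith", "WS-042", "DB01", 3),
    Logon(_t(14, 2, 18), "ACME\\jsmith", "WS-042", "DC01", 10),
    Logon(_t(14, 2, 25), "ACME\\jsmith", "WS-042", "HR-SRV", 3),
    Logon(_t(14, 8, 30), "ACME\\akhan", "WS-007", "WS-007", 2),      # interactive: ignored
    Logon(_t(14, 23, 0), "ACME\\svc_backup", "BK01", "FILE01", 3),   # routine
    Logon(_t(14, 23, 5), "ACME\\svc_backup", "BK01", "FILE02", 3),
]
WINDOW_START = _t(14, 0, 0)

if __name__ == "__main__":
    for a in detect_lateral_movement(SAMPLE_LOGONS, WINDOW_START):
        print(a["account"], a["new_hosts"], a["first_seen"], "->", a["last_seen"])
```

The baseline is what keeps the noisy-but-legitimate service account quiet: it reaches three hosts every night, but never a host outside its baseline. The same idea extends to admin accounts by lowering the threshold for them, since the report notes only a handful of those are compromised per intrusion and each one is worth a look.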
The persistent nature of an APT attack is achieved through establishing presence by deploying backdoors on multiple computers that are used to communicate back to C&C servers. These are used for remote discovery activities and then for moving laterally to the targeted systems to exfiltrate the desired data. According to our survey in 2016, 22 per cent of Australian respondents and 26 per cent of Asian businesses experienced an APT attack on at least a monthly basis, and reported an increasing recovery time compared to the 2015 survey results. These results indicate that remediating and recovering from an APT attack is getting more complex. The research from Mandiant indicates that the extent of the remediation activity required for these threats is extensive, with the average number of compromised machines found equal to 78 and an average of 17 months before the compromise was discovered.28 CrowdStrike research has found that China appears to be the most active in carrying out targeted intrusion activity in the APAC region; however, they have seen a good amount of activity from adversaries in India and Pakistan this year, but much of this is focused on each other. At the 2015 G20 Summit in Turkey, a provision was discussed that has led to a number of informal international agreements between China and some G20 countries and includes provisions relating to commercial cyberespionage and hacking, outlined in Paragraph 26 of the G20 Leaders' Communiqué. Paragraph 26 is clearly aimed at addressing specifically commercial cyberespionage. The communiqué leaves room for the pursuit of legitimate intelligence and national security activities, but distinguishes those activities from the theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.30 China has established new bilateral cyber security agreements with the US, UK, India and Russia covering issues including intellectual property theft and cybercrime.31

"In the ICT environment, just as elsewhere, states have a special responsibility to promote security, stability, and economic ties with other nations. In support of that objective, we affirm that no country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors. All states in ensuring the secure use of ICTs, should respect and protect the principles of freedom from unlawful and arbitrary interference of privacy, including in the context of digital communications."32
28. https://www2.fireeye.com/m-trends-2016-asia-pacific.html
29. http://resources.infosecinstitute.com/anatomy-of-an-apt-attack-step-by-step-approach/#gref
30. https://www.lawfareblog.com/cyber-sections-latest-g20-leaders-communiqu%C3%A9
31. https://www.aspi.org.au/publications/cyber-maturity-2016/ASPI-Cyber-Maturity-2016.pdf
32. A brief extract from Paragraph 26 of the G20 Leaders' Communiqué is provided: https://www.lawfareblog.com/cyber-sections-latest-g20-leaders-communiqu%C3%A9



APT statistics by targeted country in APAC region (CrowdStrike):

- India 24%
- Taiwan 17%
- Russia 10%
- Hong Kong 9%
- Vietnam 9%
- South Korea 6%
- Philippines 6%
- Tibet 5%
- Pakistan 5%
- Japan 2%
- Macau 2%
- Australia 1%
- China 1%
- Mongolia 1%
- Myanmar 1%
- Singapore 1%

APT statistics by sector in APAC region (CrowdStrike):

- Government 34%
- Dissident 18%
- Military 15%
- Political 11%
- Defence 6%
- Aerospace 3%
- Technology 3%
- NGO 3%
- Academic 3%
- Research 2%
- Gaming 2%



Mandiant APAC Incident Response investigation statistics for 201533

APAC IR Response Results                                 Quantity (Average)
Number of days compromise went undiscovered (median)     520
Number of machines analysed in an organisation           21,584
Number of internet points                                4
Number of compromised machines                           78
Number of user accounts compromised                      10
Number of admin accounts compromised                     3
Average amount of stolen data                            3.7GB

The APT statistics provided by CrowdStrike indicate that the focus of APT activities in the Asia Pacific region is primarily against government departments, political organisations, dissident groups opposing the official policy of a ruling entity, and military and defence organisations who supply arms and technology.

These results align with the informal bilateral agreements that have been reached in regards to protecting intellectual property, trade secrets and confidential business information, which leave out activities associated with traditional intelligence-gathering cyberespionage.

Key Mandiant APAC Findings:

- The majority of breaches never made news headlines, as most governments and industry-governing bodies did not report breaches.
- Many organisations had conducted forensic investigations in the past but failed to eradicate the attackers from their environments. They sometimes made matters worse by destroying or damaging forensic evidence needed to understand the full extent of a breach or to attribute activity to a specific threat actor/group.
- Average machines analysed in an organisation = 21,584. Comprehensive investigations are required to cover every system in the environment to understand the full extent of the breach and remediate effectively. Otherwise
- Average compromised machines = 78. Once an attacker has full access to an environment with escalated privileges they minimise the number of compromised machines and typically remove the malware and migrate to using corporate remote access solutions. The compromised systems then have no malware installed, making them undetectable to anti-virus and endpoint protection solutions.
- Average user accounts compromised = 10 and average admin accounts compromised = 3. Investigators must hunt for threat actors who pose as insiders using legitimate credentials. Determining which compromised credentials were used during the attack is critical to understanding the full extent of a breach.
- The average amount of stolen data = 3.7GB. This is likely to be under-reported as it is based on the forensic data available during the investigation, and sometimes there are missing log files, which may be due to logs being overwritten over time because of storage constraints.
- Classification of information stolen from APAC organisations: 40 per cent email, 20 per cent sensitive documents, 20 per cent Personally Identifiable Information (PII) and 20 per cent infrastructure documents.34

APT Mitigation Recommendations:

- Conduct phishing awareness training to mitigate initial compromises.
- Ensure operating systems are supported and patch maintenance is performed, and enable automatic updates if possible, to minimise vulnerabilities on your devices and host servers.
- Conduct regular penetration tests and external and internal vulnerability scans, then implement security plans to mitigate the prioritised vulnerabilities and weaknesses found.
- Deploy advanced endpoint protection on both laptops/desktops and host servers.
- Deploy a Mobile Intrusion Prevention System (MIPS) and Mobile Device Management (MDM) to provide security protection for mobile devices.
- Deploy appropriate network segmentation and User and Entity Behaviour Analytics (UEBA) within your network to identify behavioural anomalies and protect your key data assets.
- Ensure the number of staff with administrator passwords is limited based on business need, and that those passwords are not easy to obtain/guess and are unique across domains.
- Ensure that you have incident response plans in place and that you review and test them regularly, so that you are prepared to respond to and remediate incidents in a timely fashion.
- Consider the use of inherence factors from electronic and biometric security
you risk tipping off the attackers and data for additional authentication.
being re-compromised.
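The Mandiant finding above (attackers who drop their malware and move on with legitimate credentials) is the kind of activity a hunt has to find in logon data rather than on disk. The following is an added example, not code from the report or from Mandiant: it walks constructed remote-access log lines and flags accounts whose logons on the latest day depart from their earlier baseline (a never-seen source address, unusual host fan-out, a privileged account active off-hours). The log format, account list and thresholds are assumptions.

```python
"""Hunt for legitimate credentials that are being used the way an intruder uses them.

Added example, not from the report or Mandiant. The log format, account list and
thresholds are assumptions; each line is
"<ISO timestamp> user=<name> src=<ip> host=<target> result=<ok|fail>".
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>ok|fail)$"
)

ADMIN_ACCOUNTS = {"svc_backup", "administrator"}  # assumption: the privileged accounts
MAX_HOSTS_PER_DAY = 3                               # assumption: fan-out beyond this is odd
BUSINESS_HOURS = range(7, 20)                       # assumption: 07:00 to 19:59 local

# Constructed sample. 'alice' keeps her usual pattern; the admin account 'svc_backup'
# appears from a never-seen address, at 02:00, walking many hosts with no malware involved.
SAMPLE_LOG = """\
2016-11-02T09:05:11 user=alice src=10.1.4.20 host=fs01 result=ok
2016-11-02T09:06:40 user=alice src=10.1.4.20 host=mail01 result=ok
2016-11-02T10:12:03 user=svc_backup src=10.1.9.5 host=fs01 result=ok
2016-11-02T10:12:09 user=svc_backup src=10.1.9.5 host=fs02 result=ok
2016-11-03T02:14:55 user=svc_backup src=203.0.113.77 host=dc01 result=ok
2016-11-03T02:15:20 user=svc_backup src=203.0.113.77 host=fs01 result=ok
2016-11-03T02:16:02 user=svc_backup src=203.0.113.77 host=hr-db01 result=ok
2016-11-03T02:16:40 user=svc_backup src=203.0.113.77 host=fin-db01 result=ok
2016-11-03T02:17:11 user=svc_backup src=203.0.113.77 host=wks-1042 result=ok
2016-11-03T09:01:00 user=alice src=10.1.4.20 host=fs01 result=ok
"""


def parse(log: str) -> list[dict]:
    """Turn raw lines into events; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def hunt(log: str) -> dict[str, list[str]]:
    """Compare each user's successful logons on the latest day with all earlier days.

    Returns {user: sorted indicator names} for users that trip at least one indicator:
      new_source      - a source address never seen for this user before (or no history)
      host_fanout     - more distinct target hosts in one day than MAX_HOSTS_PER_DAY
      admin_off_hours - a privileged account active outside BUSINESS_HOURS
    """
    events = [e for e in parse(log) if e["result"] == "ok"]
    if not events:
        return {}
    last_day = max(e["ts"].date() for e in events)
    baseline_src: dict[str, set[str]] = defaultdict(set)
    recent: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["ts"].date() < last_day:
            baseline_src[e["user"]].add(e["src"])
        else:
            recent[e["user"]].append(e)

    findings = {}
    for user, evs in recent.items():
        hits = set()
        for e in evs:
            if e["src"] not in baseline_src[user]:
                hits.add("new_source")
            if user in ADMIN_ACCOUNTS and e["ts"].hour not in BUSINESS_HOURS:
                hits.add("admin_off_hours")
        if len({e["host"] for e in evs}) > MAX_HOSTS_PER_DAY:
            hits.add("host_fanout")
        if hits:
            findings[user] = sorted(hits)
    return findings


if __name__ == "__main__":
    for user, indicators in hunt(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(indicators)}")
```

With the sample log, only svc_backup is reported, with all three indicators; alice's logons match her baseline and are silent.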

33. https://www2.fireeye.com/m-trends-2016-asia-pacific.html
34. https://www2.fireeye.com/m-trends-2016-asia-pacific.html

Cyber Security Report 2017 25


Cloud security

The migration of applications and services to virtualised private and public cloud environments is not surprising due to the speed, flexibility and ease of application deployments. Traditional data centres add months to these new application deployments and aren't very scalable; however, the security is simpler as the traffic only travels between servers and the security gateway in a north-south direction, so all traffic is inspected for threats by the security gateway. The security implications of running applications and services in these virtualised cloud environments or software defined network environments need to be considered, as the traffic changes to allow east/west data flows of up to 80 per cent between virtualised applications and network sectors. [35] This east/west traffic is effectively able to bypass the perimeter security gateway and is therefore not visible or controlled within the virtual cloud environment. Security management is complicated further due to the dynamic nature of these virtualised applications, which are able to be moved between host servers as their resource demands change. The rise of mobile applications and cloud based environments means that there is a heightened risk of malware spreading laterally throughout your IT environments.

Therefore, to maintain IT security in virtualised public and private clouds, it is important to segment your network, users and applications by using a virtual secure gateway at the switch layer to obtain visibility and control of any malicious traffic moving laterally in your cloud environment. High visibility and control of cloud based applications, network segmentation and user groups is critical for securing cloud-based applications and services through a centrally managed, software-based, distributed micro-segmented security solution.

According to our research, 93 per cent of the respondents in Asia have indicated they are currently using cloud services compared to 80 per cent of Australian respondents. The adoption of cloud services amongst Australian organisations was 80 per cent in 2016, up from 64 per cent in 2015. According to F5, 47 per cent of respondents in Asia Pacific (excluding Japan) indicated that on-premise private clouds will see the largest amount of investment in 2017, and Asia-Pacific leads other regions in cloud-first strategies with 54 per cent reporting a cloud-first preference before making new IT investments. However, almost 33 per cent of Asia Pacific respondents expressed concerns with implementing consistent cloud security policies, according to F5. [36]

Organisations using cloud services, year on year trend in Australia and Asia

Year   Region      Yes      No       Unsure
2016   Australia   79.6%    16.4%    3.9%
2016   Asia        92.8%    1.4%     5.8%
2015   Australia   63.6%    31.6%    4.8%
2015   Asia        94.8%    5.2%     -

35. http://pages.checkpoint.com/security-report.html
36. https://f5.com/about-us/news/the-state-of-application-delivery



[Chart: Ranking of potential risks due to adoption of cloud services, Asia and Australia. For each of Asia and Australia the chart shows the share of respondents placing each risk at Rank 1, Rank 2, Rank 3 or No Rank. Risk categories: Theft of company data; Data sovereignty; Network attack or outage; Employee actions/human error; Malware/virus outbreak; Denial of legitimate access. Per-category percentages omitted.]

[Chart: Organisations' level of readiness to handle cloud service risks, Asia and Australia. For each of Asia and Australia the chart shows the share of respondents answering Not ready at all, Somewhat not ready, Neutral, Somewhat ready or Ready for each risk. Risk categories: Theft of company data; Data sovereignty; Network attack or outage; Employee actions/human error; Malware/virus outbreak; Denial of legitimate access. Per-category percentages omitted.]



Cloud Security

Theft of company data was the most nominated top potential risk of adopting cloud services by both Australian and Asian organisations. Australian respondents were also concerned about employee actions/human error, whilst Asian respondents were also concerned about network attacks or outages.

However, in the survey results from 2015, data sovereignty was rated as the top potential risk of adopting cloud services. Our research indicates that this is due to the increasing presence of local cloud service providers in Asia, so data sovereignty has become less of a concern for Asian enterprises. The focus now shifts towards effective security controls to mitigate risks of using cloud services, such as SaaS, where 80 per cent of Australian respondents and 95 per cent of Asian respondents are already adopting or considering adopting Cloud Access Security Broker (CASB) solutions. This further supports the notion that the paradigm has shifted from whether to migrate to the cloud to "How can I secure my data in the cloud?"

Data theft from cloud services remains a top concern.

The majority of respondents from Asia indicate that they are ready to handle all the cloud adoption risks in the survey.

However, respondents from both Australia and Asia have the lowest confidence in their ability to handle the theft of company data. The survey indicates that 43 per cent of Asian respondents are prepared to manage the risks of data theft, whilst 27 per cent of them classify theft of corporate data to be their top threat. This suggests that despite the fact that most organisations are either currently using or considering the use of the latest cyber security tools, they still lack the confidence in dealing with data theft incidents in the cloud. Australia is even less confident in dealing with cloud related data theft incidents compared to their Asian counterparts. This could be attributed to the fact that many organisations are lacking the visibility into privileged users that have access to the data stored in private clouds on-premise or in public cloud environments. The lack of controls in place makes it harder for organisations to detect or identify internal threats that may cause the loss of corporate data. In addition, the shortage of skilled security professionals and/or IT security resources to manage these cloud related security risks adds an additional layer of complexity to managing the security threats when adopting cloud services.

Shadow IT Data Exposure Risks

Shadow IT refers to the adoption and use of applications/services by employees without the knowledge or consent of the IT department. Gaining visibility and control of these cloud applications is an important step for cloud security. Even when an organisation has implemented a successful Shadow IT policy that limits employees to use of sanctioned enterprise applications, like Box or Salesforce or Office365, there is still a risk of data being exposed due to compromises through users uploading and sharing sensitive data. [37]

Insights into cloud application usage:

An enterprise has, on average, 841 cloud applications in use.

11 per cent of enterprise cloud apps are still vulnerable to one or more major exploits.

71 per cent of business cloud apps do not provide multi-factor authentication.

37. http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B2f3a44c7-7445-442a-9425-
de48041ab3c9%7D_ShadowDataReport_1H_2016_Digital-Screen_compressed.pdf



87 per cent of cloud applications do not adequately encrypt data. Only 13 per cent of business applications encrypt data at rest and 85 per cent use SSL to secure data in transit. If your business application is used for Personally Identifiable Information (PII) or Payment Card Industry (PCI) data then it should encrypt data at rest and in transit.

23 per cent of all files stored in the cloud are broadly shared (within the whole organisation, with third parties and publicly on the internet) and 12 per cent of these broadly shared files contain sensitive data.

43 per cent of the broadly shared documents contain source code, e.g. Java, Python, etc.

36 per cent of the broadly shared documents contain PII data.

14 per cent of the broadly shared documents contain PHI data.

Six per cent of the broadly shared documents contain PCI data.

Unfortunately, the percentage of PII and PCI exposed data has increased compared to last year's report, from 33 per cent to 36 per cent and from five per cent to six per cent respectively, but the good news is that exposure of source code data has decreased from 48 per cent to 43 per cent compared to last year's report.

The potential financial impact on the average organisation from the leakage of sensitive cloud data was just over US$2 million, compared to US$1.9 million in the previous year. [38]

Shadow IT Cloud Recommendations:

Discovery Phase

Discover the cloud applications that are being used.

Identify suitable applications to be endorsed by the business, based on business risk, and block unsuitable applications.

Monitoring Phase

Monitor how employees and external users are sharing and collaborating with applications.

Monitor data sharing to ensure that it is appropriate and not shared indiscriminately.

Determine if accounts or devices have been compromised and check for risky exploit/data exfiltration.

Determine users' risk rating to your organisation.

Monitor data that is stored and shared in the cloud: source code, PII, PHI or PCI data.

Governance and Control Phase

Develop a cloud governance strategy.

Develop guidelines for approved or blocked cloud applications and vendors.

Develop an Acceptable Use Policy for cloud applications based on departments/roles.

Establish a Data Classification scheme and establish a corporate usage policy.

Define and develop a Data Loss Prevention policy that defines the types of sensitive data and the risk assessment if exposed.

Develop an Incident Response Plan for when/if sensitive data is exposed. [39]
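The monitoring phase above comes down to one decision per file: is it broadly shared, and does it contain source code, PII, PHI or PCI data? The following is an added example, not code from the report or from the Blue Coat study it cites: it applies that decision to constructed file records, using a Luhn check so that arbitrary digit runs are not mistaken for card numbers. The file records, sharing scopes and content patterns are assumptions.

```python
"""Flag broadly shared cloud files that carry sensitive data.

Added example, not from the report or the Blue Coat study it cites. The file records,
sharing scopes and content patterns are assumptions; a CASB or DLP engine would take the
same decision on metadata and content pulled from the cloud application's API.
"""
from __future__ import annotations

import re

# The report's definition of "broadly shared": whole organisation, third parties, public.
BROAD_SCOPES = {"organisation", "external", "public"}

# Illustrative content signatures, not a production ruleset.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SOURCE_RE = re.compile(r"^\s*(import |def |class |public class |#include )", re.M)
PHI_RE = re.compile(r"\b(diagnosis|patient id|medical record)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps random digit runs (order numbers, timestamps) out of the PCI bucket."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(content: str) -> set[str]:
    """Return the set of data classes found in the content (source_code, PII, PHI, PCI)."""
    labels = set()
    if SOURCE_RE.search(content):
        labels.add("source_code")
    if EMAIL_RE.search(content):
        labels.add("PII")
    if PHI_RE.search(content):
        labels.add("PHI")
    for m in CARD_RE.finditer(content):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            labels.add("PCI")
            break
    return labels


def exposed_files(files: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (name, scope, labels) for every file that is both broadly shared and sensitive."""
    out = []
    for f in files:
        if f["scope"] not in BROAD_SCOPES:
            continue
        labels = classify(f["content"])
        if labels:
            out.append((f["name"], f["scope"], sorted(labels)))
    return out


# Constructed sample file records as a CASB might present them.
SAMPLE_FILES = [
    {"name": "q3-forecast.xlsx", "scope": "private",
     "content": "owner cfo@corp.example\nrevenue 1.2M"},
    {"name": "billing-export.csv", "scope": "external",
     "content": "name,card\nJ Doe,4111 1111 1111 1111"},
    {"name": "onboarding.py", "scope": "public",
     "content": "import os\n\ndef sync():\n    return os.listdir('.')\n"},
    {"name": "patients.txt", "scope": "organisation",
     "content": "patient id 4471, diagnosis: flu, contact a.b@clinic.example"},
    {"name": "notes.txt", "scope": "external",
     "content": "lunch at 12, ref 1234567890123"},   # fails Luhn, so not PCI
]

if __name__ == "__main__":
    for name, scope, labels in exposed_files(SAMPLE_FILES):
        print(f"{name} shared {scope}: {', '.join(labels)}")
```

The private forecast is ignored because of its scope, and notes.txt is ignored because its digit run fails the Luhn check; the other three files are reported with their data classes.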

38. http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B2f3a44c7-7445-442a-9425-de48041ab3c9%7D_
ShadowDataReport_1H_2016_Digital-Screen_compressed.pdf
39. http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B2f3a44c7-7445-442a-9425-de48041ab3c9%7D_
ShadowDataReport_1H_2016_Digital-Screen_compressed.pdf



Web and application vulnerabilities
According to Qualys, there is no slow-down in the rate of new vulnerabilities that were found during 2016, with an increase of 16 per cent in total vulnerabilities seen compared with 2015. Looking at the top 10 vulnerabilities found for both external and internal networks in the Asia Pacific region, it is clear that remediation activities are still lagging, with the majority of these vulnerabilities disclosed in 2014 or earlier. 80 per cent of vulnerability exploit kits are now available within a few days of the vulnerability's public release, if not already available.

Secure Socket Layer (SSL) and other encryption technologies like Secure Shell (SSH) were developed to provide secure online communication, but the delays with organisations implementing patch management are leaving organisations exposed to cyber criminals eavesdropping on these secure communications. In terms of the external top 10 vulnerabilities found in the Asia Pacific region in 2016, it is worth noting that five of the top 10 are related to SSL, with the POODLE [40] and BEAST [41] vulnerabilities still prevalent in 2016. These can be addressed by making the appropriate SSL configuration changes, and one of the best resources with recommendations can be found at the following website: https://www.ssllabs.com/projects/best-practices/.

In terms of SSH (OpenSSH), which makes up another four of the top 10 external vulnerabilities, keeping up to date with the most recent releases and patching for this software is critical. For the internal top 10 vulnerabilities found in the Asia Pacific region in 2016, SSL implementation again rears its head as the number one internal vulnerability. The uncomfortable reality is that no security control will ever be perfect, so it's best to focus on those controls that have the biggest impact in reducing risk while optimising an automated approach for implementing and measuring these controls to maintain continuous security and compliance.

It's not easy being a CISO or CIO today. With the advent of cloud computing, Shadow IT and mobility, and with increasing convergence with electronic security, the surface area of risk for enterprises has increased dramatically, while IT budgets for patching and upgrades are constrained and skilled cyber security talent is difficult to find. No two vulnerabilities are equal, and they are different for each environment, which is dependent on technology and controls. Therefore you cannot treat all vulnerabilities with the same priority level, as you will leave dangerous gaps that attackers are actively trying to exploit. The question is how to prioritise and know which vulnerabilities should be immediately addressed, especially when new vulnerabilities are being disclosed every day.

To clearly and precisely prioritise remediation work, security teams must correlate the steady stream of vulnerability disclosures against their organisation's IT asset inventory, a connect-the-dots process that requires intense data analysis. Today, organisations live in a perimeter-less world. Those clearly defined physical boundaries in which their IT infrastructure was housed have been pushed out, blurred, transformed and in some cases even erased. It is therefore critical that, as a first step, organisations gain visibility of their assets and of the security posture that is unique to their business and its supporting systems.

According to our survey results, 23 per cent of Australian businesses experienced a web application attack on at least a monthly basis and 26 per cent said that it took five hours or more to recover from these types of attacks. 29 per cent of Asian businesses experienced a web application attack on at least a monthly basis and 24 per cent of respondents in Asia said that it took five hours or more to recover from these types of attacks.

Top 10 external and internal vulnerabilities in Asia Pacific region in 2016 (Qualys)

External vulnerabilities

Rank   External vulnerability name                                                  Qualys ID
1      SSL/TLS use of weak RC4 cipher                                               38601
2      SSL/TLS Server supports TLSv1.0                                              38628
3      SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)    38603
4      SSL Server Has SSLv3 Enabled Vulnerability                                   38606
5      SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)     42366
6      Windows Remote Desktop Protocol Weak Encryption Method Allowed               90882
7      OpenSSH LoginGraceTime Denial of Service Vulnerability                       42413
8      OpenSSH Commands Information Disclosure Vulnerability                        42382
9      OpenSSH "X SECURITY" Bypass Vulnerability                                    38611
10     OpenSSH Xauth Command Injection Vulnerability                                38623

Internal vulnerabilities

Rank   Internal vulnerability name                                                                                      Qualys ID
1      SSL/TLS use of weak RC4 cipher                                                                                   38601
2      SMB Signing Disabled or SMB Signing Not Required                                                                 90043
3      Enabled DCOM                                                                                                     90042
4      Administrator Account's Password Does Not Expire                                                                 90080
5      Oracle Java SE Critical Patch Update October 2012                                                                120604
6      Oracle Java SE Critical Patch Update June 2013                                                                   121279
7      Insecure Microsoft Internet Explorer Intranet Zone User Setting Detected                                         100012
8      Oracle Java SE JVM 2D Subcomponent Remote Code Execution Vulnerability (Oracle Security Alert for CVE-2013-1493) 120970
9      Microsoft Windows Gadgets Remote Code Execution Vulnerability (KB2719662)                                        90961
10     EOL/Obsolete Software: Microsoft XML Core Services 4.0 Service Pack 2 Detected                                   105458
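The text above argues that findings cannot all carry the same priority and must be correlated with the asset inventory. The following is an added example, not code from the report or from Qualys, of that correlation: scanner findings keyed by the Qualys IDs in the table are scored against what the inventory knows about each host, and hosts the inventory does not know are set aside, since they cannot be prioritised at all. The severities, asset attributes, weights and sample findings are assumptions.

```python
"""Prioritise scanner findings by correlating them with the asset inventory.

Added example, not from the report or Qualys. The Qualys IDs are those in the report's
top-10 tables; the severities, asset attributes, weights and sample findings are assumptions.
"""
from __future__ import annotations

from collections import defaultdict

# Base severity (1 to 5) per Qualys ID, an assumption standing in for the scanner's rating.
SEVERITY = {
    38601: 3,   # SSL/TLS use of weak RC4 cipher
    38628: 2,   # SSL/TLS server supports TLSv1.0
    38603: 3,   # SSLv3 POODLE
    42366: 2,   # SSLv3.0/TLSv1.0 weak CBC mode (BEAST)
    90043: 3,   # SMB signing disabled or not required
    90080: 3,   # Administrator account's password does not expire
    38623: 4,   # OpenSSH Xauth command injection
    105458: 4,  # EOL Microsoft XML Core Services 4.0 SP2
}

# Constructed inventory: what the business knows about each host.
ASSETS = {
    "web-01": {"internet_facing": True,  "data": "PCI",      "owner": "ecommerce"},
    "web-02": {"internet_facing": True,  "data": "public",   "owner": "marketing"},
    "fs-01":  {"internet_facing": False, "data": "PII",      "owner": "hr"},
    "dev-07": {"internet_facing": False, "data": "internal", "owner": "engineering"},
}
DATA_WEIGHT = {"PCI": 3, "PII": 3, "PHI": 3, "internal": 1, "public": 0}
EXPOSURE_WEIGHT = 3   # added when the host is reachable from the internet

# Constructed scan output as (host, Qualys ID) pairs.
FINDINGS = [
    ("web-01", 38601), ("web-01", 38603), ("web-02", 38628),
    ("fs-01", 90043), ("fs-01", 90080), ("dev-07", 105458),
    ("dev-07", 38623), ("unknown-99", 38601),
]


def score(host: str, qid: int) -> int | None:
    """Severity plus exposure plus data sensitivity; None when the host is not inventoried."""
    asset = ASSETS.get(host)
    if asset is None:
        return None
    exposure = EXPOSURE_WEIGHT if asset["internet_facing"] else 0
    return SEVERITY.get(qid, 1) + exposure + DATA_WEIGHT[asset["data"]]


def prioritise(findings):
    """Return (ranked [(score, host, qid)], sorted hosts missing from the inventory).

    Hosts the inventory does not know about cannot be prioritised at all, which is the
    report's point: visibility of assets comes first.
    """
    ranked, unknown = [], set()
    for host, qid in findings:
        s = score(host, qid)
        if s is None:
            unknown.add(host)
        else:
            ranked.append((s, host, qid))
    ranked.sort(key=lambda r: (-r[0], r[1], r[2]))
    return ranked, sorted(unknown)


def work_queue(ranked):
    """Group the ranked findings by owning team so each team gets its own ordered list."""
    queue = defaultdict(list)
    for s, host, qid in ranked:
        queue[ASSETS[host]["owner"]].append((host, qid, s))
    return dict(queue)


if __name__ == "__main__":
    ranked, unknown = prioritise(FINDINGS)
    for team, items in work_queue(ranked).items():
        print(team, items)
    print("not in inventory:", unknown)
```

With the sample data the two SSL findings on the internet-facing PCI host outrank the higher-severity OpenSSH and EOL findings on the internal development box, and unknown-99 is reported as needing inventory before anything else.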

40. https://www.wired.com/2014/10/poodle-explained/
41. https://blog.qualys.com/ssllabs/2013/09/10/is-beast-still-a-threat

Denial of Service (DoS) attacks leveraging the Internet of Things (IoT)

DDoS Overview

Distributed Denial of Service (DDoS) attacks are an attempt to make an online service unavailable by overwhelming it with traffic from multiple compromised devices. DDoS attacks are growing significantly year-on-year, with Imperva experiencing 100 per cent [42] growth of both Network and Application layer attacks and Akamai seeing a 71 per cent increase in total DDoS attacks globally. [43]

One of the main drivers behind this is the increasing use of DDoS-for-hire services that enable anyone to launch attacks for as little as US$5 per minute. [44] The ease of access to these services means that anyone can launch an attack, from cyber criminals and activists to disgruntled customers or employees, which means that any business is a potential target. Cyber criminals can easily turn a profit by sending DDoS extortion requests for Bitcoin payments and using DDoS-for-hire services to launch their attacks. Criminal perpetrators of DDoS attacks often target services on e-commerce web servers, which can lead to a loss of sales revenue, business disruption and reputational damage, and in some cases the attacks are even used to hide network breaches and the extraction of sensitive data. The waves of DDoS attacks are likely to increase in volume and quantity with the advent of new malware targeting unsecured internet-enabled devices that can be used to launch these attacks. According to our survey in 2016, 59 per cent of Australian businesses experienced a DDoS attack on at least a yearly basis and reported a recovery time within 30 minutes (36 per cent). 68 per cent of Asian businesses experienced a DDoS attack on at least a yearly basis. 43 per cent of respondents in Asia indicated that the time to recover from these attacks was within 30 minutes.

New DDoS Attack Utilising IoT Devices

On the 20 September 2016, the website of cyber security writer and blogger Brian Krebs (www.krebsonsecurity.com) was on the receiving end of a 623 Gbps attack, the biggest attack that Akamai had ever mitigated to date, which used IoT

42. https://www.imperva.com/docs/gated/2015-16-DDoS-Threat-Landscape-Report.pdf
43. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q3-2016-state-of-the-internet-security-report.pdf
44. https://www.imperva.com/docs/gated/2015-16-DDoS-Threat-Landscape-Report.pdf



devices including CCTV cameras, Digital Video Recorders (DVRs) and routers to launch the attack. [45] Subsequently, on 30 September 2016, a HackForum user by the name of Anna-senpai leaked the source code for the botnet malware behind this attack, called Mirai. [46] Imperva found that Mirai botnets were also behind a similar GRE DDoS attack on 17 August with peak network/application layer attacks of 280 Gbps and 130 Mpps. Imperva uncovered 49,657 unique IPs in 164 different countries with Mirai-infected devices.

Mirai is a piece of malware that infects IoT devices and is used as a launch pad for DDoS attacks from a remotely distributed Command and Control (C&C) system.

1. Mirai performs wide-ranging scans of IP addresses to locate unprotected IoT devices that are remotely accessible.

2. The next stage is to use a brute force login technique for guessing passwords based on a dictionary list of more than 60 default usernames and passwords to gain remote access to the device.

3. Once it has control, it has several scripts that eradicate other malware and prevent other malware from hijacking the device by prohibiting remote connections.

4. Mirai's attack function enables it to launch application and various network (OSI layer 3-4) DDoS attacks at its intended target by its C&C system. [47]

Juniper performed audits of firewall configurations and identified that approximately 30-35 per cent of hosted customers have created security policies to explicitly permit all telnet traffic from the untrusted internet. This could allow a threat actor to obtain remote admin access to their infrastructure using a similar brute force login technique to obtain an appropriate username/password, and is not a recommended security practice.

45. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q3-2016-state-of-the-internet-security-report.pdf
46. https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
47. https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html



Network DDoS attacks in APAC region (Imperva)

[Chart: SYD inbound traffic over 1 day 1 hour 13 minutes (02.02 to 03.02), y-axis 0 to 300 Mbit/s, hourly ticks from 10:00 through 12:00 the following day.]

                   last           min             avg            max
In bit/s (avg)     4.86 Mbit/s    257.32 Kbit/s   7.99 Mbit/s    51.39 Mbit/s
In bit/s (avg)     34.4 Mbit/s    8.04 Kbit/s     61.89 Mbit/s   342.35 Mbit/s



How to Prevent the Spread of IoT Botnets

Everyone can take precautions to prevent their IoT devices from being hijacked by malware and used in DDoS attacks:

Purchase IoT devices from reputable manufacturers that provide regular security upgrades/patches on their website to mitigate new security vulnerabilities.

Update administrator usernames and passwords so that they are strong and unique.

Disable remote access to your devices and block/close unauthorised access using the following protocol ports, but not limited to: SSH (22), Telnet (23) and HTTP/HTTPS (80/443).

Universal Plug and Play (UPnP) and other similar technologies should be disabled on home routers and modems, as they automatically program some firewalls which support this technology and pose a potential security risk.

Perform updates/patching and review changes in features and settings on a regular basis for IoT, as per any other computer on your network.

Ensure staff responsible for Electronic Security and Physical Security are educated on the precautions required when purchasing and deploying security devices such as IP-enabled surveillance cameras.

Network DDoS Attacks

DDoS attacks have increased by 211 per cent year-on-year. This may be due to the increasing use of DDoS-for-hire services, and these account for 90 per cent of all network-based attacks. [48] According to Imperva, the majority of these network attacks are under 30 minutes in duration in the Asia Pacific region (60 per cent). The largest network attack seen by Imperva peaked at 470 Gbps, but many attacks were over 200 Gbps and are becoming more frequent. [49] The largest network attack seen in APAC by Imperva peaked at 342 Mbps.

Application DDoS Attacks

According to Imperva, 46 per cent of all targeted APAC businesses were attacked more than once by application layer attacks and 10 per cent were attacked more than five times. The increase in multiple attacks could be linked to the use of hit-and-run tactics, such as consecutive bursts launched against a target over a long period of time to:

Exhaust mitigation teams by keeping them on high alert around the clock for weeks.

Force prolonged activation of on-demand mitigation solutions, often leading to service degradation.

Create a state of stress and confusion to draw attention away from other malicious activities (e.g. network breach, data extraction, etc.).

The largest application attack seen by Imperva peaked at 80,065 requests per second (RPS) in APAC and 268,000 RPS globally. This is large when you compare it to the fact that most servers can only handle a few hundred RPS. Compared to network layer assaults, it requires far fewer botnet resources to launch application layer attacks, and as a result 31 per cent of application attacks in APAC last longer than one hour according to Imperva (compared to 44 per cent globally). Three vectors account for 95 per cent of all web application attacks: SQL Injection (SQLi), Local File Inclusion (LFI) and Cross-Site Scripting (XSS), and the majority of web application attacks continue to take place over HTTP (68 per cent) as opposed to HTTPS (32 per cent). [50]

How to Mitigate DDoS Attacks

Engage with DDoS prevention specialists to put together a DDoS incident response plan:

Incorporate business continuity plans into your response plan to ensure that the restoration time frames meet the business requirements.

Ensure that your key stakeholders (security, operations and customer service groups) are engaged so that if a DDoS attack does strike everyone understands their role, to ensure there is a co-ordinated response to the attack.

Communication during an attack is essential so that customers, staff and affected third parties know that you have control of the situation.

Ensure that the plan protects against both network and application DDoS attacks, and test these plans on a regular basis.

The IoT botnet threat has now become a reality, and Mirai has shown how easy it is to take advantage of poor security practices within a range of consumer appliances. There are many more IoT devices, such as toys, household appliances and IP-enabled surveillance cameras, which may have similar vulnerabilities and will prove tempting for malware developers. It is highly likely that malicious actors are now working to understand how they can capture their own huge botnet of IoT to create the next tsunami of DDoS attacks. There is also the potential for a range of new types of security breaches: if IP-enabled surveillance cameras and electronic access systems are exploited, then the potential losses are even greater and could extend beyond network downtime and data losses to the loss of physical assets as well. The manufacturers of these consumer-grade electronics are connecting them to stream data on the internet, but many are omitting to build the appropriate security controls and software that can be updated and patched to address new security vulnerabilities. [51]
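The Juniper finding earlier in this section (policies that explicitly permit all telnet from the untrusted internet) and the port list in the IoT precautions above can be turned into a rulebase audit. The following is an added example, not code from the report or from Juniper: it parses a constructed, vendor-neutral rule format and reports every rule that lets SSH, Telnet, HTTP or HTTPS through from an untrusted zone into a zone holding devices, honouring first-match order so that permits shadowed by an earlier deny are not reported. The rule format, zone names and sample rules are assumptions.

```python
"""Audit a firewall rulebase for the exposure that lets Mirai-style scanners in.

Added example, not from the report or Juniper's audit. The rule format is a constructed,
vendor-neutral one ("name from-zone to-zone src dst proto port action") and the zone
names and sample rules are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Ports the report's recommendations name for closing off remote access to devices.
REMOTE_ADMIN_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}
UNTRUSTED_ZONES = {"untrust", "internet"}   # assumption: zones facing the public internet


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    src: str
    dst: str
    proto: str
    port: Optional[int]   # None means any port
    action: str


def parse_rules(text: str) -> list[Rule]:
    """Parse the constructed rule format; blank and '#' lines are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, fz, tz, src, dst, proto, port, action = line.split()
        rules.append(Rule(name, fz, tz, src, dst, proto,
                          None if port == "any" else int(port), action))
    return rules


def audit(rules: list[Rule], device_zones: set[str]) -> list[tuple[str, str, int, str]]:
    """Return (rule name, service, port, permitted source) for every rule that lets a
    remote-admin port through from an untrusted zone into a device zone.

    First-match semantics are assumed: a 'deny' from any source earlier in the rulebase
    shadows later permits for that port, so those are not reported. Destination address
    matching is ignored for simplicity.
    """
    findings = []
    for port, service in REMOTE_ADMIN_PORTS.items():
        for r in rules:
            if r.from_zone not in UNTRUSTED_ZONES or r.to_zone not in device_zones:
                continue
            if r.port not in (None, port):
                continue
            if r.action == "deny" and r.src == "any":
                break
            if r.action == "permit":
                findings.append((r.name, service, port, r.src))
    return findings


# Constructed rulebase. 'allow-telnet' is the pattern Juniper found (telnet permitted from
# anywhere); 'vendor-ssh' is narrower but still an internet-reachable admin path;
# 'allow-http' is shadowed by the deny above it.
SAMPLE_RULES = """\
# name         from     to    src            dst           proto  port  action
allow-web      untrust  dmz   any            10.0.1.10     tcp    443   permit
allow-telnet   untrust  iot   any            any           tcp    23    permit
vendor-ssh     untrust  iot   198.51.100.7   10.0.5.0/24   tcp    22    permit
deny-http      untrust  iot   any            any           tcp    80    deny
allow-http     untrust  iot   any            any           tcp    80    permit
lan-ssh        trust    iot   10.0.0.0/8     any           tcp    22    permit
"""

if __name__ == "__main__":
    for name, service, port, src in audit(parse_rules(SAMPLE_RULES), {"iot"}):
        print(f"{name}: {service}/{port} permitted from {src}")
```

Against the sample rulebase the audit of the iot zone reports vendor-ssh and allow-telnet; allow-http is suppressed by the preceding deny and lan-ssh is ignored because it originates from a trusted zone.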

48. https://www.imperva.com/docs/gated/2015-16-DDoS-Threat-Landscape-Report.pdf
49. https://www.imperva.com/docs/gated/2015-16-DDoS-Threat-Landscape-Report.pdf
50. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q3-2016-state-of-the-internet-security-report.pdf
51. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q3-2016-state-of-the-internet-security-report.pdf



Security incidents and business impacts

Frequency of security incidents and future threats

Security incidents are continuing to hit headlines across the world, with a number of high-profile data breaches announced in 2016. Not surprisingly, C-suite managers and boards of directors are beginning to understand the importance of implementing appropriate cyber security controls to mitigate these types of incidents and are increasingly taking more responsibility.

Our research found 59 per cent of respondents from both Australia and Asia indicate that their business is impacted by at least one security incident on at least a monthly basis. A small percentage (~one per cent) of organisations indicate that their business is never impacted by any security incident.

Phishing email attacks and Business Email Compromise (BEC) are the top two incident types occurring on a weekly basis in Australia. In Asia, virus/malware outbreak is the top incident type reported on a weekly basis. Phishing email attacks are selected as the second highest amongst Asian organisations surveyed, with the exception of Singapore, who ranked phishing emails as the highest weekly occurring security incident impacting their businesses. Weekly attacks are reported as impacting Asian organisations more regularly than Australian organisations.

Respondents from both Australia and Asia highlight that external hackers, followed by criminal syndicates and then employees, are the greatest potential threat to their organisations in the future.

Occurrence of business impacting security incidents in 2016, Asia and Australia

             Weekly   Monthly   Quarterly   Half-yearly   Yearly   Rarely   Never   Unsure
Asia         37.5%    21.2%     16.3%       9.1%          9.6%     4.8%     1.4%    0%
Australia    33.6%    25.0%     17.1%       9.9%          7.2%     3.9%     1.3%    2.0%



[Chart: Occurrence of business impacting security incidents in 2016, Asia and Australia (%). For each incident type the chart gives, for Asia and for Australia, the share of respondents answering Yes (weekly, monthly, quarterly, half-yearly, yearly, rarely), No (never) or Don't know/Unsure. Incident types: Virus/malware outbreak; Web application attack; Vulnerability of unpatched systems; Ransomware attack; Phishing email attack; APT attack; DDoS attack; Employee actions - human error (unintentional); Employee actions - malicious motives (intentional); Identity theft; Business Email Compromise (BEC). Per-cell percentages omitted.]

Potential sources of future threats, Asia and Australia (%)

Source                   Asia    Australia
Nation state             14.4    15.1
Customers                16.3    13.2
Business partners        21.6    15.1
External contractors     33.2    21.1
Employees                34.6    30.9
Criminal syndicates      50.5    33.6
External hackers         59.6    52.6


Business Impacts
Among Asian respondents, the time taken to recover from APT attacks has become significantly slower when compared to 2015. Enterprises in Asia are facing challenges in recovering from any attack, with an increase in the number of attacks that require a recovery time of more than 24 hours across all types of attacks in 2016. These results indicate that remediation and recovery from an APT attack is becoming more complex. The research from Mandiant indicates the extent of the remediation activity required to remove these threats: the average number of compromised machines was 78 and the average time the compromises went undiscovered was 17 months.52

Australian respondents have indicated that both APT and DDoS recovery times in 2016 have slowed when compared to 2015. This may be attributed to the increased sophistication of APTs in Australia, the increased volume of network based DDoS attacks, and the multiple instances of application based DDoS attacks on targeted businesses in the APAC region. According to Imperva, 46 per cent of all targeted APAC businesses were attacked more than once by application layer attacks.

[Chart: Recovery time for business-affecting new security incidents in 2016, Asia and Australia. Pie charts for ransomware attack and Business Email Compromise (BEC) showing the share of Asian and Australian respondents in each recovery-time band: <1 minute; ≥1 minute <5 minutes; ≥5 minutes <30 minutes; ≥30 minutes <2 hours; ≥2 hours <5 hours; ≥5 hours <24 hours; ≥24 hours; Unsure/Don't know.]

52. https://www2.fireeye.com/m-trends-2016-asia-pacific.html


[Chart: Recovery time for business-affecting security incidents in 2016 compared to 2015, Asia and Australia. For each incident type (malware outbreak, human error, phishing email, web application attack, malicious motives, vulnerability/patching issues, APT, DDoS) the chart compares 2015 and 2016 responses from Asia and Australia across the recovery-time bands: <1 minute; ≥1 minute <5 minutes; ≥5 minutes <30 minutes; ≥30 minutes <2 hours; ≥2 hours <5 hours; ≥5 hours <24 hours; ≥24 hours; Unsure/Don't know.]


Whilst 15 per cent of respondents from Australia indicate loss of intellectual property as the most detrimental outcome of a security incident, 14 per cent of Asian respondents highlight corrupted business data and 13 per cent highlight reputational loss as the most detrimental outcome of a security incident.

Compared to Asia, Australian organisations surveyed tend to pay more attention to the protection of IP. In general, organisations in both Australia and Asia have to pay greater attention to the series of events that may result in reputational loss when there is a data breach, such as web defacements, discovery of leaked company files and customer data dumps, and lawsuits with negative press coverage. It is vital that companies put in place incident response plans tailored to address each potential incident. Examples seen recently are enterprises investing in cyber insurance and associated incident response services to mitigate bad publicity in the event of a data breach.

[Chart: Top business impacts of security incidents, Asia and Australia. Share of Asian and Australian respondents naming each of the following as the most detrimental outcome: revenue loss, losing customers, psychological stress to workers, productivity loss, corrupted business data, loss of jobs for key executives, distrust from consumers and/or partners, reputational loss, lawsuits, massive fines to be paid to authorities, loss of intellectual property.]

According to our survey, 88 per cent of respondents in Australia and 91 per cent in Asia either have, or are in the process of developing, an incident response plan. Most of these respondents have indicated that they conduct a review and test of their plans on a regular basis, the most common being quarterly. Regular testing and reviews of incident response plans for all the business impacting security incident types are recommended to reduce recovery times, to reduce the impacts to your business processes and to ensure business continuity. The incident response plan also needs to manage communications for key stakeholders and manage notifications to affected parties where private data is compromised.

Incident response plan in place and frequency of testing and review, Asia and Australia

Incident response plan in place      Asia     Australia
Yes                                  81.8%    66.4%
It is currently being developed       9.1%    21.7%
No                                    9.1%    11.8%

Frequency of testing and review      Asia     Australia
Monthly                              30.6%    30.7%
Quarterly                            47.6%    42.6%
Half-yearly                           5.3%     9.9%
Yearly                               16.5%    12.9%
Rarely                                0.0%     4.0%


Security incidents in Australia

Australian Government

Between 1 January 2015 and 30 June 2016, the Australian Signals Directorate (ASD), as part of the Australian Cyber Security Centre (ACSC), responded to 1,095 cyber security incidents on government systems that were serious enough to warrant operational responses. The good news is that the number of incidents is reducing due to improved security awareness and government organisation improvements in managing low level cyber security incidents. Australian Government organisations are required to report incidents to improve ACSC's understanding of the threat and to gain experience to assist other organisations facing similar threats.53

Australian Industries

Between 1 January 2015 and 30 June 2016, CERT (Computer Emergency Response Team) Australia responded to 14,804 cyber security incidents affecting Australian businesses, 418 of which involved systems of national interest (SNI) and critical infrastructure (CI). CERT relies on the voluntary self-reporting of cyber security incidents from a wide variety of sources both in Australia and internationally. This assists ACSC to develop a better understanding of the threat environment and will be used to assist other organisations who are also at risk.54

According to CERT Australia, the energy and communications sectors had the highest number of reported compromised systems. The banking and financial services and communications sectors had the highest incidence of DDoS activity and the energy and mining/resources sectors had the highest number of malicious emails being received.

Incidents affecting Systems of National Interest (SNI) and Critical Infrastructure (CI) by Industry Sector55

Sector                             Share
Energy                             18.0%
Banking and financial services     17.0%
Communications                     11.7%
Transport                          10.3%
Mining and resources                8.6%
Other                               6.4%
Information technology              6.0%
Defence industry                    5.5%
Water                               2.9%
Education and research              2.6%
Food and agriculture                2.6%
Legal and professional services     2.4%
Manufacturing                       2.2%
Health                              1.9%
Retail                              1.9%

53. https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf
54. https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf
55. https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf


Financial impacts due to privacy data breaches

The financial impacts for all the different types of cyber security incidents are difficult to quantify, as the extent of an incident and the business impacts can reach far and wide and require an in-depth analysis and investigation of both the incident and associated costs. The full costs of an incident may include brand and reputation damages, PR costs, investigation, incident response services, IT infrastructure repairs, defence and legal fees, regulatory penalties and fines, ransom demands, business interruption and loss of revenue, loss of customers, loss of IP, public apologies and incident notifications to impacted customers/staff/organisations and the privacy commissioner.

The Cost of Data Breach Study in Australia by Ponemon provides an insight into the costs and impacts due to the loss or theft of protected personal data. The study examined the costs incurred by 26 Australian companies after the loss or theft of protected personal data. These costs are based on estimates due to actual data loss incidents over a 10-month period. A$2.64 million is the average total cost of the data breach within Australia, which is good news when compared to the average cost in 2015 of A$2.82 million and the global average total cost of a data breach of US$4 million. The number of breached records per incident ranged from 4,000 to 68,700 records. The average number of breached records in 2016 was 19,663. The average size of a data breach increased slightly compared to the previous year's results, with two per cent more records lost or stolen, but Australian companies were more successful in retaining customers following a data breach.56

Lost business costs were significantly higher in the US at US$3.97 million compared with Australia at US$0.78 million, which included the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. Post data breach response costs were higher in the US at US$1.72 million compared to Australia at US$0.59 million, which included investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions. The detection and escalation costs were lower for the US compared to Australia, at US$0.73 million compared to US$0.86 million respectively, for forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors.57

Notification costs in Australia (US$0.06 million) were much lower when compared to the United States (US$0.59 million).58 This may be due to the mandatory breach notification legislation in the US compared to Australia, which did not have this legislation in place when this report was compiled.

Improvements in prevention activities like cyber security governance programs, appointment of a CISO, employee training and security awareness programs, business continuity management, data loss prevention solutions, encryption and deployment of advanced end point security solutions and incident response plans go a long way to reduce the likelihood of breaches occurring and the subsequent costs. A number of organisations are looking into purchasing cyber security insurance to mitigate cost impacts if a breach occurs. Research from Telstra's cyber security report in 2016,59 found that 11 per cent of Australian organisations indicated that they were interested in purchasing cyber insurance, but were unsure how to go about it.

New data breach notification legislation

On the 13th February 2017, the Australian senate passed new laws that will require businesses and government agencies governed by the Privacy Act to notify the Privacy Commissioner and affected customers and individuals if they have experienced a data breach.60 In particular, the notification requirements apply to data breaches where unauthorised access, disclosure or loss of personal information is likely to result in serious harm to the individual.

As these data breach notification laws take effect and are implemented into the business processes and cyber security practices of Australian businesses and government agencies, it will be interesting to monitor their impact on cyber security awareness, accountability, incident response, and the cost and reputational impact of security incidents in future.

56. http://www-03.ibm.com/security/au/data-breach/index.html
57. http://www-03.ibm.com/security/au/data-breach/index.html
58. http://www-03.ibm.com/security/au/data-breach/index.html
59. https://www.telstra.com.au/business-enterprise/campaigns/cyber-security-report
60. Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth), amending the Privacy Act 1988 (Cth).

Security drivers and investment decisions

Increases in IT security budgets are driven by the increased stakeholder engagement on security initiatives and security incidents by C-level executives.

IT Security Investment

To participate in our survey, respondents were required to have either some involvement in or be primarily responsible for IT security budget decisions. 62 per cent of Australian respondents and 79 per cent of Asian respondents indicated that they are the key decision maker for the IT security budget. The majority of surveyed respondents in both Australia and Asia have indicated that they will increase their IT security spending within the next 12 months.

Our survey results indicate that 48 per cent of Australian and 68 per cent of Asian organisations will increase IT security spending by more than 10 per cent in 2017. The majority of Asian respondents in 2016 indicate that they are looking to increase their IT security spending, most commonly by 11 per cent to 15 per cent. According to our survey, 24 per cent of organisations in Australia have indicated that they will increase their IT spending by six per cent to 10 per cent.

The percentage of Australian respondents expecting to decrease their IT security spending has fallen significantly from six per cent in 2015 to one per cent in 2016. Only four per cent of organisations in Asia have the same IT security budget as 2015, which is significantly lower compared to the 17 per cent of organisations in Australia with the same budget constraints. According to our research, 41 per cent of organisations surveyed in Australia and 36 per cent in Asia set aside four per cent to five per cent of their total IT expenditure for IT security.

[Chart: Ownership of security budgets from respondents in Australia and Asia (%). Respondents chose one of: I am the key decision maker for our organisation's overall IT security budget (regional, including Australia); I am the key decision maker for our organisation's overall IT security budget (local office only); I am involved in the decision making of our organisation's IT security budget (regional, including Australia); I am involved in the decision making of our organisation's IT security budget (local office only).]


[Chart: Forecast IT security budget for next 12 months (2016 vs 2015), Asia and Australia (%). Responses from Asia and Australia in 2016 and 2015 across the bands: increase more than 25%, increase 21-25%, increase 16-20%, increase 11-15%, increase 6-10%, increase 1-5%, remain about the same, decrease 1-5%, decrease 6-10%, decrease 11-15%, decrease 16-20%, decrease 21-25%, decrease more than 25%.]

The increased adoption of incident response drives the growth of the after breach market.

In Australia, the highest usage for emerging security solutions is in incident response, and Cloud Access Security Brokers (CASB) are used the most in Asia. 47 per cent of organisations surveyed in Australia and 55 per cent in Asia have adopted incident response toolsets or services. The adoption of incident response services is likely to increase in Australia with the recent announcement of legislation around mandatory data breach notification by the Australian Government. There is an increasing number of incident response tools and incident response services on offer to organisations and government departments, which may be due to the high profile announcements of a number of data breaches and the negative impacts to reputation and customer confidence. This may have increased the adoption of and investment in incident response tools and services due to the heightened awareness among C-level executives of the need to manage these security breaches. In terms of technologies under consideration for purchase, threat intelligence services take the lead in Australia and Next Generation Endpoint security is popular in Asia.

User and Entity Behaviour Analytics (UEBA) is the tool of choice for mitigating the rising issue of internal threats. When comparing UEBA to other emerging areas such as CASB, the adoption level is lower, possibly due to the fact that certain service providers offer Security Incident and Event Managers (SIEMs) with built-in UEBA functionalities. However, the fact that human error ranks as the second highest cloud adoption concern amongst Australian enterprises is indicative of the risks due to insider threats. Thus, weak adoption of UEBA is possibly a sign of a lack of awareness of effective tools that can mitigate this risk, but may also be due to the assumption that UEBA is being delivered as part of their SIEM service. It is also worth noting there is an opportunity to use electronic security device data to enable more inherence-based authentication processes, as well as advancing analytics capabilities in video surveillance, including facial recognition applications.

[Chart: IT security budget / Total IT expenditure, Australia and Asia (%). Share of Asian and Australian respondents whose IT security budget is less than 1%, between 1-3%, between 4-5%, between 6-7%, between 8-10%, or more than 10% of total IT expenditure.]


Investments in emerging security solutions, Asia and Australia

Solution                             Region   Currently using   Considering using   Not currently using
Cloud Access Security Broker         Asia     65.4%             29.8%                4.8%
                                     Aus      42.1%             41.4%               16.4%
Application security testing         Asia     57.7%             36.5%                5.8%
                                     Aus      39.5%             37.5%               23.0%
SIEM / Security analytics            Asia     56.3%             38.5%                5.3%
                                     Aus      37.5%             41.4%               21.1%
Incident response                    Asia     54.8%             40.9%                4.3%
                                     Aus      46.7%             34.9%               18.4%
Threat intelligence services         Asia     53.8%             38.5%                7.7%
                                     Aus      37.5%             46.1%               16.4%
Cyber-security insurance             Asia     53.8%             38.5%                7.7%
                                     Aus      43.4%             34.9%               21.7%
BYOD management                      Asia     51.9%             40.4%                7.7%
                                     Aus      40.1%             38.2%               21.7%
Next Generation Endpoint Security    Asia     45.2%             51.4%                3.4%
                                     Aus      31.6%             44.1%               24.3%
User and Entity Behaviour Analytics  Asia     45.2%             47.1%                7.7%
                                     Aus      28.9%             42.1%               28.9%

The majority of respondents from Australia and Asia indicate that they already have or are currently implementing cyber security initiatives related to training and resourcing. Cyber security technical training for IT staff and cyber security awareness training for employees were chosen as the top initiatives by respondents from both Australia and Asia. A number of organisations may not have plans to hire cyber security experts as they may be sourcing this function from Managed Security Service Providers (MSSPs). The organisations who are not planning to invest in cyber security training for business partners/suppliers may be utilising other security initiatives to control these risks, such as the use of access controls for systems and data, contractual controls or security audits for business partners/suppliers.

Cyber security awareness training is moving beyond the enterprise and into the supply chain.

The survey reveals that both Australian and Asian respondents are looking to provide cyber security training and



Implementation stage of the following resource and training cyber security initiatives, Asia and Australia

Initiative                                                        Region   Already in place   Currently implementing   Planning to implement in the next 12 months   Not planning to implement
Hiring cyber security experts                                     Asia     36.5%              36.5%                    21.6%                                          5.3%
                                                                  Aus      32.9%              27.6%                    21.7%                                         17.8%
Cyber security technical training for IT staff                    Asia     45.2%              35.6%                    17.8%                                          1.4%
                                                                  Aus      33.6%              40.1%                    14.5%                                         11.8%
Cyber security awareness training/campaigns for employees         Asia     46.6%              37.5%                    14.9%                                          1.0%
                                                                  Aus      36.8%              37.5%                    17.8%                                          7.9%
Cyber security awareness training/campaigns for business          Asia     36.5%              41.3%                    17.3%                                          4.8%
partners/suppliers                                                Aus      25.0%              37.5%                    21.1%                                         16.4%

campaigns to their business partners and suppliers. Organisations may want to weigh up the costs and benefits of different approaches to mitigate cyber security risks with their business partners/suppliers, and whether other security initiatives may be more suitable, or a combination of initiatives like the use of access controls for systems and data, contractual controls, security audits and/or cyber security awareness training.

Cloud-based and managed security services are expected to grow due to the strong interest indicated in the Asia Pacific study.

There is a strong uptake of cloud-based and managed security services by organisations in Asia and Australia, which indicates their popularity and an understanding of the value offered by these services. The majority of Australian and Asian respondents indicate that their organisations have either already implemented, or are currently implementing, all of the listed security services. Australian organisations indicated a higher percentage in not planning to implement compared to Asian organisations for all security services surveyed, which may be due to tighter budget constraints.


Implementation stage of the following security service initiatives, responses from Asia and Australia

Service                              Region   Already in place   Currently implementing   Planning to implement in the next 12 months   Not planning to implement
Advisory and Assessment services     Asia     31.7%              41.3%                    21.6%                                          5.3%
                                     Aus      28.9%              40.1%                    21.1%                                          9.9%
IR planning and management services  Asia     35.6%              40.9%                    21.6%                                          1.9%
                                     Aus      35.5%              28.3%                    25.0%                                         11.2%
Remediation/IR services              Asia     34.1%              43.8%                    19.2%                                          2.9%
                                     Aus      32.9%              36.8%                    21.1%                                          9.2%
Managed security services            Asia     44.7%              34.6%                    17.8%                                          2.9%
                                     Aus      30.9%              36.2%                    20.4%                                         12.5%
Cloud-based security services        Asia     47.6%              30.3%                    19.2%                                          2.9%
                                     Aus      32.9%              36.8%                    20.4%                                          9.9%
Threat intelligence services         Asia     28.4%              46.2%                    21.6%                                          3.8%
                                     Aus      28.3%              32.9%                    26.3%                                         12.5%
Security design and architecture     Asia     34.1%              37.0%                    25.0%                                          3.8%
                                     Aus      32.9%              32.9%                    24.3%                                          9.9%
Application security testing         Asia     35.1%              38.5%                    21.2%                                          5.3%
                                     Aus      30.9%              29.6%                    21.7%                                         17.8%
Compliance and framework services    Asia     38.5%              35.1%                    21.2%                                          5.3%
                                     Aus      34.2%              38.8%                    17.8%                                          9.2%


[Chart: Implementation stage of the following security solutions, responses from Asia and Australia. For each solution (cyber security technologies, endpoint security, user behaviour analytics, security forensics/SIEM and analysis tools, Cloud Access Security Broker, BYOD management) the chart gives the share of Asian and Australian respondents reporting the solution as already in place, currently implementing, planning to implement in the next 12 months, or not planning to implement.]


Summary
As the data collected in this year's survey indicates, more organisations are being successfully targeted by cyber security attacks than ever before, but it is not all bad news.

One of the interesting findings in this year's survey was the very large jump in C-level executives taking responsibility for security breaches in Australia. The jump from 19 per cent to 61 per cent is one of the largest year-on-year changes we have seen and is repeated for the rest of Asia, increasing from 35 per cent to 65 per cent.

There is a correlation in Australia between this increase and several key changes in the local regulatory and legislative environments. For example, in 2016 the Australian Government released a draft of the serious data breach notification legislation, which has since been ratified by both houses of parliament. Several key industry groups including ASIC and the AICD have been actively discussing this topic and the need for company directors and boards to take more responsibility for cyber security.

Whilst this is good news for organisations and individuals alike, as recently as September 2016 ASIC were publicly stating that boards are underprepared for cyber threats.62 The message here is that there is still room for improvement in addressing data breaches in organisations, but the majority of executives are at last taking responsibility for this problem.

As organisations evolve so do their adversaries. We are seeing cyber-criminal adversaries operating more regular business models. For example, malware/exploit kit developers have black market sales campaigns, licensing and maintenance programs to continue to evolve their products to evade detection by security defenders, to achieve successful infection rates, and to increase their illegal profits. They have also evolved to deliver service models like Ransomware-as-a-service and DDoS-for-hire services that can be used by affiliates or distributors to extract extortion payments from their victims. This is yet another reason why organisations must regularly review the efficacy of their cyber security strategies to ensure they still provide the organisation with appropriate cyber resiliency (which is the effective management of cyber risk).

There have been improvements in the resources companies can access to help guide their journey to higher resilience. More organisations are using cyber security frameworks, guidelines and standards such as the ISM, ISO27001 and NIST. These resources are being updated regularly and contain excellent advice that most organisations can apply to real world scenarios, such as which security controls to implement when using public cloud services.

When conducting business in the digitised world, integrating cyber-resilience into all aspects of the organisation and connected third parties is imperative. The data we have collected indicates that more organisations understand this. However, it is still early days for most in terms of transforming their operations and activities to ensure that cyber security is embedded into all their people, processes and technologies, so that their data and their customers' data, which is the oil of the digital age, is protected. Cyber security is everyone's responsibility and it needs to be built into the DNA of the organisation. How well organisations respond to this challenge may well be an indicator of how successful they will be in the future.

We hope you found this report informative and of value to you and your organisation and look forward to working with many of you to secure your business.

With well over 500 cyber security professionals across the Asia Pacific region, Telstra is well positioned to help organisations improve their cyber resiliency. To find out more about how we can help secure your business, please visit: www.telstra.com/enterprisesecurity

62. http://www.afr.com/technology/asic-says-boards-underprepared-for-cyber-threat-20160913-grfaoc



Acknowledgements

Telstra Contributions

Global Security Solutions.
Security Operations.
Corporate Affairs Communications.
Telstra Legal Services.
Enterprise Solutions Marketing.
Transport and Routing Engineering.

About Telstra Security Services

Managed Security Solutions:

As more security technologies are deployed within organisations, their monitoring and management becomes increasingly complex. To assist with this, Telstra can provide a suite of Managed Security Services that can supplement an organisation's internal capabilities. Our managed security services continue to evolve in response to the demand for new solution sets to secure against a continually evolving set of cyber security risks.

An integral part of this offering is the Telstra Security Operations Centre (TSOC), a dedicated monitoring facility that operates 24 hours a day, 365 days a year to detect malicious activity and help ensure ICT resources are not compromised.

Consulting Services

Telstra's teams of security consultants have been involved in the design, build and management of some of the largest and most complex networks in the country. This real-world experience means they understand the challenges faced by organisations and are well placed to provide advice and guidance on all security-related issues.

Telstra Consulting works with organisations across multiple sectors including Government, Finance, Utilities, Transport and Manufacturing. Each has different security needs, and Telstra Consulting experts are well placed to deliver the type and extent of support that is required.

For More Information

We can assist your organisation to manage risk and meet your security requirements. For more information contact your Telstra Account Executive or visit: www.telstra.com/enterprisesecurity for additional information about our security services.

Telstra Partner Contributions



Contact your Telstra Account Executive
Visit telstra.com/enterprisesecurity

2017 Telstra Corporation Limited. All rights reserved. The spectrum device is a trade mark of Telstra Corporation Limited. Telstra marks are trade marks and registered trade marks of Telstra Corporation Limited ABN 33 051 775 556.