The Non-Conventional Threat
Cyber Security Forum Asia
Singapore
3 December 2012, 10.50am
Cyber security and SNI protection in Australia
Dr Carolyn Patteson
Executive Director, CERT Australia
1|P age
[Acknowledgements]
Chair – Daniel Levy, Managing Director Asia,
IB Consultancy
Distinguished guests
Ladies and gentlemen
[Introduction]
It’s an honour to join you for this conference – and to be
presenting the keynote address.
CERT Australia places great value on the partnerships we
have with our colleagues in the Asian region.
And it’s always a pleasure to provide you with an update on
our latest activities in protecting Australia’s national
interests online.
[Cyber security in Australia]
One of the things I was asked to cover is cyber security in
Australia.
2|P age
And as I was thinking about our evolution, I realised that
over the last few years, we have come a long way.
But I would also suggest that we are still learning –
especially about business-government partnerships and
how we can really make the most of them.
So it was four years ago, almost to the day, that the then
Prime Minister delivered Australia’s inaugural National
Security Statement.
And while government agencies already had cyber security
responsibilities, the statement marked an important shift
– a line in the sand, if you like – by publicly acknowledging
that cyber security is a national priority.
The statement included these words ... …
The sophistication of our modern community is a
source of vulnerability in itself … …
This dependency on information technology makes us
potentially vulnerable to cyber attacks that may
disrupt the information that increasingly lubricates
our economy and system of government.
This acknowledgement then kicked off a whole-ofgovernment response to cyber security – in terms of both
policy and action.
3|P age
It brought together things we were already doing in the
government space, with a new focus on the importance of
protecting our corporate networks as well.
The emphasis on cyber security and cyber operations came
out in two key documents – the 2009 Defence White Paper
and Cyber Security Strategy.
The Defence White Paper affirmed the Government’s
commitment to the defence of Australia, as well as the
security and stability of the region.
It stated … …
In the past decade the growing importance of
operations in cyberspace has become more apparent.
Our national security could potentially be
compromised by cyber attacks … …
Therefore, we must focus on developing capabilities
that allow us to gain an edge in the cyberspace
domain … …
And the Cyber Security Strategy aimed to promote cyber
security and resilience – and protect Australian assets
from cyber threats, which had been and still are, assessed
as high.
The practicalities of making this happen involve a range of
Government agencies.
4|P age
In sum

the Department of the Prime Minister and Cabinet is
responsible for cyber security policy

the Australian Security Intelligence Organisation –
ASIO – focuses on cyber espionage

the Defence Signals Directorate – DSD – looks after
protecting government agencies

the Australian Federal Police – AFP – looks after cyber
crime

the Department of Broadband looks after cyber safety,
especially through the Stay Smart Online website, and

the Australian Communications and Media Authority
looks after SCAMwatch.
In addition, and integral to delivering the Cyber Security
Strategy, are two mutually supporting organisations – the
Cyber Security Operations Centre – the CSOC – and CERT
Australia.
CERT Australia is located in the Attorney-General’s
Department and our focus is on protecting critical
businesses and Australia’s national interests online.
5|P age
The CSOC is located in the Department of Defence and
incorporates staff from ASIO, DSD, CERT Australia and
the AFP.
Importantly, it enables the operational agencies to work
closely together, sharing information and protecting
government and critical business networks.
This of course, is a very simple breakdown of who’s who in
Australian cyber security – and what we do.
As I’m sure you can appreciate, in practice it is a tad more
complex.
But having generally set the scene, I’ll now talk more about
the work of CERT Australia.
[CERT Australia]
We were established in 2010.
We operate from Canberra and Brisbane, and work in the
CSOC with other key agencies including ASIO, the AFP and
DSD.
6|P age
Essentially, we provide big business with information
about cyber threats, and support in responding to cyber
security incidents.
By ‘big business’ I refer to critical sectors of the Australian
economy such as communications, banking and finance,
water and energy.
The term ‘systems of national interest’ refers to the super
set of this critical infrastructure.
If these systems were rendered unavailable or otherwise
compromised, it could cause major harm to Australia’s
economic prosperity, national defence and security.
In CERT Australia, we work very much on a trust basis and
have established partnerships with approximately 500
private sector organisations.
We run a 24/7 incident response capability to help
businesses, and to coordinate larger or upstream
responses in the event of serious cyber attacks.
We’re not a substitute for internal or commercial security
teams but rather, we help them on difficult or unbounded
issues that need a greater degree of response.
As the national CERT, we are the initial point of contact for
cyber security incidents impacting Australian networks.
7|P age
We are responsible for making connections between
sectors – which are integrally linked.
And we are the voice of reason.
If media reports distort the accuracy of a cyber security
situation – CERT Australia reports the facts.
A good example from earlier this year was the Flame virus.
It received quite a bit of media hype.
But in reality – there have been no reports of Flame
infections in Australia.
The malware does not self-propagate.
And most anti-virus products have been updated to detect
it.
This was the official advice issued by CERT Australia.
Having said that, are we perfect?
No.
But we have proved the value we add in helping protect
Australia’s national interests online.
8|P age
We are continually learning lessons and improving our
systems and processes.
And one of our key strengths is the relationship we have
with other government agencies and industry.
[Partnerships]
As Australia’s national CERT, we are at the centre of
government engagement with business on cyber security.
We know that developing effective partnerships – close
working relationships – is vital to countering cyber attacks
and boosting cyber resilience.
Of course, partnerships at the international level are also
vital to combatting cyber threats.
And we have close working relationships with our
international counterparts too.
This national and international teamwork is essential to
providing business with timely information on emerging
threats – and advice on mitigation.
As we all know, cyber crime is rapidly evolving.
9|P age
It is a constant challenge.
And cyber criminals are relentless in their pursuits to
disrupt business systems and operations.
Because of the range and pervasive nature of cyber threats,
no single organisation or country, can adequately
recognise and counter them.
That’s why cyber security requires a partnership approach,
nationally and internationally.
This is a fight we are definitely in together.
And it’s by working together that we will be better
positioned for prevention and response.
One of the most important aspects of a partnership
approach is sharing information.
This helps increase our respective and combined
understanding and awareness of cyber security threats.
Just recently, in September, some of my CERT Australia
colleagues and I came to Singapore, to co-chair the ASEAN
Regional Forum Cyber Incident Response Workshop.
10 | P a g e
It was well attended by representatives from around the
region, who were presented with a range of evolving
scenarios.
One of the top observations that we all shared was the
importance of effective working relationships – as well as
access to timely, high quality information.
[Threats]
So what are the cyber threats we face?
Well, in Australia we’re experiencing increasingly
sophisticated attacks on networks and systems in both the
public and private sectors.
Our security and intelligence agencies are now stating this
publicly.
And a significant amount of attacks against Australian
organisations appear to be economically motivated.
Some recent research estimates that for a large
organisation, the average cost is as much as $3.2 million
per year.1
1
October 2012 – research by Ponemon Institute – case studies with 33 Australian large companies
11 | P a g e
The threats come from a range of sources including
individuals, issue-motivated groups, organised criminal
syndicates and the intelligence services of some foreign
governments.
So far this year, CERT Australia has had more than 5,000
incidents reported to us.
Although perhaps a scarily high number, many of these
incidents are scans of firewalls or website defacements.
But at the higher end, we are seeing broad-based and
targeted attacks, as well as everything in between.
In broad-based attacks, the offenders send out a lot of wellknown generic attempts – a scatter approach if you like.
This is very cheap – but the return rate can be very low.
Some of these attacks can also be quite naïve – but just
because they appear simple, doesn’t mean they don’t work.
For example, the Nigerian money scam has translated well
from the paper world to the electronic one.
To most of us it’s obvious – but some people still fall for it.
12 | P a g e
Broad-based attacks can also include denials-of-service,
although we do see those targeted at particular sectors as
well.
As for sophisticated attacks, offenders send out a small
number of highly targeted and often very novel attempts to
compromise their intended victims.
We frequently see very carefully crafted emails that are
designed to get someone to open them.
This way the attacker can gain a foothold on the network
undetected, and then snoop around to extract valuable
company or client information.
A lot of these attacks are directed at senior managers and
their staff – because they’re the people who are likely to
have high levels of access to sensitive corporate and
operational information.
We’re also seeing trends in cyber incidents which show
that specific sectors can be targeted – rather than just
individual companies – depending on the type of activity.
This includes distributed denial-of-service – or DDoS –
attacks being used for extortion purposes.
13 | P a g e
Just recently, we’ve seen emails purporting to be from the
CEO going to the CFO asking for details of company
finances.
Of course, the email isn’t from the CEO and fortunately
this is fairly easy to spot.
But we have seen this form of attack targeting a particular
sector.
Earlier this year we received reports from a range of
Australian financial businesses that were being targeted by
denial-of-service attacks.
The companies had been called and threatened with an
attack against their websites unless a payment was made.
This type of attack can cause serious problems.
It can not only disrupt the companies’ online activities via
their websites, it can also stop clients from doing business
with them online.
Recently, we’ve also encountered a number of particular
malware attacks, which make for an interesting case study.
14 | P a g e
[Case study]
In late September, we received a series of calls from more
than 25 organisations being targeted by ransomware.
The attacks encrypted files on the compromised system
and/or locked the victim out of the desktop environment.
The attacks also encrypted files in the system backups.
The victims were then asked by the attacker to pay a fine
using a payment or money transfer service, to obtain the
codes that would unlock the computer and/or decrypt the
data.
In some cases, the ransomware included scareware,
displaying a fake warning screen, claiming that the victim’s
computer had been associated with criminal activity.
This was a tactic to discourage the victim from reporting
the attacks to law enforcement agencies or CERT Australia.
For example, one warning screen was set up to look like it
was from the Anti Cyber Crime Department of the Federal
Internet Security Agency.
There is no such agency.
15 | P a g e
In the majority of cases, the attackers used Microsoft
Remote Desktop Protocol as an entry point to the target
network.
This was possibly using authentication credentials
obtained by key loggers, or accessing systems with weak
credentials.
The severity of the damage done by the attacks varied
across the target organisations.
In the worst case scenario reported to us, one victim lost
15 years’ worth of critical business data.
That’s a serious compromise.
To provide some insight into how we work on these types
of issues, here’s a rundown of the actions we took.
Firstly, we worked directly with the affected organisation
to help it better defend against the attack.
Where the organisation had outsourced management of its
website, we worked with the service provider to help them
take steps to protect the affected network.
We worked with law enforcement locally because of the
criminal nature of the activity.
16 | P a g e
We also worked with Microsoft – sharing data and
analysis.
And we contacted our international CERT colleagues, as
the threat actors used infrastructure based overseas.
Unfortunately, as yet the actors have not been found.
They have been meticulous in hiding their tracks.
At this point, I’d like to note that the focus of CERT
Australia is on helping business detect and then respond to
attacks.
It’s not about tracing the attacker.
Attribution is really difficult.
Where you think something comes from may not be where
it actually comes from.
So, with the ransomware attacks, in addition to working
with the affected organisations, we also started to identify
others in Australia that had not yet reported the activity.
We contacted these organisations to warn them that the
attacks were happening in their sector.
And we gave them advice about how to protect themselves.
17 | P a g e
We also issued a guidance paper on the ransomware
threat, which we made publicly available on our website.
This case study highlights well the nature of CERT
Australia’s mission – it’s all about helping business best
prepare for and respond to cyber attacks.
We use our government, industry and international
partnerships to provide the most useful advice we can – as
soon as we can.
[Lessons Learnt]
So what lessons can we learn from the ransomware
incidents?
Well, it definitely reinforced the need for us to be
communicating with the law enforcement community.
These types of incidents tend to be reported to a range of
different organisations and agencies.
In Australia, we have federal government agencies, and
law enforcement agencies.
We also have state and territory government agencies, and
law enforcement agencies.
18 | P a g e
The organisations affected by these types of incidents can
contact one or more of these agencies.
We’ve found it’s only by communicating with others that
we can gain a clear understanding of the extent of the
problem, and also develop a consistent approach to
dealing with the problem.
This is one of the primary roles and strengths of a national
CERT.
We need to be the organisation that has contacts with
many others.
And we need to be the organisation that those who are
affected by cyber attacks feel comfortable talking to, and
seeking help from.
Sometimes it won’t be our role to help.
But we’re in a perfect position because of our contacts, to
know who can help.
We’re also finding that organisations are becoming more
aware and are getting better at protecting their systems.
This is something we consistently encourage and promote.
19 | P a g e
It’s important for an organisation to know its network,
understand the value of its information, and how it’s
protected.
This includes understanding enough to work out

how an attack got onto the network

what data may have been accessed, and

what needs to be done to increase the protections of
the network.
We also encourage critical businesses to partner with us
before they actually need us because of an incident.
By partnering with us – we can keep them informed about
potential threats – as well as assisting them with detection
and mitigation.
This leads me to talk in more general terms about lessons
learnt.
And I’d like to address expectation management.
It’s all very well to set up partnerships – but are the roles
of each party clearly understood?
20 | P a g e
For example, we find that some organisations expect us to
be their dedicated CERT.
We aren’t. And we won’t be.
This means we need to clearly and consistently make sure
our role is communicated and understood.
As the national CERT, we have a niche.
We’re able to provide information that is not available in
the public domain.
And we’re able to look for patterns or trends that a single
organisation may not see.
Basically, it takes time to get to know who’s who.
And it takes experience to build trust as a two-way street.
The fact is, that business-government partnerships are
hard.
They take constant work.
But – they are worth it.
21 | P a g e
[Cyber Crime and Security Survey]
So having talked about threat, and the criticality of
business-government partnerships, I’d now like to focus
on what we don’t know.
At the moment in Australia, we know there is a growing
impact of cyber crime and security incidents.
But the true extent of these evolving threats is difficult to
determine.
That’s why we recently conducted the Cyber Crime and
Security Survey, in collaboration with the Centre for
Internet Safety at the University of Canberra.
The survey was designed to help build a better picture of
how cyber incidents affect Australian business and our
economy.
While international reports and experiences are
informative, they don’t necessarily provide a clear picture
of what’s happening in Australia.
To ensure we had a representative sample, more than 450
organisations that work with us were contacted.
Analysis of the data is underway and the final report is due
soon.
22 | P a g e
Meanwhile, we do have some preliminary results.
Around 60 per cent of organisations contacted responded
to the survey.
This is a great response rate and reflects the trusted
relationships we have with our business partners.
Initial results also show that

more than 90 per cent of respondents deployed
firewalls, anti-spam filters and anti-virus software

two-thirds of respondents leveraged IT security related
standards

more than 20 per cent of respondents were aware they
had experienced a cyber incident in the last year, and

more than 50 per cent of respondents have increased
their expenditure on IT security in the last year.
It will be very interesting to see the final report and get a
better picture of our cyber threat environment.
[Conclusion]
To recap though, this is what we currently know for sure.
23 | P a g e
So far this year we’ve had more than 5,000 incidents
reported to CERT Australia.
Most of them are what we categorise as less severe.
But we do see more serious incidents too, including cyber
crime and state sponsored activities.
This is a good reminder that while some actors are hacking
for fun, there are others with much more sinister motives.
It’s now publicly acknowledged in Australia that cyber
operations is one of the most rapidly evolving threats to
our national security.
So what do we predict for the future?
In sum – we predict more.
More players, more tools, and more attacks.
This is not cause for panic.
It is cause for concern.
It’s why we must have strong business-government
partnerships.
24 | P a g e
It’s why we must have strong international partnerships.
And it’s why we must keep sharing important information
in regional forums such as this.
Thank you.
25 | P a g e