Fish tank in a modern hotel
Cyber Security | Enterprise |

The unassuming threat of IoT devices in Australian workplaces

By Gerhard Loots February 21, 2020

When thinking of objects in a business that pose a data security risk, a fridge or fish tank wouldn’t likely come to mind.

IoT continues to grow more and more ubiquitous, fuelled by the promise of greater efficiency and advanced insight. The idea of cyber-attack may prompt images of server rooms being hacked or company laptops being stolen, but the reality is with the rise of IoT connected devices, mundane objects pose one of the biggest risks for businesses’ IT security.

A recent 2019 Report explores key issues in data security and has identified the huge threat that the growth of IoT poses to businesses of all kinds. With an estimated 29 billion connected devices by 2022, it is imperative we understand the problem that these devices pose.

The weakest link

Through the research it became clear the number one challenge for security professionals for 2019 continues to be detecting and responding to incidents in a timely fashion. This is complicated by the increasingly important task of managing the impact of new technologies such as IoT. The report found that Australian businesses are failing to improve their security, with 89 per cent having had breaches go undetected, up 12 per cent since 2018. These new technologies are being neglected; the Security Report noted only 43 per cent of Australian businesses are currently protecting their IoT security.

With the prevalence of cyber security attacks, the focus is on well-established aspects of security that seem more dangerous. From pacemakers in hospitals to vehicles in fleets and the company watercooler, more and more ordinary objects are being outfitted with IoT capabilities. As this technology continues to disrupt industries, the mad sprint to stay connected is arriving at the expense of security.

In 2016 we saw this play out in spectacular fashion with the Mirai botnet. This botnet took a huge toll on the East Coast of the United States’ internet. The culprit of this unprecedented outage was simple – IoT enabled cameras. In a similar incident in 2017, a North American casino was hacked through their IoT connected fish tank. While having access to a fish tank may initially seem like an absurd threat, it is through these unassuming objects that cyber criminals are able to successfully infiltrate other businesses’ critical systems. A study by Qualys, referenced in the Cisco 2018 Annual Cybersecurity Report, found that 83 per cent of IoT devices now carry critical vulnerabilities and this weakness is an open door for an attack.

Cyber security team

Mind the gap

A key reason this figure is so high is external vendors are often needed to update devices. In many cases, there are no clear indications of who is responsible for securing IoT connected objects. As more devices and ‘things’ connect to the internet, managing potential backdoor breaches frustratingly grows in importance and equally in difficulty.

Many businesses fail to realise a high proportion of internet-enabled devices are sold without in-built security. Some even lack an operating system that can support the installation of security software. Gaping vulnerabilities are often built-in weaknesses known as ‘backdoors’ that allow remote access maintenance, as well as stock passwords that are readily available online. Consequently, criminals can easily install malware on these devices and program them for future use or enlist them in a global army of bots with minimal investment. To make matters worse, the recent 2019 Report revealed 22 per cent of APAC organisations either don’t have or don’t know if they have an incident response plan to address breaches.

Update required

One example of how these issues are being addressed at the federal level is in the UK. The UK government recently introduced new laws to curb this issue of IoT device security. The new regulations will introduce IoT guidelines for manufacturers of connected devices, with a mandatory labelling system to determine the security level of an IoT enabled device. If an item falls short of these standards, it may be prohibited from sale. Regulation of this kind represents a big step forward in managing IoT security and has the potential to set global precedence.

IoT devices are on average more vulnerable than traditional IT endpoints. To beef up IoT security companies should look to employ basic endpoint security features like anti-malware, intrusion prevention and antivirus to secure networks against the barrage of attack. Another option is device authentication for IoT devices. Digital certificates or two-factor authentication ensure nobody can gain unauthorised entry to a device. Endpoint hardening can even be as easy as upgrading a product or deploying basic security patches, as many devices are built totally unpatched. The benefits of connected devices are numerous and are a necessary tool for businesses to succeed in the future marketplace. Businesses need to ensure they are vigilant in monitoring devices coming into the workplace and understanding how secure they really are.

This article first appeared on CSO Australia Online in January 2020.

Colleagues meeting in collaboration with tablet at work
Cyber Security | Enterprise |

Ransomware considered one of the greatest threats to Aussie businesses

By Kate Healy February 11, 2020

Every day in offices across the globe, employees swiftly clear out their email inboxes, opening hundreds of messages and clicking on links without a second thought. Yet just one wrong click could expose a business to malicious ransomware and the ultimate dilemma – being forced to pay up or risk losing everything.

It’s an issue that is increasingly becoming an inevitable part of the modern business world. According to theTelstra Security Report 2019,among Australian organisations disrupted by a security breach in the past 12 months, 81 per cent indicated it was a ransomware attack they experienced.

Alarmingly, this figure has increased five per cent compared to 2018. The same report highlighted 32 per cent of Australian organisations had been interrupted ‘on a weekly or monthly basis’ by ransomware attacks.

The report’s findings are clear, ransomware attacks are happening to more businesses, more frequently. Phishing scams are just the tip of the iceberg when it comes to ransomware. In 2017 over two-thirds of CCTV cameras that monitored public areas in Washington DC stopped operating due to a ransomware attack. It was just eight days before the swearing-in of President Donald Trump and wreaked havoc on security plans for the impending inauguration.This increasing threat of ransomware creates an impossible choice for businesses.

Pay or get played

If you ask any government body globally what to do in the face of an attack, the advice would be the same – don’t work with cyber criminals and don’t make the payment. There’s a multitude of reasons why paying up could put your business in even more hot water.

If a cyber-criminal knows you’re willing to pay the price of an attack, it’s likely that you’ll become a regular target. Additionally, attackers often ask for funds in cryptocurrencies and securing that kind of payment can make your business even more at risk, possibly funding future criminal activity.

The biggest deterrent is that even if payment is made, there is no guarantee that you’ll ever see your data again. Despite all warnings from experts, Australian businesses continue to make payments, while experiencing less and less certainty around retrieving their data.

TheTelstra Security Reportrevealed over half of organisations that experienced ransomware attacks ultimately paid the ransom. Although the report revealed that 77 per cent of Australian businesses that paid a ransom were able to retrieve their data, this is a figure that has decreased by nine per cent since 2018. As ransomware payments become more common, the safe return of data is becoming more unlikely.

However, alarmingly, 79 per cent of respondents indicated they would pay the ransom again next time if there were no back-up files available.

So why are Australian businesses routinely admitting defeat and paying cyber criminals, even with the risk that they still may lose it all?

Face the fear

When faced with the options presented by a ransomware attack, it’s understandable that the cost of a significant data loss could pose a larger threat than a monetary lump sum. Beyond the payment of the ransom, is the costly threat of downtime and operational disruption to the supply chain. In a business context, even a minor disruption can incur major financial losses.

As a result, we see decisions driven by fear. Yet this is a fear that can be countered with the right expert advice and proper preparation.

Paying the ransom is never the answer. Businesses must continue to identify critical data and ensure regular offline backups and versioning is performed, so that the threat of a loss is lessened.

Regular security patching and updates for operating systems and applications will mitigate the risk of vulnerability to ransomware. Technical vigilance is just one piece of the puzzle; it’s important to consult with experts in the event of an attack, so you can understand your options and take the next steps towards securing your data.

In an increasingly digitally-led world, the threat of a ransomware attack is almost inevitable. It’s important not to let fear take over and put in place measures that will prevent an attack from proving catastrophic for your business.

This article first appeared on Australian Cyber Security Magazine in October 2019.

Cyber security control and monitoring
Cyber Security | Enterprise |

Partnering globally to counter malicious activity online

By Berin Lautenbach January 29, 2020

It’s well recognised that the internet has greatly reduced geographical limitations and as such, in cyber security we need to think globally.

International cooperation and strong partnerships are crucial to help positively shape the global cyber security ecosystem and help better protect our customer and networks from cyber threats.

Our heritage is proudly Australian, but we have a longstanding international presence. We operate in 20 countries outside of Australia and hold telecommunications licences in Asia, Europe and the Americas, as well as maintaining 2000 points-of-presence in more than 200 countries and territories globally.

Critical infrastructure providers, including Telstra, rely upon the stable and secure functioning of the internet to deliver essential services in Australia and populations across the world. As the interconnectedness of our technologies and society continues to grow, we need to take a community-based approach to cyber resilience.

That is why we have partnered with other leading global internet service providers (ISPs), multilateral organisations and the World Economic Forum’s Centre for Cybersecurity to identify the best practices for countering malicious activity online.

A new set of guiding principles, released at the World Economic Forum’s annual meeting in Davos last week, focuses on strategic actions network operators can take to strengthen their defences against malicious actors.

It includes practical advice and real-world case studies aligned to four key principles:

  1. Protect consumers by default from widespread cyber attacks and act collectively with peers to identify and respond to known threats
  2. Take action to raise awareness and understanding of threats and support consumers in protecting themselves and their networks
  3. Work more closely with manufacturers and vendors of hardware, software and infrastructure to increase minimum levels of security
  4. Take action to shore up the security of routing and signalling to reinforce effective defence against attacks

We are proud to work alongside the World Economic Forum and partner organisations to help make the internet a safer place, and fully endorse and support these four key principles.

We shared a case study of just one way we’re demonstrating our support and endorsement of the principles, detailing how we work with industry and government partners to identify and combat phishing campaigns that target all Australians. Email credential harvesting continues to be one of the most prevalent forms of phishing we see; using our threat visibility, we are able to provide actionable ecosystem-wide threat information that helps protect a range of Australian end users and organisations.

This is just one of the ways that we are working to exemplify the principles outlined in this document.

We will continue to collaborate with the World Economic Forum and partner organisations on initiatives supportive of the four key principles, including bespoke initiatives with global ISP peers which align to these principles.

Read the full report.

Man calling on his mobile phone from a cafe
Consumer | Cyber Security | Enterprise | Small Business |

A solution to reduce scam calls across Australia

By Michael Ackland September 16, 2019

Getting suspicious calls on your mobile from faraway countries or long-lost relations is nothing new – everyone is aware of phone scams. We believe there’s more that our industry can do to reduce the number of scam calls in Australia, and we know that a fix is well overdue.

Scam calls are frustrating, particularly to those who may fall prey to one or more of the scams currently in circulation. What might just seem like an annoying phone call for you can turn into money for scammers, too – whether it is through convincing you to share personal information that can then be used for fraud, or by engineering a call to a premium number that charges high rates.

A technology and industry solution

There are some things that telcos can do to reduce the number of scam calls that reach our customers. We don’t let our customers in Australia use fake numbers, for example, which makes it very difficult for scammers to operate from Australia. We also block calls using numbers that are known to be used for scam calling.  As an example of how prevalent scam is – we block millions of scam calls from reaching our customers each month.

We are also working hard with other carriers, and liaising closely with the ACMA and the ACCC, to better identify the sources of scam calls that still get through and then take appropriate action to disrupt and prevent those sources from scamming in future.

However, we cannot fix this on our own. We need all telcos, big and small, to work together to help identify the source of scams to resolve this situation and make Australia safer for everyone.

We are calling on all telcos to help our industry stop scam calls reaching our customers and proposing ways we can work together to fight this issue. If we can get this fixed, we’ll be able to significantly reduce the more than $500m Australians are expected to lose to scam this year.

Education to assist our customers

Man working on laptop in coffee shop on mobile phone

Until we have reached a consensus and implemented a solution, our customers can take steps to protect themselves in the interim. Everyone should understand how scams work so that they can understand when to hang up and not to call back.

There are three main phone scams currently popular around the world.

Getting you to call them back: Here, the scammer will call your mobile phone, making it look like the call has come from another country. Often the phone rings once or twice and then hangs up. In this scenario, particularly prevalent at the moment, if you do call the number back you’ll be placed on hold or play a recording. What you don’t know is that you’re calling a premium number which costs you a lot of money – and the profits go directly to the scammers. 

Getting your details: These scams are simply about trying to get access to your personal details. Scammers might call and claim to be from a major company (like Telstra) or government department (like the ATO) seeking to provide you with information. Before they can do that, they’ll ask you to complete an identity verification process by providing your personal information. They’ll use this information to try and access your bank account or online services to steal your money.

Variations of this scam include calls saying your computer has a virus and asking you to provide access so they can remove it. The scammer will then download your personal data or implant a virus that will collect data they can use at a later date to access your money or identity.

Getting you to pay for services: These scams are about convincing you that you owe a company money and that you must pay immediately. Often, the scammer will claim to be from a major utility or telecommunication company – scammers know the chances are high that you’ll get a call relating to a company where you have some services. Callers often talk in an aggressive manner or with a sense of urgency, or they may threaten to cut off your services, so you panic and pay immediately.

We know that education is only part of the battle because it is often our most vulnerable customers who are preyed upon by scammers. That’s why, in addition to operating our misuse of service and cyber scam reporting services, we’re calling on all of Australia’s telecommunications industry and its partner organisations to work together to find an effective technology solution to scam calls.

The opportunity for all telcos here is to set the bar high for what we do with our customers to make sure we never miss a heartbeat and no customer ever gets left behind.

Cyber Security | Enterprise | Small Business |

Cyber security: Towards greater collaboration

By Berin Lautenbach February 24, 2017

Today marks the launch of the government’s inaugural Joint Cyber Security Centre, an initiative identified in Australia’s National Cyber Security Strategy.

This private-public intel-sharing centre is designed to co-locate government, business and academic cyber experts to facilitate working together, the sharing of information and the development of new approaches to cyber security.

The launch of Australia’s Cyber Security Strategy in April 2016 by Prime Minister Malcolm Turnbull was a significant achievement. A key theme throughout the strategy was the need for the government and businesses to work together in partnership to drive strong cyber security and ensure our ongoing growth and prosperity in a global economy.

That need is becoming more pressing. New threats and attacks are being seen on an almost daily basis now and the cyber security industry needs to be working together to share and innovate in ways that protect our community.  We have some fantastic Cyber Security capability in Australia – if we can bring together that knowledge, expertise and talent it will have a noticeable impact on our capacity to deal with the threat.

At the same time we need to be finding better ways to share data and intelligence in near real time.  We see this happen well in industry sectors (the finance industry is traditionally very good in this area) but we need to extend that across all parts of government and industry.

There is a therefore tangible need and appetite for the government and businesses to work more closely and share threat information in a timely and actionable way and we welcome the establishment of the first Joint Cyber Security Centre, located in Brisbane, as a strong step towards greater collaboration between businesses and government.

Telstra, as operator of Australia’s largest telecommunications network, understands that the internet and connectivity are fundamental to the lives of all Australians and the ongoing prosperity of our economy, and strong cyber security capabilities to protect this connectivity are critical.

We are excited about the opportunity the Joint Cyber Security Centre presents to share expertise with other big industry partners and government, and are looking forward to contributing to initiatives through the centre that will make a real difference to the online safety of Australians, proactively strengthen Australia’s cyber defences and make Australia a safe place to do business online.