Cyber Security Report 2017
Managing risk in a digital world.

Executive summary
Organisations and individuals are dealing with new security and business opportunities, many of which are fuelled by mobility, cloud based service offerings and the need to have an environment that adapts to the way people and organisations want to work and interact. In order to capitalise on those opportunities, cyber security risk must be managed to acceptable levels. Every organisation must determine for itself what constitutes an acceptable level of risk.

The insights shared in this report are based on our understanding of the security risks that organisations face in the Asia Pacific region. We hope that it offers useful guidance on identifying and managing risk, and improve your awareness in the field of information security. These insights aim to support your organisation as it strives to make vital decisions about security and its operational impact. It is important that those decisions are well-informed as good information security is now critical to the success of any modern organisation.

Some of the findings are sobering: we learned that 59 per cent of organisations in Australia have detected a business interrupting security breach on at least a monthly basis, which is more than twice as often compared to 2015 (24 per cent). The findings aligned with Asian businesses who also experienced an incident on at least a monthly basis, as reported by 59 per cent of respondents.

We found that ransomware was the number one type of malware downloaded in the Asia Pacific region, with 60 per cent of Australian organisations stating that they experienced at least one ransomware incident in the last 12 months. Of the organisations who experienced a ransomware incident, 57 per cent paid the ransom. Our research found that nearly one in three of the organisations who paid a ransom did not recover their files. This clearly dispels the myth held by a number of people that there is honour among thieves in that if you pay a ransom, the criminals will unlock your files and leave you alone. You really are rolling the dice if you choose to pay a ransom and your chances aren't good. This problem is of particular importance to small- to medium-sized organisations as they are less likely than large organisations to have extensive security controls and to back up their data.

We also found that C-level executives are taking a greater level of responsibility in security initiatives such as education and the sponsorship of security improvement programs. Two out of three C-level executives have a high or very high involvement in their organisation's cyber security initiatives in Australia and Asia. This may well be due to the finding that C-level executives are being held to account more often in the event of a security incident. The recently passed amendments to the Australian Privacy Act, affecting most organisations and requiring data breach notifications to both the victims and the Privacy Commissioner, will drive further awareness and accountability, as did the first legislation of this kind when it was introduced in California in 2003.

The rapid adoption of cloud services, while delivering significant agility and portability benefits, continues to present a security challenge. More than half of Australian organisations that adopted cloud services see data theft as their number one risk in doing so; yet more than 30 per cent of those organisations adopting cloud services reported that they are not yet ready to handle this risk in Australia. That organisations are prepared to take such acknowledged risks speaks to the urgency of their move to cloud services.

The heightened awareness of security breaches and the business impacts of these incidents has led to increased IT security spend, with 95 per cent of organisations in Asia increasing their budget this year compared with 81 per cent in Australia. Last year we reported an increase in the IT security budget for 75 per cent of Australian organisations, which demonstrates a continued increase in importance of information security to organisations.

That finding is a welcome one, because taking advantage of new technologies requires a willingness to invest in people, processes and technology appropriate for today's information security environment.

It is our hope that this report supports your organisation's increased focus, as it is designed to help you to understand the threats you face and the actions you can undertake to better secure your organisation and its success.

Telstra engaged a research firm, Frost & Sullivan, to interview professionals responsible for making IT security decisions within their organisation to obtain a number of key insights on a range of security topics. The report also draws on analysis of security information and data gathered from Telstra infrastructure, security products and our third-party security partners.

The research firm's online surveys obtained 360 responses. 58 per cent of these responses were from Asia and the remaining 42 per cent were from respondents based in Australia. All the businesses who were interviewed in Asia have an Australian branch office and include responses from India, Singapore, Hong Kong, Indonesia and the Philippines. 87 per cent were multi-national organisations[1] and the remainder only have offices in Australia (13 per cent). C-level executives including Chief Executive Officers, Chief Financial Officers, Chief Information Officers, Chief Operating Officers, Chief Technology Officers, Chief Information Security Officers and Chief Security Officers accounted for 37 per cent of respondents across both Australia (43 per cent) and Asia (33 per cent). The remainder were in IT security managerial roles. All respondents either have some influence or complete control over the security investment within their organisations for their respective regions.

A large proportion of our survey results were based on large organisations where 77 per cent of total respondents worked for organisations employing 500 or more employees globally. The responses from Asia with 500 or more employees (89 per cent) and the responses from Australian responses with 500 or more employees (61 per cent). 81 per cent worked for organisations with 200 or more locally based employees across Australia (71 per cent) and Asia (89 per cent).

[Chart: survey respondents by location. Australia 42.2%, Singapore 14.4%, ASEAN[2] 13.6%; Hong Kong and India make up the remaining 13.1% and 16.7%.]
1. Includes organisations like government departments and utilities who don't identify as being an MNC but have their head office and branch offices in both Asia and Australia
2. ASEAN is made up of both Indonesia (8.3 per cent) & Philippines (5.3 per cent) responses to obtain a reasonable sample size
[Charts: respondents by job role (IT Security Architecture & Design; IT Governance, Risk & Compliance; IT & Security (operations, administrators, other); IT & Security (management); CTO/CIO/CSO/CISO; CEO/CFO/COO) and by organisation size (50 to 99; 100 to 199; 200 to 499; 500 to 999; 1,000 or more employees)]

The industry segment with the highest percentage of responses was the IT & Technology sector from both Asia and Australia. The second highest percentage for responses in Australia was the Public sector, which included health care and education. The Manufacturing, Logistics & Transportation sector was the second highest industry for respondents from Asia.

[Charts: respondents by industry segment, Asia and Australia]

In today's interconnected world, we do not operate in isolation; our business processes and systems collect, analyse and share data from financial, product, operational, customer and employee data to our partners, suppliers and distributors. Companies need to consider the commercial and contractual risks by including cyber security capabilities as part of their sourcing and selection criteria and mandating the handling of data as part of contractual terms and conditions.

Companies need to progress from layering security controls on top of their technology architectures, and business and commercial processes, to embedding cyber security and integrating it into their business model in a way that does not adversely affect the customer experience. The key is to integrate cyber-resilience into enterprise-wide management and governance processes. This means conducting discussions across organisational silos to integrate considerations related to protecting information deeply, but also flexibly, into business processes like product development, marketing, sales, customer care, operations and procurement. The companies that do this most aggressively will not only reduce their risk, but also increase their operating efficiency and improve their value proposition with customers.[4]

Our research has shown that the involvement of all stakeholders in cyber security initiatives is high to very high amongst both Australian and Asian organisations, with the majority of respondents also recognising the importance of cyber security to carry out their functions across the business. Not surprisingly, the IT department is seen as the main group involved in cyber security initiatives and are identified as the key group who understand the importance of cyber security to carry out their functions effectively.

The good news is that C-level executives are perceived to be taking a more active role in cyber security by understanding the importance of cyber security initiatives, increasing their involvement in these initiatives and are increasingly taking responsibility for security incidents when they occur. In Australia, the CEO is regarded as almost as responsible as the IT department. Interestingly though, the perceived responsibility of the CISO in Asia is much greater than in Australia. Our survey results indicate that the IT department is primarily held responsible for security breaches for the organisations surveyed in Australia in 2016, when compared to the accountability of individual C-level roles in Australia. However, there has been a significant shift in responses towards the C-level executives as a group being held responsible for security incidents from 19 per cent in 2015 to 61 per cent in 2016 and away from the IT department being held responsible for security incidents with a decrease in responses from 62 per cent in 2015 to 34 per cent in 2016.

Similar to Australia, the perceived accountability of the IT department has dropped significantly amongst Asian organisations surveyed from 83 per cent in 2015 to 54 per cent in 2016. The C-level executives in Asia are perceived to be the primary stakeholders in taking responsibility for security incidents, which has increased from 35 per cent in 2015 to 65 per cent in 2016. This significant responsibility shift may reflect the growing involvement of the C-suite executives in the cyber security strategy and responsibility within their organisations.

The research identified that there are a number of opportunities to improve engagement within the business. Sales and marketing were seen as the least likely to view cyber security as an enabler and they were seen as having the lowest engagement in security initiatives. This is despite the fact that they are heavily involved in capturing and using customer data. This is potentially a missed opportunity for sales and marketing to influence the online customer experience that occurs via their company's web portals, mobile applications or social media channels. They need to be engaged to ensure that customers are not overwhelmed with cumbersome or clunky authentication experiences. There is an opportunity to tailor security controls to different types of customers by getting their requirements from market surveys and focus groups to ensure the customer's voice is heard on how they want to access their data, products and services in a secure manner. Sales and marketing should be engaged and take a more proactive role to ensure that customer data and marketing information is secure; especially when it is shared with ad agencies or marketing and analytic companies.

It was also surprising that HR was another group who had a lower involvement in cyber security initiatives as they are handling sensitive data for employees, contractors and potential new hires. They should be involved in how this data is collected, stored and secured as they need to consider the implications if this data is corrupted, lost or stolen.

3. Handbook of System Safety and Security by James M. Kaplan (McKinsey and Company)
4. Handbook of System Safety and Security by James M. Kaplan (McKinsey and Company)
[Chart: importance of cyber security by group (IT department, C-level executives), Asia and Australia; scale: Very important, Somewhat important, Neutral, Somewhat not important, Not important at all]
[Chart: involvement in cyber security by group (IT department, Operations, Internal auditors/regulators, C-level executives), Asia and Australia; scale: Very high, High, Neutral, Low, Very low]
[Chart: who is held responsible for security incidents, 2015 and 2016, Asia and Australia: IT department, Heads of departments, Employees involved, C-level executives, Board of directors, Legal counsel, CISO, COO, CFO]

HR is responsible for handling employee or contractor information such as bank account details, tax file numbers, remuneration, résumés, employee contracts/offers and security checks that may be collected and shared with other third parties like HR service, system providers or recruitment companies. The HR department's involvement in cyber security has increased in some countries, such as the UK, where initiatives such as free cyber security courses for HR Professionals have been created by the UK Government and the Chartered Institute of Personnel Development (CIPD). The course was developed to assist HR workers to protect their companies' sensitive personal information.[5] This HR training initiative outlines the importance of providing cyber security awareness training to key stakeholders who are handling sensitive and important company data.

In Australia, the internal auditors and legal affairs team are perceived to have a relatively low level of involvement in cyber security. This is despite the fact that cyber security has a relatively high level of importance to their job functions and responsibilities. Interestingly in Asia, for internal auditors and board of directors, cyber security has a relatively low level of importance to their job functions and responsibilities, despite both groups having a high level of involvement in cyber security. This highlights the need to improve communications and engagement across the silos within the business to ensure that the right business and security engagements are in place to address legal, regulatory, privacy and commercial risks.

It is also worth noting the need for further engagement with physical and electronic security counterparts, driven by the proliferation of connected security devices and increasing market demand for converged solutions that combine electronic and physical security, identity management and information security.

5. https://www.cipd.co.uk/about/media/press/040216-cyber-security#
[Chart: Security governance, processes and skills in your organisation, Asia and Australia. Categories: Security audits; Cyber security awareness programs; Risk assessments on internal systems; Incident management response process; Classification of business value of data; Program to identify sensitive assets; Procedures dedicated to protecting IP; Risk assessments on third-party vendors; Cyber drill]

Australian Prudential Regulation Authority (APRA) and the Australian Cyber Security Centre (ACSC) guidelines are the most popular security standards and frameworks adopted by both Australian and Asian organisations. It's important that the standards that companies adopt meet their regulatory, contractual and commercial requirements and align with their business objectives. In contrast, SANS Top Critical Controls and PCI were chosen by only nine per cent of Australian respondents. The low adoption of PCI security standards with Australian respondents is surprising as every Australian business who accepts and processes credit or debit card information is required to comply to ensure a secure payment card environment. This result may be due to the outsourcing of credit card payment functions to third parties or a lack of involvement in the PCI compliance security initiatives by the majority of respondents. This may be due to a lack of engagement, awareness or silos within the organisation regarding PCI compliance.

Almost all of the organisations surveyed in Australia and Asia adopt various methods to control IT security risks with their business suppliers and partners with the most popular being the application of access controls to data and systems. Two per cent of respondents from Australia and one per cent from Asia indicate that they do not perform vendor checks on their business partners.

[Chart: methods used to control IT security risks with suppliers and partners: Apply access controls to systems and data; Address information security issues via contract; Engage a third-party to perform an information security audit of vendor]

In Australia, the good news is that we are conducting more frequent board briefing sessions, the percentage of enterprises conducting their briefings on a yearly basis has significantly reduced from 11 per cent in 2015 to two per cent in 2016. On the contrary, in Asia the frequency of briefings has declined slightly, with 39 per cent of organisations now doing this monthly. However, 57 per cent of ASEAN (Indonesia and the Philippines) and 50 per cent of Indian respondents are running monthly briefings, which is higher than the 32 per cent recorded for Australian businesses.

[Chart: frequency of board briefings, 2015 and 2016, Asia and Australia: Monthly, Quarterly, Half-yearly, Yearly, Rarely, Never]

6. Note: these numbers are approximated by using statistical methods on representative data samples and provided by Firstwave
7. https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise
8. https://www.ic3.gov/media/2016/160614.aspx#fn1
9. http://www.findlaw.com.au/articles/4266/workplace-discrimination-laws-in-australia.aspx
10. http://www.cio.com.au/article/400300/what_pci_compliance_/
11. https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/Threat-Report-FortiGuard-Eye-of-Storm.pdf
12. http://www.theregister.co.uk/2016/08/31/anglers_obituary_super_exploit_kit_was_the_work_of_russias_lurk_Group
13. http://b2me.cisco.com/en-us-annual-cybersecurity-report-2017
The popularity and activity of exploit kits and malware is very dynamic with cyber criminals switching between different exploit kits and the malware used on a regular basis to keep ahead of the security defenders, as shown by the daily exploit kit graph provided by Palo Alto and the monthly malware graph from Check Point.

Palo Alto research indicated that Locky ransomware was the most prevalent malware family downloaded in the Asia Pacific region, in 2016. It is typically delivered in a Microsoft Word document within a phishing email but has also been delivered using exploit kits on infected websites and most recently as JavaScripts inside zip files. Palo Alto found Ursnif was also pervasive in 2016. Ursnif is a banking Trojan which has been targeting Australian banks with recent variants utilising the Tor network and typically delivered using phishing emails or via the Neutrino exploit kit (with 21 per cent of downloads).

The majority of the Top five viruses according to Fortinet were associated with the JavaScript Nemucod family of malware in the Asia Pacific region. The Nemucod exploit kit is a popular delivery method for ransomware and has also been used to deliver a new payload to its victims called Win32/Kovter that delivers a backdoor to a Command and Control (C&C) server with ad-clicking capability.[14]

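The delivery method described above (script files inside zip attachments) can be screened for at the mail gateway. The following is an added example, not part of the original report: a Python check that opens a zip attachment, follows nested archives to a fixed depth and flags script members. The extension lists, limits and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy values for this example (not from the report).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
MAX_DEPTH = 3                       # nested archive levels that will be opened
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # larger nested archives are flagged, not read


def scan_zip(data, depth=0, prefix=""):
    """Return sorted (member_path, reason) findings for one zip attachment."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "not a valid zip")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            if last in SCRIPT_EXTS:
                # "invoice.pdf.js" shows as "invoice.pdf" when extensions are hidden.
                if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
                    findings.append((path, "script with decoy double extension"))
                else:
                    findings.append((path, "script file"))
            elif last == ".zip":
                if info.flag_bits & 0x1:
                    findings.append((path, "encrypted nested archive"))
                elif depth + 1 >= MAX_DEPTH:
                    findings.append((path, "nested archive too deep"))
                elif info.file_size > MAX_MEMBER_BYTES:
                    findings.append((path, "nested archive too large"))
                else:
                    findings += scan_zip(archive.read(info), depth + 1, path + "!")
    return sorted(findings)


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples():
    """Constructed sample attachments; the script bodies are harmless comments."""
    inner = make_zip({"scan_0417.js": b"// constructed placeholder\n"})
    return {
        "clean": make_zip({"report.txt": b"quarterly figures\n"}),
        "double_ext": make_zip({"invoice_2016.pdf.js": b"// constructed placeholder\n"}),
        "nested": make_zip({"documents.zip": inner, "readme.txt": b"see archive\n"}),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        hits = scan_zip(blob)
        print(name, "QUARANTINE" if hits else "deliver", hits)
```
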
14. http://www.welivesecurity.com/2016/08/09/nemucod-back-serving-ad-clicking-backdoor-instead-ransomware/
Conduct Reconnaissance: Gather intelligence and plan the attack
Compromise Endpoint: Silent infection via phishing email to download exploit kit and execute malware

Ransomware

Ransomware was the most common malware in the Asia Pacific region.

Ransomware is a form of malicious software that holds a device or system hostage by blocking access until a ransom is paid to remove the restriction. Ransomware can be delivered as attachments or dropped onto vulnerable devices by exploit kits when the user visits or is redirected to a compromised website. The most common variants are categorised as crypto-ransomware where certain files on the target device are encrypted and some are able to spread across networks and servers to encrypt other file systems. Certain types of ransomware are able to delete or encrypt back-up files before demanding payment for a decryption key. This may make it more compelling to pay the ransom if the backup cannot be used to restore the files but it is not the recommended course of action. Other variants of ransomware include locking the screen or preventing the operating system from loading until a ransom is paid to remove these restrictions.

According to our survey, in 2016 24 per cent of Australian businesses experienced a ransomware incident which impacted their business on at least a monthly basis and it took the same proportion five hours or more to recover from these incidents. Similarly, 26 per cent of Asian businesses experienced a ransomware incident which impacted their business on at least a monthly basis. 22 per cent of respondents in Asia said that it took five hours or more to recover from these incidents. Check Point research indicates that the average lifespan of new ransomware is now 58 seconds with 90 per cent of attacks/exploits seen only once.

Our vendor research found that ransomware was the most downloaded malware in the Asia Pacific region in 2016 and that approximately 60 per cent of Australian organisations reported that they experienced at least one ransomware incident in the last 12 months. Of the Australian organisations surveyed, 42 per cent reported paying a ransom to cyber criminals. However, the approach towards ransom requests in Asia varies with the majority of India, ASEAN and Hong Kong enterprises agreeing to pay the ransom, whilst the majority of enterprises in Singapore tended not to accede to ransom requests and managed their recovery through backup files instead.

Nearly one out of every three Australian organisations who experienced a ransomware incident and paid the ransom did not recover their files. The impacts for Asian organisations were slightly higher with 40 per cent of respondents who paid the ransom but did not recover their files. A number of companies are choosing to quietly pay a ransom demand, which is typically in the hundreds of dollars, to restore their business operations, to avoid embarrassment and the potential reputational impacts with the hope of retrieving their lost data. The reality is that you could receive further ransom demands, that the data may be exposed or sold on to other third parties and there are no guarantees for recovering your data. It is evident that implementing a proper back-up strategy helps to mitigate the rising threat of ransomware, and can be seen as an effective strategy as per the survey results for the majority of Singapore organisations.

[Chart legend: No, however we managed to recover the files through other means (i.e. decryption tools)]

Benefits of hindsight - Invest in an appropriate back-up strategy rather than paying a ransomware demand.

Ransomware-as-a-Service (RaaS) is where ransomware authors have developed user-friendly interfaces for their malware and they offer it to others to become distributors. The service offers cyber criminals, without coding experience, the opportunity to make money by either paying a once-only price or a profit share arrangement to distribute the ransomware. Some examples of RaaS offerings that were promoted on underground forums and marketplaces include: Hostman Ransomware, Flux Ransomware, Cerber and Ransomware affiliate network.[15][16] Each RaaS instance offers different features to recruit distributors based on claims of detection avoidance options and different profit models. RaaS feature options may include different encryption options, the worm feature to infect more users, multiple language options, the promise of future versions infecting mobile devices and customisation of the software to select different target files, Bitcoin addresses and/or ransom amounts. RaaS prices vary from US$9.95 for a limited use version to US$150 for a copy of the source code. Some RaaS offerings are free initially with approximately 15 per cent to 40 per cent of the profit share going back to the author, which maximises the returns for the author if the malware is successful in the long run.[17] The FBI announced that ransomware is expected to become a US$1 billion dollar industry in 2016, which is a substantial increase compared to 2015, when ransomware was reported as a mere US$24 million criminal industry.[18]

According to Fortinet in March 2017, Locky was the largest ransomware campaign in the last 12 months with 74 per cent of the ransomware downloads, followed by CryptoWall with 14 per cent that was prevalent earlier in 2016, with nearly 100 thousand detections per month in Australia alone. The third most prevalent ransomware, according to Fortinet, is Cerber with 11 per cent of ransomware downloaded in the Asia Pacific region the last year. Locky can be delivered using the JavaScript Nemucod downloader malware and is primarily used as an infection vector to plant various families of ransomware onto a victim's computer to encrypt files and demand Bitcoin ransom payments.[19] Cerber is a RaaS offering with a network of distributors with a profit share arrangement.[20] Palo Alto research suggests that Locky is designed by experienced cyber criminals and is known to delete shadow copies of files to make local backups unusable.

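Shadow-copy deletion, the behaviour attributed to Locky above, leaves a trace in process-creation logs and is a practical detection point. The following is an added example, not part of the original report: a Python detector run over constructed log lines. The JSON event layout, host names and rule set are assumptions; the matched utilities (vssadmin, wmic, the Win32_ShadowCopy WMI class) are standard Windows components that the report itself does not name.

```python
import json
import re

# Rules match on the normalised (lower-case, single-spaced, unquoted) command line.
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("Win32_ShadowCopy delete via PowerShell",
     re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b")),
]
# A script host as the parent points to a script-based downloader, as in the
# JavaScript delivery chain the report describes, so the alert is raised a level.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def normalise(cmdline):
    """Lower-case, drop quotes and collapse whitespace before matching."""
    cleaned = cmdline.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", cleaned).strip().lower()


def basename(path):
    """File name of a Windows or POSIX style path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(log_lines):
    """Return one alert dict per event whose command line deletes shadow copies."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop the pipeline
        cmd = normalise(event.get("cmd", ""))
        for name, pattern in RULES:
            if pattern.search(cmd):
                parent = basename(event.get("parent", ""))
                alerts.append({
                    "time": event.get("time"),
                    "host": event.get("host"),
                    "rule": name,
                    "severity": "critical" if parent in SCRIPT_HOSTS else "high",
                })
                break  # one alert per event is enough
    return alerts


# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"time": "2017-03-02T09:14:07Z", "host": "WS-014",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"time": "2017-03-02T09:20:31Z", "host": "SRV-BACKUP01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "vssadmin list shadows"},
    {"time": "2017-03-02T10:02:55Z", "host": "WS-022",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "wmic  shadowcopy   delete"},
    {"time": "2017-03-02T11:47:12Z", "host": "WS-031",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": 'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | '
            'ForEach-Object { $_.Delete() }"'},
]] + ["this line is not JSON"]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```
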
15. http://blog.fortinet.com/2017/02/16/ransomware-as-a-service-rampant-in-the-underground-black-market
16. http://blog.checkpoint.com/2016/08/16/cerberring/
17. http://blog.fortinet.com/2017/02/16/ransomware-as-a-service-rampant-in-the-underground-black-market
18. http://www.nbcnews.com/tech/security/ransomware-now-billion-dollar-year-crime-growing-n704646
19. https://blog.fortinet.com/post/cryptowall-teslacrypt-and-locky-a-statistical-perspective
20. http://blog.checkpoint.com/2016/08/16/cerberring/
21. https://www.nomoreransom.org/
22. http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-dec-2016.pdf
23. https://www.cert.gov.au/advisories/ransomware
24. https://blog.fortinet.com/2016/04/06/10-steps-for-protecting-yourself-from-ransomware
25. http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-dec-2016.pdf
26. http://b2me.cisco.com/en-us-annual-cybersecurity-report-2017
27. https://www.aspi.org.au/publications/cyber-maturity-2016/ASPI-Cyber-Maturity-2016.pdf
[Chart: APT activity by location: Japan 2.0%, Mongolia 1.0%, Myanmar 1.0%, China 1.0%, Singapore 1.0%, Tibet 5.0%, Philippines 6.0%, Taiwan 17.0%, Vietnam 9.0%]
[Chart: APT activity by sector: Research 2.0%, Government 34%, Political 11%, Defence 6.0%, Dissident 18%, Aerospace 3.0%, Military 15%, Technology 3.0%, NGO 3.0%, Gaming 2.0%, Academic 3.0%]

The APT statistics, provided by CrowdStrike, indicate that the focus of APT activities in the Asia Pacific region is primarily against Government departments, political organisations, dissident groups opposing official policy of a ruling entity, military and defence organisations who supply arms and technology.

These results align with the informal bilateral agreements that have been agreed to in regards to protecting intellectual property, trade secrets and confidential business information with the exclusion of activities associated with cyberespionage.

Key Mandiant APAC Findings:

The majority of breaches never made news headlines as most governments and industry-governing bodies did not report breaches.

Many organisations had conducted forensic investigations in the past but failed to eradicate the attackers from their environments. They sometimes made matters worse as they destroyed or damaged forensic evidence needed to understand the full extent of a breach or to attribute activity to a specific threat actor/group.

Average machines analysed in an organisation = 21,584. Comprehensive investigations are required to cover every system in the environment to understand the full extent of the breach and remediate effectively. Otherwise you risk tipping off the attackers and being re-compromised.

Average compromised machines = 78. Once an attacker has full access to an environment with escalated privileges they minimise the number of compromised machines and typically remove the malware and migrate to use corporate remote access solutions. The compromised systems now have no malware installed making them undetectable to Anti-Virus and End Point Protection solutions.

Average user accounts compromised = 10 and average admin accounts compromised = 3. Investigators must hunt for threat actors who pose as insiders using legitimate credentials. Determining which compromised credentials were used during the attack is critical to understanding the full extent of a breach.

The average amount of stolen data = 3.7GB. Likely to be under reported as this is based on the forensic data available during the investigation and sometimes there are missing log files, which may be due to some logs being overwritten over time due to storage constraints.

Classification of information stolen from APAC organisations was 40 per cent email, 20 per cent sensitive documents, 20 per cent Personally Identifiable Information (PII) and 20 per cent Infrastructure Documents.[34]

APT Mitigation Recommendations:

Conduct phishing awareness training to mitigate initial compromises.

Ensure operating systems are supported and patch maintenance is performed and enable automatic updates, if possible, to minimise vulnerabilities on your devices and host servers.

Conduct regular penetration tests and external and internal vulnerability scans and then implement security plans to mitigate the prioritised vulnerabilities and weaknesses found.

Deploy advanced end point protection on both laptops/desktops and host servers.

Deploy Mobile Intrusion Prevention System (MIPS) and Mobile Device Management (MDM) to provide security protection for mobile devices.

Deploy appropriate network segmentation and User and Entity Behaviour Analytics (UEBA) within your network to identify any behavioural anomalies to protect your key data assets.

Ensure number of staff with administrator passwords is limited based on business need, not easy to obtain/guess and unique across multiple IP domains.

Ensure that you have incident response plans in place and that you review and test them regularly to ensure that you are prepared to respond and remediate incidents in a timely fashion.

Consider the use of inherence factors from electronic and biometric security data for additional authentication.

33. https://www2.fireeye.com/m-trends-2016-asia-pacific.html
34. https://www2.fireeye.com/m-trends-2016-asia-pacific.html
[Figure: Organisations using cloud services, year on year trend in Australia and Asia (2015 and 2016; responses: Yes, No, Unsure)]
35. http://pages.checkpoint.com/security-report.html
36. https://f5.com/about-us/news/the-state-of-application-delivery
[Figure: risk rankings (Rank 1, Rank 2, Rank 3, No Rank) for Asia and Australia across: Theft of company data; Data sovereignty; Network attack or outage; Employee actions/human error; Malware/virus outbreak; Denial of legitimate access]
[Figure: Organisations' level of readiness to handle cloud service risks, Asia and Australia (scale includes: Somewhat not ready, Neutral, Somewhat ready, Ready)]
37. http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B2f3a44c7-7445-442a-9425-de48041ab3c9%7D_ShadowDataReport_1H_2016_Digital-Screen_compressed.pdf
38. http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B2f3a44c7-7445-442a-9425-de48041ab3c9%7D_ShadowDataReport_1H_2016_Digital-Screen_compressed.pdf
39. http://images.machspeed.bluecoat.com/Web/BlueCoat/%7B2f3a44c7-7445-442a-9425-de48041ab3c9%7D_ShadowDataReport_1H_2016_Digital-Screen_compressed.pdf
Top 10 external and internal vulnerabilities in Asia Pacific region in 2016 (Qualys)

Rank | External vulnerability name | Qualys ID | Rank | Internal vulnerability name | Qualys ID
1 | SSL/TLS use of weak RC4 cipher | 38601 | 1 | SSL/TLS use of weak RC4 cipher | 38601
2 | SSL/TLS Server supports TLSv1.0 | 38628 | 2 | SMB Signing Disabled or SMB Signing Not Required | 90043
3 | SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) | 38603 | 3 | Enabled DCOM | 90042
4 | SSL Server Has SSLv3 Enabled Vulnerability | 38606 | 4 | Administrator Account's Password Does Not Expire | 90080
5 | SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST) | 42366 | 5 | Oracle Java SE Critical Patch Update October 2012 | 120604
 | | | 6 | Oracle Java SE Critical Patch Update June 2013 | 121279
40. https://www.wired.com/2014/10/poodle-explained/
41. https://blog.qualys.com/ssllabs/2013/09/10/is-beast-still-a-threat
DDoS Overview

Distributed Denial of Service (DDoS) attacks are an attempt to make an online service unavailable by overwhelming it with traffic from multiple compromised devices. DDoS attacks are growing significantly year-on-year with Imperva experiencing 100 per cent[42] growth of both Network and Application layer attacks and Akamai seeing a 71 per cent increase in total DDoS attacks globally.[43]

One of the main drivers behind this is the increasing use of DDoS-for-hire services that enable anyone to launch attacks for as little as US$5 per minute.[44] The ease of access to these services means that anyone can launch an attack, from cyber criminals and activists to disgruntled customers or employees, which means that any business is a potential target. Cyber criminals can easily turn a profit by sending DDoS extortion requests for Bitcoin payments and using DDoS-for-hire services to launch their attacks. Criminal perpetrators of DDoS attacks often target services on e-commerce web servers, which can lead to a loss of sales revenue, business disruption, and reputational damage and in some cases used to hide network breaches and the extraction of sensitive data. The waves of DDoS attacks are likely to increase in volume and quantity with the advent of new malware targeting unsecured internet-enabled devices that can be used to launch these attacks. According to our survey in 2016, 59 per cent of Australian businesses experienced a DDoS attack on at least a yearly basis and reported a recovery time within 30 minutes (36 per cent). 68 per cent of Asian businesses experienced a DDoS attack on at least a yearly basis. 43 per cent of respondents in Asia indicated that the time to recover from these attacks was within 30 minutes.

New DDoS Attack Utilising IoT Devices

On 20 September 2016, the website of cyber security writer and blogger Brian Krebs (www.krebsonsecurity.com) was on the receiving end of a 623 Gbps attack, the biggest attack that Akamai had ever mitigated to date, which used IoT
42. https://www.imperva.com/docs/gated/2015-16-DDoS-Threat-Landscape-Report.pdf
43. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q3-2016-state-of-the-internet-security-report.pdf
44. https://www.imperva.com/docs/gated/2015-16-DDoS-Threat-Landscape-Report.pdf
45. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q3-2016-state-of-the-internet-security-report.pdf
46. https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
47. https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
48. https://www.imperva.com/docs/gated/2015-16-DDoS-Threat-Landscape-Report.pdf
49. https://www.imperva.com/docs/gated/2015-16-DDoS-Threat-Landscape-Report.pdf
50. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q3-2016-state-of-the-internet-security-report.pdf
51. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q3-2016-state-of-the-internet-security-report.pdf
[Figure: frequency of security incidents by type, Asia and Australia. Incident types: Virus/malware outbreak; Web application attack; Vulnerability of unpatched systems; Ransomware attack; Phishing email attack; APT attack; DDoS attack. Frequency scale: Weekly, Monthly, Quarterly, Half-yearly, Yearly, Rarely, Never, Unsure]
[Figure: Recovery time for business-affecting new security incidents in 2016, Asia and Australia. Incident types: Ransomware attack; Business email compromise (BEC)]
52. https://www2.fireeye.com/m-trends-2016-asia-pacific.html
[Figure: Recovery time for business-affecting security incidents in 2016 compared to 2015, Asia and Australia. Incident types include: Malware outbreak; Phishing email; Web application attack; Vulnerability/patching issues; APT; DDoS]
[Figure: impact categories charted for Asia and Australia: Revenue loss; Losing customers; Psychological stress to workers; Productivity loss; Corrupted business data; Loss of jobs for key executives; Distrust from consumers and/or partners; Reputational loss; Lawsuits; Massive fines to be paid to authorities]
According to our survey, 88 per cent of respondents in Australia and 91 per cent in Asia either have, or are in the process of developing, an incident response plan. Most of these respondents have indicated that they conduct a review and test of their plans on a regular basis, the most common being quarterly. Regular testing and reviews of incident response plans for all the business-impacting security incident types are recommended to reduce recovery times, to reduce the impacts to your business processes and to ensure business continuity. The incident response plan also needs to manage communications for key stakeholders and manage notifications to affected parties where private data is compromised.
[Figure: Incident response plan in place and frequency of testing and review, Asia and Australia (responses: Yes; It is currently being developed; No)]
Sector | Percentage
Retail | 1.9%
Health | 1.9%
Manufacturing | 2.2%
Energy | 18.0%
Legal and professional services | 2.4%
Food and agriculture | 2.6%
Education and research | 2.6%
Water | 2.9%
Defence industry | 5.5%
Information technology | 6.0%
Banking and financial services | 17.0%
Other | 6.4%
Transport | 10.3%
53. https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf
54. https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf
55. https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf
56. http://www-03.ibm.com/security/au/data-breach/index.html
57. http://www-03.ibm.com/security/au/data-breach/index.html
58. http://www-03.ibm.com/security/au/data-breach/index.html
59. https://www.telstra.com.au/business-enterprise/campaigns/cyber-security-report
60. Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth), amending the Privacy Act 1988 (Cth).
IT Security Investment

To participate in our survey, respondents were required to have either some involvement in or be primarily responsible for IT security budget decisions. 62 per cent of Australian respondents and 79 per cent of Asian respondents indicated that they are the key decision maker for the IT security budget. The majority of surveyed respondents in both Australia and Asia have indicated that they will increase their IT security spending within the next 12 months.

Our survey results indicate, 48 per cent of Australian and 68 per cent of Asian organisations will increase IT security spending by more than 10 per cent in 2017.

The majority of Asian respondents in 2016 indicate that they are looking to increase their IT security spending, most commonly by 11 per cent to 15 per cent.

According to our survey, 24 per cent of organisations in Australia have indicated that they will increase their IT spending by six per cent to 10 per cent.

The percentage of Australian respondents expecting to decrease their IT security spending has fallen significantly from six per cent in 2015 to one per cent in 2016.

Only four per cent of organisations in Asia have the same IT security budget as 2015, which is significantly lower compared to the 17 per cent of organisations in Australia with the same budget constraints.

According to our research, 41 per cent of organisations surveyed in Australia and 36 per cent in Asia set aside four per cent to five per cent of their total IT expenditure for IT security.
Cyber security awareness training is moving beyond the enterprise and into the supply chain.

The majority of respondents from Australia and Asia indicate that they already have or are currently implementing cyber security initiatives related to training and resourcing. Cyber security technical training for IT staff and cyber security awareness training for employees were chosen as the top initiatives by respondents from both Australia and Asia. A number of organisations may not have plans to hire cyber security experts as they may be sourcing this function from Managed Security Service Providers (MSSPs). The organisations who are not planning to invest in cyber security training for business partners/suppliers may be utilising other security initiatives to control these risks; such as the use of access controls for systems and data, contractual controls or security audits for business partners/suppliers.

The survey reveals that both Australian and Asian respondents are looking to provide cyber security training and campaigns to their business partners and suppliers. Organisations may want to weigh up the costs and benefits of different approaches to mitigate cyber security risks with their business partners/suppliers and whether other security initiatives may be more suitable or a combination of initiatives like the use of access controls for systems and data, contractual controls, security audits and/or cyber security awareness training.

[Figure: initiatives charted for Asia and Australia: Hiring cyber security experts; Cyber security awareness training/campaigns for employees; Cyber security awareness training/campaigns for business partners/suppliers]

Cloud-based and managed security services are expected to grow due to the strong interest indicated in the Asia Pacific study.

There is a strong uptake of cloud-based and managed security services by organisations in Asia and Australia, which indicates their popularity and an understanding of the value offered by these services. The majority of Australian and Asian respondents indicate that their organisations have either already implemented, or are currently implementing, all of the listed security services. Australian organisations indicated a higher percentage in not planning to implement compared to Asian organisations for all security services surveyed that may be due to tighter budget constraints.
62. http://www.afr.com/technology/asic-says-boards-underprepared-for-cyber-threat-20160913-grfaoc
2017 Telstra Corporation Limited. All rights reserved. The spectrum device is a trade mark of Telstra Corporation Limited.
and are trade marks and registered trade marks of Telstra Corporation Limited ABN 33 051 775 556. 19013-0317/Telstra