Asia Pacific Defence Reporter (APDR), September 2016, p. 76
becomes much more challenging. When an intruder
is caught, the security team needs to be able to
identify quickly and exactly what they did. FireEye says
that with its solutions and expertise the security team
can ‘play back the tape’, as one might with a closed-circuit
security recording, and capture all the
information on the attacker’s movement throughout
There is general agreement that there are seven
main steps which need to be taken after a cyber-attack.
These should form the basis of simulation and
training for all IT security staff, with senior officers
and managers involved at appropriate points so that
they understand the importance of a practised and
effective response. Senior staff and commanders
should take part in the decision-making during a
simulated incident just as they would in a real attack,
and should come to understand the implications and
consequences of cyber threats to the organisation in
all their aspects.
The immediate response must be to get the
incident response team on the job, gathering data
on the nature of the attack, where it entered the
organisation and how it travelled within it, as well
as the involuntary or deliberate participation of
As soon as there is some clarity on the nature
of the attack and whether it is genuine, Defence will
notify and seek assistance from the Australian Signals
Directorate, who will then bring in their own experts
if necessary to assist with defining and resolving
the problems which have been created. If
defence industry has been attacked, it will go
to Computer Emergency Response Team Australia
(CERT Australia) and/or, through them, to the ACSC.
There may also be insurance issues involved,
whether cyber security liability insurance is in
place or not. Legal issues may also arise if vital
intellectual property or personnel data has been
At the same time, IT systems must be secured in
order to contain the breach and ensure that capability
and business continuity are not compromised. This
may involve isolating affected parts of the network
and activating measures to ensure that any spread to
other parts of the network, or any other intrusion, is
detected in real time. It may mean restoring databases
and programs from backups taken before the intrusion
began, onto parts of the network whose integrity is assured.
Then the hard work begins. Ideally the
computer network is supported by ‘big data’
analytics which can trawl through event databases
to determine where and how the breach occurred. If
an employee is implicated, they will need to be kept
apart from their systems while the investigation is
Most investigations of this type are iterative:
discovering something significant often prompts a
fresh look at systems and data already checked,
in order to follow new lines of enquiry.
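The ‘play back the tape’ idea, the initial data-gathering on where the attack entered and travelled, the containment decisions and the iterative trawl through event data described above can all be shown on one small worked example. The following Python is an added illustration, not code from the article, from FireEye or from any Defence system: the one-line logon record format, the host names (WS-17, DC-1 and so on), the account names and the timestamps are all constructed for the example. Starting from the host on which the intruder was caught, it repeatedly scans the events for remote logons whose source host was already under attacker control, which yields the ordered path of the intrusion, the set of hosts to isolate, the accounts the intruder used and, per host, the latest backup that can still be trusted.

```python
"""Reconstruct an intruder's movement from logon events and derive a containment list.

Added example, not from the APDR article or FireEye. The log format, host names,
account names and timestamps below are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample events in a made-up one-line format:
# "<ISO time> LOGON src=<host> dst=<host> user=<account> type=<logon type>"
# Deliberately not in time order: records from several collectors rarely are.
SAMPLE_EVENTS = """\
2016-08-01T10:03:18 LOGON src=WS-22 dst=DC-1 user=svc_backup type=network
2016-08-01T09:02:11 LOGON src=WS-17 dst=FILESRV-2 user=jsmith type=network
2016-07-31T18:10:00 LOGON src=WS-22 dst=WS-31 user=jsmith type=remote_interactive
2016-08-01T09:15:40 LOGON src=WS-17 dst=WS-22 user=jsmith type=remote_interactive
2016-08-01T09:20:05 LOGON src=WS-05 dst=FILESRV-2 user=akhan type=network
2016-08-01T10:30:00 LOGON src=WS-22 dst=WS-17 user=jsmith type=network
2016-08-01T11:45:27 LOGON src=DC-1 dst=FILESRV-2 user=svc_backup type=network
"""


@dataclass(frozen=True)
class Logon:
    when: datetime
    src: str
    dst: str
    user: str
    kind: str


def parse_events(text: str) -> List[Logon]:
    """Parse the constructed format above; lines that are not LOGON records are ignored."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1] != "LOGON":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append(Logon(datetime.fromisoformat(parts[0]), fields["src"],
                            fields["dst"], fields["user"], fields["type"]))
    return events


def trace_movement(events: List[Logon], entry_host: str,
                   entry_time: datetime) -> Tuple[Dict[str, datetime], List[Logon]]:
    """Expand the set of compromised hosts until nothing new is found.

    A logon counts as attacker movement only if its source host was already
    compromised when it happened; the earliest such logon onto a host fixes
    that host's compromise time. Re-scanning every event after each discovery
    is the investigator's 'fresh look at data already checked', and it also
    copes with records that are not in time order. The 31 July logon from
    WS-22 is correctly left out: WS-22 was not yet compromised at that time.
    """
    compromised: Dict[str, datetime] = {entry_host: entry_time}
    hops: List[Logon] = []
    seen: Set[Logon] = set()
    changed = True
    while changed:
        changed = False
        for e in events:
            first_seen = compromised.get(e.src)
            if first_seen is None or e.when < first_seen or e in seen:
                continue  # source not (yet) under attacker control, or already recorded
            seen.add(e)
            hops.append(e)
            if e.dst not in compromised or e.when < compromised[e.dst]:
                compromised[e.dst] = e.when
                changed = True
    return compromised, sorted(hops, key=lambda e: e.when)


def containment_plan(compromised: Dict[str, datetime], hops: List[Logon]) -> Dict[str, object]:
    """Turn the trace into the decisions the response team has to make."""
    return {
        "isolate": sorted(compromised),                          # hosts to cut from the network
        "accounts_to_suspend": sorted({h.user for h in hops}),   # credentials the intruder used
        # a restore point is only trustworthy if it predates that host's compromise
        "restore_before": {host: t.isoformat() for host, t in compromised.items()},
    }


def run_sample() -> Dict[str, object]:
    """Run the trace over the constructed events from the host where the intruder was caught."""
    comp, path = trace_movement(parse_events(SAMPLE_EVENTS), "WS-17",
                                datetime(2016, 8, 1, 9, 0, 0))
    plan = containment_plan(comp, path)
    plan["hops"] = [(h.when.isoformat(), h.src, h.dst, h.user) for h in path]
    return plan


if __name__ == "__main__":
    result = run_sample()
    for when, src, dst, user in result["hops"]:
        print(f"{when}  {src} -> {dst}  as {user}")
    print({k: v for k, v in result.items() if k != "hops"})
```

Two points of the design carry over to real tooling. First, a logon only counts as movement if the source was already compromised at that moment, which is what keeps WS-05 and the pre-compromise logon to WS-31 out of the picture and stops the isolation list from growing to the whole network. Second, because the compromise time of each host is recorded, the plan can say which backup is still safe to restore: anything taken after that time may carry the intruder's changes with it.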
Not all security breaches become publicly known,
but there needs to be a rehearsed procedure in
place should this occur.
There may be regulatory and legal requirements
to be met, particularly if other parties are involved.
Deciding who to notify is no simple task, because
there is often a lack of clarity as to who or what has
Finally there may be liabilities to be managed.
These come in many forms and it is of little use trying
to predict them beyond the main categories:
remediation; ex-gratia payments, goods or services;
replacement of stolen property; or recreating
stolen information.
In industry, cyber security is all about balancing risk
against the effectiveness of conducting business
through widespread use of on-line systems and
interconnection with other organisations for the
exchange of information, orders, status reports, financial
transactions and a multiplicity of other data.
In military systems the option to balance risk and
convenience is not there. The ADF’s warfighting
networks and systems must be 100% secure all
day, every day, irrespective of geographic location.
Australia is fortunate to have the ASD, ACSC,
CERT Australia and many other groups working
together to ensure safe national security and
economic well-being. Embedded within Defence
and the ADF are personnel with expert knowledge
and skills, together with a very strong motivation to
All is not golden, however, as ASD in particular
has had to deal with insider incidents in the past
and will continue to do so in the future. There will
be constant vigilance in monitoring and analysing
traffic passing through major networks, including
links into and out of Australia.
The most important step for any organisation
is to at least follow ASD’s Top Four mitigation
strategies, available from ASD’s website, which
ASD says will defeat at least 85% of targeted cyber intrusions.
They are application whitelisting, patching applications,
patching operating systems, and restricting
administrative privileges. It is worth looking at the
defence-in-depth system. It is worth looking at the
ASD website because it lists these and a further 33
Yes, the threats are increasing, but so too are
awareness of them and the defences against them.
The Australian Signals Directorate detected over 1,200 cyber
security incidents in 2015, including attacks on government
agencies and non-government sectors.