Asia Pacific Defence Reporter (APDR), July-August 2014
APDR 40th Anniversary
CAN YOU REALLY TRUST THE ENTRUSTED
QinetiQ cyber security experts in the United Kingdom
have developed a “Security Culture Tool”. It’s an
application that assesses an organisation’s security
culture, recommending training or education based
on the results of the assessment. It has been
developed over two years and trialled across a range
of government and commercial companies.
It actually quantifies security behaviour and
compares the attitudes and responses of different
groups to identify the interventions needed to move
an organisation from its current to a desired state.
By targeting the interventions where they’re needed
most and measuring them, it reduces unnecessary
cost. Only interventions that change staff behaviour
are invested in.
If the insider’s colleagues had been attuned to
watch for suspicious behaviour in those high profile
cases, could these events have been avoided? Who
knows? It’s hard to tell. QinetiQ Australia believes,
however, measuring and adjusting an organisation’s
security culture in a tailored manner will assist with
understanding the threats posed.
Mr Woolford adds, “The culture of an organisation
is what helps people who are in a position to act,
to monitor the health of their organisation’s security.
We believe organisational culture, the analysis of risk
factors in the human terrain of our workforce, cyber
awareness and social and professional networks are
all important in building an understanding of the cyber
vulnerabilities faced by Government and business
BUILDING A CYBER DEFENCE FORCE INSIDE
The days of protecting our perimeters alone are
beyond us. The model for “Cyber Security Defence-in-
Depth” must be inwardly facing as well as outwardly
facing. It must be able to monitor not only the viruses
and malware coming through the front door but also
the humans walking through the foyer or logging onto
their computers each morning.
Sufficiently educating, screening and constantly
monitoring the people who interact with the
organisation’s network is the most complete method
for protecting the system. The key question is: How
do you do this while respecting an individual’s privacy
concerns? QinetiQ Australia’s views on this are rather
simple – it’s a trade-off.
Mr Woolford says, “If someone is expected to be an
IT system administrator, they must be aware that their
actions too will be monitored. To use a military term, ‘IT
logs must be No Lone Zones’, that is, someone must
constantly be checking the checkers. This will ensure
the organisation’s security culture is at its highest.”
The threat from humans is everywhere – from a
visitor to the office, to someone at the other end
of a telephone, to a trusted 25-year employee of a
company and everything in between. Any individual
capable of interacting with a business is a possible
cyber threat. It’s a balancing act: You need people
to run the business but you also need to ensure they
pose a minimal security risk to the business.
Training employees to become a “Cyber Defence
Force” is paramount. QinetiQ has developed
a framework for providing organisations with the
expertise and awareness needed to know what to
look out for with the “Security Culture Tool”. We have,
however, only just begun to understand and define the
As a provider of cyber services to some of the
world’s most security conscious organisations for
more than 20 years, QinetiQ has built a reputable and
enviable understanding of where the next threat might
come from and how best to tackle it. For now, we
advise Government and business on how to establish
the best defence against the cyber threat – and that’s
with a security culture.
SUPPORTING CRITICAL MISSIONS WITH
EFFECTIVE CROSS-DOMAIN SOLUTIONS.
In the aftermath of the September 11 terrorist attacks
in the US, the world’s security agencies recognised
that the wealth of information that had been collected
about the identities, possible targets and the method of
attack of the terrorist organisations responsible, could
not be effectively analysed or processed. Pockets
of information sat with a number of security and
intelligence agencies, in disparate data repositories
making the compilation of a complete picture of the
potential threat slow and impractical.
Without the ability to access critical data stored
on separate networks managed and maintained
by disparate agencies, Governments and civilian
organisations are constrained in their efforts to protect
citizens and vital infrastructure.
In addition to this need to access information,
agencies also need to be able to transfer documents,
imagery and databases between and across networks
secure in the knowledge that the data is secure and
protected against unintended release or infiltration.
Any breach of this can be potentially catastrophic
and costly to Governments and their intelligence
agencies as well as critical human services such as
healthcare, law enforcement and financial systems.
When data resides (at rest) on an end point device
(desktop, laptop, tablet, smartphone, etc.), the risk
of exposing that data is very high if the device is
penetrated, lost, stolen, or becomes inoperable. By
implementing secure read-only end points (thin clients,
virtual machines with trusted operating systems,
encrypted portable devices, etc.) and moving data to a
secure cloud, sensitive data is only available to those
authorized to access it, whenever and wherever they
need it, without risk of leak or loss.
In the specific Australian context, the Government’s
National Security Information Environment Roadmap
and 2020 Vision clearly articulates an increasing
need to explore opportunities to seamlessly move
information from one classification domain to another.
A new generation of ‘cross domain sharing’ capability
would enhance the ability of the national security
community to collaborate and share mission critical
data even at the highest classification levels.
Recognising this need to share and distribute
protected data while mitigating the risk of unapproved
release, Raytheon Australia has invested heavily in
developing cross-domain solutions that support the
mission critical requirements of our customer.
As a global leader in cross-domain solutions,
Raytheon's multi-domain and cross-domain sharing
solutions deliver a suite of certified and accredited
software and services that enable the secure access
and transfer, delivery and printing of data between
networks at different classification or sensitivity levels,
including the most sensitive and classified networks. In
an increasingly interconnected society, this technology
can provide the data confidentiality, with the integrity
and availability necessary to Australia’s national
security. While the primary function of a cross-domain
solution is to protect data at rest or in transit, these
solutions are also used to achieve infrastructure and
personnel efficiencies and cost reductions.
Specialised Raytheon Products like High Speed
Guard, Trusted Print Delivery, Web Shield, Sim Shield,
and Trusted Mail System are currently deployed
with a number of government agencies worldwide,
including the classified domains of the US military and
Raytheon Australia has the ability to draw on these
products and our trusted partnerships with existing
national security customers to offer tailored cross-
domain solutions. This pedigree is demonstrated
through our ongoing delivery of a cross-domain data
transfer solution, centred on our Trusted Gateway
Server (TGS) product, for the Commonwealth under
contracts awarded in 2012 and 2014. Currently
undergoing certification and accreditation, Raytheon’s