According to the Australian Cyber Security Centre, 164 cybercrime reports are made by Australians every day. create meets the engineers trying to thwart these attacks.
Cybersecurity and data protection are a rapidly growing industry that the Australian Government projects will be worth $7.6 billion by 2024.
Even with all eyes on the online crooks, so far in 2023 there have been 39 large corporate data breaches.
Victims include major banks and state governments as well as giants in health, telecom and retail.
In the Optus network breach alone, cybercriminals believed to be working for a state-sponsored operation may have accessed data of up to 9.8 million customers — accounting for about 38 per cent of Australians.
The Medibank attack similarly saw the sensitive information of 7.8 million national and 1.8 million international customers leaked.
Combating cybercrime requires robust prevention and response, but a number of leading cyber engineers say that’s only the beginning.
Think like a hacker
For large corporations, trying to get ahead of the bad guys is key to maintaining good cyber defences.
‘White-hat’ or ethical hackers are cybersecurity engineers who test system vulnerabilities. Kat Ramos is one such hacker for ANZ.
Just one day after winning two gold medals for archery at the World Dwarf Games, Ramos sat down with create to explain how penetration testing helps engineers to prepare for an attack.
“We test our web and mobile applications by simulating a real-world attack,” she said. “Then we can advise our applications team on what we did, and the best way to prevent a similar attack in future.”
Ramos said that testing is done using checklists in a timebox manner — racing the clock to see where they find vulnerabilities in a way that sounds a bit like a Hollywood film.
“We might only have one week to test input validations and proper encryptions are in place,” she said.
That’s because white-hat hackers are always trying to expose weaknesses and have them patched up before bad actors can step in — so they’re operating under time constraints, just like cyber criminals.
“There’s always a new attack, so we can’t rely on replicating the ways that systems have been attacked in the past,” Ramos said. “Technology keeps changing and hackers keep improving, so it’s really important to continue learning.”
She points out that criminal hackers have more time to learn than engineers playing defence.
“You have to learn to think like an attacker,” she said. “And information is gold to them.”
“Unsexy” security
For Alex Tilley, Secureworks’ head of threat intelligence in Asia–Pacific and Japan, private companies have to work hand-in-hand with governments to combat online crime.
Prevention is the hard part, he told create, because “if bad guys want to get in, they’ll find a way to get in”.
Tilley, who has worked in cybercrime operations for online casinos, banking, security and law enforcement, maintains a government security clearance, which means he can’t go into specifics about state-sponsored cybercrime.
But no matter who is attacking systems, he said, “prevention is about things like patching, configuration and restriction of access, and secure coding practices”.
Equally, it’s important to be able to spot when a breach occurs.
“A lot of places don’t have the visibility to spot the breach as it’s happening, or at least quickly after it’s happened,” he said.
A number of recent ‘name-and-shame’ ransomware attacks have also seen the “bad guys control the narrative around the breach”.
Spotting a breach, even if it is a day later or a week later, allows businesses to exert more control over the situation.
“You can’t form a good risk-based approach if it’s a bad guy who comes to you saying, ‘We’ve just taken all your data’ — and you do not know if that is true,” Tilley said.
That means getting what he calls the “unsexy security” right in the first place, through secure coding practices and secure development practices, as well as regular internal and external reviews.
Under the radar
One common problem is constantly adding to systems without going back to check that the fundamentals are still in place.
“Companies will have an authentication scheme, but it might have been implemented 12 years ago,” Tilley said.
The way to get visibility, he said, is through the practice of logging, which is a record of the events — such as failures or changes to an application — occurring within a company’s IT systems and networks.
“Everyone hates it, but what we find when we do incident response engagements is that they often involve someone making a decision five years ago that is no longer best practice.”
Reviewing web and database servers ensures that the logging of activity and actions or strange activity can filter out the normal from the malicious.
“The worst day to find out that your data logging hasn’t been up to date is the day of an attack,” Tilley said.
Even if logging history is stored on a USB drive, he said, it’s better than nothing. Modern attacks require sorting through a lot of logging data to find out what has happened.
Creating meaningful data visibility is the aim of the game, as hackers tend to use web shells to gain access to systems.
“Web shells are where someone finds a mistake, or security flaw, in a web application that lets them upload malicious code and tricks the web server to run it, and they can use that to execute commands on your internal network,” Tilley said.
Not logging extra details of what the web application is doing — such as the commands it is running on the web server, who is connecting to the web server, and what they are sending or receiving — means that “in the event that an attacker is trying to extort you, you can’t see how much data was stolen”.
Tilley points out that engineers of all stripes often work in highly regulated environments, and that requires them to know what has actually happened in the event of a security breach.
“You can’t reconstruct the log from nothing,” he said. “No one likes to be in a situation where you’re trying to infer what happened.”
Not only do firms want to have the actual data, but third parties such as regulators and stock markets will expect you to as well.
“The last thing you want to say is ‘we don’t know’ — and that puts the bad guys in charge of the narrative,” Tilley said.
When it comes to responding to an attack, Tilley said that he’s a realist. Having a proper action plan in place, which covers everything from insurance, communications and even what to do with staff makes a stressful day a little bit easier.
“I’ve been involved in a lot of crisis situations, and they tend to involve people sitting around a table yelling at each other,” he said.
“That’s not helpful, and it slows down responses. Having agreed ways of dealing with certain issues upfront can help you focus on what matters most.”
Engineering solutions
Shireane McKinnie, chair of Engineers Australia’s Cyber Engineering Working Group, has worked on cybersecurity at the highest level.
Specialising in electronic warfare in the defence industry, she has worked to secure assets including ships and submarines, as well as sensitive surveillance and telecommunications systems.
McKinnie said that engineers — and not only those working in cyber — have a broad role to play in both preventing and responding to online attacks.
“Engineers need to work across the full lifecycle from the initial planning and understand the requirements for the system to designing, implementing and transitioning it into service,” she said.
When it comes to building systems that shore up electronic defences, McKinnie said engineers need to be “constantly looking at the threat environment”, and understand what implications that environment has for a system.
“We must be designing around that threat environment but constantly reviewing and modelling the threat environment, because it is changing all the time,” she said.
The terrain is always shifting, as bad actors continue evolving and sharing new ways to exploit systems.
Assume that you’re going to have an incident, McKinnie advised, so you already have a plan in place.
“The quicker you can respond, then the more likely you are to protect your data,” she said.
All hands on deck
The Australian Cyber Security Centre (ACSC), run by the Australian Signals Directorate, has platforms and networks that everyone from individuals to large enterprises can join.
There, tech professionals can find out about threats detected by the ACSC, and information on how to patch systems to defend against them.
McKinnie said that the Engineers Australia working group is also putting together a career development roadmap and competency framework for cyber engineers, and coordinating a number of continuing professional development events as well as developing guidance on standards for use in the field.
Last year, Engineers Australia delivered a comprehensive submission to the federal government’s national data security action plan discussion paper. “As digital transformation takes hold across many sectors, and control systems are used in a whole range of applications, everyone has a part to play in keeping them secure,” McKinnie said.
“Engineers need to bear in mind these very real threats as they develop solutions to a wide range of problems.”