China cyber attack on Australian Bureau of Meteorology

OPSSG

Super Moderator
Staff member
A reminder to all posting in this thread. The posting of one-liners is a violation of Rule 2 of the Forum Rules. On occasion, the Mod Team may tolerate a post with one-line; but not all the time.

For new members or members with less than 50 posts, if you post a one-liner in this thread, it will be deleted. Thank you for your attention.
 

phreeky

Active Member
Without commenting about specific government organisations, or even the source of cyber attacks, what I find particularly concerning (and it's backed by the article in the original post) is the level of interconnect between the different networks.

Keep in mind that from a national interest PoV, defence networks don't have to be the target. The ability to gain a commercial advantage can be significant.

The main issues I see are the level of trust given to a particular interface with another network, whether the security implemented remains appropriate with scope/usage change over time, and whether monitoring systems and procedures in place are upheld over time.

For example, weak targets may appear at first sight to be of little benefit in cracking, but the ability to act as them from an interface PoV can provide the link to a network that itself is otherwise a harder nut to crack, and this pattern can continue up the chain. The weaker targets often also have a lower level of monitoring in place and so the access can be maintained.

My experience is not that there's a lack of security experts, however there IS a lack of:
- co-operation between departments/agencies in understanding whole-of-system vulnerabilities; and
- security experts with an ability to convince management of the seriousness of these vulnerabilities (many lack the ability to speak using the appropriate 'language')

This is, without doubt, not a weakness that would be limited to Australia. The push for gov organisation co-operation, 'cloud' solutions, and 'enabling users' with mobility are worldwide and present real challenges for those involved in securing such systems.
 

gf0012-aust

Grumpy Old Man
Staff member
Verified Defense Pro
The push for gov organisation co-operation, 'cloud' solutions, and 'enabling users' with mobility are worldwide and present real challenges for those involved in securing such systems.
I've done security for what was once the 2nd largest non military network in the sthn hemisphere, and still have some peripheral involvement on other projects

IMO the current industry con job is the extolling of the virtues of the cloud

it's an invitation to determined players.

I stay away from discussing IT security on open forums for a number of reasons. However, there are some others on here who are well placed to add some tech input at a "safe" level. I assume that they will do a driveby if relevant
 

Todjaeger

Potstirrer
I stay away from discussing IT security on open forums for a number of reasons. However, there are some others on here who are well placed to add some tech input at a "safe" level. I assume that they will do a driveby if relevant
I similarly avoid discussing IT security on open forums, likely for some similar reasons.

One of the key vulnerabilities in IT security has remained the same for years, if not decades. It is the human element.

As for cloud computing/storage... It has its uses, and I use it myself. For low level things. Like certain PDFs I have that I occasionally want/need to access when away from my home network. Or for archival purposes for pictures of sentimental value. Honestly though, I would prefer to be able to have a more locked down system than I currently have, with discrete systems used for cloud and financial connections. If one operates on the assumption that the cloud content will become compromised, and therefore do not put anything sensitive onto the cloud, it can help.

There is another potential issue with the cloud which I will not discuss in the open.
 

phreeky

Active Member
I understand the sensitivity, though at a high level the discussion is no more sensitive than the discussions of military hardware that is on-going. The weaknesses are no secret to those looking to compromise them - it's merely a matter of budget/time/determination and the risk one is willing to take in getting caught.

You're bang on when it comes to the human element, though that in itself exists at various layers - management appreciation, user "I want to be able to", down to user stupidity.

I thought I'd get some more discussion going, and the network security topic is hardly limited to military networks, however if everyone is unwilling to discuss it then I guess it doesn't give much purpose to this part of the forum.
 

ngatimozart

Super Moderator
Staff member
Verified Defense Pro
Regarding IT security in general, I always regard any internet based system as compromised so I don't upload anything that I deem confidential. Same with handling info and data through phones or tablets. Even telephones and cellphones I assume to be compromised, so whilst it might appear to be a bit over the top, to me it's just SOP and habit so that I don't forget :D Unfortunately in today's world I am forced to undertake some activities like banking over the net and I can't get around that :(
 

gf0012-aust

Grumpy Old Man
Staff member
Verified Defense Pro
re discussions around security in general

those with a military history of some form will already understand this, so am preaching to the converted

for those who don't I'll add some colour as to why a few of us are being cautious - I'll give an australian context, but it generally applies to most nations

ADO personnel aren't permitted to discuss issues which are security related, security tagged or privileged info through association with the ADO - even if this info is in the public domain. ie you don't confirm from an ADO perspective even if it's in the public domain. This might seem bizarre but has a purpose.

People can cite from their personal exp as long as it doesn't tie back to defence outside of what comes from defence media sources

it's not a matter of being precious etc.....
 

StingrayOZ

Super Moderator
Staff member
My experience is not that there's a lack of security experts, however there IS a lack of:
- co-operation between departments/agencies in understanding whole-of-system vulnerabilities; and
- security experts with an ability to convince management of the seriousness of these vulnerabilities (many lack the ability to speak using the appropriate 'language')
Various security agencies have been recruiting aggressively, combined with private sector recruitment, there is an acute shortage developing. Certainly there is a much bigger problem around shared systems and understandings. With well funded and large state players now entering the field, thing to be progressing from relatively simple attacks to much larger and much smarter attacks. Things will evolve from standard attacks, that might be any black hat, to well crafted attacks that utilise national infrastructure and capability on a scale we haven't previously seen.

Redirecting all internet traffic through a particular country. Very advanced worms, complex targeting of thousands of individuals, to build a whole picture. Using existing intelligence organisations with "cyber" capabilities.

This is, without doubt, not a weakness that would be limited to Australia. The push for gov organisation co-operation, 'cloud' solutions, and 'enabling users' with mobility are worldwide and present real challenges for those involved in securing such systems.
Australia would be a very small player in this. However, no doubt they are targeting small players that don't have the capabilities, monitoring, response or thought thrown at it as major players do.
 

Todjaeger

Potstirrer
Australia would be a very small player in this. However, no doubt they are targeting small players that don't have the capabilities, monitoring, response or thought thrown at it as major players do.
Yes, and no...

There are some multi-nationals which have a greater cyber presence and capability than a number of nations. They also can have significantly greater exposure due to where they operate and/or which data traffic has to be routed through, to connect to various company networks and servers.

Also, the trend that I have seen is that the greater the player, not only the greater the capabilities, but also the greater the exposure and risk. In many cases, to the point that the lesser players have more relative capabilities to exposure than the greater players do.
 

phreeky

Active Member
There are some multi-nationals which have a greater cyber presence and capability than a number of nations. They also can have significantly greater exposure due to where they operate and/or which data traffic has to be routed through, to connect to various company networks and servers.
That's a good point. If you think of the big mining companies, they have a need to put in similar protection at various small sites as they do at larger ones - and that would not just be on the electronic side of things, but physical security plays an important role too.

One that I find particularly concerning is both hardware and software vendors. IP protection means that the products are often treated like a "black box" and yet they're commonly at the pointy end of security importance - ERP software, network security appliances/firewalls, etc.

Even if not everyone improves their security situation directly - let's say the availability of IT security professionals is lacking - the weaknesses are often as a result of multiple attack vectors in parallel, so an improvement in some is an improvement in the overall picture.

Personally I don't believe that the lack of security experts is the core problem. Security is a concept that is best designed and built into a system from the get-go, and that means that engineers, system architects, developers, and so on lay the foundation for system security. My experience is that if security experts spent their time more wisely they would focus on the system evaluation and implementation phase and there would be less need for remediation work down the track.
 

StingrayOZ

Super Moderator
Staff member
I think Australia is moving out of the background to be a front line target. There is no doubt that things have stepped up for Australia. While that's not to say Australia is poorly prepared and able to deal with such issues. We don't have the vast resources to pour into it as say the US does. Often with Australia a single large employer can soak up a lot of talent nationally.

Certainly some government agencies and corporates believe there is a shortage.
Commonwealth Bank warns global cyber-security skills shortage leaves Australia open to attack - ABC News (Australian Broadcasting Corporation)
https://www.engineering.unsw.edu.au...a-and-unsw-confront-chronic-industry-shortage
Australian skills shortage is becoming critical: SAP - ARN

We have had to change our views a few times.
Turnbull orders rewrite of draft Australian cyber strategy - Security - iTnews
 

phreeky

Active Member
I work in IT so you could say I'm biased, but I believe the skills shortage is a great big load of rubbish. Perhaps coincidentally (or likely not) I'll make the same complaint many make regarding Australia's ability of other industries (just look at the ship-building arguments) - it's not one of inability or lacking skills, it's one of mismanagement.

There is a sad state of disbelief when it comes to the ability of our fellow Australians, always looking to overseas for our solutions. How ironic when we see some of our most capable working in senior roles overseas. We pump out IT grads without jobs for them, and more importantly are too afraid (in both private and public sector) to hire them and train them further. Instead we look to import 'experienced' workers, often with questionable tertiary qualifications and work experience at completely unknown employers - I can tell you first hand that the results are painful.


It's interesting to see the mention of university courses and "to build a workforce that you want in five or ten years time".

Further to that, as I stated in my previous post, the job of a security expert is vastly simplified if security is in the forefront of the mind of those implementing IT solutions. That means making security a design principle, not an afterthought. That doesn't necessarily require a great deal of experience or specific training, in many ways it's about finding people with the right mindset.
 

ngatimozart

Super Moderator
Staff member
Verified Defense Pro
I work in IT so you could say I'm biased, but I believe the skills shortage is a great big load of rubbish. Perhaps coincidentally (or likely not) I'll make the same complaint many make regarding Australia's ability of other industries (just look at the ship-building arguments) - it's not one of inability or lacking skills, it's one of mismanagement.

There is a sad state of disbelief when it comes to the ability of our fellow Australians, always looking to overseas for our solutions. How ironic when we see some of our most capable working in senior roles overseas. We pump out IT grads without jobs for them, and more importantly are too afraid (in both private and public sector) to hire them and train them further. Instead we look to import 'experienced' workers, often with questionable tertiary qualifications and work experience at completely unknown employers - I can tell you first hand that the results are painful.




It's interesting to see the mention of university courses and "to build a workforce that you want in five or ten years time".
That is not just an Australian phenomenon. The same thing happens here in NZ, with our brightest and best scientists, engineers and IT people having to go offshore because of the lack of jobs here, yet they bring foreigners in to fill the gaps. Makes you wonder.
 

StingrayOZ

Super Moderator
Staff member
Further to that, as I stated in my previous post, the job of a security expert is vastly simplified if security is in the forefront of the mind of those implementing IT solutions. That means making security a design principle, not an afterthought. That doesn't necessarily require a great deal of experience or specific training, in many ways it's about finding people with the right mindset.
It's always a bit more complicated when it's state based. In a normal corporate environment you might assume your router, computer, software, people, aren't literally out to get you at every single moment.

Telcos could face Huawei ban, Malcolm Turnbull confirms

Things get complicated when things get licenced. Google Nexus for example will be built by Huawei. Excluding Huawei and ZTE from everything your data may ever touch is going to become more and more difficult.
Is it safe for Americans to buy Huawei-built Nexus phones? | ZDNet

So it's not as simple as what it first may appear. Design out all risks. You can imagine the capability you would need to keep the US government out of your work place or network, imagine a more determined and well funded player than even the US. Can you keep your systems secured if your IT staff are working against you (Snowden style or perhaps even more complicated, your suppliers, some of your staff, your developers, etc).

The shortage, as ever, isn't usually with fresh grads. It's with highly experienced top of their game type people. In fast growing fields you're going to struggle to significantly expand your workforce.
 

phreeky

Active Member
It's always a bit more complicated when it's state based. In a normal corporate environment you might assume your router, computer, software, people, aren't literally out to get you at every single moment.
No way do corporates all go placing full trust in their hardware, software or people. Admittedly hardware is one of the tricky areas - there's a hell of a lot of "networking gear from Cisco, PCs from Dell, mobiles from Apple, end of" that happens. Software is typically more complex due to the large range of vendors and probably the weakest area of the lot, and it's very organisation dependent so difficult to comment on. People on the other hand, I can't say I've experienced the assumption of trust much - a whole lot of orgs wouldn't get through their annual audit if that approach were taken.

Things get complicated when things get licenced. Google Nexus for example will be built by Huawei. Excluding Huawei and ZTE from everything your data may ever touch is going to become more and more difficult.
Is it safe for Americans to buy Huawei-built Nexus phones? | ZDNet
That really depends on what we're talking about here. The scrutiny should match the risk - a device used directly by employees with limited system access, where network connectivity is via a restricted segment, does not need to be equal to those of a greater level of trust. And the security considerations for devices differs greatly between core networking equipment and endpoint devices, where endpoint devices for example require a different approach to device management and may directly influence the trust placed in people.

So it's not as simple as what it first may appear. Design out all risks. You can imagine the capability you would need to keep the US government out of your work place or network, imagine a more determined and well funded player than even the US. Can you keep your systems secured if your IT staff are working against you (Snowden style or perhaps even more complicated, your suppliers, some of your staff, your developers, etc).
I'm not suggesting to design out all risks, in fact for complex systems it's simply impossible. What I'm suggesting is that designs have security in mind, as sadly they often don't (i.e. get it working, then "how do we make it secure?"). Things will get missed, however exploits are typically achieved via multiple layers and if just some of those layers are improved, well you might slow them down, detect them or even stop them.

The shortage, as ever, isn't usually with fresh grads. It's with highly experienced top of their game type people. In fast growing fields you're going to struggle to significantly expand your workforce.
And herein lies the problem. People at the top of their game aren't born, they're developed, and we need to develop them. If you keep recruiting them from elsewhere well then you pay more and you'll never have home grown ones.

As for fast growing fields, well sadly the security implications of IT are nothing new. There's no sudden need to consider it, simply a sudden realisation that we haven't been doing a good enough job of it.
 

phreeky

Active Member
It's a tough one to fund, because security vulnerabilities are often inherent in designs - a large part will need to go towards contributing process improvements, and then getting people on board.
 