Telstra has announced that it will be launching a new suite of managed security services and two new cybersecurity centres in Melbourne and Sydney. According to Neil Campbell, Telstra’s director of Security Solutions, the offerings will be ready for customers by July 19, with the aim to make the cybersecurity challenge easier for organisations to deal with.
“We’re taking this opportunity to rethink and reinvent really our product portfolio very much with that mindset of ‘it’s not enough to offer point solutions, it’s not enough to focus on today’s problem’,” Campbell told ZDNet.
“We need to help our customers and help the community to improve its cybersecurity resilience, to be more ready for attacks, more resilient against them, and therefore be more profitable, have more confidence in using the internet, and that confidence and reduction in interruption will play right across the entire spectrum through consumer and small business to enterprise, and should ultimately result in better gross domestic product outcome.”
Telstra said its new managed security services depart from traditional approaches, which Campbell labelled as being “slow and cumbersome and reactive”.
“Our new managed security services technology platform is built on open source, in part so that we can democratise that kind of SIM layer — security, information, management layer — we’re trying to make technology more available to a broader part of the market at a more cost-effective rate so that we can help to raise that base level of security, not just in enterprise but pushing down into the mid-market, who wouldn’t previously have been able to afford services like this,” Campbell said.
“The first set of offerings will be what you think of as traditional managed security services — managed firewall, managed intrusion prevention — and it will be that full stack … it will give us the ability to manage the vast majority of security infrastructure that a customer needs to operate.
“Using an open-source platform in a very much more cost-effective way giving the customer the kind of transparency they need, but also using technologies like big data to prepare ourselves on behalf of our customers for the kind of massive event flows that we will see as we see a greater uptake of Internet of Things connecting to their network.”
Telstra made its announcements off the back of the release of its annual cybersecurity report, which revealed that the rate of “business-interrupting” cyber attacks has doubled in the past year in the Asia-Pacific region. Telstra’s Cyber Security Report 2017, released on Wednesday, showed that 59 percent of organisations in both Australia and the wider Asia-Pacific region surveyed reported one security breach at minimum on a monthly basis during 2016.
Campbell said the results being mirrored in APAC show that it is not merely an Australian problem.
“This is very much an industry challenge,” Campbell told ZDNet. Of the respondents to Telstra’s report survey, 42.2 percent were from Australia; 16.7 percent from India; 14.4 percent from Singapore; 13.6 percent from Indonesia and the Philippines; and 13.1 percent from Hong Kong. Distributed denial-of-service (DDoS) attacks have also grown significantly over the year, with Telstra’s report citing Imperva experiencing 100 percent growth of network- and application-layer attacks and Akamai reporting a 71 percent increase in total global DDoS attacks.
According to the report, ransomware was the most downloaded malware in the Asia-Pacific region during the year, with around 60 percent of Australian businesses experiencing at least one incident in the 12-month period. Of those that experienced a ransomware incident, 42 percent paid the ransom. However, nearly 33 percent of organisations facing a ransomware demand never recovered their files, despite paying up.
Telstra reported the top ransomware botnet in the region as being Locky, which carried out 74 percent of all attacks, followed by CryptoWall, at 14 percent; Cerber, at 11 percent; TorrentLocker, at 0.5 percent; CryptXXX and TeslaCrypt, both at 0.04 percent; VirLock, at 0.03 percent; and Cerberus, at 0.00005 percent of all ransomware demands.
“Obviously, ransomware is big business now, a big focus for cybercriminals,” Campbell said, adding that businesses can avoid getting themselves in a situation where they are susceptible to ransomware demands.
“The absolute most important thing is backup, backup, backup, and then backup again. And make sure that your backup strategy runs frequently enough and has enough layers in it that it is a combination of on-premises and off-premises storage,” he said. According to Campbell, SMBs do not back up their files as diligently as larger organisations, with ransomware attackers relying on the “sweet spot” in the market where information is business-critical, but where businesses are far less likely to have a strong backup regime.
Businesses also need to implement a better security system to begin with, Campbell said.
“Backup is — you’re kind of treating a symptom. You also need to take on the cause, which is the malware arriving on your network in the first place,” he explained.
“So a better approach to end-point security, a better approach to perimeter security, will always stand you in good stead. You don’t apply security in single, thin layers; you apply security in depth.”
Telstra’s new cybersecurity offerings will also enable organisations to battle the ransomware problem, Campbell said.
“When you think about managed security services, that service will enable organisations to more rapidly detect attacks, both attempts and successful, and be in a better position to respond to those attacks and eradicate the cause of the attack before any significant damage is done.”
Telstra’s new offerings were partly inspired by the Australian government’s own cybersecurity initiatives — beginning with its cybersecurity strategy launched in April last year — according to Campbell.
“I’m really heartened by how the government has been driving cybersecurity in Australia,” he said.
“I think it’s fair to say that that in part has been an inspiration, certainly an input to our strategy. I think the government has it right in that this is a societal issue: You can’t address cybercrime by going to each individual affected party and trying to fix the symptom of cybercrime one by one. You have to take a far more systemic or national … approach to it.”
Campbell hailed the government for backing up its policy with action by opening its first Joint Cyber Security Centre in Brisbane last month. The government also opened its Cyber Security Growth Centre in December and announced AU$1.9 million in funding for universities to deliver specialised cybersecurity training and become Academic Centres of Cyber Security.
Telstra is also satisfied with the “massive increase” in the level of involvement now being seen from C-level executives across Australia, Campbell said, which shows that companies are focused on driving progress.
“Cybersecurity within an organisation has to be a top-down focus,” he said.
“We need to see executives recognising the importance, incorporating cybersecurity into their risk-management programs and then driving improvement through the organisation, and tracking it as rigorously as they would any other significant risk.”
While Telstra is backing the effectiveness of its new system, Campbell said it is imperative that businesses accept that some cyber attacks will be successful; otherwise, they won’t be prepared for when an attack does succeed.
“An attack will be successful,” he said.
“The whole industry needs to get over that.”
Following the news of Amber Rudd’s call for WhatsApp messages to be available to security services, IT security experts from Avast, CipherCloud, DomainTools, AlienVault, Tenable Network Security, Tripwire, Comparitech.com and FireMon commented below.
We understand why governments want to be able to access the content in these messages but, unfortunately, banning encryption in order to get to the communications of a select few opens the door to the communications of many, and renders us all less secure and our lives less private.
If you build a back door, it’s there for everybody to access. And if you store that data you collect, even in encrypted form, how secure is it? All these data breaches we hear about show our privacy is regularly being breached by hackers, so the action suggested by the Home Secretary would only open us all up to further invasions of privacy.
A lot of these terrorist organisations are already well resourced. It would be naïve of us to think that by removing the public methods of encryption which we use to protect our identity, our freedom of speech and to keep us safe from persecution, that those terrorist organisations will not develop alternative methods to encrypt their communications. If this were to happen, we’d only be pushing these people further underground, presenting a greater challenge to security intelligence services.
As we have seen with past terrorist incidents in Paris and Brussels, in the wake of the attack in London the debate over security and privacy has been ignited again, this time between UK government officials. The predictable clash between intelligence gathering and civil liberties is once again on display. Each time the topic of government access to end-to-end encryption is raised it is worth reviewing some of the reasons why backdoors that dilute encryption strength are an ineffective response:
Encryption is less of a technology and more of a concept or idea. Ideas are hard to control. Bad and good actors have used encryption over the course of history to communicate securely. Governments and businesses need to keep secrets too. Encryption is a highly effective way to protect legitimate rights and interests.
Controlling encryption is equivalent to controlling math. Modern encryption schemes (such as AES-256) are publicly available and can be implemented with skills of a college-level math major. If providers of secure messaging in western countries are forced to install backdoors, then bad actors will get their secure apps from regions where UK and US government enforcement do not reach. Preventing clever people anywhere in the world from applying readily available encryption or developing their own encryption schemes is impossible.
Legitimate users will be hurt if government demands backdoors. If there are any backdoors to data protection, it is inevitable that hackers will steal and exploit them. The very existence of government backdoors would undermine the confidence in security from firms in western countries. Other countries will quickly fill the gap. Encryption plays a critical role in online privacy, ecommerce and the cloud. Undermining the trust in personal data protection will hurt businesses and users alike. We live in scary times and should never underestimate the challenges we all face in deterring terror. But latching onto simplistic solutions that will not work, does not make us safer. In fact, if we undermine the effectiveness of our critical digital security mechanisms and damage an important industry, we will be handing the terrorists a victory. For these and many other reasons, this idea simply won’t work and will have no impact on those seeking to commit acts of terror.
The idea of having a perfect end-to-end encryption solution with backdoors embedded only for police sounds great, in theory. However, in practice, it’s not possible. If a backdoor is embedded into an application or service, it’s present for anyone to find and use. The only difference between police and criminals at that point is awareness of the backdoor and intent. The ultimate victims are the end user and the organization required to comply with embedding vulnerabilities to allow for backdoors. Having embedded vulnerabilities leaves the end user vulnerable to criminals who leverage the backdoor that the organization willingly put into place. You can’t necessarily control who finds or uses this vulnerability once the application is distributed and used.
Today, as we stand with technology and encryption deployment, backdoors simply aren’t possible. It’s an all or nothing approach. If backdoors are built in, then they could be exploited by anyone, not just authorised bodies.
As the computational power, complexity and value of these devices increases, the probability they’ll be targeted by cyber criminals to monetize security flaws will also rise. Smartphones are a particular weak spot, with cherished photos being stored and rarely backed up.
As with traditional IT equipment, it’s important connected devices are kept up to date, applying fixes the vendors release in a timely manner.
You can have true end-to-end encryption that nobody but the participants can read, or you can have a system where a central authority can decrypt any message they want. It doesn’t make any sense to suggest that you can have both. It is either one or the other. It is a reasonable policy position to believe you should have a government backdoor in messaging systems, but this always worries security experts because that same backdoor you create for the government inevitably creates the potential for misuse, abuse, and being exploited by others.
Westminster gets tough on terrorists. MPs clampdown on encrypted communications. Amber Rudd foils imminent attack while chatting on WhatsApp.
Great headlines the lot of them, especially for politicians who like to curry favour with the electorate by pandering to, well, anything of note really.
In this case, however, we find the Home Secretary seriously out of her depth with her suggestion that a back door should be placed in all encrypted messaging services, a claim made all the more laughable by her assertion that this could be accomplished with hashtags. Perhaps she intends to tweet #no_more_encryption and then sit back and watch the magic happen?
Her crazy idea that a system could feature end-to-end encryption and a back door at the same time (which means it’s no longer end-to-end and available to anyone, good or bad, who can find said backdoor) is almost as baffling as the notion that terrorists would then continue using that service regardless.
Everyone knows that once one service is known to be broken, the bad guys will simply move onto the next. In the meantime, it is ordinary, law-abiding citizens who will be wondering whether their current government, or the next, or the one after that, is spying on their mundane but no less privacy-deserving lives.
Equally, businesses will get the jitters too, wondering whether Amber Rudd wishes to weaken their ability to communicate with clients in other, less paranoid, countries, or unravel all the hard work and funds they have invested into the secure web payments they offer their customers.
Encryption is a topic I am well familiar with; having spent 8 years in the military supporting encryption services and as a CISO. Much debate on this topic arose in the past with the Apple vs. FBI requesting backdoors.
The problem with backdoors is they are essentially a request for access to applications or systems using alternative means than the front door. Many companies spent a lot of time protecting the front doors of their products. Backdoors by design allow those with keys access, but like the analogy, it also means attackers can attempt to penetrate and hack these backdoor systems. In essence, backdoors compromise the security of the products allowing for potential broad exploitation to occur. Those with keys can also lose their keys. Who in the government would be responsible for protecting the keys to these back doors? What if I attack those with these keys? Or more commonly, what if a contractor working for a government decides to steal these keys and perhaps flee to Russia? Sounds familiar to other events that have occurred.
Let’s turn our attention to WhatsApp. Yes, this communication application has built-in security enabling end to end encryption. If the bad guys feel that this application has been compromised by government officials and backdoors become available, this leads to a simple response by the bad guys, use a different application. WhatsApp is a third party application on a mobile device. Nothing prevents the bad guys from moving to a lesser known third party application. Plus, anyone that is looking to compete with WhatsApp may see this new backdoor feature as an opportunity to compete, promoting the lack of backdoor in their product as a true for the people product.
Backdoors can have a negative financial impact to those companies providing these security type products.
LINCOLN - Since originally being sentenced to death at 17 for shooting two men and killing one of them, Shakur Abdullah changed his name and found a new life helping others. He was released in January 2016 after more than 40 years in prison, and now works as a case manager for Omaha-based Reconnect Inc., a nonprofit organization founded by another former inmate that teaches current and former prisoners job and life skills. But under Nebraska law, Abdullah will not be able to vote until 2018. Nebraska lawmakers ended the state’s permanent ban on felon voting in 2005, but added a two-year waiting period as a last-minute compromise to make sure the measure had enough votes.
“The same sentence that has been discharged is being used to prevent you from voting,” Abdullah said. “It makes you feel like a pariah or a second-class citizen.”
That would change under one of several bills moving forward in the Nebraska Legislature that aim to help felons re-entering society after prison stints. A measure Sen. Justin Wayne of Omaha designated as his priority bill, increasing the likelihood it will be debated by the full Legislature this session, could restore voting rights to about 7,800 Nebraska felons as soon as they finish their sentences. Wayne said his bill would reverse a racially motivated decision Nebraska lawmakers made more than 140 years ago to keep newly enfranchised black Americans from voting. People of color are disproportionately represented in Nebraska’s prison system: racial minorities made up 15 percent of Nebraska’s population in the last census but are nearly half of its prison population.
“They knew it was a way to keep minority voters at the time disenfranchised,” Wayne said. “We cannot escape that history.” Wayne’s bill has advanced from committee and is awaiting a first vote from the full Legislature. So are measures that would require jails to offer inmates state-issued IDs before leaving, extend a 2014 ban on asking about criminal history on public employers’ job applications to include private employers and allow people who had been incarcerated to petition to have their convictions set aside. Bills that would allow drug felons to receive nutrition benefits are stalled in committee, but their sponsors plan to work on compromises over the summer.
The bills are part of a larger comprehensive approach Nebraska lawmakers are taking to the criminal justice system, American Civil Liberties Union of Nebraska executive director Danielle Conrad said. On the front end, senators have introduced legislation that would change how bail, fines and fees are charged to keep indigent people out of jail for being unable to pay, and the Legislature narrowly advanced a bill that would eliminate mandatory minimum sentences for drug offenders, though supporters lack the 30 votes to override a near-certain veto. And lawmakers are considering a measure that would limit solitary confinement and other restricted housing in the state’s prison system.
“We no longer have the luxury of focusing on one discrete area in the spectrum,” Conrad said. Three of the four re-entry bills have no price tag, and the Secretary of State’s office predicted the felon voting change would cost about $1,000 to remove references to the two-year waiting period on its website and other information. Those fiscal notes make the measures a common-sense, low-cost alternative to more prison spending as Nebraska faces a projected $895 million revenue shortfall during the upcoming two-year budget cycle, Conrad said.
“Each of these pieces working together are critically important in ensuring we’re presenting returning citizens with opportunities for civic engagement,” Conrad said.
Those returning citizens now can get help through organizations like Omaha’s Reconnect Inc. and church-based organizations, which Abdullah said have seen a groundswell of support in the decade since then-President George W. Bush signed the Second Chance Act of 2007. Reconnect Inc. helps current and recently released prisoners pay for state IDs and birth certificates, but it can’t use grant money for IDs and would be able to do more if prisons would make sure inmates had IDs before they left, he said. State prisons now issue ID cards that identify the holder as a recently released inmate, but those aren’t seen as official IDs needed to apply for a job or apartment. Prisons would offer state ID cards or driver’s license renewals, but not new driver’s licenses, under an amended bill sponsored by Sen. Matt Hansen of Lincoln and unanimously endorsed by the Judiciary Committee.
A measure sponsored by Sen. John McCollister of Omaha that would prevent private employers from asking about criminal history on job applications advanced on a 4-3 party line vote from the Business and Labor Committee. It’s opposed by the Nebraska chapter of the National Federation of Independent Businesses, which says delays in learning about potential employees’ criminal history could lead to expensive hiring delays.
“Knowing the criminal history certainly is relevant if they’ve been convicted of identity theft and are going to work with credit cards, or if they’re going to be a security guard or day care worker who was convicted of sexual assault,” state director Bob Hostelman said.
Finding a job, voting and otherwise reintegrating with the community will help reduce recidivism rates, said Jasmine Harris, a member of the Urban League of Nebraska Young Professionals who organized an inaugural Black and Brown Legislative Day in February.
“The most important thing that people need to know is that people deserve second chances,” Harris said. “We need to make them feel welcome.”