BianLian is a cybercriminal group that deals in data extortion using ransomware

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory to provide information on the BianLian ransomware and data extortion group. This advisory is part of the ongoing #StopRansomware effort, which aims to help organizations defend against ransomware attacks by sharing advisories detailing different ransomware variants and threat actors.

BianLian is a cybercriminal group that develops, deploys, and conducts data extortion using ransomware. Since June 2022, they have targeted organizations in critical infrastructure sectors in the United States and Australia, as well as professional services and property development sectors. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials and uses open-source tools and command-line scripting for reconnaissance and credential harvesting. They exfiltrate victim data using File Transfer Protocol (FTP), Rclone, or Mega. The BianLian group then extorts money by threatening to release the stolen data unless a ransom is paid. Initially, they employed a double-extortion model where they encrypted victims’ systems after exfiltrating the data, but they have since shifted primarily to exfiltration-based extortion.

The advisory includes known tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) associated with the BianLian ransomware and data extortion group. It encourages critical infrastructure organizations, as well as small- and medium-sized organizations, to implement the mitigation recommendations provided in the advisory to reduce the likelihood and impact of BianLian and other ransomware incidents.

For more information on BianLian and other ransomware threats, as well as access to no-cost resources, organizations can visit the stopransomware.gov website and review the #StopRansomware advisories.

Tags: BianLiancyber

The post #StopRansomware: BianLian Ransomware Group appeared first on CIO Tech Asia.

BNE has valuable assets to protect from increasingly frequent and sophisticated cyberattacks

Brisbane Airport Corporation (BAC) operates Brisbane Airport (BNE), a vital part of Australia’s critical infrastructure that helps employ thousands of Queenslanders and contributes more than $US4 billion to the economy. The third-largest airport in the country by passenger numbers, BNE operates 24/7, connecting people and products with 76 domestic and international destinations.

There are more than 425 businesses at the airport precinct that employ over 24,000 people. BNE is also the largest airport in Australia by land size, covering 2,700 hectares. It’s even classified as a suburb with its own postcode.

All this means BNE has valuable assets to protect from increasingly frequent and sophisticated cyberattacks, including passenger management, staff management, air traffic control and emergency response systems.

Due to significant business disruptions caused by the COVID-19 pandemic, BAC was looking for a partner to manage its cybersecurity-related business risks. In particular, the company wanted to modernise its existing Splunk security information and event management (SIEM) solution into a holistic Managed Security Operations Centre (SOC) that provided end-to-end protection across its technology environment.

Recent amendments to Australia’s Security of Critical Infrastructure Act 2018, as well as aviation security requirements, acted as a catalyst for BAC to implement a Managed detection and response (MDR) service to reduce the impact and severity of malicious and progressively more complex cybersecurity incidents. This MDR service also needed to be ‘sovereign’, meaning it was hosted and managed entirely within Australia.

One of BAC’s main challenges was to tune, triage and respond to cybersecurity alerts.

“The alerts we were receiving weren’t very meaningful. So, we were looking for a solution that improved alert fidelity, helped our cyber team avoid alert fatigue and enabled us to effectively counter cyberthreats.” explains Craig Johnston, ICT Services Manager at BAC.

ParaFlare partnership enables complete cyber coverage

In August 2022, BAC engaged ParaFlare, one of only two partners in Australia to achieve Microsoft’s verified Managed Extended Detection and Response solution status. As such, ParaFlare will provide a 24/7 MDR service that leverages Microsoft Sentinel, Defender for Endpoint and Defender for Identity alongside its Splunk SIEM.

Sturt Maclennan, Chief Customer Officer at ParaFlare, says the solution is significantly improving BAC’s detection and response capabilities enhanced by the native integrations of Microsoft’s security stack.

“We’ve got a security platform that gives BAC coverage from their endpoints right through to edge cases in the SIEM, all from a single specialist provider, which is unique,” he says.

Additionally, ParaFlare is providing BAC with curated threat intelligence and advanced threat-hunting services, as well as digital forensics and incident response services.

Its team of threat-hunting specialists conduct monthly exercises to challenge the assumption that the detection strategies that have been implemented are suitable for the ever-changing cyber threat landscape.

“One of our key differentiators is that we don’t just rely on the tech vendor’s tools for detection – we’ve also created our own library of custom detections,” says Maclennan.

Meanwhile, ParaFlare’s Digital Forensics and Incident Response team, which specialises in investigation and remediation, works alongside its MDR team to ensure a smooth transition and continuity of service in the event of a cybersecurity breach.

Reducing dwell time and generating high fidelity alerts

BAC went live with the SOC in October 2022 following a rapid and comprehensive onboarding process with ParaFlare, resulting in immediate 24/7 eyes on glass.

While it’s still early days, the MDR service has already reduced the time between when a cyberattack occurs and when it’s detected for a priority one (or critical) case to within 15 minutes.

“Being able to receive meaningful alerts gives us a much greater level of end-to-end protection with cyber sovereignty,” says Johnston.

Maclennan says ParaFlare is proud to be partnering with BAC to protect an important part of Australia’s critical infrastructure.

Tags: Brisbane airportBrisbane Airport CorporationMicrosoft

The post Brisbane Airport Corporation scales up its security operations appeared first on CIO Tech Asia.

Tool used by Russia’s Federal Security Service

The Australian Cyber Security Centre has released a Joint Cybersecurity Advisory with its international partners on the Snake implant. The Snake implant is a sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service for long-term intelligence collection on sensitive targets.

The Australian Cyber Security Centre has identified Snake infrastructure in over 50 countries; its targeting is purposeful and tactical, designed to collect intelligence from high-priority targets, such as government networks, research facilities, and journalists.

This Cybersecurity Advisory provides background on Snake’s attribution and detailed descriptions of the implant’s host architecture and network communications.

The technical information and mitigation recommendations provided are designed to assist network defenders in detecting Snake and associated activity. The Snake implant is considered the most sophisticated cyber espionage tool developed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.

To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes that route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets.

Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We have identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical.

Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists.

As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents and other diplomatic communications from a victim in a North Atlantic Treaty Organization (NATO) country.

The FSB has victimised industries within the United States, including education, small businesses, media organisations, and critical infrastructure sectors, including government facilities, financial services, critical manufacturing, and communications.

This Cybersecurity Advisory (CSA) provides background on Snake’s attribution to the FSB and detailed technical descriptions of the implant’s host architecture and network communications. This CSA also addresses a recent Snake variant that has not yet been widely disclosed.

The technical information and mitigation recommendations in this CSA are provided to assist network defenders in detecting Snake and associated activity.

For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage. Introduction What is Snake? We consider Snake the most sophisticated cyber espionage tool in the FSB’s arsenal.

The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake’s internal technical architecture easily incorporates new or replacement components.

This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs, given its complexity.

Following open-source reporting by cybersecurity and threat intelligence companies on Snake tactics, techniques, and procedures (TTPs), the FSB implemented new techniques to evade detection. The modifications to the implant enhanced challenges in identifying and collecting Snake and related artifacts, directly hampering detection from both host- and network-based defensive tools.

The effectiveness of this type of cyber espionage implant depends entirely on its long-term stealth since the objective of an extended espionage operation involves remaining on the target for months or years to provide consistent access to important intelligence. The uniquely sophisticated aspects of Snake represent a significant effort by the FSB over many years to enable this type of covert access.

The FSB began developing Snake as “Uroburos” in late 2003. Development of the initial versions of the implant appeared to be completed around early 2004, with cyber operations first conducted using the implant shortly after that.

The name Uroburos is appropriate, as the FSB cycled it through nearly constant stages of upgrade and redevelopment, even after public disclosures, instead of abandoning it. The name appears throughout early versions of the code, and the FSB developers also left other unique strings, including “Ur0bUr()sGoTyOu#”, which have publicly returned to haunt them.

Unique features in early versions of Uroburos included a low-resolution image of a portion of a historical illustration of an Uroboros by the German philosopher and theologian Jakob Böhme. One approach to a tertiary backdoor used this image as the key. The same image had also been embedded in other Snake-related components. The image, blown up to a higher resolution, is shown right.

In addition, early FSB developers of the Snake implant left portions of unique code throughout the implant, which revealed inside jokes, personal interests, and taunts directed at security researchers. For instance, the “Ur0bUr()sGoTyOu#” string referenced above was replaced with “gLASs D1cK” in 2014 following some of the public cybersecurity reporting.

Snake operations have been attributed to an available unit within Center 16 of the FSB. This unit more broadly operates the numerous elements of the Turla2 toolset and has subunits spread throughout Russia reflecting historical KGB signals intelligence operations in the Soviet Union.

Snake has been a core component of this unit’s operations for almost as long as Center 16 has been part of the FSB.3 The extensive influence of Snake across the Turla toolset demonstrates its impact on practically every aspect of the unit’s modern era of cyber operations. Daily operations using Snake have been carried out from an FSB facility in Ryazan, Russia, with an increase in Snake activity during FSB working hours in Ryazan, approximately 7:00 AM to 8:00 PM, Moscow Standard Time (GMT+3).

The leading developers were Ryazan-based FSB officers known by monikers included in the code of some versions of Snake. In addition to developing Snake, Ryazan-based FSB officers used it to conduct worldwide operations; these operations differed from others launched from Moscow or other FSB sites based on infrastructure and techniques. While the development and re-tooling of Snake have historically been done by Ryazan-based FSB officers, Snake operations were also launched from an FSB Center 16-occupied building in Moscow.

According to the ACSC, the investigations have identified examples of FSB operators using Snake to their full potential and FSB operators who appeared unfamiliar with Snake’s more advanced capabilities. These observations illustrate the difficulty in using such an advanced toolset across the various geographically dispersed teams comprising this unit within FSB Center 16.

ACSC has been collectively investigating Snake and Snake-related tools for almost 20 years, and other operations by this unit since the 1990s. During that time, the FSB has used Snake in many different operations. They have demonstrated the value placed in this tool by making numerous adjustments and revisions to keep it viable after repeated public disclosures and other mitigations.

Snake’s code and multiple Snake-related tools have been either a starting point or a key influence factor for a diverse range of other highly prolific implants and operational tools in the Turla family. Most notably, this has included Carbon (aka Cobra)—derived from Snake’s code base—and the similarly Snake-adjacent implant Chinch (currently known in open sources as ComRAT).

ACSC has identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia. Although Snake leverages infrastructure across all industries, its targeting is purposeful and tactical. For instance, if an infected system did not respond to Snake communications, the FSB actors would strategically re-infect it within days.

Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents and other diplomatic communications from a victim in a NATO country.

Within the United States, the FSB has victimised industries, including education, small businesses, media organisations, and critical infrastructure sectors, including government facilities, financial services, critical manufacturing, and communications. Other Tools and TTPs Employed with Snake The FSB typically deploys Snake to external-facing infrastructure nodes on a network and, from there, uses other tools and TTPs on the internal network to conduct additional exploitation operations.

Upon gaining and cementing ingress into a target network, the FSB typically enumerates the network and works to obtain administrator credentials and access domain controllers. Various mechanisms have been employed to gather user and administrator credentials to expand laterally across the network, including keyloggers, network sniffers, and open-source tools.

Typically, after FSB operators map out a network and obtain administrator credentials for various domains in the network, regular collection operations begin. In most instances with Snake, further heavyweight implants are not deployed, and they rely on credentials and lightweight remote-access tools internally within a network. FSB operators sometimes deploy a small remote reverse shell and Snake to enable interactive operations.

This triggerable reverse shell, which the FSB has used for around 20 years, can be used as a backup access vector or to maintain a minimal presence in a network and avoid detection while moving laterally.

Snake Architecture Snake’s architectural design reflects professional software engineering practices. Critical pathways within the implant are stacks of loosely coupled components that implement well-designed interfaces. In addition to facilitating software development and debugging, this construction allows Snake to use multiple components for the same purpose, choosing the specific component based on environmental considerations.

For example, Snake’s custom network communications protocols function as a stack. All implementations use encryption and transport layers, such as Snake’s custom HTTP or raw TCP socket protocol. Each Snake network protocol stack layer solely implements a specified interface for operability with the two adjacent layers.

The encryption layer and underlying transport layer thus function independently, so any custom Snake network protocol can employ an encryption overlay without any change to the encryption layer code.[4] This modularity allows Snake operators to choose the most logical network transport for the given environment without affecting Snake’s other functionality.

When using a compromised HTTP server as part of the Snake P2P network, the operators can ensure that all traffic to this machine follows the Snake custom HTTP protocol and blends effectively with legitimate traffic.

In the context of a compromised machine that legitimately allows secure shell (SSH) connections, Snake can utilise its custom raw TCP socket protocol instead of its custom HTTP protocol. All other layers of the Snake protocol stack, from the immediately adjacent transport encryption layer to the distant command processing layer, can and do remain entirely agnostic to the transport layer as long as it implements its interface correctly.

This architecture also allows the Snake developers to easily substitute a new communications protocol when they believe one has been compromised without necessitating any downstream changes in the code base.

Lastly, this design facilitates the development of fully interoperable Snake implants running on different host operating systems. Snake’s technical sophistication extends from the software architecture to lower-level software implementation.

Original versions of Snake were developed as early as 2003 before many of the modern programming languages and frameworks that facilitate this type of modular development were available. Snake is written entirely in C, which provides significant advantages in low-level control and efficiency but does not provide direct support for objects or interfaces at the language level and provides no assistance with memory management.

The developers of Snake successfully implemented the implant’s complex design in C with very few bugs, including careful avoidance of the common pitfalls associated with null-terminated strings and the mixing of signed and unsigned integers. Additionally, the developers demonstrate an understanding of computer science principles throughout the implant’s implementation.

This includes selecting and correctly coding asymptotically optimal algorithms, designing and utilising efficient custom encoding methodologies that closely resemble common encoding schemes, and securely handling the numerous possible errors associated with systems-level programming. Capitalising on Mistakes Although the Snake implant is a highly sophisticated espionage tool, it does not escape human error.

A tool like Snake requires more familiarity and expertise to use correctly, and in several instances, Snake operators should have used it more effectively. Various mistakes in its development and operation provided us with a foothold into the inner workings of Snake. They were key factors in developing capabilities that have allowed for tracking Snake and manipulating its data.

The FSB used the OpenSSL library to handle its Diffie-Hellman key exchange. The Diffie-Hellman key set created by Snake during the key exchange needs to be longer to be secure. The FSB provided the function DH_generate_parameters with a prime length of only 128 bits, which is inadequate for asymmetric key systems.

Also, in some instances of what appeared to be rushed deployments of Snake, the operators should have stripped the Snake binary. This led to the discovery of numerous function names, cleartext strings, and developer comments, as seen in the following figure.

Tags: ACSCRussia

The post ACSC issues joint Advisory on Russian ‘Snake’ Cyber Espionage Tool” appeared first on CIO Tech Asia.

Success in aligning the I&O strategy with critical business outcomes is needed

Seventy-five percent of organizations will have implemented a data centre infrastructure sustainability program driven by cost optimization and stakeholder pressures by 2027, up from less than 5 per cent in 2022, according to Gartner, Inc.

“Responsibilities for sustainability are increasingly being passed down from CIOs to infrastructure and operations (I&O) leaders to improve IT’s environmental performance, particularly around data centres,” said Autumn Stanish, Senior Principal Analyst at Gartner. “This has led many down the path of greater spend and investment in environmental solutions, but environmental impact shouldn’t be the only focus. Sustainability can also have a significant positive impact on non-environmental factors, such as brand, innovation, resilience and attracting talent.”

According to a Gartner survey of 221 respondents from North America, Europe and APAC conducted in the second half of 2022, environmental performance of IT infrastructure is only one facet of a strong I&O sustainability strategy, with most sustainability benefits being indirect.

“Success in aligning the I&O strategy with critical business outcomes requires a more comprehensive approach that recognizes the indirect benefits that come with sustainable IT operations,” said Stanish. “This is true specifically for organizations in which IT is material to the business, such as financial services.”

According to the Gartner survey, the top three indirect benefits include:

Reduced Costs
The most effective action I&O leaders can take for the environment and their budget is to defer purchasing new equipment and better manage, optimize, or redeploy what they already have. According to Gartner, organizations can experience up to 60 per cent in cost savings by simply extending product life spans from three to five years. In addition, optimizing for better server utilization and storage capacity is another way to reduce waste and save money.

Innovation
Organizations are using sustainable strategies to drive innovation and growth through new products and business models. Technology hardware vendors are rapidly releasing new products and services based on AI technology, analytics insights and circular business models that can be leveraged for innovation. For example, open telemetry platforms may be deployed to track and improve energy efficiency, while simultaneously offering critical insights for IT staff to understand usage patterns that can be optimized for greater, more consistent performance of systems.

“The core focus of many enterprises with a sustainability strategy is actually around how they can use it to drive innovation, differentiation and growth through new products and business models,” Stanish said. “However, fewer than half of I&O leaders we speak to are currently taking advantage of the business benefits beyond reduced energy costs.”

Better Risk Management and Mitigation
In a market disrupted by price fluctuations and supply constraints, organizations can achieve greater resilience and better risk management and mitigation by adopting sustainable recycling and resource utilization practices. This includes organizations using renewable energy, generating their own power, and reusing and redeploying equipment as much as possible.

According to the Gartner survey, more than 85 per cent of business leaders agree that sustainability is an investment that protects the organization from disruption.

Tags: data centresGartner

The post Organisations are starting to implement data centre programs appeared first on CIO Tech Asia.

There is a danger in introducing additional regulation

Executive Summary

The AICD strongly supports Government and industry working together to ensure that Australia is a world leader in cyber security with citizens having confidence that our economy operates within a secure and trusted digital environment. A Government- industry partnership should focus on enhancing cyber resilience across the Australian economy with any new regulations being risk-based and developed with a strong appreciation of the potential compliance costs and impacts on innovation. There is a danger that introducing additional regulation, including at the board level, will result in a culture that prioritises being cyber compliant rather than cyber resilient.

Tags: AICDAustralia

The post 2023-2030 Australian cyber security strategy appeared first on CIO Tech Asia.

The EU is committed to ensuring that all European citizens and businesses are well protected

Today, the Commission has adopted a proposal for the EU Cyber Solidarity Act to strengthen cybersecurity capacities in the EU. It will support detection and awareness of cybersecurity threats and incidents, bolster preparedness of critical entities, as well as reinforce solidarity, concerted crisis management and response capabilities across Member States. The Cyber Solidarity Act establishes EU capabilities to make Europe more resilient and reactive in front of cyber threats, while strengthening existing cooperation mechanism.  It will contribute to ensuring a safe and secure digital landscape for citizens and businesses and to protecting critical entities and essential services, such as hospitals and public utilities.

The Commission has also presented a Cybersecurity Skills Academy, as part of the 2023 European Year of Skills, to ensure a more coordinated approach towards closing the cybersecurity talent gap, a prerequisite to boosting Europe’s resilience. The Academy will bring together various existing initiatives aimed at promoting cybersecurity skills and will make them available on an online platform, thereby increasing their visibility and boosting the number of skilled cybersecurity professionals in the EU.

Under the European Security Union, the EU is committed to ensuring that all European citizens and businesses are well protected, both online and offline, and to promoting an open, secure, and stable cyberspace. Yet, the increasing magnitude, frequency and impact of cybersecurity incidents represent a major threat to the functioning of network and information systems and to the European Single Market. Russia’s military aggression against Ukraine has further exacerbated this threat, along with the multiplicity of state-aligned, criminal and hacktivist actors involved in current geopolitical tensions.

Building on a strong strategic, policy and legislative framework that is already in place, the proposed EU Cyber Solidarity Act and the Cybersecurity Skills Academy will further contribute to enhancing detection of cyber threats, resilience, and preparedness at all levels of the EU’s cybersecurity ecosystem.

EU Cyber Solidarity Act

The EU Cyber Solidarity Act will strengthen solidarity at Union level to better detect, prepare for and respond to significant or large-scale cybersecurity incidents, by creating a European Cybersecurity Shield and a comprehensive Cyber Emergency Mechanism.

To detect major cyber threats quickly and effectively, the Commission proposes the establishment of a European Cyber Shield, which is a pan-European infrastructure of composed of national and cross-border Security Operations Centres (SOCs) across the EU. These are entities tasked with detecting and acting on cyber threats. They will use state-of-the-art technology, such as artificial intelligence (AI) and advanced data analytics, to detect and share timely warnings on cyber threats and incidents across borders. In turn, authorities and relevant entities will be able to respond more efficiently and effectively to major incidents.

These centres could be operational by early 2024. As a preparatory phase of the European Cyber Shield, in April 2023 the Commission has selected, under the Digital Europe Programme, three consortia of cross-border Security Operations Centres (SOC), bringing together public bodies from 17 Member States and Iceland.

The EU Cyber Solidarity Act also includes the creation of a Cyber Emergency Mechanism to increase preparedness and enhance incident response capabilities in the EU. It will support:

• Preparedness actions, including testing entities in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities, based on common risk scenarios and methodologies.
• Creating a new EU Cybersecurity Reserve consisting of incident response services from trusted providers pre-contracted and therefore ready to intervene, at the request of a Member State or Union Institutions, bodies, and agencies, in case of a significant or large-scale cybersecurity incident.
• Providing financial support for mutual assistance, where a Member State could offer support to another Member State.

Moreover, the proposed Regulation establishes the Cybersecurity Incident Review Mechanism to enhance Union resilience by reviewing and assessing significant or large-scale cybersecurity incidents after they have taken place, drawing lessons learned and where appropriate, issuing recommendations to improve Union’s cyber posture.

The total budget for all actions under the EU Cyber Solidarity Act is of EUR 1.1 billion, of which about 2/3 will be financed by the EU through the Digital Europe Programme.

EU Cybersecurity Skills Academy

The EU Cybersecurity Skills Academy will bring together private and public initiatives aimed at boosting cybersecurity skills at European and national levels, making them more visible and helping to close the cybersecurity talent gap of cybersecurity professionals.

The Academy will initially be hosted online on the Commission’s Digital Skills and Jobs platform. Citizens interested in pursuing a career in cybersecurity will be able to find training and certifications from across the EU in a single place online. Stakeholders will also be able to pledge their support to improve cybersecurity skills in the EU by initiating specific actions, such as to offering cybersecurity trainings and certifications.

The Academy will evolve to include a common space for academia, training providers and industry helping them to coordinate education programmes, trainings, funding, and monitor the evolution of the cybersecurity job market.

Certification Schemes for Managed Security Services

The Commission has also proposed today a targeted amendment to the Cybersecurity Act, to enable the future adoption of European certification schemes for ‘managed security services. These are highly critical and sensitive services provided by cybersecurity service providers, such as incident response, penetration testing, security audits and consultancy, to assist companies and other organisations prevent, detect, respond, or recover from cyber incidents.

Certification is key and can play an important role in the context of the EU Cybersecurity Reserve and the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), facilitating also the cross-border provision of these services.

Next Steps

The European Parliament and the Council will now examine the proposed Regulation on the EU Cyber Solidarity Act, as well as the targeted amendment to the Cybersecurity Act.

The European Cybersecurity Competence Centre will organise a joint procurement of tools and infrastructures with the selected cross-border Security Operations Centres to build cyber detection capabilities.

The EU Cybersecurity Agency (ENISA) and the European Cybersecurity Competence Centre will continue working on cybersecurity skills, contributing to the implementation of the Cybersecurity Skills Academy, in line with their respective mandates, and in close cooperation with the Commission and the Member States.

The Commission proposes that the Academy takes the shape of a European digital infrastructure consortium (EDIC), a new legal framework to implement multi-country projects. This possibility will now be discussed with Member States.

It is also necessary to ensure that professionals undertake required quality trainings. In this regard, ENISA will develop a pilot project, exploring the set-up of a European attestation scheme for cybersecurity skills.

Tags: EU Cyber Solidarity ActEuropa

The post Towards stronger EU capabilities appeared first on CIO Tech Asia.

Optus has also accused of breaching contractual obligations to customers

Leading class action law firm Slater and Gordon has issued proceedings against Optus on behalf of current and former customers whose personal information – including key identity documents – were compromised in the September data breach.

The statement of claim, lodged in the Federal Court, accuses Optus of breaching privacy, telecommunication, and consumer laws as well as the company’s internal policies by:

• failing to protect or take reasonable steps to protect customers’ personal information from unauthorised access or disclosure
• failing to destroy or de-identify former customers’ personal information, and
• failing to ensure that only those who had a legitimate reason for having access to customers’ personal information could access it.

Optus has also been accused in the class action of breaching contractual obligations to customers along with its duty of care to ensure customers did not suffer harm arising from the unauthorised access or disclosure of their personal information. It is claimed such harm was reasonably foreseeable if customer data was compromised.

Group members are seeking compensation for losses the data breach caused, including time and money spent replacing identity documents in addition to other measures to protect their privacy and prevent the increased likelihood of them falling victim to scams and identity theft. They are also seeking damages for non-economic losses such as distress, frustration, and disappointment.

Optus announced on 22 September last year that the personal information of up to 10 million of its current and former customers had been compromised in a cyberattack. The telco revealed that information including customer names, dates of birth, phone numbers and email addresses were accessed by, and/or disclosed to, an unknown number of unauthorised persons. For a subset of customers, their addresses, ID document numbers such as driver’s license, Medicare cards and/or passport numbers had also been compromised. The personal information of more than 10,000 customers was subsequently published online when ransom demands were made.

Slater and Gordon Class Actions Practice Group Leader Ben Hardwick described what occurred as “an extremely serious privacy breach both in terms of the number of people affected and the nature of the information that was compromised.

“Very real risks were created by the disclosure of this private information that Optus customers had every right to believe was securely protected by their telecommunications and internet provider,” Hardwick said.

“The type of information made accessible put affected customers at a higher risk of being scammed and having their identities stolen, and Optus should have had adequate measures in place to prevent that.

“Concerningly, the data breach has also potentially jeopardised the safety of a large number of particularly vulnerable groups of Optus customers, such as victims of domestic violence, stalking and other crimes, as well as those working in frontline occupations including the defence force and policing.”

He said more than 100,000 of Optus’s current and former customers had so far registered for the class action. Amongst that group were:

• a domestic violence victim who spent money that was intended for counselling for her children on increasing security measures around the house, including installing video cameras and extra locks on doors and windows
• a former Optus customer who had previously been burgled and had his identity stolen who now suffers severe anxiety after learning his personal information had been shared online
• a stalking victim who takes extreme measure to maintain her privacy, especially her address, who fears her life has genuinely been put in danger by the data breach
• a woman who is now too fearful to answer the telephone after noticing an increase in scam phone calls following the Optus cyberattack, and
• a retired police officer concerned that his home address may have been shared with criminals he was involved in the prosecution and incarceration of.

The lead applicant, who does not want his name disclosed out of fear he will be targeted by other cyber criminals or scammers, said that he had been left feeling “vulnerable, exposed and worried” after learning his personal information had been compromised.

“Not knowing what still might happen as a result of having my information accessed and by whom haunts me,” the Victorian man said.

“I had to make a lot of calls and do a lot of running around in the aftermath of this breach to make sure my bank account and other accounts hadn’t been compromised, and I noticed I was being targeted by phishing and other scams a lot more frequently.

“It feels like only a matter of time before I get scammed or defrauded, which is a constant worry that I didn’t have before I was let down by Optus. I would have thought that as big a company as Optus is, there would have much better data security in place than what it turns out they had, which is pretty concerning.”

The second lead applicant, who also does not want to be named to prevent further privacy or data security compromises, was one of the many thousands of affected Optus customers whose ID documents had to be subsequently replaced.

“It was incredibly stressful trying to get answers from Optus about what information had been exposed and then taking action to rectify the damage so I could try to stop anything else from happening,” the Queensland woman said.

“I spent a lot of time changing passwords to all my accounts, have been constantly checking that money hasn’t been stolen, and making sure I’ve done everything I can to protect myself. One of the worst aspects of all this was the fact that I had no control over what had happened, so it’s been overwhelming.”

Hardwick said many of the affected customers had expressed frustration about Optus’s delays in providing detailed information about the privacy breach, and inconsistencies with how the telco was treating one affected customer to the next.

“Some registrants have told us they were fobbed off when they sought information from Optus about exactly what data had been exposed, and others have informed us that Optus refused to pay for credit monitoring services on the basis they were no longer Optus customers,” he said.

“There appears to have been a piecemeal response from Optus, rather than a coordinated approach that made sure everyone whose data was compromised is treated the same.

“Any suggestion that affected customers have not suffered as a result of this data breach is like rubbing salt into the wounds of those who have lived it and are continuing to deal with the fallout,” he said.

Slater and Gordon has experience running group proceedings in relation to data privacy breaches. The firm continues to act for more than 1,000 refugees who succeeded in a landmark representative data breach complaint against the Australian government after their personal information was released online in 2014.

Tags: OptusSlater & Gordon

The post Slater and Gordon commences class action against Optus appeared first on CIO Tech Asia.

The adoption of public cloud services has risen steadily since the pandemic started

A new whitepaper from International Data Corporation (IDC) commissioned by Microsoft predicts that by 2026, public cloud adoption will generate billions of dollars in new revenue for organisations within the cloud technology ecosystem in Australia and New Zealand. That includes organisations implementing public cloud technology – that is, customers – as well as suppliers of the hardware, software and services that enable its delivery.

The IDC Whitepaper, commissioned by Microsoft, titled Public Cloud Services Opportunities and Dividends to the Australian and New Zealand Economies, Doc #AP15023X, November 2022 finds that the adoption of public cloud services has risen steadily since the pandemic started, with organisations seeking to increase their capabilities and optimise costs. IDC says this trend is set to accelerate as organisations embrace public cloud as the go-to platform for digital transformation.

According to the whitepaper,

• public cloud spending in Australia is set to increase by 83 per cent from $US12.2 billion in 2022 to $US22.4 billion in 2026
• public cloud spending in New Zealand is expected to nearly double in the same period from $US2.6 billion to $US5.1 billion
• public cloud adoption in Australia will generate $US123.7 billion in revenue across the nation’s cloud customer and supplier ecosystems in 2022 (equivalent to more than 5 per cent of GDP)
• public cloud adoption in New Zealand will generate $US23.9 billion across the nation’s cloud customer and supplier ecosystems in 2022 (equivalent to almost 6 per cent of GDP)
• public cloud deployments will generate cumulative new revenue of more than $US114 billion in Australia and $US21 billion in New Zealand for cloud customer and supplier ecosystems by 2026.

“Investment in cloud computing services also drives revenue growth for organisations that make up the supplier ecosystem. These include systems integrators, software providers and professional services providers,” adds Lai.

The whitepaper also finds that public cloud adoption and adjacent areas such as security, data mining or analytics will create 596,750 jobs in Australia and 134,000 in New Zealand. Approximately 20 per cent of these jobs will require specific technical and IT-related digital skills.

With demand for digital skills already high and getting higher, organisations should be investing in upskilling their existing workforce to build the necessary cloud knowledge and capabilities. The whitepaper notes that managing cloud environments requires specialised capabilities and that the availability of these skills has not been able to keep up with demand.

This is a key hindrance for organisations on their cloud adoption journey. In fact, the whitepaper finds that a shortage of people with relevant skills is one of the top 10 governance-related roadblocks for Australian and New Zealand businesses seeking to take full advantage of the cloud.

Furthermore, the whitepaper says organisations with existing cloud migration strategies will continue to adopt public cloud services pre-emptively to drive business efficiency, while those without strategies in place will be forced to adapt to cloud reactively.
“It’s clear that the strong demand for public cloud services in Australia and New Zealand shows no signs of slowing, as organisations continue to transform their business operations, accelerate the pace of innovation and capitalise on technologies such as AI and data analytics,” says Steven Worrall, Managing Director at Microsoft ANZ. “Cloud technology will also help organisations remain resilient in today’s challenging economic environment by enabling them to simplify their IT systems and processes, reduce costs and minimise risks.

We’re also excited to be adding significant new Generative AI capabilities, including copilot productivity functionality across our Microsoft 365, Dynamics 365, Security, and Teams platforms, and bringing Enterprise Azure OpenAI services to the cloud. These will enable customers and developers to unlock further productivity and innovation from their investments in Microsoft Cloud, while also leveraging our commitment to responsibility and trust in this new area of technology.”

International Data Corporation is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets.

Tags: IDCMicrosoftWhitepaper

The post Public cloud adoption set to surge in ANZ appeared first on CIO Tech Asia.

The joint guide provides an overview of risks to smart cities

The U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Federal Bureau of Investigation, the United Kingdom National Cyber Security Centre, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, and the New Zealand National Cyber Security Centre released today a joint guide: Cybersecurity Best Practices for Smart Cities.

Integrating public services into a connected environment can increase the efficiency and resilience of the infrastructure that supports day-to-day life in our communities. However, communities considering becoming “smart cities” should thoroughly assess and mitigate the cybersecurity risk that comes with this integration. This guide is intended to help communities navigate through this complex and important work.

The joint guide provides an overview of risks to smart cities, including expanded and interconnected attack surfaces; information and communications technologies (ICT) supply chain risks; and increasing automation of infrastructure operations. To protect against these risks, the government partners offer three recommendations to help communities strengthen their cyber posture: secure planning and design, proactive supply chain risk management, and operational resilience.

• Strategies for secure planning and design include enforcing multifactor authentication, implementing zero trust architecture, protecting internet-facing services, and patching systems and applications in a timely manner.
• Proactive supply chain risk management recommendations include setting clear requirements for software, hardware, and Internet-of-Things (IoT) supply chains, and carefully reviewing agreements with third-party vendors, such as managed service providers and cloud service providers.
• In the event of a compromise, operational resilience strategies, such as workforce training and incident response and recovery plans, can prepare organizations to isolate affected systems and operate infrastructure with as little disruption as possible.

“Today’s joint guide is a continuing example of the strong collaboration CISA has with our partners in the U.S. and around the globe to provide timely and useful cyber risk management guidance,” said CISA Director Jen Easterly. “The cybersecurity best practices outlined here are designed to help evolving connected communities better protect their infrastructure and sensitive data.”

“As our communities and public services increase their digital connectivity, it’s imperative that we balance new technological integration with good cyber security. The Canadian Centre for Cyber Security is happy to join our international partners to provide recommendations and best practices to help protect smart city technology. Together we can ensure that our communities are safely connected and prepared for any risks that lie ahead,” said Sami Khoury, Head of the Canadian Centre for Cyber Security.

“Connected places have the potential to make everyday life safer and more resilient for citizens; however, it’s vital the benefits are balanced in a way which safeguards security and data privacy,” said Lindy Cameron, NCSC-UK CEO. “Our new joint guidance will help communities manage the risks involved when integrating connected technologies into their infrastructure and take action to protect systems and data from online threats.”

“Smart city technologies provide opportunities for more innovative and sustainable communities, but they also broaden the attack surface and risks to our security and critical infrastructure,” said Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre. “This guidance helps forward-thinking communities to securely integrate new technologies into existing infrastructure, ensuring the resilience and protection of the data, systems and interconnected infrastructure we need for our daily lives and business.”

“The digital transformation of infrastructure can improve daily life, but increased connectivity may also expand attack surfaces and introduce new risks. No technology solution is completely secure. This guidance is a useful resource for organisations and communities seeking to balance innovation with cyber security,” said Lisa Fong, NCSC-NZ Deputy Director-General.

Tags: CISASmart cities

The post Best cybersecurity practices for smart cities appeared first on CIO Tech Asia.

The ACCC has focused on data holders’ compliance

Executive summary

The Consumer Data Right (CDR) improves consumer choice, control, and convenience by enabling access to data organisations hold about consumers and products. For the CDR to be effective it is critical that CDR data is good quality. This includes product reference data as well as consumer data.

The CDR regime requires data holders to take reasonable steps to ensure the data they disclose through the CDR is correct.

In the period since the CDR commenced, the ACCC has focused on data holders’ compliance with their data sharing obligations, including in relation to the quality of CDR data. This includes publishing guidance, monitoring obligations to make product reference data available, managing technical incidents between participants, and investigating complaints about data quality.

In overseeing these matters, it should be noted that the ACCC cannot view consumer data directly. Concerns about consumer data quality are therefore typically brought to our attention through reports from participants.

As CDR uptake grows, the impact of data quality issues becomes increasingly important. In October 2022, the ACCC published a discussion paper on CDR data quality compliance. In addition, we held bilateral meetings with various stakeholders. The engagement was constructive with feedback provided on the extent, including frequency and impact, of data quality issues.

This paper outlines the ACCC’s findings from the consultation process and actions we intend to take to address the issues raised. The key findings include:

1. The quality of consumer data is generally sufficient to support the delivery of CDR products and services, although improvements are required.
2. There are significant shortcomings in the quality of product reference data.
3. Data recipients and users of product reference data have raised concerns over the responsiveness of data holders when data quality issues have been raised with them.
4. There is scope to clarify the nature of data quality obligations to ensure a better understanding of expectations around appropriate data quality. 5. Regulators should be prepared to take a stronger regulatory approach to improve data quality.

Through the consultation process, it is apparent that there are a number of factors that impact CDR data quality, and there is no single solution to improving it. Issues raised include:

• Data quality is a multi-faceted concept, with data quality relevant to a range of obligations in the CDR framework. Good quality data can be relied on to deliver useful CDR products and services to consumers when the data is accurate, up-to-date, complete, and in the required format.
• Different data quality issues will require different regulatory – and possibly policy – responses. In some cases, compliance or enforcement action is appropriate, while in 5 other instances, further guidance or amendments to rules or standards can improve data quality. The current quality of product reference data is of particular concern. It appears to be the key factor hindering the use of product data for comparison services.
• The sharing of consumer data is currently supporting CDR services that are providing value to consumers. However, consumer data quality issues do arise and can impact the delivery of some services. The extent of impact depends on the use case and the nature of the issue.
• For some accredited data recipients, consumer data quality is not a primary concern. However, others have indicated that inadequate data quality may be inhibiting new products and services from being developed. Complexity in data holder systems (for example, the interaction of legacy and new systems) further increases the challenge of implementing CDR obligations. Implementing new CDR functionality ahead of addressing operational issues as they arise can affect the time it takes to resolve data quality issues.
• Complexity in data holder systems (for example, the interaction of legacy and new systems) further increases the challenge of implementing CDR obligations. Implementing new CDR functionality ahead of addressing operational issues as they arise can affect the time it takes to resolve data quality issues.
• Many data recipients and product data users find that once they raise data quality issues with data holders, they frequently encounter difficulties receiving a satisfactory response and resolution to concerns raised.

Recognising the importance of the issue, the ACCC and the Office of the Australian Information Commissioner (OAIC) are treating data quality as a priority area for compliance and enforcement activities.

CDR participants must comply with their obligations. In particular, the ACCC expects data holders to regularly review the efficacy of their CDR solutions and address any outstanding data quality incidents as a priority. In the short term, the ACCC’s CDR compliance and enforcement efforts will be focussed on regulatory action for data quality issues involving:

• the provision of incorrect interest rates
• missing data
• the use of free text fields where a relevant structured field exists
• data that is not commensurate with what a consumer can otherwise see in their online or mobile banking channels.

There is no single solution for improving data quality in the CDR.

Instead, the necessary response will need to encompass a combination of:

• clear regulatory obligations
• effective guidance
• constructive stakeholder engagement
• strong regulatory action
• an improved culture of compliance among participants

Tags: ACCCCDR

The post ACCC set to increase consumer data rights appeared first on CIO Tech Asia.