Professional Documents
Culture Documents
Cybersecurity
Threats
Challenges
Opportunities
It is only when
they go wrong
that machines
remind you
how powerful
they are. Clive James
01 03
Foreward 1
Executive summary 4
Threats in the
information age 13
The nature of threats 14
02
The Internet of Things (IoT) 16
Botnet armies 17
When security is an afterthought 18
Autonomous systems 19
Driverless cars and transport 19
ATMs and Point of Sale 21
What about wearables? 22
Cyberwarfare 24
A brave new world 5 Automated attacks 24
Cyber speak! 6 Energetic Bear 24
What is cybersecurity? 7 Cyberattacks on infrastructure 26
And the weakest link is 9 When software kills 28
05
The data-driven economy 38
Technology as wealth creation 39
Cybersecurity as job growth 39
Leveraging technology talent 39
Challenges 40
Leadership 40
Learning from history 40
Collaboration 41
Education and awareness 41
You are what you do 43
Looking to the road ahead 45
State of the nation 46
Legal and regulatory 43
What role can you play? 47
Services and privacy 43
Government 47
Perception and practicality 44
Education and research 50
Business and industry 50
You, the individual 50
The five pillars of cybersecurity readiness 51
Online resources 52
Through the looking glass 53
Fast facts 55
Glossary 57
References 59
01
but this is only true if we can protect
it from being hacked, manipulated, Anthony Wong
and controlled. President, ACS
SECURING
AUSTRALIAS FUTURE
At ACS we are passionate about the services to identify and certify Nations in New York, where the
ICT profession being recognised as ICT professionals you can trust, importance of ICT professionalism
a driver of productivity, innovation including through the Professional was acknowledged by the UN
and business able to deliver real, Standards Scheme that assures General Assembly President in 2015.
tangible outcomes. professionals have the specialist
In May 2016 the President of
skills business can rely upon.
This year ACS celebrates 50 years IFIP participated in the European
of advancing ICT in Australia. Our ACS is part of the global federation Foresight Cyber Security
founders and pioneers worked of professional ICT societies, Meeting where he advocated
on the first innovative computers the International Federation for that professionalism of the ICT
in government, academia and Information Processing (IFIP), workforce is a key element in
industry, and our members now and the first professional body to building trustworthy and reliable
work at the coalface of technology receive accreditation under the systems and that it is important
development across every industry. International Professional Practice to ensure that cyber security
Partnership (IP3) providing a and cyber resilience is also a
In 2011, ACS brought together its
platform for accreditation for duty of care of the individual
own Cyber Taskforce from our
ICT professionals and mutual ICT professional.
23,000 members to respond to the
recognition across international
Federal Governments new cyber As we move forward another
boundaries. The ACS currently
discussion paper, Connecting with 50 years, ACS will be there
chairs IP3 and plays a leading
Confidence, where we highlighted at the forefront meeting the
role in the professionalism of the
the need to develop co-ordination challenges and opportunities
ICT workforce.
and a focus on the pipeline of of ICT, and supporting the
cyber professionals. IP3 has since gained global growth and potential of ICT
attention after successful professionals in Australia.
To play our part in securing
engagements at the World Summit
Australias future, we continue
on the Information Society (WSIS)
to perform the role of trusted
Forum in Geneva and the United
advisor to government, and deliver
02
CYBER SPEAK!
Every industry has its own lexicon,
and the cyber world is no different.
While built on technological
foundations that we all know
computers, the internet,
smartphones, and similar as you
delve deeper into the subject you
start to encounter acronyms and
technical concepts that you may
not be familiar with.
And, if were all to communicate
on the subject of cybersecurity
across all sectors of government,
business, industry, and academia
then it can help to familiarise
yourself with the nomenclature
associated with this diverse and
compelling subject.
To this end weve included a
Glossary on page 57. Feel free
to flick back and forth as you read
to ensure you get the most out this
document, spending more time
expanding your knowledge and
less time scratching your head!
And so it follows that in order to individual; at other times it can cause billion1 globally in the next seven
keep our way of life and to continue significant financial or operational years alone and the possibility
to prosper through technology we harm. At its worst, loss of life can be for Australia to establish itself as a
must ensure that it always operates a result. leader, pioneering new technologies
and works for us as intended. and exporting cybersecurity products
Cybersecurity, then, is not optional.
to the rest of the world.
And for the most part it does, until As our world transitions more
its hacked. In the hands of less than products and services online, and We are more than just the lucky
favourable individuals, organisations, we in turn depend on them, protecting country. We are early adopters. We
and governments, technology and this technological infrastructure has are tenacious innovators. We are a
the data it depends on can be turned become a fundamental building block nation with the skills and talent to
against us. for information systems globally. lead the world in cybersecurity
It must underpin every technology, and with the right mix of leadership
When you read yet another report
every gadget, every application, and and commitment from government,
of a multimillion-dollar bank theft,
anywhere data is stored. industry, and academia, we can make
yet another million usernames and
it happen.
passwords leaked on the web, or To help understand the risks, this
yet another scam milking millions document will explore the threats What part will you play?
from vulnerable people what you Australia faces in this digital age:
are reading about is the lack of to our economy, our sovereignty,
cybersecurity: a failure to protect and ultimately, our way of life.
systems, processes, or data and
It will also cover the opportunities
thereby enabling exploitation.
as a burgeoning industry one that
Sometimes the end result is just an
is projected to be worth $US639
embarrassment for a company or
02
of the worlds population2), the
THREAT VECTORS BY INDUSTRY
The vectors by which industries are compromised.
Source: Verizon 2015 Data Breach Investigations Report
FINANCE
INFORMATION
PUBLIC SECTOR
EDUCATIONAL WEB
FINANCE APPLICATIONS RETAIL
9.4%
ENTERTAINMENT
HOSPITALITY
CRIMEWARE
POINT OF SALE
18.8% 28.5% MISCELLANEOUS
14.7%
PRIVILEGE
MISUSE
CYBER
ESPIONAGE
10.6% MINING
18% HEALTHCARE
ADMINISTRATIVE
PROFESSIONAL
INFORMATION
MANUFACTURING
WHATS THE
PASSWORD?
63%
OF BREACHES ARE
CAUSED BY WEAK,
DEFAULT, OR STOLEN
PASSWORDS
MANUFACTURING 27.4%
PUBLIC 20.2%
PROFESSIONAL 13.3%
INFORMATION 6.2%
UTILITIES 3.9%
TRANSPORTATION 1.8%
EDUCATIONAL 1.7%
REAL ESTATE 1.3%
FINANCIAL SERVICES 0.8%
HEALTHCARE 0.7%
02
and how to recognise them
give up login details over the phone
something which comes under the
by someone pretending to be from
umbrella of digital literacy.
the IT department.
Cybersecurity Threats Challenges Opportunities 10
A world without
cybersecurity
93% WHILE One the most damaging targets for a society embroiled
COMPANIES
OF CASES TOOK in cyberwarfare is infrastructure.
HACKERS WEEKS
TOOK JUST
OR MONTHS TO
MINUTES DISCOVER Our reliance on automation focuses single points
TO BREACH
of failure that can have dramatic consequences if
directed at power stations, communication networks,
SHOW
ME THE 95% transport and other utilities.
MONEY OF WEB
ATTACKS By way of example, and to draw terrorist, criminal, or foreign power.
ARE FINACIALLY from the emerging technology of Australia invaded without the invader
MOTIVATED
driverless cars gaining popularity ever stepping on our shores.
now, is the following example of
Its a stark example, but it
EMPLOYEE LOST ASSETS what might happen if we continue to
demonstrates the Achilles heel the
MISTAKES
100x
TIMES MORE
create products and services without
cybersecurity in mind:
inter-connected society that we are
heading for right now, and the reason
PREVALENT Thirty years from now our society cybersecurity must be part of all
THAN THEFT
runs on automated cars, buses and technology from the outset.
trains. Planes still require human
Consider this: the internet has
NEARLY 12% DO authority for now and drones
enabled entirely new business
CLICK
30% THE LINK OR
line the sky. On the one hand, this
advance in technology has brought
models that have already shaped
our planet. But the Googles and
OPEN
PHISHING
OPEN much greater efficiency: traffic
ATTACHED Facebooks and Amazons of this
EMAILS FILES jams eliminated, pollution lowered,
world are not the most profitable
cheaper cost of transport and more.
organisations that conduct business
Its a golden age.
SIMPLE MISTAKES, COSTLY LOSSES over the internet today that crown
Source: Verizon 2016 Data Breach Then a cyberattack compromises the belongs to cybercrime. It speaks
Investigations Report central network. The systems that volumes that the most lucrative
co-ordinate all transport shut down, business on the internet today
bringing the city of Sydney now is fraud.9
7 million people to an abrupt halt.
No cars, no buses, no trains.
Workers cant get to and from work,
and productivity stops. Life-saving
medicine doesnt arrive and people
die. Essential services begin to fail,
and chaos ensues. The economic and
social fallout is immense: a city held
hostage by an external force be it
02
Q2 2015 saw one of the
highest packet rate
attacks recorded... which
peaked at 214 million
packets per second (Mpps).
That volume is capable
of taking out Tier 1
routers, such as those
used by Internet service
providers (ISPs).
CHINA 37.01%
US 17.88%
UK 10.21%
INDIA 7.43
SPAIN 6.03%
KOREA 4.53%
GERMANY 4.29%
AUSTRALIA 4.18%
TAIWAN 4.0%
Derek Manky,
Fortinet Global Security Strategist5
03
500
500,000 ATTACKS
AGAINST FORTINET
EVERY MINUTE
03
individual, the following section
computers and network).
delves into our predictions of where
cybercrime is heading, and the type
of attacks we can expect to see.
The Internet of
Things (IoT)
Perhaps the most recognised buzzword of the
For $6 in Bitcoin, I can
moment, the Internet of Things (IoT) encompasses
rent time on a DDoS tool
and bring down most
the many and varied devices currently on the market,
websites. Better yet, if I or soon to be on the market, that will connect to and
send just the right type stay connected to the internet 24/7.
of packet to their web Typically this includes products like But this is just the beginning. IoT
servers, I can crash the webcams, smart TVs, and even the has the potential to encompass a lot
site for free. much touted internet-connected more heart monitoring implants,
fridges. But IoT actually encompasses pathogen monitoring for food,
A Thiefs Perspective (interview), a broad range of products most of transponders for animals on farms,
Intel Security, 201518 which you wont actually see environmental waste monitoring,
electronics, sensors, actuators field devices for police to detect
and software soon to be built into threats, feedback sensors for
everything from your car to your home: firefighters in search and rescue
technology to unlock your door and and much, much more.
turn on the lights when you arrive
Perhaps the best way to imagine
home; technology to allow cars to
IoT is and to borrow a phrase
talk to other cars and traffic lights
from a research paper at the Social
to prevent accidents; technology to
Science Research Network is
let entire cities regulate air-quality,
to think of IoT as an inextricable
manage energy distribution, and
mixture of hardware, software, data
regulate water supply all in real-time
and service11. Which of course is
from thousands of buildings, each with
to say that the potential is close to
thousands of sensors, all communi-
limitless.
cating through a city-wide network.
According to the CEO of Cisco, Chuck
Sound like fantasy? There is already a
Robbins, the IoT industry is expected
development in the UK by River Clyde
to be worth $US19 trillion globally
Homes and the Hypercat Consortium
by 202012. Closer to home, Frost &
to build a Smart Neighbourhood in
Sullivan is tipping the Australian
Scotland by installing hundreds of
market for IoT just in terms of
IoT devices to monitor everything
home devices, such as in security or
from temperature and local weather
energy management to be worth
through to carbon monoxide levels,
$200M by 2020.13
potential gas leaks, lift maintenance,
smoke detection and communal Taken together, this means is that in
lighting to name a few. All of these the near future just about everything
talk to each other to provide an you use, and everywhere you go,
overall real-time knowledge base devices will be hooked up to each
for the operating of neighbourhood other communicating, sharing data,
services, and to minimise health and and enabling a future that once
safety risks. was the realm of science-fiction.
The potential boon for society is
immense, but so too are the risks.
99% 1T
20x 40x 60x
OF THINGS IN THE COST OF COST OF COST OF 1 TRILLION
WORLD ARE STILL SENSORS BANDWIDTH PROCESSING CONNECTED
NOT CONNECTED PAST 10 YEARS PAST 10 YEARS PAST 10 YEARS THINGS BY 2035
Considerably more devices will be Botnet armies the Googles and Akamais of this world
connected to each other and the are able to withstand.
Somewhat related are botnets. A bot
internet: Intel predicts there will be as
(sometimes called a zombie) is a Analysis of the attack on OVH revealed
many as 200 billion devices by 2020.14
remotely-controlled and compromised it consisted of some 145,000 devices,
And if you remember our primer at unbeknownst to the owner computing the majority of which belonged to
the start of this document, that is device thats connected to the internet. internet-connected CCTV cameras
one very large, very vulnerable attack This could be a desktop computer or a and DVRs (digital video recorders)
surface. It should go without saying laptop, but it can also be a webcam, typically used in business and home
that the threat potential from IoT is a modem, or a Wi-Fi router, all of surveillance.
beyond vast, and therefore which almost everyone has in their
Such products make ideal bots because
cybersecurity practices must form home today. Unfortunately, again, poor
their limited functionality provides less
part of IoT development from the security design sees devices like
scope for security software; theyre
ground up. For example, car manufac- these come with only basic security
often headless, meaning a user doesnt
turers need to build security protocols that can be easily bypassed, allowing
have a display or other means to
into the sensors in smart cars to cybercriminals to install malware and
interact with them to monitor activity.
ensure they cant be turned against control the device remotely.
They almost always come with a
the driver to cause injury or death.
Collect enough bots and you have default administrator password that
Something which, unfortunately, is
a botnet, and with a botnet you can nobody changes because it requires
currently not the case (see next
launch a distributed denial-of-service effort and a bit of technical know-how
section, Autonomous systems).
(DDoS) attack. In large enough allowing cybercriminals to walk
numbers, such an attack can take through the front door and take it over.
down websites and knock services
This is a great example of how lack of
offline something we saw first-hand
Although a successful earlier this year when the Australian
security design enables cybercrime
attack on industrial IoT who would think to hack a CCTV?
Bureau of Statistics eCensus website
But thats the line of thinking that
devices with an installed was very publicly attacked.
engenders security flaws. And once a
base of hundreds of This is to say nothing of what happens flaw is out there, it often cant be fixed:
millions would likely when IoT devices take part in a DDoS, the cost of updating the devices could
which we know they already do. In fact, be ruinous for a company if they need
cause havoc, one device
the worlds largest DDoS occurred in to be recalled, as not every device sup-
at a key point in a critical August of this year knocking out French ports the ability to be updated remotely.
infrastructure control internet service provider OVH, suffering
Prevention, then, is better than cure.
system could be far more an attack that transmitted a record-
breaking 1Tbps17. To put this into Recently, cybercriminal botnet
devastating.
perspective, a 1Gbps attack is sufficient operators have moved to self-
to knock most businesses anywhere in sustaining botnets that continually
McAfee Labs 2016
Threats Predictions15
the world offline, and this attack was find new devices to infect and add to
1000 times stronger. It was only earlier the flock, even while others may
in 2016 that the previous record came be taken offline16. This has led to
in at 579GBps. That is, we have already cybercriminals to sub-lease access to
03
seen almost a doubling of capability their botnets on the cheap, meaning
in less than a year, and at a volume so anyone with a grudge and $50 can
high that very few very large players bring down a website.
TABLETS WEARABLE DEVICES
2015 248 MILLION 2019 269 MILLION 2015 200 MILLION 2019 780 MILLION
2015 15 BILLION 2020 200 BILLION 2015 $97 BILLION 2020 $159 BILLION
WHEN SECURITY IS
AN AFTERTHOUGHT
One of the most potent botnets and passwords (usually all related
to date is Lizardstresser, by the to administrator logins).
infamous Lizard Squad DDoS
Its so successful because many
group. In 2015 the group released
IoT devices are manufactured with
the source code, allowing others to
the same default login credentials.
make their own. This has resulted
Additionally, these same devices
in copy-cat groups and a stark
are also often simply plugged in
increase in botnets-for-hire.
and turned on, and have unfettered
Lizardstresser relies on cheap access to the internet through
IoT hardware to build large botnet whatever corporate or home
armies, using shell scripts (simple networks they are connected to.
text-based scripted programs) This makes them easy targets
to scan IP ranges and to attempt to enslave into botnets.19
access using hardcoded usernames
Autonomous
systems
As technology continues to permeate our lives, we
move from operating technology to integrating with
it. This is especially true of autonomous systems
that are by definition designed to blend in with our
society, becoming second nature.
By the same token however, Similar abuse of access has also
reliance on such systems makes the been demonstrated with cars from
outcome of their abuse potentially Mercedes, BMW, Toyota, Audi and
more damaging. Typically, these Fiat all due to poor security in the
technologies also integrate into design process.20 21 22
critical infrastructure, such as
Its not hard to see that in the wrong
payment systems and in the case
hands such abuse could result in
of autonomous cars the transport
cars being used as weapons to maim
network, making protecting them
or kill pedestrians or even the
from a cybercrime a pivotal focus for
occupants themselves on the road.
cybersecurity.
According to Business Insider in its
Connected-Car Report, there will be
Driverless cars and transport 220 million autonomous cars on the
At the moment, driverless cars are road by 2020.23
stealing the limelight of autonomous
McAfees 2016 Threats Predictions
systems. While so far there have
Report notes that poorly secured
been no documented cases of
driverless cars and smart highways
wilful misuse, its already been
will further expose drivers and
demonstrated that autonomous cars
passengers in 2017 and beyond,
can be remotely controlled.
likely resulting in lost lives, and
In 2015, 1.4 million Jeep Cherokees that recent vehicle hacks are a
were recalled after hackers great example selectively modifying
demonstrated that the cars could communications and commands
be taken over remotely through the so they can take control or affect
03
entertainment system.6 what the vehicle does. This has a
potentially terrifying result.15
DRX-BASED
AIRBAG ECU USB RECEIVER (VX2)
LIGHTING SYSTEM
VEHICLE ACCESS ENGINE AND ECU (INTERIOR AND ADAS SYSTEM
SYSTEM ECU TRANSMISSION ECU EXTERIOR) ECU
ALTER BEHAVIOUR
STEAL CREDENTIALS
USE OF STOLEN CREDENTIALS
PAYMENT
POS TERMINAL/CONTROLLER
03
WHAT ABOUT
WEARABLES?
Wearables are rapidly gaining Wearables are tracking all sorts
popularity with smartwatches such of personal information including
as the Apple Watch and Samsung GPS location, blood pressure,
Gear, as well as exercise wearables heart rate, and anything else
like those from FitBit and Jawbone. you feed them such as weight or
According to ABI Research, an diet. Such personally identifiable
estimated 780 million wearable information could be used as a
devices will be in circulation base to target you for spear-phishing,
by 2019. or aid in identity theft. But the
real opportunity is these devices
Now you might be wondering
linking to your smartphone, where
just what would be so bad about
phone numbers, more personally
hacking a fitness wearable? This
identifiable information, emails,
is exactly the line of thinking
web logins etc. could theoretically
that allows cybercrime to occur.
be compromised.
ENERGETIC BEAR
One of the more well-known in manufacturing, construction,
nation-state sponsored tools of health care and defence companies.
cyberwarfare currently active is
Primarily designed for
Energetic Bear. First uncovered in
cyberespionage, when the threat
2012, and believed to be sponsored
was first mapped in 2014 by
by Russia, Energetic Bear used
security firm Kaspersky Labs,
the Havex Trojan to gain access to
it identified nearly 2,800 victims
company networks, particularly
worldwide, affecting countries
those in the energy sector,
including the US, Spain, Japan
though it has also been found
and Germany.44
03
230
PEOPLE LOST
POWER WHEN
30 SUB-STATIONS
IN WESTERN
UKRAINE WERE
SHUT DOWN
VIA A REMOTE
ATTACK
,000
Cyberattacks on Irans nuclear-enrichment program French Coldwell, Chief Evangelist
infrastructure by sabotaging centrifuges.40 at governance, risk, and compliance
In 2014 a German steelworks was apps company Metricstream, at a
As societies around the world
disabled and a furnace severely cybersecurity summit earlier this
depend ever more heavily on
damaged when hackers infiltrated year noted that this is the canary
technology, the ability to shut down
its networks and prevented the in the coalmine. Much more of this
or destroy infrastructure, take
furnace from shutting down.41 will come.43
control of machines and vehicles,
and directly cause the loss of life In 2015, with an attack strongly We can expect governments around
has become a reality. To date, some suspected to have originated the world to strengthen their
of the more well-known examples from Russia, 230,000 people lost cyberattack and defence capabilities,
of cyberattacks on infrastructure power when 30 sub-stations in spurring an arms race that will
include: Western Ukraine were shut down operate at a much faster pace than
via a remote attack. Operators at we saw in the Cold War. But here
In 2008 when Russia sent
the Prykarpattyaoblenergo control the results could be much more
tanks into Georgia, the attack
centre were even locked out of subtle as noted in the McAfee 2016
coincided with a cyberattack on
their systems during the attack and Threats Predictions report, they will
Georgian government computing
could only watch it unfold.42 improve their intelligence-gathering
infrastructure. This is thought to
capabilities, they will grow their
be one of the first land and cyber In all of these, and as an indication
ability to surreptitiously manipulate
coordinated attacks.39 of how the landscape of war is
markets, and they will continue to
Also in 2008, Stuxnet a computer changing, the weapon of choice for
expand the definition of and rules of
worm purportedly jointly designed these attacks wasnt guns or bombs
engagement for cyberwarfare.15
by the US and Israel crippled it was a keyboard.
03
for attack.
BLAST FROM
THE PAST
Perhaps one of the more it was visible from space. Later
prominent examples of the cause was revealed to be a
cyberwarfare even before the Trojan horse implanted by the US
internet became ubiquitous in pipeline equipment sold from a
comes from the cold war in 1982 Canadian company on to Russia.
when a Siberian oil pipeline End result: economic sabotage
exploded, creating at the time facilitated by computer software.
one of the largest non-nuclear
explosions in history, so large
22 LOCAL
WEATHER
CARBON
MONOXIDE 0 50%
CISTERN
AND TANK
LEVELS PPM OVERFLOW
COMMUNAL
WINDOWS
35
ANGLE
0% SMOKE
DETECTION
COMMUNAL
LIGHTING KWH 1344 LIFTS
2 IN 3 AUSTRALIANS
HAVE SOCIAL
MEDIA ACCOUNTS
1 IN 2 AUSTRALIAN
MOST AUSTRALIANS
SMALL AND MEDIUM
SPEND ALMOST 1 DAY
BUSINESSES RECEIVE
ONLINE PER WEEK
PAYMENTS ONLINE
But theres also a less obvious A good example of how the landscape
Nation-state concern here: sovereignty. can change is the news earlier this
cyberwarfare will year that in Russia, ISPs are now
Security of cloud data is not just
required to store both the metadata
become an equaliser, about encryption, but also the
and content of communications,
sovereignty of access when data is
shifting the balance and hand over encryption keys for
physically located in an overseas
of power in many jurisdiction. The internet may have
any encrypted data36. Any cloud data
international passing through an ISP can become
no borders, but data itself still
readable by Russias government and
relationships just as lies within traditional real-world
intelligence services. This had the
boundaries and in turn may be bound
nuclear weapons did immediate fallout of some popular
by the laws of a foreign nation.35
starting in the 1950s. VPNs closing their Russian nodes,
Further, even if we trust in the and in at least one known case37
McAfee Labs 2016 laws of a foreign nation theres no servers were seized from the VPN
Threats Predictions15 guarantee they wont change, and provider under this law.
data that was previously protected
With cloud expected to grow by
could be subpoenaed, accessed by
around 18% through 201638,
government departments, or shared
concerns around the sanctity and
with third parties without consent.
sovereignty of cloud data are only
going to increase.
03
MORE USERS
2015 3.0 BILLION
2019 4.0 BILLION
03
While in an ideal world these ransoms financial information while using
would never be paid and thus not spear-phishing targeted at office
staff to get malware installed.
Utilising the cumulative
bandwidth available to
these IOT devices, one
group of threat actors
has been able to launch
attacks as large as
400Gbps.
THE WORLD
WE LIVE IN
Facebook CEO, Mark Zuckerberg,
has been observed in a
promotional photo for Instagram
with his laptop in the background
sporting tape covering both the
camera and the microphone the
implication being he doesnt trust
his own machine is secure from
cyberespionage.24
If the CEO of one of the worlds
technology innovators cant neces-
sarily trust his own computer, what
does that mean for the rest of us?
One of the largest known (considering targeted for the purpose of advancing However, identity theft is more than
not all companies like to own up to a different attack against another just financial fraud, its a central
having been scammed) scams to date victim. For instance, an attacker may pillar for all manner of cybercrimes:
resulted in the loss of =C 40 million hack a website to serve malware once you can impersonate an
from Leoni AG84 in August of this to visitors with the intentions of individual, you can gain access to
year, facilitated by tricking a financial infecting its true target.25 their accounts, commit multiple
officer into transferring funds to the types of fraud in their name, steal
A common adage in cybersecurity
wrong account. information only they have access
is that while defence must consider
to, and much more.
Importantly, success with one method every possible attack vector,
can lead to exploitation of others, attackers only need to find one weak As we share more of our lives online,
such as an employee clicking on point. An attack only needs to be we open ourselves to being exploited
a macro within an email which in successful once. further. In McAfees 2016 Threats
turn downloads a program, which Predictions report the authors note
then automatically pulls down Identity theft that the growing value of personal
targeted malware to access network Identity theft is the crime no one data is already more valuable than
resources (this is sometimes known thinks will happen to them until payment card information and will
as weaponised email attachments). it does. continue to climb.15
The Aspen Institutes Critical According to Javelin Strategy and
Infrastructure Readiness Report Research, some $US16 billion was
notes the analysis of this years data stolen from 12.7 million consumers
led to an interesting new revelation in the US alone during 2014 due to
nearly 70% of attack victims are identity theft.26
Cybersecurity Ventures48
04
639
$
04
700,000
639,000
525,000
350,000
175,000
$0 BILLION
2000 2023
Opportunities
The threats are many and varied, but so are the
Cyberattacks are costing
opportunities technology constantly teases us with
global businesses as
much as $500 billion per
new ideas, new products, and new ways of living our
year The banking and lives. It also presents new economic opportunities,
financial sectors have led new ways of doing business, and new ways to make
the way as top targets for a difference.
cyberattacks in the last
The data-driven economy to increase exponentially already
five years, with IT and we are creating new ways to mine
If theres one prediction we can make
telecom, defence, and about the next decade it is this:
data and produce new services (right
the oil and gas sectors down to robot lawyers86). Combined
data will be king. From machine-
with the Internet of Things, there is
following behind. learning AI to the Internet of Things,
tremendous economic opportunity
the accumulation and analysis
for Australian technology companies
Cybersecurity Ventures48 of data from every aspect of our
to innovate and produce products for
lives will drive entirely new insights
the world stage.
and products.
But all of these will also require
We already have advanced local
cybersecurity as a fundamental
information system industries to
building block. Regardless of the
support this, including the emerging
level of investment or development
FinTech sector (where already nine
in Australian technology businesses,
Australian FinTech businesses are
we will need a vibrant cybersecurity
listed in the worlds top 100 FinTech
sector to support innovation and
companies47).
guarantee the economic prosperity
But the opportunities for products of technology initiatives.
and services involving data are going
Rodney Gedda,
Senior Analyst, Telsyte53
Technology as wealth creation Cybersecurity as job growth Australia can galvanise its own
cybersecurity industry with
The benefits of technology have According to SEEK, cybersecurity
government and private-sector
created tremendous wealth over the roles are already in demand, having
support but part of this involves
last decade you only need to look at grown 57% in the last year.50 This
addressing the need for more
household names like Google, Apple, includes jobs like Security Analyst,
trained scientists, mathematicians,
or Facebook for examples. Security Architect, Security Engineer,
engineers, and ICT workers. As
and Chief Information Security
As we move to a world populated a nation we need a scientifically
Officer, all of which represent the
by internet-connected devices literate community capable of
new type of opportunities that are
from your car to your fridge, your engaging in a national conversation
developing in the workforce.
childrens toys and even the clothes on vital technology issues like
you wear there are still Googles We have the skills and talent in cybersecurity.
and Apples and Facebooks to be Australia to support and capitalise
discovered. on this growth, which will only see Leveraging technology talent
more demand as the importance of
This alone represents tremendous Which leads us to the talent we
cybersecurity in the development
opportunities for Australias ICT already have Australia has some of
of new technologies and products
sector, but for any of this to be the worlds top universities, but as a
continues to grow.
possible, the gadgets and the previously resource-driven economy
networks they communicate on There are lessons to be learned from we currently lack a technology focus,
must be secure, and this means Israels high proportion of security the type of which Israel recognised
cybersecurity will need to form vendors here: moving from a high as essential for a data-driven future.
the basis of every new technology proportion of agricultural exports
Collaboration of government, industry
going forward. some 50 years ago, one of Israels
and research organisations to
primary exports is now software.
The end result, as it happens, is that incentivise new developments and
Government support for a startup
good cybersecurity is good for the monetise research to bring products
culture and the belief that technology
bottom line. There is an inherent and services to market will be key.
is the backbone of a strong economy
interest for companies to implement This includes interacting with
has seen Israel now lead the world
good cybersecurity strategies to ensure incubators and accelerators, sharing
in cybersecurity, second only to the
their profitability is protected, and key learnings from innovation, and
US globally.
this in turn will require cybersecurity encouraging entrepreneurial thinking.
products and skilled cybersecurity Currently there are some 228
Diversity is also a critical component
professionals in the workforce. cybersecurity vendors in Israel, and
in order to meet demand for skilled
only 15 in Australia. Israel has one
The economic opportunity for Australia ICT workers. This includes utilising
third the population of Australia.
then for a strong cybersecurity sector a greater proportion of our aged
is clear. Meanwhile in the UK, and since the workforce, and galvanising interest
British government published its in ICT with women, who are currently
cybersecurity strategy in 2011, the underrepresented in the technology
cybersecurity sector in the UK has sector (just 28% of ICT roles are held
almost doubled from 10 billion to by women50) and represent a large
17 billion and is now responsible for untapped resource.
employing 100 thousand people.49
04
Challenges
While the opportunities are clear for ICT in Australia
Many of these devices
and the nation as a whole, there are a number of
are always on, always
listening, and always
challenges we need to address. Ideally, all sectors
communicating... from government and industry, to enterprise and
raising concerns about academia, need to play a part in the development
transparency and privacy. and promotion of cyber education, skills and products.
With homeowners
Leadership The foundation of any society is
unprepared and ill- trust, as well as the foundation for
Lack of leadership is a key challenge,
equipped to detect and if only because it takes a concerted
security itself. Security helps build
remediate most security trust between people and technology.
effort to both recognise and take
If we cannot protect for example
threats, some highly action on what is clearly a vital
personal data, it will have negative
successful attacks will function in todays technologically
consequences for technology
savvy world.
collect personal info on adoption and the ICT industry as
This is true across government, a whole.
an ongoing basis.
the private sector, education and
As a result, leadership is required to
academia the rate at which
McAfee Labs 2016 tackle issues around cybersecurity,
Threats Predictions15
technology adoption occurs in
governance, private-sector support
Australia far outstrips our ability
and education to ensure we can
to predict the implications of
adequately protect the foundation of
technology, particularly when it
trust upon which we all depend.
comes to the results of cybercrime.
LEARNING
FROM HISTORY
In 1958 when the National Defense Today we face a similar situation
Education Act was signed into law where we are already in a skills
in the US, the goal was to provide shortage for ICT in Australia, and
funding to education institutions at if we are to create a blossoming
all levels. The impetus was Russia cybersecurity ecosystem we will
beating the Americans to space, first need a strong emphasis on
and a national feeling that America and promotion of STEM-based
was falling behind. Over a period of skillsets for Australians throughout
four years $USD1 billion was spent the educational pathway.
on science education.57
04
1% of this demand.50 Additionally, cybersecurity in current workplace
there has been a 35% drop in practice: as noted earlier, the
enrolment rates for ICT subjects weakest link is often people so
at universities since 2001.50 good cybersecurity policies and
Infrastructure has
always been considered
a legitimate target. In
WWII we bombed and
destroyed the electrical
infrastructure of our
enemies. Now we have
the ability, through a
cyberattack, to just shut
the grid down.
04
bad guys dont. For one, there may The trend today for many companies
be legal or regulatory limitations, is to capture as much personal
particularly where the sharing of information as possible, all the better
USA 827
ISRAEL 228
UK 76
CANADA 49
INDIA 41
GERMANY 33
FRANCE 25
AUSTRALIA 15
SWEDEN 12
IRELAND 10
SWITZERLAND 9
to mine for advertising or other for 2016 notes that Government capability to create highly successful
products, but as more breaches identity records such as birth/death, companies and products that compete
come to light this trade-off of taxes, and national insurance IDs; on the world stage.
personal data for services will and banking accounts and ATM
Changing this perception will
come under increased scrutiny. transactions will also be targeted.15
involve, in part, the promotion of
This has implications for mass Increasingly, as governments and the value of home-grown ICT and
surveillance and the storage of corporations turn to big data, it raising awareness of Australian
metadata. As Jill Slay, Director of will become paramount that this technological solutions.
the Australian Centre for Cyber data be de-identified when possible
Practically, it also helps for the
Security, and Greg Austin, Professor to limit the damage from data
private sector and the ICT industry as
Australian Centre for Cyber Security, breaches as well as preserve privacy
a whole to seek Australian products
succinctly noted, you cannot of individuals.
when canvassing for solutions.
demand mass surveillance and
metadata retention without there Perception and practicality
being costs that make us much Finally, there is a perception
less safe. Metadata retention is that Australia is not currently a Its a market economy
retrospective it wont predict or stop
crimes, but it will open up breaches
technology leader not just in the price of a compromised
cybersecurity, but as a whole. The
that bad actors can waltz through.54 system of $5 shows you
current view with technological
The DDoS against the Australian products is that its better if it comes exactly how far down
Bureau of Statistics eCensus servers from overseas.56 the road we are of the
in August this year demonstrated just This is a perception that needs to cybersecurity story.
how easily a service can be knocked change. We have all the ingredients
offline and, typically, DDoS attacks to create world-class products and Tim Wellsmore, Former Manager,
can often hide secondary attacks services in Australia, particularly in Fusion Special Intelligence 2013-1685
aimed at breaching a system. Any relation to ICT and cybersecurity.
large database such as census data
is a prime target for cybercriminals Pioneers like Atlassian and WiseTech
as its a jackpot for identity theft. Global demonstrate we have the
McAfees Threats Predictions report
05
For all my enthusiasm
for governments
responsibilities in
cyberspace, good cyber
policy requires the
cooperation and creativity
of academia and industry.
Indeed, government needs
to be challenged by
academia and industry.
Malcolm Turnbull,
Prime Minister of Australia.
September 2016
Helping ensure a secure and State of the nation While in Japan the Japanese
successful environment ultimately Government in August announced
Economies of scale aside, the US
comes down to every government, plans for a government institute,
administration, under Obama and
business, academic institution and as part of Japans Information
now Trump, allocated $US14 billion
individual around the world. All three Technology Promotion Agency (IPA),
to cybersecurity spending in the 2016
are the targets of cybercrime and any to train and educate employees to
budget3, and has asked for $US19
government department, corporate recognise and counter cyberattacks.88
billion for the 2017 fiscal year.60
network, or the smartphone in your
So where are we now in Australia?
pocket could be used as a vector In the UK the British Government
In September this year Prime Minister
for attack. has allocated 860 million over a
Malcolm Turnbull addressed the
five-year period from 2011-2016,
Thats not to say we should all stop Australia-US Cybersecurity Dialogue
and is increasing this to 1.9 billion
using technology because the risks at the Center for Strategic and
to 2021.51 The UK also conducts
are too high its all about process International Studies, in which
three exercises each month to test
and procedure. Good government he reiterated the importance of
cyber resilience and response, and
regulation, skilled and qualified IT cybersecurity and noted for all
has a joint program with the US to
staff in an organisation, and education my enthusiasm for governments
prepare for a cyber-enabled terrorist
about common scams and how responsibilities in cyberspace, good
attack on nuclear power stations.
to avoid them, can dramatically cyber policy requires the cooperation
UK Chancellor George Osborne
shrink the surface of exposure and and creativity of academia and industry.
has called it one of the greatest
minimise or prevent data breaches, Indeed, government needs to be
challenges of our lifetime.54
cybercrime, and many of the threats challenged by academia and industry.
covered here. Elsewhere in Europe, the European
On the 21st April, the Federal Govern-
Parliament in June imposed security
So what are other parts of the world ments Cyber Security Strategy59 was
and reporting obligations for
doing, and what are we doing here launched and encompassed:
industries such as banking, energy,
in Australia?
transport and health and on digital A national cyber partnership
operators like search engines and between government, researchers
online marketplaces.87 and business including regular
meetings to strengthen leadership
and tackle emerging issues.
05
now in its fourth year.
SHAKEN AND THREAT LEVEL THREAT AGENT THREAT VECTOR
STIRRED CRITICAL Nation state Espionage, theft,
sabotage, product alteration
In security parlance a threat
agent (not the James Bond type) Competitor Espionage, theft,
product alteration
is an attack source combining
Organised crime Espionage, fraud, theft
motivation and capability. In
general, threat agents can be Terrorist Sabotage, violence
categorised from benign to HIGH Activist/hacktivist Espionage, data theft, sabotage
critical. To the right is a Disgruntled employee (All of the below)
breakdown of common threat
agent categories and their Reckless, untrained Accidental breach or
or distracted misuse of data
typical vectors:25 employees
MEDIUM Thief Physical theft, espionage, fraud
Irrational individual Physical theft or sabotage
Vendor or partner Accidental leak, but also
intentional fraud or theft
LOW Outward sympathiser Deliberate data leak or
misuse of data
1
Education and Awareness
First and foremost, its essential
2
Planning and Preparation
A cybersecurity incident isnt an
3
Detection and Recovery
When a breach happens, the quicker
that cybersecurity forms part of the if but a when, and to that end, it is detected and responded to, the
conversation in every organisation, preparation is essential. This can greater the chance of minimising
from the lunch room to the include management systems, loss be it financial, reputational,
boardroom. Only through keeping best practice policies, IT auditing, or otherwise.
cybersecurity front of mind can it and dedicated staff responsible for
How quickly can your organisation
form part of the decision-making cybersecurity operations.
identify and respond to the theft of
process, infrastructure investment,
Good cybersecurity readiness data or the disabling of key services?
and regulatory and governance
encompasses an understanding How fast can affected servers or
requirements.
of risks and threats to assets and workstations be quarantined for
Additionally, as people can themselves information relevant to the forensic analysis? How quickly and
be an attack vector through social organisation and its people, monitoring easily can lost or corrupted data
engineering, everyone within an and detecting cybersecurity threats be restored? What is the incident
organisation ultimately shares regularly, protecting critical systems response plan and who are the
responsibility in ensuring best-practice and information, ensuring the stakeholders that need to be notified
cybersecurity processes are carried organisation meets all relevant immediately?
out. This requires staff education standards compliance, has incident
Importantly, the preservation and
with regular updates to material response plans in place in the event
analysis of logs that can help identify
as new threats arise. In fact, of a breach, and clear business
how the breach happened, and thus
parallels have been drawn between continuity plans to minimize any loss.
how it can be closed, is part of the
cybersecurity and healthcare
Typically, many of the above recovery process. Its not enough
everyone needs some form of
responsibilities belong to the CISO just to close the hole; an
cybersecurity education.
(Chief Information Security Officer) understanding of how the breach
Finally, the employment of qualified or equivalent, though other stake- occurred can lead to preventing
cybersecurity professionals or holders such as senior leadership, other, similar, breaches.
certified training for key staff both in legal and communications staff,
IT and management should form part and public relations may also need
of any cybersecurity readiness. to have preparations in the event of
an incident.
05
ONLINE
RESOURCES
For further reading and more
4 5
information, visit the following
websites:
Australias Cybersecurity Strategy
cybersecuritystrategy.dpmc.gov.au
Australian Center for Cyber Security
Sharing and Collaboration Ethics and Certification www.acsc.gov.au
As weve covered in this guide, It may initially seem a less Australian Computer Emergency
collaboration is essential to practical pillar, but the difference Response Team (AusCERT)
mitigating current and future risks. between a white hat hacker and
www.auscert.org.au
black hat hacker is mindset.
Sharing the results of your breach
Australian Cybercrime Online
analysis with government and In any company or organisation,
industry can help stop a known ethics plays a role and should Reporting Network (ACORN)
attack vector hitting other organisa- be of particular concern when www.acorn.gov.au
tions. In turn, your company may it comes to cybersecurity. While Australian Internet Security Initiative
be able to prevent an exploit by some sectors, such as defence, www.acma.gov.au/Industry/
learning from a breach that another will have their own means to vet
Internet/e-Security/Australian-
organisation shared. credentials, for an industry as
Internet-Security-Initiative
diverse and skilled as ICT it helps
Also consider joining or providing
if professionals can demonstrate Australian Signals Directorate
information to an ISAC (Information
adherence to a code of ethics Top 4 Mitigation Strategies
Sharing and Analysis Centers, www.
through membership of a www.asd.gov.au/infosec/
nationalisacs.org) if there is an
professional institution. mitigationstrategies.htm
equivalent for your industry.
Many professional organisations
In some cases, your organisation Australian Signals Directorate
hold their members to standards
may be bound by legislative CyberSense Videos
that ensure the reputation and
requirements to report an incident. www.asd.gov.au/videos/
respectability of a profession is
At a minimum, a breach should cybersense.htm
preserved. ACS, for example,
be reported to government or
has a code of ethics all Certified Australian Government
organisations such as AusCERT
Professionals must abide by, in Stay Smart Online
(www.auscert.org.au) and the
addition to other requirements www.staysmartonline.gov.au
Australian Centre for Cyber Security
such as demonstrating continued
(www.acsc.gov.au).
education and personal ACCC Scam Watch
development in their chosen www.scamwatch.gov.au
professional field of expertise.
Australian Computer Society (ACS)
www.acs.org.au
EASYDOC
MALWARE ADDS 10 MILLION
TOR BACKDOOR ANDROID
TO MACS DEVICES
FOR BOTNET REPORTEDLY
CONTROL63 INFECTED
LIZARDSTRESSER BOTNETS
WITH CHINESE
USING WEBCAMS, IOT MALWARE73
GADGETS TO LAUNCH
DDOS ATTACKS65 THIEVES GO HIGH-TECH
TO STEAL CARS75
DDOS ATTACK
TAKES DOWN CROOKS ARE
US CONGRESS WINNING THE
WEBSITE FOR CYBER ARMS
THREE DAYS67 RACE, ADMIT
HACKERS FIND 138
COPS77
SECURITY GAPS IN
PENTAGON WEBSITES69
05
The US government
has increased its annual
cybersecurity budget
by 35%, going from $14
billion budgeted in 2016
to $19 billion in 2017.
This is a sign of the times
and theres no end in sight.
Incremental increases in
cybersecurity spending
are not enough. We expect
businesses of all sizes
and types, and govern-
ments globally, to double
down on cyber protection.
Cybersecurity Ventures48
THREATS
IN 2014-15 CERT (COMPUTER THE WORLD ECONOMIC FORUMS CYBERSECURITY IS A BUSINESS
EMERGENCY RESPONSE TEAM) GLOBAL RISKS 2015 REPORT ISSUE, NOT JUST A TECHNOLOGY
AUSTRALIA RESPONDED TO HIGHLIGHTED CYBERATTACKS AND ONE. IN A SURVEY OF CLOSE TO
11,733 4,000
THREATS AS ONE OF THE MOST LIKELY
HIGH-IMPACT RISKS. IN THE UNITED
STATES, FOR EXAMPLE, CYBER CRIME
ALREADY COSTS AN ESTIMATED
FIFTEEN
FINANCE, AND COMMUNICATIONS
WERE THE TOP THREE TARGETS.82
IOT SENSORS AND DEVICES
ARE EXPECTED TO EXCEED MOBILE
PHONES AS THE LARGEST CATEGORY PERCENT CLASSED AS CYBER
THE AUSTRALIAN GOVERNMENT
OF CONNECTED DEVICES IN 2018, LITERATE. THERE IS A LACK
DEPARTMENT OF COMMUNICATIONS
23%
GROWING AT A OF KNOWLEDGE ABOUT
HAS REPORTED THAT THE AVERAGE
CYBERSECURITY AT THE EXECUTIVE
COST OF A CYBERCRIME ATTACK
LEVEL IN MANY BUSINESSES
TO A BUSINESS IS AROUND
IN AUSTRALIA.1
$276,000
92
05
IN PLACE FOR THIS FUTURE.
OPPORTUNITIES
IN 2003 THE CYBERSECURITY THE UK PUBLISHED ITS CYBER- JOB ADVERTISEMENTS FOR CYBER-
57%
INDUSTRY WAS TAGGED AT SECURITY STRATEGY IN 2011 SECURITY ALONE HAVE GROWN
$US2.5
SINCE THEN THE SECTOR
ALMOST DOUBLED FROM TEN
BILLION POUNDS TO
SIXTH
WILL BE WORTH $US639 BILLION
BY 2023.1
1,404
THERE ARE
MOST ADVERTISED ICT
BY 2030 ITS ESTIMATED OCCUPATION ON LINKEDIN
DATA ANALYTICS, MOBILE IN 2015.50
INTERNET, CLOUD AND IOT
COULD GENERATE $US625
BILLION
CYBERSECURITY VENDORS IN
THE WORLD TODAY. AUSTRALIA
SPORTS ONLY FIFTEEN.
VENDORS BY COUNTRY:
IN SALES PER YEAR IN APAC.1
USA 827, ISRAEL 228, UK 76,
INDIA 41, AUSTRALIA 15.1
05
Administrator: Person who Cyberthreat: A potential threat Malware: Catch-all term to refer
administers a computer system targeting computer systems to any type of malicious software,
or network and has access to the and technology, typically from typically used in reference to viruses,
Administrator account. the internet. ransomware, spyware and similar.
Black Hat: Programmers who hack Cyberwarfare: Internet-based Phishing: Deceptive attempt, usually
into systems to test their capabilities, conflict to attack computer systems over email, to trick users into
and exploit vulnerabilities for personal to disrupt or destroy. Usually in handing over personally identifiable
or financial gain. See Cybercrime. reference to nation states but can or critical information (such as
also refer to companies, terrorist or passwords or credit card numbers).
Advanced Persistent Threat: Usually
political groups, or activists. A form of social engineering.
refers to long-term stealth attacks
on or infiltration of a system, but can DoS/DDoS: Denial of Service/ Ransomware: Malware used to
also be used to describe a group, Distributed Denial of Service. A hold an individual or organisation
such as a foreign government, with common attack involving thousands to ransom, typically by encrypting
advanced cyberattack capabilities. of devices accessing a site simultan- files or an entire hard drive and
eously and continually to overload its demanding payment to unlock the
CIO/CISO: Chief Information Officer/
ability to serve web pages. data. Also known as Cryptoware.
Chief Information Security Officer.
Executive position responsible for Hacker/Hacking: While originally Social engineering: The practice of
ensuring the security of systems and in reference to a programmer manipulating human beings to gain
data in an organisation (can include hacking at code, its now become access to data or computer systems.
physical security). mainstream to represent individuals
Spear-phishing: Highly-targeted
who maliciously breach (hack into)
Critical infrastructure: Physical form of phishing towards an
computers and related systems.
and virtual assets that are vital to individual or business, often utilising
the operation of an organisation or ICT: Information and social engineering techniques to
nation, for example, the electrical grid. Communications Technology. appear to be from a trusted source.
Overarching term encompassing
Cyberattack: An offensive act against Spyware: Covert software designed
all forms of computing and
computer systems, networks, or to steal data or monitor people
telecommunications technology
infrastructure. and systems for cybercriminals,
inclusive of hardware, software,
organisations, or nation states.
Cybercrime: Computer-facilitated and networks.
crimes, though frequently can Threat actor: an individual or entity
IoT: Internet of Things. An evolving
be used to refer to all forms of that has the potential to impact, or
definition of the wide-variety of
technology-enabled crimes. has already impacted, the security
internet-connected devices ranging
of an organisation.
Cyberespionage: The practice and from sensors to smartphones.
theft of confidential information from White Hat: Programmers who hack
Internet security: A general term
an individual or organisation. into systems to test their capabilities,
referring to the security of internet-
and report vulnerabilities to
Cybersecurity: The discipline and related technologies, such as web
authorities to be fixed.
practice of preventing and mitigating browsers, but also that of the
attacks on computer systems underlying operating system
and networks. or networks.
05
1 Richard Stiennon, Chief Research Analyst, IT-Harvest,
National Fintech Cybersecurity Summit 2016
2 Internet Users by Country 2016, Internet Life Stats, July 2016
www.internetlivestats.com/internet-users-by-country
3 Cybersecurity Market Expected To Reach $170 Billion By 2020, Forbes, Dec 2015
www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity%E2%80%8B-
%E2%80%8Bmarket-reaches-75-billion-in-2015%E2%80%8B%E2%80%8B-
%E2%80%8Bexpected-to-reach-170-billion-by-2020
4 One in two users click on links from unknown senders, Fau.eu, August 2016
www.fau.eu/2016/08/25/news/research/one-in-two-users-click-on-links-
from-unknown-senders
5 Biggest cybersecurity threats in 2016, CNBC, Dec 2015
www.cnbc.com/2015/12/28/biggest-cybersecurity-threats-in-2016.html
6 Hackers remotely kill a jeep on the highway, Wired, July 2015
www.wired.com/2015/07/hackers-remotely-kill-jeep-highway
7 Hackers can send fatal dose to hospital drug pumps, Wired, June 2015
www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps
8 Hackers can hijack Wi-Fi Hello Barbie to spy on your children, The Guardian, November 2015
www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-
barbie-to-spy-on-your-children
9 Simi Bajaj, Cyber Fraud: A Digital Crime,
www.academia.edu/8353884/cyber_fraud_a_digital_crime
10 Akamais State of the Internet Security Report Q2 2015
media.scmagazine.com/documents/144/q2_2015_soti_security_report_-_35820.pdf
11 Contracting for the Internet of Things: Looking into the Nest,
Social Science Research Network, February 2016
ssrn.com/abstract=2725913
12 Cisco CEO Pegs Internet of Things as $19 Trillion Market,
Bloomberg Technology, January 2014
www.bloomberg.com/news/articles/2014-01-08/cisco-ceo-pegs-internet-of-things-
as-19-trillion-market
13 Aussie IoT in the home spend tipped to top $200m in 2020, IoT Australia, November 2015
www.iotaustralia.org.au/2015/11/06/iot-facts-and-forecasts/aussie-iot-in-the-
home-spend-tipped-to-top-200m-in-2020
14 A guide to the Internet of Things Infographic, Intel
www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html
15 2016 Threats Predictions, McAfee Labs, 2016
www.mcafee.com/au/resources/reports/rp-threats-predictions-2016.pdf
16 Lax Security Opens the Door for Mass-Scale Abuse, Imperva Incapsula, May 2015
www.incapsula.com/blog/ddos-botnet-soho-router.html
05
www.forbes.com/sites/briansolomon/2016/06/30/the-first-self-driving-car-
death-launches-tesla-investigation/
33 Chinese cyberattacks hit key US weapons systems. Are they still reliable?,
Christian Science Monitor, May 2013
www.csmonitor.com/USA/Military/2013/0528/Chinese-cyberattacks-hit-key-US-
weapons-systems.-Are-they-still-reliable
34 Secret Code Found in Junipers Firewalls Shows Risk of Government Backdoors,
Wired, December 2015
www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-
of-government-backdoors
35 The 10 Commandments of Data Sovereignty, CSO Online, July 2013
www.cso.com.au/article/466539/10_commandments_data_sovereignty
36 Russia Imposes New Data Storage Requirements for Telecoms and ISPs,
Hogan Lovells Media, July 2016
www.hlmediacomms.com/2016/07/11/russia-imposes-new-data-storage-requirements-
for-telecoms-and-isps
37 We are removing our Russian presence, PrivateInternetAccess.com
www.privateinternetaccess.com/forum/discussion/21779/we-are-removing-
our-russian-presence
38 Image, Cyber Security Trends 2016, Cybernetic Global Intelligence, November 2015
cgi-content-imagesandcode.cyberneticglobal.netdna-cdn.com/wp-contentuploads/
2015/11/cyber-predictions-2016-v2.png
39 Russo-Georgian War, Wikipedia, 2016
en.wikipedia.org/wiki/Russo-Georgian_War
40 An Unprecedented Look at Stuxnet, the Worlds First Digital Weapon, Wired, November 2014
www.wired.com/2014/11/countdown-to-zero-day-stuxnet
41 A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever,
Wired, January 2015
www.wired.com/2015/01/german-steel-mill-hack-destruction
42 Inside the Cunning, Unprecedented Hack of Ukraines Power Grid, Wired, March 2016.
www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid
43 French Coldwell, Chief Evangelist, Metricstream,
National Fintech Cybersecurity Summit 2016, Sydney
44 Kaspersky report on Energetic Bear, Security Affairs, August 2014
securityaffairs.co/wordpress/27224/cyber-crime/kaspersky-report-energetic-bear.html
45 Mayhem program wins grand hacking challenge, BBC News, August 2016
www.bbc.com/news/technology-36980307
46 When Paying Out Doesnt Pay Off, Talos Intel, July 2016
blog.talosintel.com/2016/07/ranscam.html
47 Fintech 100: Nine Australian companies make the cut
www.home.kpmg.com/au/en/home/media/press-releases/2016/10/the-fintech-
100-announcing-the-worlds-leading-fintech-innovators-for-2016.html
48 Cybersecurity Market Report, Cybersecurity Ventures, 2016
cybersecurityventures.com/cybersecurity-market-report
49 Chancellors speech to GCHQ on cyber security
www.gov.uk/government/speeches/chancellors-speech-to-gchq-on-cyber-security
05
65 LizardStresser botnets using webcams, IoT gadgets to launch DDoS attacks,
SC Magazine, July 2016
www.scmagazineuk.com/lizardstresser-botnets-using-webcams-iot-gadgets-to-launch-
ddos-attacks/article/506962
66 Researchers Found a Hacking Tool that Targets Energy Grids on the Dark Web,
Motherboard, July 2016
motherboard.vice.com/read/researchers-found-a-hacking-tool-that-targets-
energy-grids-on-dark-web-forum
67 DDoS Attack Takes Down US Congress Website for Three Days, Softpedia News, July 2016
news.softpedia.com/news/ddos-attack-takes-down-us-congress-website-for-three-
days-506451.shtml
68 Citing Attack, GoToMyPC Resets All Passwords, Krebs On Security, June 2016
krebsonsecurity.com/2016/06/citing-attack-gotomypc-resets-all-passwords
69 Hackers Find Security Gaps in Pentagon Websites, ABC News, June 2016
abcnews.go.com/Technology/wireStory/hackers-find-security-gaps-
pentagon-websites-39945560
70 Political Partys Videoconference System Hacked,
Allowed Spying On Demand, Slashdot, June 2016
news.slashdot.org/story/16/06/18/1831235/political-partys-videoconference-system-
hacked-allowed-spying-on-demand
71 Hacker steals 45 million accounts from hundreds of car, tech,
sports forums, ZDNet, June 2016
www.zdnet.com/article/hacker-steals-45-million-accounts-from-hundreds-of-
verticalscope-car-tech-sports-forums/
72 Online Backup Firm Carbonite Tells Users To Change Their Passwords Now,
Slashdot, June 2016
it.slashdot.org/story/16/06/21/2032209/online-backup-firm-carbonite-tells-users-
to-change-their-passwords-now
73 10 million Android devices reportedly infected with Chinese malware, CNet, July 2016
www.cnet.com/news/malware-from-china-infects-over-10-million-android-
users-report-says
74 FLocker Mobile Ransomware Crosses to Smart TV, Trend Micro, June 2016
yro.slashdot.org/story/16/06/13/1845221/android-ransomware-hits-smart-tvs
75 Thieves Go High-Tech to Steal Cars, The Wall Street Journal, July 2016
www.wsj.com/articles/thieves-go-high-tech-to-steal-cars-1467744606
76 Hackers Can Use Smart Watch Movements To Reveal A Wearers ATM PIN,
Slashdot, July 2016
news.slashdot.org/story/16/07/06/2132206/hackers-can-use-smart-watch-
movements-to-reveal-a-wearers-atm-pin
77 Crooks are winning the cyber arms race admit cops, ZDNet, July 2016
www.zdnet.com/article/crooks-are-winning-the-cyber-arms-race-admit-cops
78 Identity fraud up by 57% as thieves hunt on social media, BBC News, July 2016
www.bbc.com/news/uk-36701297
79 A hack will kill someone within 10 years and it may have already happened,
Yahoo News, June 2016
uk.news.yahoo.com/hack-kill-someone-within-10-091800465.html
05
ABOUT THE ACS
The Australian Computer Society is the
professional association for Australias
Information and Communications
Technology sector.
We are passionate about recognising and
developing ICT skills and provide more than
60 products and services to our members.
We are also the voice of Australian ICT,
representing all practitioners in business,
government and education.
In everything we do, our goal is to advance
ICT in Australia and help our members be
the best they can be.
COPYRIGHT NOTICE
This work is licensed under a Creative
Commons Attribution-ShareAlike 4.0
International License.
creativecommons.org/licenses/by-sa/4.0
P: 02 9299 3666
F: 02 9299 3997
E: info@acs.org.au
W: www.acs.org.au