The state of security in Australia: HackSydney and BSides provide insight into security after Medibank and Optus

Cybersecurity in Australia is well and truly front and center for the mainstream media and the everyday public. This year we have seen two catastrophic security breaches, at Optus, an Australian telecommunications provider, and at Medibank, one of Australia's largest health insurance providers. Both breaches saw massive amounts of personal customer information accessed by cybercriminals and then actively used in various attacks on the public. The reaction to these breaches has been greater than anyone could have imagined just a year ago, not only in online communities but also in the wider population, as you hear stories of people's savings being stolen by criminals running phishing campaigns and stealing identities. I recently traveled around the country and attended some of the major security conferences to see how much all of this has changed the security landscape in Australia.

I was fortunate enough to be invited as a guest speaker at two of Australia's leading technical security conferences, HackSydney and BSides Sydney. These conferences provided great insight into the state of cybersecurity in Australia and what we can learn from it.

In 2021, one of Australia’s leading cybersecurity voices, Alastair MacGibbon, told 60 Minutes that there would be catastrophic consequences if Australia did not take security more seriously. It seems that a year later, his prophecy has come true.

“As we rely more and more on computers, as we sew more of our lives, our economy and our society into technology, when that technology fails because of a threat actor, it will have catastrophic consequences for us”
Alastair MacGibbon

Having not been to Australia for many years, I was curious to know what had changed in the landscape and how it had been affected by recent events. What was clearly evident is that the industry as a whole is coming under critical scrutiny, from the security community extending to government and policy makers. This critical assessment was best covered by Edward Farrell in his talk “A Critical Analysis of the Australian Cybersecurity Industry”. The talk called for a reassessment of the security industry, from the skills shortage to the incentives built into security consulting. Many organizations in Australia rely heavily on security consulting firms to fill gaps in their internal capability. But Farrell, who owns a security consultancy himself, said that standard managed service provider (MSP) practices have not been effective in addressing security issues in Australia. He pointed out that “chaos in the industry means old models don't work ... the industry as a whole has no incentive to solve problems quickly when we are paid by the hour”. He went on to challenge the reality of the skills shortage in Australia, explaining that despite the hysteria there is no shortage at the senior and middle management level; the shortage is almost entirely among hands-on technicians, who are not encouraged or targeted by the same employment campaigns. While certainly provocative, it is extremely refreshing to hear people within the security community take issue with the way the industry is structured and point out some of its shortcomings.

It doesn't take long, talking to people attending security conferences in Australia, to see that the community has grown along with the public's reaction to security today. Something you don't often see at community-led conferences is government staff, some at the federal level, but that was a welcome change this year. BSides Sydney, which is run entirely by volunteers, not only hosted government officials but also had them leading conversations with presentations. This included Venessa Ninovic, who gave a detailed presentation on the latest state of phishing campaigns, and data analyst Harriet Farlow, who gave compelling insights into how machine learning and AI are used by attackers. But government and security are also converging on another level, in the form of legislation, including a new bill that will increase the maximum fine for privacy breaches from $2.2 million to $50 million.

Another notable change is the increased interest in technical conversations around securing infrastructure, particularly API security, and given recent history this is no surprise. In the Optus breach it was an insecure API, fully open to the public with no authentication required, that was used to steal millions of customers' records, and in the Medibank breach the attackers used internal APIs to automate the theft of customer data. It should come as no surprise, then, that there were few seats to be found when API security was the featured topic. One of those talks, Jason Kent's “IOCs in your APIs”, took us on a terrifying journey through API security: not only abusing API endpoints to get data, but also how more traditional criminals use them to locate valuables in stores and carry out smash-and-grab crimes. In one particularly entertaining story, he detailed how they tricked criminals into stealing $500 Dyson hair dryers from a store where police were waiting for them, by altering the data the criminals were pulling through the abused API. The talk was perfectly complemented by Jayesh Bapu Ahire's talk at HackSydney on how to implement API security testing in the development lifecycle. This one was clearly a favorite.
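The two breach patterns above (records served by an API that demands no authentication, and attackers walking through record IDs to automate the theft) leave traces in ordinary API access logs. The script below is an added illustration of what looking for those indicators can look like; it is not code from either talk or from any of the organizations mentioned. The log format, the `/api/customers/<id>` path, the client IPs and the thresholds are all assumptions for the example, and the log lines themselves are constructed.

```python
"""Spot enumeration-style scraping in constructed API access logs.

Added illustration for this section, not code from any of the talks it
describes. The log format, path layout and IP addresses are assumed, and
the thresholds are arbitrary starting points rather than tuned values.
"""
import re
from collections import defaultdict

# Assumed log format: "<ts> <client_ip> <method> <path> <status> <auth|anon>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<auth>auth|anon)$"
)
# Assumed path layout: the record id is the last segment of /api/customers/<id>
ID_RE = re.compile(r"^/api/customers/(\d+)$")


def make_sample_log():
    """Constructed sample: one client walking ids 1000-1024 anonymously,
    plus one authenticated user reading a few unrelated records."""
    lines = []
    for i, cid in enumerate(range(1000, 1025)):
        lines.append(
            f"2022-11-01T10:00:{i:02d}Z 203.0.113.7 GET /api/customers/{cid} 200 anon"
        )
    lines += [
        "2022-11-01T10:05:00Z 198.51.100.4 GET /api/customers/4481 200 auth",
        "2022-11-01T10:07:12Z 198.51.100.4 GET /api/customers/4481 200 auth",
        "2022-11-01T10:09:30Z 198.51.100.4 GET /api/customers/9920 403 auth",
    ]
    return lines


def parse_line(line):
    """Return the log fields as a dict, or None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sequential_fraction(ids):
    """Share of consecutive requests whose record id differs by exactly 1."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
    return steps / (len(ids) - 1)


def find_indicators(lines, min_requests=20, min_seq_fraction=0.8):
    """Return {client_ip: [indicator, ...]} for clients that look like scrapers."""
    per_ip = defaultdict(list)  # ip -> list of (record_id, status, auth)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = ID_RE.match(rec["path"])
        if not m:
            continue
        per_ip[rec["ip"]].append((int(m.group(1)), rec["status"], rec["auth"]))

    findings = {}
    for ip, hits in per_ip.items():
        indicators = []
        ids = [cid for cid, _, _ in hits]
        # A customer record returned to an unauthenticated caller is an
        # indicator on its own, whatever the volume.
        anon_ok = sum(1 for _, status, auth in hits if status == "200" and auth == "anon")
        if anon_ok:
            indicators.append(f"{anon_ok} customer records served to an unauthenticated client")
        # Walking record ids in order, at volume, is the classic enumeration pattern.
        frac = sequential_fraction(ids)
        if len(ids) >= min_requests and frac >= min_seq_fraction:
            indicators.append(
                f"{len(ids)} requests, {frac:.0%} with sequential ids ({min(ids)}-{max(ids)})"
            )
        if indicators:
            findings[ip] = indicators
    return findings


if __name__ == "__main__":
    for ip, inds in find_indicators(make_sample_log()).items():
        print(ip)
        for ind in inds:
            print("  -", ind)
```

Run as-is it flags only 203.0.113.7, with both indicators, and leaves the authenticated user alone. The two checks are deliberately independent: the anonymous-access check fires on a single request, because the issue there is the endpoint, not the caller's behaviour, while the enumeration check needs volume so that a user who happens to open two adjacent records is not reported.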

So, after endless conversations and 50 presentations, what can we learn from HackSydney and BSides about the state of security in Australia? One thing that was clear is that the model where organizations rely heavily on security consulting firms has failed to provide adequate security coverage, and has failed to provide the incentives that would lead to better services. But in the wake of the biggest security breaches in Australian history, organizations, government and the security community are making changes. There has been a change in attitude towards security, the community has grown to include stakeholders who were previously behind the scenes, and the appetite for technical content has increased. If I could sum it up in one sentence, I would say that the state of security in Australia is one of action and change: change within the security community, changes to how organizations will be served by security consultants, action by organizations to take charge of their own security, and action by government to introduce legislation that holds accountable those who refuse to take security seriously.

*** This is a Security Bloggers Network syndicated blog from the GitGuardian Blog – Automated Secret Detection, written by Mackenzie Jackson. Read the original post at: https://blog.gitguardian.com/the-state-of-security-in-australia-post-medibank-and-optus/