
Monthly Archives: January 2017

Joining the Hive

Insights into the cyber-security industry from some of Hivint’s junior bees


While tertiary institutions around Australia are striving to produce an increasing number of students equipped with cyber security expertise, the industry is often referred to as being in the midst of a ‘skills shortage’.

Meanwhile, Hivint has been in a period of substantial growth, with the team quite literally doubling in size from January to December of 2016. As part of that growth, we’ve brought on a number of graduates and industry newcomers with a variety of backgrounds and skill sets, who have quickly become an integral and valued part of our team.

With cyber security increasingly being seen as a desirable pathway for many of the brightest and best students in Australia (and around the world), we thought it would be apt to get an insight from our new recruits about what it took for them to be successful in joining Australia’s fastest growing cyber security consulting firm, the challenges they have faced, and advice they have for other people aspiring to pursue a career in cyber security.

Justin Kuyken — GRC Advisor

After 12 years cleaning swimming pools, I went back to university part time to study computer science at La Trobe University — something I had an interest in since my school days. 6 years later in my final year, a network security subject piqued my interest, and after graduating I started absorbing as much information as I could find on this new-found passion.

After another year of reading all the books and using all the tools I could find to expand my knowledge in the area, I still hadn’t had any luck with my efforts to get a start in the industry. Finally, the persistence paid off when I heard back from Hivint, who spoke to me about joining their team as a graduate-level Governance, Risk and Compliance (GRC) advisor. 
While this was not what I originally had in mind, after some research, the role appeared to be an even better way into the industry as a beginner and to get a better understanding of how the security world really works. 
During the recruitment process, the Hivint team was impressed by the dedication and commitment I had displayed in my own knowledge development, having shown a clear passion for developing my own knowledge about any and everything security-related. They decided to bring me on board, and I have not looked back. I have loved my time as part of the company, despite not being the ‘1337’ hacker I originally thought I would be when I started out on this whole path!

In summary, my advice to other aspiring graduates looking for a start is to show initiative to prospective employers — find a way to demonstrate that you are passionate about joining the industry and about continual improvement (e.g. through independent studies and learning), as these are valuable skills even on the job. In addition, be persistent about looking for opportunities — it may take some time, but the payoff for me by getting a foot in the door at Hivint has been well worth it.

Lumina Remick — GRC Advisor

After completing a Masters in Project Management at Bond University, my original plan was to return to working with circuits and microprocessors given my original background in Electronic and Communications Engineering. Little did I know an interesting career change was waiting for me.

In the final semester of my studies, I interned for an asset management company. My job primarily focused on implementing and tailoring their risk management policy and procedures to suit their business needs. However, I also had the opportunity to work on their IT security policies. This experience — together with my interest for risk management — piqued my interest for a career in cyber security.

Coincidentally, the company I worked for was Hivint’s client, so I had a sneak peek of Hivint’s work even before I became a part of the Hive. I believed the right place to further my new-found interest was at Hivint, so I religiously started following them on social-media platforms looking for a way in. 
When they advertised for a graduate GRC advisor role, I jumped at the opportunity, and there has been no turning back.

As a beginner, this role has been an amazing way into the industry and a great learning experience. I’m constantly learning new things and have come to realise there is no such thing as ‘knowing it all’ in security. I must admit that Google has quite often been my best friend through the whole experience. 
Working with some of the best people in the industry has inspired and made me love my time at Hivint.

My advice to any aspiring graduates is to do your research on which companies in the industry are hiring, and then make sure you know as much as you can about them and keep a regular eye out to see if they are looking to fill new roles. The fact you have done your research and shown an interest in them will stand you in good stead should you land an interview!

Sam Reid — Technical Security Specialist

I took the common route through university, completing a Bachelor of Science in Cyber Security at Edith Cowan University. The first thing I’ll say is that working in the industry is more about client relationships and working with clients (particularly to help them understand their security risks and which ones are appropriate to accept, and which ones are not) than I originally thought. Those boring risk and standards units at uni turned out to be important when assisting clients to manage their exposure!

Penetration testing is the real deal and it’s seriously cool. The exposure and range of things you get to test and ‘break’ to help clients identify security holes will live up to your expectations — guaranteed.

My advice to aspiring grads — with the constant stream of new information, trends and events in this industry — from new vulnerability disclosures, ongoing data breaches, growth in IoT devices, and DDoS attacks, it’s easy to be left behind when you’re starting out. Try to keep your passion up by doing security-related things you enjoy in your own time when you can. Capture the Flag (CTF) events, security research, bug bounties, secure software development not only keep you interested — they keep you interesting! A challenging CTF you recently completed could make a great story to tell during an interview.

As a case in point, I was hired as a junior security analyst straight from university and while I hadn’t heard of Hivint (they were only 12 people back then), the regional director had heard of me, having attended a presentation I gave on identity theft at a local security meetup. In my opinion, engaging with the community and making yourself known in the field (for the right reasons!) can really kick-start your career and put you ahead of the other graduate job seekers.

Oh, and lastly, be mindful of how you refer to your occupation as a ‘penetration tester’. My Mum proudly told the extended family that I was a “computer penetrator” last Christmas. No Mum. Please don’t ever say that again.

John Gerardos — GRC Advisor

I always knew I’d enroll into a Computer Science degree and work in technology. I originally worked primarily in support/systems administration and network engineering. My last few years as a network engineer had me either living in datacenters or designing and installing wireless access across large campuses in preparation for the explosion of BYOD (bring your own device) policies.

It very quickly became apparent that securing networks from the risks inherent in BYOD as well as the emerging Internet of Things was going to be a very interesting and expanding area. After working closely with the security team on several projects, I decided that is where I wanted to move my career.
So back to university I went! Along with my usual studies at the Masters of Applied Science (Information Security and Assurance) at RMIT, I learned about Ruxmon, a free security meetup that was run once a month on-campus. I immersed myself in the “Security Scene”, began attending Ruxmon, assisting with the organisation of the meetup as well as stepping up to lead the Information Security Student Group at RMIT University. I made it my goal to attend as many security meetups as possible and learn from the experts, which I found very rewarding and something that also helped cover and reinforce some of the material learnt in my studies.

My university often ran industry networking events and I happened to bump into a couple of Hivint people at one I spoke at. I had not heard of Hivint at the time but it very quickly became apparent that it would be a cool place to work — so I kept it in mind and was excited when I saw them advertise for a graduate role.

The past 6 months on the Hivint team have been amazing! While I already had industry experience, this was my first consulting role and I had to very quickly learn how to manage my time across clients and get up to speed with the IT infrastructure of each client that I was working at. I also quickly found out that it’s not just the technical skills that are important — you need to be a great communicator and take the time to understand each individual client’s business so that you can tailor a solution for them.

My advice to students looking to enter the industry is to network with others and immerse yourself in the field. We are lucky that there are so many high quality free security meetups around the place — make the time to attend the ones that look interesting to you and have a chat to the people there. Follow up by doing your own research on anything that sounded interesting during the meetup, as well as joining in on relevant CTF events. Security people are happy to share the knowledge around and the best way for a student to learn outside of university is to be active in the community, attend relevant meetups and engage with the experts.

How does one spark an interest in cyber security among high school girls?

Hivint Security Consultant Esther Lim describes her experiences running a workshop for a group of female high school students on penetration testing in order to pique their interest in cyber security.


According to a recent study conducted by Intel Security, Australia is currently facing a massive shortage of cyber security skills which is set to widen [1]. To address and to close the gap requires not only the introduction of more ‘hands on’ learning approaches — it also necessitates a more diverse workforce.

In this context, the Go Girls, Go For IT event was held on August 16, 2016 and is an event that is held biennially at Deakin University. The purpose of this event is to promote the exciting jobs available in Information Technology as a career option for women. Having been a volunteer with the communications team, I was privileged to be chosen to speak to a group of very keen high school girls about my career in and passion for cyber security.

A key question I had to consider in addressing the audience was this: how do I make something like penetration testing fun for high school girls? Do I speak about my transition from high school to university and then to my role as a penetration tester at Hivint? Perhaps not; there are already a myriad of inspirational women who were going to be sharing their journey into the IT industry at the event itself.

So, there I was, staring at the first page of my presentation aptly titled: “Hacking Your Way to A Career In Cybersecurity”. According to studies by researchers, the average human attention span has fallen from 12 seconds 16 years ago to a mere 8 seconds today [2], and that rules out a long PowerPoint presentation! On reflection, I knew there was a better way to pique these girls’ interest in penetration testing — so I decided to replace my classroom presentation with an engaging, hands-on interactive workshop entitled “This is why you never use free WIFIs at Maccas”.

Why was that used as an example? In a Facebook, Pokémon GO, Snapchat-focused society, our short attention spans mean people most effectively learn by doing. Teaching cyber security — or any IT subject — to students can be hard if an interest has not quickly been sparked.

With their school teacher in tow, I invited the entire class to do a bit of penetration testing from my laptop. The “ooohs” and “aaahhs” validated my perception that people do learn and are inspired when they are engaged and actively involved in the subject matter. Questions were asked about penetration testing, jokes were made, minds were enlightened, and the class’s interest sparked. I was proud to know that I had gone some way to sowing a seed in these girls’ minds about the importance of cyber security — many who will one day become leaders in our society, and be key members in the ongoing mission to keep individuals, businesses and nations secure against cyber attacks.


Esther Lim is a technical specialist at Hivint, delivering penetration testing services to a diverse range of clients. Esther also helps adapt resources for the Security Colony (www.securitycolony.com) cyber security collaboration portal — you can get started with a free account, so come and sign up today at https://portal.securitycolony.com/Register.

Australia’s Cyber Security Strategy — The Pixie Dust We Need?

Boom! And there we have it, the first reasonably coherent cyber security strategy for the country in almost 7 years. I thought I’d take the opportunity to put down on paper some initial thoughts.


For context, in the time between our last Strategy (2009) and this Strategy (2016), a few things transpired:

But let’s not dwell on the past. We are looking at a golden age of innovation and creativity and perhaps cyber security can get access to some of the pixie dust previously reserved for mining and semi-viable heavy industrial industries.

The Strategy is genuinely a positive step. It makes some reasonably solid (and hence measurable) commitments, hits some of the genuine issues of the industry like skills, the need for innovation, and the need for collaboration, and is significantly more pragmatic than the 2009 treatise on the allocation of responsibility across the many and varied government agencies with a stake in this. That said, the devil, as always, will be in the detail, and how this stuff gets rolled out will make all the difference and will determine if this is a great step forward, or we continue to flail about.

Cyber Security Growth Centre

At first glance this sounds like a great idea, but the more I think about it, the more I don’t understand the need. That’s not to say I don’t understand the need for the funding and the value, importance and opportunity associated with building out a significant cyber security industry for Australia’s economy… As I noted above, everyone in our industry looks to Israel as the shining light here, and there’s no question there’s a big global market if we can make it work.

Perhaps this is a philosophical argument, but does “streamlining governance” mean creating new organisations (as it does in this case) or does it mean making the existing organisations (of which there are admittedly many) operate smoothly together? Perhaps it’s a bit of both, but then is that really streamlining?

Commercialisation Australia programs already exist which would seem to have a very similar focus (albeit not dedicated to cyber security) — and have already invested in Australian cyber security companies like Quintessence Labs and TokenOne. The associated ‘Expert Network’ also has cyber security professionals involved (such as myself; and for clarity, this program is unpaid so there’s no commercial interest in me spruiking its existence) to help guide relevant companies. A specific focus on cyber security would be fantastic, but wouldn’t re-using existing approaches ensure:

  1. A faster time to market; and
  2. A reduced likelihood of the whole thing being a stuff up?

There are a huge number of aims and objectives of the Cyber Security Growth Centre listed in the Strategy, and I’d certainly hate to be the one having to be accountable for starting with a blank sheet of paper and doing everything from coordinating business-government-academia interaction, to cross-sector coordination, to skills development, to international market access support, to government policy advice, to ‘providing tertiary students with hands on experience… before they graduate’. All for $30 Million over a few years. Uh huh.

Again, to be clear, none of this stuff is a bad idea. It will all definitely help and certainly Hivint will be doing what we can to get involved all over the place. But as it currently stands, far from clarifying who does what, it’s added a whole heap of legitimate problems into a blender and poured out a Growth Centre smoothie. Hopefully it will become clearer as more detail becomes available.

Health Checks

The “national voluntary Cyber Security Governance ‘health checks’ to enable boards and senior management to better understand their cyber security status” are a good idea, but then they were a good idea the first time around (everyone remembers the Computer Network Vulnerability Assessment program, right?)

Admittedly, they’re not exactly the same — CNVA seemed a more technical assessment, whereas the ‘health check’ concept seems more governance-driven — but hopefully the model used will avoid the pitfalls that ultimately rendered CNVA a non-starter in most Boardrooms. The big one: the perception that if you’re taking Government funding, you need to share the dirty-laundry-esque outcomes of the assessment with them.

I mean, seriously, we’re talking ASX 100 here. The smallest one today has a market cap of over $1.4 Billion. Funding should not be the issue.

Benchmarking, on the other hand, would be great, and sounds like it is going to be included. The data — both qualitative and quantitative — in our industry is truly woeful. Hopefully the approach adopted here will build on the work already done — such as the guidance towards the NIST Cyber Security Framework included in the ASIC Cyber Resilience: Health Check document.

Security Assessments for Small Business

Having been in cyber security consulting for close to 20 years now, I like to think I have a pretty good understanding of the market, both from the supply side and the demand side, and it is definitely the case that the ‘supply side’ of providing cyber security services to SMEs is a graveyard of firms with good intentions. It is simply very difficult to provide the customised level of services required by a client, when operating in a low value — high volume delivery model necessary for SME-targeted services to work.

ABC News last night referred to this as a $15 Million program. I can’t find that number in the strategy itself, but I’m sure it comes from somewhere reliable. Assuming it is, that’s about $4 million / year over 4 years (since everything seems to be expressed as 4 year investment periods these days), which is the revenue of a fairly small cyber-security consulting firm with about 15–20 staff; so that’s basically what we’re funding here. Let’s be generous and say 20 consultants, working full time, so 200 days / year each, so a total of about 4,000 days of delivery.

It’s hard to see anything meaningful being generated for an SME in under a day and probably 2–3 days is more realistic, so the number of companies able to be serviced each year under the program is probably in the 1,300–2,000 range. Which is certainly non-trivial, but is also not exactly addressing the scale of the problem given we have 2,000,000-ish SMEs in Australia according to the ABS. Obviously not all of them will have a cyber security “problem” to solve, but it’s still a pretty big discrepancy.

Ultimately the answer here is to tie this to the R&D initiatives and spend a reasonable portion of that $15M on developing a methodology and system as automated as possible to speed up the delivery of these, while continuing to recognise that it is going to require human intervention and expertise of consultants. This can’t become the IT equivalent of the pink batts program, paying dodgy operators $5K a throw to run Nessus over their local plumber’s Yellow Pages listing.

Industry Accreditation

The Strategy seems to double-down on the CREST approach, suggesting at one point that it could be extended beyond testing services. Which seems interesting given the REST in CREST is — by definition — for “Registered Ethical Security Testers”. But why let that get in the way. If all you’ve got is a hammer, everything looks like a nail.

It will be interesting to see whether the Government really does attempt to “pick a winner” in this market despite avoiding it in the past — and which I’m sure will piss off the many and varied other accreditation programs no end — or whether CREST necessarily has to build in a stronger cross-recognition process to acknowledge the breadth of market offerings available.

Fortunately though, we seem to have steered clear of any suggestion we need a “licensing” program for cyber security professionals. The longer we can avoid that albatross around our necks, the better.

Threat Sharing & Collaboration

It’s great that the strategy now commits to “strengthen trusted partnerships with the private sector for the sharing of sensitive information on cyber threats, vulnerabilities and their potential consequences.”

Wait, sorry, that was the 2009 strategy.

Now we’re saying that “organisations, public and private, must work together to build a collective understanding of cyber threats and risks through a layered approach to cyber threat sharing.”

Either way, it’s still true, and it’s still necessary.

But it’s not enough. Why limit sharing to threat information? Which is why we’ve built Security Colony (www.securitycolony.com) as the first — and only — cyber security collaboration platform in Australia. Here is the one pitch I’ll make in this article: For under $300 / month (and you can trial it for free), you can get access to virtually all the output, from our entire consulting team, country-wide.

You can get an entire Information Security Management System that we were paid $100K to develop.

You can get entire security architecture documents that we were paid $40K to develop.

You can get incident response planning guides that we were paid $50K to develop.

And over 100 other documents that add up to over $2 million in value. It’s all derived from real-world consulting projects, paid for by real Australian clients.

You can save tens, or hundreds, of thousands of dollars through subscribing and re-using these materials. Check it out: it’s free. www.securitycolony.com

Timing

Given we’re all expecting an election to be called in a couple of weeks’ time, and the Government then goes into caretaker mode, is all this stuff effectively on ice until at least July (assuming the current Government is returned) or maybe September (if there’s a change of Government, with the new lot invariably wanting to make their mark by changing the curtains)?

Summary

So there it is. Some initial thoughts on the strategy in the context of the various initiatives we’ve seen come and go in the past. A lot of really good ideas, and really valuable initiatives, provided they are well executed. Hopefully we see a speedy implementation, and the outcomes match the promises.

Oh, and if anyone knows whether the Cyber Ambassador role comes with diplomatic immunity, let me know. It would be sweet to not have to worry about pesky traffic laws.

By Nick Ellsmore, Chief Apiarist at Hivint. For more of Hivint’s latest cyber security research, as well as to access our extensive library of re-usable cyber security resources for organisations, visit Security Colony.

The Growth of the Business Email Scams Threat

In the last year, there has been a trend towards the commission of payment scams that target employees of companies by attempting to convince them to transfer money to cyber criminals. Commonly referred to as business email compromise (BEC) scams, they generally involve scammers sending emails that appear to come from senior staff at an organisation (hence sometimes being referred to as “CEO fraud”) and requesting that a sum of money be transferred to a third party’s bank account (controlled by the scammers). Brian Krebs has written about these attempts in his blog, here and here. According to the Federal Bureau of Investigation (FBI), these scams have generated reported losses of $1.2 billion internationally between October 2013 and August 2015.

Two recent examples of these scams reported to us by our clients demonstrate the different types of organisations that can be targeted by these scams.


The first scam described below targeted a sporting club and demonstrates how a business email scam can be executed in a relatively simple and innocuous fashion. The second is an example of a slightly more complex version targeted at a financial technology company that required more effort to execute, and which ultimately needed execution of the company’s incident response plan to investigate and resolve the incident.

Case Study — A Sports Club is Targeted

The first business email scam targeted a small sporting club that had published the contact details and roles for all of its board members on its website. This meant the scammer had to exercise a minimum amount of effort in order to craft the scam — all the contact details and roles for the board members were clearly available. Initial contact was made by the scammer via email (posing as the President) to the Treasurer, John, to start the conversation.


In this case, the Treasurer became suspicious and was quick-thinking enough to call the President to seek verbal confirmation of the transfer request. This gave the game away and revealed that the club was being scammed.

Hivint was contacted to provide further analysis and advice on the email scam, as the club staff members who were targeted in the scam were unsure if the scam indicated a system compromise or similar. Once the emails were received, a simple check of the email headers (below) of the original email identified the ruse.


As the email headers reveal, the “Authenticated sender” — the scammer’s real sending account — was different from the address shown in the actual email. A Google search shows [email protected] to have been used before in scams.

In addition, the “Reply-To” address of [email protected] did not actually belong to the club’s President, and directed the target’s response to an email address controlled by the scammer. A check of the return email address when responding would also have given this away.

The Second Scam — A Financial Technology Company

The next occurrence of a business email scam that Hivint was made aware of came from a financial technology company we work with. They had received a phishing email similarly requesting money from the financial team.

This attempt took more effort as the scam clearly involved more research and customisation by the scammer.

While the content of the email was consistent with most business email scams (see below), there were some distinguishing features which contributed to the scam almost being successful.


In this case, the attacker registered a domain name very similar to the target business’s — an extra letter was added to the domain name, e.g. www.domain.com was registered as www.domaiin.com. This meant that the reply-to address closely resembled an email address on the company’s actual registered domain, making the scam hard to detect without more than a cursory examination of the reply-to address.

Analysis

There are a number of attacks which are high volume/low value. For example, attempting to force payment through CryptoLocker only works if the price is within the victim’s “pain point” or ability to pay. The business email scam, however, has no force behind the request for payment. The scam only works if the victim doesn’t know they’re getting scammed. And this takes effort, which means that the payoff has to be worth it for the perpetrator.

Even spending a few weeks on researching a victim and crafting an attack for a five figure payout would still be highly profitable for a scammer, and a growing $1.2 billion pot of money derived from these scams shows that they can be lucrative.

That there is continuing growth in these scams demonstrates that this threat is worth countering, and there are some fairly basic steps to undertake should you want to reduce the risk of these types of attacks occurring at your company, and the likelihood that they will be successful.

Recommendations

Exercise proper security hygiene to protect your online identity.

Don’t publish the contact details and position names of specific staff in publicly accessible places on the internet, particularly staff with payment-related responsibilities. Instead, use an email form that sends to a generic email address — [email protected] — and distribute emails to relevant personnel from there.

Separation of Duties

Should a request come to an individual for payment of a sum of money (whether for an invoice or otherwise), a check should be made that the payment is in fact legitimate (e.g. through verbal confirmation, or confirmation there is an associated Purchase Order number or invoice) and approved by a relevant authority.
Basically, no business processes should fundamentally tie the receipt of an email with a money transfer.

Security Awareness

Ensure education on email scams is included in your organisational security awareness program.

Check your registered domains

Andrew Horton’s URLCrazy (included in Kali Linux) can be used to keep an eye on domains registered with names similar to your business’s domain.
Buy the domains that you can, and consider blocking emails from similar domains already registered, or generating an alert should an email arrive from these domains.

And Finally

Remember, if something about an email doesn’t seem right, making simple checks that you’re corresponding with a legitimate sender will go a long way to ensure you are not defrauded. In particular:

  • Double check whom you’re actually responding to — if the reply address for the email is different once you’ve hit “reply” then it may have been sent by a scammer. If the email looks legitimate, then check the spelling of the email address to ensure the domain name is not misspelt.
  • Contact the purported sender of the email using a known telephone number (i.e. not a contact number given in the email) before executing any money transfers. Even if an attacker has gone out of their way not to just spoof an email address, but has control of your entire IT environment, using an “out-of-band” method to contact the legitimate person can help verify the authenticity of the email.
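
The two header clues from the case studies (a Reply-To that diverges from the visible From, and an authenticated sender on a different domain) and the lookalike-domain check recommended above, as an added Python example that is not Hivint’s code and is not URLCrazy: the helper names, domains, addresses and the three sample messages are constructed for illustration, and the variant generator is only a small stand-in for the kind of list URLCrazy produces.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Exim-style "(Authenticated sender: user@host)" clause inside a Received header.
AUTH_SENDER_RE = re.compile(r"Authenticated sender:\s*([^\s()]+)", re.I)

# A few look-alike substitutions a reader may not notice at a glance.
SUBSTITUTIONS = {"i": ("l",), "l": ("i", "1"), "o": ("0",), "m": ("rn",), "w": ("vv",)}


def lookalike_domains(domain: str) -> set:
    """Return typo-style variants of `domain`: doubled letter, dropped letter,
    adjacent swap and look-alike substitutions. A minimal stand-in for the kind
    of list URLCrazy produces (not its algorithm); assumes a single-label TLD."""
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + ch + name[i:])                        # domaiin
        variants.add(name[:i] + name[i + 1:])                         # domin
        if i + 1 < len(name):
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # dmoain
        for sub in SUBSTITUTIONS.get(ch, ()):
            variants.add(name[:i] + sub + name[i + 1:])               # dornain
    variants.discard(name)
    return {v + "." + tld for v in variants if v}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def check_message(raw: bytes, legit_domain: str) -> list:
    """Run the checks on one raw RFC 5322 message and return warning strings.
    A hit is a prompt for out-of-band confirmation (a call to a known number),
    not proof of fraud: mailing lists, for instance, legitimately set Reply-To."""
    msg = message_from_bytes(raw, policy=policy.default)
    legit_domain = legit_domain.lower()
    suspects = lookalike_domains(legit_domain)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    warnings = []
    # 1. Replies would go somewhere other than the visible sender (sports club case).
    if reply_addr and reply_addr != from_addr:
        warnings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # 2. Visible sender or reply address is a typo-squat of our domain (fintech case).
    for label, addr in (("From", from_addr), ("Reply-To", reply_addr)):
        if addr and _domain(addr) in suspects:
            warnings.append(f"{label} domain {_domain(addr)} looks like {legit_domain}")
    # 3. The account that submitted the mail is not on the From domain (header clue).
    for received in msg.get_all("Received", []):
        m = AUTH_SENDER_RE.search(str(received))
        if m and _domain(m.group(1)) != _domain(from_addr):
            warnings.append(f"Authenticated sender {m.group(1)} is not on the From domain")
    return warnings


# Constructed samples loosely modelled on the two cases above (all domains fictitious).
CLUB_MSG = b"""\
Received: from mail.freemail.example (mail.freemail.example [192.0.2.10])
 by mx.club.example with ESMTPSA id 1 (Authenticated sender: bigwin2017@freemail.example);
 Mon, 9 Jan 2017 09:12:00 +1100
From: "Club President" <president@club.example>
Reply-To: president.club@freemail.example
To: "John" <treasurer@club.example>
Subject: Urgent transfer

John, are you at your desk? I need a payment made today.
"""

FINTECH_MSG = b"""\
From: "The CEO" <ceo@fintech.example>
Reply-To: "The CEO" <ceo@finteech.example>
To: payments@fintech.example
Subject: Invoice for immediate payment

Please process the attached invoice this afternoon and confirm by reply.
"""

LEGIT_MSG = b"""\
Received: from laptop.club.example (laptop.club.example [192.0.2.20])
 by mx.club.example with ESMTPSA id 2 (Authenticated sender: president@club.example);
 Mon, 9 Jan 2017 11:30:00 +1100
From: "Club President" <president@club.example>
To: treasurer@club.example
Subject: Next committee meeting

Agenda attached.
"""

if __name__ == "__main__":
    for name, raw, domain in (("club", CLUB_MSG, "club.example"),
                              ("fintech", FINTECH_MSG, "fintech.example"),
                              ("legit", LEGIT_MSG, "club.example")):
        print(name, check_message(raw, domain) or ["no warnings"])
```

The same `check_message` can be run over a mailbox export, or the lookalike set fed to a mail gateway block or alert rule as the recommendation above suggests.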

And finally, should you still fall victim to a payment scam, contact your financial institution as soon as possible.

By Ben Waters, Senior Security Advisor at Hivint. For more of Hivint’s latest cyber security research, as well as to access our extensive library of re-usable cyber security resources for organisations, visit Security Colony.

The Cloud Security Challenge

As the use of cloud services continues to grow, it’s generally well accepted that in most cases reputable service providers are able to use their economies of scale to offer levels of security in the cloud that match or exceed what enterprises can establish for themselves.


What is less clear is whether there are currently appropriate mechanisms available to enable an effective determination of whether the security controls a cloud service provider has in place are appropriately adapted to the needs of their various customers (or potential customers). There’s also a lack of clarity as to whether providers or customers should ultimately bear principal responsibility for answering this question.

These ambiguities are particularly highlighted in the case of highly abstracted public cloud services where the organisations using them have very little ability to interact with and configure the underlying platform and processes used to provide the service. In particular, the ‘shared environment’ these types of services offer creates a complex and dynamic risk profile: the risk to any one customer of using the service — and the risk profile of the cloud service as a whole — is inevitably linked with all the other customers using the service.

This article explores these issues in more detail, including why representations about the security of cloud services are likely to become an increasingly important issue.

Why it matters: regulators are starting to care about security

It is important to appreciate the regulatory context in which the growth in the use of cloud services is taking place. Specifically, there is evidence of an increasing interest by regulators and policymakers in the development of rules around cyber security related matters [2]. This includes indications of increased scrutiny regarding representations about cyber security that are made by service providers.

Two recent cases in the USA highlight this. In one instance, the Consumer Financial Protection Bureau (a federal regulator, similar to the Australian Securities and Investments Commission) fined Dwolla — an online payment processing company — one hundred thousand US dollars after it found Dwolla had made misleading statements that it secured information it obtained from its customers in accordance with industry standards [3].

Similarly, the US Federal Trade Commission recently commenced legal proceedings against Wyndham Worldwide, a hospitality company that managed and franchised a group of hotels. After a series of security breaches, hackers were able to obtain payment card information belonging to over six hundred thousand of Wyndham’s consumers, leading to over ten million dollars in losses as a result of fraudulent transactions.

The FTC alleged that Wyndham had contravened the US Federal Trade Commission Act by engaging in ‘unfair and deceptive acts or practices affecting commerce’ [4]. The grounds for this allegation were numerous, but included that Wyndham had represented on its website that it secured sensitive personal information belonging to customers using industry standard practices, when it was found through later investigations that key information (such as payment card data) was stored in plain text form.

The case against Wyndham was ultimately settled out of court, but demonstrates an increasing interest by regulators in representations made in relation to cyber security by service providers. It is not inconceivable that similar action could be taken in Australia if corresponding circumstances arose, given the Australian Competition and Consumer Commission’s powers to prosecute misleading and deceptive conduct under the Australian Consumer Law [5].

While the above cases do not apply to cloud service providers per se, they serve as examples of the increasing regulatory interest that is likely to be given to issues that relate to cyber security. Indeed, while regulatory regimes around cyber security issues are still in relatively early stages of development, it is feasible to expect that cloud providers in particular will come under increased scrutiny due to their central role in supporting the technology and business functions of a high number of customers from multiple jurisdictions.

There is also a strong likelihood that this scrutiny will extend to the decisions made by customers of cloud providers. In Australia, for example, if a company wishes to store personal information about its customers on a cloud service provider’s servers overseas, it would (subject to certain exceptions) need to take reasonable steps to ensure the cloud provider did not breach the Australian Privacy Principles in the Privacy Act 1988 in handling the information. Among other things, this would include ensuring that the cloud provider took reasonable steps to secure the information [6]. Similarly, data controllers (and data processors) in the EU will be required under the new Data Protection Regulation to ensure that appropriate technical and organisational measures are in place to ensure the security of personal data [7].

The question then arises as to how cloud service providers and their customers are supposed to make sure they take appropriate steps to ensure they meet their responsibilities in assuring the security of cloud services in the context of a nascent and still developing regulatory environment. At first glance, the solution to the problem appears simple — benchmarking a cloud service against industry security standards. As discussed below, however, there are significant challenges with this approach.

The problem with benchmarking cloud security against industry standards

Many cloud service providers point to certification against standards such as ISO 27001:2013, ISO 27017, ISO 27018 (from a privacy perspective), the Cloud Security Alliance’s STAR program, or obtaining Service Organisation Control 2 / 3 reports as demonstration that their approach to security aligns with best practice. This is in addition to the option of undertaking government accreditation programs, such as IRAP in Australia or FedRAMP in the USA, avenues which some providers also pursue.

While this seems a logical approach, public cloud services and the shared environments they introduce create some unique considerations from a security perspective that complicate matters. Specifically, the potential security risk to any one customer of using these shared environments is inevitably closely intertwined with, and varies based on:

  • their own intended use of the service; and
  • the security risks associated with all other clients using the cloud service [8].

As a result, any assessment of a cloud service provider’s security inevitably reflects its risk profile at a specific point in time, even though the risks facing the provider may since have changed as its customer base has changed. To illustrate this point, consider the hypothetical case study below.

Case study

X is a public cloud service provider that has been in business for a few years, and provides remote data storage services. X has primarily marketed itself to small businesses which make up the bulk of its customer base, and offers a highly abstracted cloud service with customers having little visibility of and ability to customise the underlying platform.

Those organisations have not stored particularly sensitive information on X’s servers. X has nevertheless obtained ISO 27001:2013 certification during this period — which includes a requirement that the cloud provider implement a risk assessment methodology and actually conduct a risk assessment of its service on a periodic basis [9].

X is then approached by a large multi-national engineering firm, who wants to store highly sensitive information regarding key customers in the cloud to reduce its own costs. The firm wishes to engage a public cloud provider that is ISO 27001:2013 compliant and notices X meets this requirement.

X is planning to conduct a risk assessment to review its current risk profile in 3 months. However, its current set of security controls — against which it obtained ISO 27001 certification — has been designed to address the level of risk associated with customers who use its cloud services to store relatively insensitive data.

The engineering firm is unaware of this and engages X, despite the fact that X’s security controls may not be appropriately adapted to meet its requirements.

As this case study illustrates, whether it’s appropriate for an organisation to engage a cloud provider from a security perspective isn’t a question that can be answered purely by reference to whether the provider has been deemed compliant with certain standards. The underlying assumptions upon which the cloud provider’s compliance was determined — and whether those assumptions still hold true — are just as important. And yet in many circumstances it is unlikely (and impractical to expect) that the key documents that reveal those assumptions (such as risk registers and treatment plans) will be made available publicly by cloud service providers so that customers can undertake these investigations. And even if this information can be made available, the customer first has to have the security maturity and awareness to know to ask for such documents, and be able to perform the required assessment.

Responsibility for cloud security — a two-way street

Given the limited utility of industry standards in assuring the security of cloud services, and the potential relevance of regulatory responsibilities that could apply to both service providers and their customers, the most reasonable argument is that both parties have a role to play in establishing that a particular cloud service offers an appropriate level of security. While it is difficult to define the precise scope of those responsibilities in the context of a nascent regulatory landscape, this article offers some guidance below.

Customers of cloud services

Customers need to make sure they conduct a sufficient level of due diligence prior to using a cloud service to ensure that its design is appropriately adapted to meet their needs from a security perspective. In particular, they should consider the following:

  • Does the cloud service create a high degree of abstraction from the underlying platform (public cloud services, for example, often have a high level of abstraction where users have very limited — if any — ability to configure the underlying platform)? If so, this may mean the service is less suited to more sensitive uses where a high degree of control by the customer is required.
  • Is the use of a shared IT environment — in which the risk profile of the cloud service as a whole varies dynamically as its customer base changes — appropriate?
  • Are the security controls put in place by the cloud provider appropriate to satisfy the organisation’s intended use of the service?
  • Does the cloud provider make available details of security risk assessments and risk management plans?
  • Are there any other considerations that may have a bearing on whether using the cloud service is appropriate (e.g. a regulatory requirement or a strong preference to have the data stored locally rather than overseas)?

Generally speaking, the higher the level of sensitivity and criticality associated with the planned uses of a cloud service, the more cautious a customer needs to be before making a decision to use a service offered in a shared environment. If the choice is still made to proceed (as opposed to using a private cloud, for example), the reasons for this decision should be documented and subject to appropriate executive sign-off and oversight (as well as regular review). This will prove particularly valuable in case the decision is scrutinised by external bodies (e.g. regulators) at a later date [10].

Cloud service providers

It is important that cloud providers are transparent with their customers about the security measures they have in place throughout the period of the engagement. While representing that the cloud service is certified against particular industry benchmarks is useful to some extent, the cloud provider should also provide its own information to customers as to the specific security controls it does — and doesn’t — have in place, and the level of risk those controls are designed to address. In addition, cloud providers should be proactive about informing their customers where circumstances have arisen that result in a material change to their risk profile.

Providing this information is important to enable potential customers of cloud services to ascertain whether use of the service is appropriate for their needs.

Conclusion

Clearly, the shift towards the use of cloud services is now well established. This is not a problem in and of itself. However, while regulatory expectations around cyber security are still being established, organisations need to ensure that they choose a cloud service provider only after first carefully considering what their requirements are and whether the cloud service offers an approach to security and a risk profile that is adapted to their needs. Service providers need to facilitate this process as best they can through a transparent dialogue with their customers about their approach to security and their risk profile.

By Arun Raghu, Cyber Research Consultant at Hivint. For more of Hivint’s latest cyber security research, as well as to access our extensive library of re-usable cyber security resources for organisations, visit Security Colony.

  1. Note this write up focuses less on dedicated cloud environments (e.g. private cloud arrangements), where these complexities are largely avoided because a service can be customised and secured with a specific focus on a particular customer.
  2. This article does not cover this in detail, but examples include the development of the Network Information and Security Directive in the EU; the rollout of Germany’s IT Security Act; the ongoing discussions around legislated cyber security information sharing frameworks in the USA; and the proposal in late 2015 to amend Australia’s existing Telecommunications Act 1997 to include revised obligations on carriers and service providers to do their best to manage the risk of unauthorised access and interference in their networks, including a new notification requirement on carriers and some carriage service providers to notify of planned changes to networks that may make them vulnerable to unauthorised access and interference.
  3. See the regulator’s findings for details.
  4. See the FTC site for additional details on the Wyndham case.
  5. See section 18 of Schedule 2 of the Competition and Consumer Act 2010.
  6. See in particular Australian Privacy Principles 8 and 11.
  7. See Article 30 of the proposed text for the EU’s General Data Protection Regulation.
  8. The risks introduced by other clients of the cloud service may vary depending on the sector(s) in which they operate and their potential exposure to cyber-attacks as well as their intended use of the service.
  9. See in particular section 6.1 of the ISO 27001:2013 standard.
  10. A relevant consideration that may also be taken into account by regulators or other external bodies is what would reasonably be expected by an organisation of the same type in the same industry before engaging a cloud service provider — this would help ensure that unreasonable levels of due diligence are not expected of organisations with limited resources, for example.