Hivint Security Consultant Esther Lim describes her experiences running a workshop for a group of female high school students on penetration testing in order to pique their interest in cyber security.
According to a recent study conducted by Intel Security, Australia is currently facing a massive shortage of cyber security skills, and that shortage is set to widen. Addressing and closing the gap requires not only the introduction of more ‘hands on’ learning approaches; it also necessitates a more diverse workforce.
In this context, the Go Girls, Go For IT event was held on August 16, 2016 and is an event that is held biennially at Deakin University. The purpose of this event is to promote the exciting jobs available in Information Technology as a career option for women. Having been a volunteer with the communications team, I was privileged to be chosen to speak to a group of very keen high school girls about my career in and passion for cyber security.
A key question I had to consider in addressing the audience was this: how do I make something like penetration testing fun for high school girls? Do I speak about my transition from high school to university and then to my role as a penetration tester at Hivint? Perhaps not; there are already a myriad of inspirational women who were going to be sharing their journey into the IT industry at the event itself.
So, there I was, staring at the first page of my presentation, aptly titled “Hacking Your Way to A Career In Cybersecurity”. According to studies by researchers, the average human attention span has fallen from 12 seconds 16 years ago to a mere 8 seconds today, and that rules out a long PowerPoint presentation! On reflection, I knew there was a better way to pique these girls’ interest in penetration testing, so I decided to replace my classroom presentation with an engaging, hands-on interactive workshop entitled “This is why you never use free Wi-Fi at Maccas”.
Why was that used as an example? In a Facebook, Pokemon GO and Snapchat-focused society, our short attention spans mean people learn most effectively by doing. Teaching cyber security, or any IT subject, to students can be hard if an interest has not quickly been sparked.
With their school teacher in tow, I invited the entire class to do a bit of penetration testing from my laptop. The “ooohs” and “aaahhs” validated my perception that people do learn and are inspired when they are engaged and actively involved in the subject matter. Questions were asked about penetration testing, jokes were made, minds were enlightened, and the class’s interest was sparked. I was proud to know that I had gone some way to sowing a seed in these girls’ minds about the importance of cyber security; many of them will one day become leaders in our society, and be key members in the ongoing mission to keep individuals, businesses and nations secure against cyber attacks.
Esther Lim is a technical specialist at Hivint, delivering penetration testing services to a diverse range of clients. Esther also helps adapt resources for the Security Colony (www.securitycolony.com) cyber security collaboration portal. You can get started with a free account, so come and sign up today at https://portal.securitycolony.com/Register
Boom! And there we have it, the first reasonably coherent cyber security strategy for the country in almost 7 years. I thought I’d take the opportunity to put down on paper some initial thoughts.
For context, in the time between our last Strategy (2009) and this Strategy (2016), a few things transpired:
Facebook released the “Like” button. Well, technically that was in February 2009, but it’s still a useful social reference point to date the previous Strategy document’s external environment. Instagram, Pinterest, Google+ started in 2009 or later. The first consumer Android smartphone was less than a year old (released October 2008). The cloud computing market has almost quadrupled in size.
But let’s not dwell on the past. We are looking at a golden age of innovation and creativity and perhaps cyber security can get access to some of the pixie dust previously reserved for mining and semi-viable heavy industrial industries.
The Strategy is genuinely a positive step. It makes some reasonably solid (and hence measurable) commitments, hits some of the genuine issues of the industry like skills, the need for innovation, and the need for collaboration, and is significantly more pragmatic than the 2009 treatise on the allocation of responsibility across the many and varied government agencies with a stake in this. That said, the devil, as always, will be in the detail, and how this stuff gets rolled out will make all the difference and will determine if this is a great step forward, or we continue to flail about.
Cyber Security Growth Centre
At first glance this sounds like a great idea, but the more I think about it, the more I don’t understand the need. That’s not to say I don’t understand the need for the funding and the value, importance and opportunity associated with building out a significant cyber security industry for Australia’s economy… As I noted above, everyone in our industry looks to Israel as the shining light here, and there’s no question there’s a big global market if we can make it work.
Perhaps this is a philosophical argument, but does “streamlining governance” mean creating new organisations (as it does in this case) or does it mean making the existing organisations (of which there are admittedly many) operate smoothly together? Perhaps it’s a bit of both, but then is that really streamlining?
Commercialisation Australia programs already exist which would seem to have a very similar focus (albeit not dedicated to cyber security) — and have already invested in Australian cyber security companies like Quintessence Labs and TokenOne. The associated ‘Expert Network’ also has cyber security professionals involved (such as myself; and for clarity, this program is unpaid so there’s no commercial interest in me spruiking its existence) to help guide relevant companies. A specific focus on cyber security would be fantastic, but wouldn’t re-using existing approaches ensure:
A faster time to market; and
A reduced likelihood of the whole thing being a stuff up?
There are a huge number of aims and objectives of the Cyber Security Growth Centre listed in the Strategy, and I’d certainly hate to be the one having to be accountable for starting with a blank sheet of paper and doing everything from coordinating business-government-academia interaction, to cross-sector coordination, to skills development, to international market access support, to government policy advice, to ‘providing tertiary students with hands on experience… before they graduate’. All for $30 Million over a few years. Uh huh.
Again, to be clear, none of this stuff is a bad idea. It will all definitely help and certainly Hivint will be doing what we can to get involved all over the place. But as it currently stands, far from clarifying who does what, it’s added a whole heap of legitimate problems into a blender and poured out a Growth Centre smoothie. Hopefully it will become clearer as more detail becomes available.
Admittedly, they’re not exactly the same — CNVA seemed a more technical assessment, whereas the ‘health check’ concept seems more governance-driven — but hopefully the model used will avoid the pitfalls that ultimately rendered CNVA a non-starter in most Boardrooms. The big one: the perception that if you’re taking Government funding, you need to share the dirty-laundry-esque outcomes of the assessment with them.
Benchmarking, on the other hand, would be great, and sounds like it is going to be included. The data — both qualitative and quantitative — in our industry is truly woeful. Hopefully the approach adopted here will build on the work already done — such as the guidance towards the NIST Cyber Security Framework included in the ASIC Cyber Resilience: Health Check document.
Security Assessments for Small Business
Having been in cyber security consulting for close to 20 years now, I like to think I have a pretty good understanding of the market, both from the supply side and the demand side, and it is definitely the case that the ‘supply side’ of providing cyber security services to SMEs is a graveyard of firms with good intentions. It is simply very difficult to provide the customised level of services required by a client, when operating in a low value — high volume delivery model necessary for SME-targeted services to work.
ABC News last night referred to this as a $15 Million program. I can’t find that number in the strategy itself, but I’m sure it comes from somewhere reliable. Assuming it is, that’s about $4 million / year over 4 years (since everything seems to be expressed as 4 year investment periods these days), which is the revenue of a fairly small cyber-security consulting firm with about 15–20 staff; so that’s basically what we’re funding here. Let’s be generous and say 20 consultants, working full time, so 200 days / year each, for a total of about 4,000 days of delivery.
It’s hard to see anything meaningful being generated for an SME in under a day and probably 2–3 days is more realistic, so the number of companies able to be serviced each year under the program is probably in the 1,300–2,000 range. Which is certainly non-trivial, but is also not exactly addressing the scale of the problem given we have 2,000,000-ish SMEs in Australia according to the ABS. Obviously not all of them will have a cyber security “problem” to solve, but it’s still a pretty big discrepancy.
Ultimately the answer here is to tie this to the R&D initiatives and spend a reasonable portion of that $15M on developing a methodology and system as automated as possible to speed up the delivery of these, while continuing to recognise that it is going to require human intervention and expertise of consultants. This can’t become the IT equivalent of the pink batts program, paying dodgy operators $5K a throw to run Nessus over their local plumber’s Yellow Pages listing.
The Strategy seems to double down on the CREST approach, suggesting at one point that it could be extended beyond testing services. That seems interesting given the REST in CREST is, by definition, for “Registered Ethical Security Testers”. But why let that get in the way? If all you’ve got is a hammer, everything looks like a nail.
It will be interesting to see whether the Government really does attempt to “pick a winner” in this market despite avoiding it in the past — and which I’m sure will piss off the many and varied other accreditation programs no end — or whether CREST necessarily has to build in a stronger cross-recognition process to acknowledge the breadth of market offerings available.
Fortunately though, we seem to have steered clear of any suggestion we need a “licensing” program for cyber security professionals. The longer we can avoid that albatross around our necks, the better.
Threat Sharing & Collaboration
It’s great that the strategy now commits to “strengthen trusted partnerships with the private sector for the sharing of sensitive information on cyber threats, vulnerabilities and their potential consequences.”
Wait, sorry, that was the 2009 strategy.
Now we’re saying that “organisations, public and private, must work together to build a collective understanding of cyber threats and risks through a layered approach to cyber threat sharing.”
Either way, it’s still true, and it’s still necessary.
But it’s not enough. Why limit sharing to threat information? That is why we’ve built Security Colony (www.securitycolony.com) as the first, and only, cyber security collaboration platform in Australia. Here is the one pitch I’ll make in this article: for under $300 / month (and you can trial it for free), you can get access to virtually all the output from our entire consulting team, country-wide.
You can get an entire Information Security Management System that we were paid $100K to develop.
You can get entire security architecture documents that we were paid $40K to develop.
You can get incident response planning guides that we were paid $50K to develop.
And over 100 other documents that add up to over $2 million in value. It’s all derived from real-world consulting projects, paid for by real Australian clients.
You can save tens, or hundreds, of thousands of dollars through subscribing and re-using these materials. Check it out: it’s free. www.securitycolony.com
Given we’re all expecting an election to be called in a couple of weeks’ time, and the Government then goes into caretaker mode, is all this stuff effectively on ice until at least July (assuming the current Government is returned) or maybe September (if there’s a change of Government, with the new lot invariably wanting to make their mark by changing the curtains)?
So there it is. Some initial thoughts on the strategy in the context of the various initiatives we’ve seen come and go in the past. A lot of really good ideas, and really valuable initiatives, provided they are well executed. Hopefully we see a speedy implementation, and the outcomes match the promises.
By Nick Ellsmore, Chief Apiarist at Hivint. For more of Hivint’s latest cyber security research, as well as to access our extensive library of re-usable cyber security resources for organisations, visit Security Colony.