The State of Security in Australia: HackSydney and BSides give insight into security post-Medibank and Optus
Cybersecurity in Australia has moved well and truly into the focus of the mainstream media and the everyday public. This year we saw two catastrophic security breaches with Optus, an Australian telecom provider, and Medibank, one of the largest health insurance providers in Australia. Both breaches saw huge amounts of customers' personal information accessed by cyber criminals and actively used in various different attacks on the public. The reaction from these breaches has been bigger than anyone might have anticipated just a year ago, not just in the cyber communities, but also in the extended population as you hear stories of people's life savings being stolen by criminals conducting phishing campaigns and stealing identities. I recently traveled to the land down under and checked out some of the leading security conferences to see just how this has changed the security landscape in Australia.
I was fortunate enough to be invited as a guest to speak at two leading technical security conferences in Australia, HackSyndey and BSides Sydney. These conferences gave a great insight into the state of cybersecurity in Australia and what we can learn from it.
The underlying issues of security in Australia
In 2021 one of the leading voices in cybersecurity in Australia, Alastair MacGibbon, told 60 Minutes that there would be catastrophic consequences if Australia didn’t take security more seriously. It appears that a year later, his prophecy came true.
“As we rely more and more on computers, as we stitch more of our lives and our economy and our society into technology, when that technology fails because of threat actor, it will have catastrophic consequences for us”
Not having been in Australia for many years I was curious about what had changed in the landscape and how it has been affected by recent events. What was clearly apparent is that the industry as a whole is under critical scrutiny, from within the security community extending to government and policymakers. This critical evaluation was best covered by Edward Farrell in his talk “A critical analysis of the Australian cybersecurity industry”. This talk called for a reevaluation of the security industry, from the shortage of skills to the incentives set up by security consultants. Many organizations in Australia rely heavily on security consultancy companies to fill the gaps organizations are missing internally. But Farrell, who owns a security consultancy, stated that the standard practices of MSPs have not been effective in solving the issues of security in Australia. He outlined that “The chaos in the industry means old models do not work………. the industry as a whole doesn’t have incentives to solve issues quickly when we are being paid by the hour”. He went on further to also challenge the reality of the skills shortage in Australia explaining that despite the hysteria, there isn’t a shortage of upper and middle management roles in security, the shortage lies almost entirely at the level of technicians who are not being incentivized or targeted by the same jobs campaigns. Whilst certainly provocative, it is extremely refreshing to hear people, within the security community, challenge how it is set up and outline some failings.
The future of Australian cybersecurity
It doesn’t take long talking to the people in attendance at security conferences in Australia to see that the community has really expanded with the mainstream reaction to security today. Something you don’t often see at community lead conferences is government personnel, partially from a federal level, but this was a welcome change this year. BSides Sydney which is run entirely by volunteers not only had government representatives in attendance but also leading the conversations with presentations. This included Venessa Ninovic who gave detailed presentations on the latest state of phishing campaigns and data analyst Harriet Farlow who gave compelling insights into how machine learning and AI are being used by attackers. But, government and security are also converging on another level in the form of tough legislation including a new proposed bill that will change the fines of privacy breaches from $2.2million to $50 million.
Another shift that is noticeable is the increased interest in technical conversations around securing infrastructure, in particular API security, and with recent history, it is no surprise. In the case of the Optus breach it was an unsecured API (completely open to the public) that was used to steal millions of customers' data, and in the case of Medibank, attackers used internal APIs to automate the theft of customer data. It will be no surprise then, that there were few seats to be found when API security was the topic being presented. One such talk by Jason Kent “IOCsin your APIs” really took us through a terrifying journey of API security, not just abusing API endpoints to gain data but also how more traditional criminals are using these to locate valuable items in stores to conduct smash and grab type crimes. In a particularly entertaining story, he detailed how they lured criminals into stealing $500 Dyson hair dryers from a store with police waiting for them, by altering data being abused via an API. A talk that was perfectly complimented by Jayesh Bapu Ahire from the HackSydney conference which looked at how to implement API security testing into the development cycle. This one was a clear favorite.
So what is the current state of security in Australia?
So after endless conversations and 50 presentations, what can we learn from HackSydney and BSides about the state of security in Australia? One thing that was clear is the model where organizations rely heavily on security consultancy companies has failed to provide adequate security coverage and adequate incentives to provide better services. But as a result, directly from the biggest security breaches in Australian history, organizations, the government, and the security community are bringing about change. There has been a shift in the attitude of security, the community has grown to include stakeholders previously in the wings and the appetite for technical content has grown. If I could put it in a sentence I would say the state of security in Australia is a state of action and change. Change from within the security community, changes in how organizations will be served by security consultancies, action from organizations to take charge of security, and action from the government to introduce legislation to hold to account those that refuse to take security seriously.