SURF 2015

VOLUME 9
APRIL 2015
ARE YOU
GAME FOR
03
A New Home for
Smart City
Innovations
10
Meet NCS partner, HOPE
Technik, a builder of highperformance engineering
solutions that soar in the air
and push new boundaries.
Now, they will complement
NCS to develop smart city
innovations.
The SURF@NCS facility
gives smart city living a jab
in the arm, with a living lab
to test-bed smart city
innovations. NCS also plans
to grow an eco-system of
partners, and to train talents
for a smart city.
05
When Cyber Security
Gets Too Hard
Southeast Asian companies
regularly attract the interest
of cyber spies and criminals,
and traditional security
technologies are no match
for the new generation of
threats. Learn about the
latest security threats and
how organisations should
respond.
09
Engineering
Commandos
12
No Organisation Is
Safe
What can stop the hackers
and cyber criminals from
infiltrating corporate
networks and stealing data?
Find out more about the
cyber security challenges
that IT heads face in today’s
connected world, and how
greater awareness and
managing risks are part of
the solution.
A Comprehensive
Approach
Find out how you can take a
proactive, layered approach
to cyber security by tapping
Singtel’s wealth of security
skillsets, experience and
resources.
FOLLOW US ON
surfnation.net
NCS Group
[email protected]
NCS is a member of the Singtel Group
RIDING THE NEXT WAVE OF SMART CITY INNOVATIONS
Riding the Next Wave of
Smart City Innovations
Smart city innovations get a new home at SURF@NCS facility.
man checks his smart phone to find out which mode
of public transport will get him to his meeting in the
shortest possible time. The Home Team uses video
analytics to detect and reduce any overcrowding in
buildings before it reaches a dangerous level.
A
efficiency, said Chia Wee Boon, CEO of NCS.
Such utopian scenarios are exactly what NCS’s new
facility aims to turn into reality. It is a space that agencies
and organisations can use to weave leading-edge
technologies into the fabric of modern daily living.
Located at NCS Hub in Singapore, stepping into the
SURF@NCS facility is like a walk into the future. There, the
Intelligent SURF Centre (ISC) sits like a high-tech mission
control with screens displaying updates that give the pulse
of a city—whether real-time and geo-target alerts, live city
data feeds, situational awareness information on 2D/3D
spatial maps, or responses from various agencies, etc.
Using the SURF@NCS facility, NCS aims to develop
more smart city solutions in the four areas of:
Education, Healthcare, Transport and Public Safety. It
plans to bring emerging technologies to real-life use
through a three-pronged approach:
•฀ Build฀a฀living฀lab฀for฀public฀agencies฀and฀commercial฀
enterprises to test-bed smart city innovations,
•฀ Grow฀a฀vibrant฀eco-system฀of฀partners฀for฀smart฀city฀
development, and
•฀ Train฀up฀to฀120฀talents฀to฀deliver฀and฀implement฀
smart solutions this year.
The ISC plays a key role in making a city smart, as it
allows the operator to see all possible incidents and
cases, and to provide situational awareness,
operational awareness, and to increase operational
“With SURF@NCS, we will also have a living lab where
NCS and our partners can come together to co-create, test,
refine and validate new applications and technologies,”
said Chua Sock Koong, Singtel CEO.
“We are committed to accelerating our development of
intellectual property and smart city solutions to improve
the lives of citizens,” said Chia.
Monitor 1: Reps from Bosch, Cisco, Hope Technik, IBM ; Monitor 2: Reps from I2R, Kai2, Microsoft, MHI, Mr Bill Chang, Dr Beh
Swan Gin, Ms Chua Sock Koong, Monitor 4: Reps from NCS, Polycom, QI, Samsung; Monitor 5: Reps from SUTD, Temasek Poly
Web BioTech, Parata
APRIL 2015 | www.ncs.com.sg
03
RIDING THE NEXT WAVE OF SMART CITY INNOVATIONS
A LIVING LAB
The SURF@NCS is a testbed for
both public agencies and
commercial enterprises to test smart
city innovations. It is also a lab for
NCS to develop Intellectual Property
(IP) and smart city innovations.
This ‘living lab’ gives smart city living
a jab in the arm, and helps realise
Singapore’s vision to be the world’s
first smart nation.
The first IP being introduced is the
ISC. This Intelligent Command &
Control Platform is designed to solve
challenges in situations involving
multiple agencies. Multiple live data
feeds are acquired through physical
and electronic sensors and processed
through advanced analytics so as to
trigger intelligence reports that can be
used by the relevant public safety
agencies.
The proprietary platform was tested
in Little India last year, under the
Safety and Security Industry
Programme Office (SSIPO). The
technology helped to detect a
construction site fire at Little India
on March 26 within six minutes,
through the monitoring of tweets
and camera footage.
Some smart city technologies
deployed are:
•฀ Street฀lights฀that฀have฀conigurable฀
schedules for energy savings, and
can detect faults that trigger alerts.
•฀ Smart฀trafic฀red฀light฀system฀that฀
stays operational 24/7 to detect
motorists who attempt to beat the
red light. Some 120 digital red
light cameras have been installed
across Singapore, with another
120 to be installed by the middle
of this year. These digital cameras
have replaced old film traffic
cameras, and can transmit clearer
images directly from the site,
without having to physically
retrieve the film from each
camera. Now, less time is needed
to analyse data, notify errant
motorists and collect fines.
•฀ Video฀and฀audio฀content฀analytics฀
that can detect unattended
vehicles, spot type or colour of
vehicle, recognise licence plate
number, and detect illegal parking
infringement or traffic rule
violation.
•฀ Smart฀pharmacy฀dispensing฀
system for Tan Tock Seng Hospital,
which has cut waiting time by half
to10 minutes. The system can
automatically read e-prescriptions,
and simultaneously pick and pack
the medication.
PARTNER ECOSYSTEM
Already, 15 partners have signed up
to collaborate with NCS in areas such
as fog computing, Internet-of-Things
(IOT) and critical infrastructure
management. These partners include
Bosch, Cisco, IBM, Microsoft, Samsung,
and specialised technology providers
such as HOPE Technik, KAI Square,
Mitsubishi Heavy Industries Engine
System Asia, Polycom, Quantum
Inventions, WEB BiotechnologySPYDER and Worldlabel-Parata.
“Through SURF@NCS, we aim to
partner best-of-breed technology
providers to build a vibrant eco-system
where we can co-create solutions to
enhance essential government services
and deliver game-changing enterprise
innovations,” said Chia.
NCS is also working with tertiary
institutes like Singapore University of
Technology and Design (SUTD) and
Temasek Polytechnic to build smart
campuses and future teaching tools.
“At the heart of the Smart Nation
vision is the recognition that digital
technologies have the potential to
make our economy more productive,
our societies more connected and
our lives better,” said Dr Beh Swan
Gin, chairman of Singapore
Economic Development Board (EDB).
GROOMING TALENT
To ensure a pipeline of smart city
skillsets, NCS plans to recruit and
train 120 professionals as enterprise
architects, product engineers, data
scientists and subject matter experts
to implement smart city solutions.
In addition, SURF@NCS is expected
to train over 500 employees and
students in skillsets related to smart
cities by 2020.
A partnership with the Institute for
Infocomm Research (I2R) has resulted
in a programme to nurture experts in
data science and analytics. This
augments the Singtel Cadet
Scholarship Programme which will
offer 90 scholarships this year.
Finally, as Singapore seeks to
become a smart nation, NCS has
taken significant steps towards
bringing this vision to reality by
building a living lab to test-bed
smart city innovations, growing an
eco-system of partners, and training
talents.
Want to experience being at the controls of a smart city?
Visit the NCS booth L1-G14 at INTERPOL World, held at Marina Bay Sands Level 1
on April 14-16 in Singapore. Come and see the Intelligent Surf Centre (ISC) in action,
enhanced with analytics and cyber security capabilities.
04
APRIL 2015 | www.ncs.com.sg
PLUGGING THE CYBER SECURITY HOLE
I
t has become a common scenario for
high profile information security attacks
to grab headlines, and for
organisations to lose large amounts of
confidential data to well-organised
cyber criminals.
Just last year alone, organisations like
Sony lost a massive amount of data to
attackers, and more than 145 million
eBay users were affected by a massive
hack of its systems. The European Central
Bank was not unscathed, it had personal
data stolen, and closer to home, a
SingPass vulnerability resulted in data
theft, where 1,500 user IDs and
passwords were accessed.
The volume and speed of attacks on
computer systems have increased
significantly in our highly connected world.
Millions of computers get inter-connected
through the Internet, and companies run on
more complex networks and use
virtualisation, cloud computing and mobility
technologies—all of which introduce
security vulnerabilities.
Plugging the
Cyber security
Hole
Breaches of information security
regularly hit the headlines. What
are the latest threats and how
should we respond?
These security vulnerabilities can be
protected with cyber security technologies,
processes and practices, which work to
shield networks, computers, programs and
data from attacks, or unauthorised access.
COMPLEX THREATS
Companies face a complex threat
landscape that is filled with advanced
cyber attackers intent on stealing corporate
data and state secrets. These attackers fall
into three groups: those who steal
intellectual property and confidential
corporate data, those with political
motivations who steal intelligence from
governments, and those motivated by a
quest for fame.
One of the biggest cyber security challenges
for the region is: Advanced persistent
threats (APT). Southeast Asian companies
regularly attract the interest of cyber spies
and criminals looking to steal information
about the region’s growing industry
sectors— energy, telecommunications,
APRIL 2015 | www.ncs.com.sg
05
PLUGGING THE CYBER SECURITY HOLE
high-tech, transportation, and
finance. FireEye has detected that
more than half of the targeted
malware in Southeast Asia came
from government and
telecommunications sites.
Attackers have remained on victims’
networks before being discovered for
a median period of 205 days in
2014, according to the 2014 Threat
Report by FireEye subsidiary,
Mandiant. This was a marginal
improvement from 229 days in 2013.
In addition, 69 percent of
organisations were only alerted to the
attacks by an external party.
Today’s attacks utilise the latest
zero-day vulnerabilities, commercialquality toolkits, and social
engineering techniques to perpetrate
advanced targeted attacks. They
also include advanced tactics, such
as blending polymorphism and
personalisation. These sophisticated
attacks appear unknown to
signature-based tools and seem
authentic enough to bypass spam
filters and even fool targeted victims.
For example, spear-phishing attacks
use social networking sites to craft
personalised emails that deliver
dynamic, malicious URLs that bypass
URL filters.
The new generation of threats can
dodge traditional security
technologies, by happening over
multiple stages across several threat
vectors. The cyber criminals would
use a combination of Web, email,
and file-based attack vectors in a
staged attack—which make it
harder to be detected. Traditional
security technologies that rely on
signature-based or list-based pattern
matching technology are less likely
to defend against these blended,
multi-stage attacks.
Regardless of the choice of attack
method—whether it is viruses,
malware or unauthorised website
access—these cyber criminals can
have a costly and damaging effect on
business operations, workforce
productivity and even your company’s
reputation.
SECURING YOURSELF
How do you ensure information
security? To defend against these
sophisticated attacks requires a
strategy that goes beyond static
signatures and rudimentary
behavioural heuristics. To begin with,
how you view security as part of your
overall business strategy, will
determine your security requirements
and the choice of security solutions
and services.
No longer can next-generation
firewalls, intrusion prevention systems
(IPS), anti-virus (AV), and security
gateways alone adequately protect
organisations from the new generation
of threats. Today, signature-based
technology can stop only the known
threats, and is ineffective against the
unknown, dynamic attacks. As a result,
many organisations may have
advanced malware within their
network despite the many layers of
traditional defences that organisations
have deployed.
To ensure sufficient protection against
this new generation of attacks,
enterprises should adopt nextgeneration protection that is:
signature-less, proactive, and real
time. The continuous analysis of
suspicious code throughout the attack
life cycle and blocking of malware
communications across multiple threat
vectors, next-generation protections
can stop advanced malware,
Maturity Model
Aware
06
APRIL 2015 | www.ncs.com.sg
Defined
Managed
Optimised
zero-day exploits, and advanced
persistent threats (APTs) from
threatening sensitive data assets.
A holistic IT security risk management
programme is essential. The
protection of information assets
needs to cover the perimeter,
network infrastructure, system and
application, access control, and to
have policies in place and staff
educated. Consider a multi-layer
security, with centralised
management of worldwide sites,
together with critical monitoring
and audit checks.
However, such advanced security
practices require highly skilled
personnel that can be expensive
and difficult to hire and retain.
Organisations may lack the in-house
resources to protect online systems
24/7, and managing security
requirements can divert IT resources
from other business and operational
requirements.
As a result, a growing number of
organisations are outsourcing their
day-to-day business: users, data and
assets. An integrated approach to
security will ensure that your operations
and teams can run smoothly.
Your Own Device (BYOD) policies,
ensure compliance to company
policies and protect your mobile
devices against potential threats.
Operational Security
SECURING YOUR USERS
The users of your IT infrastructure
include not just your staff, but also
customers, partners and suppliers.
To protect your users’ access to the
Web, cloud, and your network assets,
set access rights and levels, and secure
Align internal processes,
organisational structure and
employee awareness with security
objectives, for an integrated,
structured and robust security
strategy.
PROTECTING DATA
The new generation of threats can dodge
traditional security technologies, by
happening over multiple stages across
several threat vectors.
IT security programmes. This helps
to maintain a cost-effective,
comprehensive and proactive
security programme. The security
service provider should have certified
ICT professionals, industry-accredited
processes, and security operations
facilities to effectively detect, deter
and mitigate any potential damage
caused by cyber attacks.
OPERATIONAL SECURITY
For your business operations to run
effectively, it would depend on
securing the three key components of
users’ remote access to business
applications and online transactions
with two-factor authentication (2FA),
to ensure a safe and secure
business environment.
The growing use of mobility
solutions for business purposes has
introduced the requirement to
secure your users’ mobile devices
against potential threats. Use
Mobile Device Management (MDM)
to administer mobile devices—
whether smartphones, tablets, or
laptops. Deploy and enforce Bring
With the proliferation of the Internet,
your business data is widely accessed
via the email, Web and mobility
devices. Data is no longer a nice-tohave, but mandatory with growing
legal and industry requirements. The
volume of corporate data is also
ballooning, as the data created by
organisations grow in volume, variety
and velocity.
Protect your corporate email and
website by having secure email and
Web gateways. Safeguard your
online servers from Internet-based
attacks with Distributed Denial of
Service (DDoS) protection solutions.
To ensure secure access and sharing
of your critical business data, first
decide on the level of security needed
to protect these various data types.
APRIL 2015 | www.ncs.com.sg
07
PLUGGING THE CYBER SECURITY HOLE
These cyber criminals can have a costly and
damaging effect on business operations,
workforce productivity and even your
company’s reputation.
Then, deploy Data Loss Prevention
(DLP) to detect the improper use of
data and protect your digital assets
against cyber threats.
your security events, providing
insights into your security health
posture and logging security events
for audit and compliance purposes.
KEEP YOUR ASSETS SAFE
PREEMPTIVE PROTECTION
Your IT infrastructure forms the
backbone of your business. Secure
your infrastructure by deploying
Intrusion Prevention against external
attacks and unauthorised access,
and an Application Firewall for
application and user-based control
within your organisation. This ensures
the security of critical business
functions and transactions.
To strengthen your security position,
your operational security strategy
should be complemented with an
analytical and predictive strategy,
for end-to-end security protection.
The Security Incidents and Events
Monitoring service further extends the
protection of your IT infrastructure, by
effectively monitoring and correlating
Analytical security is about going
beyond just reacting to threats as they
happen, which occurs at the
operational level. The aim is to
understand your enemy proactively
and be ready to counter attacks any
time. Singtel advocates 24x7 vigilance
when it comes to the detection and
analysis of advanced malware threats
IT Security Risk Management Programme
08
APRIL 2015 | www.ncs.com.sg
with real-time monitoring, backed by
security analytics and intelligence for
contextual intelligence.
Predictive security also has a part to
play, to move beyond reacting to
threats. Advanced analytics can help
to anticipate threats before they
materialise. To do so, Singtel is
working with partners to develop an
Asia-Pacific Cyber Security
Competency Centre (ACE), a platform
to convene global technology
providers, start-ups, research
institutions, institutes of higher learning,
partners, customers and service
providers to invest in a nextgeneration of security capabilities.
Enterprises today are faced with the
ongoing challenge of securing their
corporate data, assets and users.
Having suitable security protection will
not only protect your corporate data
and credibility, but also maintain that
trusted relationship with your customers
and ensure business continuity.
STANDING GUARD AGAINST CYBER SECURITY THREATS
Standing Guard Against
Cyber security Threats
Looking for cyber security protection? Reap the
benefits of Singtel’s comprehensive range of
enterprise security solutions.
W
ith the increasing
sophistication of
cyber threats, taking
a reactive stance
with enterprise security may not be
sufficient. Your fight against cyber
threats needs to be proactive, and
security experts recommend a
layered approach.
Tap Singtel’s wealth of security
skillsets, experience and resources,
that include:
•฀More฀than฀4,000฀ICT฀certiied฀
professionals with extensive domain
knowledge and experience,
following industry-certified
methodologies.
•฀Four฀Security฀Operations฀Centres฀
(SOCs) in Singapore and Australia
to provide 24/7 monitoring and
management service.
•฀Strategic฀alliances฀with฀industry฀
leaders to offer only the best-in-class
security solutions.
•฀Simpliied฀delivery฀of฀security฀
services and solutions both
regionally and globally.
Singtel announced plans last year to
invest US$400 million over the next
five years, and hire 1,000 engineers
in a three-pronged strategy to build
strengths in cyber security, smart cities
and analytics.
Then in October last year, Singtel
followed up with a partnership with
US-based cyber security technology
company FireEye. Together, they will
provide a range of security monitoring
and threat response services to
enterprises throughout the region.
NEW REGIONAL CENTRES
Singtel has built a new Advanced
Security Operation Centre (ASOC)
located in Singapore and will build a
another ASOC in Sydney. Both
centres will deliver the SingTel
Managed Defence solution powered
by FireEye, and offer continuous
monitoring, detection and quick
containment of threats. The Singapore
centre just opened in February this year.
SingTel and FireEye intend to increase
regional awareness and knowledge
of cyber threats by producing joint
bi-annual, APAC-focused threat
advisory reports. These capabilities
will build on SingTel’s existing range
of enterprise security services.
24X7 VIGILANCE
It’s often said that the price of
freedom is eternal vigilance. In the
same vein, constant vigilance like the
24x7 monitoring provided by Singtel
Managed Defence helps give
freedom from malware. The solution
detects and analyses advanced
malware threats through security
intelligence and analytics, and goes
beyond simply reacting to threats, to
countering future attacks.
Singtel’s ASOCs and Network
Operations Centres (NOCs) work
together to provide end-to-end
visibility of customers’ network
infrastructure and devices to ensure
the fastest possible detection and
containment of threats.
PREDICTIVE SECURITY
All technological efforts to detect
cyber attacks face a constant
challenge to stay one step ahead of
continuously evolving, increasingly
sophisticated and ever growing
frequency of cyber threats. Prediction
is where the future of cyber security
lies, and Singtel is building an
Asia-Pacific Cyber Security
Competency Centre (ACE).
Complementing the ACE is an
Incubation Lab where security
specialists test new cyber-security
solutions that can enhance security in
Asia Pacific. This will be an
innovation platform to conduct
proof-of-concept (PoC) testing to
validate, adapt, integrate, and
commercialise global best-in-breed
solutions with partners specifically for
the APAC market.
WORLD-CLASS RESEARCH
In close collaboration with world-class
research and academic partners,
Singtel will embark on cutting-edge
cyber-security R&D on key areas such
as big data security analytics,
predictive security intelligence,
software-defined attacks mitigation
and new threat scenarios and
solutions.
CYBER RANGE
To complement the R&D and
Incubation Lab, Singtel will build an
advanced cyber range lab that will
create pseudo enterprise environments
for security resilience testing. It will
also offer realistic threat simulation
and cyber defence training.
APRIL 2015 | www.ncs.com.sg
09
‘HOPEFUL’ ABOUT SMART CITIES
‘HOPEful’ About Smart Cities
Meet NCS partner, a team of engineering commandos who
builds high-performance engineering solutions—HOPE Technik.
A
prototype of a space
plane, machines that lift
200 times its weight—
all sound like a sci-fi
movie come to life, but
in reality, these machines are real and
proudly made in Singapore.
The company behind this is HOPE
Technik, their passion for high
performance engineering is evident—
from the variety of products they have
developed, and the first of 10
commandments that greets visitors in
their office lobby says: “It is a passion
and a career, not a job.” A tour of
their black three-storey building in
Jurong is like walking into an
inventor’s workshop.
It took a few years, but NCS and
HOPE Technik have formally signed a
partnership agreement to fuse high
performance engineering solutions
with the intelligence of IT.
In February 2015, NCS and HOPE
Technik inked an agreement to
develop smart city innovations.
Together, they will identify areas
where technologies can be used to
solve business challenges, prototype
ideas, and conduct proof-of-concepts.
They will share knowledge and
capabilities. Where they can, they
will complement each other to build
solutions that could be for Internet of
Things (IoT), software platforms and
sensor networks for smart city
management.
“Recently we have been looking a lot
at smart city technologies, with
growing interest from customers. One
of the smart city technologies that we
can work on with NCS is to integrate
perimeter security technologies with
the impressive Intelligent SURF Centre
(ISC),” said Michael Leong, general
manager at HOPE Technik.
The ISC is like a high-tech mission
control, with dashboards that display
updates that can include real-time
and geo-target alerts, live city data
feeds, situational awareness
information on 2D/3D spatial maps,
or responses from various agencies,
etc. It is a proprietary platform
developed by NCS.
MAKING LIFE EASIER
HOPE Technik’s work is founded on
two main premises. One of which is
automation, and the other is force
multiplication, a military principle of
using additional factors to increase
your power.
“We aim to use automation for
productivity, to remove dull, dirty and
dangerous work that humans have
typically left to robots. It could be
pushing things from point A to B, or a
soldier managing and sending six
drones, instead of six soldiers, to
scout the situation,” said Leong.
10
APRIL 2015 | www.ncs.com.sg
research to create the omni-directional
wheels on hospital beds.
The mobility wheel can move the
motorised bed in all directions, as
well as make sharp turns down
narrow aisles in hospitals. Sesto also
lessens the manpower needed to
move the hospital beds—where it
used to take 2 people to push the
bed, Sesto requires just one person.
Its force multiplier capability means a
200kg weight would feel like 2kg.
An example of this is drones that
carry cameras for army scouts. Their
Spider Surveillance System is a drone
technology, which HOPE Technik has
used to build unmanned drones for
military and commercial clients.
FORCE MULTIPLICATION
A powerful demonstration of force
multiplicaton is the company’s
creation of the Red Rhino for Civil
Defence Force, a light fire truck that is
custom-built at HOPE Technik’s
premises in Jurong. It can do the work
of several men, and can manoeuvre
into the corners of a HDB void deck. It
is equipped with a hydraulic system
for rescue tools, a water mist gun, a
water monitor, and is the first compact
urban vehicle in the world to feature
an integrated compressed foam
system.
Another of their inventions based on
the idea of force multiplication is
Sesto, a set of technologies that ease
the act of moving heavy objects in
confined spaces.
The creation of Sesto, an Automated
Guided Vehicle (AGV), marked HOPE
Technik’s entry into the medical
industry, when it collaborated with the
National University of Singapore on
HOPE Technik plans to apply this
wheel design to other industries, such
as logistics and warehousing
management. The company even
modified a smaller version into an
autonomous waiter on wheels, which
silently and efficiently served canapés
and circulated among visitors during
an event held in Singapore last
year—while avoiding any obstacles
in its path.
Another force multiplication
technology that HOPE Technik has
tinkered with is exoskeleton
technology, that is reminiscient of the
suits worn by Tony Stark in Iron Man,
and Matt Damon in Elysium. This
technology consists of a back brace
and leg braces with in-built motors
that allow wearers to carry extra
weight on them.
Possibly the furthest boundary that
HOPE Technik has pushed is into
space. They have designed, built and
launched an unmanned space plane
prototype commissioned by the
French aerospace giant Airbus
Defence and Space. The test flights
over the South China Sea last year
were part of tests to assess the
aviation electronics, aerodynamics
and glide capability of the prototype
plane.
Of the company’s 50 staff, more than
half are engineers. These
“engineering commandos” as
mentioned in their second
commandment “We are engineering
commandos. Small in number, strong
in force,” are what distinguishes
HOPE Technik.
To find team members, the company
takes on interns, which provides an
opportunity to find people who fit in
with their culture and work
environment.
“They need the right skillsets, the right
attitude and the willingness to build
things. It’s all very hands on, you
have to touch circuit boards, do
soldering and repair your own wires.
You have to be prepared to get dirty,”
said Leong.
Looking forward, HOPE Technik will
continue to push new boundaries.
“We don’t stay comfortable. Each
day is definitely painful and that is the
reason for the colours of our logo.
Red is for the blood we spill, white is
for the sweat, and black is for the
breakthrough,” said Leong.
“This is our life, to gain knowledge.
Here we have people we can spar
with technically, and we enjoy the
challenges of the work we do,” said
Leong as the interview came to a
close and he walked away, ready to
face yet another challenge and to
push another boundary.
APRIL 2015 | www.ncs.com.sg
11
CIO DIALOGUE –
CYBER ATTACKS AND BREACHES: AN UNDENIABLE REALITY
Cyber Attacks and Breaches:
An Undeniable Reality
Roundtable participants say the key is greater awareness
and managing risks.
T
he loss of customer data from
Sony Pictures, Target and
Home Depot hit the headlines
last year. Can nothing stop
the hackers and cyber
criminals from infiltrating corporate
networks and stealing data?
No organisation is immune to cyber
security breaches, said the IT heads
who participated at the “Building
the Right Defence against Cyber
Attacks” roundtable, hosted by CIO
Asia and sponsored by NCS and
FireEye, and held at Marina Bay
Sands on 11 March 2015. The
question is how they should
respond, and what they should do
post-breach.
“The reality is that we can never have
enough protection. It is not whether
we will be penetrated or have our
environment compromised—it is
when,” said Koh Kok Tian, IT Director
at Borneo Motors, a leading car
distributor.
At Alpha Advanced Materials, a
supplier of products for the
semiconductor packaging industry,
they have experienced more
breaches from the inside than
outside.
“We carry a lot of IP [intellectual
property], patents, and formulas in
our systems, it would be devastating
if any valuable data got out. We
have caught ex-employees trying to
sell formulas, so security issues are
more from the inside than outside,”
said Koh Yew Chee, IT Director at
Alpha Advanced Materials.
To determine their level of security
maturity, Alpha Advanced Materials
has done extensive self certifications,
as well as external audits.
Koh countered that standards may not
necessarily give a complete picture of
where the organisation is, as they just
capture a snapshot in time.
Technology is based on three pillars:
technology, processes and people,
said Lau Kai Cheong, CIO at
Singapore Management University
(SMU). Technology is the most
straightforward, as getting the best
technological defence is about
spending enough, but that does not
guarantee protection. In terms of
processes, there needs to be a
security incident response plan that
includes system recovery, quarantine,
forensics, and a fast response time.
Education in security is important,
said Lau. But it can be difficult as
people are the weakest link in the
security chain. Even after education,
users are likely to click on links or
attachments that activate malware, or
be taken to a fake website that
requests for sensitive information.
NO LONGER ADEQUATE
Relying on traditional security
products or approaches is insufficient
for modern cyber security needs.
MANAGING USERS
“The idea is to be able to see, detect
and manage the situation—that’s the
biggest challenge. Users will always
be curious and will click on what they
want to click,” he added.
Agreed Steve Ledzian, Regional
Director, Systems Engineering – Asia
at cyber security vendor FireEye:
“Breaches are inevitable. We are so
reliant on technology. Many believe
the key is prevention. We need to
move beyond that, to know what to
do when potential chaos happens or
when prevention fails.”
12
APRIL 2015 | www.ncs.com.sg
While cyber security is important, it
needs to be balanced with user needs
and usability.
“We need to balance between the
usability of technology and security.
We can’t be draconian and cut off
users from access to Facebook, and
social media. We have to ensure
that protection is balanced with the
users’ ability to use technology
without interfering with their lives,”
said Gilbert Gan, Assistant Vice
President of Information Security,
Singapore Exchange.
“Today 96 percent of companies who
rely on traditional security, are
already breached and don’t know it.
The traditional model is very broken,”
said Ledzian.
“While traditional vendors will either
sell a product, or services, the
partnership between Singtel and
FireEye is very unique, as we provide
all three: products, expertise,
processes and incident response.
Companies often see a huge gap in
terms of security maturity and where
they want to be. This partnership is a
quick way close the gap without
building up expertise and
technology.”
NCS Director Freddy Tan, said that
an added challenge is that the
attacker always has the advantage.
“They choose the time, the target and
what to exploit. How do you as CIO
protect against such targeted
attacks?” asked Tan.
“The key thing is to get your Board
involved… and return to the basics,”
said Tan. “It’s all about managing
risk. We all live with risk—when we
travel, or when we move from place
to place—and should take steps to
mitigate the risk. Protection is not
sufficient, as multiple vector attacks
will go after the weakest link, which
unfortunately is the human, they will
click on anything.”
The second layer of defence is the
ability to detect a compromised
situation; the third is to mitigate or
reduce the impact of that compromise;
and fourth is to recover.
FireEye has produced a report
specific to this region, the “Southeast
Asia: An Evolving Cyber Threat
Landscape”, that provides statistics to
help convince board members about
the severity of security threats. In
terms of industries, the report found
that the industries most likely to be
targeted are: a) government, b)
telecom, c) financial services, d)
high-tech, e) transportation.
palace, but need soldiers, smart
people, etc. The investment needs to
make sense.”
A chilling find is that attackers have
remained on victims’ networks for a
median period of 205 days in 2014,
before being discovered. And some
69 percent of organisations were only
alerted to the attacks by an external
party. Already, 98 percent of
companies in Asia are compromised.
“These silos are still not broken, you
need to go to the hardware, software
or OS [operating system] vendor
when a security issues arises,” said
Narayanaswamy.
ADAPTING TO NEW NEEDS
Organisations have taken different
strategies to secure their corporate
data.
ABN AMRO ensures that information
leaving the company is checked,
authenticated, and traceable, said
Agnes San Gabriel, IT Security
Officer – Control and Monitoring,
ABN AMRO Bank.
Ramesh Narayanaswamy, CIO at
Singapore Post, said that they strive
for a balance.
“What is it that you want to protect?
It’s the padlock with palace problem.
You can’t just put a padlock on
Another challenge is that technology
tends to be in silos.
This partnership between Singtel and
FireEye aims to remove the complexity
from security technology, allowing
organisations to approach just one
vendor instead of speaking separately
to multiple vendors, said Tan.
“There are very few security
professionals. That’s why FireEye and
Singtel invested in 150 security
professionals. We have reached a
point where it doesn’t make sense for
companies to invest in security
headcount. With the Internet of Things
coming online, there is just not
enough of us,” said Tan.
Alan Seow, Head of Cyber security at
Ministry of Communications &
Information, said the challenge is to
get security professionals to have a
passion for the subject.
From L to R (Standing): Mr Tan Hoon Chiang, Mr Lau Kai Cheong, Mr Alan Seow, Mr Ramesh Narayanaswamy, Mr Teo Teng Hui,
Mr Tan Ai Tong, Mr Derek Gooh, Mr Gilbert Gan, Mr Gary Ooi, Mr Wilson Wong, Mr Koh Yew Chee, Mr Koh Kok Tian, Mr TC Seow
(Seated): Ms Agnes San Gabriel, Mr Zhang Jianxin, Mr Steve Ledzian, Mr Jason Chan, Mr Freddy Tan
APRIL 2015 | www.ncs.com.sg
13
CIO DIALOGUE –
CYBER ATTACKS AND BREACHES: AN UNDENIABLE REALITY
“This is one of the key challenges,
because cyber security is something
that changes faster than a fashion
show. There is a lot of catching up,
reading, and chasing. You must really
like the subject,” said Seow.
To build end-user awareness, BP has
conducted ethical phishing tests, said
Derek Gooh, Regional Information
Security Officer, Integrated Supply
and Trading (Eastern Hemisphere), BP
Singapore.
“A few years back, a quarter of our
people would click on emails that
offer a chance to win an iPad. We
have managed to get the click rate
down to a single digit.”
Gooh also noted that increasingly, the
BYOD (Bring Your Own Device) and
consumerisation of technology has led
to many using Gmail and Dropbox,
and that it is hard to stop users from
using these technologies.
“We have a gigabyte of traffic that
goes to Dropbox every month. Last
year, we made the decision to block
Dropbox. Even when we increased
the email capacity of 25MB
attachment it was still insufficient…
We hate the fact that we need to drop
Dropbox, but because of the huge
data volumes and traffic, we have
to,” said Gooh.
Borneo Motor’s Koh quipped that
BYOD stands for “Bring Your Own
Data Breach”.
“A lot of us are in the same position.
With the commoditisation of hacking
tools, anyone can be a hacker, but we
should not stand in the way of BYOD
as that’s where productivity comes.”
GREATER AWARENESS
The large number of high profile
security breaches last year caught the
attention of many, changing
perceptions and raising awareness.
14
APRIL 2015 | www.ncs.com.sg
“Brian Moynihan, Bank of America
CEO, had said in an interview that
they have no cap on budget for
cybersecurity... because it is a
priority. He mentioned that for the
first time in his 20 years of managing
budgets he is seeing a blank cheque
go to a specific cause,” said Ledzian.
JP Morgan got breached last year,
even though its security budget was
US$250m. Ledzian noted that in the
shareholder report, the CEO had a
mature response, and said that even
with a US$250m investment, not
every battle will be won, that there is
no perfect knowledge of security
breaches, but there is a need to focus
on the afterwards.
Some industries, like the financial
industry, are highly regulated, and
organisations in this space have to
adhere to strict security guidelines,
said Jason Chan, Head of Information
Security, Asia Capital Reinsurance
Group.
“The Boards and senior management
are getting more aware. One reason
is because the authorities are making
it more important in terms of
compliance. MAS [Monetary
Authority of Singapore] ensures
financial institutions comply with a
Technology Risk Management
guideline as a baseline, and does
regular audits.”
With greater awareness of the impact
of security breaches, the Board and
management are more supportive of
stricter security measures at the
expense of convenience.
“The board and senior management
are now behaving very differently.
They were the biggest problem in
terms of insisting on using BYOD. This
whole conversation has gone. Now I
Delegates at the roundtable
Mr Koh Yew Chee, IT Director, Alpha Advanced Materials
Mr Jason Chan, Head, Information Security, Asia Capital Reinsurance Group
Mr Wilson Wong, Manager, IT Infrastructure, Asia Capital Reinsurance Group
Mr Derek Gooh, Regional Information Security Officer, Integrated Supply and
Trading (Eastern Hemisphere), BP Singapore
Mr Zhang Jianxin, Director, Management Information System, Dou Yee
Enterprises
Mr Tan Ai Tong, Director, Information Security, Fairchild Semiconductor
Mr Gary Ooi, IT Director, Mandarin Oriental Singapore
Mr Alan Seow, Head, Cybersecurity, Ministry of Communications &
Information
Ms Agnes San Gabriel, IT Security Officer - Control and Monitoring, ABN
AMRO Bank
Mr Koh Kok Tian, IT Director, Borneo Motors
Mr Teo Teng Hui, CIO, Hyflux
Mr Leong Kai Seng, Deputy Director - Premium Customer Care & Support &
Security Technologies, IDA Singapore
Mr Gilbert Gan, Assistant Vice President,Information Security, Singapore
Exchange
Mr Ramesh Narayanaswamy, CIO, Singapore Post
Mr Tan Hoon Chiang, Divisional Director, Academic Computing & Information
Services & Chief Information Officer, National Institute of Education
Mr Lau Kai Cheong, CIO, Singapore Management University (SMU)
Mr Freddy Tan, Director Product Management, Enterprise Security Division,
Group Enterprise, SingTel (NCS Group)
Mr Steve Ledzian, Regional Director, Systems Engineering - Asia, FireEye
Moderator
T.C. Seow, Editor, CIO Asia
can go and say: ‘I can’t do this for
you’ and they will accept it,” said
Narayanaswamy.
While Alpha Advanced Materials’
Koh agreed that the perceptions of
senior management have changed,
he said it is not the case with some
employees.
“The sales people will ask: ‘Why can’t
I use Whatsapp and Dropbox, as it is
convenient for me when I work outside
the office. Now they can complain
all they want, but [the directive]
comes all the way from the top.”
SMU has chosen to satisfy the user
needs like providing a more secure
technological alternative. Instead of
allowing the use of Dropbox, it
created an inhouse corporate
enterprise ‘Dropbox’ so that
sensitive and confidential material
can be accessed on any device,
without the data being out in the
public, said Lau.
Ensuring users get trained can be a
challenge, said Tan Hoon Chiang,
Divisional Director, Academic
Computing & Information Services &
CIO, National Institute of Education.
The challenge is that the attackers are
not sitting still. After an avenue of
attack is addressed, they will move on
to another mode of attack.
“Unfortunately it’s all about business
and ROI. Today the cost of an attack
to the attacker is very low, but the
potential revenue and value is very
high. A US hacker, when arrested,
had US$1m in cash stashed in his
parent’s backyard. Unfortunately,
crime does pay, and these criminal
attacks are not going to go away,
until you can make meaning to the
phrase ‘crime does not pay.’”
Tan Ai Tong, Director of Information
Security, Fairchild Semiconductor,
noted that there are issues with
encryption.
“It can make usability a bit
cumbersome, especially when you
have to deal with third parties and
outsourcing. Even when it is used, it
is only secure up to that point,
because the third party will have to
use the unencrypted information.
We have totally no visibility into the
data when it is at the office of a
third party.”
ORGANISED APPROACH
To encourage its users, the
organisation has included the training
as part of the workflow, where a user
will only be issued a user account
after undergoing training. It has also
put in place some rewards for those
with a higher level of security
awareness.
TO ENCRYPT OR NOT
NCS’s Tan said the US government
actually broke two important security
rules that resulted in the Snowden
leaks. One is that anything important
should not be in the clear, whether in
storage or in transmission, and the
other is to encrypt on the fly, where
even the end user is unaware that it is
encrypted.
Companies need to have an
organised approach to manage the
aftermath of a security breach. The
typical business questions the senior
management or Board will have
include: ‘How long have the
attackers been in the network?’
‘What did they steal?’ ‘Who are the
attackers?’ ‘How far have they
spread in my network?’ and ‘How to
get the attacker out?
“These questions are very hard to
answer, and can take weeks or
months to answer… Generally,
when a breach happens, the
company is totally unprepared for
it. The partnership between FireEye
and Singtel can put companies in a
position to do forensics and answer
those critical questions much more
quickly,” said Ledzian.
Many companies do penetration
tests on a yearly or quarterly basis.
These tests are useful to discover
vulnerabilities, but once a test is
completed, new vulnerabilities can
appear. Where a penetration test is
an attempt to penetrate the
perimeter, a compromise assessment
looks inside the network to check for
activity. Ledzian said the Managed
Defence service offered by Singtel
and FireEye provides continuous
monitoring, detection and the quick
containment of malware and other
perceived threats to organisations.
When Borneo Motor’s Koh suggested
the value of having industry-led group
that helps to set the security tone for
the industry they are in, Seow noted
that there will be cyber security
agencies formed under the purview of
the Prime Minister’s Office (PMO),
that have a co-ordinating role for the
different sectors.
“There will be some industry
programmes coming out. At certain
point, there will also be some vendor
led ones,” said Seow.
Gan noted that some industries have
been sharing their security
knowledge. The US has been sharing
information for the past 15 years. For
instance, there are such groups for the
financial and manufacturing
industries.
“Many in the financial services
industry in Singapore are
subscribed to this. This information
has helped us to protect our
networks by understanding how
these attackers work. However, in
Singapore today, this information
sharing is still in an infancy stage,
with a lot of potential for industry to
come together,” said Gan.
APRIL 2015 | www.ncs.com.sg
15