SURF 2015
Transcription
SURF 2015
VOLUME 9 APRIL 2015 ARE YOU GAME FOR 03 A New Home for Smart City Innovations 10 Meet NCS partner, HOPE Technik, a builder of highperformance engineering solutions that soar in the air and push new boundaries. Now, they will complement NCS to develop smart city innovations. The SURF@NCS facility gives smart city living a jab in the arm, with a living lab to test-bed smart city innovations. NCS also plans to grow an eco-system of partners, and to train talents for a smart city. 05 When Cyber Security Gets Too Hard Southeast Asian companies regularly attract the interest of cyber spies and criminals, and traditional security technologies are no match for the new generation of threats. Learn about the latest security threats and how organisations should respond. 09 Engineering Commandos 12 No Organisation Is Safe What can stop the hackers and cyber criminals from infiltrating corporate networks and stealing data? Find out more about the cyber security challenges that IT heads face in today’s connected world, and how greater awareness and managing risks are part of the solution. A Comprehensive Approach Find out how you can take a proactive, layered approach to cyber security by tapping Singtel’s wealth of security skillsets, experience and resources. FOLLOW US ON surfnation.net NCS Group [email protected] NCS is a member of the Singtel Group RIDING THE NEXT WAVE OF SMART CITY INNOVATIONS Riding the Next Wave of Smart City Innovations Smart city innovations get a new home at SURF@NCS facility. man checks his smart phone to find out which mode of public transport will get him to his meeting in the shortest possible time. The Home Team uses video analytics to detect and reduce any overcrowding in buildings before it reaches a dangerous level. A efficiency, said Chia Wee Boon, CEO of NCS. Such utopian scenarios are exactly what NCS’s new facility aims to turn into reality. It is a space that agencies and organisations can use to weave leading-edge technologies into the fabric of modern daily living. Located at NCS Hub in Singapore, stepping into the SURF@NCS facility is like a walk into the future. There, the Intelligent SURF Centre (ISC) sits like a high-tech mission control with screens displaying updates that give the pulse of a city—whether real-time and geo-target alerts, live city data feeds, situational awareness information on 2D/3D spatial maps, or responses from various agencies, etc. Using the SURF@NCS facility, NCS aims to develop more smart city solutions in the four areas of: Education, Healthcare, Transport and Public Safety. It plans to bring emerging technologies to real-life use through a three-pronged approach: • Buildalivinglabforpublicagenciesandcommercial enterprises to test-bed smart city innovations, • Growavibranteco-systemofpartnersforsmartcity development, and • Trainupto120talentstodeliverandimplement smart solutions this year. The ISC plays a key role in making a city smart, as it allows the operator to see all possible incidents and cases, and to provide situational awareness, operational awareness, and to increase operational “With SURF@NCS, we will also have a living lab where NCS and our partners can come together to co-create, test, refine and validate new applications and technologies,” said Chua Sock Koong, Singtel CEO. “We are committed to accelerating our development of intellectual property and smart city solutions to improve the lives of citizens,” said Chia. Monitor 1: Reps from Bosch, Cisco, Hope Technik, IBM ; Monitor 2: Reps from I2R, Kai2, Microsoft, MHI, Mr Bill Chang, Dr Beh Swan Gin, Ms Chua Sock Koong, Monitor 4: Reps from NCS, Polycom, QI, Samsung; Monitor 5: Reps from SUTD, Temasek Poly Web BioTech, Parata APRIL 2015 | www.ncs.com.sg 03 RIDING THE NEXT WAVE OF SMART CITY INNOVATIONS A LIVING LAB The SURF@NCS is a testbed for both public agencies and commercial enterprises to test smart city innovations. It is also a lab for NCS to develop Intellectual Property (IP) and smart city innovations. This ‘living lab’ gives smart city living a jab in the arm, and helps realise Singapore’s vision to be the world’s first smart nation. The first IP being introduced is the ISC. This Intelligent Command & Control Platform is designed to solve challenges in situations involving multiple agencies. Multiple live data feeds are acquired through physical and electronic sensors and processed through advanced analytics so as to trigger intelligence reports that can be used by the relevant public safety agencies. The proprietary platform was tested in Little India last year, under the Safety and Security Industry Programme Office (SSIPO). The technology helped to detect a construction site fire at Little India on March 26 within six minutes, through the monitoring of tweets and camera footage. Some smart city technologies deployed are: • Streetlightsthathaveconigurable schedules for energy savings, and can detect faults that trigger alerts. • Smarttraficredlightsystemthat stays operational 24/7 to detect motorists who attempt to beat the red light. Some 120 digital red light cameras have been installed across Singapore, with another 120 to be installed by the middle of this year. These digital cameras have replaced old film traffic cameras, and can transmit clearer images directly from the site, without having to physically retrieve the film from each camera. Now, less time is needed to analyse data, notify errant motorists and collect fines. • Videoandaudiocontentanalytics that can detect unattended vehicles, spot type or colour of vehicle, recognise licence plate number, and detect illegal parking infringement or traffic rule violation. • Smartpharmacydispensing system for Tan Tock Seng Hospital, which has cut waiting time by half to10 minutes. The system can automatically read e-prescriptions, and simultaneously pick and pack the medication. PARTNER ECOSYSTEM Already, 15 partners have signed up to collaborate with NCS in areas such as fog computing, Internet-of-Things (IOT) and critical infrastructure management. These partners include Bosch, Cisco, IBM, Microsoft, Samsung, and specialised technology providers such as HOPE Technik, KAI Square, Mitsubishi Heavy Industries Engine System Asia, Polycom, Quantum Inventions, WEB BiotechnologySPYDER and Worldlabel-Parata. “Through SURF@NCS, we aim to partner best-of-breed technology providers to build a vibrant eco-system where we can co-create solutions to enhance essential government services and deliver game-changing enterprise innovations,” said Chia. NCS is also working with tertiary institutes like Singapore University of Technology and Design (SUTD) and Temasek Polytechnic to build smart campuses and future teaching tools. “At the heart of the Smart Nation vision is the recognition that digital technologies have the potential to make our economy more productive, our societies more connected and our lives better,” said Dr Beh Swan Gin, chairman of Singapore Economic Development Board (EDB). GROOMING TALENT To ensure a pipeline of smart city skillsets, NCS plans to recruit and train 120 professionals as enterprise architects, product engineers, data scientists and subject matter experts to implement smart city solutions. In addition, SURF@NCS is expected to train over 500 employees and students in skillsets related to smart cities by 2020. A partnership with the Institute for Infocomm Research (I2R) has resulted in a programme to nurture experts in data science and analytics. This augments the Singtel Cadet Scholarship Programme which will offer 90 scholarships this year. Finally, as Singapore seeks to become a smart nation, NCS has taken significant steps towards bringing this vision to reality by building a living lab to test-bed smart city innovations, growing an eco-system of partners, and training talents. Want to experience being at the controls of a smart city? Visit the NCS booth L1-G14 at INTERPOL World, held at Marina Bay Sands Level 1 on April 14-16 in Singapore. Come and see the Intelligent Surf Centre (ISC) in action, enhanced with analytics and cyber security capabilities. 04 APRIL 2015 | www.ncs.com.sg PLUGGING THE CYBER SECURITY HOLE I t has become a common scenario for high profile information security attacks to grab headlines, and for organisations to lose large amounts of confidential data to well-organised cyber criminals. Just last year alone, organisations like Sony lost a massive amount of data to attackers, and more than 145 million eBay users were affected by a massive hack of its systems. The European Central Bank was not unscathed, it had personal data stolen, and closer to home, a SingPass vulnerability resulted in data theft, where 1,500 user IDs and passwords were accessed. The volume and speed of attacks on computer systems have increased significantly in our highly connected world. Millions of computers get inter-connected through the Internet, and companies run on more complex networks and use virtualisation, cloud computing and mobility technologies—all of which introduce security vulnerabilities. Plugging the Cyber security Hole Breaches of information security regularly hit the headlines. What are the latest threats and how should we respond? These security vulnerabilities can be protected with cyber security technologies, processes and practices, which work to shield networks, computers, programs and data from attacks, or unauthorised access. COMPLEX THREATS Companies face a complex threat landscape that is filled with advanced cyber attackers intent on stealing corporate data and state secrets. These attackers fall into three groups: those who steal intellectual property and confidential corporate data, those with political motivations who steal intelligence from governments, and those motivated by a quest for fame. One of the biggest cyber security challenges for the region is: Advanced persistent threats (APT). Southeast Asian companies regularly attract the interest of cyber spies and criminals looking to steal information about the region’s growing industry sectors— energy, telecommunications, APRIL 2015 | www.ncs.com.sg 05 PLUGGING THE CYBER SECURITY HOLE high-tech, transportation, and finance. FireEye has detected that more than half of the targeted malware in Southeast Asia came from government and telecommunications sites. Attackers have remained on victims’ networks before being discovered for a median period of 205 days in 2014, according to the 2014 Threat Report by FireEye subsidiary, Mandiant. This was a marginal improvement from 229 days in 2013. In addition, 69 percent of organisations were only alerted to the attacks by an external party. Today’s attacks utilise the latest zero-day vulnerabilities, commercialquality toolkits, and social engineering techniques to perpetrate advanced targeted attacks. They also include advanced tactics, such as blending polymorphism and personalisation. These sophisticated attacks appear unknown to signature-based tools and seem authentic enough to bypass spam filters and even fool targeted victims. For example, spear-phishing attacks use social networking sites to craft personalised emails that deliver dynamic, malicious URLs that bypass URL filters. The new generation of threats can dodge traditional security technologies, by happening over multiple stages across several threat vectors. The cyber criminals would use a combination of Web, email, and file-based attack vectors in a staged attack—which make it harder to be detected. Traditional security technologies that rely on signature-based or list-based pattern matching technology are less likely to defend against these blended, multi-stage attacks. Regardless of the choice of attack method—whether it is viruses, malware or unauthorised website access—these cyber criminals can have a costly and damaging effect on business operations, workforce productivity and even your company’s reputation. SECURING YOURSELF How do you ensure information security? To defend against these sophisticated attacks requires a strategy that goes beyond static signatures and rudimentary behavioural heuristics. To begin with, how you view security as part of your overall business strategy, will determine your security requirements and the choice of security solutions and services. No longer can next-generation firewalls, intrusion prevention systems (IPS), anti-virus (AV), and security gateways alone adequately protect organisations from the new generation of threats. Today, signature-based technology can stop only the known threats, and is ineffective against the unknown, dynamic attacks. As a result, many organisations may have advanced malware within their network despite the many layers of traditional defences that organisations have deployed. To ensure sufficient protection against this new generation of attacks, enterprises should adopt nextgeneration protection that is: signature-less, proactive, and real time. The continuous analysis of suspicious code throughout the attack life cycle and blocking of malware communications across multiple threat vectors, next-generation protections can stop advanced malware, Maturity Model Aware 06 APRIL 2015 | www.ncs.com.sg Defined Managed Optimised zero-day exploits, and advanced persistent threats (APTs) from threatening sensitive data assets. A holistic IT security risk management programme is essential. The protection of information assets needs to cover the perimeter, network infrastructure, system and application, access control, and to have policies in place and staff educated. Consider a multi-layer security, with centralised management of worldwide sites, together with critical monitoring and audit checks. However, such advanced security practices require highly skilled personnel that can be expensive and difficult to hire and retain. Organisations may lack the in-house resources to protect online systems 24/7, and managing security requirements can divert IT resources from other business and operational requirements. As a result, a growing number of organisations are outsourcing their day-to-day business: users, data and assets. An integrated approach to security will ensure that your operations and teams can run smoothly. Your Own Device (BYOD) policies, ensure compliance to company policies and protect your mobile devices against potential threats. Operational Security SECURING YOUR USERS The users of your IT infrastructure include not just your staff, but also customers, partners and suppliers. To protect your users’ access to the Web, cloud, and your network assets, set access rights and levels, and secure Align internal processes, organisational structure and employee awareness with security objectives, for an integrated, structured and robust security strategy. PROTECTING DATA The new generation of threats can dodge traditional security technologies, by happening over multiple stages across several threat vectors. IT security programmes. This helps to maintain a cost-effective, comprehensive and proactive security programme. The security service provider should have certified ICT professionals, industry-accredited processes, and security operations facilities to effectively detect, deter and mitigate any potential damage caused by cyber attacks. OPERATIONAL SECURITY For your business operations to run effectively, it would depend on securing the three key components of users’ remote access to business applications and online transactions with two-factor authentication (2FA), to ensure a safe and secure business environment. The growing use of mobility solutions for business purposes has introduced the requirement to secure your users’ mobile devices against potential threats. Use Mobile Device Management (MDM) to administer mobile devices— whether smartphones, tablets, or laptops. Deploy and enforce Bring With the proliferation of the Internet, your business data is widely accessed via the email, Web and mobility devices. Data is no longer a nice-tohave, but mandatory with growing legal and industry requirements. The volume of corporate data is also ballooning, as the data created by organisations grow in volume, variety and velocity. Protect your corporate email and website by having secure email and Web gateways. Safeguard your online servers from Internet-based attacks with Distributed Denial of Service (DDoS) protection solutions. To ensure secure access and sharing of your critical business data, first decide on the level of security needed to protect these various data types. APRIL 2015 | www.ncs.com.sg 07 PLUGGING THE CYBER SECURITY HOLE These cyber criminals can have a costly and damaging effect on business operations, workforce productivity and even your company’s reputation. Then, deploy Data Loss Prevention (DLP) to detect the improper use of data and protect your digital assets against cyber threats. your security events, providing insights into your security health posture and logging security events for audit and compliance purposes. KEEP YOUR ASSETS SAFE PREEMPTIVE PROTECTION Your IT infrastructure forms the backbone of your business. Secure your infrastructure by deploying Intrusion Prevention against external attacks and unauthorised access, and an Application Firewall for application and user-based control within your organisation. This ensures the security of critical business functions and transactions. To strengthen your security position, your operational security strategy should be complemented with an analytical and predictive strategy, for end-to-end security protection. The Security Incidents and Events Monitoring service further extends the protection of your IT infrastructure, by effectively monitoring and correlating Analytical security is about going beyond just reacting to threats as they happen, which occurs at the operational level. The aim is to understand your enemy proactively and be ready to counter attacks any time. Singtel advocates 24x7 vigilance when it comes to the detection and analysis of advanced malware threats IT Security Risk Management Programme 08 APRIL 2015 | www.ncs.com.sg with real-time monitoring, backed by security analytics and intelligence for contextual intelligence. Predictive security also has a part to play, to move beyond reacting to threats. Advanced analytics can help to anticipate threats before they materialise. To do so, Singtel is working with partners to develop an Asia-Pacific Cyber Security Competency Centre (ACE), a platform to convene global technology providers, start-ups, research institutions, institutes of higher learning, partners, customers and service providers to invest in a nextgeneration of security capabilities. Enterprises today are faced with the ongoing challenge of securing their corporate data, assets and users. Having suitable security protection will not only protect your corporate data and credibility, but also maintain that trusted relationship with your customers and ensure business continuity. STANDING GUARD AGAINST CYBER SECURITY THREATS Standing Guard Against Cyber security Threats Looking for cyber security protection? Reap the benefits of Singtel’s comprehensive range of enterprise security solutions. W ith the increasing sophistication of cyber threats, taking a reactive stance with enterprise security may not be sufficient. Your fight against cyber threats needs to be proactive, and security experts recommend a layered approach. Tap Singtel’s wealth of security skillsets, experience and resources, that include: •Morethan4,000ICTcertiied professionals with extensive domain knowledge and experience, following industry-certified methodologies. •FourSecurityOperationsCentres (SOCs) in Singapore and Australia to provide 24/7 monitoring and management service. •Strategicallianceswithindustry leaders to offer only the best-in-class security solutions. •Simpliieddeliveryofsecurity services and solutions both regionally and globally. Singtel announced plans last year to invest US$400 million over the next five years, and hire 1,000 engineers in a three-pronged strategy to build strengths in cyber security, smart cities and analytics. Then in October last year, Singtel followed up with a partnership with US-based cyber security technology company FireEye. Together, they will provide a range of security monitoring and threat response services to enterprises throughout the region. NEW REGIONAL CENTRES Singtel has built a new Advanced Security Operation Centre (ASOC) located in Singapore and will build a another ASOC in Sydney. Both centres will deliver the SingTel Managed Defence solution powered by FireEye, and offer continuous monitoring, detection and quick containment of threats. The Singapore centre just opened in February this year. SingTel and FireEye intend to increase regional awareness and knowledge of cyber threats by producing joint bi-annual, APAC-focused threat advisory reports. These capabilities will build on SingTel’s existing range of enterprise security services. 24X7 VIGILANCE It’s often said that the price of freedom is eternal vigilance. In the same vein, constant vigilance like the 24x7 monitoring provided by Singtel Managed Defence helps give freedom from malware. The solution detects and analyses advanced malware threats through security intelligence and analytics, and goes beyond simply reacting to threats, to countering future attacks. Singtel’s ASOCs and Network Operations Centres (NOCs) work together to provide end-to-end visibility of customers’ network infrastructure and devices to ensure the fastest possible detection and containment of threats. PREDICTIVE SECURITY All technological efforts to detect cyber attacks face a constant challenge to stay one step ahead of continuously evolving, increasingly sophisticated and ever growing frequency of cyber threats. Prediction is where the future of cyber security lies, and Singtel is building an Asia-Pacific Cyber Security Competency Centre (ACE). Complementing the ACE is an Incubation Lab where security specialists test new cyber-security solutions that can enhance security in Asia Pacific. This will be an innovation platform to conduct proof-of-concept (PoC) testing to validate, adapt, integrate, and commercialise global best-in-breed solutions with partners specifically for the APAC market. WORLD-CLASS RESEARCH In close collaboration with world-class research and academic partners, Singtel will embark on cutting-edge cyber-security R&D on key areas such as big data security analytics, predictive security intelligence, software-defined attacks mitigation and new threat scenarios and solutions. CYBER RANGE To complement the R&D and Incubation Lab, Singtel will build an advanced cyber range lab that will create pseudo enterprise environments for security resilience testing. It will also offer realistic threat simulation and cyber defence training. APRIL 2015 | www.ncs.com.sg 09 ‘HOPEFUL’ ABOUT SMART CITIES ‘HOPEful’ About Smart Cities Meet NCS partner, a team of engineering commandos who builds high-performance engineering solutions—HOPE Technik. A prototype of a space plane, machines that lift 200 times its weight— all sound like a sci-fi movie come to life, but in reality, these machines are real and proudly made in Singapore. The company behind this is HOPE Technik, their passion for high performance engineering is evident— from the variety of products they have developed, and the first of 10 commandments that greets visitors in their office lobby says: “It is a passion and a career, not a job.” A tour of their black three-storey building in Jurong is like walking into an inventor’s workshop. It took a few years, but NCS and HOPE Technik have formally signed a partnership agreement to fuse high performance engineering solutions with the intelligence of IT. In February 2015, NCS and HOPE Technik inked an agreement to develop smart city innovations. Together, they will identify areas where technologies can be used to solve business challenges, prototype ideas, and conduct proof-of-concepts. They will share knowledge and capabilities. Where they can, they will complement each other to build solutions that could be for Internet of Things (IoT), software platforms and sensor networks for smart city management. “Recently we have been looking a lot at smart city technologies, with growing interest from customers. One of the smart city technologies that we can work on with NCS is to integrate perimeter security technologies with the impressive Intelligent SURF Centre (ISC),” said Michael Leong, general manager at HOPE Technik. The ISC is like a high-tech mission control, with dashboards that display updates that can include real-time and geo-target alerts, live city data feeds, situational awareness information on 2D/3D spatial maps, or responses from various agencies, etc. It is a proprietary platform developed by NCS. MAKING LIFE EASIER HOPE Technik’s work is founded on two main premises. One of which is automation, and the other is force multiplication, a military principle of using additional factors to increase your power. “We aim to use automation for productivity, to remove dull, dirty and dangerous work that humans have typically left to robots. It could be pushing things from point A to B, or a soldier managing and sending six drones, instead of six soldiers, to scout the situation,” said Leong. 10 APRIL 2015 | www.ncs.com.sg research to create the omni-directional wheels on hospital beds. The mobility wheel can move the motorised bed in all directions, as well as make sharp turns down narrow aisles in hospitals. Sesto also lessens the manpower needed to move the hospital beds—where it used to take 2 people to push the bed, Sesto requires just one person. Its force multiplier capability means a 200kg weight would feel like 2kg. An example of this is drones that carry cameras for army scouts. Their Spider Surveillance System is a drone technology, which HOPE Technik has used to build unmanned drones for military and commercial clients. FORCE MULTIPLICATION A powerful demonstration of force multiplicaton is the company’s creation of the Red Rhino for Civil Defence Force, a light fire truck that is custom-built at HOPE Technik’s premises in Jurong. It can do the work of several men, and can manoeuvre into the corners of a HDB void deck. It is equipped with a hydraulic system for rescue tools, a water mist gun, a water monitor, and is the first compact urban vehicle in the world to feature an integrated compressed foam system. Another of their inventions based on the idea of force multiplication is Sesto, a set of technologies that ease the act of moving heavy objects in confined spaces. The creation of Sesto, an Automated Guided Vehicle (AGV), marked HOPE Technik’s entry into the medical industry, when it collaborated with the National University of Singapore on HOPE Technik plans to apply this wheel design to other industries, such as logistics and warehousing management. The company even modified a smaller version into an autonomous waiter on wheels, which silently and efficiently served canapés and circulated among visitors during an event held in Singapore last year—while avoiding any obstacles in its path. Another force multiplication technology that HOPE Technik has tinkered with is exoskeleton technology, that is reminiscient of the suits worn by Tony Stark in Iron Man, and Matt Damon in Elysium. This technology consists of a back brace and leg braces with in-built motors that allow wearers to carry extra weight on them. Possibly the furthest boundary that HOPE Technik has pushed is into space. They have designed, built and launched an unmanned space plane prototype commissioned by the French aerospace giant Airbus Defence and Space. The test flights over the South China Sea last year were part of tests to assess the aviation electronics, aerodynamics and glide capability of the prototype plane. Of the company’s 50 staff, more than half are engineers. These “engineering commandos” as mentioned in their second commandment “We are engineering commandos. Small in number, strong in force,” are what distinguishes HOPE Technik. To find team members, the company takes on interns, which provides an opportunity to find people who fit in with their culture and work environment. “They need the right skillsets, the right attitude and the willingness to build things. It’s all very hands on, you have to touch circuit boards, do soldering and repair your own wires. You have to be prepared to get dirty,” said Leong. Looking forward, HOPE Technik will continue to push new boundaries. “We don’t stay comfortable. Each day is definitely painful and that is the reason for the colours of our logo. Red is for the blood we spill, white is for the sweat, and black is for the breakthrough,” said Leong. “This is our life, to gain knowledge. Here we have people we can spar with technically, and we enjoy the challenges of the work we do,” said Leong as the interview came to a close and he walked away, ready to face yet another challenge and to push another boundary. APRIL 2015 | www.ncs.com.sg 11 CIO DIALOGUE – CYBER ATTACKS AND BREACHES: AN UNDENIABLE REALITY Cyber Attacks and Breaches: An Undeniable Reality Roundtable participants say the key is greater awareness and managing risks. T he loss of customer data from Sony Pictures, Target and Home Depot hit the headlines last year. Can nothing stop the hackers and cyber criminals from infiltrating corporate networks and stealing data? No organisation is immune to cyber security breaches, said the IT heads who participated at the “Building the Right Defence against Cyber Attacks” roundtable, hosted by CIO Asia and sponsored by NCS and FireEye, and held at Marina Bay Sands on 11 March 2015. The question is how they should respond, and what they should do post-breach. “The reality is that we can never have enough protection. It is not whether we will be penetrated or have our environment compromised—it is when,” said Koh Kok Tian, IT Director at Borneo Motors, a leading car distributor. At Alpha Advanced Materials, a supplier of products for the semiconductor packaging industry, they have experienced more breaches from the inside than outside. “We carry a lot of IP [intellectual property], patents, and formulas in our systems, it would be devastating if any valuable data got out. We have caught ex-employees trying to sell formulas, so security issues are more from the inside than outside,” said Koh Yew Chee, IT Director at Alpha Advanced Materials. To determine their level of security maturity, Alpha Advanced Materials has done extensive self certifications, as well as external audits. Koh countered that standards may not necessarily give a complete picture of where the organisation is, as they just capture a snapshot in time. Technology is based on three pillars: technology, processes and people, said Lau Kai Cheong, CIO at Singapore Management University (SMU). Technology is the most straightforward, as getting the best technological defence is about spending enough, but that does not guarantee protection. In terms of processes, there needs to be a security incident response plan that includes system recovery, quarantine, forensics, and a fast response time. Education in security is important, said Lau. But it can be difficult as people are the weakest link in the security chain. Even after education, users are likely to click on links or attachments that activate malware, or be taken to a fake website that requests for sensitive information. NO LONGER ADEQUATE Relying on traditional security products or approaches is insufficient for modern cyber security needs. MANAGING USERS “The idea is to be able to see, detect and manage the situation—that’s the biggest challenge. Users will always be curious and will click on what they want to click,” he added. Agreed Steve Ledzian, Regional Director, Systems Engineering – Asia at cyber security vendor FireEye: “Breaches are inevitable. We are so reliant on technology. Many believe the key is prevention. We need to move beyond that, to know what to do when potential chaos happens or when prevention fails.” 12 APRIL 2015 | www.ncs.com.sg While cyber security is important, it needs to be balanced with user needs and usability. “We need to balance between the usability of technology and security. We can’t be draconian and cut off users from access to Facebook, and social media. We have to ensure that protection is balanced with the users’ ability to use technology without interfering with their lives,” said Gilbert Gan, Assistant Vice President of Information Security, Singapore Exchange. “Today 96 percent of companies who rely on traditional security, are already breached and don’t know it. The traditional model is very broken,” said Ledzian. “While traditional vendors will either sell a product, or services, the partnership between Singtel and FireEye is very unique, as we provide all three: products, expertise, processes and incident response. Companies often see a huge gap in terms of security maturity and where they want to be. This partnership is a quick way close the gap without building up expertise and technology.” NCS Director Freddy Tan, said that an added challenge is that the attacker always has the advantage. “They choose the time, the target and what to exploit. How do you as CIO protect against such targeted attacks?” asked Tan. “The key thing is to get your Board involved… and return to the basics,” said Tan. “It’s all about managing risk. We all live with risk—when we travel, or when we move from place to place—and should take steps to mitigate the risk. Protection is not sufficient, as multiple vector attacks will go after the weakest link, which unfortunately is the human, they will click on anything.” The second layer of defence is the ability to detect a compromised situation; the third is to mitigate or reduce the impact of that compromise; and fourth is to recover. FireEye has produced a report specific to this region, the “Southeast Asia: An Evolving Cyber Threat Landscape”, that provides statistics to help convince board members about the severity of security threats. In terms of industries, the report found that the industries most likely to be targeted are: a) government, b) telecom, c) financial services, d) high-tech, e) transportation. palace, but need soldiers, smart people, etc. The investment needs to make sense.” A chilling find is that attackers have remained on victims’ networks for a median period of 205 days in 2014, before being discovered. And some 69 percent of organisations were only alerted to the attacks by an external party. Already, 98 percent of companies in Asia are compromised. “These silos are still not broken, you need to go to the hardware, software or OS [operating system] vendor when a security issues arises,” said Narayanaswamy. ADAPTING TO NEW NEEDS Organisations have taken different strategies to secure their corporate data. ABN AMRO ensures that information leaving the company is checked, authenticated, and traceable, said Agnes San Gabriel, IT Security Officer – Control and Monitoring, ABN AMRO Bank. Ramesh Narayanaswamy, CIO at Singapore Post, said that they strive for a balance. “What is it that you want to protect? It’s the padlock with palace problem. You can’t just put a padlock on Another challenge is that technology tends to be in silos. This partnership between Singtel and FireEye aims to remove the complexity from security technology, allowing organisations to approach just one vendor instead of speaking separately to multiple vendors, said Tan. “There are very few security professionals. That’s why FireEye and Singtel invested in 150 security professionals. We have reached a point where it doesn’t make sense for companies to invest in security headcount. With the Internet of Things coming online, there is just not enough of us,” said Tan. Alan Seow, Head of Cyber security at Ministry of Communications & Information, said the challenge is to get security professionals to have a passion for the subject. From L to R (Standing): Mr Tan Hoon Chiang, Mr Lau Kai Cheong, Mr Alan Seow, Mr Ramesh Narayanaswamy, Mr Teo Teng Hui, Mr Tan Ai Tong, Mr Derek Gooh, Mr Gilbert Gan, Mr Gary Ooi, Mr Wilson Wong, Mr Koh Yew Chee, Mr Koh Kok Tian, Mr TC Seow (Seated): Ms Agnes San Gabriel, Mr Zhang Jianxin, Mr Steve Ledzian, Mr Jason Chan, Mr Freddy Tan APRIL 2015 | www.ncs.com.sg 13 CIO DIALOGUE – CYBER ATTACKS AND BREACHES: AN UNDENIABLE REALITY “This is one of the key challenges, because cyber security is something that changes faster than a fashion show. There is a lot of catching up, reading, and chasing. You must really like the subject,” said Seow. To build end-user awareness, BP has conducted ethical phishing tests, said Derek Gooh, Regional Information Security Officer, Integrated Supply and Trading (Eastern Hemisphere), BP Singapore. “A few years back, a quarter of our people would click on emails that offer a chance to win an iPad. We have managed to get the click rate down to a single digit.” Gooh also noted that increasingly, the BYOD (Bring Your Own Device) and consumerisation of technology has led to many using Gmail and Dropbox, and that it is hard to stop users from using these technologies. “We have a gigabyte of traffic that goes to Dropbox every month. Last year, we made the decision to block Dropbox. Even when we increased the email capacity of 25MB attachment it was still insufficient… We hate the fact that we need to drop Dropbox, but because of the huge data volumes and traffic, we have to,” said Gooh. Borneo Motor’s Koh quipped that BYOD stands for “Bring Your Own Data Breach”. “A lot of us are in the same position. With the commoditisation of hacking tools, anyone can be a hacker, but we should not stand in the way of BYOD as that’s where productivity comes.” GREATER AWARENESS The large number of high profile security breaches last year caught the attention of many, changing perceptions and raising awareness. 14 APRIL 2015 | www.ncs.com.sg “Brian Moynihan, Bank of America CEO, had said in an interview that they have no cap on budget for cybersecurity... because it is a priority. He mentioned that for the first time in his 20 years of managing budgets he is seeing a blank cheque go to a specific cause,” said Ledzian. JP Morgan got breached last year, even though its security budget was US$250m. Ledzian noted that in the shareholder report, the CEO had a mature response, and said that even with a US$250m investment, not every battle will be won, that there is no perfect knowledge of security breaches, but there is a need to focus on the afterwards. Some industries, like the financial industry, are highly regulated, and organisations in this space have to adhere to strict security guidelines, said Jason Chan, Head of Information Security, Asia Capital Reinsurance Group. “The Boards and senior management are getting more aware. One reason is because the authorities are making it more important in terms of compliance. MAS [Monetary Authority of Singapore] ensures financial institutions comply with a Technology Risk Management guideline as a baseline, and does regular audits.” With greater awareness of the impact of security breaches, the Board and management are more supportive of stricter security measures at the expense of convenience. “The board and senior management are now behaving very differently. They were the biggest problem in terms of insisting on using BYOD. This whole conversation has gone. Now I Delegates at the roundtable Mr Koh Yew Chee, IT Director, Alpha Advanced Materials Mr Jason Chan, Head, Information Security, Asia Capital Reinsurance Group Mr Wilson Wong, Manager, IT Infrastructure, Asia Capital Reinsurance Group Mr Derek Gooh, Regional Information Security Officer, Integrated Supply and Trading (Eastern Hemisphere), BP Singapore Mr Zhang Jianxin, Director, Management Information System, Dou Yee Enterprises Mr Tan Ai Tong, Director, Information Security, Fairchild Semiconductor Mr Gary Ooi, IT Director, Mandarin Oriental Singapore Mr Alan Seow, Head, Cybersecurity, Ministry of Communications & Information Ms Agnes San Gabriel, IT Security Officer - Control and Monitoring, ABN AMRO Bank Mr Koh Kok Tian, IT Director, Borneo Motors Mr Teo Teng Hui, CIO, Hyflux Mr Leong Kai Seng, Deputy Director - Premium Customer Care & Support & Security Technologies, IDA Singapore Mr Gilbert Gan, Assistant Vice President,Information Security, Singapore Exchange Mr Ramesh Narayanaswamy, CIO, Singapore Post Mr Tan Hoon Chiang, Divisional Director, Academic Computing & Information Services & Chief Information Officer, National Institute of Education Mr Lau Kai Cheong, CIO, Singapore Management University (SMU) Mr Freddy Tan, Director Product Management, Enterprise Security Division, Group Enterprise, SingTel (NCS Group) Mr Steve Ledzian, Regional Director, Systems Engineering - Asia, FireEye Moderator T.C. Seow, Editor, CIO Asia can go and say: ‘I can’t do this for you’ and they will accept it,” said Narayanaswamy. While Alpha Advanced Materials’ Koh agreed that the perceptions of senior management have changed, he said it is not the case with some employees. “The sales people will ask: ‘Why can’t I use Whatsapp and Dropbox, as it is convenient for me when I work outside the office. Now they can complain all they want, but [the directive] comes all the way from the top.” SMU has chosen to satisfy the user needs like providing a more secure technological alternative. Instead of allowing the use of Dropbox, it created an inhouse corporate enterprise ‘Dropbox’ so that sensitive and confidential material can be accessed on any device, without the data being out in the public, said Lau. Ensuring users get trained can be a challenge, said Tan Hoon Chiang, Divisional Director, Academic Computing & Information Services & CIO, National Institute of Education. The challenge is that the attackers are not sitting still. After an avenue of attack is addressed, they will move on to another mode of attack. “Unfortunately it’s all about business and ROI. Today the cost of an attack to the attacker is very low, but the potential revenue and value is very high. A US hacker, when arrested, had US$1m in cash stashed in his parent’s backyard. Unfortunately, crime does pay, and these criminal attacks are not going to go away, until you can make meaning to the phrase ‘crime does not pay.’” Tan Ai Tong, Director of Information Security, Fairchild Semiconductor, noted that there are issues with encryption. “It can make usability a bit cumbersome, especially when you have to deal with third parties and outsourcing. Even when it is used, it is only secure up to that point, because the third party will have to use the unencrypted information. We have totally no visibility into the data when it is at the office of a third party.” ORGANISED APPROACH To encourage its users, the organisation has included the training as part of the workflow, where a user will only be issued a user account after undergoing training. It has also put in place some rewards for those with a higher level of security awareness. TO ENCRYPT OR NOT NCS’s Tan said the US government actually broke two important security rules that resulted in the Snowden leaks. One is that anything important should not be in the clear, whether in storage or in transmission, and the other is to encrypt on the fly, where even the end user is unaware that it is encrypted. Companies need to have an organised approach to manage the aftermath of a security breach. The typical business questions the senior management or Board will have include: ‘How long have the attackers been in the network?’ ‘What did they steal?’ ‘Who are the attackers?’ ‘How far have they spread in my network?’ and ‘How to get the attacker out? “These questions are very hard to answer, and can take weeks or months to answer… Generally, when a breach happens, the company is totally unprepared for it. The partnership between FireEye and Singtel can put companies in a position to do forensics and answer those critical questions much more quickly,” said Ledzian. Many companies do penetration tests on a yearly or quarterly basis. These tests are useful to discover vulnerabilities, but once a test is completed, new vulnerabilities can appear. Where a penetration test is an attempt to penetrate the perimeter, a compromise assessment looks inside the network to check for activity. Ledzian said the Managed Defence service offered by Singtel and FireEye provides continuous monitoring, detection and the quick containment of malware and other perceived threats to organisations. When Borneo Motor’s Koh suggested the value of having industry-led group that helps to set the security tone for the industry they are in, Seow noted that there will be cyber security agencies formed under the purview of the Prime Minister’s Office (PMO), that have a co-ordinating role for the different sectors. “There will be some industry programmes coming out. At certain point, there will also be some vendor led ones,” said Seow. Gan noted that some industries have been sharing their security knowledge. The US has been sharing information for the past 15 years. For instance, there are such groups for the financial and manufacturing industries. “Many in the financial services industry in Singapore are subscribed to this. This information has helped us to protect our networks by understanding how these attackers work. However, in Singapore today, this information sharing is still in an infancy stage, with a lot of potential for industry to come together,” said Gan. APRIL 2015 | www.ncs.com.sg 15