Discussing September Cyber news with Gar, Dan and Brad

Gar O’Hara is back again with Dan McDermott and Bradley Sing for the September monthly roundup episode. Gar and Dan take a look back over the month that has been and the insights that our September guests brought to the show. Brad and Dan discuss the latest in cyber security news including the shutdown of the New Zealand Stock Exchange, the incredible 2,266 cyber security incidents countered by the ACSC last year, the hackers that claimed to have breached the Department of Education, the 54,000 NSW drivers licences that were potentially exposed and the world’s first recorded fatality attributed to a cyber attack. After the news, Dan and Gar take some time to dive into detail on the governments code of practice for the Wild West of the internet, the IoT.

The Get Cyber Resilient Show Episode #33 Transcript

Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient Podcast, I'm Gar O'Hara, and today is our monthly news roundup. Cohost Dan McDermott will take us through the episode today, and is now tradition, he and I start with reflections on the guests, and the learnings from each interview this month. Bradley Singh, our regular guest then joins Dan to cover the latest news, where they talk about the New Zealand Stock Exchange shutting down in the wake of that offshore cyber attack.

The ACSC addressing 2266 last year, hackers claim to have breached the Department of Education, Skills and Employment, the K7 myth. 54000 New South Wales drivers licenses exposed in a data breach. And particularly heavy piece of news, in that it looks like we have the world's first fatality directly contributable to a cyber attack. We finish the episode out with Dan and I covering the government's code of practice for the Wild West that is IOT and internet connection devices. So over to the episode, please enjoy.

Daniel McDermott: [00:01:08] Welcome to, uh, this episode of, uh, the Get Cyber Resilient show, where at the end of the month, we, uh, we look back on the amazing guests that we've had on the show over, over the previous four weeks, um, and reflect on that. And then also reflect on some of the big news items and what's been happening in the industry. So, Gar, welcome back to the show, and uh, you've had another interesting month of, uh, of having amazing guests that have, uh, been very generous with their time, and, and spending that with us in terms of discussing all things cyber.

Um, you started off the month with Michael McKinnon who is a, the deputy chair of ACER, uh, here in Melbourne. And really spoke a lot about, I guess, the skill shortage that we know exists in the industry, and really how to hit that head on with starting with the role of education and, and certifications in the world of cybersecurity. Can you tell us a bit more about what Michael's take was on, on the, I guess that education and certification process?

Garrett O'Hara: [00:02:04] Yeah, so I, I kind of, um, we've, uh, me and Michael have crossed paths multiple times over the years [laughs]. And um, I think I mentioned this in the, in the episode, where he did a, an absolutely cracking, uh, plenary talk. Um, on the CISO and the gunslinger. Highly recommend that if people haven't already watched it. But uh, this summer ends, I was one of his students, so I've just gone through the uh, sys training, and haven't sat the exam.

Um, petrified by the exam, but um, spent many weeks listening to, to Michael, uh, talk us through, you know, like the various kind of, um, domains of knowledge, um, as part of sys. So I guess he's probably biased, because he [laughs], he's a guy who's actively trying to educate, um, you know, people in this industry. Um, I did look at the comments from, Michael heard that it's obviously important, it's not everything. Um, but it's, it's certainly a really useful thing.

Like, I can only speak for my personal experience that I learnt an absolute metric ton of stuff in that course. And, um, you know, sys, because everyone says it's a, an inch deep and a mile wide. And in many ways, I think what, you know, Michael said this is, part of it is just letting you know what you don't know. So that, you know, you can go off and actually do the, the further education and research, and the bits that you potentially just weren't exposed to before. Because it is such a huge kind of world that we operate in.

Daniel McDermott: [00:03:20] Yeah, and but definitely something that is critical to the entire success of the industry, right? Is this getting that training right, and making sure that we do have, you know, experts in, in our field, so that we can continue to, uh, evolve and, and, and face those attackers head on.

You moved, move onto the second, uh, episode in the previous month was with, uh, Joseph Carson, um, from Thycotic, who is their Chief Security Scientist, and advisory CISO. Um, really different conversation, and something that I found really interesting is being based in Estonia, and how he spoke about looking at, you know, I guess cyber resilience at a national level. Um, and that's something that we've been talking a lot about in Australia recently, as well.

And how Estonia's gone about trying to build cyber trust with their citizens. Um, what was your take on, on, on Joseph and I guess where Estonia are going with their, uh, their digital footprint, and, and building that cyber trust.

Garrett O'Hara: [00:04:16] I absolutely loved that conversation, and you know, it, but always learn stuff from the, the conversations we have. Um, but Jo- [laughs], Joseph was particularly enlightening, because I didn't realize to the extent, um, that Estonia is this kind of advanced digital, digital society. And you know, the genesis of that with the, you know, the troubles they had with some of their neighbors back in the day, and you know, how they've kind of, uh, evolved into this society that really, it, it, it's funny, because I'm, when I was doing the research for that, I was looking for commentary from, you know, news and citizens, and stuff like that.

And some of the people there, when they're asked, you know, about storage of data. They're very kind of against the idea of things being stored in paper. Like, for them, they are all about put it on, put it digital. I can control it, you know, I'm, it's, I, I, it's transparent. Almost the complete opposite of what you see in so many other countries. And uh, like, as Joseph kind of talked through that, and how they've kind of educated and changed an entire nation, um, multiple times along the way where, you know, these light bulbs are just going off in my head.

Especially around the data embassies, which I'm, uh, been slightly obsessed with, because it just seems like such a cool idea. And points to true resilience thinking, which kind of, for, for those who don't know, Estonia did the kind of analysis of where, where should they store data? And because of the potential for kind of land based attacks, because of where they are, having everything kind of backed up within their region, as in, in their country, didn't really make sense. Because in a land based attack, that stuff was going to get wiped out potentially too.

And with them, as a country, because everything is digital, you're talking about your whole life. So your identity, um, your driving license, your tax return, everything is digital and online. So it would be a big deal for that stuff to get wiped. So then, they went and, and created what they call data embassies, to get over the problem of data sovereignty. Which is, chuck the stuff in different countries, um, in these data embassies, where they're a bit, essentially still sovereign soil.

So, you know, or considered at least sovereign soil. Um, what an, what an elegant and beautiful way to take care of that problem. And what big thinking, as you said Dan. Like, it's national level cyber resilience. It's just, it's, I love it, absolutely love it [laughs].

Daniel McDermott: [00:06:29] Yeah, I was fascinated by the whole digital embassy concept, and, and it takes the notion of data sovereignty to an entirely new level. I think, and everybody thinks about you know, you've got to keep it on, on shore. And I guess as, as an island here, far away from a lot of the rest of the world, that may be possible. But it's, everywhere is a, you know, has risks in that, and the ability to, to have resilience at a, at a new level and creating these digital embassies is, uh, yeah. It's quite incredible and was really fascinating to learn about.

The next guest you had was, uh, Andrew Bycroft, uh, the CEO of iResilience, and the author of the Cyber Intelligent Executive: Securing the Future of your Organization. Um, which is a good read, and everybody should, uh, get a hand on that as well. And um, really I guess this is a, you know, interesting take on the notion of building in resilience and security as an executive conversation, and really driving that from the top down, um, across all organizations of all different sizes. And how to get the mind share of, of people at that executive level, and then sort of building that culture if you like throughout the organization from there. Um, what was your take with, uh, Andrew's, Andrew's views on sort of building that resilience and security across, uh, the sea, I guess the sea level and board level, and then across the organization?

Garrett O'Hara: [00:07:49] Yeah, so like, Andrew, I, I've crossed paths again with him, um, a, a couple of times. I think we've met at conferences. Um, I, we, we, one of the sort of engagements we had, um, some time ago now. He was in there as a, a security consultant, so kind of got to know him, um, during that process, and I really like Andrew's thinking. Um, it's a little bit different. You know, it sort of comes at this stuff from a different angle, and I think as you just said, the, the importance of culture in cybersecurity, but that board level understanding of the difference between cybersecurity and cyber resilience, I think, um, it's incredibly important as a, a difference, you know, a thing to understand the difference of, I should say.

Um, but I particularly like his, he's kind of codifying some of the kind of, the stuff around, um, you know, creating models. So you've got different tiers and understand where an organization is in terms of cyber, uh, resilience. And also his attributes, um, around culture, because I think sometimes we have these conversations. But what you really need is just the detail, um, you know, to, to really understand, what does good culture look like?

And I think Andrew's done a great job of, uh, breaking down the, the attributes, or the things that you would see in a good culture that plays into, um, to cybersecurity. So yeah, it was a, really enjoyed that, that conversation.

Daniel McDermott: [00:09:03] Yeah, you're right. It's easy to say the words, you know, create a security culture. But uh, you need some practical ways of actually how you go about doing that, and I think, you know, he provides that framework that I think we all can sort of n-, you know, learn from and start to be able to adhere, and make that notion of, of a culture, I guess of practical in terms of its application, um, and roll out across the organization as well.

And, we finished up, uh, with our most recent guest, being uh, Beverley Roach from, uh, who runs her own, uh, podcast. I definitely would encourage people to jump onto that, called Cybersecurity Café. Um, and is currently the, uh, interim CISO at Sigma Healthcare. Um, and I guess a, a wide range of conversation again, but a, you know, the common theme so often is, is the role of humans in, in cyber and what it means. Um, and again, Beverley has, you know, great insights on that.

Garrett O'Hara: [00:09:59] She definitely does, and I, I said this I think in the interview. I particularly like speaking to people who have got that kind of broad range and depth of, uh, experience within their careers. And Beverley's done, you know, data privacy, security, and a bunch of different companies. Um, including, you know, the safety office back in the day, as well. So like, has, has um, significant form, um, in the industry, so is particularly good at sort of commentary.

And you're spot on Dan. You know, it's back to the humans, as it so often is. And um, you know, the insights I got from Beverley were really around some of the myths, I think from you, is the thing that stood out about, um, you know, humans and cybersecurity. Um, but also then looking at the, the management of the lifecycle of, uh, workers as they come into roles, and how security plays out for someone in a maybe, like a marketing position, versus somebody in an op-, operational, uh, position.

Um, but the idea that security isn't the same for everybody. And, um, you know, really the idea that if you're delivering the same security messaging to like, the technical teams as you are to somebody maybe who sits in, in finance or human resources, like, those two things are probably not going to land in the same way. So, um, phenomenal conversation and, and you know, I could have easily talked to Beverley I think over a cup of tea or a pint for hours.

Um, she's, she's a very, uh [laughs], natural podcast host, and um, yeah. L-, the episodes that they, they have I think are definitely worth checking out, including stuff around design thinking. Uh, which I think is particularly, uh, applicable to certainly the human side of cybersecurity. So yeah, definitely one for, uh, our audience to check out.

Daniel McDermott: [00:11:35] Yeah, for sure. So, uh, that sort of wraps up our review of, uh, the, the latest editions. Um, thanks again to all our guests. Um, really incredibly generous with their time, and giving us the insights, and being able to share that with our audience is, uh, is something that we really appreciate. And look forward to, uh, the next lot of guests that I know you've already, uh, lined up, uh, going forward as well. So, thanks again Gar, and we'll speak again soon.

Garrett O'Hara: [00:11:58] Thanks, Dan.

Daniel McDermott: [00:12:01] Well now we have a look back at what have been some of the big incidents and, and news breakers if you like of, uh, the last month. Welcome back to the show, Bradley Singh. Brad, good to see you, how are you going today?

Bradley Sing: [00:12:14] Very good thank you, Dan. I'm, uh, trying to investigate at the moment actually, because uh, a strange piece of metal randomly fell off the building and hit my car. So, that's what I was doing this morning [laughs]. But today we're here to talk about cybersecurity. How are you, Dan?

Daniel McDermott: [00:12:27] Yeah, good, and uh, yeah, it was definitely, uh, blowy here the other day. And um, uh, I'm glad you weren't outside at the time, that's for sure. Well today we're going to look back on some of the big, you know, news items from the month, uh, that's just taken place. And we're going to actually start, um, over the ditch, in, in, in New Zealand, with the New Zealand Stock Exchange, and you know, the fact that they were taken down by a denial of service attack. What can you tell us about that?

Bradley Sing: [00:12:53] I think the, the fact that they were taken down was one thing. But they were actually down for five consecutive days, um, which is probably one of the larger attacks we've seen against a, well, financial institution, especially New Zealand. Um, it appears to have been a DDOS attack, and I'm sure everyone's familiar with a DDOS attack, so effectively sending large amounts of network traffic, or making it so the server can't respond.

Um, interestingly enough, the New Zealand Stock Exchange, they even changed their hosting providers from Extreme to Akami, halfway through. The attack's still, still persisted. And I guess this raises a, you know, a wider conversation. Like, if it's your provider which gets targeted, what do you do as an organization to help mitigate that risk?

Daniel McDermott: [00:13:30] Yeah, and five days down for a stock exchange is a long time, and you know, it has, you know, huge flow on impacts on, in terms of the economy and what's happening in that market. And you know, as we know in the, these times of, of the pandemic, and, and things, the economy already struggling and on its knees in many ways. You know, attacks like this certainly, you know, obviously don't help at any time, but are making things even worse at the moment, as well.

Bradley Sing: [00:13:55] The market did close down that day in New Zealand, and it had been up every single other day of the week, when the attack first happened [laughs]. So, not sure if it's related or not. Um, it does go hand in hand, um, from a be prepared advisory which the GCSV, so many acronyms in cybersecurity, security. Uh, the Government Communications Security Bureau over in New Zealand. Um, they had a be prepared advisory, kind of advising it to look, look out for state sponsored attacks, ransomware and BC. So it kind of goes hand in hand.

Interestingly enough though, the New Zealand Stock Exchange has also responded in that they're created an additional website. So I think it's announcements.nzx. And it's effectively hosted in different infrastructure. And what they do there, is the secondary, they post the top 200 announcements every single day. So a little bit of resilience if the main platform goes down.

Daniel McDermott: [00:14:38] Mm-hmm [affirmative]. Oh yeah, definitely a good idea to always have, have a secondary way of doing things right? You never know when an attack might, might strike, and the impact that it can have. So yeah, definitely good planning on, on their behalf, on, on that front. We then sort of look at, uh, back here in Australia, the, um, we had the annual report released, uh, by the Australian Cybersecurity Center. Um, looking back at the last financial year, June, um, July 2019 sorry to June 2020. Um, on the number of, uh, incidents that were being reported and investigated by them.

Um, nearly 2300 incidents. Is this something that, you know, we should be worried about? Is this a big number?

Bradley Sing: [00:15:22] I mean, it's a big number, and definitely should be worried about. Um, well what I would say is, look, for anybody interested in cybersecurity, and I'd like to assume that probably most of our listeners are, listeners are, given the nature of the podcast. Um, the annual report, the ACSC, it's more acronyms. Australian Cybersecurity Center release, um, is an absolute treasure trove of information in terms of different report of breaches. One of the interesting stats, um, from the last, the latest report, um, was highlighting the fact that government was the most highly reported.

And I'll leave it there as a key word on reported, as well, because it still is, this is on organizations to report their breaches, as well. So potentially we do see maybe more reporting around government. But outside of key government, uh, 35 percent of the breaches were around critical infrastructure. So, we're talking water, health, communications, and education. Which is consistent with what we've been seeing over the past kind of year or so.

Daniel McDermott: [00:16:13] Yeah, and it definitely ties into the overall sort of narrative around, you know, security at a, at a national level and what that means, and, and how we need to be prepared, and the notion of those attacks on our critical government, and critical infrastructure. Certainly ties into I guess the go forward plan from the government regarding sort of positive security obligations. Um, or PSO, as we, uh, as we're liking the acronyms today. Um, you know, and what that means going forward as this legislation will come into the effect, you know, going into next year, as well.

so certainly, uh, you know, it's a scary figure in terms of the amount of I guess attacks and incidents that have been reported, uh, in the last year alone.

Bradley Sing: [00:16:52] I, I would say as well-

Daniel McDermott: [00:16:54] So we use this-

Bradley Sing: [00:16:54] ...just, there is some good stats in there for anyone listening as well. Just, uh, in terms of the, the entry vector. Um, not, unsurprisingly, email does remain the number one attack vector, but we do still see in this, um, quite a high amount of compromised accounts, as well. And I just think if we think back to some of the sophisticated attacks, like ANU last year, where they gained access to the network, sat on that for a very long time. We're going to see more and more of these attacks, where they're potentially using email as the entry, but then sitting on the network for a, for a longer period of time.

Daniel McDermott: [00:17:23] Yeah, it's a scary thought to think that there are, they're just, they're lurking in the shadows, right, at uh, at all times.

Which leads to a, another I guess, a large scale sort of breach that has been reported, um, and, uh, one that you know, around sort of Department of Education, and a particular, um, online maths program, um, called K7 Maths, um, that has been, has been breached, and sort of uh, picked up and reported by AusCert. Um, what can you tell us about that?

Bradley Sing: [00:17:52] So, from what I could tell, this breach was huge. Um, not new in the sense that allegedly this breach happened earlier in the year, I think about March, uh, or kind of in around April time. Um, but originally there was a, a, effectively what happened is, somebody found it online. They found a dump with a bunch of, uh, student details, uh, hashed passwords, um, on a forum for sale. Um, it was reported to AusCert, and AusCert went and quickly started to investigate, to try and figure out what it was, where it was from.

Originally, it was thought that maybe it was the Department of Education who had been breached themselves, but it was a third party provider in this instance, K7 Maths. I had a quick look at their website, they offer some type of classroom services for students. But that's a lot of data. It's also consistent with what we've seen, um, earlier this year, when there was an app called Math Away, which was breached, where 25 million users lost their details, as well.

So I think again, really pure point early, Dan, focusing back on education as, as a prime target. But, also again, raising that concept of, we're dealing with third parties. Who's our providers? What security do they have in place, and then ultimately what happens, like, who, how do we then I guess resolve this and, and move forward? Where's the resilience approach to it, and what's the plan B?

Daniel McDermott: [00:19:01] Yeah, this is one that, um, I hadn't heard of in, in the news, and that, had missed it previously. So it's, uh, good to learn about it really. The first thing I did was, uh, went to my boys and asked whether, uh, whether they've been using K7 Maths at school or not. Uh, um, fortunately neither of them recognized the program, and, and thought not.

But it was certainly as a, as a parent was a concern of, you know, you don't want, you know, kids' details sort of out there online, and, and you know, just the fear of what might go wrong in, in when they get, falls into the wrong hands. Um, and who they might sort of, who, who could target them and that type of thing. So certainly one that, uh, be aware of, and uh, yeah. It was certainly a learning on my behalf, as well.

Bradley Sing: [00:19:39] There, there is an advisory out as well, so if anyone is, um, I guess looking for recommendations, or worried about their privacy, the, the kids' privacy as well. Um, there was an advise, one of the advisories from AusCert was saying that they'll probably see a spike in BC or fraud style attacks as a result of this. There was actually a campaign a couple of years ago targeting Australian schools, where what they did is, they effectively got a dump of usernames or passwords. And they would email teachers across Australia saying, hey. I've got naughty photos of you, and they would put the plain text password they'd stolen from a dump in the subject line.

So I guess watch out for similar style of attacks, now that there seems to be a lot of details out there.

Daniel McDermott: [00:20:14] Mm-hmm [affirmative], well thanks for pointing out that there's an advisory on that, as well. That's uh, definitely something that everybody should be across and then be aware of. That, that's for sure. Um, I guess one that I have seen in the news, is certainly been around sort of the New South Wales drivers license, uh, breach, and what's happened there. And then I guess, the ongoing sort of investigation and response from the government as well, in terms of, um, the way that they've, you know, had to I guess forensically look at this, and what's the implications of that are. Um, so it's definitely a, a high profile attack, and, and one that, you know, again, a drivers license is, is something that can obviously be used in a wide array of sort of, you know, identity theft, um, as well.

Bradley Sing: [00:20:56] Yeah, look, I think New South Wales, um, from a cybersecurity spec-, perspective, haven't had, uh, the greatest track record recently. It's definitely been a lot of high profile breaches in the news. The clarity around this specific breach in terms of the 54000 drivers licenses, it looks like it was a third party. So, a, a third party commercial provider. Potentially nothing to do with the New South Wales government at all. Just had 50000, um, drivers license scanned there.

But it was separate also to the, the breach, um, which happened a month earlier, which was the 30, 47 staff who had their details compromised. But what it has spun up though, is a parliamentary inquiry at a state level in terms of how cybersecurity is being conducted. It's also important to note that the current New South Wales government has opposed mandatory data breach reporting at a state level for the past three years. But, recently as of I think earlier this year, they've, there's a new bill proposed around it.

So, a lot of spotlight around it. Um, this one technically not their fault, but, I think also again, highlights the, the, the value around these details. Um, the potentially accounts and identities you can steal with them. Um, but ultimately at the end of the day, the person, people who suffer here is the consumer. Uh, and I still don't think we've actually had an answer in terms of where they've specifically come from.

Daniel McDermott: [00:22:10] Yeah, like you say, it's, uh, the risks are, you know, throughout I guess your, your supply chain, right? I think that's always one of the things of like, where are you, where, who's, who are you using, where are you storing data? Um, and you know, how secure are they? And um, creates, you know, one of those vulnerabilities throughout the whole process, as well.

Uh, we're going to end looking at, uh, I think, you know, definitely a very sad item, and, and something that has been reported out of Germany recently. Um, you know, detailing the fact that, you know, we've had the first recorded death, um, resulting from a ransomware attack. Um, just incredibly sad, and in a tragic set of circumstances. But I think really brings to bare, and shows you know, the reason why, you know, we, we're so passionate about this industry, and what we're trying to do.

Um, because there is a real impact and a real human toll that can, uh, can occur from, from when things do go wrong. And when, you know, cyber criminals get in, and might think that it's just, you know, bit of financial gain. But the implications and the impacts on people, um, are something that are wide ranging, and, and, and really scary to think of, as well.

Bradley Sing: [00:23:21] Yeah, this was a really, really sad story. And like, I think important to talk about on the podcast as well, just because we, we talk about security a lot, and we see it, I think glamorized in the media to a degree, as well. But there is a real human toll to it, and i think this is a prime example of potentially where something unfortunately tragic may have happened as a result.

Um, effectively what happened, it was a University hospital in Dusseldorf, over in Germany. Um, prosecutors allege that ransomware is to blame, so effectively there's a patient. She was, needed emergency care, going to hospital. She got to the hospital, but effectively the systems were offline due to the ransomware attack. They sent her to another hospital 20 miles down the road, and she didn't survive.

Um, it's absolutely tragic in terms of, I guess, you know, the, the human impact from that. But if we start to drill down into the attack itself, it starts to get even more concerning. Um, they were using a Citrix, uh, an older version of Citrix, which had a very well known and public, uh, glitch, uh, exploit in it, which they hadn't patched. Um, so effectively it was a known bad. Uh, the ransomware hit 30 servers. Uh, in their investigations as well, and attribution, I know Gar speaks about this from time to time. It's always a hard thing to do.

Um, but German authorities are allegedly, it's going back to effectively Russian gangs or, or Russian trolls. The unfortunate thing about this also is that if we think about the industry such as healthcare, there is a chance they're more likely to pay ransomware payments, because they need access to the data so quickly. So it's this very complicated psychological play, where they're effectively holding people's lives at ransom.

Um, and again, I can't speak enough in terms of how horrible this was, but really hope that the, um, the university's, you know, patches their systems, follows the advisories, and follows good cybersecurity practice.

Daniel McDermott: [00:25:01] Yeah, well uh, thank you for uh, being able to detail that for us Brad. And uh, it, it's certainly a somber way to end the month in review, but something that, uh, is critically important, and does show the hi-, and highlight the importance of I guess you know, great security practices and what needs to be done. And um, you know, as an industry I think we're all sort of on that path together to try to, uh, create, you know, a more resilient world if you like, and that will, uh, certainly put us in good stead, and sort of hopefully you know, stop these types of attacks having the impact that they have recently.

Thanks again Brad, and we'll, uh, we'll catch up again next month. Look forward to it.

Bradley Sing: [00:25:37] Thanks for having me, Dan.

Daniel McDermott: [00:25:42] For the final part of today's episode, um, a return to talking to Gar O'Hara, regarding I guess what he has termed as, as the Wild West of security. Um, and IOT, and what's happening with the internet of things. Um, and the security vulnerabilities that come with that. Um, it's an interesting time, Gar, as uh, recently the government has also put out the, uh, the code of practice regard IOT devices, um, and something that I think, you know, we need to consider, how does that get adopted? Um, and what's the implications of that, uh, for society?

Garrett O'Hara: [00:26:15] yeah, like, and the implications are huge I think, is the, the really concerning part. And, the conversations I've had on this, uh, Dan, and you know, as recently as, and like, literally in the last hour, uh, with uh, with people on this. Where like, the reality is, you could walk into a, a Bunnings, you know, a hardware store, and you can buy a light bulb that's IOT, or you know, internet enabled. And you're, psychologically, you're not really set up to think about security in that situation. You're buying a light bulb, or you're buying a toaster, or you're buying a, you know, whatever the widget it.

And, I think you know, fundamentally that's a really different sort of place than sitting down in front of a computer where you know, you hope things like stay smart online, and those kind of initiatives are landing, and people are thinking about what they click on. They're a little bit skeptical of emails, or um, you know, it, websites that look a bit funny. You know, and the education that you know, is, is, we're hoping is kind of starting to land now.

That's sort of all falls apart when you go and buy a piece of hardware that is going to make your life easier, you know, to, you know, ring doorbells, or um, the, uh, you know, lots of different products out there. Um, cameras, um, so many different IOT devices. And it, I suppose the worry is, sometimes that it's too late. You know, the market is driven to cheap, and you can't really do cheap and security well, um, often.

And um, I think the government to, you know, to issue the code of practice I think is an excellent first step, and it's all common sense. If you look at the, the code of practice, it's about the kind of things that you would, you'd sort of assume are I suppose obvious from a security perspective. You know, vulnerability disclosure policies, um, no defaults, um, or kind of weak passwords. Um, so if we're being kept up to date. Stuff that, you know, you would assume is kind of bread and butter security, but actually given that many of the devices are basically manufactured to be as cheap as possible, because that's what's going to drive the market.

Um, like, my two cents is that, that code of practice is a good start, but um, you know, without some sort of regulation, uh, like, what's the incentive to do the right thing, if people will just buy the, the cheapest version of a, an IOT device. So I think it's an incredibly important conversation to have. And my personal worry is that we're maybe a little bit too late in having the conversation. Um, and it's very, very complex but I think the, yeah, the code of practice is a great start, and um, yeah, look forward to hopefully seeing, um, yeah, some legislation or laws that kind of, you know, protect Australian citizens.

Um, I think you, when you and I were talking, if I buy a toaster, I feel like I know I'm protected, because there's a consumer rights, and, and consumer, uh, laws that protect me, uh, from you know, the cable not being good enough quality so that you know, potentially there's a, an electric fire. So we have all these laws that protect consumers in, uh, you know, from normal devices. But they were never written for this age that we live in, which is, you can buy a toaster, and then have an app on your phone that tells you when you're ready [laughs], when your bread is perfectly browned, and you can walk into the kitchen and pick it up.

Um, but we, we need to have that conversation in my opinion. Um, the, you know, the risk of, uh, look, these things being a hop off point into people's computers, where they can, you know, then potentially steal, uh, information. Um, or, or do worse things. Um, I think it's a worry, and you know, we need to, we need to have an adult conversation about how we protect Australian citizens.

Daniel McDermott: [00:29:38] And is that where you do see it going, sort of from this voluntary code of practice if you like that is in place at the moment, to actually you know, being enforceable, and being part of legislation, um, to ensure that I guess that, that happens. But as you say, like, the thing is so many devices are now already out there.

Garrett O'Hara: [00:29:56] Mm-hmm [affirmative].

Daniel McDermott: [00:29:56] It feels a bit like the horse is bald.

Garrett O'Hara: [00:30:00] It, it does. But, I mean, the one sort of maybe positive thing about our consumer society is that people want the newest and the greatest and latest things. So, um, like you're spot on. There's a bunch of stuff out there that is a worry. But um, given we're, we're fairly good at sort of buying things pretty reasonably, um, soon. Um, I, I think what you set up is a set of legislation that as people are kind of renewing, I don't know, webcams that are, um, connectable, you know, sort of security cams that are IP enabled, so you can connect to them via apps in your phones, or you know, toasters, or foot warmers. Or like, pretty much everything you could possibly buy these days.

It's some version that's internet enabled. And I often wonder, like, why, why [laughs] is probably the question I have most often with those things. But whatever, like, I get it. You know, some of it's really convenient. Um, but you know, I would love to see that, that it is legislation rather than just a code of practice, because you know, market forces will just drive the cheapest if it's not regulated.

I mean, that's just how capitalism in its current form works. So the reality is, like, laws would service maybe not immediately, but what you'd hope to see is this kind of slow, trickle out of insecure devices and then, as people buy new things, they kind of have to comply with the equivalent of consumer laws for cyber gear. Um, that you know, we then see better protection for all of us.

Daniel McDermott: [00:31:20] Yep, definitely. That's certainly, uh, I think a lot to play out in that space, and um, definitely an area to keep, keep an eye on, and make sure that, you know, that we are sort of doing the right thing and being able to protect everybody at the same time as creating these new applications, and new sort of conveniences for life as well. So, certainly a balancing act to, to be struck there, that's for sure.

Well thank you Gar. I really appreciate your insights, and uh, thanks again for another great month on the Get Cyber Resilient show. Um, and looking forward to the upcoming guests in, uh, in new episodes, um, in the, in the coming weeks. So everybody, uh, look out for podcast Tuesday, each Tuesday the new edition will be up and live. Um, and uh, hopefully yeah, continuing the conversation of good cybersecurity and resilience in, um, the Australian and New Zealand industry.

Garrett O'Hara: [00:32:16] And that's a wrap for September. Thanks to Dan for hosting today's episode. Thanks to Bradley for the insights, and I hope your car gets repaired soon [laughs]. And thank you for listening. Dip into the past archives, and if you like what you hear, we'd really appreciate it if you subscribe and rate us. It helps us a lot. For now, thanks for listening to the Get Cyber Resilient Podcast, and I look forward to catching you on the next episode.