• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.



In our latest news update, the team discuss the latest cyber security attacks, hacks and trojans and how companies can better stay resilient. The GCR team explore the impact of the Nine Entertainment cyber attack, whether the 500M LinkedIn users' data for sale is a hack or not, how a hacker almost poisoned the drinking water at a Kansas water utility, the way APRA is bringing cyber security into focus for our banking system, and the rise of malware for collaboration apps.



The Get Cyber Resilient Show Episode #49 Transcript

Dan McDermott: Hello, and welcome to the Get Cyber Resilient Show. My name is Dan McDermott, and I'll be your host for today's In the News episode. I'll be joined by our resident cybersecurity experts, Garrett O'Hara and Bradley Sing. Good morning gentlemen, how are you?

Garrett O'Hara: Morning, Dan.

Bradley Sing: Morning, Dan.

Dan McDermott: Great to, to be back and reviewing, all things in cyber in Australia and New Zealand the last few weeks. When we put the last episode to bed, one of the biggest cyber-attacks in Australia happened, just at that time. So, Garrett, I think you made a quick footnote at the end of the show to, to sort of acknowledge what had happened with the Nine Entertainment Group. But it would be remiss of us not to, go back and I guess revisit that and, and sort of review what's happened over the last couple of weeks, where the situation's at and what the implications really mean for, for I guess Channel Nine and, and more broadly for the in, the cybersecurity industry. Garrett, what can you tell us about what's happened at Nine?

Garrett O'Hara: Probably not a whole lot to be honest. I don't think that, we still really know, exactly what happened. You know, it looks like it had the, the hallmarks of a, a ransomware attack except for the one key piece of, of kind of approach which is the actual ransom. Cause, you know, that's sort of ultimately where y- you sort of think that, ransomware attacks will end. So, you know, there's, there's hints of many nation state given that there was no ransom. You know, w-, it presumably then wasn't financially motivated unless the, unless they screwed up. I mean that's the other thing, I think we, we sometimes think the attackers are, you know, infallible and will always get it right, but there certainly have been instances where, organizations have been hit with badly-written or badly-performed ransomware, or the, you know, the encryption or, you know, potentially the [inaudible 00:01:48] part happens but the, the bit where they actually ask for the, for the money doesn't, through coding errors or because potentially some internal system within Nine or an organization has, has kind of blocked that from happening.

So, yeah, we don't really know is the, the truth. I think it's, it was a scary one for many of us just given the, the logo is very well-known. Many people would use Nine as a, you know, source of information and, you know, it is, one of Australia's larger, media organizations. And it wasn't just Nine, you know, it was a bunch of kind of, parts of that organization, that kind of broader organization, Sydney Morning Herald, the, you know, the printing was potentially affected. There were a few things that, that happened out of it. So, yeah, I, I think it's, it's worrying in, in s-, in terms of the, the scale and the scope of what happened. It looks like they were relatively okay. You know, I think we missed one, one show on the Sunday morning, that would've gone out otherwise that wasn't being able, wasn't able to, to get, broadcast live. But, you know, otherwise, for the most part, I think they, they maybe just got lucky. So definitely an interesting one. But yeah, just I don't know that we, we necessarily know who was behind it, which I think is an interesting position to be in, you know, so many weeks after the attack.

Dan McDermott: Yeah, definitely. It’s definitely had a financial implication, with their, their ability to, to book and serve their ads has, has been affected. So, there has been a fun-, an immediate, I guess financial impact on the organization themselves. But again, whether that was the intention, or that's just a, sort of a byproduct of what's happened. And I think that's the, I guess the little bit of the scary thing here is just not knowing what the intention really was, right? You know, with ransomware and holding, you know, holding a company to ransom, and, and asking for X amount of money, be-, it sort of becomes quite clear what the, what, the motivations are. Not having that, does m- m-, open it up for interpretation I guess is the way to look at it. And I think, you know, high profile media organizations, have come under attack around the world. Previously, we've seen that in, in the US and France previously. And we know that, you know, the power of the media.

Um, we see Malcolm Turnbull back in the media, you know, in the press lately sort of having a go at News Limited and the Murdochs. And we saw the, the sort of this dash in, with Facebook earlier in the year, right, with Access Seven News. So, I mean, you know, this is high-stakes games, that get played at, at that sort of level. And, and, you know, Nine being the, you know, imminent organization that they are in that space, certainly, you know, it does, it does create some question marks around, you know, who and why would somebody be, going after them, and, and what is the, the ultimate purpose of I guess, you know, such an attack as well?

Garrett O'Hara: Do you think, and this may be a, more of a question than a statement, but I, I think what happened in December with SolarWinds, with Accellion, some of the stuff that was very sophisticated, we now are almost mentally primed to think that when this stuff happens that it is, you know, really sophisticated, well thought out, complex attack chains. But actually, one of the things we, we need to be kind of very mindful of is that sometimes you just get unlucky and, and some bread and butter, you know, vanilla ransomware makes its way through an organization and, you know, hits somebody like Nine where, you know, you think that they would potentially be set up to, to fight or mitigate those attacks. But it could happen, you know? To, to maybe over-riff on your analogy for high stakes, you know, if it's a poker game, I don't know anything about poker but, you know, there is a chance I could sit down and just get lucky with the cards and, and beat, you know, world-class players. But it's not because I'm good at poker, it's just that I got lucky. And maybe we're seeing something like that.

Bradley Sing: There are some reports coming out that it, it may have been, MedusaLocker. And the interesting thing about that, that, strain of ransomware, it has been observed in the past that it hasn't always been used for ransom. So, potentially, to your point earlier like pure cause was, was maybe disruption. Like even working with other media organizations in the past here and across the pond, like I remember hearing stories where, y- you know, quite often, media organizations, journalists would get death threats because somebody watched a documentary and got upset and decided to send a nasty email in. But in a world where it's so easy to hack and, you know, target anybody, disgruntled people are, are now, you know, turning to the dark web and, and deciding like what to do and how to get revenge in other ways as well, I'm sure.

Dan McDermott: Yeah. And I think you're right, [inaudible 00:06:12]. In one of the, I think the word that's used most in every, breach that's reported these days is sophisticated, right? It's a sophisticated attack. So, and maybe we are, looking too hard for some of these things as well. But it's definitely, you know, the concerns there. There's no doubting that. And I think every organization is on notice, right?

Garrett O'Hara: Mm-hmm [affirmative].

Dan McDermott: I think there's no doubting that.

Garrett O'Hara: Yeah, you're, you're 100, s-, like that's the thing. You know, and we, we've talked about this, I think the three of us, but, you know, more broadly in the industry is that idea of, these big logos being hit. It's horrible, but in a way it kinda helps the conversation because I think it makes it much more real for board members, for, you know, the, the sort of senior, air quotes, "business leaders" within organizations to really kinda understand the impact that this stuff could have. Whether it's sophisticated or not, you know, that, ultimately, availability of services is, to your point, c- critical. And also, one of the things that may prompt organizations to do is kinda do proper business impact assessment where, to your [inaudible 00:07:13], I wouldn't have thought about ad revenue. You know, that's not where my head is at. And s-, you know, that, that for an organization like Nine would be huge. You know, it's, it's turning the tap off for a few days-

Dan McDermott: Yep.

Garrett O'Hara: ... and that could be very significant.

Dan McDermott: Yeah, definitely. And, so I think we're, moving on from the, the Nine story, to selling information on the dark web, Brad, we've seen another sort of social media scraping of personal information and that being, you know, sold and offered online and that. What can you tell us about the latest sort of scraping from LinkedIn and, and the offering of the data there?

Bradley Sing: Yeah, sure. So, it was, I remember I, I read about a, I think it was a week ago initially. And, and the headline read LinkedIn Breach: Hacked 500 Million Accounts Stolen and Sold Online. And I think quite often we, we hear about these, live data breaches. But when we look a little bit closer, one of the most popular methods that people are using to get data today is, is effectively social media scraping. We saw this quite recently as well with Facebook. There was a database which was posted on a hacking website, had about eight million Australian records on there, things like phone numbers, photos, first names, last names, et cetera. But I guess the challenge for some of this stuff is like it's already out there. Like I know if you're trying to hunt down a person to contact them, you can go to websites, and it'll give you their email address, if you go to their LinkedIn page as an example.

So, I would argue to a large degree that a lot of this stuff is already out there. But, by the same token, I think, the disturbing thing with, with some of these attacks in the past is that hackers have been quite clever and leveraged APIs to scrape a large amount of data. So, whilst those are obviously meant to be here for, for protecting things and sharing information for the systems, they can also be used I guess to rapidly exfiltrate large amounts of personal data from a platform as well.

Garrett O'Hara: Is there something here, almost going back to the Nine thing in a way, the, the media angles and how these things get reported is, you know, they, words like hack get thrown around, and quite often it's not really hacks at all. What you're seeing is kinda aggregation of stuff that's already been breached. And, you know, some of the big headlines that I remember from last year were, you know, Biggest Dump of Personal Data on the Web and stuff that, to your point, Brad, it's already out there. All you're seeing is that the data is being kind of aggregated into larger data sets, and it makes headlines. But actually the, you know, the risk hasn't changed for an individual. You know, the stuff is already out there.

Bradley Sing: Like I wanna say there's articles of clickbait. But also, to the same, same I guess volition, like it is quite important. I think we covered a, it might've been a, a, a social media management company which got breached in an earlier episode. And basically, what they did is they scraped social media, and that was their, their database of data they marketed and worked from, if you will. So, it is a very common thing. And, and I guess maybe it is to a degree up to the platforms to protect us. But also, as individuals, like we all know as soon as we place something online, it, it's there forever. It never goes away.

Garrett O'Hara: It is, unsettling, yeah, how much stuff gets put out there and, and how little, yeah, people seem to care about that. Yeah, it's bizarre.

Dan McDermott: I guess there's a layman, if it seems so easy to be able to scrape these sites and get the information, is there actually any value in, in offering it for sale? You know, would somebody actually be willing to pay for it? If, you know, if the bad guys really have that intention, would they just be able to just go get it anyway? So like the fact that it's, you know, there and for sale, yes, that sounds bad. But probably others are already doing it anyway and just not, and, you know, if they want to, if they want the information, they could probably go and get it.

Bradley Sing: It's a valuable list. Like, in fact, most of them are quite valuable, I guess. Just because if we think about like LinkedIn, I think LinkedIn only had 500 million users a few years ago. So, like it'd be fairly, fairly up to date I'd say. But like you're right, like you can get all this information from the phone book. If you really want to find someone, you can find them. But what you're probably gonna see I'd say is large campaigns of phishing attacks to those email addresses over the next, you know, kind of two to five years. And it'll be the fallout effect from this which will probably catch people out in the long term.

Garrett O'Hara: And I think that that's, yeah, right. It's not, it's not necessarily that they're buying this stuff to go after individuals. It's for large-scale, automated at- attacks where, you know, that, that's the value here. It's not, you know, they're gonna go find Dan McDermott, they're just gonna go find anyone who's in the list and do things like cred stuffing and all of, all of those fun things we hear about all the time.

Dan McDermott: Yep, and therefore create the, the risk at scale, right, that somebody's gonna fall for something and, therefore, they get a win somewhere along the line. Yeah, it's certainly a scary thought of the volume that could, could be impacted out of something like that.

Garrett O'Hara: And then potentially what happens when you correlate that data set with another one. You know, that's maybe something else to think about is, you know, this in and of itself might have what seems like innocuous data. But, you know, and we've talked about this on previous episodes that, that sort of, using, using multiple data sets to kind of have useful stuff emerge that you can then use to either do social engineering attacks or even automate at a higher level. And so, there's a bunch of things to maybe think about there as well. It's not individual data sets, it's what they potentially mean when you buy two of them. You know, is there, is there stuff that emerges from those?

Dan McDermott: Hmm, definitely so. And Brad, one of the biggest trends that we've seen over the last year, obviously, since COVID and working from home or working from anywhere as we are, is, is the rise in, in alternative communication tools, and, and in particular collaboration platforms as part of I guess this, you know, new working environment and, and how people do collaborate, across, you know, multiple, locations on a, on a regular basis. But we've started to see that there's been some research done with, some vulnerabilities that are appearing through the fact of u-, the rise of these collaboration tools. What's been going on here?

Bradley Sing: Yeah, so this is based off a report by, TELUS that, effectively looking at, the rise of collaboration applications throughout the, I guess work from home and COVID, but then the potential effect a- and use of them as a delivery method. Now interestingly enough, like I'm, I'm sure we're all, we're all aware of, you know, we all moved to working from home and, and using remote applications, but with the rise of memes and animated GIFS and stuff that we're sending each other in kind of a, an internal chat, chat rooms, what happens if there was a piece of malware or a virus behind that? Would we actually know if one of your colleagues had been compromised? I'd say there's a very large chance that you actually would.

Garrett O'Hara: Yeah, totally agree. It's, it's funny we're talking about this. I got a message from a very well-respected cybersecurity person, over the weekend. And the link looks right, it's to, to sort of help out on something. But, you know, I, I, I don't know, that paranoia has started to creep into other areas where... Now, this is somebody who I suspect is very good at minding and managing their online presence and, and would have two-F, two-factor auth turned on. And I'm just, I'm paranoid. But to your p-, comment, Bradley, it feels like we're just adding more and more ways into organizations and not necessarily building the security around those things. An- and with active content, you know, things like Slack being able to share Word docs, you know, with a macro. And macro does a connection to a CNC, or whatever it may be. But and didn't Slack open their, their communication so you could actually potentially invite people outside of your organization to use Slack as a means to communicate with you [crosstalk 00:14:28]-

Bradley Sing: You, you, you, you can. Like they're, they're kind of open platforms to, to a degree. And, and Discord, I'm not sure if you guys are familiar with it, it's probably more popular in the gaming community. But I think Microsoft have just announced plans to potentially buy them. Discord's even worse for I guess kind of open, open communications. But a big problem behind both Discord and Slack is that when you upload a file to share, it gets uploaded to the Slack or Discord CDM, so it effectively compresses the file, but it also changes the hash. So, if you upload a virus or a piece of malware and if that person goes to download it on the other end, it's gonna be a different hash to that it was originally. So, the chance of infection, especially if you don't have any, I guess kind of corporate controls around these types of services, which hardly any organization would, and the risk of infection is so much higher.

Garrett O'Hara: And then you're into, I mean that's why people are buying CASB. You know, it's, it's for that, this exact use case. And also, that's why zero-trust is emerging, right? I mean it's, it's that thing of just don't trust anything ever. And-

Dan McDermott: Yeah, there's no doubting and this is, you know, gonna be a, a rising concern, and I think we'll see more, you know, attacks and sophisticated attacks I'm sure being, reported by collaboration tools, right, this year. And it's gonna, it's sort of a, a vulnerability and, Bradley, you know, a great way of sort of, you know, highlighting that vulnerability in terms of the actual technology and what's required to, to look to, to try to shut some of this down. Because, you know, it is, it's, it's something new and it is creating a potential sort of, you know, weak link in the chain, you know, like, where other areas of, of being invested into, and, and we're seeing, you know, some good results and that. But we always sort of se- see things get through anyway even on main channels like email and stuff. So, to see a, I guess a new channel that can be, exploited, is gonna be an interesting watch and see I think throughout the year as well.

One of the, the biggest, I guess attack vectors that we always know is just the notion of the disgruntled employee. And, and we saw one recently in the US where, where it was a, a former employee at a, at a water plant, not happy but had access to all of the, the system still. So, even though they'd, they'd left, and obviously probably left under, not great circumstances and were quite disgruntled in their own right, was able to still access, the, the water treatment plant itself, and create a huge, you know, you know, public health scare and, and massive implications of what happens, with those type of attacks. So it's an interesting one but one that li-, again, is highlighting I think the importance of, you know, being able to lock away our critical infrastructure. And I think this is an ongoing theme, throughout this year and certainly here in Australia with the regulations starting to, to come to life.

Um, but also like just sort of showing the fact that, you know, if you don't sort of, you know, stop those disgruntled employees and that malicious insider, it can become, you know, a really serious situation really quickly for people.

Bradley Sing: Definitely. I mean this story to me, like, there's some interesting things going on here, to me, that a 22-year-old ex-employee could do what he did, or even a current employee. Forget about being disgruntled. Even if you were an incredibly happy employee, you should never be in the position where an individual can log on and make any sorts of changes that could have, such a, a huge impact to critical infrastructure. Basic security is, I think they call it M of N controls or, you know, multi-person control. You want to go back to the '70s m-, you know, the movies where the, the nuclear bombs can only be set off with two keys. It, it to me is the questions I would be asking if, you know, if I was in Ellsworth County in Kansas is, "Hang on, like how di-, how did you guys have your systems and processes set up in a way that allowed this to happen?" Cause it feels like maybe, yeah, may- maybe this shouldn't have, have happened at all just based on just good pro-, pro-, process.

It's one of those things, you know, w-, obviously we're here talking about cybersecurity and resilience but so much of the things that we talk about can often be fixed with thinking about what good process looks like at a human level. And not just the awareness stuff but actually building the human processes so a 22-year-old disgruntled or happy employee could never ever log on and make changes to something as critical as, you know, with a water system. And then to your point, Dan, this could've been huge.

Dan McDermott: It was quite dangerous to just jump in there.

Bradley Sing: Yeah.

Dan McDermott: Like what he tried to do was he tried to up the sodium hycloroxide in the water to effectively make the water toxic. Um-

Bradley Sing: That's bleach, isn't it? Is that-

Dan McDermott: I'm not too sure.

Bradley Sing: I think it is. I think that's like, you know, household bleach.

Dan McDermott: Wow, there you go. He did get caught though. And he is, I think he's getting charged and potentially facing up to 25 years in prison. But it also came out that the, the organization didn't have a firewall in place or even strong password security. So, I think that's probably actually the, actually the real reason behind it. [laughs]

Garrett O'Hara: And, you know, to circle back to the critical infrastructure stuff, I mean that this is it, right? This is the bit where you kinda look at what we need, as a society, and I would say Australia but it's global, it's not, you know, we're not unique, is d- do you need to regulate this stuff so that there is no option or there are consequences, and big consequences, for maybe a cavalier approach to, you know, technical controls, you know, the process side of things where, building standards at a, a sort of national level, means that at least you can go into critical infrastructure ordered against them, you know, based on the nuances that exist within critical infrastructure and ICS systems and SCADA and all of that good stuff? But, you know, it gives you some standards and baseline so that we at least know as a nation, you know, is there a desalination plant up for being popped, or is it okay? Or is this dam gonna overflow because a 22-year-old can log on and, and decide to make some, you know, huge change. You know, that's, I don't know, I think there's some good stuff that would come out of a, a Critical Infrastructure Bill around that.

Bradley Sing: Well, I worry about Texas, right? Like it just makes me think of like how like in America they've obviously segregated a lot of their infrastructure. Like from a security perspective as well, that starts to raise complications. Like they need to... I mean, look, yeah, I think great job from a government coming forward with the Critical Infrastructure Bill because like to, to both of your points, like this is the exact reason why.

Dan McDermott: So, Garrett, are you saying that not only should the individual, in this case be, you know, held to account and, and, and charged, but Kansas Water, should be on the hook for, for having, you know, allow-, almost allowing this to happen far too easily?

Garrett O'Hara: I'm very conscious that we're, we're recording something so, you know, I've got a personal opinion on this, which is that any organization, where they've got a, a sort of either fiduciary or societal responsibility, you know, there's a reason boards exist, there's a reason regulation, you know, the stuff we have locally, like the, that stuff exists so that we know what good looks like. And to me, if I look at any critical infrastructure whether that's kind of electricity or water supply, health, like there, there needs to be a conversation around who is accountable. Because it's really, really easy to externalize costs or to cut corners to make things look good on a balance sheet but actually the downstream costs are borne by people in Kansas, in this case, where, you know, potentially their drinking water is put at risk because somebody tried to save money, or the overhead of good security processes or technology was deemed too high.

So, you know, my, I'm, I'm trying to be maybe a little bit sort of weaselly here and not, not sort of answer directly. But, you know, you probably get the sense that what I'm saying is that, you know, in some way organizations on top of individuals, when, when, when you look at it, right... you know, I think if they've, if they've done good security and if, and somebody managed to work their way around it, then, okay, that's fine. But if you're at a point where one individual can make a change like this, that points to, you know, there's a question around what the processes were and how ser-, seriously security was being taken. I didn't really answer that question at all, did I Dan? [laughs]

Dan McDermott: No, I think you did. You know, the- they do need to be held to a hi-, a high standard, right? And, to hi-, to account in terms of actually, you know, what those, those standards look like-

Garrett O'Hara: Yeah.

Dan McDermott: ... and how do we, how do we know what, like you said, what good does look like and ensure that that is in place as, you know, as minimum standards. And I think that what we also see is, is, we talk about the Critical Infrastructure Bill, but regulators are looking at this all the time. And, and, you know, one of the leading I guess industries for regulation and trying to stay ahead of the curve is certainly APRA in financial services. And they've come out recently and, and have spoken about the fact that while the banking sector itself hasn't had a major breach and, and that they're acknowledging that it's probably o- only a matter of time, and that one of the vulnerabilities that they have is not just, you know, the, the, say the big four for example who, who pour millions into this and are trying to, you know, stay ahead of the curve, but it's all of the, all of the people that they work with in their ecosystem, and the way that that actually connects together can create that, that notion of a supply chain vulnerability.

And I think that that's something that is going to be incredibly difficult, as we move forward with the Critical Infrastructure Bill, that they're looking at industry by industry. So, you might protect within one sector, but when they start cross-pollinating and working together, you know, as an economic society, vulnerabilities may exist somewhere else. And, and somebody who wasn't held to such a standard could be the one that could be that weak link in the chain, if you like, as well. So, that, it's interesting that, APRA are talking about it almost proactively and almost getting ahead of, what's coming, with the, with the new reg- regulations as well.

Garrett O'Hara: Yeah, like it- it's, this is timely for me at a personal level. So, you know, [inaudible 00:24:24] what's happening with interest rates and, you know, s-, the, the money you, you get when you have money in a savings account is abysmal. So, I'm c-, so I've moved some of the very small amount of money that I do have into a, managed fund. And here's what happened. Signed up, got an unencrypted email from the third party that was doing the I suppose the, the management side or the, you know, the, the outsource platform for, you know, looking at and sort of managing the, the funds. And, like my, I, I couldn't believe it. I'm, I'm thinking like, "Really?" You know, it's 2021 and I've just got an unencrypted email with, with a, a [inaudible 00:25:03]. I think there was a password, but it had an attachment from memory with details of the transaction. And I raised it with them. That's, probably about a month ago now, and have had responses that have been re-, a little bit kind of lax in my opinion, you know, a little bit of, "Yeah, we're, we're working on it. We'll, we'll look to get it fixed within a couple of months." I'm like, "Are you kidding me?" What like what is going on?

Um, like to your point, Dan, I, I think there's a couple of big issues here. Finance and banking in general, they carry a huge amount of technical debt, massive technical debt. And I think one of the things that we've seen, multiple times is that when there is an appetite for those big changes that would sort of, modernize or, or get a, a large institution up to the point of kind of what you'd, air quotes, call a "reasonable ICT standard", y- you look at the cost and you look at sort of shareholder value and what it would mean, and people kind of shirk away from it and kind of go, "Ah, maybe next year. Maybe next year." And then it's, time goes by an- and the problem gets worse. I think that's a huge issue. And there's a huge, huge amount of technical debt in these organizations. And then that complex supply chain where you're seeing some of the, the sort of opening of how finance and, and sort of, that industry is done and the emergence of, you know, smaller organizations that are supply chains into the large organizations.

And, and to your point, I mean it, it feels a little bit not like a wild West, but I think, yeah, first of all APRA's remit probably needs to broaden a little bit when you look at what the, the, the organizations that they're actually able to do anything with. It probably needs to be bigger than it is at the moment. And then we're almost back to standards, you know, some of the CPS standards that they have out there are becoming, I mean like the CPS 234 is the big one, right? That was guidelines until was it July last year? And then it became a standard. And maybe that needs to happen with, with more of their guidelines and, and more of their standards. It's just stronger enforcement but to a broader set of organizations.

Bradley Sing: I, I think this is part of it. So, I think it's part of APRA coming out and saying, "Look, cybersecurity is serious this year," with, you know, they, they used the word cyber, so I think it's a lot an operational resilience, which I think is fantastic. I think it, it, like I said, a part of this is kind of going through and re-looking at the financial services, sorry standards. But I think you're right, like it only applies sort of to finance. But w- we've talked about this before but financial services or fintech quite often can be some of the most I guess advanced organizations or industries when it comes to cybersecurity and managing their data correctly just because they face these risks every day and then the dollar values are so real. So, it's good to, I think it's a fantastic thing to see. But also, it'd be interesting to see I guess how strong the wording is as well. For a lot of organizations, you know, we speak to every day, they, like they bring, you know, stuff like this up. But I don't think a lot of them also have really, I guess kind of looked back and, and seen how they stack up against some of these today. And, yeah, it's just a little bit of the back of mind but I'm happy something like this brings it a lot more forward.

Dan McDermott: Certainly not being a lawyer, but I think that the issue of w- who is the regulator is gonna become a huge issue in Australia as well. Like we're gonna see like, you know, APRA trying to, to set their standards and get ahead of things. The critical infrastructure regulations will come in. But who is the actual ones that are in control of, of actually regulating that and, or what does regulatory overlap look like as well? And is there then gaps of vulnerabilities within the regulatory system itself that might create some challenges and issues as well? To, to be able to get people to, to that higher standard and to hold it to account, if there's any sort of uncertainty as to exactly where, I guess the obligations actually lie and who can then be enforcing those as well as we go forward? So, I think it's a, it's a, it's a very big area that's gonna take not only this year but I think multiple years for this to, to continue to come to life and unravel as we, really, start to understand what this looks like going forward and what the implications are gonna be for organizations, to, to, to comply, how they're gonna actually be able to, you know, prove that compliance, to one or potentially multiple regulators as well as we go forward.

Garrett O'Hara: Yeah, it is spaghetti. It's, I, I, I think it's gonna be longer than two years. I think it's, it's probably, you know, we're a decade away from getting this stuff sorted. And that might sound very pessimistic but it's just incredibly complex technically, people-wise, legally. I mean that's the thing that makes me shudder. Like I just, I can't even fathom the, the, how you, how you build fair regulations and legislation around some of this stuff when, you know, you see at, at a very base level, when, you know, if something like a, you know, fake transfer to a bank account that was changed because of these, you know, being brandjacked as an example. You know, who's responsible there? Is it the, the organization that has got, that was brandjacked or is it, you know, the person who transferred the money without checking that the bank account was real? You know, it's, it's just a minefield.

Dan McDermott: Indeed, no doubt. Definitely, I think an ongoing one that, that I'm sure we're, come across again in, in, in episodes in the future as well. So, and on that note, we'll, we'll call this show to an end. But, again, Garrett, we're back to our interviews for next week and, looking forward to, to who you have in store for us, the next episode.

Garrett O'Hara: Yeah, it's gonna be part two of Jo Stewart-Rattray, so that's the one where we get into a pretty interesting conversation actually. I mean it's, it's around gender diversity mostly. It's probably, you know, broader diversity but incredibly important from a resilience perspective. You know, I think we, we often sort of focus on the breaches and the hacks and all of that stuff. But there's actually a whole set of things that we need to do as an industry around diversity. And we know diversity brings better innovation, it brings resilience, you know, all the indicators from a business perspective are that it's a good thing to do. And I would say it's, you know, the same applies to cybersecurity and cyber resilience. You know, get more, let's get more minds in here and let's get more people from b-, different backgrounds thinking about this stuff and, you know, get, get a better fix to, you know, so we can all retire and not have to worry with our abacuses and, you know, tinfoil hats. It's gonna be amazing.

Dan McDermott: Fantastic. Now, looking forward to part two. And, on that note, enjoy the week, gentlemen, and I'm going to look forward to the next In the News episode in a fortnight's time. Speak to you then.
