• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


In this week’s cyber security news, we discuss the ramifications of the hack and data breach on the popular streaming service Twitch that resulted in hackers releasing source code and details of creator payments. We also review the latest attack on our health industry with the hack of Macquarie Health Corporation, the news that New South Wales will be extending DMARC for all local councils, and the implications of new laws that will require Australian companies to report ransomware attacks.


The Get Cyber Resilient Show Episode #76 Transcript

Dan McDermott: Welcome to episode 76 of The Get Cyber Resilient show. I'm Dan McDermott, and I'll be your host today. This week is our in the news episode and I'm joined by our resident cyber security experts, Bradley Sing and Garrett O'Hara. And we will start with the confirmation from the interactive live streaming provider Twitch that it has been hacked, and its source code and secrets have leaked out. We will review the latest attack on our healthcare system with the hack of Macquarie Health Corporation. We'll look at the latest announcement from New South Wales government about extending the use of DMARC for all councils and LGAs. And finally, we'll take a deep dive into the federal government ransomware action plan.

Now, Brad, before we dive into the cyber issues this week, can you help me and some of our listeners understand what is Twitch?

Bradley Sing: Certainly, what, what is Twitch? That's a great question. Um, so it's just something which is, I guess, really popped up in popularity over the past 10 years. Probably around the advent of things like YouTube and kind of that whole people making content themselves, probably since around 2008, I think we really started to see the rise and surge of it alongside things like social media, of course, as well. Um, what it is, though, effectively, it's a platform where either anybody or a media organization, um, a lot of real life stuff these days is to where people were just doing things like cooking food, or it could be like live music as an example. Like it's not just video games anymore, but effectively it's a community where people can stream themselves and then also make revenue or have sponsorships and, and ads around it.

Now, in terms of what we've seen recently though, is potentially the, the, one of the largest data breaches on the platform where we've seen a lot of the creators on the platform. A lot of the individuals involved, um, have had their personal details leak, but also the, the dollar values that Amazon, um, AKA Twitch, um, is purchasing as well. Uh, sorry, it's kind of paying towards them. So I think there's a, yeah, it's, um, quite interesting. One in terms of, I guess, this from a, a sense of becoming a popular media, but also now a whole lot of details which have been breached and, um, potentially more as well. Um, from what I understand, it was, it was effectively uploaded as a torrent online, about 120 GB.

Garrett O'Hara: Yeah. Big, big trove it seems like, and there's some interesting stuff there. And the unreleased Steam competitor, that's not gonna be too good for Amazon, um, given, you know, whatever the privacy side of things, which is pretty serious. But I wonder about the financial implications here. Um, you know, if there from what I understand, it's the code and correct me if I'm wrong Bradley, but if it's the code for a Steam competitor, like that's, it's not a small thing to, um, to be out there in the wild and for hackers to have their hands on.

And then the other side of it is, you know, that they're reading through it, there's a backlash or, you know, people are a little bit upset knowing how much money they are they called Twitchers or your mind that's people who are looking for [inaudible 00:02:57], you know, whatever the dream is.

Bradley Sing: Streamers? I don't know.

Garrett O'Hara: Yeah. Streamers.

Dan McDermott: Content creators.

Garrett O'Hara: I'm so out of the loop, man. I saw this pop up on Reddit and I was, I didn't understand any of the things that people were annoyed about, made no sense to me. So I definitely feel old, but, um, yeah, I was looking at, at some of the backlash and, you know, thinking about the big numbers that have been thrown around, including some of the sort of Melbourne-based streamers from, from what I understand, um, you know, we've got some Australians making some mad coin from this, but the other side of it is, um, you know, if they're making mad money then presumably Amazon and Twitch is making madder money.

And I think that's the, the sort of interesting part for me is that how lucrative this stuff actually is. And I know in one of the articles, there was the question, why do people watch other people playing games? And I, you know, there was an explanation, but I'll be honest as a 46 year old, it made no sense to me.

Dan McDermott: No. All I can think is, is that it's an, it's another thing that, um, my kids will put down as a career ambition and it's like being a Twitcher is not a career, but anyway.

Bradley Sing: It's true. It's true actually that, I don't know if we've covered this already, but they survey kids in America and they said that, um, back in the day, everyone wanted to be an astronaut or wanted to be something like that, but I think now kids want to be TikTokers. I think that was the number one. [laughing] The number one thing kids wanted to be.

Dan McDermott: TikToker. Uh, it's, uh, it's interesting that like so much data got released as well. Like, do we understand, like why would somebody release it all in one go? Like, what's the motives behind this, but sort of, you know, happening in the background here that is, is driving, you know, breach is one thing, but then it's like, then, then sort of dumping it out there as well. What's sort of going on in that space?

Bradley Sing: Uh, one of the things I think we've seen with this community, it's, it's kind of almost grown up over the past 10 years, but it is full of a lot of, you could say toxic behaviour, a lot of doxing, a lot of harassment, a lot of people potentially getting rubbed the wrong way. Um, it seems like this is, I don't wanna say Robin Hood-esque, but it feels like somebody has purposely leaked path only funny, any part of it and really highlighting how much people get paid in terms of money. I think Garrett made an interesting point there in terms of the reality of how much of it, how much money is involved, right?

So from a competitiveness perspective, some of Amazon's internal tools, their intellectual property, the whole platform economy, we're kind of almost seeing a bit of an arms race from different companies, Microsoft, um, included, which are trying to go into that whole ecosystem and, and make money off it. In fact, I think Microsoft had a live streaming service, spent millions on it and then kind of got nowhere with it.

Garrett O'Hara: Yeah, and they try and like poach one of the guys that was on Twitch for millions, millions, millions of dollars to try and get him to go across.

Bradley Sing: He, he did. So [inaudible 00:05:41]. And he got banned off Twitch because he was entering an airplane. He was live himself and somebody called the FBI and they swatted the airplane, um, on live tuition. So, because of that, he got banned off Twitch, and then I think Microsoft paid him a couple mil to go over there.

Garrett O'Hara: Full-on. Look, do you, do you sort of see this as a version of the gig economy, because it was kind of where I was doing the research for this, I mean, it's basically people kind of hustling to make some money doing streaming, you know, for whatever. I think you said baking and there's some Dungeons and Dragons to find there.

Bradley Sing: Where do you learn stuff like that, like any kind of life skills. I, I don't think it's just video games, it's just a format, right?

Garrett O'Hara: Yeah. But it's, it's that thing where it's grown into a platform where it sounds like some people are using it as their kind of income source and, um, you know, having read, kinda try to educate myself on, on the world of Twitch before we had this conversation, you know, it sounds like some people are, are sort of irked and had, um, a day where they didn't stream or Twitch or whatever the verb that we were supposed to use is, um, you know, almost like it seems to kind of collective bargaining by the gig economists, oh, economist, gig economy workers, um, on Twitch. So you know, you kind of wonder, is there some of that kind of activist stuff in the backgrounds where, you know, is that a motivation here to release so much data?

Dan McDermott: It definitely sounds like some sort of hacktivism, right? Like that somebody's, you know, has got their back up about something, not agreeing with, you know, some sort of principle and there's like, you know, a bit of a one-upmanship is what it seems like.

Garrett O'Hara: Yeah. 'Cause there's no ransom demands. There was none of that. Right? It was basically, you know, it went from nothing to data exposed. So you got to assume that the, the motivation there is, is to your point on its activism rather than financial.

Bradley Sing: In terms of the technical aspect though, real quick as well. Um, from what I understand, it was originally, it was kind of interesting. 'Cause I remember when the news broke, it seemed like it was like an active attack on the platform, which told everyone to reset their passwords and stream keys as well. Because if you have somebody else's stream key, you could theoretically broadcast to anybody else's channel, so you could broadcast to a channel which has, I don't know, 200,000 people watching it and you could put your face up there or something nasty instead. So a lot of people say, yes, so there was a huge process, but it looks like it was misconfiguration on Twitch. And so obviously there's somebody out there who's, you know, downloaded the information, but another misconfigured massive cloud platform putting user data at risk.

Dan McDermott: Well, Bradley, you certainly seem to know a lot more about Twitches than, than Garrett and I, but it's a... And I think like it's obviously it does highlight the vulnerabilities of these large scale platforms as well. Like as much as like, as well as they're locked down at times, it's the scale that when something does happen, how quickly that can proliferate and then, and the number of sort of people that it can impact, but moving to our next story, which you know, is a much more sombre one and one that is close to home and a constant theme, unfortunately, throughout sort of, um, us delivering the show and, and during the health pandemic has been the notion of cyber attacks on our healthcare sector.

And the fact that healthcare continues to be one of the highest targeted areas. And we know some of the reasons around the value of the data that's considered to be there and that, but the fact that this continues to happen at this time when we know the crisis and the strain that the system is under at the moment is sort of just mind-boggling that it continues to occur. But unfortunately, we've got another latest story to, to report, which is around the Macquarie Health group, um, hit by a cyber attack. And it's affected sort of six, 6,700 people, um, across multiple hospitals. Brad, what can you tell us has happened here?

Bradley Sing: Yeah, certainly, Dan, we got no surprise there. Unfortunately, no surprise really that another healthcare provider, um, has been hit and targeted. I was trying to think massively about this, if there's anything kind of, I, I guess, almost unique from it, but part of me also wonders, you know, what is the, is there an answer to this specifically? But it is that whole problem of ransomware where it is that whole ecosystem. It, you know, it feeds itself and, and the idea that hospitals are so critical, um, in terms of this, this attack itself, so it appears that it was the, the Hive ransomware, which is something or at least a gang or group, which the FBI has issued alerts out for, I think as early, as kind of early September.

So they've been known about for quite a while, they've been in the news, um, they also targeted the Memorial Health System, um, which you guys may or may not remember that data breach from earlier in the year as well. Um, over in, um, I'm not sure actually where it was, [inaudible 00:10:17] health system. I just tried to look it up, but there's a lot of hospitals with the name Memorial in it. [laughing]

Garrett O'Hara: The problem is if you Google cyber attack in hospitals, there's literally so many of them there that you're going to struggle to find any specific one. It's, it's, it's an army of this stuff.

Bradley Sing: Yeah. You're 100, 100% right. But, um, what we can say though is about, at least about Hive ransomware itself is that they're systematic in the sense that they've been highlighted as being an unknown ransomware-as-a-service provider, um, there was some commentary from some news outlets that they were bragging to a degree as well. So, you know, kind of quite proud of their, um, their accomplishments and, you know, this kind of stuff is very common in any community, I guess. Um, but I would also say unfortunately, Dan, you're right. Like it's the human toll at the end of the day. Um, I think we've been probably quite lucky still up till now in terms of actual human toll of cyber in Australia when it comes to healthcare providers, but it's only a matter of when, when I'd argue.

Garrett O'Hara: I think that's it, isn't it? It's just a, it's a when, rather than if, um, and it's such a big, it's a big, I mean, I feel like every, you know, episode of this and all the other security podcasts and every kind of online media, um, sort of presence when it comes to cyber, it's just ransomware, ransomware, ransomware, um, time and time and time again, it just feels a bit like the worry for me is that, and I think other people is the, um, fatigue that sets in where you just get so tired of it and we end up normalizing.

Like, I'll be honest, [inaudible 00:11:47] so this was going to be one of the stories that we're gonna cover today. If you're all like a couple of years, there was probably some sense of not, not shock but like, oh no, this is really bad. But like, if you guys can tell me a day where there hasn't been a ransomware attack reported, like it's starting to feel like this is just normal and roll a, a little bit maybe like COVID will be, you know, we'll just learn to live with it. We're going to do, we'd like, you know, we'll, we'll try and get immunized, but we'll eventually just kinda end up having to live with ransomware at some level. I mean, hopefully not.

Bradley Sing: [inaudible 00:12:16] ransomware normal as well as COVID normal has, has began for [crosstalk 00:12:19].

Garrett O'Hara: Yeah. Yeah. That's it. And keep, you know, two meters apart, if you're an organization that maybe has the ransomware in the parks that you're like, this is probably some digital equivalent.

Dan McDermott: And I guess just interested in the ransomware as a service, just to sort of dive into that, we'll explain what that is before and that, so it just is Hive the ones that actually create the service that then others deploy, or have they actually deployed this themselves? Do we know like how that's worked and, and, and, you know, I guess, you know, if they're the ones developing it, they're probably taking the claim in order to try to, you know, drum up business for others. Right?

Bradley Sing: Yeah. It's like, I, I honestly don't know exactly where the, the kill chain starts or like who's, who's involved exactly. But I believe it's quite sophisticated in the sense, like the Hive piece of software, script or boot kit, whatever it is, it'll create like a nice little fake website for the person. They can go there and pay, they'll show how long till their data is gonna be deleted and stuff like, you know, it's on the web of stuff. Like it's quite a, quite a nice little integrated piece, which is then meant to decrypt as well.

It's even got like a live chat built in there as well. So it's a proper end-to-end kind of service where the ransomware even then are give them money as well, where it's, I guess, very different from the first tack we covered today, which is the polar opposite of hacking getting the information, putting it up there and then asking for payment.

Garrett O'Hara: Yeah. And Hive, I mean, it is affiliate based. Uh, so you know, it is part of that kind of ransomware as a service play that we're seeing more and more of. Um, and that's their adjustment. It's another real worry. And it's another reason I suspect why the ransomware stuff is pulled up, proliferating and is so popular because you don't need to know anything. Um, you know, Phil Clark who works with us, years ago said, "You just need a credit card and a grudge." And I really feel like that almost should be on a t-shirt for ransomware at this point. But, um, but that's it, right?

I mean, you can just go pay an affiliate a little bit like DarkSide, right? The Colonial Pipeline. It's the same deal. And you don't, you don't have to be a developer. You don't have to know how to do anything other than get this stuff out there and then sort of pay your, um, I'm sorry, get your, your payments through Bitcoin. And even then they've got sort of brokers for the payments side of things. There's very, very little in the ecosystem of ransomware that's not covered by kind of expert organizations that specialize in payments, specialize in broker access, specialize in customer success and service to make sure you get your, your Bitcoin payments through.

It's, it's incredible to see really an industry, you know, and, you know, I think Brad, you just said, it's an end-to-end industry. Like, that's what we have here with ransomware now, because it's so lucrative. It's so easy. It's so hard to police. And everyone's kind of getting used to it.

Dan McDermott: Is there a technical answer long term? And again, I'm not an expert in, in memory or, or encryption or anything like that, but I wonder, is there a future technical solution in the way that data is stored or even encrypted ourselves, then our organizations, which potentially inhibits threats somewhere, or is it just something which is gonna happen forever and it comes back down to resilience and do we get to a point where, you know, we can restore systems almost instantly and get back up and lunch right away?

Garrett O'Hara: Yeah, they, there, I think, um, it's been on here for a little while, actually. There's these flattened pieces of carbon or white, and you can write things on them with pens and pencils [laughing] and you can lock those in metal cabinets and it's, it's old technology, but it works. And now, like, I, I dunno, honestly, Brad, I think, you know, there, there's probably technical things you can do to, you know, potentially get yourself set up to not be vulnerable to this. But I would say it comes back to the productivity versus security argument that we've had for decades, which is look, you can be totally secure, but nobody can do anything.

And then what's the point? Um, and also the fact that everybody is so digitally interdependent, like you could probably lock yourself down to the point where your risk of ransomware is really minimal, but your ability to interact with other organizations easily would probably be cost prohibitive. You know, you would have to do things in ways that just take longer or are frustrating for employees, et cetera, et cetera. Um, I, look, I would say, um, not to downplay like the problem of ransomware, but I think what we've seen consistently is that sometimes the solutions aren't crazy esoteric, bleeding edge solutions, they're actually just do really good backups, do them regularly.

Um, you know, do application whitelisting, do, do some basic assuming you're set up for that, and you can. I actually saw a quote on, I wish I'd remember where I saw it from. Oh, it was in a security white paper this week, but the, the quote was from somebody I think in the US government around what, what's the one thing that would protect organizations against ransomware? And the comment was something like get onto Windows 10.

And it's not that Windows 10 is particularly secure, but often the, the problem is people are running, you know, Windows, Windows 8.1, or they're, you know, they're sitting on legacy operating systems that aren't getting patched, don't have security updates, and they're running sort of operational applications that are in the same boat, there maybe for many reasons they can't get away from, can't secure, et cetera, et cetera. So, I suppose like Brad, technically yes. And then when it comes to the reality of the spend that it takes to do that, and the ability for a business to operate, then it starts to veer more into no. [laughs] Or just buy filing cabinets and paper, you know, [inaudible 00:17:36].

Dan McDermott: And I guess just to wrap that one up, I don't know if you guys know where, like, where is Macquarie Health at the moment. Have they been able to restore things to get back online and what's the next steps for them?

Bradley Sing: What I read was that they had disconnected systems. Um, but I guess, I, I'm not sure if they're fully online, online, online yet. I, I, I, to be honest, I guess that they're probably not, like it usually takes these organizations a few days to recover. I think more concerningly, or what we don't know is, you know, if there is information out there, which, which is very common in terms of Hive and, and how they operate, um, yeah. If there's going to be information published as well, or even if Hive have access to it. But, um, I would say at least from a, uh, I guess ongoing attack perspective, it looks like they are recovering at the very least.

Dan McDermott: Yeah. The old double extortion, Hive, so it's the threat to publish the data as well. So yes, it doesn't end just at the, at the first half, that's for sure.

Garrett O'Hara: Yeah. And, and could this be triple, you know, given that they, they have data on people that are presumably probably fairly sensitive, like, do they go for the triple where they definitely, they contact, you know, those people directly and say, "Hey, give us some, give us some money, or we're going to [crosstalk 00:18:49]."

Bradley Sing: They don't have to though, like, they can open credit cards with people's, people's names. They can have bank accounts, like from a whole fraud ecosystem perspective. Like even, even if they don't do that, like yeah, they can sell the details. I mean, it could be four things. [laughing]

Dan McDermott: Uh, scary stuff indeed. Um, having a look at the New South Wales government, who are having a look to extend the DMARC protocol for all of their, um, LGAs, as we've come to know them, or local government areas, um, across the state. Garrett, before we dive in, tell us what DMARC is.

Garrett O'Hara: Uh, DMARC is basically, I'm gonna, it stands for Domain-based Message Authentication, Reporting and Conformance. Um, what DMARC does is basically fix some of the kind of technical issues with SPF and DKIM, which let's probably not get, get down the rabbit hole of, just realized this could keep going forever. Um, Sender Policy Framework and the [Banky 00:19:49] and messaging integrity. I can't even remember what DKIM stands for. Um, you know, long story short, this is the way to start locking down sending services to your infrastructure. So Dan, imagine if you're an organization, you know, you're acme.com and you've got a, a SaaS provider that's abc.com and they do sort of EDM or marketing material for you, right?

You want them to be able to send messages from your domain and you want them to be able to do that legitimately, but you don't want hacker.com to be able to do that, um, you know, for, for kind of bad reasons. Using DNS, so that's the kind of, you know, the phone book of the internet as, as people describe it. So using that, which in theory is in control of an organization, so an LGA. What you can do is put a record in your DNS and tell organizations what to do if DMARC doesn't pass. So when I say DMARC passes, it means that when I see an email come through, I can look at the domain. I can go to the DNS record and make sure that the, the sender for want of a better expression is like, okay, to be sending from that domain.

And there's a bunch of other things in the background, or sort of IP address checks and envelope and header addresses. And you're like, yeah, it's probably beyond the interest of our audience to get into it. Um, but the outcome is that you end up with a, a situation where in theory, you can lock down your sending services so that if you get a, an email using your domain, you know that it's not an attacker spoofing you, if that makes sense.

Dan McDermott: Yeah.

Garrett O'Hara: So, you know, um, you know, abc.com or mimecast.com, for example. And you can be sure that, um, if you see an email from that exact domain, you get to go, gonna call it the biggest problem with DMARC is that it's incredibly good for the domains you own. It does absolutely nothing for the domains you don't own. So any cousin domains, homoglyph, homograph attacks, any of that sort of stuff, forget about it. DMARC does nothing. But it's an excellent, excellent first thing to do.

Dan McDermott: Indeed. And if this gets rolled out, like a, across the, the state, you know, what do we think that, you know, what do we expect, you know, the positive sort of outcome today from this?

Garrett O'Hara: Well, you know, if, if you're a council and you're getting emails, um, you can be sure that if you see the domains that are being protected by DMARC, then you know, that, that eliminates a lot of spoofing attacks. So, you know, you, and that could be anything, that could be inbound phishing attacks, it could be social engineering, BEC type stuff. It could be lots of different things. Um, so, you know, it's another incremental control and it's a really positive thing, you know, it's, and it gets more powerful as more organizations do it, which is an important part of this. So it's great to see that the, you know, the government is pushing it as they did in the US, and, and in other countries, like this isn't just an Australian thing. It's a good thing to do for security.

Bradley Sing: I guess, just to unpack, pack the news a little bit more, um, in terms of what it looks like the New South Wales government is doing. So it almost looks like a little bit of back in to and from. So like a couple of years ago in 2018, the councils were, were kind of saying there wasn't enough support from the, the state government, um, as a result of an audit. And then kind of, I guess as a reaction to this, there was a huge round of funding that was injected into this. I started into, so by Cyber Security New South Wales, and then that funding has now flowed down in terms of X way down, rather in terms of direct support for helping local councils provide or get to DMARC p=reject. And I, sorry, I'm not sure if there's p=reject in there. Um, but it also is including things like training to local councils around cybersecurity as well.

So I think this is fantastic. LGAs, the being, to your point earlier, Dan, that they're instrumental, I think, during COVID and really the past kind of two years, and it'll continue to be incredibly important in the future. And I think just as, you know, tell me, you know, a rate payer and stuff like that, to know that my bills and stuff are gonna be signed with DMARC and kind of communications from, from them. I, I think it's a fantastic thing. So, um, as to Garrett's point as well, the more people that do it, um, it becomes even better as well.

So there's also, I think a conversation around BIMI records or BIMI records, which I have, um, definitely started to have with a few people. And that's the whole idea of where you can start to have a logo or a brand only if you're at p=reject or 100% quarantine. And I think that's going to also help unlock this, um, probably a lot for marketers and, you know, kind of the area you're in Dan as well, but also just from a, a security perspective where it's kind of another reason why you would enforce, enforce something where really the, the problem with email is that it was never designed with any security in place. And that's, that's, that's the challenge today.

Garrett O'Hara: Like so much of the stuff we use, like, that's, that's the problem. If it was ever designed with security, half of what we do today, we, we wouldn't actually do. [crosstalk 00:24:32]. Yeah. So I love, I think it was with you guys, we were kind of joking about, you know, the CHIPS program, which was the Cyber Hygiene Improvement Program. That was the one that, the ones who pushed this. And I just think, just think [inaudible 00:24:43] every time on a cool motorbike, pushing DMARC, like making cyber safe, making the world safe for all of us.

Dan McDermott: Indeed. And then continuing on the government theme, last week, we saw the announcement from the federal government on the ransomware action plan, um, and at the heart of it being around, um, mandatory reporting around ransomware. But Garrett, can you give us a bit more insight into what the ransomware action plan is addressing? Um, and for us to sort of really unpack, you know, its, its impact and the way it will help organizations across Australia.

Garrett O'Hara: Yeah. This is a, a kind of hot potato topic, right? It's a, there's been a few kinds of MPs, um, on the other side you know, talking about this. And I think it's a good thing. Fundamentally, I think many other cyber security, you know, folks out there nationally in Australia, what I would say globally are looking at this sort of legislation and, and, um, regulation as a way to start to close the vice a little bit, um, at least in one area when it comes to ransomware.

Um, so Home Affairs Minister Karen Andrews, um, has kind of put forward the, this ransomware plan that kind of includes a mandatory reporting requirement. Now, the interesting thing is that it's for companies with a turnover of 10 million or more a year, and correct me if I'm wrong Dan, but I think you did the math on this one and figured out how many, what percentage of organizations that actually is and it's pretty small, right?

Dan McDermott: Yeah. It's, it's actually just under 2% of Australian organizations turn over 10 million plus a year. So, so it's, it's a very small pool out of everything that's happening from a ransomware perspective and the attack is in the market.

Bradley Sing: Yup. Yeah. And I think that's a really important data point. 'Cause if I'm gonna say, Dan really didn't click with me when I said this, I probably got a little bit more excited than I should have, which, you know, it's a story of my life. Let's be honest, but, um, it's a cool start. I think it's an important start. Um, you know, the idea here is that ransomware is such a big issue that, um, if you like, if you, if you can measure, it's really hard to manage the problem, right? And the, the, the issue is that we see the stories, you know, we've talked about some of them today hitting the news every single day.

And Australian companies are getting absolutely slammed by ransomware and money's getting paid, right? That's the reality in the background. Money's getting paid to criminals. Um, and there's some really interesting, kind of ethical and legal questions there that I don't really fully understand. I'm not a lawyer, but there are other areas where you know, that there's sort of an obligation to report crime. And, um, and I'm kind of scratching my head again. I'm not a lawyer, so I don't really understand this stuff, but I don't really understand how a, an organization can make, what is, I assume, an illegal payment to an illegal organization, which in my mind is kind of like, it's, it at least involves crime and then not have to sort of make that payment, first of all, known, um, and ideally the amount of, the amount going out as well.

Anyway, you know, pretty gone on too long already, but you know, what this gives is sort of an insight at least into for that, um, you know, the, those organizations with a turnover of more than 10 mil, like what's, what's getting paid? And then at least we can start to create some sort of data sets around, first of all, the volume, um, of payments, um, in terms of overall number. So you'll get some sort of proxy number for the number of attacks. And then secondly, you'll get the actual dollar amount, which could be, I mean, who knows, right? It's finger in the air stuff at the moment. Um, I would like to see it expanded. I mean, that's a personal opinion.

I think if there's ways we can anonymize and make sure that companies, I think this is an important point where companies need to feel safe with doing the reporting, because what you don't want is having this problem pushed down under crowns where, um, because of a mandatory reporting requirements, um, that has implications, um, you know, clearly that has implications, and what you would hate to see is that instead of, um, yeah, reporting people start kind of going underground and, and, you know, there's, there's a bunch of incentives here that could play against what we want as an outcome, which is less ransomware.

And I think that's the, the devil's in the detail. And I think there's a bunch of work still to be done and kind of industry consultation to figure out things like what's the expected amount of time before you report, how do you anonymize the data? You know, what's like, what is the [ACST 00:28:59] doing? Like, this is a bunch of questions that I think aren't really answered yet, but I think it's a really good start.

Dan McDermott: It'll be interesting to see how closely we follow America. So I believe, what we're probably actually a little bit ahead of them in terms of their requirements around ransomware payments, because I know over there, the Senate's debating, um, um, basically, so if you're critical infrastructure over there, I think you have, they will not say you have 24 hours to report if you've made a ransomware payment. And then if you've been subjected to a, a cybersecurity incident, you have 72 hours to notify. Um, and that's only applying to critical infrastructure.

And I'm not sure exactly what critical infrastructure is defined as over in the US, because I know over here, when we're looking at our critical infrastructure kind of laws and stuff where there, there's a big discussion point there, but, um, I think to your point, guys, yeah. That organizations need to report the stuff, it needs to be visible. Um, I believe from my understanding, I think to a large degree, it is potentially illegal just to pay ransom in Australia, but I would also argue that in any circumstance where you could, you know, you're delivering a service or, or you know, if you're like an electricity company as an example, or a gas company, and somebody could die because you can't deliver them electricity, whatever it might be like, I don't believe you'd ever be prosecuted for it.

I don't think any company ever has really been prosecuted for, for paying a ransom in Australia. Um-

Bradley Sing: Yeah. I, I mean, Garrett, getting back to the point of this only 2% of the, the effective population you feel like is, is, is my challenge with this. So, like you say, it's a great first step and we want the visibility around it, the size of the problem and understand what that is. Um, but from our own research at Mimecast, we know that nearly 65% of organizations said they suffered a ransomware attack in the last 12 months. So if, if it's so prevalent across industry, yet we're only reporting around a very small part, I feel that there is the analogy to sort of the vaccine rollout, right?

It's like, you know, we're, we've just created, you know, a double [VAX 00:30:56] immune for 2% of the population, but that doesn't make us feel good, that doesn't allow everyone else to actually want to actually be um, having that I guess, engaging in that and actually being part of it. So it does need to expand beyond that. And, and so much of the commentary beneath it talks about SMBs and where it needs to be and, and how we need to support them. Yet, then the focus becomes on, you know, reporting for us, very small, large into town or director's duties for large organizations and those sorts of things.

So we're not getting the follow through, I think, of the next step of what is the role of government, industry and sort of tertiary institutions to come together to start to solve and make a better cyber health program for the country and for SMBs. And I know we spoke about it last time, and this is going to be my hobby horse until we ever see something. Um, because it just feels as though otherwise we're at a very superficial level of dealing with it and we're not actually getting underneath and, and also not providing support. And I think one of the things that we speak about and look at in this is, is that mandatory reporting is at the back end, it's already happened. The bad stuff's happened.

So the damage in many ways has been done. How do we stop it from happening? How do you get preventative in this and put the guard rails up ahead of time and make that accessible for the community abroad? So I feel like, yeah, it's, it's a good first step, but feel like it's a little bit light on for where we need to be to actually address this problem across the country.

Garrett O'Hara: Yeah, absolutely agreed. It's, it's funny, there's an old show, I think it's old called Utopia, which ABC did.

Dan McDermott: Yeah, yeah.

Garrett O'Hara: Um, but as you're describing that time, it just feels like they're, you know, they're, the value of a, you know, a launch message versus the actual getting the project done, it feels a little bit like that sometimes. And I think you're spot on, you know, there's, there's, there's probably hard and difficult work to do, but we sort of need to do it, right? The, the results, um, the results of that kind of work, I think, would be great for Australia as a, as a, as a country, but in, you know, economically clearly there'd be benefits.

Dan McDermott: Yeah, no, it definitely feels unfortunate, a little bit of politics apply, right? And it is like, it is the show and, and the front end and what that looks like. Um, what is that substance and the program that actually sits behind it, that will actually change things, right?

Garrett O'Hara: Yep.

Dan McDermott: We're, we're, we're a little while away from, from seeing what that is. And, and hopefully it starts to, you know, this is a step to building that momentum.

Garrett O'Hara: Yep. Totally great.

Dan McDermott: Well, thank you Brad and Garrett, um, appreciate your insights as always. Garrett, who have you got lined up for us as our special guest for next week's episode?

Garrett O'Hara: So next week is, it's actually a very cool episode. I've got a, a recommendation. And when was that all served for Dr. Chase Cunningham. So he's basically a retired Navy chief cryptologist, he's a guy who's kind of, who was buried in cyber forensic, analytical operations. He's worked for a bunch of the three-letter organizations doing the kind of secret squirrel work. Um, just an absolute gun when it comes to, to this stuff, um, but he's also an author and he's written a book called Cyber Warfare: Truth, Tactics and Strategies, which, um, I actually recommend it to you guys. It's a really good read.

Um, covers a bunch of broad topics, just super easy to read, but really kind of, um, there's meat on those bones. If that makes sense. He goes into some cool stuff around machine learning and AI. So, um, he's written that. And also [inaudible 00:34:28] Gabriel, which he's actually just launched, which is a fiction and, but very kind of cool. It's a fiction book based in the world of cyber. So, um, but we, we get into a bunch of different things. I was originally keen to talk to him 'cause he does forensics. And, um, I think it's something, it's important, but it's amazing how little we talk about, you know, what does it mean? How do you do it well? What's the, the point where you need to bring in the government or an external organization?

Um, so, you know, we have, we have that conversation, um, and Chase also did a PhD on some very cool stuff that to me sounded like Minority Report. And I'm guessing you guys have seen that movie where you kind of predict what people are doing. Um, yeah, he did a bunch of research on that and kind of modeled human behaviour and then kinda cross correlated those with kind of technical precursors and indicators so that he could sort of see before people did the bad thing, that they were going to do the bad thing. Um, I find that stuff really quite fascinating.

Um, and then, you know, and that. You know, we, we talk about cyber warfare, um, AI/ML, he's, he's got a fair, um, fairly strong kind of set of opinions on that, but, um, yeah, just a very, very interesting guy. Um, and I think we barely touched the, the sort of surface of what he could and, and does know. So he may be a repeat guest, we'll see.

Dan McDermott: Terrific, looking forward to having our very own cyber 007 on the show for next week. Well, that brings this week's episode to a close. If you'd like to continue exploring key topics in cyber security, please jump on to getcyberesilient.com. And check out some of the hottest articles, including a follow-up to the healthcare sector article from Brad, with the adoption of how healthcare cloud services are on the rise, that buyers need to be aware of. Insights from Nick Lennon on why [inaudible 00:36:10] shouldn't reveal everything to the board, and an overview of how to cut through cybersecurity's marketing spin from yours truly. So thanks for listening, and until next time, stay safe.
