• Garrett O’Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.


The latest cyber news and resilience insights: Meat-giant cyber-attack, NYC subway hack, and NSW councils lacking basic cyber controls


Our resident cyber experts dive into the latest hacks and cyber news from Australia and around the globe - the attack that shut down Australia’s largest meat processor, the hack that compromised the New York transit authority, the audit that showed dozens of NSW local councils are without basic cyber security controls, and what the ABC and SBS are doing to boost their security following the infamous cyber-attack on Channel 9.


The Get Cyber Resilient Show Episode #57 Transcript

Dan McDermott: Hi listeners. Welcome back to episode 57 of The Get Cyber Resilient Show Podcast. I'm Dan McDermott. And today we'll be looking at the industry news. I chat with our resident cybersecurity experts, Brad and Gar following the theme of ransom and disruption. Today, we'll be looking at the hack that has brought down Australia's largest meat processor. Then we'll head over to the US and take a look at the latest hack that had occurred on the New York subway. Then back on our local shores to look at Australian media organisations and how they're looking to protect themselves since the Nine attack and results for the local government audit and councils across New South Wales and their preparedness for cyber. So we'll kick off today with a, from recording from lockdown again in Melbourne. So Brad and I are certainly suffering our way through that. And as we said, we'll kick off with the latest hack that's happened on the meat processor, JBS.

But we have seen in lockdown that again, we've noticed panic buying. So again, we see a shortage of toilet paper here in Melbourne. The meat aisles are already pretty sparse when you go, head into the supermarkets. And now we've seen the world of cyber actually make that even worse. They're getting Brad, what can you tell us about what's happened at JBS and then the impact on, on local meat supply?

Bradley Sing: It's just like another day, another piece of ransomware or another breach we hear about Dan. But I think the one thing I'm concerned about, and I think you messaged me this morning, you're like, “Make sure you go get your Mackers while you still can, because Mackers are going to run out of meat.” It's sad, yeah, we could, if you think about, I guess the shift in terms of the way our businesses are designed to, you know, provide things just in time, it really is, is, you know, it's almost come at the cost of resilience. Because when things stop just for a split second or just for a day, the amount of disruption is absolutely phenomenal. Now, in terms of the re, the breach we're talking about.

So it's made all the headlines for the wrong reasons, of course, but it's a, it was an attack against the multinational company called JBS. They've got abattoirs all around Australia, all around the US. I think in Australia they employ well above 10,000 people. So a massive employer, but estimated yesterday due to the disruption, there was about 8,500 head of cattle and six and a half thousand sheep, which were scheduled to be processed, but they couldn't process them. So, yeah, there's a lot of news or a lot of thinking that this is going to lead to some certain disruption that the consumer will feel.

Garrett O'Hara: It's, it's such an interesting word processing. I feel like that means something else in this context, but anyway but yeah, I think you're spot on Bradley. Like the whole resilience thing when it comes to just in time delivery and supply chain, was it... it wasn't just this, right? But COVID was the same thing when you kind of realised actually how much stuff arrives on shore or from other places through very complex supply chains. And then, you know, something goes wrong like our, something as small as our borders shutting and all of a sudden, you know, the, the, the buying just starts.

It's definitely interesting one and, and, you know, the focus is obviously on JBS because there's going to be presumably a lot of, sort of broader impact to farms. You know, those cattle and sheep come from somewhere and, you know. Like I don't really know how this stuff works, but presumably they'll have to stay on land and be fed and that has costs associated with. So, you know, it's not just JBS, but it's actually rural communities who are already so hard hit in Australia with through drought and everything else. And that, you know, for those, for those folk who are, you know, waiting to ship out cattle, they're probably sitting on land, costing money you know, not getting cash turnover for, for folks who probably need it. So, yeah, definitely an interesting one.

Bradley Sing: You, you can't like store things that long anymore. Like just the way that, I guess, the world has kind of changed, but like, back to kind of just in time or just type of supplier provisioning. But, you know, for a, for a farmer to have an extra thousand cattle sitting on his, his, farm or property for, for two months, like the cost of feed to your point, Gar is absolutely phenomenal. And it comes all back down to the consumer too, right? From the delivery, from the retailers, to the end, the consumer. That's, that's just an example, eating meat. It affects just every single part of that oh so delicate supply chain.

Which is what was learned through just COVID like, you have to, you can't... like disruption happens, right? Things, bad things happen. Like you have to, to a degree they, they're not the reason or the fault they happen. So how do we, how do we plan for them and be more resilient?

Garrett O'Hara: Yeah. Is it sort of buffers? Is it buffers in the supply chain 'cause that, that has costs and you know, ultimately, end, end consumers are left to pay for that. Although, the, you know, the toilet paper one was interesting because from what I understood, it was actually the cost of store, storing toilet paper is extraordinarily high because it's so big, you know, compared to the weight. So, you know, you buy a, is it a 48 pack of toilet paper? It takes up a huge amount of space on, on shelves, but also in the backend storerooms for supermarkets. So they wouldn't, you know, obviously then they wouldn't store that stuff in those central locations.

H, here's the thing, given Australia's massive amount of space you know, as you kind of move further towards the centre, I mean, I wonder is there opportunities for regional buffers or resilient storage centres for things that we need in our supply chain? If you could figure out a way to, to store them. I mean, when it comes to meat, unless it's in jerky form, you could probably not, not in good position. 'Cause then you've got to pay for refrigeration and all that stuff. But yeah, it's, it's a really interesting one. It's started the, you know, we've already started the, started the cyber security stuff, I think. Yeah, COVID, it's been a massive lesson just in, in terms of how brittle and exposed.

Not just us, you know, it's not an, an Australian problem, right? It's, it's global, but how how brittle the supply chains actually are. And it, it sort of, so it's just like super quick and it reminds me of the, you know, butterfly flapping its wings causing a tornado a bit across the worlds. And it sort of feels a little bit like that at, at the moment.

Bradley Sing: You make such a good point there about geography as well. Like buffer zones, you know, that's such an interesting idea. And we think about where things like manufacturing evolved originally, it was in countries like Japan, which had incredibly small geographics. So the idea of supplying something just in time is completely fine, but in Australia, historic, it's quite hard because we rely on so much ports, you know, stuff coming in from the outside world going in. But if, you know, I think to your point Gar, like it does make us think, how do we make this more resilient at a national level and kind of within Australia.

Garrett O'Hara: And also have manufacturing onshore 'cause one of the, I got... this is a little bit odd, but I've got friends who went into business making me, men's underwear and I, I've left, it's odd right? I get it, but they were, you know, high ends very appealing to a certain type of a demographic. And when they went to try and source the raw materials, so, you know, cotton and fabrics in Australia, that, that just is nearly impossible to do these days. And I suspect it's probably the same for many things where when you, when you look at the map of supply chain, the thing, you know, we send the things we buy overseas, you know.

There's, there's these weird things like, it's like a boomerang where when you make it on shore, you send it overseas and then we, you have it packed there and then sent back to Australia and then some things we just don't make it all. So yeah, it's, it's quite bizarre.

Dan McDermott: I think it's also an example of another attack that's having societal impacts. Right? We spoke last time about Colonial Pipeline and, and what we saw in the US and with people queuing and, and doing strange things or trying to steal a petrol. Right? You know, these things do have a real impact on everybody. And you know, certainly I'll be heading out to Mackers after this and because, you know, you just don't know when you might get it again. But also just, you know, the cost of living as well. And I think that the idea of building in those sort of resilience factors are great, Gar.

But the economics is, is always the challenge then, right? It's like, how does that get funded? And then like, I mean, you've already seen the, the cost of land is pretty high, the, these days as it is. You know, sort of driving that up is is something that then doesn't become sort of affordable for, for people either. So the implications are, are really big and I think are ongoing in terms of, of this. And, and obviously no easy answers in that, but there's certainly we've got to make sure that, you know, resilience, as you said at the start, Brad.

Is that I guess the core of what people are thinking about, because if you think through that and have sort of, you know, different scenarios play out you're able to, I guess, be better prepared. But hopefully JBS are, are back processing soon. I think they've said that they are, they're actually dealing with it quite quickly and looking to get systems back online as soon as possible.

Bradley Sing: I think they're back up and running in [crosstalk 00:08:38]

Garrett O'Hara: I was just to say, are we at a point where we need to have a segment for preppers on the show? You know, that we, we talk about like the latest offerings in canned goods and weaponry for when the apocalypse comes. It's starting to feel that way.

Yeah. I'm sure you've got your stash out the back there, Gar with the tinfoil [crosstalk 00:08:56]

10% of our listener base.

Dan McDermott: Yeah, it's a definitely a, an interesting story. One that will continue to evolve, but again, the, the fragility of, of supply chains the societal impact that it does have both upstream, as you said to the farmers and downstream to consumers is massive and something that yeah, we'll definitely keep an eye on. And un, unfortunately I'm sure in fortnight's time when we come back together, there'll be another example to talk about because it just keeps hitting the news on a daily basis. As we say boo, then have a look over stateside and take a look at the New York subway system hack that occurred. I think, Gar, I think you're gonna kick us off with a joke, aren't you?

Garrett O'Hara: Yeah. I am. I have to. I'm sorry. I don't even have kids and yet I make the dad jokes. So when, when Brad sent over this story, I initially thought like, is this the fast food chain? 'Cause I think it was the, you know, Mackers thing had been put in my head. So, you know, I was just thinking like New York is going to be in a panic. If the s, you know, subway sandwiches are unavailable, people would be freaking out completely. It's not apparently, it's the transit system.

Dan McDermott: I'll definitely add that to the dad joke repertoire.

Garrett O'Hara: Thanks, Dan.

Dan McDermott: Thank you and Brad, what can you tell us actually happened here in New York?

Bradley Sing: Yeah, like I was, when I was reading this story originally, I was a bit confused because I saw MTA everywhere. And I was thinking Mail Transfer Agent, but it's Metropolitan Transportation Authority. So we were both a bit confused there, Gar. So this is an interesting attack and the fact that it doesn't look like it really did much damage or, or any damage. But I guess effectively that it suggests that there was a foreign government, which effectively gained access to 18 databases of the New York subway system, it's saying the hackers didn't access any train controls or anything to that effect. But it was linked to a foreign entity. It's quite interesting if they, if they think about like maybe some of the reasons behind it, like there's been a lot of nationalisation around our training systems and like the manufacturing aspect of that as well as, as a lot of countries around the world, you know, rushed rail lay rail as well.

Um, but I think it's just another example where, you know, this is a core system, it's critical infrastructure, how is this stuff then protected? And, you know, what's the onus on the organisations? There was a survey or study conducted by Moneta, sorry, Mineta Transport Institute, which found that only 60% of the transportation agency survey had a cybersecurity plan in place. Despite 18% saying that they felt prepared to manage such threats, which I'm sure we can do the math on that one.

Garrett O'Hara: Yeah. Something doesn't add up there. Does it? It's a little bit concerning. And transport is one of those, it's, it's kind of an interesting one, you know, the transport communication, those, you know, almost back to critical infrastructure conversations. It's amazing to me how potentially vulnerable so much of that stuff can be. And, you know, this is obviously about trains, but we've seen many stories that are sometimes cyber attacks, but actually sometimes it's just computer failure where airlines are brought in because their booking systems go askew. Or you know, those sort of central coordinating systems for, you know, agency and airlines.

Um, yeah, I don't, I mean, I really don't know what the answer is here other than kind of rethinking the whole resilience aspect of things like transport. And one of the things I've kind of come back to is, and this is probably naive on my part, but like, what is the, what is the core requirement for this stuff to be connected in a way that means to tackle? Because in my mind, you know, something like a transport system doesn't... I mean, again, I don't work in transport, so I'm probably getting this wrong. But like, I don't know why you would necessarily need it connected externally in a way that makes it attackable. Like if it was fully air gapped, which doesn't make it impenetrable, but you know, it, it's sort of a isolated, segmented system. You know, almost zero trust at a transport level and where you could maybe mitigate some of the, the risk. And again, you know, it's impossible to mitigate all the risks, but I feel like so many of the ICS transport manufacturing systems they're connected.

And I'm often wondering, yes, I get, I get, there are reasons why you would do that, but are we at a point where the reasons we do that are far away, but the risk that's presented when attacks are successful and brought, you know, bringing down manufacturing, transport, healthcare, you know, all the, all the systems that we, we talk about, it seems like every week. You know, in the risk analysis, are we at a point where we go back to fully air gapping systems that are completely critical? That's probably me being completely naive in terms of the reason that you connect connect these systems.

Bradley Sing: I'm thinking you just run like a, a land cable under each train line or something, or tram line in Melbourne must be safe. And that's like the private network. But I remember watching something on it was I think it was like a Metro trains and it was about a role or position where basically you're like the master train controller of Melbourne, right? So you sit in this room above Flinders Street station and it's like being an air traffic controller. So you're seeing all the trains leaving the ramp, pushing these buttons. Like what's the resilience behind those systems? Like if that stopped tomorrow, like how quickly would we be able to get back up and running and serving people? Like, maybe we're lucky at the moment. 'Cause you know, it was secondhand in Melbourne, but you know, want them back up and running, like that's, the disruption is just ridiculous. It's insane.

Garrett O'Hara: Yeah. I think there's something around the cost of, you know, is I think through this. So we, we did a panel last week. Like a show over in New Zealand and on open data and government and I was lucky enough to talk to some very qualified people in the space. And, you know, their commentary was around the, the utility and value of data when it came to well sort of with governments and that's across lots of different things. But when you think of a transport, you know, sensors along the way, I suppose, temperature of tracks and track warping number of passengers, like all of that stuff is incredibly incredibly useful data to make decisions. You know, do we need more trains or is this train running slow? So like I get, and I, so I get all of that. And then I wonder is the cost to do fully secured, you know, private versions of that just so expensive, that it's easier to hop on to, you know, public infrastructure secured by VPN or whatever.

Um, but that's your way to do that. But if you have, it's such a, it's such an interesting one. Because again, how valuable valuable the, the data sets are and the ability to control that stuff. But I wonder, yeah. Are we at a point where we need to rethink the use of public infrastructure for connectivity?

Dan McDermott: I think it's cost, Gar. And I think it's probably access to the technology as well. Right? Like as we've seen the move to cloud and that being, I guess, a default for innovation and new solutions and the availability of some of the, you know, new applications, even. Then I think that the, you know, you've got a question, whether, you know, is it economical for it to be a completely closed network? Both for the operator. And then I guess for the suppliers of some of those solutions that are, that there are, that they procuring as well.

I guess where my head goes as well with this is, is the, you know, the scary thought of like, where does it end? Right? Like who are these people? What are their motives at the end of the day? And you know, something like transportation and, and that type of thing, getting into that, you know, you can get to the point of cyber terrorism, right? I mean, it's, it's actually possible that they take control of, you know, the subway and, and who knows what can happen from there. So it's definitely scary sort of thoughts. And again, like, you know, if that goes to a much bigger level of concern. And like you said, Gar, what is that risk that needs to be considered in all of this?

Because, you know, if at the end of the day, it's, you know, yes, like identity theft is bad and you know, and, and money's bad. And that obviously, you know, something, you know, loss of life is obviously so much greater, so there does need to be, I think that risk perspective throughout all of this.

Bradley Sing: Definitely. Do you feel like... do you guys remember Superman III from like, was it the eighties, maybe the seventies, that's so long ago now. But you know, the one where we had Richard Pryor and they had the supercomputer he was like an expert, a hacker guy and he built... I'm going to get all of this wrong now, but he was the wiz. And I think he controlled like a weath, a weather satellite and it was creating storms. And then he-

Dan McDermott: Is this like Brainiac or?

Bradley Sing: No. Superman III, like the, you know, the superhero movie way back. It's probably early eighties. Like it's, I remember I was tiny when the thing came out, but like it sort of feels like it's that kind of movie, you know, it's, it's, it is that, you know. To your point, Dan, it's that it's control of systems that have a huge, huge impact to countries. So I don't know, are we living to Superman III? Great question for the listeners.

Dan McDermott: I'll have to go back and check that out. I haven't seen it for a long time. Maybe get the kids to watch it. We'll see.

Bradley Sing: Sure. The kids sure.

Dan McDermott: [laughs] Yeah. Exactly, that's a handy excuse when, when need be. Right? So one of the one of the most high profile attacks in Australia this year has been an arm on the Nine Entertainment. And we've now seeing that, you know, we've actually gone to Senate estimates and ABC and SBS have actually spoken about how they now proactively looking at what they need to do and how do they actually increase their security posture and their resilience knowing that, you know, that this is, you know, a likely scenario. That if it's been successful once, that they might be, you know, the next off, next cabs off the rank. Brad, what can you tell us about what the ABC and SBS have been up to?

Bradley Sing: Yeah, I, I think the ABC, you, the SBS have recognised the disruption that, that Nine suffered, unfortunately in late March. And I think even personally, maybe because I don't really watch, I guess, like TV, as we know traditional TV. Like, I probably, to me, it didn't really seem like much of a big deal, but if we look at some of the, actually, latest draft of the national critical infrastructure bill, there is a lot of wording in there which talks about how do we protect our public broadcasters. And that could range from anything like a, a radio station out in Wollongong as an example, all the way to like a large broadcaster, such as like ABC or SBS. So I think it's, it's, you know, they've obviously got the, the right idea behind it. They're talking about increasing I think spend of $500,000 at the moment at ABC, um. The ABC's operational cyber security costs will more than double to $3.9 million, next financial year. And security similarly eating into the budget of, of the SBS as well.

So I think, look, it's, it's obviously great that they're, they're recognising the risk of it, but I know a big plan, I think, of, of, of a lot of broadcasters, including the ABC is to go into a more digital space. So as they digitise that again, raises more questions of potential risk and, you know, access points. I know as an example that, that you now have to sign up for an ABC account or they're making it mandatory. So they're going to start, start to, you know, collect more data on, on their viewership and audience.

Garrett O'Hara: It's, it's funny when, you know, you look at Nine it's Nine Entertainment. So people think that I don't know next top housewife model that cooks or whatever they, you know, they sort of TV shows they air right there at the moment. But when I think of ABC, I think about the [Bush Farmers 00:19:46], I think about you know, the theater as a communication method for a nation. You know, it's, it's sort of a national, it's like the BBC in England or [RTE 00:19:53] back in Ireland, they're kind of, they have an important role. In terms of, you know, news what's happening. Weather, things that I think, you know, me, I'm definitely I'm city folk, but when you hear some of the ads on, you know, ABC people in regional areas rely on it for weather, what's happening, news. What's happening in bush, far as they can see.

It's actually so, so important outside of the, you know, the, the comedies and sitcoms and all that stuff. It's actually, these [NSPS 00:20:21] is in the same boat I would say, but that, that's where my head goes. And I think about when you see those coups that happen in other countries, one of the first things that often happens is get control of the TV stations either shut them down or take control of them. So, I mean, to me, that sort of points to the importance of these kind of broadcasters and then sort of news, news media in general.

Dan McDermott: Indeed. I what we have also seen and is, is the ASD's Director General, Rachel Noble sort of come out in Senate estimates and say that the information that they collected from Nine has allowed them to actually start to be proactive and actually warn, um... And it happens to be warning to other networks and they don't actually name who they are, but it's coincidentally that then the ABC and SBS have spoken about like what they are doing, you know, maybe join those, those breadcrumbs. But it's, it's interesting what is the role of the ASD, right? And what is happening and the information intelligence that they're getting to start to be proactive in that. And, you know, some really interesting articles that I certainly didn't realise, I guess, that proactive nature of what of their capability and what they are doing.

And, you know, and now they're talking about the fact that they actually are doing that and bringing, I guess, the information to bear in a, in a sense to stop things happening before, rather than just reacting afterwards and how to get people back up and running.

Garrett O'Hara: And that's, isn't that so good? Because the cost of like heading into tackle it before it happens is so much lower than remediation costs. Like economically that to me just makes a million percent sense. You know, it just seems the right move. And interestingly, Brad and myself were chatting in another meeting completely unrelated, but we got into the, you know, the, like, how does this work and how does that ASD [inaudible 00:22:17] And one of her colleagues was talking about how some of the organisations he's worked with would have people who would spend, you know, a decade building a profile on the dark web to a point where they're really trusted.

And, you know, sitting in forums, understanding what's happening you know, at a higher level and using that as kind of Intel into yeah, I suppose, nation state attacks and private enterprise also. But it's really interesting that the ASD were able to like share those IOCs prior to the attacks. I just think that is such a good news story. You know, we, we talk about all the bad stuff all the time, but that is such a light at the end of the tunnel. If we can see national level organisations starting to play that role where they really do head off the attacks before they becomes, become something that is so incredibly expensive.

Whether that's you know, meat processing whether that's transports whether that's Mackers, whatever it is. But I think this is just an incredibly good thing to have happened.

Bradley Sing: It's good that they share the information too. Like, it sounds like based on that, that, I mean, your report, Dan, that they have been notifying organisations across Australia and starting to grow, like, I think a couple of health care providers too. And again, going back to Gar's point, like, you know, just the fact that we, we're going on the offensive a little bit, but we're also getting to hear a little bit about... In terms, behind the scenes, you know, how has the government, how has the ASD, how are these institutions supporting businesses in Australia to tackle a threat, which we just keep hearing about? Right? And I feel this is probably one of the first tangible things and, you know, does it turn into a hotline? I mean, there's probably already a hotline, isn't there? Where you can call on speed dial. There is, isn't there?

Dan McDermott: Yup.

Garrett O'Hara: Yup.

Bradley Sing: But no, I think it's fantastic. And I like to see, I think just more examples of this and it makes you wonder what goes on behind closed doors in terms of how we collect information, the honeypots that we may have out there as an example. And in some of the analysis chatter that we see just on the dark web as example.

Dan McDermott: Yes. And they spoke about actually, as you said, healthcare, and actually having people in the Department of Health from the ASD. Because we've seen health as the most attacked sector and knowing how critically important it is normally. But even, and even more so in these times. Right? And actually doing that proactive monitoring and really trying to get ahead of the game. And 'cause we've seen too many examples of where, you know, unfortunately it's made the news because the breach has occurred.

But it makes it think now, like, “I wonder how many more there might've been? And how many they have been able to get ahead of?” Never make the news. Right? Which at the end of the day, this is a, you know, hopefully our podcasts can come to an end one day because there's actually no news to talk about this is the ultimate outcome, I think.

Bradley Sing: Don't, please, don't. That's, that's such a scary thought. [laughs]

Garrett O'Hara: That's a, that's a good thing. I think, if anything, with the podcast may become daily with that, because we have too much to talk about.

Bradley Sing: Or we just changed it into, I don't know, we can figure out some other topics that we all like. Food, let's do... We can do a burger podcast, maybe?

Dan McDermott: Indeed. [laughs] I think also the flowing off the back of that though is, is like the scourge of ransomware. Right? And we, we've seeing it all the time and we're seeing, we've spoken about it previously. And we've also just recently seen commentary from the shadow assistant minister for communications and cybersecurity, Tim Watts. Really, really, I guess saying, and putting it on the agenda for the ASD to go a step further and actually start to actually look at who are those top 10 ransomware groups that are targeting Australian organisations. And how does the ASD actually get after them and make sure that there's actual, you know, things put in place to actually get stop them, you know, take down their infrastructure, take down their capability, not have them financed and ensure that they are actually, you know I guess hitting the, cutting them off at the knees, if you like.

Rather than, you know, just reacting and trying to, you know, stop things as they are occurring as well. It's an interesting thought. And, and how far, I guess, you know the ASD could go and how far this might go in terms of actually achieving, you know, stopping this at a more holistic scale you know, obviously out of Australia, but obviously with other, you know, international sort of cyber agencies as well.

Garrett O'Hara: Yeah. Tim, Tim, what is their real deal? I've had interviews with him now and he's definitely gained a massive amount of respect for his, his commentary on this stuff. Definitely I feel he really, really gets it, which is pretty cool. I've heard him and many other people, you know, Dimitri actually talked about this too. I think on episode 53, 54 about... If I get the number wrong, but when Dimitri was on you, but his, his whole thing about you know, understanding that it is a often nation state that's attacking.

And that idea of being proactive and, and sort of making sure that you're protecting, protecting a nation. I think there's a couple of interesting points around that. This is not my idea. This is kind of, you know, a digest of, of things I've heard and read, but that the solution is many things. It's not doing one thing. So, you know, the big conversation about crypto, which I've heard so much discussion about, you know, regulate that. That's the, to your point, Dan, that's chopping the legs out from underneath the beast. Because it, it certainly makes it more difficult. The counter to that is money laundering tends to happen. In the leg, the, the sort of regions or the jurisdictions where many of these folks are operating from anyway. So yes, it might not be through Bitcoin or Ethereum, but you're probably going to see the money reeled and laundered some other way. It just makes it more difficult. But you do that. You sort of regulations, you make them, you know, illegal.

And I know this stuff in place already by paying a sanctioned organisations. You're cool. The counter to that is it becomes a cost of doing business. So it's not necessarily the thing that fixes the problem. But the things that do is the collection of all of those things together starts to make it so that it becomes unviable, the cost for the attackers just becomes so much that it becomes not worth the, the risk and the, you know, the, the inside. So yeah, I think it's a very complex issue, but I think there's so much that we, we can do and should do. And I think then the combination of all of those different areas, legislation and regulation of crypto, yes, better security controls.

But that's never going to solve the problem. You know, a bunch of things around the human side, all of it together, you know, you, you start to sort of turn the dial and make it more and more difficult for more difficult and less profitable for the attackers. But, you know, it's, it's such a huge problem.

Dan McDermott: Just on that note as well. If anyone wants to understand the report that, that Tim Watts was referring to, it's a Combating Ransomware report, which was released just at the end of April by the Ransomware Task Force. I'm just looking over like the, the, I guess the, the headlines for it right now, but, guys, everything you're talking about. It's like understanding ransomware payments, the role of crypto, cryptocurrency, a global challenge. So we'll probably share a link to this somewhere in the show notes or something, but I'd definitely give it a read, everyone listening, 'cause it's going over all the topics we talk about quite regularly.

Garrett O'Hara: Exactly. And what we do talk about, I guess, the sophistication of attacks and what's happening in terms of, you know, impersonations and ransomware and these things, but basic cyber hygiene is still so critical. Right? And we've also just recently seen the audit come back from New South Wales councils. And unfortunately not a flattering scorecard that they received either, Brad.

Bradley Sing: Yeah. And this is quite interesting 'cause I was having a look at the report. So it's a financial audit report of local government of 2020 run by the Audit Office of New South Wales. And first of all, when I read that like financial audit, I was thinking, you know, what's the relevance of cyber security? But you've got diagrams and infographics of areas suffering from drought. And then you've lost statistics. It's just in the next paragraph talking about the preparedness of some local governments when it comes to tackling the risk of cyber security. So I know that for a long time really over the past kind of four to five years, that cybersecurity is rising in priority for local councils, but to see the auditor calling it out in a report. And then also kind of singling out and it's really highlighting that a lot of local government aren't prepared for it. And it's really kind of interesting to see.

Garrett O'Hara: Yes. It's, it, it, am I right? We've, we've talked about governments and audit so many times and yeah. I, I really wish we could just spend more money and, and sort of help especially councils, right? I mean, I think it's fair to say there's budget constraints and for obvious reasons on local councils and government in general. And I think one of the papers probably last year talk about the, like they're competing for talent in the private sector and it's never not been the case to my knowledge anyway, that's, you know, private sector just tends to pay more. So you tend to get better talent and it sort of ends in this kind of reinforcing cycle where you can't build a strategy or do the right thing quite often, if, if the folks haven't got the experience or haven't been through that before. So there, there might be something that we need to address around how to get good talents into these positions to build the programs.

And then there is also the thing around paying for the update of, of legacy systems, which has been called out multiple times. Where you want to do, that to your point, Dan, you know, the Essential Eight are the basics, but actually some of the, the sort of legacy technology that's in place makes it really, really difficult to do that. And, you know, you're, you're sort of beholden then to technology that doesn't let you do the Essential Eight. There's a cost to do that, big barrier. At some point, we usually just kind of accept that and you know, I know I'm being idealistic here, but like pay the money, get it done and then we can kind of move forward. But it just feels like we're constantly kicking the ball down the road.

Bradley Sing: Just on the funding. I think it's a good point, right? And we hear a lot about, "Hey, you know, here's $500 billion towards cybersecurity. Here's, you know, another company adding more to their budget." And, you know, money doesn't always solve the problem. Like it's obviously going to help, but target funding around sustainable programs, which develop capabilities of things which are going to work. So, you know, potentially looking at things like cybersecurity traineeships for local government, as an example, like how do we get local capability and young people involved in an industry with such a big shortage. You know, train them up, get them part of the, of the ecosystem that actually keeps breeding itself. But you know, simply spending $100,000 on a new firewall or starting off a new SIEM solution, like a SIEM's a great example. SIEM can give you so much information, so many insights you didn't have before in a correlated place.

But unless you've got somebody sitting there to analyse it, it's actually not that useful. It's always better to have another help desk engineer who can triage phishing tickets as an example. So we need to make sure that I, I think the funding is done in a clever way, which, which helps build capability instead of just kind of putting in stop gaps.

Garrett O'Hara: Definitely agree like that, that is so, so spot on. But yeah, I think where my head goes is the, if you're on Windows 3.11, like you sort of have to get that taken care of. Like that, that to me is it's-

Bradley Sing: It's like a baseline, right? Like you have to do exactly.

Garrett O'Hara: Yeah. But I think you're like, you're so right there Brad, in terms of... I mean, let's be honest, that's not just government, that's in general, like folks going out and spending money on the amazing, shiny new toy that they're just not ready to, to fully use it. There's just no point in doing that. But there's definitely a point in updating, you know, to the latest version of Windows that has, you know, appropriate to security patches and is still supported and you know, an Exchange server that's maybe really old, like all of that stuff, get that done.

Um, and then, yeah, then you're at a point where, to your point, all of the training, all of that stuff starts to make sense. But you know, the humans can't really do much if you're running systems that are just so, so old. And so out of date.

Bradley Sing: Hard to teach.

Garrett O'Hara: Yeah, but, you're not preaching. Right? You gotta be able to deliver before you can then build that culture.

Bradley Sing: Yep, totally.

Dan McDermott: Hmm. For sure. Well, thanks gentlemen, for the conversation and covering these key issues again. Looking forward, Gar, who do we have for next week's episode?

Garrett O'Hara: It's Jenny Radcliffe who is just an absolute pleasure to talk to. Jenny has been on Darknet Diaries. She's fairly well known, I think, in the industry as the, the human hacker and an amazing storyteller on honestly just a total pleasure. We got to do prep calls and it was one of those ones where you know, it's a half hour prep call, but you could easily talk to her, to Jenny for like an hour or two hours. And you just don't, you don't even notice the time going. She's focused very much on the human side. So social engineering kind of, you know, manipulation of people to, to basically breach organisations. So she's less around the technical controls and very much around physical penetration of buildings, you know, getting, getting through security yards.

She has honestly just incredibly good stories. And when we stopped recording, she was, she kind of made the nice comment that we had new material because she does a lot of interviews. And luckily we got to some stuff that she never talked about before. So definitely for Jenny Radcliffe fans out there. And I know they're, they're out there, including Chelsea on our team, definitely worth a listen.

Dan McDermott: Fantastic. Really looking forward to that conversation and those stories they're very entertaining and well, a little frightening all at the same time-

Garrett O'Hara: Yes.

Dan McDermott: So. Terrific. Well, thanks again, gentlemen, and thanks all for listening. And we'll be back with you next week.
