By MySecurity Media
The podcast currently has 425 episodes available.
We speak with Anita Jacobson, Managing Director and Marina Yahya, Business Advisor at Alpine Integrated Solution Sdn Bhd in the lead up to the Top Women in Security ASEAN Region Awards 2024, Malaysia Awards Dinner.
The inaugural Asia International Security Summit & Expo (AISSE) 2025 will be held at the Putrajaya International Convention Centre (PICC) from 20th to 22nd January 2025.
AISSE 2025 is rapidly shaping up to become one of the world's most vital internal security events. It is hosted by the Ministry of Home Affairs and Royal Malaysia Police, and is jointly organised by Alpine Integrated Solution Sdn Bhd and Royal Malaysian Police Cooperative Limited.
AISSE is designed as a vital rendezvous point for law enforcement, security, and policing bodies to engage, network and exchange intelligence and expertise and at the same time synergise with security experts, technicians and strategists.
In addition to a high-tech showcase of the latest advanced technological solutions for law enforcement, security and policing, AISSE will feature the first-ever ASEAN+ Security High Roundtable Meeting 2025, comprising approximately 100 high-level delegates, including Ministers of Home Affairs, Internal Security, Interior and Chiefs of Police. These distinguished delegates and their entourage will also be programmed to visit booths of security companies, engage in networking sessions, and attend bilateral meetings.
Besides these Foreign VIP delegations, the event will naturally attract the entire ‘who's who’ from all relevant Ministries, Agencies and Bodies of the Malaysian Government, who will be in attendance throughout the three-day event.
The Inaugural Cybercrime Prevention Summit will also be held in conjunction with AISSE, in collaboration with the National Cyber Security Agency of Malaysia (NACSA). Another notable element of AISSE is that there will be approximately 30 forum sessions which will be run over the three-day period covering all areas of internal security and policing.
For more information on Asia's Premium Security Showcase, AISSE 2025, please visit www.aisse.my
For the Women in Security ASEAN Region Awards visit https://womeninsecurityaseanregion.com/
#topwomeninsecurityasean #mysecuritytv
Sixty-four percent of cybersecurity professionals in Australia say their role is more stressful now than it was five years ago, according to the newly released 2024 State of Cybersecurity survey report from ISACA, a global professional association advancing trust in technology.
The annual study, sponsored by Adobe, showcases the feedback of more than 1,800 cybersecurity professionals globally on topics related to the cybersecurity workforce and threat landscape. According to the data, Australian cybersecurity professionals are feeling the stress at slightly higher rates than their global peers for reasons including:
Global cybersecurity professionals are feeling the strain of insufficiently trained staff at a higher rate than in Australia, at 45 percent compared to 37 percent locally.
In response to new questions asked in this year's study, security teams in Oceania noted they are primarily using AI for:
We speak with ISACA's Jon Brandt, Jenai Marinkovic and Jo Stewart-Rattray on the outcomes of the latest report.
Read more: https://australiancybersecuritymagazine.com.au/isaca-research-reveals-cyber-professionals-are-feeling-the-strain/
Get a copy of the report here: https://www.isaca.org/resources/reports/state-of-cybersecurity-2024
We speak with Dina Mathers, Chief Information Security Officer, Carvana alongside Nick Mckenzie, Chief Information & Security Officer with Bugcrowd.
Dina Mathers, who leads Information Security at Carvana - was recently awarded the CISOs Top 100 Accelerated CISOs Award which recognizes leaders who are shaping the future of cybersecurity.
Carvana engages Bugcrowd for bug bounty and vulnerability assessments, with Dina giving candid insights into the scalability, business value and assurances that the Bugcrowd platform provides.
Carvana (NYSE: CVNA) is an industry pioneer for buying and selling used vehicles online. As the fastest growing used automotive retailer in U.S. history, its proven, customer-first ecommerce model has positively impacted millions of people's lives through convenient, accessible and transparent experiences.
Carvana allows customers to browse a nationwide inventory and purchase a vehicle from the comfort of their home entirely online, benefiting from a 7-day money back guarantee, home delivery and more. Customers also have the option to sell or trade-in their vehicle online in seconds.
For the full interview and more information visit https://mysecuritymarketplace.com/bugcrowd-register-to-access/
#bugcrowd #cisoseries #mysecuritytv #cybersecurity
We had the privilege of speaking with Steven Sim, Chair of the OT-ISAC Executive Committee, during the recent summit in Singapore. As a seasoned expert in operational technology (OT) cybersecurity, Sim shared valuable insights into the importance of information sharing, the growing threat of ransomware, and the transformative role of AI in cybersecurity.
Kicking off the podcast, Steven introduced the Executive Committee and its pivotal role in driving OT-ISAC’s mission to foster a collaborative community and promote best practices. By providing advisory support and strategic guidance, the committee ensures OT-ISAC stays at the forefront of cybersecurity initiatives.
Balancing Information Sharing and Confidentiality
One of the most pressing challenges in OT cybersecurity is striking the right balance between information sharing and safeguarding sensitive data. Sim explained that OT-ISAC has implemented measures such as the Traffic Light Protocol (TLP) and data anonymization to protect confidentiality while promoting collaboration. The platform also uses STIX and TAXII to automate the exchange of cyber threat intelligence, enabling members to share and respond to emerging threats quickly.
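What "TLP marking plus anonymization" looks like at the object level, as an added example that is not OT-ISAC's code or tooling: a member-submitted STIX 2.1 indicator (constructed here) has its originating identity, internal hostnames and custom member fields stripped, receives a single TLP marking, and is gated before a TAXII push so that an object never leaves the ISAC on a channel whose TLP ceiling is lower than its marking. The ISAC identity, the TLP marking-definition IDs and the indicator are all generated locally for the example; the STIX 2.1 specification defines canonical IDs for the TLP markings, which a real feed should use instead.

```python
"""Added example (not OT-ISAC's code): anonymize a member's STIX 2.1 indicator,
attach a TLP marking and gate it against a sharing channel's TLP ceiling."""
import copy
import json
import re
import uuid

# Constructed identifiers: deterministic UUIDv5 so the example is repeatable.
# A production feed uses the canonical TLP marking-definition IDs from the
# STIX 2.1 spec rather than locally generated ones.
ISAC_IDENTITY = "identity--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "isac-example"))
TLP_ORDER = ["clear", "green", "amber", "red"]
TLP = {
    level: {
        "type": "marking-definition",
        "spec_version": "2.1",
        "id": "marking-definition--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "tlp-" + level)),
        "created": "2024-01-01T00:00:00.000Z",
        "definition_type": "tlp",
        "name": "TLP:" + level.upper(),
        "definition": {"tlp": level},
    }
    for level in TLP_ORDER
}

# Constructed member submission: the detection pattern is the intelligence;
# everything naming the member, its site or its internal hosts must not leave.
MEMBER_SUBMISSION = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "submission-1")),
    "created": "2024-09-05T06:30:00.000Z",
    "modified": "2024-09-05T06:30:00.000Z",
    "created_by_ref": "identity--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "example-water")),
    "name": "Modbus write from untrusted host at Example Water Pumping Station 3",
    "description": "Example Water SOC saw repeated FC16 writes to PLC 10.20.30.40 from 203.0.113.7.",
    "pattern": "[ipv4-addr:value = '203.0.113.7']",
    "pattern_type": "stix",
    "valid_from": "2024-09-05T06:00:00.000Z",
    "x_member_site": "Pumping Station 3",
    "x_member_ticket": "EW-SOC-4471",
}

# RFC 1918 ranges: internal addresses in free text identify the member's network.
PRIVATE_IPV4 = re.compile(r"\b(10\.\d{1,3}|192\.168|172\.(1[6-9]|2\d|3[01]))(\.\d{1,3}){1,2}\b")


def anonymize(obj, redact_terms, isac_identity=ISAC_IDENTITY):
    """Return a copy with member attribution removed: created_by_ref re-pointed
    at the ISAC, custom x_* properties dropped, member names and internal hosts
    redacted from free text. The pattern (the actual intelligence) is untouched."""
    out = copy.deepcopy(obj)
    out["created_by_ref"] = isac_identity
    for key in [k for k in out if k.startswith("x_")]:
        del out[key]
    for field in ("name", "description"):
        if field in out:
            text = out[field]
            for term in redact_terms:
                text = re.sub(re.escape(term), "[REDACTED]", text, flags=re.IGNORECASE)
            out[field] = PRIVATE_IPV4.sub("[INTERNAL-HOST]", text)
    return out


def apply_tlp(obj, level):
    """Attach exactly one TLP marking, replacing any marking the member set."""
    out = copy.deepcopy(obj)
    out["object_marking_refs"] = [TLP[level]["id"]]
    return out


def tlp_level(obj):
    """Return the object's TLP level, or None if it carries no TLP marking."""
    by_id = {m["id"]: lvl for lvl, m in TLP.items()}
    for ref in obj.get("object_marking_refs", []):
        if ref in by_id:
            return by_id[ref]
    return None


def may_share(obj, channel_max):
    """Gate for a TAXII push: the object's TLP must be at or below the channel's
    ceiling, and unmarked objects are never shared."""
    lvl = tlp_level(obj)
    return lvl is not None and TLP_ORDER.index(lvl) <= TLP_ORDER.index(channel_max)


def build_bundle(objs):
    """Wrap objects plus the marking definitions they reference in a STIX bundle."""
    needed = {ref for o in objs for ref in o.get("object_marking_refs", [])}
    markings = [m for m in TLP.values() if m["id"] in needed]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": markings + objs}


if __name__ == "__main__":
    shared = apply_tlp(anonymize(MEMBER_SUBMISSION, ["Example Water", "Pumping Station 3"]), "amber")
    print(json.dumps(build_bundle([shared]), indent=2))
    print("cross-border feed (ceiling TLP:AMBER):", may_share(shared, "amber"))
    print("public feed (ceiling TLP:GREEN):", may_share(shared, "green"))
```

The redaction list is supplied by the submitting member (they know their own site names), and the gate refuses unmarked objects rather than defaulting them to a permissive level, so an object that slipped through without a marking fails closed.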
Cross-Jurisdictional Collaboration
With cyber threats spanning borders, cross-jurisdictional collaboration is essential. Sim highlighted that OT-ISAC allows members to share threat intelligence across different regions without breaching data sovereignty regulations by anonymizing the information sources. This approach strengthens global defenses against transnational cyberattacks.
The Growing Threat of Ransomware
Ransomware remains a significant risk to OT environments. Steven urged organizations to avoid paying ransoms, citing the risks and long-term consequences. Instead, he emphasized the importance of investing in strong business continuity and incident response plans. By focusing on resilience and preparedness, organizations can minimize their exposure to future attacks.
AI’s Role in OT Cybersecurity
Sim also discussed the potential of AI in OT cybersecurity, noting its ability to streamline incident response and improve threat detection. He cautioned, however, that while AI offers powerful advantages, it must be deployed with human oversight to manage the risks that come with automated systems.
Steven Sim has worked for more than 25 years in the cybersecurity field with large end-user enterprises and critical infrastructures. He has undertaken a global CISO role, driven award-winning CSO50 security governance and management initiatives, and headed incident response, security architecture, technology, awareness and operations at local, regional and global levels. He leads cybersecurity across a large MNC, heading 8 direct reports in the Group Cybersecurity Department as well as indirect reports across regional offices and local business units in 42 countries.
He oversees both IT and OT Security Governance, Global Cybersecurity Technology Management and Incident Response as well as Cyber Security Masterplan Office.
Always keen to give back to the community, he also volunteers at the ISACA Singapore Chapter (which won the ISACA Global Outstanding Chapter Achievement award in 2022), where he served as President from 2021 to 2022, and since 2021 at OT-ISAC, the second key thrust of Singapore's OT Cybersecurity Masterplan 2019, as Chair of the Executive Committee. He is also a member of the Geneva Dialogue Technical Community and holds a Masters in Computing, CCISO, CGEIT, CRISC, CISM, CISA, CDPSE and CISSP, as well as the technical certifications GICSP, GREM, GCIH and GPPA.
Recorded 5th September 2024, 2.30pm, at the Singapore Operational Technology Information Sharing and Analysis Summit 2024.
#otcybersecurity #mysecuritytv #cybersecurity #singaporecybersecurity
We sat down with Cassie Crossley to explore the complexities of supply chain risks, particularly within the realm of operational technology (OT).
Comprehensive Supply Chain Security - Crossley detailed the stages of the supply chain (design, development and fabrication) where both deliberate and accidental abuses can occur. Each stage presents its own risks: compromised design specifications, development flaws, or issues during fabrication. She emphasized that securing the software supply chain requires a holistic approach that goes beyond software alone; it must also cover firmware and hardware. For example, when working with an Intel chip, securing both the software and the firmware associated with that chip is critical. Firmware runs at a low level on the hardware and is fundamental to overall system security: a vulnerability in firmware can compromise the entire system beneath the software layer, which is why it must be secured alongside software and hardware.
Challenges in Secure by Design - Crossley also noted that "secure by design" principles usually originate from an IT perspective and may not translate seamlessly to OT environments. Certain IT controls, such as multi-factor authentication (MFA), may be impractical or unnecessary in OT given specific operational needs. OT devices are also multi-generational, which increases the risk of outdated security designs persisting in the field. OT systems such as programmable logic controllers (PLCs) used in industrial settings have distinct requirements and constraints and need tailored security approaches.
Automated Patching Issues - Crossley highlighted that automated patching in OT environments can pose safety concerns and cause downtime. Unlike IT systems, where automated updates are routine, OT systems often require careful, manual handling so that critical processes are not disrupted. An unplanned update can interfere with vital safety mechanisms, which is why OT update management needs to be controlled and deliberate.
SBOM (Software Bills of Materials) - Crossley pointed out that while generating an accurate Software Bill of Materials (SBOM) for modern technologies is relatively straightforward, it becomes harder for multi-generational OT products because of outdated build practices and the limits of current scanning tools. Scanners are good at identifying open-source components but struggle with proprietary or commercial libraries, and discrepancies in version identification are a real problem, particularly when specific versions carry known vulnerabilities.
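The version-identification gaps just described are something a consumer of an SBOM can check for mechanically. As an added example (not code from the episode or from Schneider Electric), the script below audits a constructed CycloneDX JSON SBOM for the failure modes the paragraph names: a proprietary component the scanner could not version, a component recorded as a range rather than an exact version, and a component whose version field disagrees with its package URL (purl). It then cross-checks exact versions against a constructed list of known-bad versions; the component names, versions and the vulnerability list are all made up for the example and are not real advisory data.

```python
"""Added example (not from the episode): audit a CycloneDX JSON SBOM for the
version-identification gaps that defeat vulnerability matching."""
import json
import re

# Constructed sample SBOM. Component names and versions are illustrative only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        # well-identified open-source component
        {"type": "library", "name": "openssl", "version": "1.1.1w",
         "purl": "pkg:generic/openssl@1.1.1w"},
        # proprietary library the scanner found but could not version
        {"type": "library", "name": "vendor-rtos-stack", "version": "unknown"},
        # a range: cannot be matched against an advisory for one version
        {"type": "library", "name": "libmodbus", "version": ">=3.1.0"},
        # version field and purl disagree: a purl-keyed lookup checks the wrong one
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.13"},
    ],
})

# Constructed known-bad list of (name, exact version). Not real advisory data;
# a real check would query NVD/OSV keyed by purl.
KNOWN_BAD = {("openssl", "1.1.1w"), ("zlib", "1.2.11")}

# Exact dotted version, optional letter suffix (1.1.1w) and build metadata.
EXACT_VERSION = re.compile(r"^\d+(\.\d+)+[a-z]?([+-][0-9A-Za-z.]+)?$")


def purl_version(purl):
    """Return the version encoded in a package URL, or None if it has none."""
    if not purl or "@" not in purl:
        return None
    return purl.rsplit("@", 1)[1].split("?", 1)[0]


def audit_sbom(sbom_json, known_bad=KNOWN_BAD):
    """Return (component name, issue code, detail) tuples.

    missing-version   no usable version string (the scanner gave up)
    inexact-version   a range or wildcard; cannot be matched to an advisory
    no-purl           no package URL, so no machine-checkable identity
    purl-mismatch     version field disagrees with the purl
    known-vulnerable  exact version appears in the known-bad list
    """
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp.get("name", "<unnamed>")
        version = (comp.get("version") or "").strip()
        purl = comp.get("purl")
        if not version or version.lower() in {"unknown", "n/a", "none"}:
            findings.append((name, "missing-version", version or "<empty>"))
            continue
        if not EXACT_VERSION.match(version):
            findings.append((name, "inexact-version", version))
            continue
        if purl is None:
            findings.append((name, "no-purl", version))
        else:
            pv = purl_version(purl)
            if pv is not None and pv != version:
                findings.append((name, "purl-mismatch", f"{version} vs purl {pv}"))
        # Match on the declared version field, not the purl, so a mismatch
        # cannot hide a vulnerable version behind a clean-looking purl.
        if (name, version) in known_bad:
            findings.append((name, "known-vulnerable", version))
    return findings


if __name__ == "__main__":
    for name, issue, detail in audit_sbom(SAMPLE_SBOM):
        print(f"{issue:17} {name}: {detail}")
```

The zlib entry is the case worth noticing: a tool that keys its vulnerability lookup on the purl alone would check 1.2.13 and report the component clean, while the declared version 1.2.11 is on the known-bad list. Every inexact or missing version is a component the SBOM cannot vouch for, and on a multi-generational OT product those are exactly the entries that need a manual answer from the supplier.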
Role of AI in Software Development - She also pointed out how AI can quickly analyze vast amounts of data, identifying risks and correlations between projects that would take humans far longer to detect. For example, AI can track a maintainer's contributions across multiple projects to spot potential security risks, such as involvement in both malicious and non-malicious projects. AI is also increasingly giving developers precise guidance on fixing specific vulnerabilities: instead of generic suggestions, it recommends the best code change for the given context, speeding up development and improving code security.
Supplier Assessment - Crossley advised that supplier assessments should focus on specific aspects of vulnerability management and product security rather than generic compliance questions. It is crucial to ask suppliers about their vulnerability management practices and how they ensure product security. She emphasized the importance of transparency from suppliers about their manufacturing processes, product variations and supply chain details, and advocated detailed questions as the way to understand and mitigate risk.
Positive Cultural Shift - Crossley shared an encouraging trend: companies are increasingly prioritizing supply chain security. A notable example is a supplier that created a Product Security Officer position after facing rigorous scrutiny, reflecting a shift towards more robust supply chain security practices.
Cassie Crossley, Vice President, Supply Chain Security in the global Cybersecurity & Product Security Office at Schneider Electric, is an experienced cybersecurity technology executive in Information Technology and Product Development and author of “Software Supply Chain Security: Securing the End-to-End Supply Chain for Software, Firmware, and Hardware”. She has many years of business and technical leadership experience in supply chain security, cybersecurity, product/application security, software/firmware development, program management, and data privacy.
#mysecuritytv
We sat down with Tim Conway and Robert Lee, two leading cybersecurity experts, to discuss pressing issues in OT cybersecurity.
CrowdStrike Lessons Learned
Tim and Robert began by examining the CrowdStrike incident from July 2024. They highlighted the dangers of over-relying on trusted technology without sufficient testing and verification, and the importance of integrating resilience into systems and avoiding a one-size-fits-all security approach.
Cyber Threat Landscape
Robert discussed the rise of sophisticated malware like Fuxnet, FrostyGoop and PIPEDREAM, designed to target OT systems. Fuxnet was a highly targeted attack aimed at disrupting critical infrastructure in Russia, while FrostyGoop used similar techniques against Ukraine. In contrast, PIPEDREAM is a more versatile attack framework applicable to a range of OT systems.
He underscored an important lesson: even if specific malware isn't reused, studying its tactics can improve our prevention, detection, and response strategies. The key takeaway: threats to OT environments are growing, with increasingly targeted efforts from a range of actors.
Critical Control – ICS Network Visibility
Tim and Robert addressed the challenges of gaining visibility into OT devices. Tim noted that OT environments are diverse and require more than a one-size-fits-all approach. Each environment has unique characteristics that must be considered. While attackers exploit both commonalities and specific features, defenders must balance the need for visibility with the risk of disrupting operations. Legacy systems without modern security features further complicate these efforts. Despite historical challenges in visibility due to limited capabilities and resistance to change, recent technological advances have improved the situation. However, new technologies, such as encryption, introduce additional complexities. A balanced approach, using critical controls as a framework, is essential for prioritizing security efforts and adapting to evolving needs.
Critical Control – Incident Response Plan
Tim and Robert highlighted that many organizations lack specific incident response plans for OT, relying instead on general IT plans. Backup plans for power outages often do not address cyber attack scenarios. Effective OT incident response requires a tailored plan that includes data collection, safety procedures, and appropriate tools. In addition, maturity in incident response involves having a detailed, operationally integrated plan that addresses various scenarios, including handling outages and restoring systems without SCADA support.
OT and IT Convergence
Tim and Robert discussed several crucial aspects of OT security. They noted that the increasing interconnection between IT and OT systems has elevated the risk of attacks transitioning from IT to OT environments. Additionally, remote access, often used for vendor support, presents a significant security threat.
They emphasized the distinct characteristics of OT systems, which necessitate specialized security approaches. Treating OT and IT as identical can lead to dangerous oversimplifications and vulnerabilities. Therefore, security measures must be tailored to the specific needs of OT environments, considering their safety, physical constraints, and unique risks.
Tim and Robert also touched on cyber-informed engineering. Key takeaways include recognizing common attack vectors from IT systems, implementing distinct security strategies for OT, and avoiding the assumption that OT and IT are the same. Tailoring security measures to the specific needs and constraints of OT environments is essential for effective protection.
Celebrating Wins
Finally, Tim and Robert highlighted the importance of celebrating cybersecurity successes, such as defending against VOLTZITE. Recognizing and celebrating these victories can boost morale and encourage teams to continue their efforts.
Tim Conway, Senior Instructor, https://www.sans.org/profiles/tim-conway/
Tim serves as the Technical Director of ICS and SCADA programs at SANS, and he is responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. A recognized leader in CIP operations, he formerly served as the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO), where he was responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric.
Robert M. Lee, Fellow, https://www.sans.org/profiles/robert-m-lee/
SANS fellow Robert M. Lee brings to the classroom one of the most valuable and respected credentials: real-world experience. Robert is the CEO and founder of Dragos, Inc., which provides cybersecurity solutions for industrial control system networks.
Further viewing: https://youtu.be/BiUpuRk6pvA?si=xQcx9oiJOxQu0n7H
#mysecuritytv #otcybersecurity
This episode dives into OT Cybersecurity and discusses:
SCADA, ICS & IIoT Cybersecurity
How do we define an OT-related cyber incident?
What are the leading standards and guidelines for managing OT Cybersecurity and resilience?
Threat intelligence and suitable ISAC models
Vendor platform insights and cyber maturity landscape
Speakers include:
Daniel Ehrenreich, Secure Communications and Control Experts
Lesley Carhart, Director of Incident Response - Dragos
Ilan Barda, Founder - Radiflow
Rahul Thakkar, Team Lead, System Engineering, ANZ, Forescout
Dean Frye, Solutions Architect ANZ, Nozomi Networks
To visit and subscribe to the full series visit https://mysecuritymarketplace.com/security-risk-professional-insight-series/
#mysecuritytv #otcybersecurity
Further reading:
https://mysecuritymarketplace.com/reports/your-guide-to-nis2-compliance/
https://www.forescout.com/research-labs/ot-iot-routers-in-the-software-supply-chain/
https://cyberriskleaders.com/critical-infrastructure-organisations-remain-poorly-prepared-against-cyber-attacks/
In March 2024, the Australian Senate resolved that the Select Committee on Adopting Artificial Intelligence (AI) be established to inquire into and report on the opportunities and impacts for Australia arising out of the uptake of AI technologies in Australia. The committee intends to report to the Parliament on or before 19 September 2024.
More than 40 Australian AI experts made a joint submission to the Inquiry. The submission from Australians for AI Safety calls for the creation of an AI Safety Institute. “Australia has yet to position itself to learn from and contribute to growing global efforts. To achieve the economic and social benefits that AI promises, we need to be active in global action to ensure the safety of AI systems that approach or surpass human-level capabilities.” “Too often, lessons are learned only after something goes wrong. With AI systems that might approach or surpass human-level capabilities, we cannot afford for that to be the case.”
This session has gathered experts and specialists in their field to discuss best-practice alignment of AI applications and their use with safety and cybersecurity requirements. This includes quantum computing, which is set to transform sustainability, cybersecurity, ML, AI and many optimisation problems that are out of reach for classical computers. In addition, we will also be briefed on:
OWASP Top 10 for Large Language Model Applications, shedding light on the specific vulnerabilities LLMs face, including real-world examples and a detailed exploration of five key threats illustrated with prompts and responses from LLMs: prompt injection, insecure output handling, model denial of service, sensitive information disclosure, and model theft;
How traditional cybersecurity methodologies can be applied to defend LLMs effectively; and
How organisations can stay ahead of potential risks and ensure the security of their LLM-based applications.
Panelists
Dr Mahendra Samarawickrama
Director | Centre for Sustainable AI
Dr Mahendra Samarawickrama (GAICD, MBA, SMIEEE, ACS(CP)) is a leader in driving the convergence of Metaverse, AI, and Blockchain to revolutionize the future of customer experience and brand identity. He is the Australian ICT Professional of the Year 2022 and a director of The Centre for Sustainable AI and Meta61. He is an Advisory Council Member of Harvard Business Review (HBR), a Committee Member of the IEEE AI Standards, an Expert in AI ethics and governance at the Global AI Ethics Institute (GAIEI), a member of the European AI Alliance, a senior member of IEEE (SMIEEE), an industry Mentor in the UNSW business school, an honorary visiting scholar at the University of Technology Sydney (UTS), and a graduate member of the Australian Institute of Company Directors (GAICD).
Ser Yoong Goh
Head of Compliance | ADVANCE.AI | ISACA Emerging Trends Working Group
Ser Yoong is a seasoned technology professional who has held various roles with multinational corporations, consulting and also SMEs from various industries. He is recognised as a subject matter expert in the areas of cybersecurity, audit, risk and compliance from his working experience, having held various certifications and was also recognised as one of the Top 30 CSOs in 2021 from IDG.
Shannon Davis
Principal Security Strategist | Splunk SURGe
Shannon hails from Melbourne, Australia. Originally from Seattle, Washington, he has worked in a number of roles: a video game tester at Nintendo (Yoshi’s Island broke his spirit), a hardware tester at Microsoft (handhelds have come a long way since then), a Windows NT admin for an early security startup and one of the first Internet broadcast companies, along with security roles for companies including Juniper and Cisco. Shannon enjoys getting outdoors for hikes and traveling.
Greg Sadler
CEO | Good Ancestors Policy
Greg Sadler is CEO of Good Ancestors Policy, a charity that develops and advocates for Australian-specific policies aimed at solving this century's most challenging problems. Greg coordinates Australians for AI Safety and focuses on how Australia can help make frontier AI systems safe. Greg is on the board of a range of charities, including the Alliance to Feed the Earth in Disasters and Effective Altruism Australia.
Lana Tikhomirov
PhD Candidate, Australian Institute for Machine Learning, University of Adelaide
Lana is a PhD Candidate in AI safety for human decision-making, focused on medical AI. She has a background in cognitive science and draws on bioethics and knowledge of algorithms to understand how to approach AI for high-risk human decisions.
Chris Cubbage
Director - MYSECURITY MEDIA | MODERATOR
For more information and the full series visit https://mysecuritymarketplace.com/security-risk-professional-insight-series/