• Profile picture for user Daniel McDermott

    Daniel McDermott

    Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.


    Add comment

On this week’s episode, the team are back to look behind the cyber news, starting with the announcement from the Home Affairs Department to restructure in order to give government a ‘cyber spine’. We investigate the plan from the European Central bank to run stress tests on cyber resilience across Europe’s top banks in response to the sharp rise in cyber attacks. To wrap up the show, we discuss the new “bootkit” malware called BlackLotus and the risk it poses as well as a lightning round of the latest breaches and vulnerabilities to make the headlines.


The Get Cyber Resilient Show Episode #127 Transcript

Dan McDermott: Welcome to episode 127 of the Get Cyber Resilient Show. Today is our Behind the Cyber News edition of the show. I'm Dan McDermott, your host, and I'm joined by our resident cybersecurity experts, Garrett O'Hara and Vinh Nguyen.

Today, we will begin by looking into the announcement from the Home Affairs Department to restructure in order to give the government a cyber spine. Next, we will dive into the plan from the European Central Bank to run stress tests of cyber resilience across Europe's top banks, following the sharp rise in cyber attacks over the past 12 months. And our final deep-dive story is a look at a new bootkit malware called BlackLotus, and the risk that it poses. And we'll end with a wrap of the latest breaches and vulnerabilities to make the headlines.

Gar and Vinh, welcome back to the podcast. And as always, there's plenty of news headlines for us to delve behind. Gar, let's begin by taking a look at the latest announcement from the Home Affairs Minister, Clare O'Neil, on the department's restructuring, and how this will help create a so-called cyber spine for the Federal Government.

Garrett O'Hara: [laughing] Cyber spine, that's a, you know, that's a cute [inaudible 00:01:18] ... Somebody's gonna trademark that, and we're gonna have probably a new product, hey?

Dan McDermott: [laughs]

Garrett O'Hara: Cyber spine. Yeah, like, it's, ... It's happening around the world, right? I mean, we saw the US re- releasing their cyber strategy. But looking, I think what's happening here kinda makes sense, the rejigging of the DHA. And, and I think what it is, is ack- acknowledging how much the risk has changed for Australia the citizens, the businesses, the government. And, like, i-, DHA now kinda reflecting more of the cybersecurity concerns whether, you know, it's breaches, or foreign interference type stuff you know, influence attacks as they call them. And I think it fits in perfectly with that sense that I think most people who have, you know, kinda tuned into the news would have around the geopolitics, and just a general sense of nations kinda circling the wagons, you know, borders going up, you know, much more concentration on even more concentration, I suppose, by, from, by most countries.

I think Claire is, is often saying what many folks in our cybersecurity industry have been thinking for kind of a long time which is really that's ... You know, this is a ... It's a big problem, and we're probably behind where we need to be. I'd say that's at an industry level and, and also to kinda national level. That it is serious and you know, well, we haven't really seen the, the big thing that many people are waiting for. It, it could be only a matter of time and I know I kinda bleed on about the CNI stuff a lot and just, you know, this, that worrying that could be. But I think Claire is spot on and just, you know, getting the, the, the DHA kinda lined up behind this properly and making service creating more of a focus and then doing it now.

And that's the thing I would say about what I've seen from her so far, like, sure, you kinda think, "Well, it's just saber-rattling," but this is ... It, it, it's happening quite quickly, like, some of the changes that she's putting in place and and some of the, the, the, you know, the change within the DH, but also the kinda, the coordination that she's looking to get in place at a national level. And that sort of stuff I think is, is actually quite important. And, and again reflects what's happening around the world. Like, Australia is not unique in this. It's the same in the UK, same in the US, et cetera.

Dan McDermott: Yeah. An interesting part of this is the, the notion of this new role that they're setting up around the coordinator for cyber security, you know, and got a pretty big task ahead of them looking at, you know, the structure strategy, what they need to do, and being able to actually say, like, are the ... I mean, this is a quote from Claire, "Are the billions of dollars being spent on cyber actually being spent in the right way as well?" So it's gonna be interesting to see, you know, the appointment of that person and how they can manage, you know, across that ... I mean they'd be able to effectively, you know, measure some of the effectiveness of, of the spending that the government put in place. So it sounds like some accountability coming to to the notions that are happening as well.

Garrett O'Hara: And accountability, like, that is so important. Right? I think that's the, the thing. There's a lot of money sloshes around in governments in every governments. Australian thing, obviously. But to your point, Dan it's ... There's so much bureaucracy and layers that are involved in government whether that's kinda, you know, federal, state or local. I think that accountability part is, is actually really, really important. And you know, we've seen Tom again, right, when the audits happen, how far off governor, organizations and entities are from like stated goals, whether that's alignment to ASD or you know, that, just a general audits that happened for cyber security. So I think, you know, the, the, the double pronged approach of first of all getting the coordination in place and at a national level, that's, that's going to be fantastic.

And, you know, the analogy I was thinking of earlier today was when 9/11 happened in the US, one of the things that was kind of very obvious was that there was a, you know, weakness that existed not through the work of individual, vidual agencies but actually the kind of overarching view of cyber and ... Well, sorry, at the time with 9/11, the, the three letter [laughs] agency's role potentially doing really good work, but it just took somebody to have the conversation and integrate the intel between them to potentially get to a better outcome. Cyber is the same. I think you and I actually spoke about this a couple of years ago. Was there there was a statement to parliament. And so- sort of buried in one of the documents there was the fragmented nature of the reporting that was happening and that's, that's years ago. I can't even remember what that ... I think it was the statement of parliament, something like that, on cyber. And so many PDFs, so little time [laughs] to, you know, to remember.

Dan McDermott: [laughs]

Garrett O'Hara: But I do remember, you know, I was talking about that like, what, what a weakness that is when you think about the the metrics that are being reported on, they're so fragmented. There's no unified view of where we're at, whether the spend is being effective or not being effective. So I think that's a really good, good sort of outcome of this. And then also from an incident response perspective as well, that integrated, coordinated approach to what that looks like I think that's going to be really, really important as well. I mean, this sort of lighthearted comment is I think they need a better title because coordinated ... I think it's Coordinated for Cyber Resilience, I think, was the title or-

Dan McDermott: Yeah.

Garrett O'Hara: ... something like that.

Dan McDermott: It was Coordinated for Cybersecurity.

Garrett O'Hara: [inaudible 00:06:43], they need Commander of the Night Watch. We need something a bit more punchy for, [

Dan McDermott: laughs]

Garrett O'Hara: ... for a role that that is that important. Obviously, I'm just kidding there. I mean, the ... I think the function is so important to, to get this right. And as you say, it's a huge remit and a huge amount of responsibility. But from what I've read, it looks like this is stuff that they're looking to get in place as early as next month. Which is beautiful, right? This isn't a, you know ... We're, we're doing the evaluations to set up the committee to have the discussion around the potential for a steering committee.

Dan McDermott: [laughs]

Garrett O'Hara: Like they're actually doing stuff which is, it's heartening. You know, good, good times.

Dan McDermott: Yeah. I wonder how long it'll take for this Coordinated for Cybersecurity to be the most popular person in the cybersecurity given the, the massive budget and spend they're gonna have I guess being told the strategy. And, I mean, it's great to hear that they are a month out, but, you know, if they had more time I would have said, "Hey, God, Dan, like if you ever needed a refe- referral, I'm more than happy to kinda patch for you guys to jump in. Throw your hat in the ring."

Garrett O'Hara: You know, I would be so bad at that job. It's not even funny [laughs].

Dan McDermott: [laughs] Well, we'll give you a different challenge, Garrett. I think it would be like looking forward to having them as a guest on the, on the podcast.

Garrett O'Hara: There you go.

Dan McDermott: So you know ... So definitely do that.

Garrett O'Hara: That'd be cool.

Dan McDermott: We can give you that one.

Garrett O'Hara: Look, this, this stuff I don't know what you guys think but it's, it's starting to feel more and more every time, you know, we talk on the, the news episodes, but like when you track it over per year over year, the importance of a national level is just it's going up and up all the time in a really constructive, I would, I would think away, and mentor ... Reflecting on some of the stuff that came out of the US strategy which was last week or the week before where some of it's like it's, it's pretty solid stuff. And, like, I think in their case they're doing things around and they almost think about pushing the tooth [laughs], you know, the toothpaste back in the tube with some of it. Where, you know, for, for so many years, ... And we've talked about this, you know, the, the idea that, you know, companies are pushed to grow rather than be secure. And, you know, that's the free market's ... Just doing what free market's will, which is, you know, kinda grow at all expenses and, you know, externalized costs to your users and take the risks with data.

And, and you're starting to see some of the stuff with the US strategy where, ... Some of their pillars around ... I, I should have this in front of me, but, you know, it's basically how do you get the industry and the market to do the right thing by national cyber resilience.

Dan McDermott: [inaudible 00:09:13].

Garrett O'Hara: And the issues that we've, ... We've actually talked about now on this with... Well in the news episodes, I know we spoke about with Dmitri Alperovitch, [inaudible 00:09:23] around things like IoT. And, you know, had the market drives towards cheap stuff that you can put in place, but, you know, they're released with, you know, username and password of admin, admin, and zero security. But, you know, it's an awesome little IP connected security camera or, you know, kettle that ... I don't know what it ... what could you do in a kettle? The kettle that, you know, tells your phone what temperature the water is at and when the tea is ready, or whatever. But, you- you know, but now starting to see a little bit of pushback on that stuff where, and it's going to take ...

It's not like this is instant, but, you know, you're going to start to see the, the hopefully the slow change in markets through, through this kind of stuff where you now have to kinda do IoT IoT well and you have to, I don't know, align to sort of, I don't know, list or software development life cycles or big eyes or whatever it is. But, like, good security practices as you're developing products. So yeah, I think it's around the world. Some good stuff happening with this governments. Yeah.

Dan McDermott: Yeah. And it's obviously all around the, the stated notion of wanting Australia to be the most cyber secured country in the world by 2030. And I guess, you know, when you look at that, we've sort of laughed a couple of times around like, you know, well lucky by 2030 because I heard the big attacks coming in 2031. That's what they're planning for.

Garrett O'Hara: [laughs]

Dan McDermott: So, like, we should be okay. Which is, which is good. And the second part is, is how do you know that you're the most secure? How do you rank? And it's really interesting that MIT have actually just released a report around this. So MIT, the famed obviously university out of Boston have just done a, a research study around the G20 countries in the world minus Russia and including Poland. And done a survey of CI- 50 CISOs from each country around 16 different sort of pillars and contributing factors that they're looking at around trying to get an understanding of sort of where does, where does each nation sort of fit in terms of their strategies, their approaches and their resilience at a government, organizational and sort of person level.

They actually looked at four core pillars as part of it. One is, is that one he's spoke about, Garrett, around CNI, around critical infrastructure and what is being done around that. Second is around the resourcing for cyber security and what is in place for that. The third pillar is around organizations' capacity. So are, are boards prioritizing spend? Is it actually seen as an important aspect and is there the focus around it from an organizational perspective? And the fourth pillar is around policy commitment. So things that you said like around regulatory. We spoke about, you know, the privacy changes coming and all of those type of things. So there's, oh, those four pillars and they did this survey and have actually ranked all the nations. And on top, despite all of failing ASD audits and everything else, on top of the rankings is Australia.

So Australia placed first in this, in this report. It's called the Cyber Defense Index. So we were number one on that and it reflects the efforts to make robust digital infrastructure widely available. And it talks about the fact that the Australian Government strives to use digital tools and regulations to safeguard personal data and digital transaction, and it's committed to overhauling cybersecurity laws pledging to shelve previous road maps that, you know, maybe weren't, you know, weren't going to be effective. And it really is also highlights the importance of this and the reaction since like the Optus breach that gets called out as well.

So if anybody's interested in reading more on the MIT report and where different nations fit re- really interesting to see Australia coming out on top. Netherlands was number two, by the way. Been interesting to sort of see where we fit and how I guess the gaps that we know that still exist yet, you- you know, relatively speaking seem like so far our [inaudible 00:13:33] community thinks that, you know, as organizations and as a, as a government we're doing a reasonable job.

Garrett O'Hara: We need the the edit to include the national anthem in the background as you're going through that, Daniel. I feel the burst of patriotism there that we're doing so well. That's awesome news though. Maybe they have a Cyber Olympics in the future.

Dan McDermott: [laughs]

Garrett O'Hara: You know, we could start getting some gold medals under our belts.

Dan McDermott: We love the gold medal,-

Garrett O'Hara: Yeah.

Dan McDermott: ... so why not [laughs]?

Garrett O'Hara: [laughs]

Dan McDermott: Garrett, we'll move on to our next story. It was something that you sort of spoke about a little bit around, like, how do you test for cyber resilience and how do you sort of raise the standards? And the next story is around the European Central Bank looking to stress test the cyber resilience of European banks. Then, how can a sort of central bank play a role in cyber security?

Garrett O'Hara: I guess given that it's the central bank here, it looks after a lot of little banks underneath it, right? The European Central Bank, if you kinda compare it to the Reserve Bank of Australia I guess it's a banks bank, right, in financial terms. But essentially what they're doing is they're looking at stress testing and under the European Central Bank, there's actually 111 that kind of falls under underneath it. But essentially it's just giving them an idea of how these banks would be able to, first, respond and also react to a potential cybersecurity incident. Now, it was the European Central Bank Supervisory Chief Andrea Enria, who did talk about how they were going to test this through a them- through a thematic stress test.

So why the stress test, all that? Okay, with all the bells and whistles, there's got to be like people running in and out. It's gotta be like a full table top exercise. They're only in the process of now thinking of this scenario and they would all go out to 111, those banks, and say great, this is scenario, please respond to us within the year how you would want react but also respond and also recover. So those are the metrics of it. I don't think there's any more insight into obviously not the scenario, but also what's expected in terms of their reports or the results. But some of that will be interesting to see. And I think more interesting is the timing of it, too. Now, it, it ... They did mention ... [inaudible 00:15:48] did mention that it was based off, you know, what's been happening with, say, Russia and Ukraine, and there's been increase in cyber attacks coming through.

This is a very interesting time. They're like, why now to test, you know, top banks cyber resilience? Obviously the increased number of attacks has something to play with it, but it's been done before this type of stress test, right? Now, we had the Bank of England last year. They also did a voluntary stress test, was like, right, like, who wants to participate? And the Federal Reserve in the US also do it quite often as well. So it'll be interesting to see, like, what comes out of this one.

Dan McDermott: It's really interesting that like you say, sort of a, like a central sort of authority taking that role to try to raise the bar for and the standard for everybody, right as part of the, you know, who they look after. So it's definitely it's interesting that they're taking such a proactive approach to trying to make sure that it is top of mind, that it's there and it is part of, you know, the best practices that are required. As we know, you know how critical cyber is, of course, in sort of financial services.

Garrett O'Hara: Yeah, it's about the accountability, which I mentioned before, right? And, and that's goal, right? You need someone to say, like, "Wait, wait, raise our hand." Like, "We're going to be responsible because they're ..." Obviously, these banks report up to the European Central Bank, so who better than the person at the very top?

Dan McDermott: Seems like there's a theme here, isn't there? Or you let-

Garrett O'Hara: Yeah.

Dan McDermott: You let certain organizations kinda eventually try and get to it themselves, and they don't. But as soon as, yeah, to Vinh's point, when somebody central comes in with a bit of, bit of authority and, you know, more bite than bark yeah, it's amazing how quickly stuff can happen.

Garrett O'Hara: And there's a mutual interest.

Dan McDermott: Right.

Vinh Nguyen: I mean, like Andrea did call that as part of it. It's like one of the big concerns for them is the fact that a lot of the banks are actually outsourcing a lot of their critical IT infrastructure to outside providers, and it could be outside providers outside their own team obviously, but of course be outside providers from other parts of the world too. And more recently it was actually the ION's Markets' breach. So they're a SaaS based company out that UK who essentially help a lot of financial institutions actually do things like transactions and, you know, all of that type of stuff. And they actually got done by a group called Lockbit, which I think we've spoken on the pod before. A Russian kinda criminal gang who's out to kind of get PII and that type of information and kinda sell it on the dark web.

But there's a flowing effect, right? And it gets like at the very top, like that's gives it the most room to kind of flow down and affect everyone else. So it's in their best interest to make sure that, hey, we're all secure, but what's the best way to do it? Let's get a thematic stress test out, see where everyone's at. And from there, you can kinda plan on what's the best next steps to ensure everyone's more secured, a cyber resilient.

Dan McDermott: Indeed. Well, definitely strong steps being taken in the right direction by a lot of sort of these regulators and central sort of providers to really up game for everybody.

Our final deep dive story for this episode is how the BlackLotus malware can bypass important Windows boot functions. Gar, what is BlackLotus? And what's the risk that this poses for organizations?

Garrett O'Hara: Yeah, this is ... So it's an interesting one. I think first signal's around October last year where this thing was getting kinda spooked on the dark web and hacker forums. And it, it basically is interesting because it was sort of not theoretical, but it was mythical [inaudible 00:19:17] as well. Wasn't necessarily confirmed that it was real, I suppose. But pretty much has been confirmed now that it's the first kind of in-the-wild because that's able to bypass the secure boot in UEFI. So that, like, UEFI's the kinda replacement for BIOSes. If anyone remembers building machines back in the day where you'd have to you know, get the BIOS sorted, then plug in all your stuff. Vinh's smiling 'cause he's probably built a bunch of gaming [laughs] machines over the years, I suspect.

But you know, UE's, UEFI's sort of Unified Extensible Firmware Interface is the, you know, full name for that. But it's basically the kind of new rock'n'roll when it comes to the the thing that talks between the hardware and, you know, it's only the operating system, so firmware for devices and all that good stuff. Secure Boot is is like in theory is a way to make sure that the machine ... Well starting in the name, isn't it?

Dan McDermott: [laughs]

Garrett O'Hara: It's se- securely dead. And the marketing team went bananas and that one in the white boarding and then there's [inaudible 00:20:22] [laughs].

Dan McDermott: I- Im- Imagine the options that they went through and just, you know, like, should we just call it Secure Boot?

Vinh Nguyen: That's a good idea.

Garrett O'Hara: Yeah. I woulda ... It's, it's like a ... Wasn't there a movie years ago? It was a little side trail where the, the, this sort of idea was that a guy got really successful in marketing because he basically just used honesty. So like, you know, Volvo, they're boxy, but they're good, you know, it was that [laughs]-

Vinh Nguyen: [laughs]

Garrett O'Hara: ... that sort of stuff.

Vinh Nguyen: It would never catch on, honestly, marketing [inaudible 00:20:51] [laughs].

Garrett O'Hara: Yeah [laughs].

Dan McDermott: [laughs]

Garrett O'Hara: But yeah, look at this, this thing is like, it's basically an industry standard, and as so many of these things do, use this cryptography too in theory, make sure that all the things that a UAC and the machine needs to kind of get booted up and ready to rock and roll is trusted. And, you know, it's, it's fairly standard stuff we can use is signatures as so many of the things that we do and, and use today are based on. So that idea that if you're a trusted signature like a digital signature certificates and, you know, you get a websites. It's sort of the same idea. But as you boot, you can check that the signatures are valid and, and okay, and away you go. So in theory, like, it's, it's a good, good way to approach this. And what you're trying to protect here is kinda ring 0 kernel stuff.

If you guys kinda familiar with that, it's like, it's the, like, the heart of the security in a machine. Like if you get into ring 0 and as you go further at the ... the rings kinda have higher numbers then they're less critical or core to security. So by the time you get into compromising kinda ring 0 stuff, you're ... It's pretty serious. It's a pretty huge vulnerability. And that's what, you know, the interior, that's what this thing is doing. It's getting in at that level and able to bypass the secure boot, you know, to the point where you compromise machine and start to do things like HTTP downloads and, you know, all that, that kinda good stuff. It's, it's a really interesting one. So the CV that it's better vulnerability that it's based on has been patched already. So you can think, "Well, okay, what's ... You know, what's going on here?" You know, it's patched and there's a, a thing called re- revocation list exists in certificates as well for Internet sites.

So the idea being that on a trust chain, as you go from like the top level end if something breaks along the way you can kind of revoke the certificate. And in theory, then if somebody tries to go and use that certificate, the, you know, the machine say ... The computer says no.

Dan McDermott: [inaudible 00:22:57]?

Garrett O'Hara: Yeah. Speak as, "Okay, well, you know, we've got a thing that has been revoked." So the the problem with this stuff is that if you sort of use the rev- revocation list, the potential impact is you kinda brick or make a bunch of machines that, you know, potentially could have otherwise booted, not boot anymore. So it's not as simple as just, you know, publish a list and away you go. It's actually got pretty significant imp- implications. So I think there's been a little bit of ... It's, it's kind of a funny one, you know, the, the fix exists or sort of the patch exists for the vulnerability but it's hard to to kinda use it because of the impact or the potential impact to a bunch of unknown machines that are out there that could be involved in, in potentially critical stuff.

So end result is that, you know, this BlackLotus thing is, is out there. That's actually, you know, the ... The headline is it can potentially be running on, you know, fully up-to-date Windows 11 systems with UEFI that has secure boots. So you've done all the right things and you're potentially still vulnerable because of how this thing is, is is built.

Dan McDermott: And have we seen it turn up anywhere? Has it actually had an impact so far?

Garrett O'Hara: So ESET are the ones doing the kind of, I suppose the, the detailed research. [inaudible 00:24:22] I'm sure [inaudible 00:24:23] familiar with ESET. So like, it's, it's around as far as the actual, you know, sort of this scope or the impact so far. And my ... Honestly don't know the answer to that one, and I haven't actually read anything about that so far. Maybe Vinh has. I'm, I'm not sure. But it, you know, it's sort of in the wild and I think that's the thing. Like if it's out there, yeah, like it's the thing to be worried about. It's just simple as that, really. The ... Like you say, it's been sprayed on the Internet since I think it was last October, but correct me if I'm wrong in that one where the, the folks who sell these things are, like, they're selling it for thousands of dollars and you know, kind of telling you, telling the buyers like what it can do, what it's good for.

And ... But in and of itself, that, that's probably the thing to worry about. If it's been on sale since last year, then you know, you'd assume along the way people somewhere along the way actually kinda bought it and and actually, you know, potentially out there using it. And interestingly, like in theory, it's capable of actually disabling some of the the operating system level security mechanisms that are there. So if people are using things like BitLocker for encrypting their hard drive and things like Windows Defender, then you know in theory you can disable those. So i- it's certainly like a serious one. And then sort of one to be worried about it, I suppose.

You know, [laughs] add it to the long list of things to be worried about when it comes to cyber, but you know, it's definitely out there. And unless you're actually [inaudible 00:25:56] ... Maybe don't worry about it if you're from a subset of the countries that apparently it doesn't proceed with the, a Boot Kit, Boot Kit installation. So if you're in Russia or Ukraine, Belarus, Minya and Romania, there's a few countries where apparently it's sort of it, it doesn't actually proceed with the Boot Kit installation. So maybe those folks can go to, go to sleep at night and not worry so much about this one.

Dan McDermott: Well, very good. Well both our listeners in Armania will sleep well tonight, which is good.

Garrett O'Hara: So we're huge in Armenia, huh?

Dan McDermott: [laughs] I think, I think we have had a play there, but maybe not huge [laughs].

Garrett O'Hara: [laughs]

Dan McDermott: Finally, let's wrap up with a quick review on the latest breaches and vulnerabilities to make the headlines. The first news item is how the Australian National Maritime Museum has been hit by an alleged trusted insider. Vinh, what's happened here?

Vinh Nguyen: I did Google search where the the actual maritime museum was. [inaudible 00:26:54] ever been to one before. It's a whole lot of birds and stuff. But in this particular case as we've seen time and time again a third party IT contract though is working at the Australian National Maritime Museum has been accessing their accounting system and doing a little bit of forensic investigation and done some naughty stuff, where they've gone ahead and, you know, things like change bank account details on the system. They access, I guess, individual and business details to help authorize some transactions through. So they obviously buy some stuff. Not sure if they were Louis Vuitton bags or not then.

Dan McDermott: [laughs]

Vinh Nguyen: But it did amount to a grand total of around $90,000 or what the police have pulled up there. And I will say, going back to my prediction at the very start, it's ... I think it's going to happen. I, I generally think there's gonna be a stage where someone gets enticed and paid enough, where they will actually make a mistake. Now this one wasn't necessarily it, but it's, it's human arrogant, right? People are tempted, right? The fact that they can try and get away with, you know, buying all this stuff with a lot of money. Yeah, it's just ... How, how do we, how do we fix this? I, I don't know, but it's been investigated by the AFP. They've gone through this person's house. They've gone ahead and grabbed all this stuff like laptops and the likes of to get evidence. But yeah, just another instance to show that crime doesn't pay.

Dan McDermott: Indeed [laughs]. And we've spoken many times about, you know, insider threat, right, and, and-

Vinh Nguyen: Mm.

Dan McDermott: ... how difficult it is to to detect and to stop. Right? And so obviously they've done a good job of actually pinning this one down and being able to put a halt to it.

Vinh Nguyen: Mm-hmm.

Dan McDermott: Next is the latest stats from the OAIC, on the number of notifiable data breaches from the second-half of last year. And to no one's surprise, the numbers are on the rise. Gar, just how many breaches were reported?

Garrett O'Hara: So nearly half 1,000 or as a normal human being would say 500. 500 of that reaches [inaudible 00:29:00]-

Dan McDermott: [laughs]

Garrett O'Hara: ... of the last calendar year. What's interesting ... [inaudible 00:29:05] used to the word interesting maybe loosely when it comes to [laughs] the OAIC stuff, but this was released based on a freedom of information request. So it's, it's actually before the, you know, I suppose the official breach report that they do release on a fairly regular basis. And it's interesting, Dan. Like, the ... When we were talking about this in the very start, I was pretty keenly like, you know, opening reports, see what was changing, what was new and it actually felt like it's such a rare, like relatively static in terms of, you know, the types of things that were happening. You know, the numbers were, were not flatlined, but they didn't seem to jiggle around too much. Whereas you know for this one, it's a 26% increase compared to 2020. So like that's not insignificant, I suppose.

But it was ... Yeah, certainly interested to see that ... Yeah, the data, yeah, it's basically a really special [inaudible 00:29:59] rather than you know, the, the sort of normal cadence release that, that happens. And I think it was actually included, sorry, had released with segment data that wasn't traditionally part of the report also. So you could start to see it a bit more of at granular level how specific segments or kind of vertical types we're doing, which I think is also kind of an interesting part of this as well.

Dan McDermott: It's fascinating that somebody's going to the effort of putting in a Freedom of Information request for some, for a report that comes out, you know, shortly anyway. Like, it's a ... I'm not sure like what the intention there was is almost to gazump I guess the the release of the report.

Garrett O'Hara: Yeah, I, I ... Who knows? Who knows what the idea was? And, and I don't know if it was that they were looking for the segment data which isn't traditionally included.

Dan McDermott: Oh.

Garrett O'Hara: So I don't know if the FOI was, was that, and as a result they got the sort of roll up data also. You know, again, yeah, don't, don't actually know.

Dan McDermott: Interesting. Well hopefully, I think this full report will be out shortly as well. So we'll we'll be able to re- review all of the details from the OAIC then. Finally, the Commonwealth Bank of Australia or CBA has been hit by a cyber attack at their Indonesian operations. Then what happened to CBA?

Vinh Nguyen: So the CBA Indonesia subsidiary, PT Bank said no need, like, mass panic. You're CBA bank customer right around... No. So PT Bank so that Indonesia subsidiary was hit by cyber attack has said on Wednesday, I think that was when it was. So there's no impact to any customers in Australia. So deep breath, like we're okay for now. Unless obviously [inaudible 00:31:37] with PT Bank, then yeah, maybe get in touch with them. But it's really understood that the details of about 11, I guess, of their customers might have been accessed by an external intruder. There isn't too much information outside of that. But we do know that the CBA did make an announcement to the ASX saying they're aware of a cyber incident and it relates to unauthorized access of, of software application. They're probably used for project management, and I believe it's, it's a [inaudible 00:32:06]. So the European Central Bank are onto something, right?

Dan McDermott: [laughs]

Vinh Nguyen: Yeah, outsourcing lawyer stuff and you know, your particular supply chain we [inaudible 00:32:15] logo. But you know, it, it's common practice, right, in, especially within financial, within the financial industry that, you know, you have your system segregated based off where you are. So Australia instance is Australia, and everything happens outside that is away from that. So what we have been told is that services will continue to operate as per normal, but just another instance of how supply chain can potentially if it was connected could have resulted into something bigger. So yeah, luckily not many bank and not distance CBA. It's a subsidiary of CBA for now.

Dan McDermott: Very good. Well, like you say, anybody banking in Indonesia with PT Bank just they're getting contact and protect your, your, your data and and your finances.

Vinh Nguyen: I guess, like as part of this as well, like it'll be interesting to see like what comes to ... It's still pretty fresh too, but they're in terms of you know, how that credential got leaked or was it leaked and who accessed that? Was it something wasn't supposed to internally, or was it someone external was meaning harm as well? So it- it's early days, but like I think like transparency, extremely important, talking about things like notifiable data breach and having more insight or learning from the rest of the industry, like, this could be a great learning moment if they choose to share it. But depending on how CBA kind go ahead with this, not sure it falls on the Australian jurisdictions being in, in Indonesia, but yeah, I, I'll keep it close on this one and update everyone accordingly.

Dan McDermott: Terrific. Thank you, and thanks Vinh and Gar for your insights into another big news episode today. Gar, who do you have as our special guest for next week?

Garrett O'Hara: So next week is David Higgins, who was the until fairly recently the CISO for Kiwibank. He's taking a career break. Vinh and myself met David actually over in New Zealand when we're at the Cybertech con and that was written by ChiliSoft. And, and I think, you know, any- anybody in, in New Zealand I think will know David, he's an awesome guy. He gave a phenomenal talk at Cybertech con. And yeah, like I say, right now is kind of leading by example and taking a bit of a break from, from cyber. But we got into a conversation around AI and ChatGPT, obviously, and you know, what that means for cyber, and what it means from the attacker side and also protector side. And, and he's pretty good at kind of getting through to you know what's hype and what's real, so... And really interesting guy go full of energy and full of heart, so definitely want to tune into.

Dan McDermott: Terrific. Yeah. Looking forward to hearing from David next week. And until then, if you'd like to continue exploring key topics in cybersecurity, please jump on to get cyberresilient.com and check out some of the latest articles, including a full wrap up of the news headlines from February with our this month insecurity article and to look into why the answer to cyber talent shortage could be staring CISOs right in the face. Thanks for listening, and until next time, stay safe.

Editor, Get Cyber Resilient

Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.

Stay safe and secure with latest information and news on threats.
User Name
Daniel McDermott