A partner's guide to weeding out Australia’s “warmware” risks

Why “warmware” risks are on Prime Minister Malcolm Turnbull’s national security radar, and what local partners can do about it
Australian Prime Minister, Malcolm Turnbull

Australia’s Prime Minister, Malcolm Turnbull, has warned that vulnerabilities stemming from “warmware” are among the top contenders for potential weaknesses in Australia’s national cyber security posture.

“You can have flaws in the hardware that provide vulnerabilities, flaws in the software, and - as I often say - the biggest vulnerability is often the 'warmware'; the humans making mistakes, or, indeed, taking information as, say, Edward Snowden did, in a criminal fashion,” Turnbull told journalists on 24 January.

“The most important thing is to be aware and to practice good cyber hygiene,” he said. “What they [organisations] need is better practices. Generally, as I said, most of these vulnerabilities are a consequence of the 'warmware', the humans failing to protect themselves…opening an attachment to an email that contains phishing malware for example, something of that kind.

“Everyone – most people – are aware of it, but not sufficiently aware. You need to be alert as well,” he said.

Turnbull’s comments were made following a briefing with the Australian Signals Directorate (ASD) – the government intelligence agency tasked with keeping an eye on Australia’s telecommunications, electronic data networks, and external radio monitoring activity – and arrived via the prism of national security.

“Now, as you know, there has been evidence of Russian efforts to influence the recent American election. This is acknowledged now on all sides,” Turnbull said.

At the same time, he conceded that he was “not aware of evidence in recent times that a foreign country has sought to influence an Australian election in the way that has been described in the United States”.

Yet, this didn’t stop Turnbull from talking up the need for both public and private entities to take strides in their efforts to protect themselves against such cyber threats.

“You can pretend these threats are not there, if you like, but that will only make you susceptible to being taken in by them,” he said. “Alertness, awareness is absolutely critical. We have the means to mitigate the risk. You can't eliminate it completely but it is very important to take those steps to do so.

“It is more important than ever, and just as you’ve seen with our Cyber Security Strategy, the appointment of a Cyber Security Adviser, with the efforts we are taking to protect Australians online, to ensure that our critical infrastructure is safe from cyber-attack.

“This is the new frontier of warfare. It’s the new frontier of espionage. It’s the new frontier of many threats to Australian families, to governments, to businesses,” he said.

The Missing Link's Aaron Bailey

According to Aaron Bailey, security director at The Missing Link, Turnbull’s “warmware” warning highlights a genuine and continuing source of cyber weakness for private companies and government entities in Australia alike.

“Something like 80 to 90 per cent of all breaches start with an email to a human,” Bailey told ARN. “A large chunk of initial infections come from a dodgy email sent to a human, and somebody clicks on that link, or opens a zip file or an attachment or whatever it is.”

While latent human error, and the deliberate social engineering that accentuates it, remains perhaps the number one external influence behind network vulnerabilities among public sector agencies and private sector enterprises, there is a growing number of ways to combat the potential threats.

“You can’t patch a human, but you can teach a human,” Bailey said.

Bailey, who has a history of doing security work for some of Australia's largest banks and other enterprises, notes that many government agencies and large private businesses would generally have some level of internal cyber threat reduction training in place, to help employees be more aware of the potential threats arising from social engineering exploits.

"Staff security awareness training is part of the ISO 27000 standard, which relates to government and corporate," he said.

For those that do not have their own internal programs in place, however, local IT providers with some level of security specialisation and the appropriate certification, such as The Missing Link, are in a position to step in and help public and private organisations to identify their weaknesses and take measures to protect themselves.

“Some of the consulting services we offer are social engineering,” Bailey said. “And the sole purpose around that is that, rather than scan a network and break a machine, you break a human, basically.

“That social engineering can be in the form of phishing, sending fake emails, and even in the form of simply calling up and saying, ‘hi, I’m in the IT department, can I change your password?’ or just gaining information like date of birth.

“You really only need someone’s full name, date of birth, and an address to wreak havoc with their identity in most cases,” he said.

Certainly, the education and awareness approach to reducing potential threats rates high on Turnbull’s list of what the nation needs to do in order to protect itself from malicious attacks on Australian companies and government agencies.

“We need to be aware of the threats and how to mitigate them and protect against them,” Turnbull said. “Awareness is the absolutely most important first step. A lot of the vulnerabilities, as you will have seen, are because people do not follow good cyber practice.

“They open attachments from sources they are not familiar with. They're not sufficiently careful in the way they manage their passwords. They don't, for example, use two-factor authentication with cloud-based application and so forth.

“So it is very important to be aware - the vulnerabilities are always there - if people are not. It is also critical that we maintain the integrity of our political process,” he said.