Sunday 10 December 2017

Making resolutions - and keeping them

 

By Chief Editor and Blog Manager- Amanda-Jane Turner

I am stunned that we are already at the end of 2017! I know this will echo what many of you are already thinking but where did the year go?

As a year ends and another starts it is quite common for people to make resolutions. Sometimes they resolve to lose weight, get fit, stop smoking, pay off debt... endless lists!

According to Statistic Brain however only 9.2% of people succeed in their resolutions and, Business Insider stated that 80% of new year resolutions fail by February of that year!

So how do we make positive improvement resolutions  that we can keep?

Towards the end of the year I like reflect to on the year that was as I prepare for the year to be. So tonight, I am sitting in our lounge room with a cup of tea, thinking of the year and my goals and what I have achieved and learned. In January this year I made goals, not stereotypical hope for the best type resolutions – like stop eating chocolate (as if!) or other vague and unrealistic notions - but real goals that I had definite plans to work on to achieve. This year one of my goals was to become a Justice of the Peace (Qual) Qld.

Goal

Targets are more likely to be achieved if the steps towards them are both realistic and feasible, so as I work full time it was important for me to find a Justice of the Peace course that was offered online as I do not have the time to go to a physical training venue. Additionally, knowing that I would need to study, pass an exam and go through checks before I could be registered as a JP I made my target due date for this goal to be by December 2017. This made the goal more realistic as it allowed for the time needed to achieve it.

To become a JP (qual) in Queensland, I started by researching authorised training providers, looked for online options for both the course work and the assessment and ensured that I saved money to pay for the course and the registration. After researching course options I decided on one and saved up to pay for it. I aimed to enrol by July to ensure that I would meet my deadline of December to be registered!  In July I completed the online training and assessment. The process to become a JP includes police record check, referees, being sworn in/affirmed by a Magistrate and registration. By September all this was completed, and I became a JP!

Learnings

When making your plans for 2018, reconsider the standard resolutions that are often made while in party mode and are so vague they never stand a chance of being achieved, and think of two to three main things you wish to do or achieve in the year and make reachable plans on how to bring these into fruition. There is no guarantee that your goals will be achieved in the year, but at least this way you are working towards actual realistic outcomes with tangible steps.

What are your reflections of your resolutions or goals you made in January 2017? Have you achieved these goals/stuck to these resolutions? If yes, what did you do to ensure success? If not, what can you improve on next year to help your success?


(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.

Friday 17 November 2017

Dummies Guide to Bossing Men Around !

 

by Sheena Downey - one of the AWSN Brisbane Chapter Leadership Team
The IT world has, to date, been hugely dominated by men, from the likes of Steve Jobs, Woz and Bill Gates to the modern, young, stereo-typical hairy, girl-shy developers hiding away in mum’s basement, hacking into government secure servers trying to uncover who really shot JR.

Whilst there has been any number of strong successful women beating down the doors and breaking through the glass ceilings, many more women have simply walked away and found other careers, different directions or alternate industries.

We’ve been advised to dress and act like men in order to fit in and succeed.  Then been accused of being aggressive and bossy.    We’ve been advised to use our “womanly wiles” then accused of dressing inappropriately or worse !
I was accused of being “scary” after an argument with a junior team member repeatedly failed to do his job whilst he was blameless.

But, throughout my career, I have done 1 thing, and 1 thing only

I have been me !!!!


If I was “scary” when I argued with my team member, at least he actually did his job after our conversation.

I wear trouser suits – I like trousers,  I’ve even been known to wear cufflinks – they’re pretty and a little bit “different” – I like that too !   I swear – a lot and have long, painted nails  - And I look after the people in my care, my team, my customers, my stakeholders.

So, if you want to succeed in a man’s world -   Be yourself, it’s the best thing you can be !



 This post has been written by Sheena Downey
An 18 year old rebel trapped in a significantly older body, Sheena has been a PPM professional for almost 20 years and has a passion for all things Business Continuity Management focussed. Ex-RAF, working mother and specialising in IT, Sheena has made a career out of telling men what to do and holding them accountable when they don’t do it.

(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.

Friday 10 November 2017

Simple use of Twitter to access world class malware advice

___________  by Mary-Jane Phillips___________________

I had just finished a course on ransomware when Wanna Cry hit. This ransomware was not typical in the way it was delivered, so I spent time reading media articles and tweets about the 'outbreak'. Experts on Twitter led me to Malware Tech's botnet tracker which sadly, is not currently available.  At the time, I was able to see the map of Wanna Cry infections over time.  (Including in Australia).  https://www.malwaretech.com/
I also saw the famous tweet from Marcus Hutchins of Malware Tech about the Wanna Cry 'kill switch' domain name being registered.  Mass media was much slower to report information than Twitter and was often incorrect.  So Twitter has become my source of information on rapidly spreading, malware. 
Now, I use malware events on Twitter to fine tune my feed of malware information.  This is the simple process. 
  • Find the relevant trending hash tags on Twitter.  E.g. #wannacry #wannacrypt or #expeta #expetya #notpetya or #bad rabbit #badrabbit ransomware
  • Scan through the tweets to see which ones get a large number of likes, re-tweets or comments (or are liked by experts).
  • Critically assess the tweets (E.g. Large numbers of comments can mean it is controversial).
  • Follow people that give you valuable information on the level of risk, prevention methods, short and long term fixes. (or whatever you are looking for in particular)
  • Think hard before clicking a link.  During an incident, a certain percentage of malicious links will appear.  People who care about the security of society will communicate as much information as possible within the tweet and not just have a hook for you to click.
  • Expand and refine your list with every malware incident. 
  • Identify your favourites.  (You will see who collaborates and who is marketing). 

I particularly like Hasherezade on reverse malware engineering.  She is scientific and has a great network of people she calls on for rapid help. https://twitter.com/hasherezade 
With a relatively small amount of work over time, Twitter gives you fast access to a diverse range of experts on malware risk, as well as short and long term fixes. The method  would probably work for most areas in cybersecurity but it works particularly well for malware due to the speed of communication and collaboration required in the community.
Have a look to see the reverse malware experts I follow. This is the link to my Twitter profile. And please connect with me on LinkedIn.  I look forward to meeting you all. 
Have a great day.
Mary-Jane Phillips

Mary-Jane Phillips BSc GDip Eng MBA

Mary-Jane began her career in scientific equipment sales, then moved into environmental management and assisted with ISO14001certifications.  Mary-Jane is currently working on her micromasters in cybersecurity at Rochester Institute of Technology, and CISSP associate certification. Mary-Jane is highly skilled with risk and compliance management systems and is actively looking for a cyber security role in Brisbane, part time in 2018 and full time in 2019.



(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.

Friday 3 November 2017

Cyber Security Risk Management in Context


by Robyn Bailey
_____________________________________________

A good cyber security program requires good management of risk, usually in accordance with Risk Management Standard ISO31000, although there’s almost always one critical step that is overlooked.

Setting the context of a risk assessment is the first and one of the most important steps – if all participants of the assessment are not working and analyzing at the same context then there is bound to be a mismatch and incorrect risk ratings assigned. This can lead to over-application of controls (and a lack of return on security investment leading to reputational issues for the cyber security specialists) or under application.

The following diagram represents the multi layered approach to cyber security risk management and examples of key stakeholders for input to a risk assessment within each context.   

Each layer should then be further broken down into vulnerabilities and threats.

An example I often use to explain these layers and contextual awareness (or lack of) is the identification of a vulnerability in a browser on a server by an operational staff member. Whilst industry vulnerability ratings (eg http://cve.mitre.org/) may identify the vulnerability as High, the threat may be low (no or minimal human threat actors as there is very minimal use of the browser) therefore the risk, even at the Operational context, is not High. Once we “roll-up” the risk to the layer layers, this particular risk should get consumed within more important business cyber risks – the CEO and Audit and Risk are not concerned with one vulnerability on a server. 

Delving deeper into individual risks, as a risk practitioner of many years, I often see a lack of contextual alignment in the likelihood and impact. For instance, using a basic risk of Weather event causes data centre outage, we can assume that a weather event may be Possible and a data centre outage could have a Severe impact when the factors of the risk are treated separately – perhaps giving a Very High risk rating. However, when the full context of the risk is documented – for example, Weather event causes data centre outage beyond 3 days, we can see that the likelihood is probably Rare, the Impact remains as Severe, giving a Medium risk rating (depending on your risk matrix of course).







Robyn has worked as a technologist and strategist in the cyber security industry for over 20 years. She established the first Australasian Chapter of the Information Systems Security Association (ISSA) around the year 2000, and bought the first CISSP exam to Australia in 2002. She has worked for Business Aspect for the past 10 years as a Principal Consultant and she also leads their Security Testing team. A quiet achiever, Robyn constantly challenges the status quo through analyzing and asking the right questions.   Largely self-educated, she has a passion for learning about technology and has extensive technology knowledge including communications, app dev, databases, cloud and integration platforms. In her “spare” time, Robyn is a mother of two teenage boys and a pre-teen girl and also volunteers for code.org (teaching coding to teachers and students in Primary schools); Mensa (co-ordinating events for, and teaching technology and cyber security skills to gifted children); CSIRO STEM Professionals in Schools (explaining Comp Sci to teachers); Tech Girls are Superheroes; and various other non-profit organisations.  Robyn’s experience of 25 years as a female technologist drives her to especially provide support to other analytical girls and women with outstanding capacity to succeed as a technologist.

(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.

Monday 30 October 2017

On Writing

By Kristine Sihto


“Once upon a time, there was a girl. That girl dreamed of being a writer…”

I have always liked words. As a child, I had a stammer. Not enough for my parents to ever worry, but enough for me to hear my own voice and feel constantly ashamed. It was different when I wrote. On paper, there was no hesitation. No repeated consonants at the beginning of a word, no grasping for words that would never come to my lips – I could be eloquent and graceful and smart on the page.

When I was introduced to poetry in high school, I flourished. Adding deliberate structure into those words was like a dance. I could craft my words to mimic the ebbs and flows of water or the crackling flames of fire, use sibilance to sigh the wind’s whispers or rhythm to push the beat of a heart. I knew that I wanted to write. There was never an inkling that I would become a technical writer, however. Facts, I thought, were dull and dry; I wanted to be Tolkien or Blyton. I wanted to be Blake or Wright or Cummings. I wanted to fill the world with rhythm and language that would turn the head and speak to the heart.

It turns out that writing is hard without motivation. It takes effort and commitment to get up and write thousands of words a day with no solid incentive.
The drive that I maintained as a teen to write every day was slowly eroded by rejection letters and competing priorities, like dishwashing and children and television. The works-in-progress piled up as new ideas were born before the old ones had reached completion, and suddenly I was in my 40s and still dreaming that someday I would be a writer.
My break back into writing was a series of lucky events. A chance conversation put me into a professional editing role, and a few years later, another chance conversation found me in a technical writer’s position, in an industry I’d never considered before. That industry is Information Security.
Older eyes see that while there is a hazy, elusive value in the work that I dreamed of in my younger days, being able to explain facts on paper has solid worth. We communicate in written words: in policy, in reports, in emails, over the Internet. Clarity is essential.
I used to say that I could write anything I could understand. My role as a technical writer has forced me to revisit that idea. I research as I write, and often, as I am writing about something, I am learning it for the first time. It is poetry again, fitting concepts that are new to me into the structure of sentences, identifying the nouns and verbs and adjectives and making them flow in meaningful ways. I now see that I can understand anything that I can write. I no longer need to feel I can speak to the heart, so long as the head hears me.
 


About the author - Kristine Sihto has been writing intermittently over the past three decades. Most recently, she has found joy in technical writing for Alcorn Security Group. Kristine has plans to self-publish a book of poetry in 2018


(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.

Tuesday 10 October 2017

Bridging the gap between uni and industry - AWSN Cadets

_____________________________________________________________________________
By Jacqui Loustau, Founder and one of the Directors of the Australian Women in Security Network
________________________________________________________________________________

I remember when I was at school, I always questioned why I was learning certain subjects (typical teenager I guess..!). Why we had to study maths, why I had to learn french. I didn't understand the importance as I couldn't apply it to real life situations. When I started uni, studying the Bachelor of Information Systems, I was lucky enough to also work part time at Australia Post in their helpdesk. It was then that I started to understand the point of all this learning.

Having a curiosity for technology is one thing, but to understand why you need to know something can enhance your learning considerably. Being able to apply and understand how things operate and work can be a great advantage before entering the workforce. 

Being in a male dominated field can sometimes make it intimating for some females to fit in and can make some of us shy away from asking questions in the fear that we will be judged. 

The importance of role models and finding great mentors is vital. To see someone working in an area and to understand what their everyday job entails can help shape where you want to go in the future. 

The AWSN Cadets brings together female students from different universities interested pursuing a career in the information security space.
It provides a safe environment to:
- meet others with similar interests and challenges
-  facilitate networking opportunities to help apply study into real life and relevant industry contexts
- practice hands-on technical skills
- helps broaden perspective and provides real insights into what it’s like to work in cyber security

- connect with industry
- build confidence

We are about to complete our first AWSN Cadets pilot programme - 5 technical workshops on the basics of malware reverse engineering. Our first mentor Noushin Shabab has been teaching us the difference between static and dynamic analysis, the tools analysts would use in order to understand and dissect what malware does. These have been very interesting sessions, and have helped these students understand why file types, address of entry points and size of code matter! 

To get this rare insight to what a malware reverse engineer does in her every day job is fascinating. I wish I had known this years ago, my life may have taken a different path! 
We are thankful for Noushin and our future mentors for the time they are giving in order to pass their knowledge onto to us.

The last session will have various companies come and present on what they do as a malware reverse engineer at their company. This helps provide different perspectives on what this type of job entails.

The group of maximum of 10, meets every fortnight and each topic runs for approx. 5 weeks after hours.Future topics currently lined up are penetration testing, blue teaming and digital forensics.The initiative is run and supported by Kaspersky labs, ANZ, Telstra and PWC.

We will be opening future places over the next few months. Places are strictly limited and selective due to the nature of what is being taught. If you are interested in participating, finding out more information or becoming a mentor, then please contact our AWSN cadet leaders Elizabeth Bonny and Diane Loi at:



Testimony from an AWSN Cadet:


The AWSN Cadets technical workshops with Noushin Shabab have been a rare and valuable opportunity for me to expand my info sec horizons! I have experienced a completely different side of the information security industry - malware reverse engineering - that I may not have otherwise had exposure to as a university student. The small class size of 10 students also means that you really get to know both your peers and the industry mentor well. I feel like I've formed some great friendships as a consequence.  
Thoroughly recommend AWSN Cadets and their workshops for their content, networking opportunities, and support - you'd be hard pressed to find opportunities like this anywhere else for tertiary female students interested in all things information security!" 


(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.

Monday 9 October 2017

Stay Smart Online Week 9 - 13 October 2017 #SSOW17

The Australian Women in Security Network (AWSN) encourages everyone to be diligent with their safety and security online. Stay Smart Online, an initiative of the Australian Government, provides information on how to be safer online and has an alerts service as well as a national awareness week to promote more secure online practices. The 9 to 13 October 2017 is Stay Smart Online Week #SSOW17 and AWSN is pleased to share the tips to stay smart online,
  

Your personal and financial information — like your address,
birthday or telephone number — can be used by cyber
criminals, so limit the personal information you share online.
   
¨    Check the privacy settings on your social media accounts and apps to control the amount and type of information you want to share.
¨    Use a separate email address for shopping, discussion groups and newsletters.

¨    Only share your primary email address with people you know.

For more information check out Protect yourself at www.staysmartonline.gov.au




 This post has been created by Amanda-Jane Turner on behalf of AWSN. 

(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.

Monday 2 October 2017

AWSN Announcement: AWSN Brisbane chapter

AWSN is organically evolving to continue to connect, support, collaborate and inspire and we appreciate all support past, present and future. Today we announce a change in the Brisbane Chapter Lead, and give thanks to those who have been instrumental in getting AWSN started in Brisbane.


Thanks to Sheena Downey PMP and Sarah Hufnagel for organising the last brissy meet up and giving the AWSN Brisbane chapter a great start! Also thanks to Jodie Siganto  for the first AWSN Brisbane meeting last year.

We are pleased to announce that Amanda-Jane Turner (Mandy) will now be leading the Brisbane chapter with support from both Sheena and Sarah.


If you are in Brisbane and are keen to join, Mandy has lots of great ideas and an amazing passion for our cause. Please reach out to her if you want to be involved. 



(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.

Saturday 30 September 2017

AWSN Announcement: AWSN national events manager




We would like to thank Claire Pales (Fulford) for the terrific work she has done as the AWSN national events manager for the past year. Everyone has appreciated her passion, professionalism, her insightful blogs and her amazing ability to organise events nationwide. 
Claire will be concentrating on some very exciting projects. 
and will be handing over the AWSN events manager role to Heide Young from October 2017. 
Please join us in thanking Claire for the time she has dedicated to our cause and please help support Heide in her new role at AWSN.
- Jacqui Laustou, AWSN Founder 

(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.

Sunday 17 September 2017

Diversity - harness the differences to work together and achieve greatness

________________________________________________________________________________
By Amanda-Jane Turner - Chief Editor and Manager of the AWSN official blog
________________________________________________________________________________


“I can do things you cannot, you can do things I cannot; together we can do great things.”-  Mother Theresa
I passionately believe in a diverse workforce and community to embrace all types of people with all sorts of education, personality, gender, race and culture to make the world better. Harnessing a diverse workforce gives access to skills, innovation and networks that otherwise may not be open to us; a diverse group together can achieve great things. 


Without diversity, workplaces and communities have the same types of people in the same types of roles doing the same things, with no new ideas, skills or positive disruption to encourage a change for the better.

Without diversity our ideas are never challenged, we will not learn and grow, we will stagnate and lose innovation.



I firmly believe that diversity is much more than gender, it is personality, beliefs, culture, race, education, ability and disability, background and preferences - it is acceptance and embracing of differences that can be harnessed to improve our work and our world.  What can we do to make diversity accepted and disrupt the stereotypes?


 This post has been created by A. Turner

(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.

Thursday 13 July 2017

The need for cyber security role models globally


________________________________________________________________________________
By Claire Fulford
________________________________________________________________________________


“If I have seen further it is by standing on the shoulders of giants.” — Isaac Newton

Earlier this year, members of the Australian Women in Security Network (AWSN) along with industry peers, participated in a Prime Minister and Cabinet (PM&C) event focused on women in cyber.  PM&C invited participants to respond to several questions, to understand and address the causes of low participation by women in cyber security careers. This was a key action outlined in Australia’s Cyber Security Strategy, under the theme of A Cyber Smart Nation.

During the event, questions were discussed in roundtable settings followed by panel discussions to bring key points to the larger group.

The first question asked was ‘What are the barriers to women choosing cyber security careers?  What can be done to address these barriers?’ One of the key outtakes was that “both within the industry and externally, role models and mentors were a significant factor for participants pursuing a career in cyber security. These role models or mentors were not always female, some participants described males who had encouraged and supported them in their endeavours. Importantly, participants noted that role models could be anyone in their lives, from parents, to friends, to management staff, to people they had never met”.

Interestingly, ISACA’s (Information Systems Audit and Control Association) 2017 Global Survey of Women in Tech asked a similar question regarding to barriers for women in technology in general.  Almost half of participants raised a lack of mentors and role models as the top two barriers to entry. 

Finally, the 2017 Global Information Security Workforce Study: Women in Cybersecurity – sponsored by (ISC)2 and Booz Allen Hamilton had 19,641 respondents from 170 countries, likely making it the largest study of its kind ever conducted.   The study indicated that 61% of women surveyed reported job satisfaction and more likelihood to succeed in their careers when mentoring, training, sponsorship and leadership programs were available.

The correlation between how women feel about their role in the industry and the offering of mentorship and support is clear across the globe.

In August, the Australian Women in Security Network will host a panel discussion at the Gartner Security & Risk Summit.  The panel will compromise of male and female AWSN members providing their feedback on their roles as mentors and role models in the industry and the impact of great mentoring relationships. When landing on a panel topic, we saw the PM&C commentary about the need for mentors and role models as a key outcome – and one that should be talked about more broadly.

With many incredible leaders in the industry, and some emerging talent to be harnessed, the AWSN is always encouraging mentoring conversations and highlighting the great work of some of Australia’s cyber security role models.  If you are having trouble finding a mentor, please reach out here, join us at Gartner in Sydney on 22 August or alternatively, let us know how mentors have made an impact in your career?




(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.