1

Speed of change – 90 days = 1 internet year Time to discover large sale serious data breach average 200+ days Legacy software / hardware and architectural solutions common SHA1 depreciated Dec 2011 / in mainstream browsers until 2017 1Bn smart devices sold last year – business moving to mobile Cyber Crime Deep Web markets – Crime as Service Ransomware – CryptoLocker V4.0 Buy Malware exploit kit for Android US$1000 + $300 support Identities sell for as little as US$5 Botnet / DDoS for hire on a hourly/daily rate at scale APT – tailor made and or traded - attack and exfiltration vectors

FBI aware of 60 hacker groups linked to state actors

2

3

JP Morgan Chase Attack started in April, noticed in July, fully

reported and evaluated October – 2014 Bank – US$2.63 Tn across business under

management US$250M p.a spend on IT Security Entry point - 1 server, missed in update program 83 million customer accounts/records stolen Did not appear to leave any signs of entry

4

Australian/s is a prime target! Not materially affected by GFC Seen as an open and fair society Small number of primary commercial institutions ▪ 4 big banks / 2 telco’s / Australia Post

Approaching AUD$ 2 Tn in superannuation No mandatory disclosure laws

5

Australia 2017 Scenario What would that scale of cyber enabled attack on

civil infrastructure / population look like now? How would we measure & qualify that decision

point. What tools/metrics/people provide insights? Decision Making Needs Impact of coordinated amplified Social Media

attack / misinformation / Rumour/ Trolls – Psy Ops relating to banks / logistics / infrastructure and public perception? 6

7

8

9