Posts by: Julia Wailes-Fairbairn
Incident Response & Forensic Expertise Webinar – Would your business survive a cyber-attack or security breach?
As organisations endeavour to be as proactive as possible to protect themselves from a cyber attack or security incident, do you have access to the correct expertise to respond efficiently, limit the impact and minimise disruption if you were to suffer a breach?
Watch this recording of the informative webinar where Alan Batey, Head of the SRM forensic team, takes you through:
- What is a retained Incident and Forensic response service?
- Why do organisations need it?
- What is the impact of not having it?
- Why is there such a market appetite for this service in the current climate?
- Followed by a Q&A
To view, click this link.
Wondering where DPA and GDPR overlap? The Yahoo! ruling by ICO can provide some clarity
A recent investigation by the Information Commissioner’s Office (ICO) highlights an interesting aspect of the current system. Although the ruling against Yahoo! was announced on 12th June 2018, three weeks after the enactment of the General Data Protection Regulation (GDPR), the incident was considered under the Data Protection Act 1998. This is because the breach actually occurred in November 2014, although it was not publicly disclosed until September 2016, almost two years after the attack compromising 515,121 accounts had taken place. Investigated under the DPA, the fine was a modest £250,000. Naturally this would have been significantly larger had it been judged under GDPR.
However, this does not mean that today’s organisations can take their foot off the gas. Although the Yahoo! investigation was conducted under the DPA, the ICO still expects to see adherence to GDPR going forward.
This isn’t ‘new’ news to the SRM team. We had anticipated the issue and had submitted this question to the ICO months ago:
If a breach occurred before 25th May but is not discovered until after GDPR becomes effective, will the breach be considered under the DPA 1998 (when it occurred) or under GDPR (when it was discovered)?
We received this reply from the ICO:
It is likely in this instance that the breach would be assessed under the DPA, the legislation in force at the time of the breach. However, we would expect the processing of information at the time the breach was discovered to be GDPR compliant. Therefore any lessons learned or actions taken as a result of the breach would need to be in line with the GDPR.
So what does this mean in simpler terms? It means that from 25th May 2018 every aspect of an organisation’s networks and infrastructure is required to be managed in line with the requirements of GDPR. This applies even if the actual breach is judged under the rules of the old Data Protection Act (1998).
The most important point is that a notifiable breach must be reported to the ICO without undue delay, but no later than 72 hours after becoming aware of it. So even if a breach actually occurred prior to 25th May, as soon as the breach is discovered, the new 3 day reporting timescale must be adhered to. The organisation’s systems will then be scrutinised through the prism of GDPR.
Should it not be possible to obtain all of the necessary information within 72 hours, the required information can be provided in phases, as long as the investigation is conducted as a priority. The breach still needs to be reported to the ICO when the organisation becomes aware of it, and the organisation must submit any further information at the earliest opportunity.
Having a Retained Forensics engagement in place makes the whole process significantly more efficient. Not only will the retained forensic team have a detailed knowledge of an organisation’s systems and networks, they will have helped to set up breach notification protocols and mitigation strategies, all of which will already be in line with the requirements of GDPR.
For more information on GDPR see our website.
To find out more about Retained Forensics, register for SRM’s free webinar: Incident Response & Forensic Expertise: would your business survive a cyber-attack or security breach?
Or read our blog:
The GDPR compliance fallacy
The key to GDPR is common sense
The GDPR compliance fallacy
There is a curious irony that the enactment of the General Data Protection Regulation (GDPR), drawn up to protect the rights of individuals and their right to online privacy, has brought about an unprecedented torrent of spam. In the fortnight leading up to 25th May, inboxes were filled with emails asking people to opt in to mailing lists, supposedly so that the organisation in question could comply with the requirements of GDPR. There are two fallacies to be addressed here.
Firstly, although individuals should be given the option to be removed from any mailing list, if they have willingly provided their contact details to the organisation and that organisation has maintained a record of the data collected, with the data subject being informed about what the data would be used for and for how long it would be kept, their consent may be considered to be implicit. In these circumstances new explicit consent is not required.
Secondly, although the principles of GDPR are enshrined in UK law and failure to adhere to them can lead to significant fines, there is currently no concrete GDPR compliance process. It is expected that a GDPR compliance standard will be drawn up in the near future, but for now, organisations can use the organisational governance requirements provided by the Payment Card Industry Data Security Standard (PCI DSS) or ISO 27001 to provide a helpful framework. It is then the responsibility of the organisation’s Data Protection Officer (DPO) or Chief Information Security Officer (CISO) to ensure that the additional requirements of GDPR are included in their systems. These are just two of many fallacies surrounding the GDPR.
Having detailed information security policies and procedures is an important step, but on their own will not ensure that the requirements of GDPR are satisfied. Plans and policies simply demonstrate management intent and will be ineffective in satisfying the requirements of GDPR unless clear guidelines are provided in an easily understood format, to the grass roots of an organisation. Many businesses would do well to use some of the energy expended in communicating with their customers on ensuring a good channel of communication around GDPR with their employees.
It is important to remember that GDPR should not be seen as a burden but rather a positive force for change, focusing attention on implementing better processes for how we collect, store and manage data and thereby enhancing and building better customer relationships.
Professional expert guidance will assist in streamlining this process. SRM’s GDPR team provides a business-focused service to organisations of all types and size at all ends of the GDPR-readiness spectrum. We have operated in this arena for many years and our GDPR consultants have undertaken GCHQ certified training. We can also take on the full CISO or DPO role if required.
To gauge your level of GDPR readiness, see our step by step self-assessment guide.
See our GDPR web page.
Or visit our blog:
The key to GDPR is common sense
How PCI compliance puts you on course for GDPR
The A to E of cyber maturity
In a recent report, the Philippine government’s Department of Information and Communications Technology (created in 2016) outlined a scale of cyber resilience based on an A to E grading system. With ‘A’ being the most robust in terms of cyber security maturity and ‘E’ being the weakest, it put the Philippines in class D. The reasoning behind this grade stems from the fact that they are reactive to attack using only the available tools and technologies. They do not proactively seek out vulnerabilities and exploit them to ascertain the extent of a weakness. Nor do they deploy cutting edge strategies or prepare for the process of remediation to address the issues ahead of time.
This reactive approach is not limited to the Philippines. Far from it. In fact, these same principles can be applied to a frightening number of organisations across the globe. Those who simply react are always behind the curve, attempting to patch and mediate the impact of attacks on an ad hoc basis. An immature organisation focuses simply on prevention and regulatory compliance but with limited co-ordination, using basic technology and simple configurations.
In contrast, those with cyber maturity demonstrate their vigilance by employing a proactive strategy rather than simply waiting for a breach to occur. So what are the characteristics of cyber maturity?
- To begin with, in a mature organisation, cyber security is not seen as something that should be done, but is already embedded within the fabric and culture.
- Information and cyber security is not the responsibility of an overstretched CISO, who reports only to the head of the IT department. It is in the hands of a CISO who is well resourced, supported and who exerts confident influence at board level.
- Information security policy and testing are documented and have a formal structure, using automated tools to scan systems and web applications regularly so that vulnerabilities are identified proactively.
- A mature organisation has built-in enterprise security technology architecture and strict focus on incident prevention, detection and response; regularly undertaking advanced and manual penetration testing to uncover weaknesses in the ever-changing scope.
- Business Continuity and Disaster Recovery Planning are integral to a mature organisation, together with the associated training across all staff, not just those within an IT or infosec department.
Our recent blog post on the topic of the NHS’ response to WannaCry highlights a ‘work in progress’ but certainly an admirable move towards cyber security maturity. Their plans centre around Test and Exercise methods, and are inclusive of annual Red Team Engagements to push their plans to the limits and ensure complete peace of mind.
SRM’s Test and Exercise (T & E) team works with all sizes and types of organisation to achieve cyber maturity. With wide experience in other areas of information security consultancy, the T & E programme is not conducted in isolation but within the wider context of a client’s business activity. Every project is bespoke and our team includes consultants who are CREST ethical security testers as well as those with the Offensive Security Certified Professional (OSCP) qualification. Additionally, we often work with CISOs and organisations to develop and implement proactive, robust and innovative T & E plans.
For more information on our T & E team, visit our website.
See a recording of our webinar: Incident Response & Forensic Expertise – would your business survive a cyber attack or security breach?
Or see our blog:
What we can all learn from the NHS response to WannaCry
Three stages to building a robust defence against external threats
Cyber resilience: it’s a board level issue
eDisclosure: some real life examples of the benefits of a Managed Service
eDisclosure (sometimes known as eDiscovery) is a complex process. With automated tools available some opt to manage these in-house but, unless highly skilled and experienced personnel are involved in the process, there is no guarantee that these tools will be used to their maximum effect or that mistakes will not be made. Given that the ultimate goal is court acceptance, many firms opt to work in partnership with an expert eDisclosure Managed Service provider.
SRM’s forensic team, established in 2002, is drawn from law enforcement, government agencies and the military, with over 60 years’ combined experience. The team has delivered thousands of cases supporting law firms, government agencies and commercial organisations in the accurate production of case papers and reports to be tendered in court. The following case studies show, in brief, the added value we bring to real-life eDisclosure cases.
FTSE 250 Company vs Local Authority
This case, involving a FTSE 250 company and a local authority, related to the forensic collection of over 150GB of data. This data included the email accounts of 15 custodians and their shared work space folders on the server.
- The forensic collection was carried out by trained, experienced forensic investigators which ensured the data was collected in its original state and the integrity of the data maintained.
- Once collected, the data was processed using the Relativity eDiscovery platform which allows the analysis and review of the data by secure access.
- When processed on the platform, the data is automatically searched for duplicate documents, which are highlighted and removed from the data set. In this case we were left with over 460,000 documents for review.
- Further reduction of the data set was achieved firstly by email threading, which removes emails that form part of a thread and retains only those that are unique. Secondly, agreed keyword searches were run across the data and only documents containing a keyword hit remained in the data set.
- The final number of documents for review was just under 260,000, nearly a 50% reduction which saved the reviewing lawyers considerable time when it came to the review of the documents.
Two large companies in the service industries
A litigation between 2 large companies in the service industries involved the collection of data which was in excess of 1.2TB. What made this eDiscovery task more complex was the format of the data. The usual email server was captured as well as 8 laptop computers and 2 mobile phones.
- The total volume of data captured could have been processed directly onto the Relativity platform, at great expense to the client due to the volume. To reduce the volume, SRM used forensic software to identify irrelevant documents such as system files and other known files commonly found on digital devices. Files such as documents, spreadsheets, PDFs and emails were identified and extracted.
- The ability of SRM to use forensic tools to reduce the data volume prior to processing onto the platform is a method which saves the client money and time when it comes to processing and reviewing the data.
- The reduction in the data went from 2 TB to 160 GB, which was then uploaded to the Relativity platform. This was then de-duplicated and threaded, and keyword searches were run across the data to further reduce the volume.
Secretary of State vs PLC
A litigation between a Secretary of State and a large PLC involved the forensic collection of over 30 GB of data. This data included email accounts and shared work space folders on the server. Prior to the forensic collection of the data, forensic investigators at SRM were named in the court order as being the only persons who could handle the data. This was based on the experience, background and vetting of the individuals.
- Once collected, the data was processed using the Relativity eDiscovery platform, which allows the analysis and review of the data by secure access. When processed on the platform, the data is automatically searched for duplicate documents, which are highlighted and removed from the data set.
- Further reduction of the data set was achieved firstly by email threading, which removes emails that form part of a thread and retains only those that are unique. Secondly, agreed keyword searches were run across the data and only documents containing a keyword hit remained in the data set.
- The way the Relativity platform was used in this case proved innovative because it was shared by both parties in the litigation as well as by an independent party appointed by the court. This involved setting up 3 separate review platforms, each one restricted from access by the other parties.
- In addition to being used for review, the separate platforms were used as a repository for shared documents, along with comments placed on the documents by the other parties.
- The forensic investigators under instruction were also responsible for the redaction of documents which contained privileged or irrelevant material.
- By using the named individuals at SRM, considerable time and expense were saved by the client when it came to the review. In total, the 6 million documents were reduced to 17,000 for review.
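The three case studies above all describe the same review-set reduction: de-duplication, then email threading, then agreed keyword searches. The following Python sketch is an added example, not SRM’s tooling or the Relativity platform, that runs those three stages over a constructed sample of seven documents and reports how many survive each stage. It assumes each reply quotes the earlier messages, so dropping any email that another email replies to keeps the most inclusive copy of each thread branch.

```python
import hashlib
import re
# Constructed sample of collected documents (not real case data). Emails carry a
# Message-ID and the ID they reply to; each reply quotes the earlier text, as most
# mail clients do, so the last message in a thread holds the whole exchange.
DOCS = [
    {"id": "d1", "msgid": "<m1@x>", "reply_to": None, "text": "Contract renewal for the data centre lease."},
    {"id": "d2", "msgid": "<m1@x>", "reply_to": None, "text": "Contract  renewal for the data centre lease. "},  # same mail, second custodian
    {"id": "d3", "msgid": "<m2@x>", "reply_to": "<m1@x>", "text": "> Contract renewal for the data centre lease.\nAgreed, please send the invoice."},
    {"id": "d4", "msgid": "<m3@x>", "reply_to": "<m2@x>", "text": "> > Contract renewal for the data centre lease.\n> Agreed, please send the invoice.\nInvoice attached, payment terms 30 days."},
    {"id": "d5", "msgid": "<m4@x>", "reply_to": "<m1@x>", "text": "> Contract renewal for the data centre lease.\nCan we delay this until Q3?"},  # second branch of the thread
    {"id": "d6", "msgid": None, "reply_to": None, "text": "Weekly canteen menu."},  # a loose file, not an email
    {"id": "d7", "msgid": "<m5@x>", "reply_to": None, "text": "Lunch on Friday?"},
]

def fingerprint(text):
    """SHA-256 of whitespace-normalised, case-folded text; equal hashes mean duplicate content."""
    return hashlib.sha256(" ".join(text.split()).lower().encode()).hexdigest()

def dedupe(docs):
    """Keep only the first copy of each distinct document."""
    seen, kept = set(), []
    for d in docs:
        fp = fingerprint(d["text"])
        if fp not in seen:
            seen.add(fp)
            kept.append(d)
    return kept

def thread(docs):
    """Drop any email that another email replies to (the reply quotes it); non-email files are always kept."""
    replied_to = {d["reply_to"] for d in docs if d["reply_to"]}
    return [d for d in docs if d["msgid"] not in replied_to]

def keyword_filter(docs, keywords):
    """Keep only documents with at least one whole-word, case-insensitive keyword hit."""
    pattern = re.compile(r"\b(?:" + "|".join(map(re.escape, keywords)) + r")\b", re.IGNORECASE)
    return [d for d in docs if pattern.search(d["text"])]

def reduce_for_review(docs, keywords):
    """Run the three stages and return the document ids surviving each one."""
    stages = {"collected": docs}
    stages["deduplicated"] = dedupe(docs)
    stages["threaded"] = thread(stages["deduplicated"])
    stages["keyword_hits"] = keyword_filter(stages["threaded"], keywords)
    return {name: [d["id"] for d in ds] for name, ds in stages.items()}

if __name__ == "__main__":
    for stage, ids in reduce_for_review(DOCS, ["contract", "invoice"]).items():
        print(f"{stage:13s} {len(ids):2d} {ids}")
```

Production platforms judge thread inclusiveness by comparing message content rather than trusting reply headers alone, and every stage’s counts and keyword list should be recorded so the reduction can be defended in court.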
The head of SRM’s eDisclosure team, Colin Gray, hosted a live (free) webinar on the benefits of a Managed eDiscovery service on Wednesday 18th April at 3pm. A recorded version is now available. To view, click here.
To find out more about SRM’s Managed eDisclosure service, contact Mark Nordstrom on firstname.lastname@example.org or 03450 21 21 51.
To find out about the specific benefits, visit our website.
Or see our blog.