Lessons in War
Security by Design.. a little thought can save a great deal of expense!
Security consultants talk about “Security by design” … and to be fair, most of us believe in it! The trouble is that to much of society, it is at best, an intangible aspiration, and at worst… a mindless industry cliche. As a result the benefits are often missed in practice. This is particularly true in many smaller organisations where it is often seen as an expensive luxury.
There is a perception that cyber security is a complex technical issue that is beyond most normal folk. Whilst there are some aspects of Cyber which can be horribly complex, there are also powerful actions that we can all take to make ourselves a harder nut to crack… regardless of our technical ability or our role in society or in organisations.
The key is to acknowledge that we are not alone, and that our actions (or lack of them) influence the way potential attackers behave….and the opportunities open to them. We can make a potential attacker’s job hard or easy just as we can make ourselves appear an attractive target… or make it clear that we are not worth the effort.
This is more than basic cyber hygiene (eg antivirus, passwords and firewalls – these are, I’m afraid, a given) …it is about how we think and how we behave. Specifically, it is how we set ourselves up – as individuals or as organisations.
For example, as individuals…rather than blindly carrying everything around on a laptop, we might decide that particularly sensitive information needs special protection and we might decide to make it less available to an attacker … perhaps we might decide to save it on encrypted drives or keys and lock it up safely with our critical paperwork when we are not using it. In doing so we are applying the common sense and thought processes we use with our tangible belongings – to our intangible ones; our information.
For larger infrastructures, a little thought about structure can give defenders a significant advantage over attackers. We can make sure that access to our systems are controlled and force everyone entering a system to pass through or over areas that are closely monitored. If we are working on particularly sensitive information, we might choose to change the frequency that we test our systems. We can seek to create an environment where we have the upper hand!
This logic isn’t new…Think of medieval spiral staircases which were generally designed to favour a right handed defender..(though I note that in the fortresses of the Kerrs, an Anglo-Scottish Riever family who were reputed to be mainly left handed, the spiral allegedly went the other way! Someone had clearly thought about it!)
If we treat our intangible and invisible information assets in the same way that we treat our physical valuables… then we can make things a lot harder for an attacker.
If we fail to control our own behaviour and our environment then we will undermine even the most effective (and expensive) technology. A little thought and common sense can save a great deal of expense.
Game of Thrones: data theft and pen testing
‘Hi to all mankind’. Thus began the email sent to journalists by hackers who have reportedly stolen 1.5TB of files and videos from entertainment giant HBO. What has made the headlines is the fact that the script for next Sunday’s episode of Game of Thrones has been released. The HBO hackers conclude their email saying that ‘HBO is falling’ and it is perhaps chilling to consider the vulnerability of even the largest and best-protected companies to breach and data theft.
In April Netflix was also compromised and refused to pay a ransom demand. Ten episodes of its series ‘Orange Is the New Black’ were leaked by a hacker group known as TheDarkOverlord. It is not yet clear whether the HBO hackers are seeking a ransom payment. Yet although advance plot lines for a TV series make headline news, there is another important aspect to consider. Namely the sensitive corporate data held by HBO which may now also be in the hands of unprincipled criminals.
HBO confirmed this week that it had experienced a cyber incident ‘which resulted in the compromise of proprietary information’ and that it is examining the breach. Forensic investigation will reveal how the system was breached and enable the company to secure its systems. But assuming that a company the size of HBO has access to the very best cyber defence, what more can they do?
First of all it is worth pointing out that anything to do with Game of Thrones is a huge headline draw. With 8.9 million people reportedly watching the finale of Season 6, hackers will have been particularly motivated to succeed. Yet all organisations which hold data are vulnerable to a greater or lesser extent. Those with a strategic plan which includes regular penetration tests, network security testing and vulnerability assessments are, however, better placed because they have created inbuilt responsiveness.
Expert pen testers put themselves into the mind of potential attackers, exploring and exploiting all opportunities. As systems become more complex, the ‘attack surface’ continues to grow and the potential number of ways a hacker gains access is ever expanding, making this technique increasingly valuable.
As an additional precaution, organisations should defend their systems by assuming that they have already been breached and that a hacker lurks quietly within. If information is encrypted and secured with high difficulty passwords regularly updated, hackers may just prefer to concentrate their efforts on easier prey. When it came to the fate of the Seven Kingdoms, perhaps the hackers felt the effort was worth it, but, like Jon Snow, let’s make their lives as difficult as possible.
SRM can advise on all aspects of Information Security Testing as well as providing a full range of consultancy services.
Information Security Testing & Compliance
NotPetya – does society need to start thinking differently?
Talking to a well-respected and hitherto successful businessman at an event recently, he mentioned the NotPetya malware attack and then dismissed it as “another one of these spotty teenagers misbehaving – something I leave to my technical boys”. It was very clear from his comments that his perception of cyber risk is that it is, at most, peripheral. I will not identify his business out of courtesy, but I would have said he is likely to be a pretty high value target, and is probably custodian of a huge amount of valuable information belonging to 3rd parties.
One of the most striking things about the recent series of global cyber attacks is what appears to be a subtle shift in motivation for some of these events…. Whilst the analysis continues and our understanding will continue to develop, there is a clear shift in some of these attacks from cyber banditry to strategic attack. Whilst this is not necessarily a new phenomenon, it is now something that should be understood as mainstream operational risk by those running organisations.
Even if we set aside many of the practical and technical implications (which are widely covered elsewhere), the moment we become part of a strategic target, valuable for our collective value, rather than as an individual target, valuable for our own intrinsic value, then we can expect to see a very different attack tempo. Where attacks are motivated by anarchy rather than theft, the rules change significantly. When the rules change, our response may need to change too.
This shift is analogous to the evolution of the doctrine of asymmetric warfare over the past two decades where it has become clear that the fundamental differentiator is not the way that protagonists behave, but the fundamental value set and drivers that shape their strategy, behaviours and decisions. If, for example, our security strategy is based on the assumption that we can remain safe by creating conditions which are too unsafe for a potential attacker, we become vulnerable to attackers who either care little for safety, or perhaps define it differently to us. This, of course, is the paradigm that underpins suicide bombing as an attack strategy in the physical and space.
Where does this leave us?
As individuals and organisations, we need to think a little about those who might seek to compromise us and what drives them. It is no longer viable to dismiss these attackers as vandals those who behave badly; just as it is no longer sensible to repeatedly hit the “update later” button when our machines ask us whether we would like to update them. Senior decision makers dismiss cyber security as something purely for the technicians to manage at their peril.
Wherever we sit in society or in the workplace, we all need to make a little effort to understand a little about the digital environment and how to stay safe in it. Specifically, we need to think a little about those who may be using this environment to exploit us or do us harm. Whether we read e-books, tablets, hardbacks or red tops – there is material out there to suit most tastes. If that fails there are increasing numbers of people and companies who are able to advise.
Whilst we are not all expected to be experts, we should all have an informed view that is consistent with our role!
The environment we live and survive in is changing, and we either embrace that changing environment, and take responsibility for our own safety, or we should expect to be exploited as a a commodity.
The flaw in the plan: business continuity management
When is a plan not a plan? When it is an out-of-date plan. The latest research from the industry-respected Ponemon Institute, reveals that 26 per cent of IT and IT security professionals from UK companies have some sort of cyber resilience plan, but that 49 per cent of these have either not reviewed or updated it since it was first put in place.
In a world where the sophistication and determination of malicious attackers is on the increase, this is concerning. Because it effectively means that nearly half of those who have actually made a concerted attempt to develop cyber resilience are not actually maintaining these defences. So, when even those who have put in place a strategic plan are failing to update it, where does this leave UK organisations and businesses? Well, at the very least, it puts those with an up to date, regularly reviewed plan at a sound competitive advantage.
Research shows that a Business Continuity Management (BCM) plan, applied consistently across the entire enterprise with senior management’s support makes a significant difference in the ability to achieve high level cyber resilience, thus protecting financial and reputational assets. Made up of the Business Continuity Plan (BCP), Disaster Recovery (DR) plan and Business Impact Assessment (BIA), the BCM process identifies risks, threats and vulnerabilities that could impact an entity’s continued operations in the face of potentially damaging attacks. An effective BCM plan provides a framework for building organisational resilience and the capability for an effective response; but it also goes further than that.
An overarching strategic plan also sets out how the individual BCM strategies will be delivered into the future. This includes the assigning of responsibilities, the establishment and implementation of BCM within the organisation and its ongoing management. Properly executed, this not only builds in a level of business resilience but also the capacity to continue to adapt quickly to disruptions, maintain continuous business operations and safeguard people, processes and technology into the future.
Planning is the key to an effective strategy, as is exercising the plan to ensure that it is effective and continues to support the business appropriately. It is worth considering bringing in professional expert support at this stage to assist in developing and maintaining an ongoing BCM plan that not only ticks the boxes but actually has a scheduled updating process, delivering optimum results in the event of a breach. The cost of professional input is cost effective in the context of restoring business function.
To find out more visit Business Continuity Management
What is an Incident Response Plan?
Information security breaches can and do happen, even to the best prepared organisations. Every year, companies that have demonstrated ongoing PCI DSS compliance will still fall victim to an information security breach. Because, in the war for our card data security, the enemy always has the element of surprise.
Most can imagine a scenario which would compromise their security. A serious fire destroying the whole office function. A rogue employee exposing customer data. A terrorist or criminal hacking their systems. With a war fought on so many fronts, however, it is impossible to defend against all attacks. Because an organisation that is defended to the hilt is also likely to be impenetrable, and therefore not in the business of doing business.
In this war of attrition, some attacks will get through. And the repercussions could be disastrous if there is a long delay in getting the business back on its feet. But the aftermath need not be catastrophic. Recovery can be accelerated to restore normal trading in the shortest possible time frame. That is where a robust Incident Response Plan comes in. Not only does it go a long way toward anticipating and avoiding potential disasters but if an organisation is compromised, it will mitigate the damage and accelerate the road to revenue and reputational recovery.
PCI DSS Requirement 12.10 states that entities must “be prepared to respond immediately to a system breach.” Guidance notes go on to state that such a plan should be “thorough, properly disseminated, read, and understood by the parties responsible”; and include proper testing at least annually to ensure the process works as designed and to mitigate any missed key steps to decrease exposure.
In reality, while all PCI DSS compliant organisations have a degree of incident response capability, in some cases this is simply a box ticking exercise. Few have an adequate Incident Response plan which fully outlines the process for recovery in any number of situations and provides a framework for rapid restoration.
Planning is the key to an effective strategy. It is also important to consider bringing in professional expert support at this stage to assist in developing and maintaining an Incident Response plan that not only ticks the boxes but actually delivers in the event of a breach. If a breach does occur, having engaged professional support, it means that there are expert investigators with an intimate knowledge of your organisation on standby. They will ensure the breech is stemmed, card holder data is secured and revenue generating activities suffer minimal impact. The cost of professional input must be seen as cost effective in the context of restoring business function.