The roots of cyber security lie in the real cyber attacks and breaches that have occurred.
Understanding the context and root cause of cyber breaches increases insight into cyber risk, informs the actions to take, and clears away some of the cobwebs of uncertainty.
Types of breach
Cyber breaches range from the exploitation of easy vulnerabilities, such as the Talk Talk breach, which was due to a SQL injection exposure, to truly complex multi-layered exploits, such as Stuxnet, which Symantec has helpfully reverse engineered in a seventy-page report.
But the more typical cyber criminal is rather like your common thief: he will go for the house whose window has been left without security locks, rather than the one that is secured and alarmed up to the hilt. There is a high element of opportunism. From speaking with an ex-hacker who had done time for various exploits against organisations such as the NSA, the fact is that many organisations are in the same position as Talk Talk: their house is on the street without the window security locks installed.
But the window locks are not the only issue; there is also the zero-day threat (a vulnerability for which there is no patch available yet, and of which the technology vendor is unaware). The same ex-hacker had sent zero-day vulnerabilities to six different organisations and received no response at all, until he published one, at which point he unsurprisingly heard from the affected company the same day.
The truth is that organisations are moving to cyber resilience, but slowly.
The roots of a breach
A valuable way to help clear the FUD (fear, uncertainty and doubt) is root cause analysis of cyber breaches and of where the failings lie.
Take the Target exploit: many are aware that it was an exploitation of the Point of Sale systems that resulted in the data breach. Fewer are aware that Target had its CISO position vacant for a number of months while the breach was in progress, or that from a technology perspective it was cyber secure up to the button holes, with FireEye technology accurately reporting on the breach as it happened, except that no one was monitoring the reports. Perhaps a minority are aware that the source of the Target breach, a backdoor on PLCs in ‘intelligent’ air-con units installed on Target’s network, was provided by a company, Fazio Mechanical, which was only cyber secure to the extent of having installed free open source anti-virus software on its systems: highlighting the importance of due diligence on the cyber security posture of vendors.
The vacant CISO position is an example of how People and Process failings allowed the breach to happen. The third ‘take home’ from the Target hack is that the air-con units were part of the Internet of Things (IoT): any smart items on your network, from TVs to cameras to anything with a PLC chip in it or a SCADA system running it, are a potential, if not actual, security hazard. How they work, what they communicate with, and how they can be accessed needs to be understood, alongside performing cyber due diligence, before they are installed on your corporate network.
A second example, which truly stinks, is the ex-employee with a grudge. An Australian sewage processing plant in the midst of an area of special scientific interest and outstanding natural beauty had a large number of sewage spills, and no one could understand why… until a random check on a car parked outside the perimeter fence found the culprit, with a PC that had remote radio control of the plant’s SCADA systems. This highlights the importance of access management for leavers and of monitoring for insider threats, and is another IoT issue.
A third example is the recent Experian breach: the actual breach was not of Experian’s core systems but of an acquired company, Court Ventures Data Broker, which did not have sufficient cyber resilience. This again highlights third party risk – but this time in the context of due diligence on companies that are to be acquired. The Experian breach was also interesting from a communications perspective: it was a T-Mobile data breach, and the MD of T-Mobile was tweeting directly to customers about their data loss, which has an interesting implication for communication planning when it is third parties who hold customer data.
A fourth example is the Talk Talk breach, largely in the context of dealing effectively with the media after a breach has happened. Without going into detail, the message is to follow corporate best practice and have both disaster recovery plans and business continuity plans (BCPs) that are current, tested and fit for purpose. The BCP needs to have communication plans available for each type of disaster, including a data breach, and that communication plan must clearly identify the scope of responsibility for internal versus external PR, internal versus external legal counsel, who signs off on the communications and at what point in the process, and so on.
A final observation concerns having a level of cyber security awareness and understanding in an organisation so that individuals are not only aware of how easy it is to fall for a phishing attack, but are also aware that it is unacceptable to communicate about any corporate issue to the media, including cyber security, without the authority to do so. An employee of M&S spoke for twenty minutes to the press about a cyber breach without being authorised and without knowing that this was not correct corporate communications practice.
Gaining an understanding of the detail behind real breaches is not only an interesting exercise; it also informs the approach to mitigating the risk of breaches and makes a company better able to limit the damage if a breach does occur.
A cyber secure organisation is one that has not just purchased the latest and greatest technology and has strong processes and procedures, but has also implemented effective communication strategies, so that the employee naiveté or lack of understanding that is so often the root cause of a serious breach is absent. The best work has already been done and should be leveraged. For example, ISO27001 is a standard that an organisation can work towards, align with, comply with, or be certified against, depending on its size and budget. The UK Government’s Cyber Essentials is useful for a company starting out on improving its cyber security posture. Finally, due diligence on suppliers is critical. It is not good enough to ask for an assurance: beyond kicking the tyres, the right questions should be asked in order to be reassured that a supplier has a sufficiently resilient cyber profile.
For a no obligation discussion around cyber security, and an approach to improve corporate cyber resilience, please contact thomas.naylor”at”enablement.tech.