Open Source projects can be a great asset, or they can be a curse. It is all in how you manage it. To be successful in using open source, there are several things to keep in mind, from licensing to updates. And if you ignore any of them, it can cause problems. Here are some […]
We round up interesting research and reporting about security and privacy from around the web. This month: password practice, GDPR birthday, c-suite risk, and further reading for security pros.
Passwords: a good day to try hard
No self-respecting security pro would use easy passwords, but could they say the same for their colleagues (i.e. everyone else)? The answer is no, according to the UK National Cyber Security Centre. It released a list of the 100,000 most hacked passwords, as found in Troy Hunt’s ‘Have I Been Pwned’ data set of breached accounts. Unsurprisingly, ‘123456’ topped the list. A massive 23 million accounts use this flimsy string as “protection” (in the loosest possible sense of the word). Next on the list of shame were the almost as unimaginative ‘123456789’, ‘qwerty’, ‘password’ and ‘1111111’.
The NCSC released the list for two reasons: firstly to prompt people to choose better passwords. Secondly, to allow sysadmins to set up blacklists to block people in their organisations from choosing any of these terrible passwords for themselves. The list is available as a .txt file here and the agency blogged about the findings to give more context. Help Net Security has a good summary of the study. The NCSC published the research in the buildup to World Password Day on May 2, which Euro Security Watch said should be every day.
WP Engine recently performed its own analysis of 10 million compromised passwords, including some belonging to prominent (and anonymised) victims. It makes a useful companion piece to the NCSC study by looking at people’s reasons for choosing certain passwords.
Encouraging better security behaviour through knowledge is one part of the job; effective security controls are another. In April, Microsoft said it will stop forcing password resets for Windows 10 and Windows Server because forcing resets doesn’t improve security. CNet’s report of this development noted Microsoft’s unique position of influence, given its software powers almost 80 per cent of the world’s computers. We recently blogged about what the new FIDO2 authentication standard could mean for passwords. Better to use two-factor authentication where possible. Google’s Mark Risher has explained that 2FA offers much more effective protection against risks like phishing.
GDPRversary getting closer
Almost one year on from when the General Data Protection Regulation came into force, we’re still getting to grips with its implications. The European Data Protection Supervisor, Giovanni Buttarelli, has weighed in on the state of GDPR adoption. He covered many areas in an interview with Digiday, including consent, fines, and legitimate interest. One comment we liked was how falling into line with the regulation is an ongoing activity, not a one-time target to hit. “Compliance is a continued working progress for everyone,” he said.
The European Data Protection Board (formerly known as the Article 29 Working Group) recently issued draft guidance on an appropriate legal basis and contractual obligations in the context of providing online services to data subjects. This is a public consultation period that runs until May 24.
The EDPB is also reportedly planning to publish accreditation requirements this summer. As yet, there are no approved GDPR certification schemes or accreditation bodies, but that looks set to change. The UK regulator recently published its own information about certification and codes of conduct.
Meanwhile, Ireland’s Data Protection Commission has started a podcast called Know Your Data. The short episodes mix information for data controllers and processors with more general information for data subjects (i.e. everyone).
Breaching the c-suite
Senior management are in attackers’ crosshairs as never before, and 12 times more likely to be targeted in social engineering incidents than in years past. That is one of the many highlights from the 2019 Verizon Data Breach Investigations Report. Almost seven out of ten attacks were by outsiders, while just over a third involved internal parties. Just over half of security breaches featured hacking; social engineering was a tactic in 33 per cent of cases. Errors were the cause of 21 per cent of breaches, while 15 per cent were attributed to misuse by authorised users.
Financial intent was behind 12 per cent of all the listed data breaches, and corporate espionage was another motive. As a result, there is a “critical” need for organisations to make all employees aware of the potential threat of cybercrime, Computer Weekly said. ThreatPost reported that executives are six times more likely to be a target of social engineering than a year ago.
Some sites like ZDNet led with another finding: that nation-state attackers are responsible for a rising proportion of breaches (23 per cent, up from 12 per cent a year ago). It also highlighted the role of system admin issues that subsequently led to breaches in cloud storage platforms. Careless mistakes like misconfiguration and publishing errors also left data at risk of access by cybercriminals.
The Verizon DBIR is one of the most authoritative sources of security information. Its content is punchy, backed by a mine of informative stats to help technology professionals and business leaders plan their security strategies. The analysis derives from 41,000 reported cybersecurity incidents and 2,000 data breaches, featuring contributions from 73 public and private organisations across the globe, including Ireland’s Irisscert. The full report and executive summary are free to download here.
Links we liked
Challenge your preconceptions: a new paper argues cybersecurity isn’t important. MORE
An unfortunate trend that needs to change: security pros think users are stupid. MORE
It’s time to panic about privacy, argues the New York Times in this interactive piece. MORE
Want a career in cybersecurity, or know someone who does? Free training material here. MORE
NIST has developed a comprehensive new tool for finding flaws in high-risk software. MORE
NIST also issued guidelines for vetting the security of mobile applications. MORE
Cybersecurity threats: perception versus reality as reported by AT&T Security. MORE
Here’s a technical deep dive into how phishing kits are evolving, courtesy of ZScaler. MORE
A P2P flaw exposes millions of IoT security cameras and other devices to risks. MORE
A new way to improve network security by analysing compressed traffic. MORE
As information security professionals, we often face a challenge when trying to explain what we mean by ‘data classification’. So here’s my suggestion: let’s start by not calling it that. In my experience, the minute you call it that, people switch off.
Our role should be to try to engage an audience, not scare them away. Classification sounds like a military term, and if the reaction that greets you is an eye-roll that says: ‘you’re talking security again’, then they’ve zoned out before you’ve even got to the second sentence. I try and change the language, because otherwise, what we have here is a failure to communicate.
In reality, it’s very simple if you explain what you mean by classification. If we strip away any jargon or names, what we’re doing is asking an organisation to decide what information is most important to it. Then, it’s about asking the organisation’s people to apply appropriate layers of protection to that information based on its level of importance.
De do do do, de da da da
Who needs to use data classification? These days, it’s everyone. Why is it important? Why make people do this work? Data is a precious commodity. Think of it like water in many parts of the world: there’s a lot of it about, it’s too easily leaked if you don’t protect it, it’s extremely valuable if you control the source, and you can combine it with other things to increase its worth. Well, it’s a similar story with data. Data is just a bunch of numbers, but context turns it into information. You could have 14 seemingly random numbers, and that’s data. Now, split them into two groups, one of eight digits and another of six digits with some dashes in between. Suddenly those numbers become a bank account number and sort code. Then it’s information.
Message in a bottle
The first step for security professionals to win people over to the concept is to make it real for their audience. If your message is personal, people can relate it to what they have to do in their work.
We handle types of information in different ways and make decisions all the time on who should have access to it. Think of it this way: do you file paperwork – utility bills, appointment letters, bank statements – at home? Would you leave your payslip lying around the home for your kids to read?
In a work context, a CEO might want their executive assistant to access their calendar for meetings, but they don’t necessarily want to share their bank account details to see how much money they make or what they spend it on.
Naturally, the type of information that’s most valuable will vary by industry, so you have to adapt any message to suit. In healthcare, it might be sensitive medical records about someone’s health. For someone working in the food and drinks industry, maybe IP (intellectual property) like the recipe for the secret sauce or the package design are the most valuable items to protect. In pharmaceuticals, it might be the blueprints or ingredients of a new drug.
You don’t have to put on the red light
So now we’ve established that information may have different values, how do we group them? Deciding on the value of information may require the employee to apply good judgement. I like using the traffic light idea of three tiers of information (red, amber and green) rather than the binary option of just public or private. Those three levels then become public (green), confidential (amber), and restricted or private (red). It allows for an extra level of data management, and therefore protection, where needed, but three is still a simple number to grasp.
This approach is easy to picture. People can very quickly understand what category information falls into, and what to do with it. Using the traffic light approach, public material (green) might be a brochure about a new product, or it could be the menu in the staff canteen. That’s the material that you want many people to see. The company contact directory or minutes from a meeting would be confidential (amber). Items that aren’t for general distribution outside board level (such as merger discussions) are extremely sensitive or privileged (red).
Once we know what we’re protecting, we get to the how.
If we’re dealing with physical paper documents, we can mark the sensitive information with a red sticker or red mark on the corner. The rule might be: never leave a red file unattended unless an authorised person is actively reading it and doing something with it. You know it shouldn’t leave the building unless it’s extremely well protected.
If the mark or sticker is amber, the person holding it must lock it away overnight.
Any document with a green mark doesn’t have to be locked away.
Every breath you take
You can extend that system beyond individual files to folders and to filing cabinets if necessary. You can apply this very easily by adding the appropriate colour to each document, folder, filing cabinet or even rooms in the building. Leave marker pens, stickers or anything that clearly shows the classification available for people to use.
It’s relatively easy to get people to apply the exact same marking system to electronic data. So you mark the Word file or Excel sheet with the same colour scheme, and folders, and so on. Once you’ve put the colours on it, the application of it is easy. If you use templates or forms of any kind it’s easy to start applying rules automatically, and you can then tie in the classification to your data leakage prevention tools, or DLP solutions, by blocking the most sensitive information from leaving the organisation, or at least flagging it for attention. It’s possible to put markers in the metadata of document templates, so amber or red documents could flag to the user that they need to encrypt before sending.
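As an added example (not code from the article or from BH Consulting), here is how the classification marker in a document template’s metadata can drive the DLP decision described above. It assumes the marker is stored as a custom Office property named “Classification” in the document’s docProps/custom.xml part, maps green/amber/red to allow/flag-for-encryption/block, and treats an unlabelled document as amber; the sample documents are constructed in memory and hold only that one part.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Action is what an outbound-mail or endpoint DLP hook does with a document.
type Action int

const (
	Allow       Action = iota // green: public, may leave freely
	FlagEncrypt               // amber: confidential, tell the user to encrypt first
	Block                     // red: restricted, must not leave the organisation
)

func (a Action) String() string { return [...]string{"allow", "flag-encrypt", "block"}[a] }

// customProps mirrors the docProps/custom.xml part of an Office document,
// which is where a template can carry a "Classification" marker.
type customProps struct {
	XMLName  xml.Name `xml:"Properties"`
	Property []struct {
		Name  string `xml:"name,attr"`
		Value string `xml:"lpwstr"`
	} `xml:"property"`
}

// ReadClassification opens the document (a zip container) and returns the
// value of the Classification custom property, or "" if none is present.
func ReadClassification(doc []byte) (string, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return "", err
	}
	for _, f := range zr.File {
		if f.Name != "docProps/custom.xml" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return "", err
		}
		defer rc.Close()
		var props customProps
		if err := xml.NewDecoder(rc).Decode(&props); err != nil {
			return "", err
		}
		for _, p := range props.Property {
			if strings.EqualFold(p.Name, "Classification") {
				return strings.TrimSpace(p.Value), nil
			}
		}
	}
	return "", nil
}

// Decide maps the traffic-light label to a DLP action. An unlabelled document
// is treated as amber (an assumption: fail towards flagging, not allowing).
func Decide(label string) Action {
	switch strings.ToLower(label) {
	case "green":
		return Allow
	case "red":
		return Block
	default:
		return FlagEncrypt
	}
}

// Inspect is the single entry point a mail gateway or endpoint agent would call.
// An unreadable container is blocked rather than let through unchecked.
func Inspect(doc []byte) (Action, error) {
	label, err := ReadClassification(doc)
	if err != nil {
		return Block, err
	}
	return Decide(label), nil
}

// BuildSampleDoc constructs a minimal stand-in for a .docx: a zip holding only
// docProps/custom.xml (a real file carries many more parts). Pass "" to get a
// document with no classification marker at all. Labels are trusted input here.
func BuildSampleDoc(label string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	if label != "" {
		w, _ := zw.Create("docProps/custom.xml")
		fmt.Fprintf(w, `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
 xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
 <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="Classification">
  <vt:lpwstr>%s</vt:lpwstr>
 </property>
</Properties>`, label)
	} else {
		w, _ := zw.Create("word/document.xml")
		io.WriteString(w, "<document/>")
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	for _, label := range []string{"Green", "Amber", "Red", ""} {
		action, err := Inspect(BuildSampleDoc(label))
		fmt.Printf("label=%q -> %v (err=%v)\n", label, action, err)
	}
}
```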
Ultimately, we’re in the business of changing behaviour, and the net result should be that people become more aware of information and data protection because it’s a relatable concept that they’re applying in their daily work, almost without realising.
So if not classification, what do we call it? The importance of information? Data management? It’s still not very snappy, so any suggestions or answers on a postcard please.
Oh, and as a footnote, if you have any information you want everyone in the company to read, just put it in an unsealed envelope marked “CONFIDENTIAL” and leave it near the printer/photocopier/coffee area. I guarantee everyone passing will take a look.
Guest article by Damon Culbert of Cyber Security Jobs
Cyber criminals are a part of modern life. From Uber account hacks to major business data breaches, our online identities are rarely safe. And, while big-name companies under threat often make the news, it’s small and medium-sized enterprises who are actually their biggest targets.
Large businesses and government departments may seem like more obvious hacking targets with bigger payoffs, but these organisations can afford much more robust, well-kept and successful IT security measures and cyber security professionals working round the clock. Due to this, cyber criminals are much more likely to swing for easy targets like family businesses.
With the introduction of GDPR across Europe, all businesses are now much more responsible for the personal data they keep, meaning companies of all size can’t really afford to not have at least the basic security measures in place. The UK National Cyber Security Centre (NCSC) have created a list of five principles as part of their Cyber Essentials Scheme. These include:
1. Secure your internet connection
2. Protect from viruses and other malware
3. Control access to your data and services
4. Secure your devices and software
5. Keep your devices and software up to date
All small businesses should know these principles and be putting them into practice, no matter how many staff they employ. In addition to this, here are a couple of other tips to keep hackers at bay which can be simply implemented into your business practices and keep the ICO (Information Commissioner’s Office) from the door.
Invest in Software and Hardware
While just functioning from day to day might be your only priority as a small business owner, investing in your technology will undoubtedly help in the long run. Keeping your software, such as antivirus software and operating systems, up to date will ensure that any vulnerabilities identified by the creators are covered and there are no gaping holes in your cyber defences.
It might also be a good idea to invest in a good-quality back-up server and cyber insurance, so that if any personal data is ever compromised, your operations can simply switch to the back-up server without affecting your business. Cyber insurance will also help keep you covered in case any clients’ personal data is lost and costs are incurred.
Staff Awareness
Without the awareness of your staff, no manner of cyber security measures will keep your business safe. 90% of breaches happen because of user interaction, most commonly through phishing scams. Sophisticated phishers can impersonate senior members of staff in your organisation and trick other employees into handing over login details, authorising bogus payments or redirecting bank transfers.
Ensuring that staff are made aware of how to identify phishing scams and even having experienced trainers come in to guide them through cyber security best practice may seem like a cost you can spare but will go far in keeping the walls around your business impenetrable.
Compliance
The GDPR states that businesses who suffer a breach must alert the ICO and any customers who may have been affected within 72 hours of discovery. This is vital, and although fines could still be handed out for failure to prevent a breach, these fines will be much higher if the ICO discovers that you kept the information to yourself for longer than the 72 hour period.
The average time it takes for an organisation to discover a breach is 229 days, so the time it takes for a breach to come to your attention isn’t going to work in your favour. However, regular reporting is likely to result in earlier identification, which will not only help you save time and money, but will also be a strong trust signal to your clients that you take protecting their data seriously.
Pre-emptive planning
Security breaches are a ‘when’ not ‘if’ problem, so planning ahead is a necessity of modern business. 74% of SMEs don’t have any money saved to deal with an attack and 40% wouldn’t even know who to contact in the event of a breach. Having comprehensive disaster management plans in place will help keep you and your clients safe, keep your reputation in top shape and make sure you don’t have to pay out major money in the worst case scenario.
Plan of Action
The best thing for SMEs to do is to start small and keep building their defences as time goes on, helping keep costs down and customers happy. Here’s a plan of action to get started:
Fraudsters are targeting consumers with one-ring phone scams that exploit people’s curiosity so as to trick them into paying exorbitant fees. According to the U.S. Federal Communications Commission (FCC), this scam oftentimes begins when a fraudster contacts an unsuspecting consumer using a one-ring phone call. Many of these calls appear to originate from phone numbers […]
Passwords may not be the favourite piece of your workday, however, I have a theory – if I could share with you the value of a password and the reality of how simple they can be to create; then passwords may not be the monster you avoid. When you get the “your password expires in […]
Here, we list upcoming events, conferences, webinars and training featuring members of the BH Consulting team presenting about cybersecurity, risk management, data protection, GDPR, and privacy.
Tech Connect Live 2019: Dublin, 30 May
BH Consulting COO Valerie Lyons will be presenting at this event which takes place at the RDS in Dublin on Thursday 30 May. The conference is a business and technology event, with talks on a range of related subjects happening throughout the day. The event is free to attend, and more than 5,000 delegates are expected on the day. To find out more and to register for a free pass, visit here.
Data Protection Officer certification course: Vilnius/Maastricht June/July
BH Consulting contributes to this specialised hands-on training course that provides the knowledge needed to carry out the role of a data protection officer under the GDPR. This course awards the ECPC DPO certification from Maastricht University. Places are still available at the courses scheduled for June and July, and a link to book a place is available here.
IAM Annual Conference: Dublin, 28-30 August
Valerie Lyons is scheduled to speak at the 22nd annual Irish Academy of Management Conference, taking place at the National College of Ireland. The event will run across three days, and its theme considers how business and management scholarship can help to solve societal challenges. For more details and to register, visit the IAM conference page.
As I reflect upon my almost 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security—those we think have common understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning, and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”
There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.
Let’s talk about Connection’s artistic methodology. We start with a canvas that has the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation around how people, process, and technology all work together to provide a comprehensive risk strategy is achieved.
People
Users understand threat and risk, and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone surf in behind you through a badge check entry. And don’t think about trying to shut off your end-point anti-virus or firewall.
Policies are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.
Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced
The average mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days. Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.” Detection is a proactive process.
What happens when an alert occurs? Who sees it? What is the documented process for taking action?
What is in place to ensure you are detecting malicious activity? Is it configured to ignore noise and only alert you of a real event? Will it help you bring that 197-day mean time to detection way down?
What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you War Game to ensure you are prepared WHEN an incident occurs?
What is the documented process to reduce the Kill Chain—the mean time to detect and contain—from 69 days to 69 minutes? Do you have a Business Continuity and Disaster Recovery Plan to ensure the ability to react to a natural disaster, significant cyber breach such as ransomware, DDoS, or—dare I say it—a pandemic?
What cyber security consoles have been deployed that allow quick access to patch a system, change a firewall rule, switch ACL, or policy setting at an end point, or track a security incident through the triage process?
All of these things are important to create a comprehensive InfoSec Program. The science is the technology that will help you build a layered, in-depth defense approach. The art is how to assess the threat, define and document the risk, and create a strategy that allows you to manage your cyber risk as it applies to your environment, users, systems, applications, data, customers, supply chain, third party support partners, and business
More Art: Are You a Risk Avoider or Risk Transference Expert?
A better way to state that is, “Do you avoid all risk responsibility or do you give your risk responsibility to someone else?” Hint: I don’t believe in risk avoidance or risk transference.
Yes, there is an art to risk management. There is also science if you use, for example, the Carnegie Mellon risk tools. But a good risk owner and manager documents risk, prioritizes it by risk criticality, turns it into a risk register or roadmap plan, remediates what is necessary, and accepts what is reasonable from a business and cyber security perspective. Oh, by the way, those same five cyber security professionals we talked about earlier? They have 17 definitions of risk.
As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game: the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards and Technology (NIST) artist, an International Standards Organization (ISO) artist, or have you developed your own framework like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely based on the NIST 800-53 and ISO 27001 standards.
When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF) pictured below. This framework is comprehensive, and provides a scoring model that allows risk owners to measure and target what risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. Both of these frameworks can result in a Certificate of Attestation demonstrating adherence to the standard. Many commercial corporations do an annual ISO 27001 assessment for that very reason. More and more are leaning towards the NIST CSF, especially commercial corporations doing work with the government.
The art in cyber security is in the interpretation of the rules, standards, and requirements that are primarily based on a foundation in science in some form. The more experience one has in the cyber security industry, the more effective the art becomes. As a last thought, keep in mind that Connection’s Technology Solutions Group Security Practice has over 150 years of cyber security expertise on tap to apply to that art.
For years, many organisations – and their users – have struggled with the challenge of password management. The technology industry has toiled on this problem by trying to remove the need to remember passwords at all. Recent developments suggest we might finally be reaching a (finger)
At Mobile World Congress this year, Google and the FIDO Alliance announced that most devices running Android 7.0 or later can provide password-less logins in their browsers. To clarify, the FIDO2 authentication standard is sometimes called password-less web authentication. Strictly speaking, that’s a slightly misleading name because people still need to authenticate to their devices using a PIN or a biometric identifier like a fingerprint. It’s more accurate to say FIDO2 authentication, but not surprisingly, the term ‘password-less’ seems to have caught the imagination.
that web developers can now make their sites work with FIDO2, which would mean people can log in to their online accounts on their phones without a password. This feature will be available to an estimated one billion Android devices, so it’s potentially a significant milestone on the road to a password-less future. Last November, Microsoft announced password-less sign-in for its account users, with the same FIDO2 standard. One caveat: Microsoft’s option requires using the Edge browser on Windows 10 build 1809. So, the true number of users is likely to be far lower than the 800 million Microsoft had been promising. But this is just the latest place where Microsoft has inserted FIDO technology into its products.
It’s not what you know
I spoke to Neha Thethi, BH Consulting’s senior information security analyst, who gave her reaction to this development. “Through this standard, FIDO and Google pave the way for users to authenticate primarily using ‘something they have’ – the phone – rather than ‘something they know’ – the password. While a fingerprint or PIN would typically be required to unlock the device itself, no shared secret or private key is transferred over the network or stored with the website, as it is in the case of a password. Only a public key is exchanged between the user and the
From the perspective of improving security, Google’s adoption of FIDO2 is a welcome development, Neha added. “Most of the account compromises that we’ve seen in the past few years are because of leaked passwords, on the likes of Pastebin or through phishing, exploited by attackers. The HaveIbeenpwned website gives a sense of the scale of this problem. By that measure, going password-less for logging in to online accounts will definitely decrease the attack surface significantly,” she said.
“The technology that enables this ease of authentication is public key cryptography, and it has been around since the 1970s. The industry has recognised this problem of shared secrets for a long time now. Personally, I welcome this solution to quickly and securely log in to online accounts. It might not be bulletproof, but it takes the onerous task of remembering passwords away from individuals,” she said.
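To make concrete the property Neha describes (the website holds only a public key, so a leak of its database or a captured login cannot be reused), here is an added example of a simplified public-key challenge-response login. It is my own illustration, not BH Consulting’s or FIDO’s code, and it is not the WebAuthn protocol itself: it omits attestation, origin binding and signature counters, and models the device unlock (PIN or fingerprint) as a simple boolean.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the phone. The private key is generated on the
// device and never leaves it; the PIN/fingerprint check is modelled as a bool.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// Server is the relying party (the website). Per user it stores only a public
// key and the challenge currently outstanding, so a leak of this data yields
// no secret an attacker could log in with.
type Server struct {
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register creates the key pair on the device and hands the server the public
// half only.
func Register(s *Server, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// Challenge issues a fresh 32-byte random nonce for the user. It is single-use:
// Verify deletes it, so a captured signature cannot be replayed.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Sign produces an ECDSA signature over the challenge, but only after the
// user has unlocked the device locally. Nothing secret is sent to the server.
func (a *Authenticator) Sign(challenge []byte, unlocked bool) ([]byte, error) {
	if !unlocked {
		return nil, errors.New("user verification failed on device")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// Verify checks the signature against the stored public key and consumes the
// outstanding challenge whether or not the check succeeds.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, known := s.pubKeys[user]
	challenge, pending := s.challenges[user]
	delete(s.challenges, user)
	if !known || !pending {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	s := NewServer()
	phone, err := Register(s, "alice")
	if err != nil {
		panic(err)
	}
	c, _ := s.Challenge("alice")
	sig, _ := phone.Sign(c, true)
	fmt.Println("first login:", s.Verify("alice", sig))        // true
	fmt.Println("replayed signature:", s.Verify("alice", sig)) // false: challenge consumed
}
```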
Don’t try to cache me
Organisations have been using passwords for a long time to log into systems that store their confidential or sensitive information. However, even today, many of these organisations don’t have a systematic way of managing passwords for their staff. If an organisation or business wants to become certified to the ISO 27001 security standard, for example, they will need to put in place measures in the form of education, process and technology, to ensure secure storage and use of passwords. Otherwise, you tend to see less than ideal user behaviour like storing passwords on a sticky note or in the web browser cache. “I discourage clients from storing passwords in the browser cache because if their machine gets hacked, the attacker will have access to all that information,” said Neha.
That’s not to criticise users, she emphasised. “If an organisation is not facilitating staff with a password management tool, they will find the means. They try the best they can, but ultimately they want to get on with their work.”
The credential conundrum
The security industry has struggled with the problem of access and authentication for years. It hasn’t helped by shifting the burden onto the people least qualified to do something about it. Most people aren’t security experts, and it’s unfair to expect them to be. Many of us struggle to remember our own phone numbers, let alone a complex password. Yet some companies force their employees to change their passwords regularly. What happens next is the law of unintended consequences in action. People choose a really simple password, or one that barely changes from the one they’d been
For years, many security professionals followed the advice of the US National Institute of Standards and Technology (NIST) for secure passwords. NIST recommended using a minimum of seven characters, and to include numbers, capital letters or special characters. By that measure, a password like ‘Password1’ would meet the recommendations even if no-one would think it was secure.
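The two ideas above (the NCSC’s breached-password list that sysadmins can turn into a blacklist, and the older seven-character composition rule that ‘Password1’ satisfies) can be compared side by side. The following is an added example, not code from the article or from the NCSC: it loads a constructed six-line stand-in for the NCSC text file, applies both the legacy composition rule and a denylist policy, and shows that ‘Password1’ passes the former but not the latter. The eight-character minimum in the denylist policy and the case-folding of list entries are my own choices (the minimum follows NIST SP 800-63B).

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
	"unicode"
)

// sampleDenylist is a constructed stand-in for the NCSC file: one breached
// password per line. The real list has 100,000 entries; the first five are the
// ones the article names, and "password1" is added for the comparison below.
const sampleDenylist = `123456
123456789
qwerty
password
1111111
password1
`

// Denylist is a set of breached passwords for constant-time lookup.
type Denylist map[string]struct{}

// LoadDenylist reads a newline-separated list into a set. Entries are lower-
// cased so "Password" and "password" both hit (an assumption made here; the
// NCSC file itself is just plain text).
func LoadDenylist(r io.Reader) (Denylist, error) {
	dl := make(Denylist)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		pw := strings.TrimRight(sc.Text(), "\r")
		if pw != "" {
			dl[strings.ToLower(pw)] = struct{}{}
		}
	}
	return dl, sc.Err()
}

// IsBreached reports whether candidate appears in the denylist.
func (dl Denylist) IsBreached(candidate string) bool {
	_, found := dl[strings.ToLower(candidate)]
	return found
}

// MeetsLegacyRule is the older composition advice the article describes:
// at least seven characters plus a digit, capital letter or special character.
func MeetsLegacyRule(pw string) bool {
	if len([]rune(pw)) < 7 {
		return false
	}
	for _, r := range pw {
		if unicode.IsDigit(r) || unicode.IsUpper(r) || unicode.IsPunct(r) || unicode.IsSymbol(r) {
			return true
		}
	}
	return false
}

// Verdict records how a candidate fares under both policies.
type Verdict struct {
	LegacyOK bool // passes the seven-character composition rule
	Breached bool // appears in the breached-password list
	Accept   bool // accepted by the denylist policy
}

// Evaluate applies both checks. The denylist policy imposes no composition
// rule: it rejects anything on the list and anything shorter than eight
// characters, and otherwise accepts (so a plain-word passphrase is fine).
func Evaluate(dl Denylist, pw string) Verdict {
	v := Verdict{LegacyOK: MeetsLegacyRule(pw), Breached: dl.IsBreached(pw)}
	v.Accept = !v.Breached && len([]rune(pw)) >= 8
	return v
}

func main() {
	dl, err := LoadDenylist(strings.NewReader(sampleDenylist))
	if err != nil {
		panic(err)
	}
	for _, pw := range []string{"Password1", "123456", "purple kettle orbit", "short1"} {
		v := Evaluate(dl, pw)
		fmt.Printf("%-22q legacy=%-5v breached=%-5v accept=%v\n", pw, v.LegacyOK, v.Breached, v.Accept)
	}
}
```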
Poor password advice
Bill Burr, the man who literally wrote the book on passwords for NIST, has since walked back on his own advice. In 2017, he told the Wall Street Journal, “much of what I did I now regret”. He added: “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree”. NIST has since updated its password advice, and you can find the revised recommendations here.
As well as fending off cybercrime risks, another good reason for implementing good access control is GDPR compliance. Although the General Data Protection Regulation doesn’t specifically refer to passwords, it requires organisations to process personal data in a secure manner. The UK’s Information Commissioner’s Office has published useful free guidance about good password practices with GDPR in mind.
Until your organisation implements password-less login, ensure you protect your current login details. Neha recommends using a pass phrase instead of a password, along with two-factor authentication where possible. People should also use a different pass phrase for each website or online service they use, because reusing the same phrase puts them at risk if attackers compromise any one of those sites. Once attackers obtain one set of login credentials, they try them on other popular websites to see if they work. She also recommends using a good password manager or password keeper in place of having to remember multiple pass phrases or passwords. Just remember to think of a strong master password to protect all of those other login details!
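As an added illustration (not code from the article or from NIST), the Python below contrasts the legacy composition-style check described above, under which ‘Password1’ passes, with a revised-style check in the spirit of NIST’s updated guidance: a minimum length, screening against a list of commonly used or breached passwords, a context check, and no composition rules. The blocklist is a constructed sample standing in for a real file such as the NCSC list, and the case-insensitive comparison is a defensive choice of this example, not a requirement of either policy.

```python
import string

# Constructed sample standing in for a real breached-password list (one entry
# per line, as the NCSC file is distributed); a real deployment loads the file.
BLOCKLIST_TEXT = """123456
123456789
qwerty
password
111111
password1
"""


def load_blocklist(text: str) -> set:
    """Parse one entry per line; entries are lower-cased for case-insensitive matching."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


BLOCKLIST = load_blocklist(BLOCKLIST_TEXT)


def meets_legacy_rules(pw: str) -> bool:
    """Legacy composition policy as the article describes it: at least seven
    characters plus at least one digit, capital letter or special character."""
    has_class = any(c.isdigit() or c.isupper() or c in string.punctuation for c in pw)
    return len(pw) >= 7 and has_class


def check_revised(pw: str, context=(), blocklist=BLOCKLIST, min_len: int = 8) -> list:
    """Revised-style policy: minimum length, screened against a commonly-used
    password list, rejected if it contains context words (e.g. the username or
    service name), and no composition rules. Returns failure reasons; an empty
    list means the password is acceptable."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw.lower() in blocklist:
        reasons.append("appears on the commonly-used/breached password list")
    for word in context:
        if word and word.lower() in pw.lower():
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


if __name__ == "__main__":
    for candidate in ("Password1", "correct horse battery staple", "qwerty"):
        print(candidate, "legacy:", meets_legacy_rules(candidate),
              "revised:", check_revised(candidate) or "ok")
```

Under the legacy rules the long pass phrase fails (no digit or capital) while ‘Password1’ passes; under the revised check the outcome is reversed.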
If a picture is worth a thousand words, and video is worth many multiples more, what value is an interactive experience that plants you firmly in the hot seat during a major security incident? Reading about cyberattacks or data breaches is useful, but it can’t replicate the visceral feeling of a table-top exercise. Variously called war-gaming scenarios or simulated attacks, they can be a valuable way of helping boards and senior managers understand the full implications of cyber threats. More importantly, they can shed light on gaps where the business can improve its incident response procedure.
These exercises are
designed to be immersive. They might start with a scenario like a board
meeting, or a company orientation day. All participants will get a role to play;
for the purpose of the session, they might be designated as a head of HR,
finance, legal, or IT. As the scenario starts to unfold, a message arrives. The
press has been enquiring about a major data breach or a ransomware attack on
Muscles tighten, a wave of
nausea passes over the stomach. The fight-or-flight instinct starts to take
hold. Your role might say manager, but you don’t feel like you’re in control.
What happens next?
That will depend on how much preparation your business has done for a possible cybersecurity threat. Some companies won’t have anything approaching a plan, so the reaction looks and feels like panic stations. At various points during this exercise, the facilitator might introduce new alerts or information for the group to react to. For example, that could be negative commentary on social media, or a fall in the company stock price.
The exercise should prompt
plenty of questions for the participants. What exactly is going on? How do we
find out what’s happened? How is this affecting operations? Who’s taking charge?
What do we tell staff, or the public, or the media?
A growing sense of helplessness can be a powerful spur to make rapid changes to the current cybersecurity incident response plan (assuming there is one).
Other organisations may
already have a series of steps for what to do in the event of an incident or
breach. In these cases, the table-top exercise is about testing the viability
of those plans. You can be prepared, but do the steps on paper work in
practice? Or as Mike Tyson memorably put it, “everybody has a plan until they
get punched in the mouth”.
The exercise can show the
value of having a playbook that documents all procedures to carry out: “if X
happens, then do Y”. This will also shed light on missing steps, such as
contact numbers for key company executives, an external security consultant,
regulators, law enforcement, or media.
Fail to prepare, prepare to fail
When it comes to
developing or refining an incident response plan, the devil is in the detail,
says David Prendergast, senior cybersecurity consultant at BH Consulting. Here
are some useful questions to ask:
- If your policy says: ‘contact the regulator’, ask which one(s)
- Who is the specific point of contact at the regulator’s office?
- organisation have the email address or phone numbers for that person?
- Who in your company or agency is authorised to talk to the regulator?
- are they likely to need to have that conversation?
- Do you have pre-prepared scripts or statements for when things might go wrong (for customers, stakeholders, staff, and media, including social media channels)?
It might also force the
company into making certain decisions about resources. Are there enough internal
staff to carry out an investigation? Is that the most appropriate use for those
employees, or is it better to focus their efforts on recovering IT systems?
That’s the value in
table-top exercises: they afford the time to practice when it’s calm and you
can absorb the lessons. There are plenty of examples of companies that handled
similar situations spectacularly badly in full public view. (We won’t name
names, but the list includes anyone who uttered the words “sophisticated attack”
before an investigation even started.)
By the (play)book
It’s more helpful to learn
from positive examples of companies that showed leadership in the face of a
serious incident. That can be as simple as a statement of business priorities
while an organisation copes with the fallout. In 2017, as Maersk reeled from a
ransomware infection, CEO Soren Skou gave frontline staff in 130 countries
clear instructions. As the Financial Times reported,
the message was unequivocal even as the company was forced into shutting down
IT systems. “Do what you think is right to serve the customer – don’t
wait for the HQ, we’ll accept the cost.”
Some larger companies will
run an exercise just for themselves, but others run joint
war-gaming scenarios with industry peers. Earlier this month, financial
institutions and trade associations from around Europe carried out a simulated
According to FinExtra, the scenario took the form of an on-site technical and hands-on-keyboard experience. There were 14 participants at CISO and CIO level, along with many more observers from other companies in the financial sector. The aim of the event was to encourage collaboration and information sharing with other teams and organisations to improve collective defences against cyber threats.
Whether it’s a war-gaming exercise or a table-top event, the goal is the same: to be ready for the worst ahead of time, and to know what steps are available to you when bad things happen for real.
2018 marks the 15th year of National Cyber Security Awareness Month (NCSAM). The Internet touches every aspect of our lives, and keeping it safe and secure is everyone’s responsibility. You can make a difference by remaining diligent and staying cyber aware. Be part of something big this month. Learn more, be aware, and get involved.
Connection is an official Champion of NCSAM. We’re dedicating the month of October to spreading the word about the importance of cyber security, and providing tools and resources to help you stay safe and secure online.
Each week during October highlights a different cyber security theme, addressing specific challenges and opportunities for change. Stay tuned for information about the top cyber security threats, careers in cyber security, and why it’s everyone’s job to ensure online safety. What are you doing to keep the Internet safer and more secure? Be sure to check back each week to stay informed, and get tips from our experts about how you can participate in keeping everyone safe online.