There is a lot to be said for the similarities between getting breach ready, and getting beach ready.
Both require careful planning and a relentless focus.
Both also ensure that you are not left with your arse hanging out.
Both require effort. Breach preparation requires a detailed understanding of the business, of business-critical applications and of the data they handle. You can’t protect things when you don’t know what they are, where they are, or which processes they impact.
But this is all stuff that you know already right?
You have done this kind of extensive inventory analysis for things like GDPR, right?
Or Business Continuity?
You would be surprised how many companies have simply looked at the tip of the iceberg, rather than attempting to understand their business.
Too difficult, too much effort, not enough resources, no appropriate or effective tools, the list of excuses is endless.
But as the hackers in the 2015 TalkTalk breach clearly showed, sometimes it is much easier to find this information out from the outside than to rely on the data that exists inside the company. In that particular breach, the attackers were able to expose data on servers that TalkTalk was no longer actively managing. Those servers had sat in a corner of the data centre for over three years, with no-one knowing what they did or why they were there. If you don’t have a current inventory, the attacker will build one for you, and theirs will be the only one that is accurate.
Understanding where your data is, and what your applications do with it, is fundamental to protecting the organisation in a breach situation.
Having a Plan
If you were managing a football team (soccer for our American colleagues), you would not send out eleven players without any of them knowing what positions they were going to be playing. That’s what you do in Primary School. You all chase after the ball like a swarm of bees. No formation, no tactics, no plan.
You have a plan when you play football. You play to your strengths and you try to expose your opponents’ weaknesses. So we can do it to win at sport. Why can’t we do it for cyber?
What is so difficult about sitting down and working out how to fix or mitigate your weaknesses, and play to your strengths?
We know what the other team is going to do.
- There is this huge guy playing centre-forward -> We need to stop the crosses coming in.
- They have some really fast guys on the wings -> We need to drop back and cover them 2 on 1.
- They have a genius in midfield who can play a pass with his eyes shut -> Man-mark him so he cannot get a touch of the ball.
Your website will be flooded with requests to stop it working properly: a denial-of-service attack.
What’s that you say? You host this website internally, through the same Internet connection that all of your other traffic uses. So if your website gets attacked, you will not be able to use any of your cloud services, your email, and so on, because the flood saturates the one link everything shares.
It’s not really sensible to have architected the demise of the entire organisation when the hacker only set out to attack a website. This is architectural self-harm.
Can we architect around this situation? Of course we can. Is it in the plan? (Incoherent mumblings……..)
If you are in the situation where:
- you do not fully understand your IT estate,
- which systems are required for key processes,
- and which systems rely on other systems,
then you will not be in a good place when ransomware encrypts all of it.
But you have everything backed up, right? Well, everything that you know about. Well, at least everything after 2015, when that new process came in. Possibly, but we have never tested a restore from any of it. But it’s OK, because Fred knows how it works. There is nothing written down, of course, because that would spoil the fun.
So now the entire company is dependent on Fred being available, and Fred simultaneously teaching 20 other people what to do, whilst fixing systems on his own as well.
Fred, do you know which order we should reinstate the servers in so that it all works properly? Yes. Can you write it down in a plan please? Or at least talk about it so someone else can write it down into a plan?
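The restore order Fred carries in his head is a dependency graph, and a dependency graph can be written down and checked by a machine. The script below is an added example, not code from the original post; it takes a constructed, purely illustrative inventory of systems and what each one depends on, and works out the order in which to bring them back. Systems in the same wave depend only on earlier waves, so a wave can be restored in parallel. It refuses to produce a plan if the inventory names a dependency that isn’t itself in the inventory, or if two systems depend on each other, both of which are exactly the things you want to discover on a quiet Tuesday rather than during the incident.

```python
from collections import defaultdict

# Constructed inventory for illustration only: each system maps to the
# systems it needs before it can be brought back. Not any real estate.
DEPENDENCIES = {
    "dns":          [],
    "ad":           ["dns"],
    "storage":      ["dns"],
    "database":     ["storage", "ad"],
    "app-server":   ["database", "ad"],
    "web-frontend": ["app-server"],
    "payroll":      ["database", "ad"],
}


def restore_waves(deps):
    """Return a list of waves. Every system in wave n depends only on
    systems in earlier waves, so each wave can be restored in parallel.
    Raises ValueError for unknown dependencies or circular ones."""
    # A dependency that is not itself in the inventory is exactly the
    # "server in the corner nobody knows about" problem. Refuse to plan.
    unknown = {d for ds in deps.values() for d in ds if d not in deps}
    if unknown:
        raise ValueError(f"dependencies not in the inventory: {sorted(unknown)}")

    # Kahn's algorithm: count unmet dependencies per system and track
    # who is waiting on whom.
    remaining = {s: len(set(ds)) for s, ds in deps.items()}
    dependents = defaultdict(list)
    for system, ds in deps.items():
        for d in set(ds):
            dependents[d].append(system)

    ready = sorted(s for s, n in remaining.items() if n == 0)
    waves = []
    while ready:
        waves.append(ready)
        next_ready = []
        for system in ready:
            for waiting in dependents[system]:
                remaining[waiting] -= 1
                if remaining[waiting] == 0:
                    next_ready.append(waiting)
        ready = sorted(next_ready)  # sorted so the plan is deterministic

    # Anything still waiting is caught in a cycle: A needs B needs A.
    stuck = sorted(s for s, n in remaining.items() if n > 0)
    if stuck:
        raise ValueError(f"circular dependency involving: {stuck}")
    return waves


def restore_order(deps):
    """Flatten the waves into a single ordered restore list."""
    return [s for wave in restore_waves(deps) for s in wave]


if __name__ == "__main__":
    for n, wave in enumerate(restore_waves(DEPENDENCIES), start=1):
        print(f"Wave {n}: {', '.join(wave)}")
```

The inventory dictionary is the plan; keep it in version control next to the runbook, and re-run the script whenever a system is added, because a new dependency that nobody recorded shows up as a ValueError rather than as a surprise at 3 a.m.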
Exactly how many Nigerian princes are there? Granted, some of the scams out there are getting more sophisticated, but we are still falling for some pretty lame ones.
How about we send out test phishing emails to everyone and keep a league table by department to see who is best? A bit of internal competition. Departmental pride. There is nothing like a bit of peer pressure to stimulate the right behaviours.
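If you are going to keep a league table, decide up front what counts as winning. Clicking the link is the obvious score, but the department that reports the email to security is the one actually helping you, so it deserves credit too. The snippet below is an added example, not code from the original post; it takes constructed, made-up results from a simulated campaign and ranks departments by click rate, lowest first, using report rate as the tiebreaker.

```python
from collections import defaultdict

# Constructed sample results, not real data.
# Each row: (department, clicked_link, reported_to_security)
RESULTS = [
    ("Finance", True,  False),
    ("Finance", False, True),
    ("Finance", False, False),
    ("Finance", True,  False),
    ("IT",      False, True),
    ("IT",      False, True),
    ("IT",      True,  True),
    ("Sales",   True,  False),
    ("Sales",   True,  False),
    ("Sales",   False, False),
    ("Sales",   False, True),
    ("Sales",   True,  False),
]


def league_table(results):
    """Rank departments by click rate (lowest is best); ties are broken by
    report rate (highest is best). Returns a list of
    (department, emails_sent, click_rate, report_rate)."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    reported = defaultdict(int)
    for dept, did_click, did_report in results:
        sent[dept] += 1
        clicked[dept] += int(did_click)
        reported[dept] += int(did_report)

    rows = [
        (dept, sent[dept], clicked[dept] / sent[dept], reported[dept] / sent[dept])
        for dept in sent
    ]
    # Lowest click rate first, then highest report rate, then name.
    rows.sort(key=lambda r: (r[2], -r[3], r[0]))
    return rows


if __name__ == "__main__":
    for position, (dept, n, click, report) in enumerate(league_table(RESULTS), start=1):
        print(f"{position}. {dept:8} sent={n:2} clicked={click:.0%} reported={report:.0%}")
```

Run it after every campaign and publish the table; the reporting column is the one to praise, because a department that clicks but also reports has still given you an early warning.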
The main ways we get attacked, and the responses that mitigate those attacks, are well known and straightforward to analyse.
It does not take a genius to work out a plan. It also doesn’t take a genius to work out that
A Plan that has never been tested is not a Plan, it is just a set of assumptions.