Cyber Security Log

By lara, 19 April 2020

It is Sunday morning and after attending MBA classes at Nyenrode University, reading several cyber-security-related books and articles, and trying to expose myself at work to the security side of things…I am here trying to figure out why it took me years to grasp how critical cybersecurity is within the Telecom business and any IT Digital domains.

The topic is massive…there are so many facets…so for this exercise I will try to focus the narrative on a simulated cyber-attack on Liberty Global.

What to do before, during and after an attack?

I will try to look at and analyse the human aspect of it rather than the technical one (i.e. we have multi-layered firewalls set up, yet someone left something misconfigured…and hackers got in, or cyber criminals simply took advantage of it!…)

Researching several incidents that affected Liberty in the past few years, I found this article in Multichannel Magazine, October 17, 2016, describing a 2015 hack that took down Liberty Global’s Ziggo Internet service in the Netherlands.

What happened then offers important cybersecurity lessons for cable operators worldwide, and not only for them.

Companies will be victimized by a hacker or attacker determined to steal data, demand money (ransomware) or bring the system down (DDoS).


Before an attack:

Actually, a lot comes to mind, almost like preparing a shopping list for the next few weeks…among the various items:

  • We cannot avoid a cyber-attack but we can become resilient during an attack. It is NOT a question of IF we will get attacked, it is just a matter of WHEN it will happen…
  • Prepare, prepare, prepare…
  • Training and workshops for the entire workforce
  • Scenario thinking and scenario planning
  • Prepare stakeholders maps
  • Prepare a crisis response plan and team
  • Prepare and update relevant communication templates
  • Attack simulation, cat and mouse game, penetration testing, on-going vulnerability scans…

So looking at the above items, preparation is the key: people need to be aware of the potential danger and be prepared rather than oblivious. In a big corporation like Liberty, it is easy to slip into the “sloppy shoulder” mode, i.e. it is not my job to address security-related questions and matters…we have a full multifaceted CISO, GSEB, GSOC, etc…etc.. group. Should it not be their job to safeguard the most critical assets of the company? NO: SECURITY IS EVERYONE’S CONCERN!!!

We cannot bury our heads in the sand and assume that, because we pay a department to set up policies and technologies…and to train us…it is all their responsibility.

So where is the human behaviour here? I can speak for myself: several times during my day-to-day job as an Infrastructure Specialist, I have discovered vulnerabilities…

Weak passwords; systems and web portals unsecured and open to the Internet; access to applications that should never have been granted in the first place, or that should no longer exist…

So what did I do? I tried to address the issues; I mentioned and reported them to the right group…

Did anything happen? Not always…and again a bit of the "sloppy shoulder" approach, combined with a very dynamic and fluid reality: people leave the company, move departments, change responsibilities…and ultimately companies end up with infrastructure, systems and applications living out there that, in some cases, no-one seems to take responsibility for. I could go on for a while, thinking about the legacy systems floating around. But this article is about what we are currently doing to prevent and mitigate a cyber-attack, and especially what we should do better and differently.

It always feels like running after the facts, as even a simple task like maintaining a stakeholder map, a point-of-contact matrix of who to contact in case of a real or potential cyber-attack, can be daunting when people are leaving and joining the company on a monthly basis…
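The two problems just described, accounts and systems left behind by leavers and a stakeholder map whose contacts have moved on, can be caught by a routine joiner/mover/leaver reconciliation. The script below is an added example, not code from the original post or from Liberty Global: it compares a (constructed, hypothetical) HR roster against a system inventory and a playbook contact list, and flags access held by people who have left or who have no HR record, systems whose owner is gone, and playbook roles pointing at departed contacts. All names, systems and dates are invented sample data.

```python
"""Joiner/mover/leaver reconciliation: an added example, not code from the
original post or from Liberty Global. All names, systems and dates below
are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    kind: str                  # ORPHANED_SYSTEM, LEAVER_ACCESS or STALE_CONTACT
    subject: str               # system name or playbook role
    person: str                # account, owner or contact that triggered it
    exposure: str              # "internet", "internal" or "n/a"
    days_stale: Optional[int]  # days since the person left, if HR knows


# Constructed HR roster (hypothetical people).
ROSTER = {
    "alice": {"active": True, "left": None},
    "bob": {"active": False, "left": date(2020, 1, 31)},
    "carol": {"active": True, "left": None},
}

# Constructed system inventory: owner, accounts with access, network exposure.
SYSTEMS = [
    {"name": "billing-portal", "owner": "alice", "exposure": "internet",
     "accounts": ["alice", "bob"]},
    {"name": "legacy-cmdb", "owner": "bob", "exposure": "internal",
     "accounts": ["bob", "carol", "dave"]},   # "dave" has no HR record at all
    {"name": "support-wiki", "owner": "carol", "exposure": "internet",
     "accounts": ["carol"]},
]

# Constructed stakeholder map: playbook role -> named contact.
CONTACTS = {
    "incident commander": "alice",
    "network escalation": "bob",
}

# Date of the review (the date of this post), used to age the findings.
REVIEW_DATE = date(2020, 4, 19)


def _inactive(roster, person, today):
    """Return (is_inactive, days_since_left). Unknown people count as inactive."""
    record = roster.get(person)
    if record is None:
        return True, None
    if record["active"]:
        return False, None
    return True, (today - record["left"]).days


def review(roster, systems, contacts, today):
    """Reconcile inventory and contact list against the roster."""
    findings = []
    for system in systems:
        gone, days = _inactive(roster, system["owner"], today)
        if gone:
            findings.append(Finding("ORPHANED_SYSTEM", system["name"],
                                    system["owner"], system["exposure"], days))
        for account in system["accounts"]:
            gone, days = _inactive(roster, account, today)
            if gone:
                findings.append(Finding("LEAVER_ACCESS", system["name"],
                                        account, system["exposure"], days))
    for role, person in contacts.items():
        gone, days = _inactive(roster, person, today)
        if gone:
            findings.append(Finding("STALE_CONTACT", role, person, "n/a", days))
    return findings


def prioritise(findings):
    """Internet-facing items first, then the oldest departures first."""
    order = {"internet": 0, "internal": 1, "n/a": 2}
    return sorted(findings, key=lambda f: (order[f.exposure], -(f.days_stale or 0)))


if __name__ == "__main__":
    for f in prioritise(review(ROSTER, SYSTEMS, CONTACTS, REVIEW_DATE)):
        print(f"{f.kind:16} {f.subject:20} {f.person:8} {f.exposure:8} {f.days_stale}")
```

Run on the sample data it reports five findings: the leaver's account on the Internet-facing billing portal comes first, the orphaned legacy system and its stale accounts next, and the playbook role still pointing at a departed contact last. The point is the cadence, not the code: the same check run monthly against the real HR feed is what keeps the stakeholder map and the access lists from quietly rotting as people leave.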

So how can we instill awareness?

…and have what Allison Cerra calls good "Security Hygiene".

Even going back to basics, how can we build a picture showing the main threats, and obviously have the relevant counter-measures in place? I would like to conclude this section with two bullet points:

  1. Have a culture of openness, honesty and responsibility: if in doubt, report it and make sure there is a follow-up.
  2. Have a playbook on your desk, desktop and phone. It does not have to be hundreds of pages: a couple of pages, updated regularly by GSOC, so that in case disaster strikes we all know what to do next…


During the attack:

If we re-read the article I mentioned above: in just hours, hundreds of thousands of customers were without broadband services, inundating company call centers asking for help…

So at this point there is an attack going on, we are in crisis mode and we need to act fast to resolve the issue, or at least minimize the damage.

Time is now the currency!!! What comes to mind here is the following mantra:

Communicate, communicate, communicate, and be open and honest! Crisis management, and more specifically crisis communication, plays the main role.

But wait a minute: communicate with whom, when, how? Again, a shopping list:

  • Customers
  • SOC Team/s
  • Employees
  • External parties, third-party vendors
  • Press
  • Government and relevant authorities

On the crisis communication subject, I have really enjoyed the book Crisis Communications: The Definitive Guide to Managing the Message by Steven Fink. I love this book because it highlights that a crisis can be bad, but bad communication, or no communication at all, can make the crisis a lot worse…and even kill the business!!! So what happened at Liberty in 2015 was bad, but a more recent incident, involving a marketing database with almost 1 million customers’ data left in the open, made me think about company-customer relationships.

The breach I am referring to was caused by an incorrectly configured database and exposed sensitive customer information such as full names, email addresses, dates of birth and contact numbers since at least April 19 2019. Additionally, some customers had details of their contract exposed, including requests to block or unblock pornographic or explicit websites, potentially creating blackmail and extortion opportunities for fraudsters.

Using the same approach as in the previous section, I would like to elaborate on two bullet points:

  1. Being open and honest will always pay off
  2. Being timely is a MUST: keep everyone updated on what is happening and what is being done to resolve or mitigate the crisis.

There is no point in hiding the facts and keeping customers, employees, the press etc…in the dark, as sooner or later the story will unfold, and if it is told by others it might damage the reputation of the CEO, the executive team and the enterprise to a point where things become irreversible…

Obviously the wording will have to differ according to the audience, with assurance provided to customers that the company is on top of the matter, that teams are working around the clock to solve the crisis, and that compensation for loss or damage will be assessed and provided. And that is from the company’s perspective, before being sued, going to trial, having to pay a fine to the relevant authorities, etc…

A company that cares and sees an attack as an opportunity to improve services and strengthen relationships with customers will always win over companies trying to hide the facts or shift the blame elsewhere…Now I am thinking about the Chinese word "Weiji".


After the attack:

So what happened after that major attack at the end of 2015?

As Liberty stated in its annual report, “the overload impacted 2.2 million customers, yet within 24 hours, our teams were moving 130,000 customers per hour to more resilient infrastructure. Two days later, full service was restored.” 

So…finally the panic is over!!! Can we then relax? The problem was fixed in "a timely manner", some explanations were provided to customers via the support web site…everyone is back in business and life carries on!

Nothing could be more wrong!

If we park the legal, financial and potential loss-of-image-related items, there is one aspect we need to focus on as a company:

  • An internal post-mortem exercise and/or forensic analysis, and once that is complete, share the details…

In the case of the 2015 hack, a full criminal investigation was performed and, in addition to the police, Liberty called in digital detectives from the National Cyber Security Centre, which collects data and advises organizations on security, and a rapid response team from Deloitte, which focused more on forensics.

So what about the after-the-attack exercise? Can we get a clear root cause analysis? I.e. what led to the incident happening in the first place? How did we react? What did we do to resolve it? Were we ready with a playbook and counter-attack protocol? How long did it take to resolve it? Were mistakes made then? Could we have done things differently? How can we prepare better…

So again my two bullet points:

  1. It did happen to us, and because it happened, it means it can happen again, and we will not get an alarm bell telling us when it will ring…by then it will be too late and we will have to deal with the attack.
  2. What can we do differently? As we dive into the realm of Artificial Intelligence, one aspect that can be leveraged on top of human behaviour is definitely the tools and technology part…it is clear to me that even if we implement the most sophisticated tools to monitor infrastructure, systems and applications…we still need a vision of how we want to play this game. Our CFO might understand how important it is to invest in cybersecurity, but ultimately our enemies are getting smarter and stronger too!

So, after highlighting the facts and several ingredients in the mix…what is the secret sauce, the magic ingredient that will make cyber-security counter-attacks a successful recipe for all the people involved with the company and the business?

My conclusion: a bit of everything, as we are dealing with a complex puzzle and each of us has a partial view; but if we all collaborate and institute a board across teams, departments, etc…we will have a better chance of putting all the pieces together, framing the puzzle and hanging it on our walls. Until the next puzzle needs to be solved…
