[BreachExchange] When the cyber attack comes, will you be prepared?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 6 19:13:55 EST 2018


You need a HOT group to manage a cyber-security breach. That doesn’t mean
they need to be dressed well or good-looking. HOT stands for hour one team.

Work in this area began long before widespread fears of cyber attacks. It
began in the resource sector, where an incident might be in the Arctic,
kilometres underground in a mine or in the middle of nowhere.

Events in unpredictable locations had unpredictable outcomes. First
responders have told stories of police officers roughing up journalists
trying to cover a petrochemical spill and other officers saying an event
was just a drill when it was a real emergency. The cops were well-meaning,
but the company had to clean up both the petrochemicals and the bad
relations with stakeholders.

The remedy was to train first responders as rudimentary spokespeople,
because that would be the reality. The truck driver, the responder with
absorbent material, the firefighter and others were first on the scene, and
they would be asked about what was going on. They couldn’t look or act
guilty, or pretend they didn’t hear the simple question. They couldn’t be
overall spokespeople for the company but also couldn’t pretend what they
were doing was a secret.

Training and messaging involved sticking to their technical knitting – how
to deploy floating fences (booms) to contain oil, what skimmers that pick
up oil are, the physical properties of oil and chemicals, response gear and
so on. These rudimentary spokespeople were trained not to talk about the
price of gas, executives’ salaries or anything else they had no business
speaking about.

The workers’ simple explanations filled the first few newscasts with facts
to make the critical content shorter and more factual. They could also
satisfy politicians, regulators, neighbours and other stakeholders for a
short period. Then out came the public relations people and senior
executives with more detailed messages and more content.

To bring this method up to date, a cyber incident can happen anywhere in
your system. It can happen within a supplier’s system or anywhere in the
supply chain. The attack can manifest itself instantly or lie dormant for a
few years, then the payload can deliver damage, shut down your system,
spread rumours, or do anything else a hacker, terrorist, enemy or deranged
person can think up. The attack can originate anywhere in the world.

Spokespeople will be cashiers, whoever answers the phone, the guard at the
gate, any one of your employees on social media, or just about anyone who
will speak or can be reached. Third-party commentators will include
competitors, those in your supply chain and politicians out to solve the
problem in favour of customers.

What a mess.

Your response team won’t have an hour. It will have minutes. In fact, it
should really have a time machine to start a few years ago in order to
catch up. More realistically, now is the time to inform frontline workers
on what to say in an event. They are the rudimentary spokespeople. Now is
the time to codify messages for spokespeople and get an understanding of
the characteristics of your system and supply chain. Now is the time to
work with stakeholders and generate third-party advocacy in times of crisis.

Now is the time for a lot of things – legal advice, insurance and a due
diligence defence. Due diligence means doing all that the reasonable person
would do to prepare and reduce damage. This means thinking now about how
much technical information to release when the time comes. Nobody will need
to know how to build a cyber-security system in the early hours of your
crisis, but they will need to know that you know or your suppliers know.
They will also need to know such things as whether the breach has been
contained, how many users may have been impacted and what else is to follow.

Any crisis can disable your office. A cyber event certainly can –
especially when a portion of an organization’s workforce does the bulk of
its work using remote access or telepresence. So now is the time to decide
where you’re going to go to set up computers, phones and other gear to
manage the event. You’ll also want to be prepared to do all of this from a
secondary location, in the event that the cyber attack is followed by a
physical threat.

And don’t count on your existing methods of communication to work when you
need them. Crises are known to cause a surge in network traffic. If the
network is compromised, good luck calling someone using your
Internet-connected (VoIP) phone, let alone sending an email or instant
message. Go old school. Paper, pens, dry-erase boards, typewriters and
sticky notes will prove invaluable assets – perhaps even more than their
technological counterparts.

Crimes feature crime scenes containing evidence. It’s important that in
everybody’s zeal to get back to normal, they don’t ignore preserving
evidence that can lead to an arrest or conviction. It’s great to get back
to normal but what if it were an inside job, only to be repeated next week?
You may have a legal obligation to notify affected parties and in certain
ways, and now is the time to find out.

The evidence you will need can come from reviewing hours of video
surveillance, or paging through visitor access logs or server logs. It
could even include reconciling active and inactive users listed in your
system’s directory. An employee on vacation could very well be the culprit
– or even a planned decoy. Now is the time to check.
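As an added example (not code from the original post), here is a small Python reconciliation of a directory export against authentication log lines for the incident window: it flags logins by accounts the directory lists as inactive or on leave, and logins by accounts the directory does not know at all. The directory fields, the log format and every sample value are constructed assumptions, not any real product's schema.

```python
# Reconcile who the directory says should be active against who actually
# logged in during the incident window. All data below is constructed.
from datetime import datetime, timedelta

# Constructed directory export: account -> status as recorded by HR/IT.
DIRECTORY = {
    "alice": "active",
    "bob": "inactive",    # left the company; account should be disabled
    "carol": "on_leave",  # on vacation for the whole window
    "dave": "active",
}

# Constructed accepted-login lines in an assumed syslog-like format.
AUTH_LOG = """\
2018-02-05T22:14:03Z sshd accepted user=alice src=10.0.4.17
2018-02-05T23:40:11Z sshd accepted user=bob src=203.0.113.9
2018-02-06T01:02:45Z vpn accepted user=carol src=198.51.100.22
2018-02-06T08:30:00Z sshd accepted user=dave src=10.0.4.18
2018-02-06T09:15:12Z sshd accepted user=mallory src=203.0.113.77
"""

def parse_auth_log(text):
    """Yield (timestamp, user, source) for each accepted login line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "accepted":
            continue  # ignore malformed or non-login lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[3:])
        yield ts, fields["user"], fields["src"]

def reconcile(directory, log_text, window_start, window_end):
    """Return (user, reason, src) for logins inside the window by accounts
    that are not marked active, or that the directory does not list."""
    findings = []
    for ts, user, src in parse_auth_log(log_text):
        if not (window_start <= ts <= window_end):
            continue
        status = directory.get(user)
        if status is None:
            findings.append((user, "unknown_account", src))
        elif status != "active":
            findings.append((user, status, src))
    return findings

def incident_findings():
    """Run the reconciliation over the constructed data for 5-6 Feb 2018."""
    start = datetime(2018, 2, 5)
    return reconcile(DIRECTORY, AUTH_LOG, start, start + timedelta(days=2))
```

Each finding is a lead for the evidence review, not a conclusion: the on-leave login and the unknown account both need to be checked against the visitor logs and video the paragraph mentions.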

All crises can feature a hit to reputation. Now is the time to enhance that
asset and determine ways to preserve it during a crisis. Now is also the
time to consider the help you may have to give to those whose data you made
public. In some jurisdictions, fines are up to $100,000. Damage can include
bodily harm, humiliation, damage to reputations and a range of other harm.

After forming your HOT team, give them a fighting chance to succeed. As in
the military, use war games, simulations, training and drills – and
stockpile the ammunition you’ll need.