[BreachExchange] Disinformation and the CISO

Wed Oct 28 10:42:35 EDT 2020

https://www.infosecurity-magazine.com/blogs/disinformation-ciso/

Whenever we hear about disinformation or fake news, most of us will
either imagine elections, the undermining of democracy, or big
faceless social media corporations doing anything to make some money.

So, the question is, while disinformation may play a role in
influencing individuals, does a CISO have to worry about
disinformation at the organizational level? With all the other plates
a CISO must keep spinning, is disinformation really another thing they
want to add to their list of responsibilities? Unfortunately, it
appears that there is little choice in the matter.

Otavio Freire, CTO at Safeguard Cyber says: “Disinformation is a
cybersecurity issue. It has already been used as a means for brand
value destruction to create divisiveness and conflict within a
company's employees, used as a social engineering lure, and as a form
of ransomware; where if you want the disinfo to stop, you need to pay.

“It is deployed against the company by hacker groups, criminals, and
even nation-states. Security organizations are best equipped to build
the right tools to fight disinformation since they have experience in
defending the company against attacks at scale.”

Quentyn Taylor, director of information security at Canon Europe added
to this, “If we as an infosec community believe that disinformation
isn’t a thing, then we are deluding ourselves as we ultimately guide
and set policy for organizations.”

It’s hard to disagree with Otavio and Quentyn, as all the evidence
points towards disinformation becoming a standard tool of nation-state
actors, cyber-criminals, activists, and all manner of competitors.

Distributed Denial of Service (DDoS) attacks have been a common tactic
by criminals for many years. But as Wayfair discovered, all it took
for one conspiracy theory to take hold, and the organization suddenly
found itself having to fight for its reputation and try to ascertain
which requests hitting their website were legitimate requests versus
those looking to see if there was indeed any truth to the rumours.

Even on a small scale, disinformation can be annoying according to
Shan Lee, CISO at Transferwise, “The type of disinformation that
annoys/worries me is poor security advice, to staff (if it gets past
my team) and in particular to customers. Especially stupid advice
around how to create/remember passwords instead of just using a
password manager.”

Shan touches on an important issue. Although this kind of
disinformation may not be entirely malicious, and it may seem trivial,
the knock on effect of such can be far reaching. A CISO is not just
responsible for securing technology, but also processes and people.
Disinformation over a long period of time can result in a death by a
thousand cuts.

A common tactic of criminals peddling ransomware is to steal data
before encrypting it. Recently, a private psychotherapy clinic in
Finland was hacked, and the therapist notes of potentially 40,000
patients were stolen. The attacker then proceeded to email the
victims, asking each for €200 ransom in Bitcoin.

This on its own is a terrifying prospect for organizations and their
customers, and while in this case it may be true, it’s not too
difficult to imagine a scenario where attackers can claim to have
breached an organization and try to extort money from the
organization, its partners, and customers.

This becomes quite the challenge for a CISO. In such circumstances,
they are immediately put on the back foot. They have to validate
whether a breach has actually occurred or not, and if so, what data
was stolen. Notify regulators, inform customers, agree what the best
course of action is with stakeholders, brief PR agencies, and discuss
it with the legal council. It becomes a wide-scale issue involving
many different disciplines of which the technical side forms but a
small component.

Fighting disinformation may be one of the biggest challenges that
CISOs will face in the coming months and years. We spent much of the
last decade seeing talks about how CISOs should talk to the board, but
in the coming times, we’ll likely see the communication requirements
expand and discuss how the CISO should communicate with everybody, not
just the board. This includes employees, partners, stakeholders, the
press, and the public at large.

In terms of defenses, radical transparency would appear to be the
order of the day. If there’s a breach, or an incident, CISOs should
not let bad guys or circumstances dictate the story. They need to get
ahead of the game and lay out the narrative.

Quentyn added that we should take the advice we give to users around
phishing, and apply it to a wider context. “Be aware of the source, be
aware that people lie, ask yourself is this too good to be true?”