COVID-19 Will Change Forever How We Look at Business Continuity / Crisis Management

The effects of COVID-19 on businesses are already unprecedented. It’s also going to get worse before it gets better, and I don’t just mean the ridiculous demand for toilet roll. While I am not very good at thinking in ‘futuristic’ terms, even I already know that the businesses that manage to survive will have no choice but to fundamentally change how they do what they do.

Permanently.

Well, those for whom data and electronic communications are the primary keys to their business model that is. Face-to-face stuff (e.g. brick-and-mortar retail) is a whole other ball game and way beyond my ken.

From tele-working, to business travel / commuting, to the communication / collaboration technologies in use, the impact of this global phenomenon will be dissected and analysed for decades. The ‘old ways’ of working (9-5, bum-on-seat, Mon-Fri) could [and I think should] largely disappear if, and ONLY if, the lessons learned are taken on board. Every business is a series of functions, and it should not be of primary importance where the person who performs those functions is, or even who that person is.

This is the mistake most organisations make, and while the impact of something like COVID-19 has never been part of any BCP I’ve ever seen, we could certainly have extrapolated and prepared for events like it. Here in London, for example, if TFL goes on strike there is an enormous impact on the daily commute; people take 3 to 4 weeks off in a row on annual leave; there are long term power outages at critical locations; and so on. All of these things, and many more like them, point to what is now required but almost universally absent.

But while there are literally hundreds of articles on how to DO business continuity in the face of COVID-19, they are ALL too little, too late. It’s not the security industry’s fault however; it’s the fault of every senior leadership team who saw the aspects of security from incident response onwards as nothing more than a paperwork exercise. Or worse, chose to remain ignorant of the right way forward.

Ignorance is a choice.

All that said, this blog is not actually about business continuity planning per se (that’s not really my forte); this is more about ‘crisis management’, and how the LACK of it has made the COVID-19 pandemic worse for everyone. Especially those in the medical professions.

At its heart, crisis management (and by extension, business continuity planning) is about four things:

  1. An understanding of the business’s individual functions;
  2. An understanding of how those functions are performed;
  3. An understanding of who performs those functions; and
  4. Appropriate communication

In other words, if what you do:

  1. and how you do it is known and documented; AND
  2. is assigned to the appropriate and accountable resources.

…then all you have to worry about is the ongoing communication. Yes, the implementation of appropriate technology(ies) is relevant, but that should really be a one-off exercise plus ongoing maintenance.

Clearly this is not happening as a matter of course. Very few organisations have been adequately proactive in communicating to their employees what COVID-19 is, what its impact could be, and what to do about it. Almost everything that has happened to date has been reactive, ad hoc, and ineffective.

You think maybe this is a little unfair? That it’s not the employer’s responsibility to keep their workforce both informed and safe in the face of a pandemic? Tell me, who is better placed to do that? The Government? The newspapers? Your doctor?

It is my contention, and the real point of this blog [finally], that it’s the employers who should take the lead in these situations, because even Governments don’t have the level of influence over people that employers do. Of course everyone should follow what the Government and reputable experts say in these scenarios (CDC for example), but it’s the employers who have the most effective access to, and authority over, the lion’s share of the population.

They also have the best chance, by far, of heading off the rampant ignorance that leads to wearing a plastic bag over your head and other irretrievably stupid things that are still going on!

Not convinced? Think about it for a second. In the UK [for example] there are ~66 million people, ~half of whom are gainfully employed by ~2 million employers. If you exclude the public sector and the self-employed, you’re left with ~1 million employers with multiple employees.

I have long maintained that our employers have taken over the role of the communities of old (albeit very poorly):

  • Your and your family’s very livelihood (read Maslow’s Hierarchy of Needs) is largely dependent on them. Even your sense of identity;
  • You spend more than a third of your working life either at work or getting to and from it;
  • A huge chunk of your interpersonal interactions are a result of your place of work (I married an ex-colleague for example (much to her regret)).

Virtually everyone has a laptop/desktop, mobile phone, or both. And whether they are work-supplied or personally-owned makes no difference: your employer has direct and personalised access to you. They also have the ‘power’ to MAKE you listen/read/respond and ACT in accordance with their mandates.

Now imagine if your employer implemented [or had access to] a service that provided not only the most up to date information from all of the reputable and relevant resources, but detailed instructions on what each employee should be doing at any given time? Would these millions of people who are now armed against ignorance not significantly ‘flatten the curve’? Imagine almost one HALF of the population influencing and protecting the other half, even if it’s only against themselves.

Bottom line: I believe organisations not only have a responsibility to keep their employees both informed and safe, they should be held accountable for it (up to and including regulation). It is, after all, in everyone’s best interests, including the employers themselves. It just makes sense even if you’re mercenary enough to only see this from a financial perspective.

Eventually I’ll write up more specifics on how every organisation can put something like this in place, but now is not the time. All I ask is that you pay particular attention to how YOU are managing to perform your duties while stuck at home, because if you can’t do it the next time you’ll have failed yourself and your employer equally.

Everyone, please stay safe, informed, and help out where you can, even if it’s by staying in the house.

[If you liked this article, please share! Want more like it, subscribe!]

The Rise of the Breach Response Specialist

It was not that long ago that the most senior security incumbent at the time of a data breach was not only fired ignominiously, but torn to shreds by his/her ‘peers’ as being anything from unqualified, to incompetent, to grossly negligent.

They became nothing short of pariahs.

The vestiges of this ridiculous practice are still rife (take BA for example), but things are changing, and we all have a Recital to thank for it:


OWASP Top 10 2017: Logging & Monitoring Makes the Hall of Shame

Fact #1: There is no effective incident response without logging and monitoring;

Fact #2: There is no effective disaster recovery without incident response; and

Fact #3: There is no effective business continuity without disaster recovery.

Therefore logging and monitoring should be a fundamental aspect of every security program, regardless of organisation size. So why is it performed so universally poorly? Don’t organisations want to stay in business?!
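The three ‘facts’ above are easiest to see with logs in hand. The following is an added example (not code from the original post): a minimal detection run over constructed sshd-style log lines from several hosts forwarded to one collector. It aggregates failed logins per source IP across all hosts, which is exactly what a single host cannot do on its own; the hostnames, IP addresses and timestamps are made up for the example.

```python
"""Minimal centralised-logging check: parse auth log lines and raise an alert when
one source IP fails to log in more than N times inside a sliding time window.
The sample lines, hosts and IPs below are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: sshd-style lines from three hosts forwarded to one collector.
SAMPLE_LOG = """\
2017-11-20T09:00:01 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
2017-11-20T09:00:03 web01 sshd[2202]: Failed password for root from 198.51.100.23 port 51236 ssh2
2017-11-20T09:00:04 db01 sshd[881]: Accepted publickey for deploy from 203.0.113.9 port 40011 ssh2
2017-11-20T09:00:06 web01 sshd[2203]: Failed password for root from 198.51.100.23 port 51240 ssh2
2017-11-20T09:00:07 web02 sshd[1710]: Failed password for root from 198.51.100.23 port 51241 ssh2
2017-11-20T09:00:09 web02 sshd[1711]: Failed password for invalid user test from 198.51.100.23 port 51244 ssh2
2017-11-20T09:15:00 web01 sshd[2290]: Failed password for root from 203.0.113.77 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Return the fields we care about, or None for lines the regex does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["failed"] = ev["result"].startswith("Failed")
    return ev


def detect_bruteforce(log_text, threshold=5, window_seconds=60, per_host=False):
    """Return a list of (key, count, hosts) alerts.

    With per_host=False failures are aggregated per source IP across every host,
    which is the point of centralising logs. With per_host=True each host is
    judged on its own, as it would be without a central collector.
    """
    windows = defaultdict(deque)  # key -> recent (timestamp, host) failures
    alerted = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev["failed"]:
            continue
        key = (ev["src"], ev["host"]) if per_host else ev["src"]
        q = windows[key]
        q.append((ev["ts"], ev["host"]))
        # drop failures that have fallen outside the sliding window
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted[key] = (len(q), sorted({h for _, h in q}))
    return [(key, n, hosts) for key, (n, hosts) in alerted.items()]


if __name__ == "__main__":
    for key, n, hosts in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT: {n} failed logins from {key} within 60s across {hosts}")
    print("per-host view:", detect_bruteforce(SAMPLE_LOG, per_host=True))
```

Run as written, the centralised view raises one alert for 198.51.100.23 (five failures in eight seconds spread over web01 and web02), while the per-host view at the same threshold raises nothing, because no single host saw more than three. That gap is the ‘no effective incident response without logging and monitoring’ point in miniature.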

It’s not like EVERY STANDARD ON THE PLANET has it as a prerequisite! Well, except for these obscure ones:

  • ISO 27001 – A.12.4 Logging and monitoring
  • COBIT – F.10 Monitoring and Alert Services for Security-related Events
  • NIST – Anomalies and Events (DE.AE)
  • PCI DSS – Requirement 10: Track and monitor all access to network resources and cardholder data
  • …and so on

So you can imagine my surprise and delight when OWASP – more commonly known for coding vulnerabilities – singled this out as one of their Top 10 for 2017. Yes, it barely snuck in at number 10, but there it is, finally in the light of day.

Unfortunately, OWASP isn’t exactly up there with the NISTs of the world, so the importance of this is probably lost on most. I mean, the DSS uses [loosely] the OWASP Top 10 as one of its “industry accepted best practice” providers, which is actually why a lot of people have even heard of OWASP in the first place.

So now what? What difference is this going to make?

Well, very little probably; if you don’t understand by now just how important centralised logging and monitoring is, you probably never will. If you’re in a position where this makes a difference (you’re in technology or cybersecurity) then the only time your organisation will care is when your business suffers a loss. Then I’m sure you’ll start to care as you’re updating your CV/resume.

Honestly, I really don’t know where I’m going with this blog. It was either write about this or the bloody GDPR again. But it’s really the privacy regulations that are beginning to drive things like this forward. Record keeping, data breach notifications, accountability and so on all have an enormous impact on how we will be running our businesses, and logging is intrinsic to them all.

In my consulting practice I very rarely use the word ‘recommend’, and I try never to mention the names of security control vendors except as examples. So while the due diligence is yours in terms of finding the right logging solution for your organisation’s needs, I HIGHLY recommend that you start looking.

I’m sure there are some out there, but I’ve yet to see one argument for not performing logging and monitoring, and I’m willing to bet there are no valid ones. The problem, like most things in security these days, is that the name is just not sexy enough. Perhaps if we wrap it in a brand new acronym like ‘Episode Reply & Adversity Restoration (ERAR)’, as I did in Froud on Fraud’s Top 10 Cybersecurity Technologies to Implement in 2017, it would get more attention?

Whatever it takes…



WPA2 / KRACK, and the Coming Storm of Marketing BS!

This is going to be my shortest blog ever, because basically it’s just a warning: IGNORE THE MARKETING BULLSHIT AND THE DOOMSDAY JOURNALISTS!

Every time there is an outbreak of malware, or a new vulnerability exposed, or a protocol deprecated, the marketing departments of every security vendor go into overdrive. Their only goal: to make more money. Not to help, not to provide sound advice so that people don’t make bad decisions based on FUD, and not even because they know what the Hell they’re talking about.

Just money.

And the newspapers do what they do best; create panic with little to no understanding of the subject.

Yes, WPA2 has likely been broken, but because of the integrity of the researcher who discovered it we won’t have any information about it until later today. Which means we currently have no idea of the impact.

Apparently this is the guy you need to be watching: http://www.mathyvanhoef.com/

So here is what I would be doing right now if I were you:

  1. Determine what the impact would be on your organisation if WPA2 were truly broken;
  2. Update EVERY relevant device, as by now most of the bigger manufacturers should have a patch or a workaround;
  3. Tell your entire employee base NOT to panic, but they too should update their home computers (anti-malware etc.), mobile devices and home routers;
  4. Update your incident response plan to cover any issues.

The one thing you should NOT do is be part of the problem! Don’t spread rumours, spread fact, and be part of the SOLUTION! Share this blog if you want, or at least articles like it.

The security industry is rapidly becoming a bunch of used car salesmen, let’s each do our part to get THIS one right.


Been Breached? The Worst is Yet to Come, Unless…

The information security sector is rife with negativity and pronouncements of doomsday, and while this title is no better, this blog is not meant to scare, but to provide an alternative view of the worst case scenario: a data breach and the resulting forensics investigation. The fact remains that if your data is online, and someone has the necessary skill-set and wants it badly enough, they are going to get it. So the sooner you prepare yourself for the inevitable, the better you will be able to prevent a security event from becoming a business-crippling disaster.

By the time you make your environment as hack-proof as humanly possible, the chances are you have spent far more money than the data you’re trying to protect was worth, which in security equates to career suicide. Instead, you are supposed to base your security posture on the only thing that matters, a business need, then maintain your security program with an on-going cycle of test > fix > test again.

Unfortunately what happens in the event of a breach is that you are told what was broken and how to fix it from a technical perspective. This is analogous to putting a plaster / band-aid on a gaping wound. You’re not actually fixing anything. A forensics investigation, instead of being seen as the perfect opportunity to re-examine the underlying security program, is seen as an embarrassment to be swept under the carpet as soon as possible. Sadly, valuable lessons are lost, and the organisation in question remains clearly in the sights of the attackers.

For example, let’s say a breach was caused by an un-patched server. The first thing you do is fix the server and get it back online, but all you have done is fix the symptom, not the underlying cause:

  1. How did you not KNOW your system was vulnerable? – Do you not have vulnerability scanning and penetration testing as an intrinsic part of a vulnerability management program?
  2. How did you not know your system wasn’t patched? – Is patch management and on-going review of the external threat landscape not also part of your vulnerability management program?
  3. Did the breach automatically trigger a deep-dive examination of your configuration standards to ensure that your base image was adjusted accordingly?
  4. Did you fix EVERY ‘like’ system or just the ones that were part of the breach?
  5. Did your policy and procedure review exercise make ALL necessary adjustments in light of the breach to ensure that individual accountability and requisite security awareness training was adjusted?
  6. Were Incident Response, Disaster Recovery and Business Continuity Plans all updated to incorporate the lessons learned?

And perhaps the most important part of any security program: is the CEO finally paying attention? Ultimately this was their fault for not instilling a culture of security and individual responsibility, so if THIS doesn’t change, nothing will.

If the answer is no to most of these, you didn’t just fail to close the barn door after the horse bolted, you left the door wide open AND forgot to get your horse back!
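Questions 2 and 4 above (patch management, and fixing EVERY ‘like’ system rather than just the breached one) are the two that can be answered mechanically from an asset inventory. The following is an added example, not the author’s process or any vendor’s tool: a post-breach sweep over a constructed inventory that lists every host running the same product below the fixed version, and every host whose last patch date has blown the patching SLA. The product names, versions, hostnames and dates are all made up for illustration.

```python
"""Post-breach 'like systems' sweep (added example; inventory, product names,
versions, hostnames and dates are constructed for illustration).
Given an asset inventory and the software/version found on the breached host,
list every other host running the same vulnerable version range, and flag hosts
whose last patch cycle exceeds the patching SLA."""
from datetime import date

# Constructed inventory: (hostname, role, product, version, last_patched)
INVENTORY = [
    ("web01",   "web",  "example-httpd", "2.4.27", date(2017, 6, 1)),    # the breached server
    ("web02",   "web",  "example-httpd", "2.4.27", date(2017, 6, 1)),
    ("web03",   "web",  "example-httpd", "2.4.29", date(2017, 11, 10)),
    ("api01",   "api",  "example-httpd", "2.4.25", date(2017, 3, 2)),
    ("db01",    "db",   "example-db",    "10.1.2", date(2017, 11, 15)),
    ("bastion", "mgmt", "example-sshd",  "7.5",    date(2017, 11, 1)),
]

# Date of the sweep, constructed to match the inventory above.
TODAY = date(2017, 11, 20)


def parse_version(v):
    """Turn '2.4.27' into (2, 4, 27) so versions compare numerically, not as strings.
    String comparison would rank '2.4.27' below '2.4.3', which is the wrong answer."""
    return tuple(int(p) for p in v.split("."))


def find_like_systems(inventory, product, fixed_in):
    """Every host running `product` at a version below the one that fixes the issue.

    The breached host is included on purpose: the output is the full remediation
    set, not just the machine the forensics report named.
    """
    floor = parse_version(fixed_in)
    return sorted(
        host for host, _, prod, ver, _ in inventory
        if prod == product and parse_version(ver) < floor
    )


def patch_sla_breaches(inventory, today, sla_days):
    """Hosts whose last patch date is older than the SLA, regardless of product.
    A long list here answers question 2: the process, not the server, is broken."""
    return sorted(
        host for host, _, _, _, patched in inventory
        if (today - patched).days > sla_days
    )


def post_breach_sweep(inventory, product, fixed_in, breached_host, today, sla_days=30):
    """Combine both checks into one report for the post-incident review."""
    like = find_like_systems(inventory, product, fixed_in)
    return {
        "breached": breached_host,
        "also_vulnerable": [h for h in like if h != breached_host],
        "patch_sla_breaches": patch_sla_breaches(inventory, today, sla_days),
    }


if __name__ == "__main__":
    report = post_breach_sweep(INVENTORY, "example-httpd", "2.4.29", "web01", TODAY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed inventory the sweep shows that fixing web01 alone would have left web02 and api01 on the same vulnerable code, and that all three had gone well past a 30-day patching SLA. The version parser is there for a reason: comparing version strings lexically is a common way to ‘prove’ a host is patched when it is not.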

Most breaches are not the result of a highly skilled and concerted attack, but of those taking advantage of systemic neglect on the part of the target organisation, i.e. MOST organisations with an Internet presence! Therefore, organisations that can work towards security from the policies up, and the forensics report down, have a distinct advantage over those who do neither.
