Season 1 Episode 3: Preparing for the inevitable cyber incident

Bastien: The Australian Census: we were all caught up with the frustration of not being able to log on, the media telling us various different stories, and getting upset about taxpayer dollars being wasted. We essentially had an excellent politician put their hand up and on national television say that the census system was one hundred percent secure, that your data could not be hacked, and that everything was safe and would be fine, and everyone should use the portal and provide all their information.

We monitor threat intelligence feeds from all over the world, and pretty much about thirty seconds to a minute after that statement was made we saw message boards light up and emails firing around left, right and centre. A small army of people basically gathered to essentially prove this politician wrong. It was one of the largest DDoS attacks that we’d ever seen in Australia against a government organisation. A distributed denial-of-service attack is a whole heap of people getting together and they might use a software tool like Low Orbit Ion Cannon, which is a piece of software you can download, and control via a chat box. This software was downloaded en masse and it was used to basically fire a whole heap of packets at this portal, which Australian residents were meant to use to upload their information for the census. 

Now we’re seeing a few things here: the politician shouldn’t have said that the data is a hundred percent safe because data, as long as it’s connected online, is never a hundred percent safe. They also threw out the gauntlet to every hacker that was listening and all the community boards that joined thereafter to prove that the statement was wrong. Afterwards, the census did a pretty poor job and unfortunately a few good Australian businesses were caught up in it. The organisation that was paid to load test this environment found themselves with a truckload of reporters on their doorstep the next day. Even though it was not their fault, the organisation that had essentially load tested this thing (and load testing is checking to make sure it can cope with 15 million Australians logging on to this system at the same time), I believe they load tested up to 150 million users. So the environment was suitable to task, but one stupid statement from a politician motivated a large group of individuals to attack it. I’m not a hundred percent sure on this one, but I’ve heard a rumour that someone actually breached that environment as well. Fergus, right up your alley with cyber breaches, and I’m sure you’ve dealt with things like this before, but what are your thoughts on this hack?

Fergus: What happened in the lead up to the census was that for the first time ever the Bureau was insisting that people put their names and addresses and all the names of the people that live in their house. Interestingly, one of the world’s biggest hacking groups is actually called Anonymous, and here’s the census asking them to give up their anonymity. So of course they’re going to attack it, and also security hackers are generally mischievous. Throwing that statement from the politician was throwing a red rag to a bull. 

Bastien: A lot of organisations fail to actually prepare for cyber criminal events, and what that means is the day that the cyber event happens they really don’t know what to do. We recommend that organisations straight up create a very simple one-page plan with a more substantial document backing it up, saying that “if our data gets stolen, if we end up on the front page of the news, if the police and reporters arrive at our door, these are the steps that we follow…” We ask this question a lot of organisations; it’s the first thing we ask: do you have an incident response plan? Unfortunately, most organisations say no, they don’t. That’s a pretty scary thing because if you try to solve a problem while you’re in crisis mode, it’s not a good mindset to be in.

A great way for organisations to prepare for a cyber incident is to do some threat modelling. What happens if you get an email one day and a hacker advises you that they have your entire contacts database, they have all your IP, and they’re going to release it to the world and CryptoLock your entire environment if you don’t pay $150,000 into a Monero or Bitcoin wallet within 24 hours? Watching when we do these threat simulations, the utter chaos that ensues, especially when you throw something into the mix like the guy who normally deals with your cyber security is on an airplane, or the CFO or CIO is away, people have no idea what to do. The media ends up coming down and talking to your IT guy, who probably isn’t someone you want talking to the media (I apologise to all the IT people out there, I’m one of them); we just don’t have the face for the media.

Fergus: Let me explain what a threat simulation is: it’s when we come up with a real and nasty scenario, something that could potentially happen to the business, and then we throw that out on the table for the people who are meant to fix the problem and handle the incident. Now a lot of people will look at it and say it’s a cyber threat, therefore the best person in the company to deal with it is the IT people or service provider. This is not necessarily true, because this is an organisational issue, which means the CEO and other senior people in the company are going to need to make some decisions. When you’re under duress, making decisions is very difficult: you’re being extorted, you have organised crime on your door – what are you going to do? This is why we always recommend that people put a plan on a page in advance.

So a threat simulation is a way to test how the organisation would behave under duress. It always breaks down in communications; believe it or not, that’s the most common thing. We tell the media or our employees the wrong thing, we contradict each other (which is what happened after the census). The Minister and the Head of the Bureau contradicted each other very publicly in the media about exactly what caused the problem. That had terrible reputational damage for them. So have a think about the scenarios that might happen to you in advance, put it down on a page and outline who you’d call and involve, and if the CFO is on the plane, who’s the person backing them up? So on and so forth.

Bastien: One of the things that often surprises me is just how prevalent cybercrime is in Australia. It’s happening every day, and we see organisations spending millions of dollars preparing incident response plans for things like a shooter on site or a bomb in the building. There are all these steps that they’ve taken to address it, and they know these plans back to front. If there’s a shooter in the building they have these evacuation plans. Then you ask them this very simple question: has this ever happened? And their answer (for most organisations, hopefully) is no. But do you have a cyber incident response plan? The answer more often than not is no. Then the follow-up question: how many cyber events have you had? They’ll often respond with “we’ve had quite a few in the last couple of years.” So why are they spending all this money on the shooter-on-site or terrorist plans and not spending money and putting some time and effort into a cyber incident response plan, for something which is happening to organisations every day?

Fergus: Think about the Australian Census and the devastating impact that had on the Bureau’s reputation, the frustration that everyone felt, and the fact that no one’s really relying on the census results anymore, when it used to be such a strong brand. Now what we’ve got is the new electronic health records, My eHealth, being introduced by the government. This is being introduced to help move the medical profession away from its heavy dependence on paper, which means a lack of efficiency and information not being shared easily and accurately.

I had an example of this when I was sick a few weeks ago and I was away. I went into a doctor’s surgery and they had to create a new health record for me on the spot, which made the consultation 25 minutes longer. This would be unnecessary under the new eHealth guidelines. However, if we take into account the census and what went on with that, and the fact that the service providers are still bickering about whose fault it was a few years later, are we going to trust the government to keep these records safely? Considering what the records are, they are extremely valuable for organised criminals to do identity theft. It’s very personal information; everything about your health from the moment you’re born goes into an eHealth record. I think that Australians have the right to be skeptical based on what we saw from the census: skeptical that the government can be depended on to look after these records, and to potentially think about opting out. I will caveat that though: I have two aging parents and they’ve often been in and out of hospital, so for older people who are having more health issues it makes better sense to have your digital healthcare records. The choice is entirely yours, but think about the census when you’re thinking about whether to opt in or out.

Bastien: Have you actually opted out?

Fergus: Yes, I was early in the opt out list. 

Bastien: I’m in the same boat there, but obviously there needs to be some consideration and thought to the benefit of it as well.

Fergus, you come from an IT background and then you merged over to the insurance world. What kind of things would you recommend?

Fergus: Cyber insurance has come a long way; believe it or not, it’s actually been around for about fifteen years, but definitely in the last five years we’ve seen the take-up. In terms of how the insurance interacts with the regulations, what we’ve seen is a far higher take-up of cyber insurance in the US than we have in Australia. One of the reasons for this is that the US has had mandatory data breach notification regulations in the country for some eight years, depending on which state. They’ve got a bit of a messy environment because each state has different legislation with different terms and conditions under the regulation. In Australia, we’ve got the mandatory breach notification, and that means a couple of things. One thing that’s important when you’re dealing with regulators is that you need to be seen to have done something, you need to seem to have pre-empted an issue, and you need to be ready to handle an incident. I’m afraid Australian companies are largely woefully unprepared to handle an incident. But if you have an insurance policy (and this is what a lot of people don’t realise about a cyber insurance policy), you will have within that policy an A-team to fly out and help you when you have an issue.

Bastien: We saw this recently with a big insurance partner who called out to us, and we became the A-team to help them through the challenges they were facing after a breach. 

Fergus: That’s it, and this gets paid for by the insurer under some of the terms of your insurance agreement. Basically you involve IT forensics, and that’s where we come in to have a look at the incident and make sure that it’s not going to happen again and that the bad people are not still in there. You also get legal advice as part of it, and that’s very interesting when you’re talking about regulators, because how you notify the regulator is really going to impact how they move forward with taking any action on you. Then the other thing is communications, and this is where it falls down for me all the time when we test the incident response plans. How do we communicate internally, to our staff, to our customers, to the regulators, to the authorities, and to the media about the data breach?

All of these things, if handled well, can minimise the brand and reputational damage to an organisation. One thing that’s increasingly coming up is how prepared an organisation is for a cyber incident: what have they done to avoid this happening, or to make sure it’s not a complete debacle that happens again? So if you’ve got a plan on a page, you’ve gone through a threat simulation process, and you’ve mapped your scenarios and risks, then when you get investigated by one of the regulators you will be in a much better position, as opposed to doing absolutely nothing.

Bastien: When we take our clients through the process we do a bit of research on the industry that they’re in, we look at recent attacks that occurred on that industry, and we create a threat simulation model. First of all, we run that threat simulation model before we’ve done any work with the client, and we rate them on how well they’ve done on various key aspects. Then we take them through the process of writing a proper incident response plan, and then we do the threat simulation again and review them. It’s like chalk and cheese – the organisation communicates well, the incident is dealt with well, the impact to the business is reduced, and people know what they need to do. I liken it to the military because they go through drills, they test and train, and when the real war scenario arrives it’s like clockwork and everyone knows their roles and knows what to do. If someone is missing from that role then other people know how to step in and complete that role themselves. 

Fergus: What do you think are the key industries that should be extra wary of what’s happening in the cyber world?

Bastien: I think we’ve seen an increasing trend with real estate companies being targeted, and I’ve also seen an increasing trend for manufacturing organisations, transport, and emerging technologies. We see that a lot of data seems to be shifting off to China for IP being developed by R&D companies in Australia; they are getting targeted for sure. Organisations that have high input and output and invoicing: real estate is again a great example of that, and homebuilders too. There’s an example of a homebuilder that’s transacting 90,000 invoices daily with over $150 million in and out of their bank accounts; they’re a huge target. If you think of a juicy payday then that’s probably not a bad one to motivate individuals or organisations overseas.

Fergus: I’ve seen some interesting emerging risks coming out: financial advisors. There’s a lot of them, and they have the same problems with passwords and other things as we have. In a lot of cases they have high net worth individuals and their assets, and they’ll definitely be on the radar for organised criminals. The other one which doesn’t make me very happy is the aged care industry. You’ve got elderly people who aren’t savvy and don’t realise that they’re potentially being socially engineered, because they’re not as tech savvy as the younger people. Also we’ve seen from the commission into aged care that a lot of the systems are not particularly secure or up to scratch; that’s an industry ripe for hackers.

Bastien: We’re seeing some really cool technologies emerge to help address some of the issues. So with your first example of financial advisors, we’ve actually got a client of ours that came on within the last twelve months, and they had $160,000 transferred out of their client’s account by them into a crypto fund. Essentially the same kind of invoice fraud email breach hack, where the financial planner’s email system was compromised. Then they watched the interaction between the client and the financial advisor over six months; we traced this back with forensic information to an outside IP address. This client would often send buy or sell commands to the financial planner, and in this case it was a buy command for a cryptocurrency of $160,000 which wasn’t made by them.

The cool technology that I’m talking about is one called CyberHound; now they’re big in the school and also the email play. They actually monitor user behaviour and look for keywords. So a financial planner, for example, should have policies and procedures in place that any transaction should be backed up by, say, a phone call or a second factor authentication, some means of verifying the identity of that person. What CyberHound does is it looks for key elements in attacks; it’s a very intelligent system using machine learning that constantly develops new attacks and threats. It scans emails and communications for that risky behaviour and stops them in their tracks. In schools we’re seeing it being used for students to prevent bullying and to prevent adults coming to exploit children for money, but it really works well for businesses too.

We get a smile on our faces when a startup comes and approaches us to ask what they should do about cybersecurity. We can help them and really address a greenfields environment, we can get things like policies and procedures in place from day zero and really grow with that organisation right up until you see them hit the stratosphere. It’s a little bit different when an SME approaches us because they’ve got all these pieces of software and there’s a lot of technology coupled together. They’re somewhat set in their ways and it’s a little bit harder to ingrain good cybersecurity practices within them. It really comes from educating the top of the business in an SME, then getting them to help us educate their staff, and put proper policies and procedures in place that they actually implement and disseminate within their business. Then employing some technology and services to protect them from current cyber threats. Lastly, testing them to make sure that they’re following all the processes.

Fergus: What are the simple steps that all organisations can take in order to prepare themselves for a cyber incident?

Bastien: Essentially they need to understand the industry that they’re in, understand the risks that they face, then use that information to create an incident response plan that is very easy to understand. You can do things like putting it into a poster format and put it up around the office. The crucial thing to any incident response plan is that it’s tested. So once you’ve created this document, run some scenarios that use a third-party organisation to do some threat modelling for you and test your incident response plan. Modify it as a live, working document as required and constantly check this thing. So if you implement a new control or new staff, make sure they understand it and make sure it’s tested. Then you’ll be in good stead should the inevitable happen. Everyone knows what they need to do and knows their roles within the organisation, and you can take the steps required to return to business as usual as soon as possible.