Cyber Security

The Latest

18 March 2021: Veeam released a report which suggests that 58% of backups fail. After validating these claims, and from the direct experiences of our advisors who have been CIOs or infrastructure managers in previous years, IBRS accepts there is merit in Veeam’s claim.

The real question is, what to do about it, other than buying into Veeam’s sales pitch that its backups give greater reliability?

Why it’s Important

Sophisticated ransomware attacks are on the rise. So much so that IBRS issued a special alert on the increasing risks in late March 2021. Such ransomware attacks specifically target backup repositories. This means creating disconnected, or highly-protected backups is more important than ever. The only guarantee for recovery from ransomware is a combination of well-structured backups, coupled with a well-rehearsed cyber incident response plan. 

However, protecting the backups is only useful if those backups can be recovered. IBRS estimates around 10-12% of backups fail to fully recover, which is measuring a slightly different, but more important situation than touted by Veeam. Even so, this failure rate is still far too high, given heightened risk from financially-motivated ransomware attacks.

Who’s impacted

  • CIO
  • Risk Officers reporting to the board
  • CISCO
  • Infrastructure leads

What’s Next?

IBRS has identified the ‘better-practice’ from backup must include regular and unannounced, practice runs to recover critical systems from backups. These tests should be run to simulate as closely as possible to events that could lead to a recovery situation: critical system failures, malicious insider and ransomware. Just as organisations need to rehearse cyber incident responses, they also need to thoroughly test their recovery regime. 

Related IBRS Advisory

  1. Maintaining disaster recovery plans
  2. Ransomware: Don’t just defend, plan to recover
  3. Running IT-as-a-Service Part 59: Recovery from ransomware attacks
  4. Ransomware, to pay or not to pay?
  5. ICT disaster recovery plan challenges
  6. Testing your business continuity plan

The Latest

27 March 2021: Google has announced programs with two US-based insurance companies where clients taking up Google Cloud Platform security capabilities will receive discounts on cyber insurance premiums. 

Why it’s Important

The number of serious cyber incidents is on the increase and insurance premiums in the US have tripled over the last two years. Having a cyber incident response plan in place helps mitigate the risks and reduces the recovery time from a cyber incident, but also contributes to lowering the premium for cyber insurance. It is akin to having fitted window locks to a house, lowering insurance premiums in certain circumstances.

Google’s security posture, and threat assessment services, and services to manage security incidents effectively are sufficient to both reduce the frequency of security incidents and lessen their impact. Insurance actuaries see the benefit in such services and have determined there are savings to be made by the lower risk and risk mitigation profiles. 

Notwithstanding any special programs brokered between Cloud vendors and insurers, being able to demonstrate both a strong security posture and, importantly, an incident response plan will drive down an organisation's premiums, especially as insurance companies are inserting their own teams into incident response situations. 

Who’s Impacted

  • CIO
  • Development team leads
  • Business analysts

What’s Next?

If not already done, organisations should undertake a cyber risk assessment and implement a cyber incident response plan backed by appropriate cyber insurance. 

Related IBRS Advisory

  1. Improving Your Organisation’s Cyber Resilience
  2. Incident Response Planning: More Than Dealing with Cyber Security Breaches and Outages
  3. How Does Your Organisation Manage Cyber Supply Chain Risk?
  4. Why You Need a Security Operations Centre

The Latest

9 March 2021: The Australian Defence Department has inked a deal with Fujitsu, Leido and KBR to blitz its ageing network and end-user computing environment in a program of work thought to be worth around AU$200 million.

Why it’s Important

Fujitsu is not the first vendor that comes to mind when thinking about end-user computing overhauls. However, in the world of highly secure workplaces, vendors such as Fujitsu and Unisys have unique offerings and experiences. Even if not using these vendor’s capabilities, the critical components of the security architecture are worth noting by organisations that need to protect information assets with an increasingly mobile or distributed workforce. 

Who’s impacted

  • End-user computing / digital workspace architects
  • Security teams

What’s Next?

With remote working no longer a choice, but a business continuity issue, organisations need to rethink traditional approaches to securing information assets and people when planning for the next upgrade of end-user computing. Identity management, contextual access control and encryption of information assets are three essential pillars of a modern, secure digital workspace. Building upon these pillars, organisations can look towards zero trust approaches and adopt emerging new techniques for detecting issues and protecting the organisation, such as embodied in products for user, entity and behavioural analytics (UEBA).

Related IBRS Advisory

  1. Architecting identity and access management
  2. Embracing security evolution with zero trust networking
  3. Trends for 2021-2026: No new normal and preparing for the fourth-wave of ICT

The Latest

10 February 2021: Competition for highly secure hyperscale Cloud capabilities for government services has been boosted with Oracle joining forces with Australian Data Centres (ADC) to provide Canberra-based services. Oracle now has three Australian regions for managed Cloud, with Sydney and Melbourne.

Why it’s Important

Oracle’s Cloud service is highly attractive for organisations looking for a simpler Cloud transformation journey for critical, Oracle-based solutions.

Last year, Oracle’s SaaS solutions in the areas of security, human services, and health were certified as offering PROTECTED data capabilities. ADC has a strong presence in the Australia government, already running sensitive workloads and being connected to the secure Intra-Government Communications Network (ICON). By leveraging ADC’s footprint in Canberra, Oracle is now able to meet the second part of the trust equation: the physical safety of the environment.

Who’s impacted

  • CIO
  • Cloud migration teams

What’s Next?

Oracle now joins Microsoft in offering a specialised, highly secure Cloud capability for government agencies in Canberra. Agencies looking to quickly adopt a Cloud first strategy now have clear Microsoft and Oracle trajectories that include a physical presence, while AWS approaches the PROTECTED Cloud stance solely through a service-by-service model. When considering Cloud migration, agencies should review the extent of Oracle in their ICT architecture and factor this into the Cloud platform (or platforms) to be selected. 

Related IBRS Advisory

The latest

14 December 2020: FireEye announced it had been breached. An extremely comprehensive overview is available from FireEye. This blog post includes timelines, technical recommendations, and IoCs (indicators of compromise). 

FireEye, a company that exists to track and thwart advanced and persistent adversaries, was itself compromised by an advanced and persistent adversary. FireEye was compromised through a product from SolarWinds. 

What now?

There are four main areas worth exploring. 

1) Check your SolarWinds instance(s) 

The FireEye blog post includes instructions for what to look for. Good asset management will be useful in this verification process. One CISO noted they found an unmaintained SolarWinds instance in one of their OT environments. 

A core lesson that many security executives drew from the MobileIron vulnerability (CVE-2020-15505) was that anything an organisation has that is internet facing needs to consistently receive critical patches quickly, even out of cycle. 

This will require a process to identify critical patches, but for the process to actually be executed. Citrix, VPNs, staff home routers (see FF no.02), and now MDMs have all been leveraged this year for compromise. Everything is up for grabs, so logically, anything internet facing needs to be aggressively maintained. This relates to patching but also asset management. 

Further, it's an opportunity to review privilege. Just because a product can do something, doesn't mean it should. Does SolarWinds really need to talk to the Internet? There are technical controls like host firewalls and properly profiled application allow-listing that will significantly frustrate an adversary in this scenario. It’s a great example where a zero trust architecture would make a big difference.

2) Organised crime 

The ACSC has noted that once a vulnerability is disclosed, threat actors can develop an exploit within 48 hours. We've seen this timeline achieved this year, with both F5 and MobileIron vulnerabilities. Now that the advanced and persistent actor has been ejected from FireEye (and hopefully from SolarWinds) it could be a matter of time before organised crime tries to exploit unpatched SolarWinds instances. 

FireEye will recover, and have an even better story to tell. At this early stage it seems that FireEye was the last target compromised by this adversary, and probably compromised for the shortest duration before the adversary was detected and ejected. It sounds like FireEye was targeted as a source for further intel on government agencies.  

I've got no evidence for this, but I wouldn't be surprised if FireEye was the last, trophy, "let's see if we can do this" target. 

3) Supply chain

The critical point about FireEye being breached, is it points to what industry has been saying for years - "it's not if, it's when". What matters after bang (or 'right of bang'), is how the organisation responds and FireEye is giving a master class on how to respond. But FireEye is only able to do this on the back of years of refining their art. 

However, going left of bang will encourage technology and security executives to look at their supply chain. What other products have access to systems, data and privileges that would be a nightmare if you did not have sole occupancy?

What other software has pervasive access like SolarWinds? What protocols are my service providers following when they use tools like SolarWinds on my environment? We cannot boil the ocean but, as Kevin Mandia said at a CISO Lens gathering in 2016, "protect most what matters most". 

4) Cyber insurance

I've not heard anyone talking about cyber insurance regarding this whole hostile campaign. It seems inevitable that public attribution will end up pointing to a particular nation. If this is the case, many insurers will likely point to exclusion clauses that indemnify the insurer from costs incurred through nation-state activity.

If you have cyber insurance, it may be worth getting a position from your insurer on whether you would have been able to make a claim against your policy if your organisation had been compromised.

The Latest

10 Nov 2020: CyberArk launches an AI-based Cloud entitlements manager. The solution combines principles of ‘least privilege’ and ‘zero trust’ to reduce risks of poorly configured access privileges for the major hyperscale Cloud platforms. CyberArk uses AI to determine the context and intent, which in turn provides risk assessment and recommendations for appropriate actions, and automation of remediation. 

Why it’s Important

Poorly configured privileges to Cloud solutions - in particular storage services - is a major cause of data breach. It is a significant risk for all organisations that leverage Cloud resources. Reviewing and maintaining privileges over resources is problematic, even with high levels of automation, because automation will only impact known entities in the environment, and can only address well-defined use cases. 

Who’s Impacted

  • CISO
  • Cloud Teams

What’s Next?

The use of Machine Learning algorithms to interrogate Cloud services and identify and remediate risks is a welcome addition to Cloud security management. While the efficacy of the CyberArk solution is not yet known, IBRS anticipates that this approach will be beneficial and at least provide an additional ‘check’ over sprawling Cloud environments.

Related IBRS Advisory

Organisations that are resisting the shift to Cloud computing are often basing their decisions on common misconceptions around security, price and integration.

That’s a key finding in a recent report conducted by IBRS, The State of Enterprise Software Report 2019.

The Security Myth

Many of the organisations surveyed declared security as the primary reason for not moving to Cloud services.

Concern over the security of systems — and, critically, of the data they hold — was common in the early days of Cloud computing and it seems at least some of that legacy remains. But it’s a myth.

Dr Joe Sweeney, author of the report said cloud service providers exceed most organisations’ budget and capacity to manage complex cyber security risks.

That’s certainly the view of the Commonwealth Government, which is moving to Cloud-delivered enterprise solutions aggressively.

Full Story