By Kenrick Bagnall
Let’s look at three areas of consideration for cybercrime risk, starting with system susceptibility.
This is a combination of the value the target represents to the attacker and the potential vulnerability of the target. Has due diligence been done by the system developer/manufacturer to minimize any zero-day implications? What steps have been taken internally to ensure that patch management is up to date? Has decommissioned hardware been removed from the network?
Threat accessibility is where information and physical security intersect. How physically and logically accessible are your systems and data? Have you implemented strategies like defence in depth and least privilege to protect your information systems? Are you using “air gapping,” a physical separation strategy, to secure your systems? (Note, however, that delivering a malware payload from one system to another by “piggy-backing” on the heat signature of the system’s microprocessor has been demonstrated in a lab environment. This somewhat neutralizes the effectiveness of air gapping.)
Two important considerations for threat accessibility are social engineering and the insider threat. Human beings remain the weakest link in the chain of cybersecurity. This forces organizations to consider the potential threat represented by customers, staff and third-party organizations.
The third one, while significant, is the one you have least control over: threat capability. What are the tools, techniques and overall capabilities being used by those who are targeting you or your organization? When the hacking group “The Shadow Brokers” compromised the National Security Agency, not once but twice, it led to the development of some very sophisticated malware. It also solidified the adaptation of cybercrime into the Software as a Service business model. No longer does one have to be able to write code or understand computer networks to profit from cybercrime.
With all of these threats looming around us, what are we to do? Our mindset will dictate our actions. We must begin by thinking not if we will be breached, but when. This does not mean all efforts are put solely into cyber incident response and recovery.
We need what I refer to as the Y2K mindset. In 1999, the effort that was put into finding and mitigating potential issues to systems that would have been caused by the calendar switching over to the year 2000 was unprecedented. Addressing 2019 cybersecurity issues requires this same hypervigilance.
In the event of a breach, it’s time to execute your incident response plan. You will want to control the narrative and get the correct message out in your initial media statement. You will need to notify your board, your staff and your customers. Regulatory compliance will require you to advise regulators and credit reporting agencies. PIPEDA will require mandatory reporting to the Office of the Privacy Commissioner, notifying your customers and also retaining logs/records of the breach. Breach mitigation will require technical cybersecurity incident response, either internally and/or externally depending on available resources. The results of this work can be used for mitigation and, if disclosed to law enforcement, may also be used to form reasonable grounds and assist with attribution. If you have cyber insurance, a predetermined call to your insurer will activate your policy.
While there is no specific direction that law enforcement shall be contacted during or shortly after a breach, recommendations have been made that the involvement of law enforcement could contribute to mitigating the risk to the customer. When it comes to cybercrime, much like traditional street crime, law enforcement is interested in achieving attribution by working with victims, witnesses, partner agencies and prosecutors to build strong cases that have a reasonable prospect of conviction. Successful cybersecurity is a team sport and law enforcement is your strategic partner in the fight against cybercrime.
Kenrick Bagnall is a Detective Constable with the Toronto Police Service Computer Cybercrime Unit (C3) – Twitter: @KenrickBagnall.
This story appeared in the Spring 2019 edition of Canadian Security Magazine.