Reloaded: Paying Lip Service to Incident Response

"It will take a massive incident for our company to wake up to itself!" How often do you hear that in the information security industry? All the time — so what generally happens when things go horribly wrong after the "incident" occurs?

Here's how the scenario plays out:

1. A big internal WTFJHM (What The **** Just Happened Meeting) takes place. (Generally 95 per cent executives with no idea and 5 per cent staff — with some idea).

2. The meeting will go along the lines of:

  • What happened? Do we know? (Regardless, we'll tell the media we do and that it's not what they think).

  • How did it happen?

  • What's the risk to our revenue and share price?

  • Who's to blame? Can we blame someone else? (Response for anyone potentially in the firing: adopt the ‘three wise monkeys’ approach, say "We didn’t know something like this could happen", blame APT.)


  • Do we have some "friendly" media mates who we can use to get some spin out?

  • How do we actually fix this problem?

3. Draft a press statement along the lines of: "We take our client information very seriously, and always have!" Where possible, find a scapegoat. Nowadays, use the 'APT' line of defence, because that is the "save our backside" line that works consistently!

4. Call in IT to fix the problem so that the media can be told that it's all under control. Sit back and wait for the magic to happen.

5. When IT explains the greater problem and what investment is required to fix it and to stay on top of it, check whether the media is still running hot on the story.

  • If the media is still interested, tell them "we" are tirelessly working on it to ensure that it never happens again, and reinforce the statement regarding care for client information security. (Bloody APT.) Then give IT lip service along with the bare minimum of support and funds to do some bare-minimum security theatre. (Do we need a penetration test to demonstrate we've done something?)

  • If the media has moved on to something else, perhaps the latest Kardashian 'leaked' video scandal, quickly lose interest and get on with business as usual.

6. Has the storm blown over? If not, repeat step 5. If it has, move to step 7.

7. Wipe the incident from memory. (After all, Australia has no regulators to worry about and, besides, history shows that data security breaches in large companies rarely result in any noticeable long-term loss of business.)

8. Keep IT security spending at the bare minimum and ignore the IT security team's reminders of the incident. What incident? Something about APT?

In my experience, the only time it plays out differently is when some form of regulator is involved (for example, PCI DSS and the payment card brands). If no one holds a big stick over the company, little changes regarding its long-term corporate security practices and mindset.

As an industry, we must remain vocal and continue to push for change. No one else out there knows the extent of how bad things really are in data security these days.

If we don't speak up, who will? As usual, I welcome your thoughts.

Drazen Drazic is managing director at Securus Global.
