Telstra’s CSO Mike Burgess says it’s critical to avoid distractions when fighting against cybercriminals.
In a presentation given at the Check Point Cybersecurity Symposium, Burgess warned against attribution and threat distraction.
“Don’t get me wrong. I’m not saying that attribution is not important. What I observe, what I fear, what I see too much of is commentators, many in the industry and many in the media, focus on attribution with very little focus on the root cause”.
Burgess says there is no instance where an organisation should lose data when there is a known remedy for the root cause. Citing the examples of Target, Home Depot, Sony and others who, in public statements, blame the “sophistication” of attack methods, Burgess noted that all of these companies should have expected to be targeted by attackers and should have carried out better hygiene and been better architected.
“That is unforgiveable in this day and age,” he says.
The sibling to attribution distraction, says Burgess, is threat distraction.
Burgess read quotes from public statements issued by a number of hacked companies. From our place in the audience, Burgess’s derision at the language used in these statements was palpable.
After reading Home Depot’s statement, where they said “The malware used in the attack had not been seen in any prior attacks and was designed to evade detection by anti-virus software,” Burgess sarcastically asked “Really?”.
“I’m not meaning to disparage others because I know this is a hard challenge,” said Burgess. “But really, when I see the use of language like that I do worry”.
In discussing the Sony hack, Burgess noted there was a lot of activity around attribution but very little attention was given to how internal emails were able to be exfiltrated from the network.
While a great deal of attention is given to identifying hackers and discussing the attack methods, not enough attention is given to how data losses, through theft or deletion, can be allowed to occur.
In Sony’s case, the loss of corporate data meant the company was unable to meet quarterly reporting obligations to the stock market. That was on top of leaked emails, leaked HR reports and all the corporate embarrassment that accompanied the hack.
Responding to Sony’s statement that “The attack was an unparalleled and well-planned crime carried out by an organised group that neither Sony Pictures nor other companies could have been fully prepared,” Burgess said “Well, actually, it is a reasonably foreseeable event that someone will attempt to hack your organisation, to steal data from you, or someone will attempt to attack your organisation to disrupt your organisation. I disagree with Sony in the comment. You have to be prepared. You’ve got no excuse”.
Looking at the examples he cited, Burgess noted that in all of those cases there was a known remedy for the vulnerability or weakness that was exploited.
Finally, Burgess took some time to discuss the reliance on frameworks and compliance. Although he suggested they were useful, he told the 500-strong audience that a focus on those without an understanding of what the business was actually trying to protect was a danger.
“When you lose sight of the back-office or what you’re really trying to protect, you will find yourselves still in trouble even if you completed those numerous tick and check exercises”.