Few CIOs will discuss their security incidents in public — with good reason — but there are many compelling reasons for more openness.
You cannot ignore the risk of cyber-attack. No vulnerability will be left unturned by cybercriminals, bedroom hackers, pressure groups or anonymous citizens looking to disrupt an organisation’s business.
Attacks of all kinds are increasing in intensity and more firms are having to admit to being victims of them. This means that any company currently embarrassed by an attack or incident should take some solace from the fact that they are not alone.
Recent months have seen attacks on high-profile organisations including Amazon, MasterCard, Visa, Twitter and NASDAQ: all big names with significant server and security systems behind them.
Equally significant is the fact that the firms were apparently ready and willing to discuss what was happening, and what they were doing about it.
The most recent and perhaps most notorious attacks came as part of the fallout from the WikiLeaks scandal when each side of the privacy debate began a war of attrition that sought to prevent the other from having their place on the internet.
Firms including Amazon and Visa refused to support the WikiLeaks cause by hosting its documents or accepting donations for it respectively, and became enemies of a loose collective of hacktivists that lurk under the name ‘Anonymous’. Anonymous, which had already shown its muscle in opposition to the Digital Economy Act, acted swiftly and effectively.
Perhaps because Anonymous was so open about what it was doing — it tweeted progress reports as it moved from target to target — so too were the firms it went after.
Amazon was bullish in its reaction to being taken offline. “The brief interruption to our European retail sites last night was due to hardware failure in our European datacentre network and not the result of a DDoS attempt,” the firm said at the time, suggesting that the attack had had no impact on its systems.
The same could not be said for others. “MasterCard SecureCode is currently down. This means that all MasterCard and Maestro transactions cannot be processed via 3-D Secure,” reported MasterCard in a brief to its clients.
Also vocal was Visa, which admitted that its corporate website was “currently experiencing heavier than normal traffic”.
“Visa’s processing network, which handles cardholder transactions, is functioning normally and cardholders can continue to use their cards as they routinely would. Account data is not at risk,” read the site.
The same could not be said for Visa now. Ask the firm to discuss the denial-of-service attacks, its reactions and any lessons learned, and you will receive a polite ‘No’.
Visa is not alone in this, and the CIO who is happy to go on record discussing non-theoretical organisational security provisions and capabilities may spend the rest of his days fire-fighting ever more inventive system assaults.
Graham Cluley, security expert at Sophos, said that the way in which firms react to attacks varies widely, and often depends on whether the attacks were successful or not. However, he added that there could be merits to going public and questioned whether it was the IT team or public relations that dictated responses.
“Firms are often forced to go public about successful attacks. Regulations may demand that they inform customers and law enforcement agencies that personal information has been stolen by hackers, or if a public-facing website has been defaced there’s no way that it can be swept under the carpet as it’s out in the open,” he says.
However, Cluley added that it is most likely to be the corporate communications teams that dictate how a company reacts.
“Firms are often advised by their corporate communications departments to stick to approved statements, and that there will be no business benefit in providing any information beyond the minimum required,” he explains. “Indeed, they may worry that revealing too much information about what mistakes were made may shake the confidence of customers, who may choose to do business elsewhere.”
However, Cluley adds that the growth of social networking is changing the way firms interact with customers and clients, and is making businesses more open.
“This attitude is changing a little with the rise in social media, and companies are seeing the benefit in being more human and honest,” he says. “This means putting your hands up to your ability to make mistakes and get things wrong.”
A little knowledge sharing is not without its benefits either, and Cluley adds that CIOs often discuss issues between themselves. The wider public, he says, are more likely to be notified of a successful reaction to an attack, rather than how it happened. The reasons for this are obvious: organisations do not want to reveal their security details to those that might seek to exploit them.
“Firms are typically more comfortable with talking about how well they have done at protecting themselves against attacks, rather than how they have had problems,” he explained. “However, even then there may be staff in IT departments who would rather that the details of their security remained shrouded in mystery.”
Daniel Mitchell, founder and director of Lifeline IT, is hosting this year’s CyberCrime Security Forum in London — the first of its kind in the UK — on May 12-13.
“Organisations are very, very guarded,” he explains, “and it is only recently that they have really started to talk to each other.” Mitchell says that by discussing the risks, firms would be able to improve the way in which they react to them and be more confident that any response they make will be the best one possible.
“Events like this get the idea of strategy into the mind of CIOs. They can share their experiences and discuss their messaging. Better communications will help to protect industry against cybercrime. It is the preparation that needs sorting out. CIOs must be able to prove that they have observed best practice. Then you can say that you have done the best that you can.”
The event will focus on defence strategies, and John Craddock, panel member and speaker, sees it as a welcome opportunity to share key information with the people that really need it: the enterprises.
“We are going to open a lot of eyes,” he says. “There is a lack of knowledge, a lack of interest, in security and we are going to give CIOs a way forward.”
Craddock, External Infrastructure and Security Architect at Microsoft, added that one reason why firms may not want to discuss their security problems in too much detail is because although they have just discovered them, they are often not new.
In fact, he explained, it was not uncommon for a newly detected active vulnerability to have been in existence for two years or more before its ‘fix’ is reported to users. This sort of admission, he suggests, could be very embarrassing.
“If you have been attacked and found failing, you aren’t going to be looked upon favourably. But if you had it right, you should be able to deal with it.”
‘Dealing with it’ means improving security procedures and readying responses to attacks, a belt-and-braces approach that should appeal to the most cautious firms.
Craddock recommends that all potential areas of weakness be considered by firms, from the information kept in the hard disks of office printers right up to the monitoring systems used.
“Everyone will get attacked. But if you have your posture right you should be able to deal with it,” he says.
The best policy
Limiting the brand damage associated with being hacked does not just mean remaining mute on the subject, as the news will likely out itself anyway. It means being able to admit that yes, you were the victim of an attempted attack, but no, it was not serious and nothing was compromised.
It may be the public relations teams that currently dictate how an enterprise reacts publicly to attack, but it could become the responsibility of the CIO who, armed with the confidence and the knowledge that they have done all that they can, can admit to facing down an online dragon and — if not slaying it — then at least sending it back to where it came from.
Whether CIOs turn to social networks to admit such breaches or not, it is likely that such admissions will become the norm as users ask more questions about problems with their services and incidents become more obvious. After all, there is no better response to a problem than an answer that admits it, describes what happened, and then tells you how it was solved.
The CyberCrime Security Forum and CIO UK
The CyberCrime Security Forum will be the first of its kind for the UK’s public and private sectors. It is being launched in response to growing threats to UK business, following the government’s recent ranking of cybercrime as a major danger to national security. CIO UK readers can register and receive a 10 per cent discount. Register before April 21st and enter the promotional code CIO March.