Those who live in Glass Houses
All the comments I'm seeing, regarding the media reporting and individuals commenting on the recent British Airways (BA) breach, remind me of a well-known phrase:
"Those who live in glass houses shouldn't throw stones"
It is all too easy to criticize others but the reality is that many people may have had a part to play in allowing this breach to happen:
The Board for failing to recognize the importance of InfoSec.
The Risk Committee for failing to communicate the risks.
The CIO for failing to invest in the most effective countermeasures.
The IT Operations Director for failing to prioritise the remediation efforts.
The InfoSec team for failing in their responsibilities.
The Audit teams for completing a 'tick box' approach.
The PCI SSC for failing to ensure that the PCI DSS includes the need to avoid a single point of failure.
The Qualified Security Assessor (QSA) for failing to identify an exploitable vulnerability.
The Data Protection Officer (DPO) for being complacent about the diligence applied to the risks identified during the Data Privacy Impact Assessments (DPIAs).
...I could go on!
I must confess, when I first read of this incident my initial reaction was to be critical, but then I took a moment to reflect and put myself in the shoes of those individuals within BA who may have been struggling to do their day-to-day role. Remember, this would have been a balance between delivering an interface that is easy for the customers to use, whilst making sure it is not vulnerable.
Anyone who has been employed within a business' InfoSec or Audit role will be all too familiar with the dismissal of identified risks, being perceived as implausible. Watching the box set of the 'Jack Ryan' TV series reminded me that the problem with a potential attack is that it is often implausible, until it happens. One of the most notorious implausible attacks has its anniversary coming up: the attack on the World Trade Centre (Patriot Day).
I am all too familiar with the internal politics where senior members of the business have dismissed potential risks I had identified, for example:
An organisation allowing the convenience of access to Office365 from ANY device. 5 days later, the same business had multiple senior exec email and Skype accounts compromised, as the result of a Spear Phishing attack. As a result, the attackers almost convinced a member of staff to pay a bogus invoice, to the tune of 100s of USD, through the misuse of these compromised accounts.
During a deployment on the Counter Intelligence Field Team (CIFT), I reported a potential risk to the physical perimeter: an unsighted area in the perimeter fence. Not long afterwards, once a more valuable and attractive target had been deployed to Camp Bastion, the Taliban exploited the same vulnerability to make an incursion through the perimeter.
This is an opportunity for businesses to learn from this incident and to have a good look at their own environments. Senior Management need to start to think of WHEN and not IF, to consider the most unlikely scenarios, and to prioritize Cybersecurity as a key business issue, rather than something that only gets considered in response to potential serious fines (i.e. GDPR) or in the aftermath of a breach.
I even know of companies who have made remarkable decisions in response to the changing legislative and cyber threat environments. They decide it is best to make the InfoSec role obsolete (to be managed by non-specialists), rather than having an InfoSec specialist pointing out areas requiring improvement and allowing the prioritization of any remediation efforts. Life is made far easier for them if they can 'tick a box' to meet their compliance obligations, rather than adopting a proactive approach.
Learning the lessons from the past: centuries ago, the Romans identified the vulnerabilities of a Preclusive Defensive style (neutralizing incursions by stationing units along the border, as well as in forward outposts, to trap enemy forces that came between them in a pincer movement) and moved to the more effective Defense in Depth (DiD) style (rather than defeating an attacker with a single, strong defensive line, defense in depth relies on the tendency of an attack to lose momentum over a period of time or as it covers a larger area).
Adopting a DiD style for modern Cyber-defense is highly recommended. It requires a team effort and an additional military tactic: team specialists knowing, and being capable of carrying out, supplementary roles (a rank above and a rank below yours), so that in the event of that person not being available, someone is capable and ready to deputize.
I can fully appreciate the anger, the reason for critical analysis and the reason why the media are taking their opportunity to make this incident front-page news, but this should be tempered with the reality of struggling to maintain an environment. Frequently, criminals make far more profit from their activities than businesses do from theirs.
Businesses need to identify and manage all of their vulnerabilities, all of the time, to avoid losing money, whilst the criminals need to identify just one to make money. Consequently, it will be interesting to read the findings on this sophisticated attack and the lessons that can be applied for the benefit of all. I just hope that BA are candid in publicizing the mistakes they may have made and the tactics employed by the perpetrators to exploit their vulnerabilities. No organisation wants to be the recipient of a cyber-attack, much as no home owner wishes to be burgled because of an oversight, mistake or vulnerability (e.g. forgetting to lock a door, leaving a window ajar or having a pickable lock).