Highlights

Highlights from previous CIO Cyber and Risk Network gatherings

May 2022

In this month's discussion, the CIOs shared various issues they are currently facing:

1. Progress towards ISO27001 certification
2. Preparation with insurers to talk about cyber policies.
3. Results from third party cyber assessments.
4. Preparation for board reporting
5. One of our CIO's discussed planning for bare metal/scorched earth/worst case scenario's. What are other CIO's approaches, frameworks, and thoughts on how to start the planning process.
April 2022

During our April call, the CIOs discussed:

1. Their various approaches to gaining assurance from their key suppliers.
2. Experiences around seeking and renewing cyber insurance.

A recurring point from the CIOs was the recognition that if they ask a supplier to complete a questionnaire around security, the CIO's team should ensure that:

- The answers are reviewed,
- The answers need to be viewed through a risk tolerance lens shaped by the level of criticality of the service, and
- The questions also need to be updated on a regular basis to ensure they align with any external obligations.
March 2022

During our March call, the CIOs discussed:

1. What their peers were doing in terms of security KPIs for senior executives to ensure that the right behaviour was being encouraged at the most senior levels. Few were doing this, but there was a general recognition that ensuring any KPIs aligned with board-visible risks was crucial.
2. Around the room the CIOs shared what additional steps they were taking in preparation for any cyber spillover event. About half the attendees were not doing anything additional as they were already in the middle of a strong capability improvement program driven by various external standards/regulations. About half the attendees were taking additional steps; which ranged from additional penetration testing, through to increasing the scrutiny on attachments in their email gateway filter. One participant shared they were approaching niche improvements following a people/process/technology framework. Another participant shared that their organisation spent a half-day working with all staff to ensure that all were using a password manager and had MFA set up on all important accounts.
February 2022

During our February call, the CIOs spoke about:

1. One of the CIOs shared a TLP:RED session on a minor incident their organisation went through this year. The session included some key lessons learnt, solutions that worked, and next steps. A key control shared among all the CIOs on the call was the importance of rolling our MFA as quickly as possible.
2. The CIOs spoke about various phishing controls; both for protecting their users, as well as training the users to be able to identify and report on phishing attacks.
3. Finally, we went around the room sharing experiences and lessons from Log4j. A typical comment was that there was minor exposure and the whole process, while intensive, was a good workout for the processes in place. The lack of response from some SaaS vendors regarding their responses to log4j was noted.
December 2021

On today's call The Network had an IBRS Advisor present to the CIOs on Microsoft's strategy, in particular their view on security. The following points were presented and discussed:

1. Future of passwords
- Although this was not discussed in detail, IBRS does not see much in the roadmap from MS regarding passwordless management outside of Azure Active Directory (ADD) and SSO (which is a different issue). It was agreed that the current MS approach is quite convoluted, especially when staff and personal accounts collide. This is complicated by the fact that Microsoft’s approach to identity is not consistent across the entire portfolio, although it is being consolidated.
2. E5 plus F3 and interest in moving to F5 - implications especially for mobility - From a security perspective, F3 is not fundamentally different from E3.
- From a security perspective, F3 is not fundamentally different from E3.
- Note, F3 is only covering the Office environment, much like O365 E3. Microsoft E3 is where the additional device management and device security features may be useful for field workers with Windows devices.
3. Remote desktop instances that got boosted into the cloud are now out of compliance:
- Microsoft’s changes to its ‘mobility’ licensing rights for running servers in VMs on cloud changed in Oct 2019. This has a major impact on people looking to migrate existing on-prem servers (with SA) into the cloud. The main products were VM and Citrix workloads for VDI, that there are other areas of concern. For people looking to use VDI to secure remote working, this has steep costs and compliance ramifications. By Oct 2022, all older MS licenses covering the use of its servers on competitive cloud platforms will expire, meaning they need to be reacquired under different (and more costly) licensing terms.
4. In relation to the above, Windows 365 was implemented by one member of the panel to provide secure remote desktops. The experience was positive.
5. Microsoft is using 'licensing steps' between products that exist within the O365 E3 licensing to drive people up to E5. For example, DLP is available for Exchange in E3, but to use DLP with Teams (which is available in E3) requires an E5 licensing.
6. Microsoft is aligning its security story to the Essential Eight. This is a work in progress, but worth watching.
7. Microsoft does not have an 'implementation roadmap' for its security offerings.
8. The claim that going ‘all-in’ with Microsoft reduced skill sets and complexity is not being born out in practice. Microsoft’s security products remain disjointed and there are many different admin control panels, reports and dashboards spread over many different products.
9. In relation to the above, Crowdstrike was mentioned several times as being a product of choice, even when MS was being heavily adopted.
10. Sentinel has hidden costs in relation to data ingestion and export into reporting / analytics platforms, even if all within the Azure ecosystem.
11. Sentinel appears to be an immature product, especially in relation to connecting to the rest of the MS ecosystem. Rapid7 and Google Chronicle were mentioned as alternatives.
12. 'E6' will likely be Azure add-ons on top of E5 licensing.
13. Data classification is a major bottleneck in deploying MS security fully.
14. Microsoft changes to Dynamics licensing and very aggressive audits of late are a cause for concern.
15. The PowerPlatform is another area where security and governance needs to be considered.
November 2021

During our November call, the CIOs spoke about:

1. Enabling company directors to access board reporting. The CIOs shared their various approaches, and the takeaway was that no one was terribly happy with how they were managing the risks of BYOD and board members sitting across multiple organisations.
2. Two of the CIOs shared how their organisations viewed security as a competitive differentiator. One specifically said that their company had done the heavy lifting and was now at the front of the queue for a number of large government tenders.
3. Better practices with staff training. One of the CIOs shared that it was a noted shortcoming in a recent audit against their organisation. The general discussion on this topic noted the value in ensuring that staff understood how the training was relevant for their lives outside of work.

Two links to organisations that offer staff training:

eSafetyCommissioner

IDCARE

October 2021

On our October call, the CIOs spoke about:

1. Ransomware simulations; one of the CIOs shared some lessons from a recent exercise with their board.
2. Passwordless authentication; One of the CIOs was actively looking at this area, and the conversation evolved into a discussion around strong authentication and U2F, and privilege access management. The ability to issue and revoke passwords to privileged users, and prevent these privileged users from either knowing of sharing these passwords was seen as an important capability.
3. The Security of Critical Infrastructure Act (aka SOCI); the CIOs discussed their own organisation’s varying levels of perceived exposure to SOCI, the implications of ‘step in’ powers and the potential conflict with the interests of the business, and the potential additional regulatory burden on financial services.
4. Cyber insurance; The CIOs shared their experiences with their cyber insurance renewals. One CIO reported that their insurer was interested in org charts and bios of key security people. Another mentioned that they were early in the renewal process but would need to negotiate with the insurer around using a preferred incident response provided and not one of the insurer’s panel providers.

Quote of the call

“I’m not sure which has been more invasive, the executive health check or our cyber insurance renewal”

Some links referred to during the call:

'$5.9M ransomware attack on major agriculture group poses risk to US grain, pork, chicken supply', Fox Business, September 2021

YubiKey’s Universal Second Factor Authentication (U2F)

'PJCIS recommends critical infrastructure bill split to tackle urgent threats', September 2021.

Comments by Vanessa Teague on SOCI Act

Cyber Insurance: Moody's is spending $250 million to measure the risk of America's biggest companies getting hacked", CNN, September 2021

'Cyber insurance market encounters ‘crisis moment’ as ransomware costs pile up', Cyberscoop, 23rd August 2021.

September 2021

On our September call, the CIOs and guests spoke about:

1. Their various experiences with using UpGuard and/or AssetNote and/or BitSight. They spoke about the business cases for each, and the value proposition. UpGuard was broadly considered better for having a high level take on suppliers and helping them understand any significant changes to their internet presence and configurations, whereas AssetNote was considered more useful for reflecting back vulnerabilities to the customer organisation. Each had their shortcomings and these were also discussed.
2. A few of the CIOs noted that their insurers were becoming more insistent on which suppliers were used for incident response; and had a strong preference for their own identified suppliers. Two of the call participants noted that as long as they listed their preferred incident response suppliers on the policy document, the insurers would acknowledge these.
3. One executive noted about their experience with a data breach: that their organisation had good incident response plans, but did not have a good data breach response plan; and the importance of knowing that these were two different types of incidents requiring different response components and business input.
4. The recent report from OAIC which emphasises that reporting is still required even if in doubt about loss or the harm of the loss.
5. The legitimacy of running phishing simulation campaigns that clone current business communications. These can rile both staff and executives, but the call participants agreed that criminals do not play fair, and so phishing simulations should not have artificial guard rails.

Links Shared

A free resource for scanning your own internet facing environment based on domain: Coalition Control

Article about Flubot: Flubot

Article about the recent OAIC report: OAIC report

August 2021

On our August call, the CIOs and guests spoke about cyber security messaging to the executive team and the board:

1. The value in having third parties come in to validate either the current operational maturity level, or to perform interviews with board and executives to understand their risk priorities. One CIO said, “You rarely learn anything you didn’t know, but having a third party give it their stamp is valuable".
2. Striking the balance between meeting the eagerness of the board and their desire for information against the highly esoteric domains of both technology and cyber. One CIO said, “They want to know, they want the detail, but then they pull back". Another said that it’s more important to the board to know that you know what you’re talking about, and that running a one off dedicated session to go as deep as they needed was worthwhile.
3. How to position the stories from the industry and how they are relevant to the organisation, and then to also address any of the issues raised and whether they are handled or need to be handled.
4. This article was also discussed: Real and present danger: Government considers making company directors personally liable for cyber attacks 

Other News

Surviving a cyber breach without damaging your brand - A Case Study of Australian Red Cross Life Blood Breach - Webinar and Q&A 26 August 2021 11.00 AM EAST (1 hr) Registration

July 2021

On today’s call, the CIOs discussed:

1. Zero trust, and one of the members shared their early journey heading into zero trust, with Netskope. A key benefit of going down this path they realised was the full management of all devices. A guest executive noted that zero trust was an overused buzzword and vendors are using it to drive a product-centric approach. As always, it’s important to understand the entire environment and focus first on what matters most to the business.
2. PrintNightmare - The CIOs broadly agreed they were much more concerned around their suppliers.
3. Kasaya ransomware exploit - The CIOs have not seen any material local impact.
4. When discussing various security suppliers who had provided useful perspectives, the call participants recommended:

- Solista

- ParaFlare

- The Missing Link

- Hakluyt

5. Two other products that were highly recommended by the CIOs for their ability to support better security:

- Assetnote

- What is Azure Sentinel?

June 2021

On today’s call, the CIOs spoke about:

1. How to get value from becoming a JCSC partner. The conclusion was that for the present, it’s worthwhile to get access to the ACSC portal to get insights into risks that organisations in the local environment may be dealing with.
2. One CIO shared that their new goal for their organisation is to be able to rebuild their environment within seven days, as this was the window within which the company should be able to recover and continue from a cash flow perspective.
3. One member shared that a subsidiary after a ransomware attack took 3.5 months to rebuild.
4. On the option of paying the ransom, one attendee mentioned the board have changed their tone now, and are adamant that they won’t pay. Others had yet to get to that position.
5. One CIO shared that their executive team is now questioning why they need cyber insurance. If they are determined - and they are - to not pay a ransom, and they want to control the engagement themselves, and choose the incident responder, why would they want an insurer in the room?
6. The need for ransomware drills at the executive level, as this becomes a powerful mechanism for business units to understand that technology and security cannot create recovery systems if the business units cannot articulate their critical assets and processes.
7. One of the CIOs shared that their executive team were fully on board with a material step change in cyber security, and the CIO was keen for recommendations on cyber security recruiters.
May 2021

On the Cyber & Risk Network May call, the CIOs spoke about:

1. Ransomware concerns with their suppliers. This topic was split between the suppliers being targeted themselves, and the resulting business impact to their customers; but also the use of third parties as a vector of attack against their customers.
2. Increasing their focus on backup and recovery as part of a drive to become more resilient.
3. What factors may lower cyber insurance premiums, and the increasing intrusiveness of both cyber insurers and auditors.
4. Various experiences with 3rd party Security Operations Centres (SOCs). One CIO shared that their 3rd party SOC was demonstrably not actually taking information from their environment and had reported no AD Account creations in the last month, while the CIO knew that was not the case.
5. A few of the CIOs noted the steady shift from broad-sweep phishing attacks to increasingly targeted spear phishing.

Resources

Expel is a SOC that actually has happy customers.

The Commonwealth Department of Industry, Science, Energy and Resources has developed a cyber security self assessment tool, which may be useful for smaller suppliers: Cyber Security Assessment Tool.

James recently wrote a piece, 'Recent FBI intervention on compromised Exchange servers is a bad sign for taxpayers everywhere'.

April 2021

We had the pleasure of hearing from the CIO of a medium sized Australian company. The CIO took us through their company's recent experience of a ransomware attack; from their own self-assessed level of security maturity before the attack, the timeline of events, and lessons learnt.

Through the Q&A session some of the key priorities that emerged were: On the Cyber & Risk Network March call, the CIOs and guests spoke about:

1. The importance of having an existing agreement with incident responders that understands your business, and not just relying on whatever firm the cyber insurer may want to allocate.
2. The thinking behind the very rapid decision to not pay the ransom.
3. The value of simple and clear guides like the ASDs Essential Eight.
4. The need to focus on both prevention and resilience so that a company can spring back into operations as quickly as possible.
March 2021
On the Cyber & Risk Network March call, the CIOs and guests spoke about:
1. Patching policies and differentiating between internet facing and non internet facing. Often, the differentiation is driven by an IT department recognising that it needs to prioritise its efforts, and so internet facing software will get priority.
2. Similarly, if a vulnerability is being actively exploited, then that gets patching priority, and most organisations will aim for 48 hours to have that vulnerability patched.
3. As services move to Cloud providers, the CIOs raised the issue of how to gain assurance that their Cloud vendors are also doing the right thing with patching. With larger and more Cloud-oriented vendors it may be more automated, but many businesses rely on niche providers, and the operational maturity of these smaller providers may not be at a level the CIOs are comfortable with.
4. This raised the topic of open source dependencies, as well as software sprawl across business units, and how to keep track of what software is being pulled down from various repositories, such as GitHub.
5. Responsible disclosure statements are an important first step in moving toward bug bounty programs.
6. The efficacy of dark web monitoring services and the relative value from these.
7. The dual value in decommissioning software and services. The removal of phone bridges which have effectively been replaced by online video conferencing was used as an example of reducing both costs footprint.
February 2021
In today’s call, the CIOs and guests spoke about:
1. Their various experiences around the SolarWinds breach, the Accellion breach, and any flow on considerations for third party suppliers (supply chain risk).
2. Open source - despite being reviewed by “many” eyes, the industry continues to surface vulnerabilities that have been in the code for years. Number of eyes does not equal quality.
3. Privileged Access Management, and a broad discussion around how to use existing tools to deliver on desired outcomes.
4. Password expiry policies and various practices.
5. Working with a cyber insurer, and the insurer’s requirement for the policy holder to nominate a prefered third party for incident response. The call discussed experiences and market perspectives on various incident response vendors, including: Crowdstrike, Mandiant (FireEye), Accenture, and Klein & Co. (now part of CyberCX)

You might also like to include these links

"Notifiable Data Breaches Report: July–December 2020", Office of the Australian Information Commissioner, Jan 2021.
Useful data points here, including the increase in breaches through human error.

"Cybersecurity Insurance Has a Big Problem", Harvard Business Review, 11 Jan 2021
This article is well worth reading.

"FMA releases review of NZX technology issues", 28 Jan 2021.
This article contains sharp objects.

Local public incidents

"Accellion hack behind Reserve Bank of NZ data breach", IT News, 12 Jan 2021.

"Australian securities regulator discloses security breach", Bleeping Computers, 25 Jan 2021.
(Also via Accellion)

"Allens victim of high-profile cyber attack", AFR, 22 Jan 2021.
(Also via Accellion)

"Law In Order – Cyber Security Incident", 3 December 2020
Quote, "When this incident occurred, we implemented a response strategy to investigate the threat actor’s activities, safely restore our systems and prevent potential disclosure of client information." [Emphasis added]

November 2020
In today's call the CIOs spoke about:
1. Their own examples of metrics that did, or did not, resonate with directors and executive management.
2. There are many frameworks, but most are so long or so technical that boards lose interest.
3. NIST’s Cybersecurity framework is a common approach from a broad perspective, whereas the Center for Internet Security’s Critical Security Controls are focussed on the technical aspects.
4. One participant made the point that with a control, “Unless you have 100% coverage, it is zero % effective” because an adversary only needs one way in.
5. Performing a full rundown on all costs associated with a typical incident - i.e. similar to what is currently in the news - provides a financial perspective of the cost of not being adequately prepared.
6. Continual progress is required, and any snapshot - or third party assessment - becomes the baseline that future progress must improve on.
7. All the CIOs agreed that focusing on the top priorities of the business was crucial, because it helps focus attention on what really matters to the business. Because, “No business exists just to be secure.”
8. For security budgets to resonate they must be mindful of the business margins.
October 2020
On today’s call, the core issues the CIOs spoke about included:
1. How to approach a cyber security framework.
2. How to position framework maturity benchmarking (performed by external audit) with business stakeholders.
3. The issue that benchmark scores may align with cost-effective business priorities.
4. The value of understanding business processes and dependencies on technology, so that controls can be weighted pragmatically.
5. Because the ASD’s Essential Eight and CERT NZ’s Top 10 Critical Controls are drawn from post incident response reviews, they are an excellent resource to prioritise controls within larger frameworks.
6. The call finished with a deep dive case study of a DDoS attack and lessons learnt.