Highlights From Previous CIO Cyber and Risk Network Gatherings
On this month's call the CIOs discussed the Optus outage, with a view to how to build resilience.
- One CIO described how they are now tracking down who uses which connections, for both business and private use
- It was agreed that organisations need diversity in their communications platforms, usually resulting in a mix of telco partners rather than a single strategic vendor relationship
- All CIOs voiced their disappointment at the Government's response, which they felt was used for political grandstanding
What has changed:
- One CIO is already quite mature on diversity/redundancy
- Others are deciding whether they need to push harder on diversity across multiple carriers
- Improved SLAs with providers
- Optus will never agree to SLAs with 100% uptime
- With technology being so pervasive, this outage has emphasised the risk
The DP World breach was also discussed:
- The CIOs noted the changed tone from Government regarding DP World versus Optus
- Supply chain is an issue once again, with the incident exposing vulnerabilities in supply chains
- One CIO recommended patching the Citrix vulnerabilities, which were first published in July
Dave also shared the hot issues being discussed across the cyber community:
- Supply chain: it is critical that we know what we've got and where it is
- Suppliers/vendors in the Middle East and Ukraine
- SLAs not being met
- Organisations looking for alternative suppliers due to the conflicts
- Mapping supply chains is taking a long time
- Staff who were once available at a vendor are now fighting on the front lines
- Israeli company support channels affected by the war: staff and support no longer available
Dave also shared details of the latest ACSC annual threat report, which observed more incidents and greater impacts nationally. Exec talking points are attached to assist with briefing boards.
On Wednesday 11th October, we held our CIO Cyber and Risk Network roundtable in Sydney. The CIOs received a TLP:RED briefing from a government agency on what this agency is seeing online from both criminals and nation state actors, as well as how adversaries are using AI as a force multiplier. (TL;DR: "It's not Skynet, it's just a bunch of people who can do stuff faster.")
David Cullen from CISO Lens delivered a session on lessons learnt from the 2019 Victorian hospital ransomware attack. Also, a guest security executive from a large organisation which had suffered a recent public breach shared their perspectives on the aftermath of an incident and what that means for the staff of the company.
One of the CIOs shared the results of a red team exercise conducted against the company’s 100 most senior executives. The data from this exercise helped the executives realise that they were an easy way in, and that they needed to tighten up their policies and practices.
The CIOs also spoke about cyber insurance, Microsoft’s performance as a security vendor, and which vendors are producing good awareness content.
Some Key Takeaways
- All tech projects should include a 10 percent allocation for security. This allocation should be for: time, effort, cost, and headcount. Some projects may be less, some will be more, but 10 percent for all projects should equal out over time.
- If a platform or service is important, it must have multi-factor authentication (MFA).
- Phishing is a key avenue of attack for most organisations, so the HR consequences of failing phishing simulations need to be agreed on and adhered to. One participant shared that after two failed phishing simulations, the failures became a component of the staff member's performance review; after three failed simulations they became a key component and could result in no pay rise and/or no performance bonus.
On our call this month, the participants shared their various approaches to vulnerability management:
- The discussion centred on both their own patching policies (including the different SLAs for Critical and High versus Medium or Low, and for internet-facing versus internal systems) and their concerns around hidden vulnerabilities in SaaS providers.
- This moved into a discussion on how the participants went about assuring themselves on alerts, and ensuring that filtering out false positives did not inadvertently discard important alerts.
- One of the participants shared a recent incident where a staff member's access had been compromised via an emailed QR code, and the resulting effects within the organisation.
- This moved the conversation into a discussion on awareness training, and another of the call participants shared that they were running an intensive campaign against their executives ahead of a leadership offsite so they could present the results at the offsite.
- We also spoke a little about the incident below, and will carry it over to the next call to discuss it in more depth.
– ‘Microsoft’s slow outage recovery in Sydney due to insufficient staff on site’, DCD, 4th September 2023
This month on our call, the discussions were focused on:
- AI and business impact, experiences and perspectives. From the discussion, it appears that most organisations are still working out how best to use LLMs (like ChatGPT). There was general agreement that putting a popup on the screen when users went to the OpenAI website to warn them against posting sensitive information was a pragmatic approach. The AI discussion was in response to one of the CIOs being asked to brief their board on this AICD discussion paper.
– What Are the Risks of Artificial Intelligence?
– A Voice Deepfake Was Used to Scam a CEO Out of $243,000
– What is WormGPT? The New AI Behind the Recent Wave of Cyberattacks
- Changes in Zoom's terms and conditions and what this could mean for sensitive calls. It was noted that enterprise customers are apparently being given the option to turn off Zoom's monitoring of their calls; but this raised the question of how a third party on the free version would be treated when on a call with an enterprise user. It seems reasonable to assume that the enterprise version's settings would take priority, but this is an assumption.
– Zoom’s Updated Terms of Service Permit Training AI on User Content Without Opt-Out
- A brief discussion was also had on Microsoft security on the back of a threat actor, alleged to be Chinese, managing to forge authentication tokens.
– Schneier On Security: Microsoft Signing Key Stolen by Chinese
- An extensive conversation about the HWLE data breach, and specifically around the government response to this.
- A brief discussion on the corporate use of a keylogger in a recent case in Australia.
– IAG Used Keystroke Logging to Investigate Productivity of Remote Worker
This month on our call, the participants:
- Shared their organisations' responses to ChatGPT. Depending almost entirely on the nature of the business, ChatGPT was either blocked outright, or was permitted but with cautions not to paste sensitive information into it.
- Discussed their views on the efficacy of third party assessments. Various approaches were shared, ranging from including the right to audit in contracts, through to ensuring that the most senior stakeholders were aligned that the business would not use a supplier which did not pass a security assessment.
– “Not doing a third party assessment is worse than doing one and relying on it.”
– "It's hard enough to bring Shadow IT into the IT tent, never mind getting them up to our cyber security requirements."
– UpGuard was mentioned by some of the call participants as the platform they used to help with third party assessments; while noting that it is still very manual.
- Briefly discussed their views on cyber insurance.
Resources mentioned in the call:
- ‘OpenAI Sued Over “Unprecedented” Data Scraping, Use of Personal Info’, The Fashion Law, 29th June 2023.
- ‘Takeaways from the Optus and Medibank data breach class actions’, Allens Linklaters, 7th June 2023. “In all of the claims, the fact that a major data breach occurred is said to support an inference that the defendant’s data-handling and cybersecurity systems and controls were inadequate.”
- Optus data was caught up in the HWLE breach, because the OAIC used HWLE for advice relating to Optus
On our June call, the CIOs spoke about:
- Various approaches to identity management. Many relied heavily on Microsoft and leveraged their HR team to understand who needed to be onboarded and offboarded.
- Role agglomeration and/or over-provisioning could be an issue depending on the nature of the organisation. Striking the balance on when to put a contractor through the HR system and when not to was another issue; bypassing the HR process only works when it is the exception to the standard process.
- MFA is being used extensively within organisations. Texts to mobiles were felt to be the mechanism that most external users were comfortable with, but internally it was predominantly authentication apps, with one organisation rolling out FIDO devices (specifically, Yubico's YubiKeys).
- Use of Windows Hello was limited, and none were looking with any intensity at passwordless options.
This month was a fantastic face-to-face session and the feedback from all attendees was extremely valuable. A summary of our discussions:
- Matthew Smith, Assistant Director General, Incident Management, Australian Cyber Security Centre, provided a TLP:RED industry briefing on the state of cyber crime, ransomware and state actors. Matthew also provided some insights into how the ACSC's role is evolving and what their plans are to support Australian organisations.
- The CIOs and guests then discussed the pre-approved structures each organisation has in place in order to respond effectively to any cyber threats.
- A topic of conversation that was not on the agenda was third party risk; this was also discussed in detail, in particular around the visibility that the ACSC is giving it.
- Everyone around the table shared what was working for them and their organisations. In particular, there was a lot of sharing of the vendors and services the CIOs were using and whether they would recommend engaging with these providers.
There was another agenda item that was flagged, but we ran out of time: 'what is your criteria to recommend to your business to re-engage with a supplier that may be experiencing a security incident'. We will add that to next month's agenda.
In summary of today’s call, the CIOs spoke about:
- Various approaches to integrating networks (e.g. via M&A) and how the call participants have done this in the past.
- Some of the preliminary lessons we’re drawing from the Latitude breach.
- A key issue is external comms and the consensus is that it’s important to get information out to customers as quickly as the information is going to any potentially public third parties (e.g. the stock market).
- Another important lesson from the Latitude breach is to review how all third party service providers are connecting into enterprise networks, and to ensure that these connections are as tight as possible in case the third party service provider is compromised.
- ChatGPT continues to be a challenging topic. Staff want to use it, but this either means pasting sensitive company data into ChatGPT, or it means training the staff to understand that the answers provided by ChatGPT may not be accurate. We also discussed Microsoft’s Copilot.