"If your incident response plan didn’t provide for an instance of home working, then you plan was lacking."
Greg van der Gaast, Head of Information Security at the University of Salford talks to Jeremy Swinfen Green about home working and how this isn’t, or shouldn’t be, a risk that is new to security professionals.
Greg van der Gaast will be speaking at the teissR3 | Resilience, Response and Recovery summit taking place online, 15 - 24 September.
This year, the very popular teissR3 event focuses on how to improve your organisation’s cyber resiliency and adopt best-practice in incident response and crisis management in a post-COVID-19 world. Space is limited. Register your free place by clicking here.
So my next question to you is about some Incident Response playbooks. And I'd like to know how Incident Response playbooks should be rewritten in the light of this pandemic we're all going through at the moment. What effect will the increase in the home working have on its incident response generally?
I don't think they should be rewritten. It seems like everything in security over the last few months has been how we have to change for COVID. But it seems-- like, COVID to me has been an extension of home working. You know you've got to ramp up your PN capability. You've got to ramp certain things up.
But if your Incident Response planner didn't provide for an incidence arising from a home worker, as it was, then I would say your Incident Response plan was lacking. That's not necessarily a COVID recommendation. Yes, the likelihood of that incident scenario has increased, but you should have always had an incident response plan from a remote worker.
And, sure, the phishing will be more focused on COVID scams. But, you know, during a tsunami, it was more focused on tsunami scams. That's just par for the course. It's literally making fun of that.
A lot of vendors are saying there are a 400% increase in COVID phishing emails since the start of COVID. It's, like, yeah, well, obviously. There was a lot more hang gliding incidents since the invention of hang gliders. But, you know, it's just, you know, obviously, but you know the overall amount of phishing, I don't-- I haven't seen a significant increase. The people I speak to overall haven't seen-- it's just a theme has changed.
So the issue then isn't so much playbooks. It's about making sure that people who are new to home working, remote working, are adequately trained and informed.
Yeah, yeah, I think-- and you should have had, as part of your home working policy, you know, you should have had the training to begin with. It's just now going to apply to a lot more people. And it might be a good time to revisit it and resharpen it a bit, obviously, because of the increased likelihood of that particular risk. But I don't think it's as game-changing as people are making it out to be.
OK. Well, thinking about that then, is the pandemic having any effect on the root causes of breaches? Obviously, you're saying that in terms of phishing, for instance, it's just a different theme. But are there new vulnerabilities that are coming to light because of the pandemic or is it just more of the same?
I think it's been more of the same for about 25 years, to be honest. This is-- I've been quite adamant about this, and this is my personal brand. I've been doing this for 22 years. I'm not seeing the root causes change at all.
And every time it's a sophisticated nation-state attack. In the industry chats on Whatsapp or whatever, 20 pounds says it's SQL injection from 1998. Everything has to be deemed, you know, oh, it's, you know-- it's-- everything is sophisticated and scary and highly, highly complex. No, it's the same.
It's buffer overflow. It's unpatched vulnerabilities. It's people that have machines they didn't know about or code on their machines they didn't know about or didn't inspect or a third-party supplier they didn't vet. It's always the same things. It's always the same things.
And we just-- we just don't focus enough on the root causes of those things. I mean, if you look at all the big breaches-- and I think we'll get to this in your next question-- but it's all basics. It's all a lack of asset management, lack of architectural standards, poor patching processes, things not being patched, code not being reviewed. It's pretty much those four or five basic things that just come back and account for 95% of breaches.
And yet the human element, which phishing is probably more prominent now than it ever was in the past, but they usually feed into those things. You know, the attacker will get a foothold, and then it spreads throughout the network because those things have been neglected. But it's been the exact same things.
And it's why I really believe the most important thing you can do consistently, not a point in time, but make sure you're doing them and doing them everywhere, and that requires a huge level of business engagement and interaction and, in many cases, influence because they're not necessarily happening in places that are security's job. You will have to influence projects. You will have to influence IT. You will have to influence business processes. But if you can get that done, then you prevent all those things.
And I really haven't seen much change over the last 20 years. A lot of hype, a lot of hype, a lot of new AI, and this and that. But, fundamentally, if you dig deep enough, it's the same stuff.
That's good-- that's good to hear and perhaps is not frightening. But I just wonder, are the issues around the scale of what's happening-- if you suddenly have 95% of your organisation working remotely, is there a danger that certain things just get overwhelmed because you haven't necessarily planned for that change in scale?
See, I think-- I mean, you should have had-- organisations should have the ability to manage assets remotely. And this is what a lot of people are waking up to. Like, oh, we have no way of updating our patching devices when they're off the network. Oh, we don't have enough VPN capacity. But, you know, stuff like VPN capacity, that was sort of in the first week.
We need to buy more licences. We need to upgrade the kit. That's not technically complicated. But did you have a VPN? Did you have the capability of working remotely?
Were your processes-- was home working integrated in your processes? If it was, then it shouldn't really matter. Yeah, there's a question of ramping it up, but everyone's ramped up now. It took no more than a month. So I think we can stop harping on about there being different causes to breaches because of COVID because we've not seen a COVID-related breach, have we?
No, that's quite true, unless-- unless the CISO has gone down with the pandemic, I suppose.
Yes, there you go.
OK. My last question to you, Greg, is a fairly simple one. Does incident prevention always have to cost a large amount of money? What can you do on a limited budget?
See, I hear this a lot. I think it's a great question. And it boggles my mind, to be honest, because I see this trend. That I see more and more CSOs and every, like Gartner and other survey that I see, moving away from prevention and into detection and response.
So what we're doing is, we're not going to bother locking the doors anymore. But we're going to spend a fortune on alarm systems. And that just doesn't make sense to me.
But everyone sees it the way you posed the question of, it's too expensive to do prevention. I'm, like, what do you mean? Because it's far cheaper.