NQ Blog – December
Your Company Has Been Hacked. Will You Respond or React?
by Chip Mesec, Senior Product Manager, NetQuest Corporation
Breathe and Think
Reading about the U.S. Treasury and Commerce Department hacks on Krebs on Security got me thinking about the panic going through the minds of the SIOs across the world. In fact, it made me sad to think of what their holiday season will be like, having to deal with a hack of this magnitude in addition to COVID-19, year-end pressures, the economy, and other demands on their time. Companies in the business of securing IT systems, as we are, share customers. There is a mindset in all of us:
We’re the good, fighting against the evil underground hordes!
This hack is so sophisticated that the SolarWinds Orion software, which is used to manage IT systems, did not have a vulnerability. It appears that the hack was built in as a trojan by the Russians – which changes the game entirely. It is always easy to blame a single company, but SolarWinds is a wonderful company and creates a great set of products that are respected in the industry. When you are dealing with hacks of this level of ingenuity, you go through your mental list of what could have been done to prevent the intrusion in my company, my code, my systems – have we done enough?
Watch Dogs for Watch Dogs
All of this gets me thinking about how intelligence groups have operated throughout history: the group that watches the enemy, the groups that watch the groups that watch the enemy, and so on. My first inclination is to create a group to watch IT, and a group to watch them. It all fizzles and begins to look like the script for a Mel Brooks movie about a government coup in a small Eastern European country.
Analysis or Rabbit Hole?
When you do the analysis, it’s not long before fear creeps in. If you can choke that down, there are some positive learnings that we can gain from this exercise.
- We as human beings have become very good at risk reduction and mitigation – it is built into our DNA – flight or fight, go around the long way, wear your seatbelts.
- We perform risk vs. reward analysis very quickly – What is vulnerable? Who had access? How far do I go back to get a clean system? What was taken and how do I get it back? What is the number of my lawyer?
What Ifs and Worst Case
Here are some things to think about that may open your mind to think outside the box with respect to security and worst-case scenarios.
- How would you operate your business if every piece of software you used was vulnerable or being manipulated – how would you survive?
- Is there a zero-trust model that you could put in place so that every action within your IT framework provides a high degree of confidence?
- How do you create a test to validate or invalidate your assumptions?
Another way of looking at it…
- What if I ran a bank and all the tellers were thieves?
- How could I get to work if my tire gets flat every 5 miles?
I do not have a magic potion or a product which will drop in and cure your ills – there is no company that can offer that. But when dealing with the “first of its kind” type of seminal hacks, it opens your mind to solving difficult problems and that is why most of us got in the business.
Consider it on-the-job training.