C I A
That got you interested, didn't it?
Alas, we are not talking about the Langley, Virginia based intelligence service tasked with 'gathering, processing, and analyzing national security information from around the world, primarily through the use of human intelligence'.
What we are talking about is the well-established security model, usually called the CIA triad: Confidentiality, Integrity and Availability, considered by most to be the core components of security.
Now please don’t go to sleep or go back to your online banking to see how long you have in January before the coffers run dry, for we have much to report! As we mentioned in last week’s somewhat self-indulgent back slapping exercise:
‘As those of you trawling the security news over the festive period will no doubt be aware, there has been little reported on the standard channels. We all know that the bad boys will not have downed tools in favour of mince pies so expect a flurry of activity when everyone wakes up.’
Well wakey-wakey. They have, so buckle up.
Confidentiality. We all know this is about keeping stuff secret, right? Well, sort of.
Confidentiality is about deciding who should have access to specific pieces or sets of data, large or small; defining the rules for accessing that data (who, when, why, what, and how much); enforcing those rules; identifying breaches of them; and measuring and reporting appropriately.
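To make that list concrete, here is an added example (our illustration, not anything from the news items below) of a small policy engine that covers each step: rules stating who may read what, when, and how much; enforcement of those rules on every request; an audit log; a detector that flags users racking up repeated denials (what a probing insider or a stolen credential looks like); and a summary report. The roles, classification labels, limits and user names are constructed assumptions for a hypothetical firm.

```python
"""Toy confidentiality policy engine: who / what / when / how much, enforced,
with breach detection and reporting. Constructed example, not production code."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Rule:
    """One rule: role (who) may read classification (what) between
    start_hour and end_hour (when, 24h clock) up to max_reads_per_day (how much)."""
    role: str
    classification: str
    start_hour: int
    end_hour: int
    max_reads_per_day: int


# Constructed policy for a hypothetical firm; roles and labels are assumptions.
POLICY = (
    Rule("litigator", "confidential", 8, 19, 50),
    Rule("clerk", "internal", 8, 19, 200),
    Rule("auditor", "confidential", 0, 24, 500),
)


@dataclass
class AccessMonitor:
    policy: tuple = POLICY
    audit_log: list = field(default_factory=list)
    reads: Counter = field(default_factory=Counter)  # (user, date) -> permitted reads

    def _matching_rule(self, role, classification):
        return next((r for r in self.policy
                     if r.role == role and r.classification == classification), None)

    def request(self, user, role, classification, when: datetime) -> bool:
        """Enforce the policy for one read request and record the outcome."""
        rule = self._matching_rule(role, classification)
        if rule is None:
            reason = "no rule grants this role access to this classification"
        elif not (rule.start_hour <= when.hour < rule.end_hour):
            reason = "outside permitted hours"
        elif self.reads[(user, when.date())] >= rule.max_reads_per_day:
            reason = "daily read limit exceeded"
        else:
            reason = None
        allowed = reason is None
        if allowed:
            self.reads[(user, when.date())] += 1
        self.audit_log.append({"user": user, "role": role, "label": classification,
                               "time": when.isoformat(), "allowed": allowed,
                               "reason": reason})
        return allowed

    def suspicious_users(self, denied_threshold: int = 3) -> list:
        """Identify potential breaches: users with repeated denied requests."""
        denied = Counter(e["user"] for e in self.audit_log if not e["allowed"])
        return sorted(u for u, n in denied.items() if n >= denied_threshold)

    def report(self) -> dict:
        """Measure and report: request volume, denials, and why they were denied."""
        denied = [e for e in self.audit_log if not e["allowed"]]
        return {"requests": len(self.audit_log), "denied": len(denied),
                "reasons": dict(Counter(e["reason"] for e in denied))}


def demo() -> AccessMonitor:
    """Constructed traffic: one legitimate read, then a clerk repeatedly
    trying to open confidential files he has no rule for."""
    m = AccessMonitor()
    t = datetime(2019, 1, 7, 10, 0)
    m.request("alice", "litigator", "confidential", t)                  # allowed
    m.request("alice", "litigator", "confidential", t.replace(hour=23))  # out of hours
    for _ in range(4):
        m.request("bob", "clerk", "confidential", t)                     # no rule
    return m


if __name__ == "__main__":
    monitor = demo()
    print(monitor.report())
    print("suspicious:", monitor.suspicious_users())
```

The point of the `reads` counter is the "how much" part: a litigator who is entitled to read confidential files one at a time is not entitled to bulk-export the archive, and a per-day cap plus the denial log is the cheapest way to notice that happening. Real systems would key the log to an immutable store and feed `suspicious_users` into alerting rather than calling it by hand.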
Despite the massive forces deployed to keep it out of the news after the initial exposé, you will all remember the Panama Papers scandal of 2016, in which 11.5 million documents from Panama based, totally scrupulous, not at all shady, nothing to see here guv, lawyers Mossack Fonseca were leaked.
This week, the hacker group (collective/swarm/drift/sounder) 'The Dark Overlord', mwahahahaha, has threatened to leak 10GB of encrypted litigation documents relating to the terrible events of September the 11th 2001, hinting that they contain revelations.
Opportunistically playing on the conspiracy theory, to which we do not subscribe, the positioning of the value of this data and the outing of the sources ('major global insurers like Lloyd's of London and Hiscox, but also Silverstein Properties, which owned the World Trade Center complex, and various government agencies') puts the hackers' targets in a very tough place. If they pay, what are they hiding? If they don't, it is probably time to put a book down the back of their trousers. Time will tell.
Law firms, consultancies and all other third-party suppliers to your business will have different retention and archiving policies than you do and may not be terrifically proficient or diligent at data security, as these events illustrate. Only the biggest businesses have the clout to insist on how their data is managed by third parties and even then, probably audit the supplier once in a blue moon.
Breaches via third parties present a massive risk to every business. This risk should be managed. Our very own esteemed William Kilmer Esq. wrote this excellent piece on the subject – well worth a few minutes of your time.
ITC's Cyber team have launched a third-party risk management service which, supported by our razor-sharp team of advisors, can really make a difference. Please contact us to discuss; it is an issue for everyone and has regulatory implications, not least the dreaded GDPR, about which you will of course have been spammed and FUD-marketed for the last few decades (at least that is what it feels like; we really try not to do that).
Integrity is a tricky one. Defined by sages as 'involving maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle', there are good examples of why this scope needs to be broadened to include the programs and systems which you provide to customers, suppliers and the public.
Looking back, you will recall the monster British Airways breach, in which the integrity of its website was compromised by injected JavaScript: a Magecart-style card skimmer served from the site's own payment pages, so that every customer's browser ran attacker code while the site itself looked untouched.
You will also know all about 'malvertising', where advertising content served up by third parties via a broker might contain malware. Does this represent a breach of the integrity of the host site? We think so. If you serve advertising content on your sites, we urge you to have a chat with these people, who can make your world a better, less risky place.
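The practitioner's check for both the BA and malvertising cases above is the same: know exactly what script bytes your pages hand to visitors, pin them, and alarm when they change. Here is an added example (ours, not code from BA, ITC or any vendor) that computes Subresource Integrity values of the `sha384-...` form the browser's `integrity` attribute expects, builds the tag, and then re-verifies a later fetch against a pinned manifest, catching a script that has had a skimmer appended. The URLs, script bodies and the appended snippet are all constructed for the illustration.

```python
"""Pin third-party script contents with SRI hashes and detect tampering.
Constructed example; URLs and script bodies are made up."""
import base64
import hashlib


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value ('<algo>-<base64 digest>'), the format
    browsers accept in the integrity attribute of <script> and <link>."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src: str, body: bytes) -> str:
    """Emit a <script> tag pinned to the reviewed body; a browser refuses to
    run the script if the fetched bytes no longer match the hash."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def verify_manifest(manifest: dict, fetched: dict) -> dict:
    """Server-side re-check: compare currently served bodies against pinned
    hashes. Returns {url: 'ok' | 'MODIFIED' | 'missing'} for every pinned URL."""
    results = {}
    for url, pinned in manifest.items():
        body = fetched.get(url)
        if body is None:
            results[url] = "missing"
        elif sri_hash(body, pinned.split("-", 1)[0]) == pinned:
            results[url] = "ok"
        else:
            results[url] = "MODIFIED"
    return results


# Constructed sample: two third-party scripts as they were when reviewed ...
ORIGINAL = {
    "https://cdn.example/lib.js": b"window.lib = {ready: true};\n",
    "https://cdn.example/analytics.js": b"track('pageview');\n",
}
# ... and what a later fetch returns. analytics.js has had a form-stealing
# line appended (constructed stand-in for a Magecart-style skimmer).
FETCHED_LATER = {
    "https://cdn.example/lib.js": ORIGINAL["https://cdn.example/lib.js"],
    "https://cdn.example/analytics.js":
        ORIGINAL["https://cdn.example/analytics.js"]
        + b"document.addEventListener('submit', e => sendElsewhere(e.target));\n",
}


def demo() -> dict:
    """Pin the reviewed bodies, then verify the later fetch against them."""
    manifest = {url: sri_hash(body) for url, body in ORIGINAL.items()}
    return verify_manifest(manifest, FETCHED_LATER)


if __name__ == "__main__":
    for url, body in ORIGINAL.items():
        print(script_tag(url, body))
    for url, status in demo().items():
        print(f"{status:9} {url}")
```

Two caveats worth stating. SRI in the browser only protects resources you reference with a pinned hash, so a script that is allowed to change on every release must be re-pinned as part of the deploy, or the pin gets dropped in frustration. And the hash has to cover what is actually served, including first-party files: an attacker who can edit a script on your own origin defeats a manifest built from the vendor's copy, so `verify_manifest` should be run against live fetches of your production pages, with a Content Security Policy as the second line of defence.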
This week we are being warned about mobile devices being shipped with malware built into apps. The management of mobile devices accessing your data (see above) and the viability of Bring Your Own Device going forward will present interesting challenges.
ITC doesn’t offer mobile solutions but some of our very best friends are total experts in this area and jolly nice people to boot, we would be happy to introduce you.
Availability is surely the most obvious of the CIA triad (mwahahahaha). Of course it is, but the causes of a lack of availability (up == 1, down == 0) are a very broad church indeed.
This week saw a massive outage at the data centre behemoth CenturyLink, whom we have long suspected of going to work by horse, which took out a large part of its network, including 911 emergency service in several US states.
After the 48-hour (plus) outage, CenturyLink sent a message to its customers which reeks of bovine rear-end output, blaming a single faulty management network card.
Even with the massive and largely acquisitive growth of the cloud world, there should be no way at all that management traffic can break production; we suspect 'polling' in that message should read 'policing'. Looking at the timings, this has a whiff of a change gone badly wrong about it.
What do you think? Answers on a postcard please. Maybe they should have engaged better plumbers?
In a totally different outage, this week saw a number of US newspapers taken down by malware. Revenge, profiteering by preventing the supply of data, who knows? Maybe they were CenturyLink customers?
Somewhat unbelievably, we also saw the US Government's NIST Computer Security Resource Center site deliberately taken offline because of funding issues. As a go-to site for businesses and individuals the world over, this is nothing short of demented.
Yes, yes, you can see just how nerdy our tabs are.
The point to make here is: what is critical?
We will be discussing this in next week’s blog and might even bang on about the subject at our annual security conference, which will be held on Thursday 31st January 2019 at Grace Hall on Leadenhall Street in London.
The format is different this year, in that we will be running a live breach masterclass for your entertainment and education. Don’t miss it, register your interest here.
In summary, Confidentiality, Integrity and Availability are all crucial. Only by understanding the impact that a failure in any of these areas would have on you or your business can you effectively prepare, defend and manage.
Obviously we would love to talk to you about any of the content of this blog, especially if you have made it this far down. You can reach us at: [email protected] or 020 7517 3900.
Happy New Year to you and yours.