Round table discussion: Cyber-resilience in an age of ransomware

Dell Technologies hosted a virtual round table discussion with experts from across the public sector and semi-states to explore organisational cyber-resilience in an era of increasingly sophisticated and frequent ransomware attacks.

To what extent has the necessity for increased remote working enhanced cyber-preparedness across organisations in Ireland?

Tom Digan

The last 18 months have been both an unpredictable and challenging time for organisations as they pivoted their workforce to almost 100 per cent remote working. Not only have the perimeters of IT changed for organisations but many have also sought to accelerate their digital transformation projects, which has increased the attack surface for bad actors, through the adoption of cloud and other emerging technologies. In addition, there is a recognisable skills shortage when it comes to cybersecurity, evident even before the pandemic, hence highlighting the importance of automation through leveraging cutting-edge technologies such as artificial intelligence and machine learning. I believe organisations need to develop a mindset based on automation first for both prevention and recovery, where possible, to deal with the ever-increasingly sophisticated threats.

Donna Creaven

The blended model of working has altered cyber preparedness. It is a similar scenario to the emergence of mobile phones, laptops and tablets; however, I believe working from home has increased the levels of risk attributable to humans. I think the destructive and disruptive nature of attacks is more impactful with people working from home and so there is a greater need for risk management and security around processes. It is impossible to keep up with the scale of the attacks and I think organisations need to change work practices to cater for the expected levels of remote working but also to update incident plans to respond when an attack does happen.

Bruce Hopkins

The rapid nature of the shift to remote working en masse created a situation whereby those who did not have the basic technology to transition smoothly were forced to focus their attention in the early months on getting operational, rather than on the value-added controls from a security perspective. We were fortunate in that we had the capacity and a good starting point to focus on security controls but the migration of staff to remote locations was and remains a security challenge. Something we had to address was how the changed work environment created a different dynamic in how people use their computer, with some people transitioning from their workday to their leisure time without realising that the use of additional services on your laptop can lead to additional risks.

Paul Rochford

The rapid movement of people to working remotely has extended the corporate boundary. As well as the increased threats that come with extending infrastructure and software to people’s homes, there are also enhanced risks associated with simple things like printing and knowing where that document will end up. Those same risks apply for third parties that may be doing offshoring, who are also likely working from home. Remote working not only increases the threat but also presents challenges around response. Where previously you could expect a ‘war room’ type response in the office, you now have to consider that key people might not be available. Despite the increase in risk, most organisations have handled the mobilisation of the workforce quite well through policy updates and awareness.

Liam Stewart

We found that the need for greater levels of remote working presented many opportunities from a cybersecurity perspective. Technologies we had previously struggled to introduce or that staff were not receptive to, such as multi-factor authentication and VPN connections from remote locations, suddenly became the norm. The move to remote also helped us focus our attentions and policies on things like where data was being stored, the need for encryption and who was actually logging on to the network. Additionally, we were able to take an existing cloud video conferencing solution and expand it to the point where we have now actually got rid of over 100 telephone systems across the organisation and removed most handsets across 140 sites.

“To date many organisations have spent heavily on prevention and underinvested in recovery capability.”
Tom Digan

Currently, what are the major threats to an organisation’s cyber-resilience and where are these threats originating from?

Bruce Hopkins

To some extent, the threats are consistent in that email remains the main method and while there are multiple reasons, the most prominent is the expected generation of money (ransomware). In our experience, as a provider of critical infrastructure, we see custom-designed pieces of malware coming our direction, be they random or targeted. The random attacks tend to be predictable to some degree in that there is a consistent and constant level of traffic, but a targeted attack is much less predictable and can be much more difficult to counter. My number one concern is an attack which has been created specifically for your organisation and where the attacker may have an understanding of your defences.

Tom Digan

There is often a misconception that cybersecurity and cyber-resilience are the same thing. Cybersecurity describes a company’s ability to protect against and avoid the threat from cybercrime, i.e. prevention, while cyber-resilience focuses on the ability to prepare for, respond to and recover from a cyberattack. To date many organisations have spent heavily on prevention and underinvested in recovery capability. With an increase in ransomware attacks, we are also seeing an increase in ransom demands being paid because organisations do not have confidence in their ability to recover and resume business operations quickly following a successful cyber breach.

Donna Creaven

The greatest threat to organisations is outdated business continuity plans, whereby businesses are ill-prepared for withstanding an attack and the levels of disruption caused by an attack. The inability to keep up with the sophistication of attacks is a real threat.

Liam Stewart

The first major threat is technological obsolescence. There is a lot of old technology out there, particularly in the public sector, and recovery of some of those systems would be very difficult. The second is technological complexity. Technology is currently more complex than it has ever been, networks are more complex than before and when you add the cloud on top of that, it begs the question do we really understand our own systems? That understanding is needed if you are going to recover from a cyberattack successfully.

Paul Rochford

Understanding how your systems integrate with each other is critical, otherwise you are faced with a major knowledge gap when a major incident does occur. Also of critical importance is that organisations know their ‘minute zero’ actions. What you do right away could be the difference between triggering something or preventing something. The expectation by many that the cloud is a silver bullet, where everything is secure, backed up and recoverable is also a risk. It can be, but only if you pay for it, put controls in place and understand what it is you are putting up there. If you don’t, then you can expose yourself very quickly.

I view ransomware as the greatest threat; however, an interesting development is the emergence of human-driven ransomware, where people at the end of a keyboard are in your network for days and weeks understanding your patterns before pulling the trigger. Realistically, recovery from this kind of attack can take weeks, time which not many organisations have, and so business continuity plans and playbooks need to be refreshed. I would suggest from a resiliency perspective that organisations classify their critical applications to prioritise asset protection and recovery.

What are the most common cybersecurity misconceptions you would like to see dispelled?

“My number one concern is an attack which has been created specifically for your organisation and where the attacker may have an understanding of your defences.”
Bruce Hopkins

Paul Rochford

The longest standing misconception is that information security is IT’s problem. It is not, it is a business problem and slowly businesses are starting to realise that information security is a business enabler. Another misconception is that to be compliant means that you are secure. Compliance is not security; it feeds into security but it is important to make the distinction. Lastly, it is often said ‘we have backups, we can recover’. Unless you have really tested those backups in anger and know what is on them then they can’t be relied upon. Your processes must be robust if you are going to have to rely on your backups.

Donna Creaven

Common misconceptions that I have encountered are that only big companies will be targeted, that antivirus is fully protective, that cyberthreats are always external and that cybersecurity is an IT issue, all of which are untrue. Additionally, I often hear that cybersecurity is expensive to deploy and maintain. Cybersecurity is critical to your business, and it needs investment.

Tom Digan

Reliance on backups as a recovery plan is a common misconception. Studies show that when hackers breach an organisation’s network, their average dwell time in the network is approximately 200 days. What are they doing when they get inside the network? In many cases their first target is the backups, with a view to taking out the backup infrastructure and compromising the integrity of the backup data; therefore backups alone will not give you immunity from ransomware. Another misconception is that cyber threats come from external actors, but there is a noticeable increase in insider threat. An attack from a trusted insider, who typically has privileged network access to critical applications and data, can be the most destructive type of attack, and is also hard to defend against. Finally, there is the misconception that disaster recovery is cyber recovery. If bad actors breach a network, it is likely that any infection will be replicated from production to the disaster recovery site. Cybersecurity recovery must be in place alongside disaster recovery plans.

“I would suggest from a resiliency perspective that organisations classify their critical applications to prioritise asset protection and recovery.”
Paul Rochford

Liam Stewart

I agree that compliance with standards is no substitute for understanding security issues on your network. I would also emphasise the point that antivirus does not protect from ransomware. OPW has not used antivirus software for four years, after a ransomware email made its way through three different types of antivirus software and encrypted servers; we now use a different solution.

“Compliance with standards is no substitute for understanding security issues on your network.”
Liam Stewart

How can organisations better mitigate ransomware or other cyber-incident threats?

Donna Creaven

Cyber awareness is about preventing social engineering and knowing how to respond. There are a range of measures, such as backing up and testing your restores, which need to be included in business continuity plans. However, I think there are measures that can be taken earlier in the form of security-by-design. There is a direct correlation between ICT infrastructure management, cyber hygiene and good governance, so organisations need to take a more holistic approach and understand the interdependencies between different systems and business operations.

Bruce Hopkins

By joining the dots. Many organisations have various multi-layer controls throughout their overall IT environment in the form of infrastructure, applications, and awareness training. Some, like ourselves, will also have 24/7 security incident monitoring in place. The last 18 months have seen a rise in activity and a rise in incidents, so, while we had the tools in place, we have also seen the value of getting the human intelligence into the conversation. That means pulling together the information from our automated toolkit and assessing that alongside the email alerts or instant messages from staff to get a better understanding of the daily threat landscape. We aim to see what is happening from an end user experience but with the hindsight of what might be happening elsewhere in the organisation, to ensure that we are directing our resources to the correct area.

Tom Digan

From a recovery perspective, there is no shortage of recommendations from the US and the EU following some recent high-profile attacks. Emerging recovery recommendations have centred around protecting the backup system, in particular making a secure offline copy of backups that is isolated away from the attack surface, having immutable copies, and then utilising anomaly detection capability to look for things such as encrypted files in the backup data. At Dell Technologies we have been a market leader with six years’ history of protecting organisations’ most critical data, and our proven approach aligns with all of the industry’s emerging and best-practice recommendations.

“The greatest threat to organisations is outdated business continuity plans, whereby businesses are ill-prepared for withstanding an attack and the levels of disruption caused by an attack.”
Donna Creaven

Liam Stewart

A full asset register of devices, services and datasets on your network is critical. So too is knowledge of all entry and egress points, including an understanding of third-party access to your network. In OPW we have found it very useful to have good monitoring and alerting tools, to the point where we know in real time when someone changes a file name or has multiple log-in attempts, because these are known characteristics of malware attacks. Finally, I would say that it is important to keep on top of the privileged accounts in your network and understand the accesses they have because that will also determine your response.

Paul Rochford

The most fundamental mitigation, but also one of the most basic, is user awareness: enabling users to recognise unusual behaviour indicators and have the confidence to report them. Mitigation is often not about having the latest and greatest toolkits; many organisations have capabilities in their environment right now to severely reduce the impact of ransomware. One example is around privileged and service accounts, because reducing unnecessary privileges across your organisation will go a long way to reducing exposure. There is very good guidance available to organisations and what I would suggest is not only to benchmark your organisation in relation to the guidance but also to regularly test and understand how your infrastructure will respond in the event that someone is in your environment and trying to deploy ransomware.

What are the most successful methods of recovering from a cyberattack with confidence?

Tom Digan

The first step is to accept that you need to prepare for a successful cyberattack, and that starts with having a recovery strategy. That typically involves protecting the backup systems, but it all starts with creating a business case for investment to create recovery capability. At Dell Technologies we built our first cyber vault solution six years ago following the high-profile Sony attack, and have been evolving that solution since 2015. Our approach is to work with customers to identify the critical business services, applications, and datasets that make up what we call the minimal viable corporation. That data is locked away into a cyber vault; we then isolate that critical backup data and make it immutable, protecting it from external bad actors and also insider threat. We then scan every file and database looking for indicators of compromise. We leverage AI, machine learning and forensic tools to detect, diagnose and accelerate data recovery with a clean copy of backups, allowing companies to effectively recover in a risk-free manner.

Liam Stewart

Identifying the subset of the critical services you need to run your business is crucial. Immutable backups are very important but that goes beyond data. Looking at the HSE attack, they lost their email and telephony system. If you are an organisation dependent on fixed line telephony for example, then you probably need to be thinking now about moving to a cloud-based system.

Donna Creaven

To recover with confidence, you need to prepare in advance. Having visibility of your systems, your asset register and understanding your critical services is crucial.

Paul Rochford

Having immutable backups is one of the only ways you can recover with confidence, especially in the era of ransomware. Having immutable backups offers the opportunity to have a clean point to build back from, focusing on your critical assets and then aligning other services. However, having the clean data is irrelevant unless you know how to recover from that point. Business continuity plans need to be focused on prioritising what can be recovered, if it is to be done with confidence. It is important to say that this is a business decision, not just an ICT decision.

Bruce Hopkins

I think it is important that everyone in the organisation knows their role in terms of an overall response. Currently I have a paper copy, a soft desktop copy and a SharePoint-synchronised copy of our incident response checklist. If our internet was to go down, we would all have the latest version, ensuring that across the business we start the response as quickly as possible. IT security and cybersecurity are a key element of recovery, but they are only one part; everyone must play a part if an organisation is to have a successful response.

Roundtable participants

Donna Creaven

Donna is Director in the Irish Prison Service with the Department of Justice. Prior to joining the Irish Prison Service, Donna worked as Assistant Commissioner in the Data Protection Commission. Donna holds a Bachelor of Commerce and a Bachelor of Laws (LL.B) from the National University of Ireland, Galway and a Master’s in management and corporate governance from the University of Ulster. Since 2018, Donna has been a member of the Board of Directors for Pobal, appointed to the Board by the Minister of the Department for Rural and Community Development. She has served as a director for a number of voluntary organisations.

Tom Digan

Tom is Cyber Resilience Director, Dell Technologies Ireland and Northern Ireland, helping organisations in both the private and public sector develop comprehensive strategies around cyber recovery. Tom has over 25 years’ experience in working for many leading global brands and prior to joining Dell, Tom held senior positions as Regional Director for Ireland/UK and South Africa in data management and cybersecurity.

Bruce Hopkins

Bruce is Head of IT Security in daa plc. He has over 20 years’ experience in IT security and management of technology risk. Bruce started his career as a research physicist before moving into software development, project management, and then IT security. After a number of years as an IT Security Consultant with KPMG, Bruce spent over a decade in telecoms security with Vodafone. He joined daa plc four years ago, tasked with setting up a new team to tackle the challenges of cybersecurity as well as the new GDPR regulations.

Paul Rochford

Paul is the Head of Information Security for An Post. He has over 20 years’ experience in information security and has held various leadership and technical roles during that time. Paul has an MSc in information security from Royal Holloway, UK, as well as holding numerous professional security certifications.

Liam Stewart

Liam is the Head of ICT in the Office of Public Works responsible for the management of all ICT services including infrastructure, networks, software applications and cybersecurity. He has 30 years’ experience in various ICT roles and holds a BSc in computer science from Trinity College, Dublin and a Master’s in information technology from NUIG.
