When it happens, will you be ready? How to excel in handling your next cyber incident

I like speaking about incident response because there are so many important practical points to convey. Every so often I re-consolidate my thinking on the topic and do up a new slide deck. Here is one such deck from this week’s presentation at Canadian Society of Association Executives Winter Summit. It includes an adjusted four step description of the response process that I’m content with.

We’ve been having some team discussions over here about how incident response plans can be horribly over-built and unusable. I made the point in presenting this that one could take the four step model asset out in this deck, add add a modest amount of “meat” to the process (starting with assigning responsibilities) and append some points on how specific scenarios might be handled based on simple discussion if not a bona fide tabletop exercise.

Preparing for a cyber incident isn’t and shouldn’t be hard, and simple guidance is often most useful for dealing with complex problems.

Alberta OIPC finds Blackbaud incident gives rise to RROSH

Hat tip to my good colleague Francois Joli-Coeur, who let our group know yesterday that the OIPC Alberta has issued a number of breach notification decisions about the Blackbaud incident, finding in each one that it gave rise to a “real risk of significant harm” that warrants notification and reporting under Alberta PIPA.

Blackbaud is a cloud service provider to organizations engaged in fundraising who suffered a ransomware incident last spring in which hackers exfiltrated the personal information of donors and educational institution alumni. The true scope of the incident is unknown, but likely large, affecting millions of individuals across the globe.

Blackbaud issued notably strong communications that de-emphasized the risk of harm. It rested primarily on the payment of a ransom, assurances by the threat actors that they would delete all data in exchange for payment and its ongoing dark web searches. Most affected institutions (Blackbaud clients) notified anyway.

On my count the OIPC issued seven breach notification decisions about the incident late last year, each time finding a “real risk.” In a decision involving an American college with donors or alumni in Alberta, the OIPC said:

In my view, a reasonable person would consider the likelihood of significant harm resulting from this incident is increased because the personal information was compromised due to a deliberate unauthorized intrusion by a cybercriminal. The Organization reported that the cybercriminal both accessed and stole the personal information at issue. The Organization can only assume that cybercriminal did not or will not misuse, disseminate or otherwise make available publicly the personal information at issue.

This is not surprising, but tells us how the OIPC feels about the assurance gained from paying a ransom to recover stolen data.

See e.g. P2020-ND-201 (File #017205).

The Five Whys, the discomfort of root cause analysis and the discipline of incident response

Here is a non-law post to pass on some ideas about root cause analysis, The Five Whys, and incident response.

This is inspired by having finished reading The Lean Startup by Eric Ries. It’s a good book end-to-end, but Ries’ chapter on adaptive organizations and The Five Whys was most interesting to me – inspiring even!

The Five Whys is a well-known analytical tool that supports root cause analysis. Taichii Ohno, the father of the Toyota Production System, described it as “the basis of Toyota’s scientific approach.” By asking why a problem has occurred five times – therefore probing five causes deep – Ohno says, “the nature of the problem as well as its solution becomes clear.” Pushing to deeper causes of a failure is plainly important; if only the surface causes of a failure are addressed, the failure is near certain to recur.

Reis, in a book geared to startups, explains how to use The Five Whys as an “automatic speed regulator” in businesses that face failures in driving rapidly to market. The outcome of The Five Whys process, according to Ries, is to make a “proportional” investment in corrections at each five layers of the causal analysis – proportional in relation to to the significance of the problem.

Of course, root cause analysis is part of security incident response. The National Institute of Standards and Technology suggests that taking steps to prevent recurrences is both part of eradication and recovery and the post-incident phase. My own experience is that root cause analysis in incident response is often done poorly – with remedial measures almost always targeted at surface level causes. What I did not understand until reading Ries, is that conducting the kind of good root cause analysis associated with The Five Whys is HARD.

Ries explains that conducting root cause analysis without a strong culture of mutual trust can devolve into The Five Blames. He gives some good tips on how to implement The Five Whys despite this challenge: establishing norms around accepting the first mistake, starting with less than the full analytical process and using a “master” from the executive ranks to sponsor root cause analysis.

From my perspective, I’ll now expect a little less insight out of clients who are in the heat of crises. It may be okay to go a couple levels deep while an incident is still live and while some process owners are not even apprised of the incident – just deep enough to find some meaningful resolutions to communicate to regulators and other stakeholders. It may be okay to tell these stakeholders “we will [also] look into our processes and make appropriate improvements to prevent a recurrence” – text frequently proposed by clients for notification letters and reports.

What clients should do, however is commit to conducting good root cause analysis as part of the post-incident phase:

*Write The Five Whys into your incident response policy.

*Stipulate that a meeting will be held.

*Stipulate that everyone with a share of the problem will be invited.

*Commit to making a proportional investment to address each identified cause.

Ries would lead us to believe that this will be both unenjoyable yet invaluable – good reason to use your incident response policy to help it become part of your organization’s discipline.

Cyber defence basics – Maritime Connections

I was pleased to do a cyber defence basics presentation to privacy professionals attending the Public Service Information Community Connection “Maritime Connections” event yesterday. The presentation (below) is based off of recent publications by the New York Department of Financial Services and the Information Commissioner’s Office (UK) as as the (significant) Coveware Q3 ransomware report.

As I said to the attendees, I am not a technical expert and no substitute for one, but those of us outside of IT and IT security who work in this space (along with the predominantly non-technical management teams we serve) must engage with the key technical concepts underpinning IT security if we are to succeed at cyber defence.

I’ll do an updated version next week at Saskatchewan Connections next week. Join us!

The role of legal counsel in ransomware response – cyber divergence on display

Two publications released earlier this month illustrate different views on how to structure ransomware response, and in particular on how to structure the involvement of legal counsel.

On Wednesday of last week, the Ontario Ministry of Government Services issued a bulletin entitled “What is Ransomware and How to Prevent Ransomware Attacks” to the broader public sector. It features a preparation and response playbook that will be much appreciated by the hospitals, universities, colleges, school boards and municipalities targeted by the MGS.

The playbook treats ransomware response as primarily a technical problem – i.e., a problem about restoration of IT services. Legal counsel is mentioned in a statement about incident preparation, but is assigned no role in the heart of the response process. Indeed, the MGS suggests that the Information and Privacy Commissioner/Ontario is the source of advice, even “early on” in an incident:

If you are unable to rule out whether or not PII was compromised (which will likely be the case early on in an incident), contact the Privacy Commissioner of Ontario (416) 326-3333.

Contrast this with what Coveware says in its very significant Q3 ransomware trends report that it released on November 4th. Coveware – arguably the best source of ransomware data – explains that data exfiltration threats now feature in 50% of ransomware incidents and that ransom payments are a poor (and becoming poorer) method of preventing threat actors from leaking what they take. Coveware says:

Accordingly, we strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel.  Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim. There may be other reasons to consider, such as brand damage or longer term liability, and all considerations should be made before a strategy is set.

The Coveware view, shared by Canadian cyber-insurers, is that ransomware is primarily a legal and reputational problem, with significant downside legal risks for institutions who do not engage early with legal counsel.

I favor this latter view, and will say quite clearly that it is bad practice to call a privacy regulator about a potentially significant privacy problem before calling a privacy lawyer. A regulator is not an advisor in this context.

This is not a position I take out of self-interest, nor do I believe that lawyers should always be engaged to coordinate incident response. As I’ve argued, the routine use of lawyers as incident coordinators can create problems in claiming privilege when lawyer engagement truly is for the “dominant purpose of existing or anticipated litigation.” My point is that ransomware attacks, especially how they are trending, leave institutions in a legal minefield. Institutions – though they may not know it – have a deep need to involve trusted counsel from the very start.

DFS report shows how to double down on remote access security

On October 15th, the New York State Department of Financial Services issued a report on the June 2020 cybersecurity incident in which a 17-year old hacker his friends gained access to Twitter’s account management tools and hijacked over 100 accounts.

The report stresses the critical risk against which social media companies employ their security measures and the simplicity of the hacker’s methods. The DFS raises the link between social media account security and election security and also notes that the S&P500 lost $135.5 billion in value in 2013 when hackers tweeted false information from the Associated Press’s Twitter account. Despite this risk, the 2020 hackers gained access based on a well-executed but simple social engineering campaign, without the aide of malware, exploits or backdoors.

The hackers conducted intelligence. They impersonated the Twitter IT department and called employees to help with VPN problems, which were prevalent following Twitter’s shift to remote work. The hackers directed employees to a fake login page, which allowed them to capture credentials and circumvent multifactor authentication.

The event lasted about 24 hours. The DFS explains that Twitter employed a password re-set protocol that required every employee to attend a video conference with a supervisor and manually change their passwords.

The event and the report are about the remote workforce risk we face today. Twitter had all the components of a good defence in place, but according to the DFS it could have done better given the high consequences of a failure. Here is a summary of some of the DFS recommendations:

  • Employ stricter privilege limitations, with access being re-certified regularly. Following the incident Twitter did just this, even though it apparently slowed down some job functions.
  • While multifactor authentication is a given, the DFS noted, “Another possible control for high-risk functions is to require certification or approval by a second employee before the action can be taken.”
  • The DFS points out that not all multifactor authentication is created equal: “The most secure form of MFA is a physical security key, or hardware MFA, involving a USB key that is plugged into a computer to authenticate users.”
  • The DFS says organizations should establish uniform standards of communications and educate employees about them. Employees should know, for example, exactly how the organization will contact them about suspicious account activity.
  • The DFS endorses “robust” monitoring via security information and event management systems – monitoring in “near real-time.”

These recommendations could make for very strong remote access and account security, but are worth note.

Report on Investigation of Twitter’s July 15, 2020 Cybersecurity Incident and the Implications for Election Security.

Cyber, secrecy and the public body

Here’s a copy of a presentation I gave yesterday at the High Technology Crime Investigation Association virtual conference. It adresses the cyber security pressures on public bodies that arise out of access-to-information legislation, with a segment on how public sector incident response differs from incident response in the private sector

UKSC decides data thief was on a “frolic of his own”

The Supreme Court of the United Kingdom has decided an important vicarious liability case in favour of a company whose rogue employee stole payroll information and posted it online.

The company entrusted the employee with payroll data pertaining to over 120,000 of its employees to facilitate an audit. The employee – who was still aggrieved about some discipline the company had earlier imposed – passed the data to the auditor as instructed, but kept a copy and posted it online as part of a personal vendetta.

As in Canadian law, United Kingdom law deems employers to be responsible for the wrongful acts of their employees that are not authorized if there is a “sufficient connection” between the wrongful act and the work that is authorized. The creation of “opportunity” to commit the wrong is a factor, and the analysis is to be conducted with a view to the policy-implications, leading some to argue that data security concerns justify broadly-imposed vicarious liability.

Nonetheless, the Court held that cause (or the creation of opportunity) was not enough to warrant this employer’s liability for its employee’s data theft. That is, the employee’s theft (and his public disclosure) was caused by the company’s provision of data to the employee, but the employee was still motivated to harm the employer and “on a frolic of his own” that did not warrant employer liability.

WM Morrisons Supermarkets plc (Appellant) v Various Claimants (Respondent), [2020] UKSC 12.

 

Hackers, hacking and cybersecurity for kids

Many of you know Dustin Rivers and Chris Lutz of the Public Service Information Community Connection, who run some of our major Canadian privacy conferences. Like the great entrepreneurs they are, Dustin and Chris have put together an online kids camp for delivery to COVID-sequestered kids from across the globe!

I volunteered as a camp instructor and just did this presentation. It was fun, and  a great exercise to reduce the subject matter I deal with in a far different context to something that could be understood by six to ten year olds! Not only that, my son and I created the deck together – more learning.

Here’s the deck. Next time I’ll record!

Good quotes on the impossibility of “ensuring” security and achieving zero risk

I blogged about Arbitrator Sudykowski’s decision in Providence Health when it was released in 2011 for its ratio – employers are entitled to more than a bare medical certification when an employee is absent from work.

I had occasion to use the case in a matter I argued yesterday, and was pleasantly surprised to re-read what Arbitrator Surdykowski said about data security and the impossibility of “ensuring” data security. The union had made an argument for minimizing the collection of health information that rested on data security risk, to which Mr. Surkyowski replied:

I agree with the Union’s assertion that there is always a possibility that private and confidential medical information may be inadvertently released or used inappropriately.  Try as they might, it is impossible for anyone to absolutely guarantee information security.  All that anyone can do in that respect is the best they can.  There is nothing before me that suggests the extent to which the inadvertent (or intentional) release or misuse of confidential information occurs, either generally or at the workplaces operated by this Employer.  More specifically, there is no indication of how often it happens, if at all, or that best efforts are demonstrably “not good enough”.

In a perfect world, the security and proper use of confidential private medical (or other) information could and would be guaranteed.  But to be perfect the world would have to be populated by perfect human beings.

This is a nice quote to bring forward in this blog, of course, because it’s always a good to remind ourselves (and others) that the mere happening of a security incident doesn’t mean fault!

It’s a hard point to argue when hindsight bears heavily on a decision-maker, but is indisputable. I once defended on employer in a charge that followed a rather serious industrial accident in which an employee at truck dealership was run over by a tractor. The Court of Appeal held that the tractor wasn’t a “vehicle” for the purposes of the Occupational Health and Safety Act and entered an acquittal. In examining the context for this finding Justice Cronk made the same point as Arbitrator Surdykowski:

That said, consideration of the protective purposes of the legislative scheme is not the only consideration when attempting to ascertain the scope of s. 56 of the Regulation. The Act seeks to achieve “a reasonable level of protection” (emphasis added) for workers in the workplace. For obvious reasons, neither the Act nor the Regulation mandate or seek to achieve the impossible — entirely risk-free work environments.

Every security incident is an opportunity to tell a story about pre-incident due diligence that highlights this basic truth. (If your defence rests our horrendously vague privacy law you’re in trouble, I say.) It’s also reason to hold our tongues and not judge organizations who are victimized, at least before learning ALL the facts. Security incidents are complex. Data security is hard.