You have been asked to present next month to the board about the enterprise's readiness for Advanced Persistent Threats. From what you understand, it appears that either the Chief Risk Officer, the External Auditor or an ex-colleague of the Board has made this suggestion.
Unfortunately you really don’t know what level of awareness the board members have about Advanced Persistent Threats. With trepidation you start to prepare for this, and the first question is: how honest should you be?
Then you wonder about opening Pandora’s box and making this a moment that you will regret.
Honesty is the only policy
While you don’t want to incite any panic, it is all about getting the balance right: being confident in the approach that is being adopted, while being realistic enough not to suggest that your approach is bulletproof.
Yes, be honest. The worst situation would be to leave the board with the perception that everything is under total control. In the same vein, you also never want them to think it is out of control.
Most of us aren’t good at lying, and this will show in our expression. I’d hate to be in that situation. Honesty is the only policy.
Start at the Beginning
It is critical that the board understands that an Advanced Persistent Threat is not a virus that can simply be cleaned up. Instead it can take many forms, and the best ones morph to use different attack vectors.
It could start with a simple virus infection, with malware that arrives by email, or even with code introduced from a USB thumb drive. The board members themselves are perhaps also part of the group that attackers look to target.
That email from a board member’s personal PC at home to the CFO could indeed be the mechanism used to reach the senior executive. Once it is understood that the scope is this wide, the need for security awareness education is a point well worth making.
The APT Lifecycle
What is going to help is to use ‘plain English’ as much as possible and explain that these threats, while using various approaches to get into an organisation, have an objective of remaining undetected for as long as possible.
So admit that such a threat may indeed already be inside the enterprise, collecting sensitive information and assessing when to act. In your defence, you can explain the measures that are in place to address this:
- We have a ‘state of the art’ firewall to restrict access to the corporate network.
- Endpoint software is deployed on all devices to prevent and detect malware.
- Strong passwords with two-factor authentication are in place.
- The enterprise has strong Privacy and/or PCI measures in place to protect sensitive information.
- An Acceptable Use Policy is in place for all staff, and they understand that cyber security starts with them not clicking on the wrong links.
Wearing the Black Hat
Moreover, it will be critical to demonstrate that we have internal staff and partners whom we ask to wear the black hat. That means we are doing our own monitoring for vulnerabilities – reconnaissance, if you like.
These resources will use the same dirty tactics an attacker would: phishing, social engineering via social media and perhaps even dumpster diving. Mock attacks are another option, for example a simulated spear-phishing campaign in which randomly selected staff are sent a fake message with an attachment to see how they respond.
The same goes for understanding the network and the perimeter, and which ports are vulnerable. To this end I’ve met with security companies pitching to work with me that have conducted such an exercise, and they can highlight potential risk areas, even without breaking the law.
A random audit of SIEM logs can also provide some interesting insight. If your team is not closely monitoring these, then it is likely that clues are being missed. Taking that sample and checking that any items that should have been deemed suspicious were in fact noted would be a great exercise. This is all about ‘trust but verify’.
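One way to turn that ‘trust but verify’ audit into something repeatable is to draw a random sample of SIEM events, run a handful of plain rules over it, and compare what the rules flag against what the analysts actually noted. The script below is an added illustration, not part of the original post or any real SIEM product: the event records, the analyst triage record, the field names, the business-hours window and the failure threshold are all constructed assumptions, and a real audit would pull these from the SIEM and the ticketing system instead.

```python
"""Spot-check SIEM monitoring: sample events, apply simple rules, and compare
against what the analysts noted. All data below is constructed for illustration."""
import random
from collections import Counter

# Constructed sample SIEM events (synthetic; not from any real environment).
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2014-05-12T09:01:00", "src": "10.0.1.15", "user": "jsmith", "event": "auth_success", "detail": ""},
    {"id": 2, "ts": "2014-05-12T09:05:00", "src": "203.0.113.9", "user": "cfo", "event": "auth_failure", "detail": ""},
    {"id": 3, "ts": "2014-05-12T09:05:20", "src": "203.0.113.9", "user": "cfo", "event": "auth_failure", "detail": ""},
    {"id": 4, "ts": "2014-05-12T09:05:41", "src": "203.0.113.9", "user": "cfo", "event": "auth_failure", "detail": ""},
    {"id": 5, "ts": "2014-05-12T09:06:03", "src": "203.0.113.9", "user": "cfo", "event": "auth_success", "detail": ""},
    {"id": 6, "ts": "2014-05-12T02:15:00", "src": "10.0.1.40", "user": "svc_backup", "event": "auth_success", "detail": ""},
    {"id": 7, "ts": "2014-05-12T09:30:00", "src": "10.0.1.22", "user": "cfo", "event": "email_attachment_open", "detail": "Q2_invoice.pdf.exe"},
    {"id": 8, "ts": "2014-05-12T10:12:00", "src": "10.0.1.31", "user": "mlee", "event": "email_attachment_open", "detail": "agenda.docx"},
    {"id": 9, "ts": "2014-05-12T11:40:00", "src": "10.0.1.50", "user": "tnguyen", "event": "usb_device_attached", "detail": "vendor_id=0x0781"},
    {"id": 10, "ts": "2014-05-12T12:00:00", "src": "10.0.1.15", "user": "jsmith", "event": "auth_failure", "detail": ""},
]

# Constructed triage record: event ids the SOC team marked as reviewed.
ANALYST_NOTED = {2, 3, 4, 5, 7}

BUSINESS_HOURS = range(7, 20)          # assumption: 07:00-19:59 is normal working time
EXECUTABLE_EXTENSIONS = {"exe", "scr", "bat", "js", "vbs"}
FAILURE_THRESHOLD = 3                  # assumption: 3+ failures from one source/user is worth a look


def sample_events(events, n, seed=0):
    """Draw a reproducible random sample of n events for the audit."""
    return random.Random(seed).sample(events, n)


def flag_suspicious(events):
    """Return {event_id: [reasons]} for events a reviewer should have noted."""
    failures = Counter((e["src"], e["user"]) for e in events if e["event"] == "auth_failure")
    flags = {}

    def add(e, reason):
        flags.setdefault(e["id"], []).append(reason)

    for e in events:
        key = (e["src"], e["user"])
        if e["event"] == "auth_failure" and failures[key] >= FAILURE_THRESHOLD:
            add(e, "repeated_auth_failure")
        if e["event"] == "auth_success":
            if failures[key] >= FAILURE_THRESHOLD:
                add(e, "success_after_repeated_failures")
            if int(e["ts"][11:13]) not in BUSINESS_HOURS:   # hour field of the ISO timestamp
                add(e, "off_hours_login")
        if e["event"] == "email_attachment_open":
            parts = e["detail"].lower().split(".")
            # "invoice.pdf.exe": a second extension hiding an executable
            if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS:
                add(e, "executable_attachment_double_extension")
        if e["event"] == "usb_device_attached":
            add(e, "removable_media")
    return flags


def audit_coverage(events, noted_ids):
    """Compare rule hits against the analysts' triage record and report what was missed."""
    flags = flag_suspicious(events)
    flagged = sorted(flags)
    noted = [i for i in flagged if i in noted_ids]
    missed = [i for i in flagged if i not in noted_ids]
    coverage = len(noted) / len(flagged) if flagged else 1.0
    return {"flagged": flagged, "noted": noted, "missed": missed,
            "coverage": coverage, "reasons": flags}


if __name__ == "__main__":
    report = audit_coverage(SAMPLE_EVENTS, ANALYST_NOTED)
    for i in report["missed"]:
        print(f"event {i} not noted by analysts: {', '.join(report['reasons'][i])}")
    print(f"triage coverage of rule hits: {report['coverage']:.0%}")
```

On the constructed data the analysts caught the repeated failed logins and the disguised executable attachment but not the off-hours service-account login or the USB device, which is exactly the kind of gap the audit is meant to surface. The rules are deliberately crude; the point of the exercise is the comparison, and the "missed" list is what you would take back to the team rather than to the board.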
Be confident but not smug
The board will appreciate your humility and that you are taking all reasonable measures to stay on top of the threat from Advanced Persistent Threats.
With you confident in the approach and the board now fully informed, they are in a position to re-evaluate the Enterprise Risk Appetite.
(Phew) you can keep your job – for now at least.