When Adobe was hit with a break-in to one of its code-signing servers last September, chief security officer (CSO) Brad Arkin used the crisis to drive security change and improvement.
Attackers exploited an insecure configuration on a server in the company and initiated code-signing requests for malicious software, which could then be used to infiltrate the corporate network.
The attack was quickly detected and shut down, but it revealed weaknesses in the security processes, which Arkin set about changing using a five-step plan.
“Rapid, dramatic change is most quickly achieved through a crisis,” Arkin told the Security Development Conference 2013 in San Francisco.
The plan is based on the view of French political economist and founding father of the European Union Jean Monnet that people accept change only when faced with necessity, and recognise necessity only when a crisis is upon them.
The first step, said Arkin, is to be prepared before a crisis hits. This involves building a network of people in the organisation who know and trust you as an information security professional.
He recommends building a formal network of people who can influence change when required, and an informal, social network of people who will tell you what is really going on in a crisis.
“It is also very important to understand the business, business goals and what influences decisions, because if you don’t, you can’t give good advice when the business starts listening to you,” said Arkin.
Another important part of preparation, he said, is to run through crisis scenarios facing other organisations and ask what your organisation would do in similar circumstances.
“This is useful in identifying gaps in your security and where you need to invest,” said Arkin.
Similarly, organisations should force themselves to “think big” by drawing up “magic wand plans” of what could and should be done, given unlimited resources.
Finally, as part of the preparatory stage, organisations should define the behaviour they are trying to drive and develop metrics so that they can track progress over time.
“Metrics are hard and tricky; they also take time to develop, so this can’t wait until you are faced with a crisis,” said Arkin.
“We eventually realised that counting vulnerabilities did not correlate to safety of users, and that it was real-world exploits that really mattered.”
When a crisis hits, Arkin believes it is important for information security professionals to speak the language of the business by saying how it affects them in real terms, and to start with the facts.
“Let go of the details, say what is going on and more importantly tell people what to do to move forward with clear recommendations, but resist the temptation to dive deep,” said Arkin.
Implementing the plan to recover and move forward involves people, process and technology. It also requires someone who is good at project planning.
“If you are not that person, step aside and find someone who has the skills needed,” said Arkin.
Typically this stage involves a training programme aimed at improving “security IQ” for each team involved, to enable each member to make better decisions.
Arkin recommends building and using automation tools to ensure remediation can be done quickly, consistently and at scale.
“Use existing management infrastructures, deputise people who are used to telling teams what to do to get things done, rather than creating new crisis management structures,” he said.
Finally, ensure momentum is maintained, said Arkin, by exploiting the crisis to drive change and evolving the crisis plan into a longer term security roadmap, with longer term metrics.
This is the five-step plan Adobe followed in the code-signing incident, which involved re-signing 76 products by 3,000 people within 12 days.
According to Arkin, the plan worked well in helping to drive change and in identifying areas where more work was needed, so that any future crisis could be used even more effectively to the same end.
One of the biggest lessons learned was the importance of consolidating ownership for security processes to ensure there were no gaps.
“We learned the importance of remaining vigilant for gaps in risk ownership,” said Arkin.
In practice, the best way to communicate with the business was through regular updates at set intervals, rather than allowing new intelligence and progress to “leak” out in a haphazard way.
Deputising individuals to solve specific problems also helped to get things done quickly and efficiently.
Exploiting the focus that a security crisis brings is an effective way to change specific behaviours and to enable the adoption of an improved set of best practices company-wide, said Arkin.
“And of all the steps, the most important was clearly being prepared,” he said.