The last few days have been interesting to say the least: the Bundestag got hacked once again and no one is the wiser. With all the “fake” news and reports it’s very hard to distinguish what is and isn’t real about this new breach, or even whether it was really a new breach at all.
What we do have is something that resembles a badly coordinated dance show, where one dancer doesn’t know what the others are doing. In the middle of this we have the customer, and that customer is surrounded by suppliers or supporters that are tasked with protecting the customer.
Coordination of the most important tasks during a breach or any security incident is critical and crucial to daily operations and to getting back to normalcy. What we see, to an extent, is some suppliers claiming their networks were never touched, but a forensic analyst or any critical thinker would question this unproven claim.
And it is unproven, and what’s worse, downright wrong! Why? Well, if my customer’s networks are being managed by me, how are the networks not connected in some way with each other? And if they are not, how can that supplier really manage that network as if it were their own? It all smells rather “weird” to say the least.
So let’s focus for a few minutes on who defines incidents as processes, how and where that happens, and what follows. Is this in the BSI’s “Grundschutzhandbuch”, the security policy or somewhere else? What do you think? It’s actually well defined in ITIL, yes ITIL!
That curse word among most hackers, crackers and security consultants with overly pumped up egos. This (among other reasons) is why most newbie security professionals don’t get their security designs and architecture right and secure.
If you are like me, you were around when wheels were just being invented; soon after that we saw the first versions of the UK’s Information Technology Infrastructure Library, or ITIL, emerge.
ITIL is so important that we are likely the only security trainers and company (I believe) that start our certifications with it and emphasize the importance of knowing ITIL! ITIL, when done correctly, will help you implement processes and procedures and communicate how different teams work and, more importantly, how they communicate with each other before, during and after a breach or incident.
What we saw, based on a certain agency’s fast reaction (in this specific instance), was a statement about how safe their own networks are, which by implication says they didn’t see the customer’s network as being of the same value or as secure. We also saw in this reaction that they (likely) don’t have much awareness of or training in the classical ITIL processes and procedures that deal with incident response, incident management and knowledge management.
It’s really unfortunate, because these are the very people that believe they can audit the networks that have now been breached (if it’s true) by a 20-year-old student who had access to one of the most critical and crucial networks and data sets in Germany. So why say this and point it out? Well, we can teach you how to do this correctly, not by slamming you and blaming you, but by going through scenarios like this one and others that can help you stop attacks from going further, or even detect them before they turn into a breach.