Telstra's chief information security officer Mike Burgess has delivered a withering attack on organisations that focus too much on attributing cyber attacks, or blame the 'sophisticated' attackers for their networks being hacked.
"The discussion and debate that occurs here takes away from focusing on the human element of this problem, and [from] understanding the root cause," Burgess told Check Point's Cyber Security Symposium in Sydney on Tuesday.
"Don't get me wrong at this point. I'm not saying that attribution isn't important. I'm not saying that issues of source, great technical intelligence, and other forms of intelligence to understand the threat and the intentions of those looking to steal information from you, or disrupt your organisation for some purpose that may be unknown to you, [are not important]," he said.
"But what I observe, what I fear, what I see too much of, is many commentators, many in the industry, and many in media, focus on attribution, with very little focus on the root cause. No-one should lose valuable information where at the root cause there is a known remedy. For me, that is unforgivable in this day and age. And I've got to tell you -- my view at least -- too much of this distraction around attribution takes away from focusing on what's really important here."
Burgess referred to this wrong-headed focus as "attribution distraction" and "threat distraction". He illustrated his point with some of the language used by companies to explain away massive data breaches.
After the Home Depot breach, for example, the company said: "The malware used in the attacks had not been seen in any prior attack, and was designed to evade detection by anti-virus software."
"Really?" said Burgess with dripping sarcasm, to audience laughter. "I mean, really?"
After the Anthem breach, that company said: "We have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack."
"Really?" said Burgess again. "I'm not meaning to disparage others, because I know this is a hard challenge. But really, when I see language like that, the use of the word 'sophisticated', I do worry."
Attribution distraction was at "fever pitch" in the aftermath of the Sony Pictures hack, Burgess told the conference.
"You see language like this: 'a brazen cyber attack'. Well, maybe I'd agree with them on that one. But interestingly, in an internal memo: 'unprecedented in nature' [and] 'the malware was undetectable by industry-standard anti-virus software'.
"Really? Here we go again: 'The attack was an unparalleled and well-planned crime carried out by an organised group, for which Sony Pictures nor other companies could have been fully prepared'," he said.
"Well, excuse me for saying this, but actually, it is a reasonably foreseeable event that someone will attempt to hack your organisation to steal data from you, or someone will attempt to hack your organisation to disrupt your organisation. I disagree with Sony in that comment. You have to be prepared. You've got no excuses."
Burgess pointed out that in most of the major breaches, there was a root cause with a known remedy for that vulnerability or weakness. We know that socially-engineered emails arrive with a malicious attachment, or with a link to a web-based exploit of a known vulnerability. We know about the exploitation of vulnerable web-facing code.
"For 99.999 percent of that, there is a known remedy, and we must focus on that. These threats aren't new. They're not going to go away. We have to take them seriously."
Burgess also spoke out against an excessive focus on technological measures. He understands that technology is important, and that much more can be done. But managing the risk requires an understanding of the human element, something which is "just as important".
"If anyone thinks that this is a problem brought about by technology, and solvable by technology alone, I'm sorry, but I've got news for you. That will take away from you being able to effectively manage this risk," Burgess said.
"Cybercrime is just a crime, cyber espionage is just espionage, hacktivism is just protest," he said.
"[But] in this day of connectivity and continuous uptake in technology, ... crime, protest, espionage, and even mistakes, happen at a pace, scale and reach which is unprecedented." And so can their impact. "This is the reality that we must deal with."
The Five Knows of Cyber Security
Burgess outlined how Telstra structures its approach to dealing with this reality using its "Five Knows of Cyber Security", a framework that Telstra has been presenting both internally and externally over the last six months.
- Know the value of your data. Know its value to customers, yourselves, maybe your competitors, and most definitely those who wish to do harm. "The data that you don't want lost or stolen or destroyed," Burgess said.
- Know who has access to your data. "This challenges a number of organisations, because this requires you to look deep inside your supply chain, your own system, and the way your company operates and interacts with your customers, and your partners," Burgess said. "And then understand whether they should actually have access to all of that data."
- Know where your data is, both domestically and globally. "While some people, some regulators, some customers will have a view of where the data should be, and that's absolutely entirely right for them to have that view, I prefer to think of this problem as protecting the data wherever it may be. But I've got to know where it is, for a whole range of reasons," Burgess said. "It's absolutely critical that you protect information at rest, in use, and in motion, and not get hung up on 'It's inside my network so it must be OK,' because guess what? The internet doesn't work that way."
- Know who's protecting your data. "Do you actually know who's making sure your data isn't lost, corrupted or destroyed? In some cases that's easy to figure out ... but in other cases you might be surprised that some companies haven't thought about that, and some elements of their data they don't know who's actually protecting it," Burgess said.
- Know how well your data is protected. "That's where some frameworks and compliance regimes do come in, absolutely," Burgess said, pointing to the usefulness of advice like the Australian Signals Directorate's Top Four.
Telstra's Five Knows of Cyber Security are detailed in the company's Cyber Security Report 2014 (PDF).