[AusNOG] Optus Hack

Giles Pollock glp71s at gmail.com
Tue Sep 27 11:50:49 AEST 2022


I'm hesitant to go down the punishment/penalties route, because it isn't a
lack of consequence which defines and allows for such breaches to occur.
I've never been involved with the response to a breach where the company
has gone "big deal, it's just customer data!", rather they are all too aware
that they are now in an unexpected fight for their corporate lives. These
events can kill entire businesses, but that realisation often only comes to
the board and key decision makers when they're sitting in the war room
having it all laid on the table for them.

What seems to be the pervasive mentality is more akin to "it will never
happen to us". Sort of similar to assuming you'll drive to work and not be
involved in a car accident. The collection of the data and the construction
and growth of the systems that are involved is often organic and comes
under business as usual, so like a frog slowly being brought to a boil they
never really think about exactly what they are custodians of. Add to that
the tendency for government policy to come along and mandate the
requirements to collect certain sensitive information because the policies
have been written along the lines of "one size fits all (badly)" and we
have this recipe for disaster.

How many on this list can turn around and look at their own information
handling policies and say hand-on-heart (or other important body part) that
they're only storing what they need to, and that more importantly the
sensitive components of that data are 100% secure?

I'd suggest in the wake of this whole mess, it might be a good idea to go
have a talk to the relevant people inside your various businesses and start
thinking about how to run tabletop exercises on what would happen should a
breach occur, and how it might happen. There will be people in the
technical teams who should be able to identify risk points and flaws, not
only in the technology but also in the processes and procedures. Collect
those, build some scenarios and act them out in a simulation.

Fear is a great motivator, and the knowledge that these breaches and the PR
disaster that Optus experienced this time around can be business-killers
should be a good start to getting some buy-in on dealing with these issues
particularly given how fresh it is in everyone's minds. For the
accountant/beancounter/finance types, just remind them that cost of
remediation is always far higher than cost of protection and prevention!

On Tue, Sep 27, 2022 at 11:25 AM Brad Gould <brad.gould at gmail.com> wrote:

> I think the only remaining way forward is to enact heavy penalties for
> these incidents.
>
> Industry self-regulation and codes of conduct have repeatedly failed.
>
> I also fully understand that the Government has unwisely placed a
> requirement to collect and retain personal information, and on some levels
> poor policy put forward by security agencies has contributed to these
> terrible, predictable, outcomes. I'll also add that there is a similar lack
> of political accountability, so as an industry, we should be shouting at
> every opportunity that the Government required collection and retention of
> the data in the first place.
>
> The large companies that have breaches are not typically failing because
> solutions are hard, it's because of lack of corporate-level care.
>
> Forcing Health and Safety obligations and penalties upon upper corporate
> management has seen business culture fundamentally change for the better.
> The same kind of legislation frameworks need to be introduced with regards
> to privacy.
>
> On Tue, 27 Sept 2022 at 10:16, Bevan Slattery <bevan at slattery.net.au>
> wrote:
>
>> Hi everyone,
>>
>> Obviously a big week in telco and cybersecurity.  As part of my work I am
>> on the Australian Cyber Security Industry Advisory Committee as an industry
>> representative.
>>
>> I am keen to look at opening up a dialogue with more and more telco, DC
>> and Cloud CISO’s on what they are doing around this issue and looking to
>> take a proactive step towards best practice on customer data and system
>> security.
>>
>> There will be some pretty serious consequences of this hack on the
>> industry and importantly we need to make sure we are as best placed to help
>> each other continually increase in security posture through best practice,
>> but also working with each other as an industry.
>>
>> Are people keen on having an online/VC session sometime in the next few
>> weeks where like-minded industry participants get together and discuss
>> security, retention, encryption, threat detection etc.?  If so, just ping
>> me directly and if there is enough interest I will send out an invitation
>> to the list for a call.
>>
>> Cheers
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at ausnog.net
>> https://lists.ausnog.net/mailman/listinfo/ausnog
>>