SESSION ID: LAB1-R08

Only After Disaster Can We Be Resurrected: Field Lessons in Cyber Incidents

Mark Sangster, VP and Industry Security Strategist, eSentire, Inc., @mbsangster
Jon Washburn, Chief Information Security Officer (CISO), Stoel Rives LLP, @Stoelrives

South Hall 1453 #RSAC

Quick Poll! SESSION ID: 1996726785

What is your role in your organization?
Have you ever been involved in a data breach investigation?
Have you ever been involved in a regulatory or privacy law compliance investigation?

“Only after disaster can we be resurrected.”
Tyler Durden, Fight Club, 1999, Chuck Palahniuk

Field Lessons in Cyber Incidents

COMPLEXITY: A passenger airliner runs out of fuel at 41,000 feet
SUPPLY CHAIN: A deep-sea drilling rig explodes and sinks
INTEGRITY: Architects build a skyscraper then discover it will fall over in a storm

When we blame the people, we miss the chance to learn

Human error is never the cause. It is a symptom of underlying systemic problems.
Ask what is responsible, not who.
Understand why they made their decisions.
Seek forward accountability.

The three biases through which we assess cause

HINDSIGHT: The exaggerated ability to predict and prevent the disaster.
OUTCOME: Knowing the outcome tends to lead to harsh judgment.
TIME: The tendency to focus on the most recent factors.

The Air Canada flight 143, the sinking of the Deepwater Horizon, and retrofit of the Citicorp Tower are true stories.

DISCLAIMER

The workshop examples and exercises are drawn from our experiences, observations and activities and do not represent our work for any one, or set of, customers or clients. Facts have been changed to obscure the identity of the parties where elements are based on actual events. All exercises in today’s lab, while plausible, are fictional scenarios.
Assessing Risk

We are going to run through three two-part “tabletop” scenarios during this lab that will focus on assessing risk and determining how we’d respond to specific incidents.

While we will be asking you to do qualitative assessments, it’s always good to visualize where a risk might land on a quantitative “heat map” when considering how you’ll plan/respond. Like real life, our exercises are designed to be layered, with a few twists and turns that are designed to get you to re-evaluate risk.

If you’ve done this before, use whatever assessment scale works for you. If not, we have printed out example probability/impact tables you can use.

Lesson 1: Cyber Events Are the Consequence of Multi-dimensional Factors

Air Canada Flight 143: The Gimli Glider

On July 23, 1983, Air Canada Flight 143 was a passenger flight between Montreal and Edmonton. Midway through the flight at an altitude of 41,000 feet, the plane ran out of fuel.

12 November 2007: https://www.damninteresting.com/the-gimli-glider/

The crew was able to glide the brand new Boeing 767 aircraft safely to an emergency landing at a former Air Force base in Gimli, Manitoba. There were no fatalities and only minor injuries. This unusual aviation incident earned the aircraft the nickname “Gimli Glider.”

23 July 2017: https://twitter.com/aircrashmayday/status/889077639130091520

Following the airline’s investigation, the Captain was demoted and First Officer suspended for two weeks. Three maintenance workers were also suspended.
14 February 2017: https://worldairphotography.wordpress.com/2017/02/14/the-story-about-air-canada-flight-174-the-gimli-glider/

Subsequent investigations found additional factors

LACKING: Company Policies
NEW: Aircraft Model
ADOPTION: Emerging Technology
FAILURES: Mechanical Systems
ERRORS: Pilots and Mechanics
CONFUSION: Units of Measure

We face the same factors with Cybersecurity

GOVERNANCE: Culture, Policies and Budget
ADOPTION: Business-driven Decision-making
EMERGING TECH
TECH FAILURES: Patching and Updates
HUMAN ERROR: User Errors and Talent Gap
And False Assumptions
REGULATORY: Changes and New Laws

73% Believe Digital Transformation Led to a B

PDF document: 2020_USA20_LAB1-R08_01_Only-After-Disaster-Can-We-Be-Resurrected-Field-Lessons-in-Cyber-Incidents
