The 7 ways compliance could have helped Optus, and why it should be their next step
AssuranceLab
Your cloud-native audit partner. SOC 2 | ISO 27001 | HIPAA | GDPR | CCPA | CSA STAR | ... MORE
The Optus data breach has exposed the data of millions of Australian's; from basic personal information, through to the details of sensitive documents like passports, drivers licenses and medicare cards. The hackers initially held the data for ransom.
After Optus refused to pay the ransom, at least 10,000 consumer records have been published online. It's yet to be seen what happens to the rest and whether it's already on the dark web or in the hands of others with malicious intent.
What this means for the millions of Australian's whose data is involved, is an increased risk of targeted scams, further security and data breaches leveraging that data, identity theft, and potentially even more serious repercussions where the personal details released have security consequences for higher risk people.
What is information security compliance? Why is it relevant here?
There are broadly two types of compliance, not to be confused here; (1) compliance with regulations that are mandatory, and (2) compliance with standards that are optional.
The Optus breach has led to fierce debate about Australia's regulatory compliance. Whether Australian regulations provide enough clarity on what's required, whether they go far enough to protect consumers data, and if the punishments from regulators are commensurate with the adverse consumer impacts of non-compliance. These debates will continue. Hopefully the update to Australia's Privacy Act 1988 will resolve the shortfalls identified. The Privacy Act is as old as I am! - the world has changed so much in the last 34 years, it's long overdue for an update.
This article is focused on the second type of compliance; aligning with optional standards for information security. Popular information security standards like SOC 2, take a broad and practical view of how information security is managed. Compliance is not the same as security, but it ensures there is a minimum baseline, consistency and effective governance that underpins effective security. Information security is only as effective as the weakest link.
I like to think of it like the wall in Game of Thrones - if East Watch by the Sea is unmanned and the easiest to scale, it's the most likely to be targeted by the White Walkers. A breach can compromise the security of everything in Westeros. Same deal with information security. Optus probably has rigorous protections for the consumer data sitting in most of their systems. But if they have one unsecured API that can access that data, or a new system not yet adequately protected that's holding that data, that can expose it all.
The seven (7) ways compliance could have helped Optus
There’s seven ways compliance could have helped Optus; preventing the data breach, or improving the response to it.
1.Defining non-functional requirements
There’s been talk of the breach targeted a new reporting system or API that accessed the data. In a compliant organisation, non-functional requirements (NFRs) like security and reliability should be considered and documented before building new systems. For a system that’s able to access sensitive customer data, the first considerations should be how to ensure that system is restricted to authorised people, secured to prevent exploitation, and the minimum security tests that need to be conducted before going live with the system. The NFRs could also include audit trails in the system design, which may have helped Optus to investigate what data had been breached. This seems to be lacking, with a slow response to notifying Australians and the government claiming Optus is not cooperating with requests for information about what data was accessed.
2. Security training
Security training is an important area of compliance that could have helped, albeit less directly. A compliant organisation has general awareness training for employees. Employees are usually the weakest link in system and data security. In this case there’s no talk of it being related to social engineering, which is often responsible for duping an employee to enable a breach. Reports are that the Optus breach was related to a new system or API that wasn’t appropriately secured. That relates to the other important area of security training - secure development practices. Secure development training should be conducted for system developers to raise awareness of security considerations when building systems. That awareness may have helped prevent these weaknesses in the systems security before they went live.
3. Segregation of duties
One article dissecting the Optus issue talked about the “poor engineer that made that mistake”. In a compliant environment, you have segregation of duties and independent checks, which prevents any talk of one individual being responsible. That doesn’t mean two or more people can’t miss something. We’ve been told this wasn’t a particularly sophisticated attack, suggesting something obvious was missed that a secondary check may identify.
4. Vulnerability scanning and patching
In a compliant environment, there are multiple methods of vulnerability assessment designed to prevent system weaknesses that can be exploited by hackers. Where vulnerabilities are identified, a formal program is followed to ensure they’re remediated in an appropriate timeframe. You run scans on the code base, the network, the live software, and a pretty standard industry practice is also independent penetration tests, for new systems and annually thereafter. Without speculating on which vulnerability assessments Optus did or didn't do, you would think if they had performed these activities, it would provide a defensible position for Optus to show they had taken reasonable steps to avoid the system breach.
Recommended by LinkedIn
5. System logging and monitoring
A compliant organisation logs system events, including user access. Monitoring can be manual and/or include configured alerts. That may notify of suspicious activity like the whole database being queried to access large amounts of customer data. The system logs can be used after a data breach to understand what data was accessed. That helps effectively communicate and mitigate the resulting security risks accordingly. Optus has been criticised for slow and ineffective communication, which may suggest weaknesses in their system monitoring and logging accordingly.
6. Incident response plans
There’s been a lot of criticism in how Optus has responded to the data breach; their lack of preparation, their poor communications, their slow reactivity as it’s playing out in the public eye. In a compliant environment you have defined incident response plans, disaster recovery and business continuity plans that may have been enacted in this case. The point of those is having a playbook of how to respond effectively. That includes:
The way it’s been responded to would suggest these were not in place, were not effectively tested in advance, or key personnel were not prepared to use them effectively.
7. Governance
Governance is a broad collection of management activities. Performing risk assessments, reviewing the internal controls, internal and external audits, management reviews, management and Board reporting, etc. If you're wondering what these are and how they help avoid data breaches - the point of governance is that someone is taking a big picture view, and asking questions like; "how do we know these systems and our customers data is secure?". That may sound obvious, but you'd be amazed how many organisations lack effective governance. Asking these questions, providing senior oversight and support, and performing independent reviews, play a powerful role in supporting the information security objectives.
Putting it all together
Compliance complements information security by establishing a minimum baseline, coordinating a consistent approach, with multiple lines of defence. Going back to the Game of Thrones analogy, with the White Walkers approaching Winterfell.
The defenders of Winterfell worked like a complaint organisation. They planned out their defensive requirements. They raised awareness in their troops and armed them effectively. They worked together in defensive structures without single point dependencies. They tested the defences before the attack. They had response plans for once the castle walls were breached. Their leaders Jon Snow, Daenerys Targaryen, Bran Stark, etc. exercised effective governance - asking the right questions, maintaining oversight, coordinating the defences. Of course no system of defence is perfect - sometimes you still need an Arya Stark to pop out of nowhere and save the day.
Why compliance should be Optus’ next step
In the immediate wake of the Optus data breach are some hefty costs for Optus. Potential regulator fines, obligations to support customers with credit monitoring and passport replacements, and just a lot of time and senior focus dedicated to resolving the matter. Perhaps more significant than those costs is the reputation damage and breach of trust that can take a lot longer to recover from.
The public are becoming wiser about the importance of data security. It’s not just their privacy, that some value more than others. This Optus breach has been a wake up call to the very real security threats of identify fraud and scams that are enabled by access to their data.
To regain that trust, and prove they’re taking security seriously, they need to take steps to prove they’ve changed their ways to prevent it happening again. Compliance standards like SOC 2 are used to build trust in that way. Achieving SOC 2 would send a message that they’ve invested into achieving a new standard of security to prevent this happening again.
Thanks for reading!
Paul Wenham, Co-Founder & Co-CEO, AssuranceLab