Members of the Information Systems Security Association, Ottawa chapter, got some advice late last week about handling security breaches from a source whose experience is well known.
“All of you at some point in your career are going to deal with a security breach,” Paul Girard, chief information officer of Treasury Board Secretariat, told the group’s September dinner meeting. “Be prepared for it. Have a plan.”
Early this year, the government revealed that networks at Treasury Board and the Department of Finance had been broken into. News reports said classified information and senior officials’ e-mails were compromised. Some capabilities, such as internet access, were shut down for significant periods while security staff remediated the problems.
Girard started his ISSA talk by warning that he would not discuss details of the breach. He also wouldn’t talk to reporters. But he did talk about managing security breaches, with occasional cautious references to the incident.
Girard’s first piece of advice was to engage experts. “I don’t have all the answers. My team don’t have all the answers.” Bring in those who do as needed.
Next is to “have a playbook if you will of how you’re going to manage through an incident.” That should be in place so that when an incident happens, you’re not making up the response as you go along. Girard also suggested dividing planning into the short, medium and long term – what needs to happen in the next 24 hours, in the next couple of weeks, and after that.
But while he stressed advance planning, he also told his audience to “be prepared to call audibles,” which he explained as a football reference. In football, a quarterback who sees what the opposing defence is doing calls “audibles” to tell teammates to adjust the planned play accordingly. In a security crisis, “your adversaries will move, they’ll change direction,” so you may need to change plans quickly.
When a breach occurs, Girard said, it’s important to act immediately. There is no time to lose, and your superiors should back you up. “If not, then you should probably find a different place to work.”
A key point is to limit losses, Girard said. Certain information makes up the “crown jewels” of an organization. A former CIO for defence contractor General Dynamics Canada, Girard said he knew of one incident in which an unnamed defence contractor suffered a security breach that compromised plans for a large military project in which the U.S. Department of Defense had already invested $4 billion. The project was cancelled. “That type of breach could have a profound effect on the viability of an individual company.”
At Treasury Board, protecting the crown jewels after this year’s breach was apparently a key reason for shutting down internet access from employees’ computers until security problems were fixed. Girard admitted he heard from employees about it – “you’re impacting people’s ability to do their jobs in some cases.” He said the department tried to minimize the inconvenience, setting up internet access kiosks not connected to its networks.
Girard also had some advice on managing security day-to-day. He emphasized the importance of patch management and segmenting networks, advised limiting user privileges and “closing doors” where practical, and urged security staff to measure their progress constantly. “If you’re not getting better, you need to make some changes.”
He also said application whitelisting – specifying what software may run on both desktop PCs and servers – is a security precaution worth looking at.
In response to questions, Girard said he believes there have been “some pretty significant improvements” in cyber-security at Treasury Board since the breach, and that more than 75 per cent of the changes were technical ones.