Optus Data Breach Just the Beginning
The Optus Data Breach has, appropriately, directed huge focus onto the cyber security processes of that organisation. There are a number of very good analyses already available online (this one by Toby Murray is very good: https://verse.systems/blog/post/2022-09-25-optus-breach/). Importantly, this event demonstrates the limits of security technology to compensate for poor security processes.
But this really is just the very beginning of this security event. The consequences will echo on for months, probably years. Long after Optus has reviewed and remediated the root cause of their own security issue, and the CEO has resigned (maybe? – someone is going to have to take responsibility), Australians will be dealing with the targeted phishing, whaling and identity theft attacks that will follow.
For CIOs and IT Managers it is important to acknowledge that a significant number of your staff/end-users will be Optus customers. Those staff are now at higher risk of becoming entry points for hackers into your organisation. Particularly in the next few weeks there will be a huge opportunity for attackers to exploit the massive media coverage of this event to slip in under the cover of the confusion end-users will have around how to protect themselves from the consequences of this data breach. Again later, possibly years later, the flipside will present itself – when the media and your end-users have moved on and the Optus breach is no longer a hot topic – everyone’s guard will be down.
Practically speaking there are a few concrete steps that are worth taking now, and into the future:
- Communication – Let your end-users know right now that this is a particularly dangerous time for any staff who are Optus customers. Make them aware that attackers may use this event to impersonate Optus, or your own IT Department staff, with emails or messages that are actually designed to give the hackers a foothold into the organisation.
- Cyber Security Awareness – If you already have cyber security awareness and training systems in place, now would be a great time to send out a refresher course on identity protection and phishing attacks. And if you don’t have cyber security awareness systems in place – get one!
- Endpoint protection – Check the status and the capability of your end-point protection systems. When was the last time you got a report on your fleet? Is it running everywhere? Where do the alerts go? Are the agents up to date? If you can’t easily answer these questions, then it is time to get on that.
- Beyond Endpoint – You will want to look at your broader intrusion detection and protection capabilities too – in particular, email. Many attacks have nothing to do with viruses or unpatched systems; they simply exploit what is already allowed by the systems. Detection of anomalous behavior, through correlation of logging data and profiles of standard behavior, can help to identify these types of attacks. Indeed, it looks like in the Optus case it was the detection of a huge volume of requests that triggered the initial investigation.
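
The volume-based detection described in the last point, as an added example that is not part of the original post: each client's request count for the current hour is compared with a profile built from its own earlier hours (median plus a multiple of the median absolute deviation). The log format, client names, path, date and thresholds are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Assumed (constructed) log format: "<ISO timestamp> <client id> <method> <path> <status>"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z (\S+) \S+ \S+ \d{3}$")

def hourly_counts(lines):
    """Count requests per (client, hour bucket); malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            counts[(m.group(2), m.group(1))] += 1
    return counts

def flag_anomalies(counts, current_hour, k=6.0, min_requests=50):
    """Return {client: (count, threshold)} for clients far above their own baseline."""
    history = defaultdict(list)
    for (client, hour), n in counts.items():
        if hour != current_hour:
            history[client].append(n)
    flagged = {}
    for (client, hour), n in counts.items():
        if hour != current_hour or n < min_requests:
            continue  # low absolute volume is ignored to limit noise
        past = history.get(client, [])
        if not past:
            # No profile yet: a previously unseen client already at high volume.
            flagged[client] = (n, float(min_requests))
            continue
        med = median(past)
        mad = median(abs(x - med) for x in past) or 1.0  # avoid a zero-width band
        threshold = med + k * mad
        if n > threshold:
            flagged[client] = (n, threshold)
    return flagged

def sample_log():
    """Constructed sample: three quiet hours, then client-b spikes and client-c appears."""
    def reqs(hour, minute, client, n):
        return [f"2024-01-15T{hour}:{minute}:{i % 60:02d}Z {client} GET /api/items 200"
                for i in range(n)]
    lines = []
    for hour, a, b in [("09", 20, 30), ("10", 22, 28), ("11", 19, 33)]:
        lines += reqs(hour, "00", "client-a", a) + reqs(hour, "10", "client-b", b)
    lines += reqs("12", "00", "client-a", 21) + reqs("12", "10", "client-b", 900)
    lines += reqs("12", "20", "client-c", 120) + ["not a log line"]
    return lines

if __name__ == "__main__":
    print(flag_anomalies(hourly_counts(sample_log()), "2024-01-15T12"))
```

Hours in which a client made no requests do not appear in its history here, so a production profile would also need to account for idle periods and time-of-day patterns.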