Cyber Mayday and the Day After - Daniel Lohrmann - E-Book

Daniel Lohrmann

Description
Beschreibung

Successfully lead your company through the worst crises with this first-hand look at emergency leadership.

Cyber security failures made for splashy headlines in recent years, giving us some of the most spectacular stories of the year. From the SolarWinds hack to the Colonial Pipeline ransomware event, these incidents highlighted the centrality of competent crisis leadership. Cyber Mayday and the Day After offers readers a roadmap to leading organizations through dramatic emergencies by mining the wisdom of C-level executives from around the globe. It's loaded with interviews with managers and leaders who've been through the crucible and survived to tell the tale. From former FBI agents to Chief Information Security Officers, these leaders led their companies and agencies through the worst of times and share their hands-on wisdom. In this book, you'll find out:

* What leaders wish they'd known before an emergency and how they've created a crisis game plan for future situations
* How executive-level media responses can maintain - or shatter - consumer and public trust in your firm
* How to use communication, coordination, teamwork, and partnerships with vendors and law enforcement to implement your crisis response

Cyber Mayday and the Day After is a must-read experience that offers managers, executives, and other current or aspiring leaders a first-hand look at how to lead others through rapidly evolving crises.


Page count: 320

Publication year: 2021


Table of Contents

Cover

Praise for Cyber Mayday and the Day After

Title Page

Copyright

Introduction: Setting the Global Stage for Cyber Resilience

A NEW SENSE OF CYBER URGENCY

A PEEK BEHIND THE CURTAINS, AND THE MAKING OF CYBER MAYDAY AND THE DAY AFTER

THE THREE-PART BREAKDOWN

NOTES

PART I: A Leader's Guide to Preparing for the Inevitable

CHAPTER 1: If I Had a Time Machine

STARTING WITH THE UNKNOWNS – OR NOT?

AN ISOLATED PERSPECTIVE HAS MANY LIMITS

LEARNING FROM OUR PAST TO LEAD OUR FUTURE

FREQUENT RANSOMWARE ATTACKS PROMPT RESPONSE CAPABILITY ENHANCEMENTS IN NEW YORK STATE

LIKE A BAD PENNY

EDUCATION SECTOR TARGETED BY CYBERCRIMINALS

THE BATTLE CONTINUES

FIVE TAKEAWAYS

NOTES

CHAPTER 2: Fail to Plan or Plan to Fail: Cyber Disruption Response Plans and Cyber Insurance

THE MAKING OF THE MICHIGAN CYBER INITIATIVE

CONFRONTING CYBER EMERGENCIES: THE MICHIGAN CYBER DISRUPTION RESPONSE PLAN

U.S. FEDERAL GOVERNMENT GUIDANCE ON SECURITY INCIDENT HANDLING

POSITIVE SECURITY AND RISK MANAGEMENT FOR INTERNATIONAL ORGANIZATIONS

CHANGES IN THE PLANNING APPROACH POST-INCIDENT

THE WISCONSIN GOVERNMENT APPROACH TO CYBERSECURITY INCIDENT RESPONSE

A PRIVATE SECTOR PERSPECTIVE ON COMPUTER SECURITY INCIDENT RESPONSE

INCIDENT RESPONSE AND CYBER INSURANCE

NOTES

CHAPTER 3: Practice Makes Perfect: Exercises, Cyber Ranges, and BCPs

THE IMPORTANCE OF CYBER EXERCISES

HISTORY OF CYBER STORM EXERCISES

MICHIGAN PARTICIPATION IN CYBER STORM I

CYBER SCENARIOS, EXERCISE PLANS, AND PLAYBOOKS

HELP AVAILABLE, FROM A CYBER RANGE NEAR YOU

INTERNAL BUSINESS CONTINUITY PLANNING (BCP) PLAYERS

DESIGNING YOUR BCP IN ACCORDANCE WITH YOUR COMPANY'S MISSION

WHERE NEXT WITH YOUR BCP?

HOW OFTEN SHOULD WE BE RUNNING OUR BCPs?

AUTOMATED RESPONSES TO INCIDENTS

NOTES

CHAPTER 4: What a Leader Needs to Do at the Top

BUILDING RELATIONSHIPS WITH YOUR BUSINESS LEADERS

SPEAK THEIR LANGUAGE

LAYING THE GROUNDWORK

SECURITY VARIANCE

THE FUNDAMENTALS AND TOP MITIGATION STRATEGIES

SECURITY NEEDS TO HAVE A BUSINESS PURPOSE

FIGHTING THE INNATE NATURE OF A CISO

HOW SHOULD A SENIOR EXECUTIVE APPROACH CYBER ISSUES?

WHAT CAN THE BOARD CHANGE?

STORY-BASED LEADERSHIP

SETTING A SUPPORTIVE CULTURE LEADS TO CREATIVE SOLUTIONS

NOTES

PART II: Cyber Mayday: When the Alarm Goes Off

CHAPTER 5: Where Were You When the Sirens Went Off?

THE STORY OF TOLL

FINE-TUNE YOUR BCP

CYBER CRISIS IN PANDEMIC TIMES

MICROSCOPIC LESSONS – DAY ONE OF THE INCIDENT

THE RECOVERY

IMPROVEMENT WITH HINDSIGHT

THIRD-PARTY RISKS AND CYBER INSURANCE

EFFECTIVE LEADERSHIP IN TIMES OF CRISIS

A SUPPORTIVE MANAGEMENT HELPS BRING RESULTS

NOTES

CHAPTER 6: Where Do We Go When the Power Goes Off?

ASSESSING THE SITUATION

ESTABLISHING ORDER

CYBER TEAMWORK DURING A BLACKOUT

STEPPING BACK TO STEP FORWARD

PEOPLE, PROCESS, AND TECHNOLOGY IN CYBER EMERGENCIES

CISO MINDSET REGARDING SECURITY INCIDENTS

DEFINING SECURITY OPERATIONS?

MEASURING RESULTS: KEY PERFORMANCE INDICATORS

INFORMATION SHARING

STRENGTHENING PLAYBOOKS

MULTI-STATE SECURITY OPERATIONS

NOTES

CHAPTER 7: Teamwork in the Midst of the Fire

A BIG STEP BACK – AND ANALYZING WHAT WENT RIGHT AND WRONG WITH THE JCTF PROCESSES

A PRIVATE SECTOR INCIDENT WITH A (SOMEWHAT) HAPPY ENDING

GREAT LEADERS FOSTER TEAMWORK – BUT HOW?

SEVEN TIPS TO IMPROVE TEAMWORK

NOTES

CHAPTER 8: What Went Right?

SWIFTNESS MATTERS

PROACTIVE LEADERSHIP AND TRANSPARENCY AS KEY FACTORS

AVIATION INDUSTRY LESSONS FROM A CRISIS COMMUNICATIONS RESEARCHER

COMMUNICATING CYBER CRISIS WITH CONSOLE

MEET THE WORLD'S FIRST CISO

THE BASIC KEYS OF DISASTER RESPONSE

THE PROBLEM WITH MISINFORMATION

THE STOCKWELL TUBE INCIDENT

NOTES

PART III: The Day After: Recovering from Cyber Emergencies

CHAPTER 9: The Road to Recovery

CYBER MINDSETS FROM A WAR ZONE

HINDRANCES TO AVOID

ASYMMETRIC HYBRID WARFARE (AHW)

THE ROAD TO NO RECOVERY

THE FIRST STEP IN COMMUNICATION

THE FOUR STEPS OF A CRISIS-READY FORMULA

KEY ACTIONS FOR RECOVERY

NOTES

CHAPTER 10: What Went Wrong – How Did We Miss It?

MISTAKES AND SOLUTIONS IN WISCONSIN

HOSPITAL RANSOMWARE – AND LEARNING FROM MISTAKES

HOW OVERCONFIDENCE CAN IMPACT ORGANIZATIONAL SECURITY AND CAUSE DATA BREACHES

REFLECTING ON INCIDENTS WITH A MENTOR

NOTES

CHAPTER 11: Turning Cyber Incident Lemons into Organizational Lemonade

ARE WE LEARNING FROM THESE TRUE STORIES?

CALLS FOR MORE RESILIENCE AND DOING MUCH BETTER

MORE LESSONS LEARNED

BACK TO THE BEGINNING: A CIRCULAR APPROACH TO INCIDENT RESPONSE DURING CYBER EMERGENCIES

A HELPFUL HOSPITAL EXAMPLE

MAKING LEMONADE

FIVE LESSONS FROM THE HOSPITAL ATTACK

FIVE LESSONS FROM DIVERSE INFORMATION SHARING AND ANALYSIS CENTERS (ISACs)

BRINGING IT ALL TOGETHER

THE ECOSYSTEM VIEW

LEADING BY EXAMPLE

NOTES

Free Cyber Incident Resources

CYBER INCIDENT RESPONSE PLANNING AND PLANS

STANDARDS, FRAMEWORKS, AND POLICIES

EXERCISE TEMPLATES

CYBER STRATEGY DOCUMENTS

INCIDENT RESPONSE PLAYBOOKS

CERT RESOURCES

CYBER INSURANCE GUIDANCE

LESSONS LEARNED DOCUMENTS

TRAINING OPPORTUNITIES, INCLUDING CYBER RANGES

LAWS AND REPORTING ON DATA BREACHES AND PROTECTING DATA

CRISIS COMMUNICATIONS

Acknowledgments

About the Authors

Index

End User License Agreement

List of Illustrations

Chapter 2

FIGURE 2.1 Five Core Functions of NIST Cybersecurity Framework

Chapter 8

FIGURE 8.1 5x5x5 National Intelligence Model

Chapter 11

FIGURE 11.1


PRAISE FOR CYBER MAYDAY AND THE DAY AFTER

“This is the first practical book on cybersecurity I could not put down – it wouldn't let me. It is filled with easily relatable true stories and facts. It's exceptionally well-written and engaging, and nearly every page contains a gem of practical advice. This work is simply indispensable for all public managers to read, absorb, and act. Lohrmann's and Tan's frontline cyber experience brings years of collective wisdom together into one wonderful fact-filled book that one will treasure and will want to always have by their side.”

Dr. Alan R. Shark, Executive Director of CompTIA's Public Technology Institute (PTI)

“Most leaders I speak with have ‘cybercrime headlines’ fatigue. We all need a guidebook and to know we are not alone. A must-read on every leader's list is the collaborative book project by Dan and Shamane; they hit it out of the park with Cyber Mayday and the Day After! This is an extraordinary book, brilliantly put together for today's leaders as our modern world of cyberattacks does not discriminate between businesses and individuals. They have done a splendid job in storytelling and capturing battlefront lessons, revealing degrees of knowledge and wisdom in such a riveting way.

“If you are in the cybersecurity industry, a business leader, or an executive, this is the book you should read next. Readers will walk away with insights and knowledge gathered from behind the scenes. They summarize their findings in an effective guide to preparing, managing, and responding to future cyber maydays.”

Theresa Payton, The White House's first female CIO, author of Manipulated, CEO of Fortalice Solutions

“Cyber Mayday and the Day After is a book that everyone who cares about the survivability of their business should read. The insights and suggested approaches to the vast problem we face in setting up our defenses and better responding to cyberthreats in this book are top-notch. The authors have made a complex problem clear and easy to understand and have based their guidance on methods that make a difference. To be blunt, read this book now!”

Dr. Chase Cunningham, cybersecurity expert, known as “Dr. Zero Trust,” author of Cyber Warfare—Truth, Tactics, and Strategies and the new novel gAbrIel

“In my long career in cybersecurity, I have read and written about incident response, what it is, and why CISOs and their businesses should care. In Cyber Mayday and the Day After authors Daniel Lohrmann and Shamane Tan take it a step further and provide an exceptional guide on how businesses today can prepare and survive an incident. It is well-written with excellent insight into what it takes for security and business leaders to be resilient. I really enjoyed the chance to read this book and believe it will be an excellent resource for our community.”

Gary Hayslip, CISO of Softbank Investment Advisors

“As organizations face the continual onslaught of cyberattacks, leaders need a practical guide to understand where to start, how to prioritize, and what to do when the inevitable breach occurs. The amount of data available today describing what leaders can and should do is overwhelming. Cyber Mayday and the Day After provides a roadmap with specific examples, where leaders can learn from their peers and chart a course that fits their organizations to ensure that they are prepared for today and tomorrow. The book is a must-read for business and government CIOs, CISOs, and other government leaders.”

Teri Takai, Executive Director of the Center for Digital Government, former CIO for the U.S. Department of Defense (DoD), and former CIO for the states of California and Michigan

“Dan Lohrmann and Shamane Tan have written a truly important book on what to do when cyber calamity inevitably strikes. It is both an extensive resource and an operating manual for anyone in cybersecurity leadership roles (plus anyone connected online). With the growing digital ecosystem of billions of devices and sensors, we are all potential (and likely) targets of sophisticated hackers abetted by automated technologies searching for cyber vulnerabilities. Their book provides strategies and plans for gap analysis, incident response, and especially resilience. Disruptive breaches are going to happen no matter what. Reading and keeping Cyber Mayday and the Day After: A Leader's Guide to Preparing, Managing, and Recovering from the Inevitable as a ready reference is indispensable.”

Chuck Brooks, President of Brooks Consulting International, Georgetown University Adjunct Professor, Named Top Tech Person to Follow by LinkedIn

“Loved the book! In a world of never-ending ‘shock’ statistics and cyber doom mongering, Shamane and Dan combine the power of storytelling and practical checklists in a refreshing way to help cyber and risk management professionals increase their cyber resilience. Read the airport data leakage or CISO hire-gone-wrong examples in Chapter 1 and ask yourself, ‘Could that be my company?’ If so, I highly recommend that you read the rest of the book. Learn from it. Apply the many resilience blueprints. And then share it with someone you care about.

“Written in their usual engaging and deceptively simple style, Cyber Mayday and the Day After is an invaluable reference guide for today's cyber risk management community.”

Ellie Warner, Global Head, Training and Awareness, Trust Data and Resilience, Standard Chartered Bank

“Writing a book on cybersecurity is a tricky business. It could dive into low-level technical details or float too high, proffering overly general advice, either way losing the reader. A practicing or aspiring CISO is looking for pointers to prevent, manage, and recover from cyber incidents. This book, organized in three sections of pre-attack preparation, on-attack actions, and post-attack recovery, hits the sweet spot by driving home the points through context-appropriate case studies presented in lively prose. The case studies presented by the authors, mostly from recent times, offer a rich trove of knowledge for any security practitioner. The authors have taken the extra step of interviewing the CISOs in these case studies and brought out subtle nuances of their thought processes and how they execute their actions. This easy-reading book is a must in every security practitioner's bookshelf.”

Dr. Siva Sivasubramanian, Chief Information Security Officer, Singtel Optus

CYBER MAYDAY AND THE DAY AFTER

A LEADER'S GUIDE TO PREPARING, MANAGING, AND RECOVERING FROM INEVITABLE BUSINESS DISRUPTIONS


Copyright © 2022 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Library of Congress Cataloging-in-Publication Data is Available:

ISBN: 978-1-119-83530-1 (Hardback)

ISBN: 978-1-119-83532-5 (ePDF)

ISBN: 978-1-119-83531-8 (ePub)

COVER DESIGN: PAUL MCCARTHY

COVER ART: GETTY IMAGES: AERIALPERSPECTIVE IMAGES / JOSE A. BERNAT BACETE

Introduction: Setting the Global Stage for Cyber Resilience

We worried for decades about WMDs – weapons of mass destruction. Now it is time to worry about a new kind of WMDs – weapons of mass disruption.

–John Mariotti

Tuesday, May 1, 2035

Something was not right.

As Julie stood by the front door of her parents' home in Park Ridge, Illinois, her A-ride (slang for autonomous transportation) was nowhere in sight. She was going to be late for work. “My new boss is going to be furious,” she inwardly panicked.

This was the one day a month that she actually was required to be downtown for a team meeting, and her 7:15 a.m. FastUber pickup (with nonstop express service to the Chicago Loop) was nowhere to be found. And FastUbers are never late.

“Miranda – where is my ride? What's going on? Where are all the cars?”

Strange, no response from her automated assistant, which usually answered her questions before she even finished her sentences. Julie momentarily thought about her grandmother as she peered angrily at the small speaker over her glasses. She briefly smiled when she thought about how she nicknamed her personal assistant Miranda, in memory of her grandmother.

“Now I'm pissed! I even paid extra for express today.” As Julie noticed that both the children across the street and Mr. Stevens next door were also waiting for their rides, she realized something else must be happening. A new emotion overcame her – fear.

Julie went back in the house and shouted at the wall. “NEWS!”

A holographic image of CNN lit up the room, showing two reporters standing under a chyron reading: “BREAKING NEWS.” An artificial intelligence voice announced: “Widespread impact is simultaneously hitting global airports, Wall Street firms, international banks, the London Underground, Australian ports, and thousands of educational learning centers.”

Julie posed her question to the hologram: “Do you believe this may be a nation-state attack?”

A reporter standing in front of New York's One World Trade Center responded: “That's certainly a likely possibility. Mass transit has stopped, banks are down, some cities are experiencing power outages, hospitals are on emergency generators, school technology is down, universities have canceled classes, and, most shocking of all – trading floors from London to New York to Chicago are now closed.

“Hold on a moment, please, we are receiving word that the president of the United States has just declared a Nationwide Cyber Emergency, under the authority of the Cyber Disruption Act of 2028.”

A NEW SENSE OF CYBER URGENCY

While this 2035 Mayday scenario is just fiction, the bombardment of daily security incidents is beyond eye-opening in real life. With the ongoing digital transformation, which accelerated even faster in diverse areas of society and every corner of the globe during the COVID-19 pandemic, the impact of cyber emergency incidents has been felt from hospitals to high schools, from elections to electric grids, from main street retailers to Wall Street bankers, and from small-town PTA meetings to United Nations Security Council meetings.

The following quotes are very real, coming after an unprecedented barrage of cyberattacks hit global governments and businesses in 2020 and 2021:

President Joe Biden:

“We've elevated the status of cyber issues within our government,” President Biden said in a national security speech at the State Department. “We are launching an urgent initiative to improve our capability, readiness, and resilience in cyberspace.”1

U.S. Federal Reserve Chairman Jerome Powell:

When we talk about cyber risk, what kind of scenarios are we looking at? U.S. Federal Reserve chairman Jerome Powell responded to host Scott Pelley, as part of a 60 Minutes interview, “All different kinds. I mean, there are scenarios in which a large payment utility, for example, breaks down and the payment system can't work. Payments can't be completed. There are scenarios in which a large financial institution would lose the ability to track the payments that it's making and things like that. Things like that where you would have a part of the financial system come to a halt, or perhaps even a broad part.”

Powell continued: “And so we spend so much time and energy and money guarding against these things. There are cyber attacks every day on all major institutions now. And the government is working hard on that. So are all the private sector companies. There's a lot of effort going in to deal with those threats. That's a big part of the threat picture in today's world.”

Pelley: “How have we gotten away with not having a disaster like that?”

Powell: “You know, I don't want to jinx us. I would just say we've worked very hard at it. A lot of us have worked very hard at this and invested a lot of time and money and thought. And worked collaboratively [sic] with our allies and with other government agencies. But there's never a feeling at any time that you've done enough or that you feel safe.”2

FireEye CEO Kevin Mandia during U.S. Senate testimony on the SolarWinds breach:

“Early in our investigation, we uncovered some tell-tale signs that the attackers were likely working for and trained by a foreign intelligence service. We were able to discover and identify these signs in reliance upon our catalog of the trace evidence of thousands of computer intrusion investigations conducted over the last 17 years. We record the digital fingerprints of every investigation we have undertaken with great rigor and discipline, and we are often able to use this catalog of evidence in order to attribute the threat actors in many of the incidents we respond to.

“Based on the knowledge gained through our years of experience responding to cyber incidents, we concluded that we were witnessing an attack by a nation with top-tier offensive capabilities. This attack was different from the multitude of incidents to which we have responded throughout the years. The attackers tailored their capabilities specifically to target and attack our company (and their other victims). They operated clandestinely, using methods that counter security tools and forensic examination. They also operated with both constraint and focus, targeting specific information and specific people, as if following collection requirements. They did not perform actions that were indiscriminate, and they did not appear to go on ‘fishing expeditions.’

“Such focused targeting, combined with the novel combination of techniques not witnessed by us or our partners in the past, contributed to our conclusion that this was a foreign intelligence actor. Therefore, on December 8, 2020, we publicly disclosed that we were attacked by a highly sophisticated threat actor – one whose discipline, operational security, and techniques led us to believe it was a state-sponsored attack utilizing novel techniques… .”3

Microsoft president Brad Smith:

“The Russians did not just want to get inside the houses of the victims. They wanted to find the most interesting valuables, which to them meant reading, examining, and in some cases taking data and information. Just as they used many ways to initially attack their victims and open a back door, they also used a variety of ways to compromise identity.

“It is important to understand this aspect of the attack: Unlike some attacks that take advantage of vulnerabilities in software, this attack was based on finding and stealing the privileges, certificates, tokens or other keys within on-premises networks (which together is referred to as ‘identity’) that would provide access to information in the same way the owner would access it. This approach was made much easier in networks where basic cybersecurity hygiene was not being observed – that is, where the keys to the safe and the car were left out in the open.”4

SolarWinds CEO Sudhakar Ramakrishna:

“We believe that the entire software industry should be concerned about the nation state attack as the methodologies and approaches that the threat actor(s) used can be replicated to impact software and hardware products from any company, and these are not SolarWinds-specific vulnerabilities.

“To this end, we are sharing our findings with the broader community of vendors, partners, and users so that together, we ensure the safety of our environments.”5

Federal chief information security officer Christopher J. DeRusha:

“We are at a crossroads for the nation's cybersecurity. The SolarWinds incident exposed gaps in our cybersecurity capabilities and risk management programs, not just in the federal government, but in some of the most mature and well-resourced companies in the world. This event should serve as both a wakeup call and a galvanizing opportunity for the federal government and industry to come together and tackle these threats with renewed resolve. This collaboration is critical, as private-sector entities have primary responsibility for the defense and security of their networks. The government must communicate threat assessments to inform private-sector security operations and ensure common situational awareness.

“This incident comes amid a series of aggressive and high-profile attacks on federal systems, attempted theft of the data used to develop the COVID-19 vaccines, ransomware attacks on U.S. hospitals, and new technology and security challenges that arose with the rapid shift to remote work. These myriad challenges underscore the importance and urgency of modernizing federal IT and strengthening U.S. cybersecurity capabilities.”6

U.S. Senator Ben Sasse (R-Neb.) after a critical U.S. fuel pipeline system was shut down by a cyberattack in early May 2021:

“There's obviously much still to learn about how this attack happened, but we can be sure of two things: This is a play that will be run again, and we're not adequately prepared. If Congress is serious about an infrastructure package, at front and center should be the hardening of these critical sectors.”

Australian prime minister Scott Morrison:

“Based on advice provided to me by our cyber experts, Australian organizations are currently being targeted by a sophisticated state-based cyber actor.

“This activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, central service providers, and operators of other critical infrastructure.”7

A PEEK BEHIND THE CURTAINS, AND THE MAKING OF CYBER MAYDAY AND THE DAY AFTER

So why did we write this book?

First, we are passionate about cybersecurity. We love to share true stories and cybersecurity challenges and solutions in numerous ways, including our books, blogs, magazine articles, social media, global speeches, podcasts, and more.

Second, we believe that our unique backgrounds, experiences, and cultures offer a powerful combination of award-winning cybersecurity leadership experiences, partnerships, and stories. This book is intended for a global audience; in addition to a rich resource of insights brought in from around the world, Dan brings a U.S. perspective, while Shamane lives in Australia and works extensively throughout the Asia-Pacific region.

Third, this is a vital topic for the world at this time. The earlier quotes make that abundantly clear.

Fourth, other materials on this cyber topic tend to cover cyber incident response, cybersecurity emergency planning, cyber exercises, and related people/process/technology materials from one of two approaches. Some take an academic approach and offer checklists and detailed frameworks, such as walking the reader through the implementation of the five-function NIST Cybersecurity Framework: identify, protect, detect, respond, and recover. Other materials offer ad hoc stories and fun facts about statistics and costs associated with data breaches, ransomware, and a long list of other security incidents.

While we reference many of these works at the end of the book and point readers to helpful resources throughout, our goals are to bring cyber incident response and the associated planning, response, and recovery to life with true stories that offer compelling lessons and provide practical, actionable advice from leading global technology and security leaders and business executives who have been through the storm. We want to provide CxOs, directors, managers, technology professionals, and frontline business people with the tools they need to prepare for inevitable security incidents.

Bottom line, we offer powerful stories that motivate, along with cyber plans and free resources with practical steps that can be taken from small businesses to large enterprises in the public and private sectors. The goal: cyber resilience that will prepare your team and get you through most cybersecurity challenges you will likely face.

THE THREE-PART BREAKDOWN

The book is presented in three parts: Part I: A Leader's Guide to Preparing for the Inevitable; Part II: Cyber Mayday: When the Alarm Goes Off; and Part III: The Day After: Recovering from Cyber Emergencies.

Part I presents the gift of a time machine, seeking hindsight from top industry leaders around the globe and things we can do differently before having to go through any cyber emergencies. We cover playbooks from cyber disruption to risk transfer options, and explore the power of “perfect practice.” We also unpack a handbook specifically for leaders at the top, and the keys of proactive leadership.

Part II is when Cyber Mayday hits! We walk through real-life cyber emergency incidents and what actually happens when the alarm goes off. In that split second when the virtual walls are crumbling down, what are the most important steps to take and where to go? Who are the players you should be working with in times of crisis and immense pressure? And, in the midst of your Mayday, what can go right?

The chapters in Part III address critical issues when you finally have some breathing space. This is the opportune time to be intentional and reflect on what went wrong, how to recover, and how to level up in your strategy.

This exploration of the tales, woes, and lessons of leaders is a gift of hindsight and insight, one that will equip current and next-generation business leaders with the foresight they need to keep leading at the front line. We hope you take away a great deal from your time spent with us; enjoy.

NOTES

1. President Joe Biden speech, quoted in Maggie Miller, “Biden: US Taking ‘Urgent’ Steps to Improve Cybersecurity,” The Hill, February 4, 2021, https://thehill.com/policy/cybersecurity/537436-biden-says-administration-launching-urgent-initiative-to-improve-nations.

2. “Jerome Powell: Full 2021 60 Minutes Interview Transcript,” 60 Minutes, April 11, 2021, https://www.cbsnews.com/news/jerome-powell-full-2021-60-minutes-interview-transcript/.

3. “Prepared Statement of Kevin Mandia, CEO of FireEye, Inc. before the United States Senate Select Committee on Intelligence,” February 23, 2021, https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-022321.pdf.

4. “Testimony of Microsoft President Brad Smith before the United States Senate Select Committee on Intelligence,” February 23, 2021, https://www.intelligence.senate.gov/sites/default/files/documents/os-bsmith-022321.pdf.

5. “Written Testimony of Sudhakar Ramakrishna, Chief Executive Officer, SolarWinds Inc. before the United States Senate Select Committee on Intelligence,” February 23, 2021, https://www.intelligence.senate.gov/sites/default/files/documents/os-sramakrishna-022321.pdf.

6. “Testimony of the Federal Chief Information Security Officer Christopher J. DeRusha, United States Senate Homeland Security and Governmental Affairs,” March 18, 2021, https://www.hsgac.senate.gov/imo/media/doc/Testimony-DeRusha-2021-03-18.pdf.

7. Gloria Gonzalez, Ben Lefebvre, and Eric Geller, “‘Jugular’ of the U.S. Fuel Pipeline System Shuts Down after Cyberattack,” Politico, May 8, 2021, https://www.politico.com/news/2021/05/08/colonial-pipeline-cyber-attack-485984.

PART I: A Leader's Guide to Preparing for the Inevitable

CHAPTER 1: If I Had a Time Machine

The real trick in life is to turn hindsight into foresight that reveals insight.

—Robin Sharma

Imagine going back in time to watch and listen and change things.

Where would you go? And to what point in time?

Do you have the knowledge, tools, and influence to change things for the better? If so, who would you interact with to alter the specific outcome(s)? What one (or perhaps two or three) things would you do differently, and why?

Yes, you can ponder these questions about virtually any area of life. This book, however, specifically addresses cybersecurity incidents, and other emergency situations with significant cyber components, that have impacted, are impacting, or will impact global organizations in substantial ways.

Looking further ahead, society is growing ever more reliant on resilient infrastructures, which demand functioning cyber protections built from people, process, and technology. If we fail, the consequences will be dramatic in real life.

This journey must start with the lessons from the past. We can learn from stories from global cyber leaders and practitioners who have been through cyberattacks and come out stronger. Along the way, we will point to frameworks, checklists, standards, protocols, white papers, and other helpful materials.

If we are going to be equipped for the inevitable cyber storms that are coming in the decades ahead, we must learn from each other and improve faster than the bad actors who are causing such online destruction. In doing so, we first explore what works and is repeatable regarding cyber incident response.

STARTING WITH THE UNKNOWNS – OR NOT?

“I don't want to know, and I don't care to know. If I don't know about it, it does not exist.” Shocking, but in fact, there are many business leaders who think this way.

The truth is that some data takes only minimal effort to discover, and once you realize what information is out there and accessible to anyone (including malicious actors), you will have no choice but to care. Shamane, chief growth officer at Privasec (a Sekuro company), a top-tier, vendor-agnostic cybersecurity firm, leads its security outreach strategy team, spearheading industry awareness initiatives while working closely with CISOs (chief information security officers) to bridge their business gaps. She met Todd Carroll, a former 20-year FBI cyber intelligence leader, virtually at a cybersecurity summit she organized, where he shared an intriguing story. Todd walked through one of the real-world findings that CybelAngel's data leak detection technology came across a few years ago.1 CybelAngel detects exposed data, devices, and services outside the enterprise perimeter so that they can be remediated before the exposure is weaponized. In this instance, it picked up several pieces of information that pointed to a much bigger problem involving several airports, their ecosystem, and the exposure of their data.

The thing is, data is always being shared. The aviation industry, like every other industry, works with third parties. The moment an organization shares information with a third party, it loses visibility into, and control over, what is done with that data, regardless of its best efforts or intentions.

In this case, when CybelAngel ran a keyword search and ongoing monitoring on terms related to airport security, it detected nearly 10,000 publicly reachable servers on which over 400 blueprints of airports worldwide were identified, sitting on unprotected third-party connected devices or in misconfigured cloud storage.
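The detection described above, keyword-driven monitoring of files that turn up on servers and storage outside your own perimeter, can be sketched in a few dozen lines. The following is an added example written for this chapter; it is not CybelAngel's code, and the inventory it scans is constructed (fictitious hosts and paths in the shape an external asset-discovery crawl might emit). The watch terms, the sensitivity patterns, and the severity rules are assumptions chosen for illustration. It keeps only files that mention a term tied to the monitored organization, classifies them by the kind of content that makes an exposure dangerous, rates them (world-readable and procedure- or credential-related counts as critical), and groups the result into one remediation request per exposing third party, which is the shape the notification to the impacted organizations takes in the story.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample inventory (fictitious hosts and paths), in the shape an
# external asset-discovery crawl of open directory listings and world-readable
# buckets might emit: host,path,access
SAMPLE_INVENTORY = """\
files.example-vendor.test,/share/ops/terminal_b_camera_layout.dwg,anonymous
files.example-vendor.test,/share/ops/README.txt,anonymous
storage.example-cloud.test,/backups/badge_application_signed.pdf,anonymous
storage.example-cloud.test,/backups/holiday_photos.zip,anonymous
nas.example-partner.test,/public/airside_security_procedures.docx,anonymous
nas.example-partner.test,/public/fuel_line_diagram.pdf,authenticated
"""

# Keywords that tie a file to the monitored organization (assumed watch list).
WATCH_TERMS = ("terminal", "airside", "badge", "fuel line")

# Content classes that make an exposure dangerous, keyed by a regex on the path
# (assumed classification; a real deployment would also inspect file contents).
SENSITIVE_PATTERNS = {
    "facility_blueprint": re.compile(r"blueprint|layout|diagram|floorplan|\.dwg$", re.I),
    "access_credential_form": re.compile(r"badge|access[ _-]?(form|application)", re.I),
    "security_procedure": re.compile(r"(security|safety)[ _-]?(procedure|polic)", re.I),
}

CRITICAL_CLASSES = {"access_credential_form", "security_procedure"}


@dataclass(frozen=True)
class Finding:
    host: str
    path: str
    classes: tuple
    severity: str


def normalize(path: str) -> str:
    """Treat '_', '-' and '/' as spaces so 'fuel_line' matches 'fuel line'."""
    return re.sub(r"[_\-/]+", " ", path).lower()


def in_scope(path: str, watch_terms=WATCH_TERMS) -> bool:
    """A file is ours to worry about only if it mentions one of our watch terms."""
    text = normalize(path)
    return any(term in text for term in watch_terms)


def classify(path: str) -> tuple:
    """Return every sensitive content class whose pattern matches the path."""
    return tuple(name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(path))


def severity_of(classes, access: str) -> str:
    if access != "anonymous":
        return "medium"  # still a third-party leak, but not world-readable
    return "critical" if CRITICAL_CLASSES & set(classes) else "high"


def scan_inventory(text: str, watch_terms=WATCH_TERMS) -> list:
    """Filter a crawl inventory down to in-scope, sensitive files with a rating."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, path, access = (field.strip() for field in line.split(",", 2))
        if not in_scope(path, watch_terms):
            continue
        classes = classify(path)
        if not classes:
            continue
        findings.append(Finding(host, path, classes, severity_of(classes, access)))
    return findings


def remediation_queue(findings) -> dict:
    """One ticket per exposing host, with that host's findings worst-first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    by_host = defaultdict(list)
    for finding in findings:
        by_host[finding.host].append(finding)
    return {
        host: sorted(items, key=lambda f: rank[f.severity])
        for host, items in sorted(by_host.items())
    }


if __name__ == "__main__":
    for host, items in remediation_queue(scan_inventory(SAMPLE_INVENTORY)).items():
        print(host)
        for f in items:
            print(f"  [{f.severity}] {f.path}  classes={','.join(f.classes)}")
```

Two caveats a practitioner would add. Path-based matching is a first pass only; the story's most damaging finds (completed badge forms, procedures on how to disable the security system) were recognized from their contents, so a real pipeline parses the documents as well. And the access column matters for triage but not for scope: a file that needs a login on a partner's NAS is still your data sitting where you cannot see who reads it.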

Some of these blueprints were extremely detailed, including the location and angle of the security cameras, which of them were motion activated or had facial recognition capabilities, and even precise information on how to access and take control of them. The blueprints also showed the location of detention rooms hidden from the public, the runways, and the routing of the fuel lines from the tanks to the runway, where fuel is pumped into the aircraft wings.

There were blank, pre-signed security access application forms that, in the wrong hands, could have been used to obtain access to airport facilities. There were also completed security badge application forms bearing official stamps and signatures, and over 300 files describing safety procedures and policies. Those procedures included instructions on how to bypass the whole security system, and how to deactivate it.

There were also identity details of air marshals and departure and arrival dates, as well as the list of weapons they are allowed to carry on planes. Such intricate information can easily serve as a blueprint for a terrorist attack.

The frightening part of all of this is that the data was found on third-party servers in many countries, including the United States, France, the UK, India, Spain, and others.

Fortunately, the findings were reported to the impacted organizations in time, and the FBI and Interpol worked on closing the thousands of open servers around the globe. Imagine the terrorist attack that could have occurred had this information gone undiscovered through lack of interest and sheer obliviousness.

As the world continues establishing even more interconnectivity, it becomes more critical than ever to position industry leaders to have better foresight before a crisis even happens.

AN ISOLATED PERSPECTIVE HAS MANY LIMITS

John Yates, QPM, is a former assistant commissioner in the London Metropolitan Police Service. He retired in November 2011 after a 30-year career. In his last role, John was the UK lead for counterterrorism and the most senior advisor to the prime minister and home secretary on law enforcement issues relating to terrorism. In this role he was also responsible for protecting the royal family and senior government ministers as well as the Houses of Parliament and Heathrow Airport.

John is currently the director of security for Scentre Group, which owns and operates Westfield Shopping Centres in Australia and New Zealand. He shared his lessons for the cyber industry from his counterterrorism days: