Terry Cutler – The Ethical Hacker

A lesson on the need for incident playbooks learned the hard way

Howard Solomon @howarditwc
Published: January 9th, 2019

When consumers type their names into a search engine, they want to know how much personal information about them is on the public Internet.

What they shouldn’t find is private information a trusted organization is supposed to protect.

So a U.S. woman was stunned recently when she Googled her name and up popped an image of her driver’s licence. She had submitted the scanned image of her licence to an Atlanta-area school board after applying to be a substitute teacher.

The link behind the photo led to an open file holding many other personal identity documents that had been filed by applicants. Those documents — including images of passports — could easily have been used to create phony identities.

The school board stored those images in a folder on a secure server. However, on Dec. 22 the district’s cloud-based web server crashed due to a vendor-related event. It was restored on Dec. 24, but according to a Jan. 4 news report the crash had corrupted security software, leaving the data unprotected.

It wasn’t fixed until a TV reporter, whom the woman had called, notified the school board.

It’s an example of how IT teams not only have to think things through but also must not rush, says a veteran penetration tester who looks for holes in enterprise systems. Misconfigured systems are “one of the main reasons why I break into companies,” said Terry Cutler, vice-president of cyber security at Montreal-based Sirco Group.

“I think these guys [at the school district] panicked and did whatever they could to rebuild the server and put it back online as soon as possible. So they misconfigured the system.”

“Those guys obviously didn’t do their audit. Had they run a vulnerability scan they would have found it. A scan would have picked it up as critical. Even if they had done an advanced Google search and typed in ‘site:’ and the name of the [district] web site it would show every web site linked, and it would have shown up.”

The lesson is that IT must have processes for staff to follow when restoring any server that has been knocked offline, to ensure pre-incident security is restored.

The U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework outlines five functions CISOs should follow to create a mature cyber security program. One of them is Respond, which urges IT leaders to create processes to oversee response and restoration of service.

Sometimes these processes are called playbooks: detailed instructions on how to respond to a variety of expected issues. Playbooks first identify an organization’s assets, weaknesses and expected threats, then lay out how to respond to a range of problems. Experts also say playbooks must be tested to make sure they are relevant, and that they work.
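One way to make a restoration playbook step concrete is to turn the “did security come back with the data?” question into a check that runs before a restored server is declared fixed. The script below is an added example written for this article; it is not code from the school district, its vendor, or NIST. It assumes a Linux host where applicant documents live under a directory that must never be readable by “other”, and a list of URLs that must never answer 200. The HTTP probe is injected as a function, so the sample here runs offline against constructed responses; the file tree and the `district.example` URLs are constructed for the demo.

```python
"""Post-restore verification: one playbook step expressed as a check.

Added example, not code from the article. Names such as Finding,
check_world_readable and run_post_restore_checks are hypothetical.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Finding:
    check: str    # which playbook check failed
    target: str   # the path or URL that failed it
    detail: str   # the observed mode or HTTP status


def check_world_readable(root: str) -> List[Finding]:
    """Flag every file or directory under root that is readable by 'other'.

    A restore that brought the data back but not its access controls shows
    up here: the files exist, but with permissive default modes.
    """
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in [*dirnames, *filenames]:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & stat.S_IROTH:
                findings.append(Finding("world-readable", path, oct(stat.S_IMODE(mode))))
    return findings


def check_not_public(urls: Iterable[str], probe: Callable[[str], int]) -> List[Finding]:
    """Every URL that must stay private has to answer with a deny or not-found.

    probe(url) returns an HTTP status code. It is passed in so the check can
    run offline in tests and against a real client in production.
    """
    findings: List[Finding] = []
    for url in urls:
        status = probe(url)
        if status not in (401, 403, 404):
            findings.append(Finding("publicly-reachable", url, f"HTTP {status}"))
    return findings


def run_post_restore_checks(data_root: str, private_urls: Iterable[str],
                            probe: Callable[[str], int]) -> List[Finding]:
    """Combine the checks; an empty list means the restore can be signed off."""
    return check_world_readable(data_root) + check_not_public(private_urls, probe)


def build_sample_tree() -> str:
    """Constructed sample: one correctly restored file, one left world-readable."""
    root = tempfile.mkdtemp(prefix="applicant_docs_")
    os.chmod(root, 0o700)
    good = os.path.join(root, "licence_ok.jpg")
    bad = os.path.join(root, "passport_exposed.jpg")
    for path in (good, bad):
        with open(path, "wb") as fh:
            fh.write(b"\xff\xd8")  # constructed JPEG header stub, no real content
    os.chmod(good, 0o600)  # owner-only: what the restore should have produced
    os.chmod(bad, 0o644)   # world-readable: the kind of regression to catch
    return root


# Constructed responses standing in for a live HTTP probe (hypothetical host).
SAMPLE_RESPONSES = {
    "https://district.example/uploads/": 200,              # listing exposed: fail
    "https://district.example/uploads/passport.jpg": 403,  # denied: pass
    "https://district.example/admin/": 404,                # not found: pass
}


def sample_probe(url: str) -> int:
    return SAMPLE_RESPONSES.get(url, 200)


def demo() -> List[Finding]:
    root = build_sample_tree()
    return run_post_restore_checks(root, SAMPLE_RESPONSES.keys(), sample_probe)


if __name__ == "__main__":
    results = demo()
    for f in results:
        print(f"[FAIL] {f.check}: {f.target} ({f.detail})")
    print("restore sign-off:", "BLOCKED" if results else "OK")
```

In a real playbook the probe would wrap `urllib.request.urlopen` (catching `HTTPError` to read the status), and the expected-private URL list and data root would come from the asset inventory the playbook starts with. The point of the structure is that the check is written before the outage, so the person rebuilding the server at 2 a.m. runs it rather than remembers it.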
