Okay, perfect. Let's start. I was asked to do this presentation in English. I hope you're fine with that. First of all, good morning from my side. My name is Florian Jörgens. I will say some words about myself on the next slide. First of all, what can you expect within the next 60, 70 minutes? My goal is to create a really bad mood. Yes, and this will definitely work. So the expectation management is clear: the mood will be at the lowest possible point. This might be good for all upcoming speakers because it can only get better, but you will also receive a lot of benefits. You don't need to take pictures. I will send you all the slides. I will give you all the slides, so this is not necessary. Yeah. Just to give you a short introduction to myself: Florian Jörgens, I'm currently the Chief Information Security Officer for the Vorwerk group.
Vorwerk. We are famous for the best kitchen appliance in the world, the Thermomix, and our famous Kobold vacuum cleaners. And I'm working for Vorwerk since round about two and a half years now. So what are we going to do today? We are running a tabletop simulation. So you will take over the role of the CISO, the information security responsible, the IT security responsible, and your company has been hacked and you need to make decisions. So this will be a very interactive session. So I hope that you will all take part in that and we will have a, yeah, very interesting and active discussion. We will simulate this in four rounds, and in each round I will give you additional information about what happened, what is the current status, and after each round I will ask you, as the person responsible, what is your next step?
What is your next decision? There is no right and wrong. It's not about the best practice approach. It depends on the situation itself, but each round I will give some hints about what might be useful at this point of the current attack. So let's start with the introduction. First of all, it's Sunday evening. Of course it's Sunday evening. It always happens Sunday evening. It could not be Monday morning or Tuesday morning. So it's Sunday evening. Your colleagues from IT receive some calls, emails from your employees saying, my computer isn't working anymore, I cannot start it. There's something on the screens. Very, very strange. And then your IT colleagues decided, okay, we will declare a major incident. We'll put all incidents or tickets together, and then they will call you, the CISO, the person responsible for information security: Hey, there's something going on, please, we need you to have a look at what happened.
Typical ransomware attack. The attacker says they stole some customer data, and if you will not pay the 2 million US dollars in Bitcoin, then they will publish this customer data, and with every hour you wait longer, the price will be higher. The 2 million US dollars is just a fictive number. So if you are the victim of a ransomware attack, you will get an individual offer depending on the revenue of your company. So if you are a big company, it's not very unusual that they want 20 million US dollars. If you are a smaller company, we're talking about 500,000 up to 1 million. So you will get a very individual offer, perfect for your company depending on the revenue, and they will choose an amount of money that will hurt you, but on the other side that you can pay because you will get it back within the next two, three years, something like that.
We will start short and small with a short interactive question. What is your first step? Three possibilities. First of all, you can contact your forensic company to get some more insights. They can help you to see, okay, how did the attackers get into your network, for example. Or you create a Microsoft Teams channel and invite all the relevant stakeholders to get a better overview, to have a possibility to communicate. Or number three, you declare the emergency, the crisis case, by writing an email or by phone. So who wants to do number one, contact the forensic company? Please raise your hand. What size company are we? Your company?
Okay, number two, creating a Microsoft Teams channel, inviting relevant stakeholders. Okay, and number three. Okay, that from most of them. Perfect. Yeah, all of these things are possible, but normally it makes sense to declare the crisis and the emergency at a very early stage, because normally this is related and combined with additional resources, additional possibilities for what you can do next, and it will start a communication channel. So therefore, this is always a good idea: to start first with declaring the emergency. The crisis time is still running, so you need to make your decisions fast. From the beginning, we had 40 computers, 40 clients infected. Due to the fact that the employees on Monday morning are all starting their computers, we have now, oh, not we, you have now round about 130 computers infected, and employees are affected from different parts of the organization. So be prepared for a global problem, a global crisis. Maybe you'll receive an info mail from a CISO peer network saying, oh, some scanners found something within your network. But to be honest, at this early stage, you don't have the possibility and the knowledge to take care of that because you're still trying to figure out what happened.
Let's imagine that you also have some shops, some local shops, and some of them also started their computers on Monday morning, so they are also infected. Some of them are still offline due to a public holiday. But you can now imagine that you will have a customer impact very early because some of the shops cannot work any longer. So think also about that. So what needs to be done now? Like I said, there is no right or wrong. After that, I will give you some ideas of what you could do now, but it's related to the specific case and your specific company. So, ideas? It's an interactive session. Like I said, what are you going to do? You are the CISO, you are responsible. Yes.
So coming back to whose company it is, I'm just looking at some of the NIS 2 requirements on whether you're an essential or critical facility. So depending upon what type of company, and when you declare the emergency under EU law, that's now going to start timing requirements. So at some point in time, hopefully one of the first things the CISO did was call the general counsel, because there's obviously going to be legal.
Good idea. Yes. Other ideas? Yeah. Containment. Yes, containment. So the first one for the people who are online within the stream: containment of the infected computers. Yeah. Other ideas? Yeah, starting to document the incident. Maybe another one. Yeah,
Since it's infected customers, it might be a good idea, if it has not already been done.
So, infected customers. Yeah. Last one. Yeah.
Look at some other infrastructure providers, like in the stores you have card payment processors.
Very good point. Yeah. Thinking about PCI DSS. First of all, explaining the situation to the security management team, getting an overview, getting the right people, the relevant stakeholders all together, and validating actions, action items, and creating a plan. Containment and defense. Yes. Looking now at the news for the last weeks, months, years, this is the thing where most companies failed. They all try to, or they decide too late to disconnect the systems from the internet because they think, we can handle that, the business impact might be too high. And you can see every successful ransomware attack is based on this problem, that they decided this too late. Business impact discussion here, talk to the business. Definitely initial stakeholder information. Yeah, if you have some reporting requirements for NIS 2 or maybe data protection, because the attackers told you that they have customer data. I don't know if it's true; you don't know if it's true.
Talk to the workers' council, maybe to the employees, law enforcement and so on and so on. But we will get to this point later on. Core team, create an action plan, communication plan, and think about additional budget and resources. This will be extremely relevant in the upcoming rounds. There are some points which could also be relevant: potential data protection impact, analyze other incidents, or engage a forensic company. Let's move on and, yeah, imagine that we handled the situation like nearly every other company. You did not decide to disconnect the systems from the internet, but maybe you contacted your forensic company. Then you receive a security report, and in this security report, typically, there are some hints and some ideas what you could or what you should do next. And they will also tell you: disconnect the systems. We are not talking about shutting down systems, because in this case you will delete or destroy all the forensic evidence, but to disconnect the systems from the rest of the world, from the internet.
But if you are going to do that, please think about: maybe you need to work with a forensic company who is working remotely, or your IT provider, and they still need a connection to your company. So you cannot just remove all the cables and then you are fine. You still need to think about how you can work together with the external companies. Analyze: are new admin users created, are the existing ones compromised? It's not that the attackers just installed ransomware and then they're fine. They are still trying to figure out, okay, can we implement a backdoor? What kind of possibilities do we have to extract additional information, customer data? Or maybe we'll come back later, in some months. So you also need to check: are new admin users created, or are the existing ones compromised? Check ransomware lateral movement, to get an idea.
How are the systems infected? So what is the path of the ransomware, of the malware? What could happen next? Further malware; like I said, it's not that they install the ransomware and then they are done with that. Maybe they install additional malware. And check your backups for infections. If you want to take one lesson learned from this presentation, from this workshop, it's that one. Make sure that your backups are resistant against ransomware. This will, sorry for saying that, save your ass. Definitely. This is the most important lesson learned. There are a lot of different providers available on the market. Choose one, but please take care of this. There was a question. Yes, yes. Yeah. Otherwise,
You need to imagine how the backup is set up, obviously.
Yeah, we will talk about that. Thank you. So, backups: checking for infection. First of all, that your backups have not been encrypted and that you do not back up infected files. So make sure, if you have already thought about that and you have a solution, plan the setup of new network segments. You cannot restore your data within your old infrastructure because it's totally compromised. You need to build up your whole network infrastructure again as a new segment where you can later on restore your data and your information. More PCs are infected; the employees are still starting their computers. We are now talking about round about 300 PCs, and due to the fact that you probably did not decide to take the whole company offline, congratulations, your servers are now infected as well. SAP is not working any longer. The customer relationship management system is not working any longer.
We are now talking about thousands of employees, of users, who are affected at this point. What could now possibly be the worst thing which could additionally happen? What do you think at this point? Of course, it's going viral. It's going viral. The customers are now complaining their devices are not working any longer. They cannot buy your products in the store. And now there's pressure on this topic, definitely, but there's also pressure from the inside. For example, the sales department contacted you and said, okay, CISO, the CRM system is not working any longer, SAP is not working any longer, the shops cannot work, but I need to sell products. I just bought a house, I have a wife, two kids, I need to pay my bills. So what can I do? When can I work again with the system? Of course you could tell him, do you have a workaround?
Ah, this was part of the BCM project, business continuity management. And this was a project we skipped last year because it's too much work and nobody wants to take care of that, and it's not really part of the CISO environment. And due to the fact that it's going viral now, the newspaper is asking your head of communication: we found something on the internet saying your company has been hacked. Please provide some information about what happened, why did that happen, is our customer data impacted, and please do that within the next 60 minutes. Otherwise, we will write something by ourselves. This is also fine with them. So like I said, the mood is getting lower. That's fine. What are you going to do next? The list of tasks is getting longer, definitely, but what are your initial steps now? Just raise your hands. Like I said, there's no right or wrong. It's about an interactive sharing of ideas. Yes.
Try to increase employee morale and not regret all the decisions that have led to this point.
Okay. Increasing. Yes.
It's partially a joke and partially not, because if you don't do that, then you're going to start making bad, worse decisions.
Increasing the morale of the employees. Yeah. If you have a possibility to communicate with them. Because imagine Microsoft Teams is not working any longer, Outlook and the intranet. So how are you going to reach your employees? Interesting question. Yes.
Contact your marketing people, to make sure that you have uniform...
Marketing people involved. Yes. Anything else? Any ideas? Yes, you should now contain. Okay, at least at that point. Yes. Yeah,
Maybe talk to your...
Oh, talk to your insurance if you have one. There are pros and cons. Yeah. Maybe they have a forensic company which can help you. Yeah. Last one.
I would consider something like isolating the network, but...
To isolate the attack vector. Yeah. So first of all, advise the shops to take the systems offline, definitely at this point, to contain the possible infections. Are there alternative work scenarios? Maybe they can still sell their products and write it down with pen and paper, and after that you get an army of students within the company who will just type it into the SAP system. Possible scenario. Isolate all infected systems, separate the relevant network segments, request a proposal for emergency operations from IT services and from business. I will talk about what that means on the next two slides. Like I said, make sure that no admin users have been created. Ask the group IT service project to check the availability of the unencrypted backups. Lessons learned for this one here. But then you also need to prepare a clean network segment where you can restore your data. Evaluate contact with the hackers.
Yes, this is a possibility, but the important thing here is: don't do it by yourself. Please don't do it by yourself. There are some specialized companies available on the market who are experts in, yeah, talking, discussing with criminal subjects. Definitely. So please don't do it by yourself. You can talk with them. Absolutely. I have seen some real screenshots of a ransomware attack where they have given a Christmas discount of 10%. So, to be honest, on the other side there are people at the end and they are working. Yes, of course it's a criminal business, but they are working, they want to create revenue and you can talk with them. It's business in the end.
One of the... what experience have you had with authorities,
in terms of the different...
I will talk about that. Yeah. Thank you. Evaluate necessary steps for potential Bitcoin payments. I will also talk about that in detail later on. Communication strategy, watch social media, and how to reach your employees. This is a very interesting topic. So just answer the question for yourself: how can you reach your employees when Microsoft Teams, the internet and Outlook are not working any longer? I am questioning this every time and there are different kinds of answers. There was one guy who said, we will send them an SMS. Oh, every employee has a company device? Wow. I've never seen a company where this happened. Ah, okay. Then another one said, we have an app developed where we can send out messages to all of our employees. Now, does everyone have a company device?
No. No. They need to install that on their private device. Oh, the workers' council is going to love that. They are going to love that, that the employees need to install a company app on their private devices. They will love that. Definitely. So you need to think about that. I had one situation from a CISO within my network who told me that their IT partner printed out posters and they just put the posters within their company building to make sure that when their employees come to the building, they will directly go to the field support and not start their computers.
The next question would be, how should you talk to... your company?
Yeah, communication. I...
Five people, and they're asking me to talk about my... yes, how should I trust you? I mean, Chinese, I have no idea... that they know each other, because I've never talked to them. That might be, yeah, we have to talk to some tech guys.
Yeah. This is a part of the external communication. Okay. You received feedback from your IT department: the servers have been shut down, employees were sent home, and all other systems were also shut down or disconnected from the internet. On the other side, the infection party is still going on on the clients, because your employees who could not be reached are still starting their computers. But congratulations, your backups are safe. They are not encrypted. So you can use them to restore all your data. We just talked about, or I just mentioned the point about additional resources, additional budget for the IT colleagues. Let's just do the math. Okay. The IT colleagues told you: installation of PCs and laptops, eight hours per device. The shop systems have less software; we're talking about five hours. Servers, two days per system. SAP, three days per system. And now do the math within your head.
So how long will it take to restore all these systems? Your IT colleagues will be working overnight. They will work for 10, 12, 14 hours. This is a realistic scenario. They need to do that. But if they do, then you need to make sure of different things, and additional questions will now appear. Where will they sleep? Who has some beds where they can sleep? Who has the credit card to pay for the food when they still sleep in the office and restore all the systems? I just talked to a friend of mine who was a CISO who went through a ransomware attack. It's a company with round about 1 billion revenue and 5,000 employees. And he told me that their responsible top management took two cars and drove around North Rhine-Westphalia and bought all the notebooks they could get from MediaMarkt and Saturn, because they did not have any other devices where they could restore their data, and this is a realistic scenario.
So there are additional things you need to take care of. Yeah. Due to the fact that it went viral, it's now in the newspaper, of course. And at least at this point you need to involve law enforcement. I personally think you should do this as early as possible. We are working very closely together with the, yeah, State Office of Criminal Investigation, the Landeskriminalamt, and especially with the colleagues from the central cybercrime unit. We work so closely that we invited some of the colleagues to our awareness session to share some insights on how we are doing this as a company. But you only have advantages if you do that as early as possible, because first of all, they need to, yeah, take care of the confidentiality. So they will not tell other companies or the news that you have been hacked, of course not.
The second thing is they probably already know this attack surface, this attack vector, because you are not the first company who has been hacked. So they can give you additional information. What is going to happen next? What is the goal of the attackers? Are they from Russia? Are they from China? And whatever and whatever. And they can also give you some additional information, maybe if Europol had found your customer data on the dark net or something like that. So involve them as early as possible. This is, yeah, you always have a benefit from that. It is now in the newspaper. Of course then your supervisory board has also taken notice that there's something going on within their own company. And yes, they're asking you, okay, what happened? Why? How could that happen? We are paying so much money every year, investing in security, in IT security. I thought we had a hundred percent security. And yeah, they want answers from you. So what are you going to do now? Ideas? You are the CISO, not me. Not in this case. Oh, quit. Quit. Okay. You should have done that earlier. Yes.
So one of the things we talked about earlier was engaging external experts. Part of that would, I think, they could help perhaps with the messaging to show that this is not unique, even though we've been hit this much. So showing what is going on, getting that information from your peers that have gone through their stuff. Yeah. To show the board that it's happened to other companies. Other companies have succeeded, that this is just part of us being successful. So that I think would be important.
Yeah. Yes. But I think,
Yeah.
Oh, this is part of the business continuity management. Yeah.
Yeah. I can do... Someone has to steer, and at the moment you have a plan, I... otherwise,
Yeah, of course. That's to say
That's: do this, do that. Having a good... work, have focus.
But you need to make sure that you have that before. Yes. Because if you ask the business now, what are your critical systems? Everything. Everything. We need to work. We need to work now. And then this is a funny situation we had at the Vorwerk group. We had last year an indicator of compromise that our web shop could have been infected, and therefore we decided to, yeah, disconnect it from the internet on Friday evening. And the business was not very happy about that. And they told us, oh, we need that system on Saturday, there is an event and so on and so on. And then we contacted the relevant IT provider who told us, there is no weekend support within the SLA, but nobody was aware of that. Maybe the business was back in that day when they signed the contract and decided, oh, it's too expensive to have weekend support, and we don't care if the system is not available on the weekend.
That you're still lucky, I would expect.
Yeah. Yeah. Of course.
On Sunday morning at six, where you're still...
Hmm. Yeah. So you need to make sure from a security perspective that you have some kind of manager-on-duty, 24/7 concept. What needs to be done now: business impact analysis versus Bitcoin payments. I am getting this question every time. What should I do? Should I pay or should I not pay? There are pros and cons for both decisions. There's one pro, or one argument, for paying a ransom: if you don't have any other idea what you could do now, if your backups have been encrypted, your whole infrastructure has been encrypted, and yeah, closing the whole company is the only alternative, then you should pay. But on the other side, there are more points why you should not pay. First of all, you are talking to criminals and I don't know how trustworthy they are. So will you receive your decryption key?
Will they delete the customer data? Now you might say, okay, Florian, but that's their business model. And if they don't, if they will not give your data back and delete the customer data, then their business model is gone. Okay? Then they will be back the next day with another name we don't know. So this is the first thing. Second thing is you will be on a list. You will be on a list of the companies who are willing to pay. And the criminals are very well connected. They are talking to each other, not like the security persons within the companies who, yeah, sometimes don't want to share their knowledge, which is, just from my perspective, a bad thing. And the third thing: you also need to restore your whole environment. You need to build up everything new because it's compromised, it's infected. It's not that you will receive a password and type it in and then, okay, let's go back to work.
We're fine, we just paid. No, no, you need to build up everything new from scratch. So therefore it is a good idea from my perspective not to pay, but if you want to or if you decided to pay, there are questions which need to be answered. First of all, who has access to Bitcoins? Who's the owner of the wallet? Who has the accounts on different platforms? You cannot transfer 20 million US dollars on a Binance account. What about tax? Anyone thought about tax when we send Bitcoins? I don't know, but you need to think about that.
Question, please. There's one thing missing: are you allowed to
pay? Of course. Yes. Depending on the country you are working in. Yes.
Depending on the actor I'm dealing with, because... consider
Terrorist organization. Yes, yes. Financing terrorists. Yeah.
Brings you on the...
Guidance. Yeah, absolutely. So you need to think about that before. Yeah. Back up, we talked about the production discussion. Currently you are not selling your products, so why are you going to produce them? Maybe it makes sense to talk to production and tell them, okay, send your employees home, currently we don't need to. Yep.
Could you talk a little bit about whether it's ever appropriate to go offensive?
If you have the possibilities? I don't know any company who has the possibilities to do that, to be honest. Yeah. And the problem is you don't really know who the attacker is. You know a system. But if you are trying to attack this specific system, maybe you now have another problem because you're attacking and... Yes. Yeah,
I see most frequently the common counter-offense would be: ransomware software is controlled by a command and control server, and frequently they're set up rather naively, with domain names that you could take action against. Yeah. So at the very least, that may be an alternative to taking your network offline, if that becomes
too different. Yeah, if possible, take down their command and control service. Yeah. If you want to, you can contact the hacker group and ask for an example of the stolen customer data. Maybe it's not true, maybe it's true, I don't know. But like I said, don't do it by yourself. There are companies available on the market who are experts in that. And yeah, how to reach employees, we already talked about that. Round four, and therefore the last round: if you receive an example of the leaked data, the business has to check, are these real credit card information or are they fake? Maybe they had been stolen two, three years ago, I don't know. But you need to check that. Let's assume that no admin users have been created. The workers' council is of course asking you: you send all your employees home, but will they receive their monthly salary?
No, please. We need to document that to make sure that they still get their money. And of course the sales department is still asking when they can work again. So yeah, like I said, you need to make sure that the business is now checking the data, if these are true customer data; data protection needs to report that. If you decided to restore the systems, you must think about a plan: which system can be restored first. Maybe there are some dependencies. Maybe you have a system which needs to be online before another one can be restored and started again. You need to talk about that topic with your IT, of course. Scan your network, ask IT to prepare a comprehensive recovery project. And of course progress communication to the stakeholders. We at the Vorwerk group had done this simulation, and if you take a normal size company, the conclusion after nine days: four weeks round about, it took you, or it will take you, four to six weeks to recover.
Social media went calm, there are still data gaps due to the fact that you wrote down information maybe by using pen and paper. And the servers were up and running again. But after nine days; we had done this in nine rounds, live for four hours. And I can promise you, after four hours we were so exhausted, definitely. It was done together with an external company and they had a clock, and after every 20 minutes they said, okay, round is over. What are your next steps? What are you going to do now? It was high pressure, high stress, but this is a real situation. This is a real simulation, as you can see here. These are the exact slides I used for this presentation. Now, we had a lot of participants, especially from the top management: CEO, COO, CFO, CIO, IT, security, data protection, head of communication, all involved.
And after we had done it, we received two major benefits. First of all, especially due to the fact that there were so many participants from different kinds of departments. A ransomware attack or crisis is a situation where nearly everyone is involved and has to do something. It's not that, okay, ransomware attack, and IT security is taking over and tells us when we can work again. Everyone has to do something: communication needs to talk to the newspaper, data protection needs to contact the authority, finance needs to maybe think about potential Bitcoin payments, the COO has to make a decision about the production. Everyone is involved and they all need to work together. And the second benefit is, I'm always asked, okay, Florian, how do you get budget? Budget for employees, resources for systems? And we decided, when we're in communication with the top management, we are using a fictional KPI.
So it's not the real KPI, it's just for our communication strategy. And our benefit is based on this KPI, the return on damages not incurred, to make sure that we are a preventive department. We make sure that specific damages will not be incurred. And this is our benefit to the company. And this helped us a lot. I have, or I went through a similar situation working for my last company, a chemical company, Lanxess, based in Cologne. We had some indicators of compromise of a Trojan within our systems. And due to the fact that we could not make sure that the malware was only in the software, not within the hardware, we decided we will change all the hardware in our network. So our IT colleagues, it took round about six to eight months, traveled around the whole globe and changed all our server racks and the whole network infrastructure, because we could not make sure that the malware was not within the hardware.
I know this is a lot of information and a lot of questions. And to make it easier for you, I just created a short handout. If you want that, just send me a short LinkedIn message: click on the three dots, connect, and then please send me a message that you want the handout, not only the invitation. On these seven pages, you will only find questions. There's not a single answer within this document. Only questions: how are you going to reach your employees? How can you pay Bitcoins? What does disconnect mean? Am I going to pull out a cable while standing next to the router, the FRITZ!Box? And who is going to do that? Who is allowed to do that? What does that mean? Where are the IT employees, the IT staff, sleeping while they are restoring the systems? Who is contacting the hackers, who is talking to the external providers? And so on and so on. You are responsible for finding answers to all these questions. We still have some time left, so I will pick out some questions from this handout and ask you them, so that we continue with the interactive part. And I'm looking forward to, yeah, you sharing your ideas, sharing your insights, how you did something within your company. So therefore, first of all, thank you very much, and then we will continue with some questions from the handout.
Okay.
So, ah, I need to share that. Oh, perfect. It's working.
Okay, let's start with the communication part. Internal communication. How is communication done with the crisis emergency team? So how do you solve that within your company? Let's think about Microsoft Teams. It's not working any longer. Outlook and internet are not working any longer. Maybe someone is now saying, yeah, okay, but the probability that Microsoft Teams is not working is very low. Yes, but it's compromised. It's totally compromised. The attackers can have a look within your communication, so you cannot use it. Yeah, of course it's still available, but you should not use that because it is an insecure channel. So how are you working within your crisis team if your infrastructure is not available or compromised?
Emergency contact list.
Emergency contact list. Okay. And then by phone
Basically. Yeah.
Okay. You have that printed out, right? Because on the SharePoint it's
Absolutely
Perfect. Okay. Other ideas? Yeah. Well,
As far as with phone, I think that's where you go with the hierarchy. Hopefully a supervisor is in contact with his employees. So I would kind of look at it as like a hierarchical tree. Start down and tell supervisors, you know, have you been in contact with these people? It's almost like a fire drill when you leave the thing. I want every supervisor to report to me. Have you been able to contact how many people Yeah. Are responsible? How many were you able to contact via phone? Which you know, everyone should have.
Yeah, everyone should have a company phone. No, no personal phone. I mean, I would just, yeah, but how do you get the personal numbers?
So I think this goes back to the point of a supervisor interacting. You go to softball league sports, social events, I would say in most companies, you know. And then the flip side is on Monday morning for those people to physically come into work, that's probably your best
Bet. I would say in Germany it's not very common that your company has the personal or the private phone number of your employees because the workers' council will not like that. But yet it's a possibility. Of course. Yeah.
Speaker 10 00:45:30 And for the next time you're doing this, I would think about contact list and add some secrets.
Okay. Medium person. But how will you make that sure? Because you first need to contact them anyway.
Speaker 10 00:45:45 I mean if I contact someone,
Yeah. Meeting this, this was one of our lessons learned. We had, sorry, one thing we licensed, we call it a third party communication tool. There are different kinds of tools available on the market. FACT24. AlertMedia. So we have a tool with only 100 licenses and when we press a button within our app, we will create a telephone conference and invite all the necessary relevant stakeholders from the crisis team. Another very cheap solution that a CISO, a friend of mine, taught me: they created a Signal channel. They just installed Signal and created their own Google mail addresses. Which is a valid scenario. Yeah. And that's the cheapest one. Just create a Signal channel, invite your crisis management team. And in case of use this scenario, of course
Speaker 10 00:46:44 The idea, just using a shared secret still, that if you could just share your numbers and put random numbers on it and then you could print it out on paper.
Yeah. And then
Speaker 10 00:46:58 Everyone calling everyone and saying, please read the number there. Or whatever you can imagine on we,
Yeah, there was a hand. Yeah.
Speaker 10 00:47:09 Mentioned Signal group.
Signal group. Yeah. Or in case of use, WhatsApp. I know. Data protection, so on, so on. But we are talking about a crisis and emergency. Yeah.
So what about actually the workers' councils, shouldn't they work with them? Wouldn't they have the employee data, the workers'
Speaker 10 00:47:32 Council?
Yeah, they should be involved. Of course. Yeah.
Speaker 10 00:47:36 Just want to say for the sign group you also against having financial requirements.
Yeah. That
Speaker 10 00:47:48 Case you need some
Different things you need to think about before that happened. Okay. External communication. How do you communicate with your service provider? How are authorities informed? How do you want to communicate with hackers? How would the press be informed? This is an interesting topic. Has someone ever talked with your communication manager, head of communication, and do they have some kind of prepared templates, something they can give out to give you some additional time? Something like nonsense? We are securing our company based on best practice approaches and currently we don't have any information about that. Our customer data has been stolen, which means that your monitoring systems are so bad that you did not get any information, but you did not say anything, which is not true.
Speaker 10 00:48:56 We have such a policy for marketing.
Okay. It's
Speaker 10 00:49:00 20 pages long.
Wow.
Speaker 10 00:49:04 Maybe in case of an emergency is difficult, but we have this pre text things that's
Yeah. And it's also important if the press or the employees or the supplier needs to be informed, don't let the IT guys do that. Please. I'm an IT guy myself, I don't want to do that. I just send all the relevant information to marketing and communication and they will write something. They will create a fancy statement. Otherwise we will give out too much information. Yeah. Communication template. The communication checklist: who, when, how, with what are the stakeholders informed. And maybe you will then realize, okay, in IT we have 24/7 security. Maybe we have 24/7, we need 24/7 in marketing and communication, in HR, workers' council, like I said, it's Saturday evening and we cannot wait until it's Monday. So we need to make sure that the people are available. Service partners, overview of service partners globally, who has a list, an overview of all your service partners, or think you have most of them.
And the ones the business had contracts with, applications on a cloud platform you've never heard about, typical shadow IT. Yeah. That's also a problem. Which additional external parties are required? Forensic service provider. This is also very useful, to get in contact with forensic partners before something happened. Because especially when you have an attack or something like Log4j, which infected or affected nearly all companies, the number of forensic service providers is limited. So it makes sense to have someone in mind. Maybe your cyber insurance company will have someone who can, yeah, give you access to.
Speaker 11 00:51:16 One of the things that we used to advise on when you're doing supply chain risk is just to talk to your accountants and do a budget analysis of where you spend your most money on third party services. And that usually indicates a heavy dependency based on the proportion of the amount of money spent. So the accounting department can also help to provide some basic information
What I just accumulated also relates to business continuity management. What are your relevant providers? What are the business critical processes? And therefore what are the business critical systems which are supporting these processes? SMS gateway. Yeah. Maybe this is a possibility to reach your employees if they have company devices or they give you their private phone number. Network segmentation, backup and recovery. We also talked about that. Like I said, make sure that your backups are protected against ransomware. Not only that the backups cannot be encrypted, but also that you will not back up infected, yeah, documents. Restart plan and recovery. This is also very interesting, especially when you talk about the priority of the systems. So sometimes, well, not sometimes, very often, if you ask the business, what is your critical system? What are the critical processes? They will tell you everything. We are the most important department within the whole company and all of our systems are business critical.
Okay. Okay. Okay. Then you will tell them, okay, these are the requirements which need to be fulfilled because the classification is, I don't know, confidential or secret and availability and integrity are very high. And they say, ah, okay. We are not that business critical. We are not that business critical. We are more public classified, maybe internal and yeah. But there needs to be a list together with the colleagues from IT, how they are going to restore the system. What is the priority, what is the right order? Which systems need to be online before you are going to start other systems. Yes.
That can also backfire. I've been in the companies where you say we're not a critical system. And then you look at the data and
Then, yeah. Yeah. Especially when you tell them the price, okay, you need MFA, you need encryption, this and that. And then it's getting more expensive. And then they decide, okay, we are not that critical. We don't have that money. Yeah, of course you need to talk with them. You need to create the awareness for this topic and you need to make sure that they, yeah, have a realistic classification. Yes.
So where in the recovery plan would you cover the aspect where you said for sales, you started taking stuff by hand, or one of the things you talked about was manually processing as part of the recovery. So when you start doing manual stuff, there's not GDPR, PSD2. So when you collect a lot of that data, that potentially opens up another can of worms
Of course.
How in the recovery process do you account for closing those loops and perhaps doing triage? Where does that fit in? In the recovery program?
As early as possible. Because we are talking about workarounds, and this is also part of business continuity management. So we are here talking more about the technical recovery process. Yeah. Crisis documents. Oh, this is a lovely one. Who has a crisis plan, emergency crisis plan? Okay, print it out. Yeah. Oh, I like that question. Because a lot of them have, or some of them have, crisis documents stored on the SharePoint and then, oh, they are encrypted. I have printed out a version 0.3 and the newest one is, I don't know, four point something. And most of the people who are in the contact list have already left the company. Yeah. Crisis documents. Have you ever tested it? Okay, perfect. Very good. I was once at a conference and there was a presentation about crisis plans, emergency plans, and the CISO told, okay, we created a very good crisis plan together with external consultants.
Created a really good plan, it was six steps to come back on track. And then we tested it and in the first test, we came to step one and then the whole thing broke together. And then it took them two months, they changed some things, they implemented the thing and then they tested it again. And then they came to step 2 and yeah. But this is a realistic scenario. It will also fail at the point when you cannot reach the people from the crisis management team on Saturday evening because they're on holiday, they don't have access to their computer. Something like that. Then you realize, okay, we need to make sure 24/7 availability. And then you, okay, next time maybe you have the possibility to create a conference call and invite all the relevant people from the crisis management team.
The next step would be, okay, let's contact our provider. Okay, number is not available. Hmm. We now have a problem. And then you will move forward and forward and you need to test it, test it, test it. Processes. Who can declare a crisis? Is it the CO? Is it the CIO? Is it the top management? And when someone is not available, who then can declare a crisis? And what are the points that we are talking about a crisis and not a problem, not a major incident? You need to document that within the crisis plan. Yeah. Business continuity management, emergency shutdown plan, defining what shutdown means: unplug server rack, shutting down the system, cutting the energy connection. I don't know. What about Microsoft 365, how is the service provider integrated? If you decide to disconnect or shut down systems, maybe your IT colleagues will not have the possibility to do that because it's all in the responsibility of the external service provider. So even if they want to, they cannot technically do that. They need to call the support of the external service provider and tell them, okay, we need to disconnect the system. Yeah, okay. It will take eight hours maybe. I don't know. You need to check that.
Okay. Yeah. Like I said, the mood is at the lowest point. I'm very happy. So do you have any additional questions? Anything you want to share with this audience? Your insights, your ideas? Yes.
Speaker 12 00:58:50 You should also take care of the people involved in ing. All our exercise was very stressful. You could just imagine how stressful that is for all the guys ing the business, which take care of all the people involved and especially after that. Yeah.
This
Speaker 10 00:59:24 Business,
This
Speaker 10 00:59:26 A second to this and I think communication is part of the key because usually I really concentrate on, on the service. I don't think about the consequences and make sure that the people who are really actively having hands on, on services don't get calls. That doesn't help if someone is calling up for 15 minutes saying, are you done yet? Are you done yet? Are you done?
There are whatever,
Speaker 10 00:59:50 I mean, make a communication structure and that people who have to work, have resources and and do them, do the thing. Don't put more pressure on them.
There are, if they're
Speaker 10 01:00:04 Like me, I'm, they, they take responsibility already. It doesn't make sense to push them even more.
There are some, sorry. There are two additional things, especially focusing on the people. One of the lessons learned from our tabletop exercise was that we have now a written approval from the top management that we, information security, reporting to the governance, and the colleagues from IT are now allowed to disconnect any system from the internet without asking the top management. It's based on professional judgment. Because the top management realized, okay, we need to have more time, or time is the important part. So they should not ask us. These are the experts. And if they decided, okay, we are disconnecting this system, then they need to do that. And the other thing, the friend of mine, the CISO, who went through a ransomware attack, which cost the whole company, including the loss of production, like I said, as a company, 5,000 employees, 1 billion revenue, cost them round about 15 to 30 million euros, all inclusive, the whole ransomware party.
And he told me one thing, which I found extremely important. The employee who had local admin rights combined with some other rights, who clicked on the link within the phishing mail, which led to the whole ransomware attack, does not know that he was the one who clicked. They didn't tell him. They know who it was, but they did not tell him. And I really like that idea because on the one side, there is no benefit. So why should you tell him. But on the other side, I think the pressure is so high for a single employee, what is he going to do with that? That he or his decision, his failure, cost his employer 15 to 30 million euros, what's the case? So they did not tell him. They know, but I really, really like that they did not tell him that he was, yeah, patient zero. No, no, no, no, no,
No, no, no, no, no. It's a combination of different things. Local admin rights, local admin rights, I think, is a pain point within every company. We have developers who say they can only work with their own programs and their own systems. They have admin rights or there are people who have had admin rights for years, they did not need them, but they always had them and they don't want to give them back. And so it's a combination of different things. And you cannot judge just one single employee for his action. Yes.
Speaker 13 01:03:05 What is the update policy? I mean, people go, service providers are terminated, new contracts are there, how often do you update that?
Which policy?
Speaker 13 01:03:16 Well, all the, the crisis documents. How often do you update
Them? Yearly, like all of our documents. Yeah. Yearly. Together with our policies, we have some kind of circle to control and update them. We do that on a yearly basis. Yeah.
Okay. How often do you practice this again, because you, you practiced it one time.
Nice. Yeah, we just tested this last year, but to be totally honest, we are still working on the lessons learned. So for us, it does not make sense to the whole tabletop simulation. But we will simulate an emergency call this year, I think next month. Next month definitely. And we will just try to get the relevant stakeholders from the crisis management team together in one conference call. And I'm pretty sure this is not gonna work, to be honest. Yes.
Speaker 14 01:04:12 You spoke earlier about ransomware resistant backups. What does that look like? What, how are they ransomware
Resistant? So the solution must make sure two things. First of all, that your backups cannot be encrypted and that you do not back up infected files. There are different providers available on the market: Commvault, Rubrik, Dell. Just have a look. Choose whichever you prefer. I don't want to do some kind of marketing. So there are different kinds of companies available on the market. The important message is that you think about that, that you are aware that there are solutions available and that you need to check your, yeah, backups.
Speaker 14 01:05:00 Thank you.
In the procedure for defining what shutdown means, is there a step to define what network actually means? Because a lot of the more sophisticated attacks might have scenarios where they got in via a Bluetooth module or something like that. And it may not be just as simple as disconnecting from the internet. You may have to air gap your systems. You may have to go beyond that and really shut it off from the outside
World. Yeah, of course. But unfortunately I have to say, you need to define that for yourself. It's the same when we talk about, okay, which application needs to be restored first? And then we find out, okay, what is middleware? Is the middleware an application? Yeah. Not in a classical way, but then IT colleagues say, okay, but first we need to start the middleware, which we are not on screen, for example. Yeah. Yep.
Speaker 10 01:05:55 One question, you told that we can use Signal chat for internal communication, but my question, we need to create a new channel or we can use business chat? Because for example, we can have one infected, installed Signal and ransomware. Is it safe, or how can we create new chats without the,
Like, this was just an idea to do that. There are tools available on the market, FACT24, AlertMedia, where you have a standalone solution. The Signal solution is just something a friend of mine told me they used, but this is something you have to decide for your own company. I'm just sharing ideas. Like I said, there's no right or wrong. There are, I wouldn't even call them best practices. There are ideas how you can manage this situation. There are possible answers to these questions, but there's no right or wrong.
Speaker 10 01:07:06 Maybe at this point you have to crisis, bring all the people together, check first if that your emergency is still
Safe. Yes, of course. Could be one of the, yeah.
Speaker 10 01:07:23 Checks that from the,
Like I said, the probability that Microsoft Teams is not available is very low, but the probability that it might have been compromised, yeah. This is a valid scenario.
Speaker 11 01:07:41 So the cyber insurance is a real difficult thing right now. There's not a lot of insurance companies that are willing to write cyber insurance policies that are broad enough for a lot of the attacks because they're not, they're worried about defined duties. Have there been any discussions of this kind of document that you've prepared with insurance companies? Because one could imagine insurance companies saying, Hey, you do this kind of thing and we'll give you, write your insurance, we can give you lower premiums, right. To start to use that as a way to convene around best practices for this kind of thing. Yeah. Is there any discussion you're aware of with
Insurers to use the insurance? No, because we don't have a cyber insurance and I don't want one. Yeah, I don't like the whole concept because from my perspective, I think the money you give to a cyber insurance company might be better spent to buy some, I don't know, new technology, or invested within the awareness of your employees. So the cyber insurance is good for the last, I don't know, 5%, but most of the companies do not reach the 95%. And I could say it also for us, we are not at that point that I would say, okay, we still have 5%, let's get a cyber insurance. So therefore when I have the budget, I would always invest it in the people. Because still, depending on the studies, 70 to 90% of all cyber related attacks are still focusing on the human factor. So you have the biggest leverage to increase the overall security level, or implement it in maybe an audit or maybe in a tabletop exercise, something like that. Or new technologies. There are so many possibilities where you can invest your budget compared to a cyber insurance company. But this is just my personal opinion. Just to follow
Speaker 11 01:09:45 Up on that, have you had heard anybody being contacted by banks where the lending criteria requires certain cybersecurity coverage because they're worried about their exposure if the business goes down and they don't get paid back on their loan?
No.
Speaker 11 01:09:59 Yeah, we
Did. Okay. Yeah,
Speaker 11 01:10:01 Exactly that. Yeah, because those are the two lever points from external parties where it's an actual cost thing for the budget where it's insurance or lending challenges where they, we had a discussion one time with the airlines years ago where you know, you point, you say, say to a banker, you point up to an airplane in the sky and say, that's a security for your loan. Would you be unhappy if that thing fell out of the sky? 'cause the airlines were not really interested in making the airplanes more cybersecurity. They didn't have the money. The fuel was so expensive, da, da, da. So you get the leverage point from the banks to say, you know, you want to borrow money from us, we need to make sure that the thing stays up in the sky.
Back in the days, I think it was three, four years ago, there was a company in Switzerland, I think it was called Mondelez, which is related to Milka, the chocolate company. And they have been hacked. And after that they asked their cyber insurance, okay, can we get some money, some additional help. And the cyber insurance told them, due to the fact that this attack came from Russia, we are now in some kind of war scenario, which is not part of the cyber insurance. So if you have an insurance, make sure what is covered. Or for example, the CEO fraud, mostly CEO fraud is not covered within your cyber insurance because it's not related to IT systems. When someone is taking the phone and calling your financial department saying, please transfer, I don't know, 10,000 euros to a bank account
About the, the, the war scenario. I think they went to court and then the judge said that it was not an act of war.
Okay. I don't know. Okay. But the insurance companies always find a way not to pay. It's their business. So who's judging them. Alright. Okay. Thank you. Yeah. One last question. Yeah.
Speaker 15 01:12:07 So I think one of the key roles with the CISO, even in like severe incident crisis, perfect order to chaos is what is the heritage information? One, the direct do so is to be organized yourself Oro. So just asking someone who has been there, apparently someone who for yourself organized bomb.
Mm. The answer is simple: practicing, practicing, practicing. When we organized this real tabletop simulation, I was asked by the external company on which side I want to be, if I want to be some kind of the moderator and lead through the tabletop simulation, and I told them, no, of course not. I want to sit on the other side because in the real scenario I cannot be the puppet master in the background. So therefore you need to practice this: practice, practice, practice.
One final question, is there any organizations or certifications that you would encourage CISOs to participate in to, to share this knowledge? Is there any organizations or trade associations that you would recommend
Organizations in which, in which case associations
Or professional certification bodies where other CISOs work
Together? Yeah, there are a lot of different conferences available. I'm a huge fan of networking, so this is one of the reasons why I'm speaking very often at conferences and security conferences and I'm trying to build up a network because, like I said, the criminals are very well connected and they talk to each other. What company did you attack? Was it successful? And so on and so on. And we, from a security perspective, as persons responsible for information security, need to do the same. So participate in conferences, share the LinkedIn details, talk to your colleagues, maybe build your own network. There are different kinds of conferences available. Yeah, try to build your own network, stay in contact, but also share your own knowledge. Maybe if you create a template or an Excel file or PowerPoint presentation, small things, or talk about a good process, maybe you have implemented a good incident process simulation.
You had done, share this knowledge with other CISOs and other information security people because we are all sitting in the same boat. We are all working on the right side, on the good side. And information security has only one goal and one goal only. And this is to support the business strategy. So what we want to achieve is that our colleagues from business can do their work. This is our only goal and if we share all our knowledge, I think we can all, yeah, improve our overall security level.
Speaker 16 01:15:24 And may I skip, how can we get these?
Just send me a LinkedIn message. Yeah, just send me a LinkedIn message. Just send a request, three dots, connect, and then please send me a message that you want this. Just don't only send the request, otherwise I have no overview, and then I will send it to you. Alright. We still have 10 minutes left for coffee. I will be available the whole day and of course tomorrow. Tomorrow there will be two slots, a panel discussion and I will do the presentation in a shorter form again tomorrow. But if you are here today, you're not going to miss anything. So tomorrow we will just skip the whole discussion part within the handout. So yeah, if you have any questions, like I said, I will be here today and tomorrow. So have a great conference. Thank you very much.