Logistics / Transportation / Shipping Firm decides to wait for remediation
Industry: Transportation
Location: Toronto, Ontario, Canada
Size: 700 employees
Reason: Client needed to provide due diligence to Insurer prior to getting a Cyber Security policy
Effort: 2 week assessment - No Ongoing work
The Story:
The VP of Operations engaged us to review the maturity of their cyber security controls against best practices, and to provide a gap analysis and a roadmap to remediation.
The Company had attempted to acquire Cyber Security Insurance, and the Insurer wanted confidence that basic controls were in place to protect against a typical cyber attack.
Conducting the Assessment:
Similar to other companies we've assessed, this one had a single physical location, with its data center on site. Primarily office and IT staff had computers, with the odd "communal workstation" scattered throughout the facility. The entire review and assessment phase was completed inside of two weeks.
Maturity Assessment:
We conducted an ISO 27002 maturity assessment to identify which security controls, infrastructure, and practices were in place, who was managing them, and where the gaps were; this is worthwhile even for a business of this size.
The VP of Operations had copied the NIST Information Security Policy Framework, branded it, and modified it slightly. Very few of the documented controls were actually in place. They *did* have ad hoc controls in many places, but should have either modified the document to match the practice, or modified the practice to match the document.
Nobody but the VP of Operations and the IT manager had access to the documentation.
Change control was managed via email, and amounted to a notification of impending change: there was no approval process, and none was required.
Most of the servers were up-to-date Linux servers, set to auto-install the latest patches. Many workstations were also Linux based and up to date. The problem was that the IT team could not tell me this, because they were not "managing" the devices: there was no unified directory service such as Active Directory in place, and they did not run vulnerability scans.
Asset lists were assembled from procurement records and verified occasionally against network switch and firewall logs.
Only some logs were collected, and none were reviewed.
Backups consisted of nightly tar scripts, and were infrequently validated.
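What "validating a backup" should actually mean, as an added example that is not the company's script nor code from the original post: a nightly tar job that also writes a checksum and a file manifest, and a restore test that unpacks the archive into a scratch directory and compares what came out against what was recorded at backup time. It assumes a POSIX shell with GNU coreutils (`sha256sum`), `tar`, `find` and `mktemp`; the directory layout and sample files in the demo are constructed.

```shell
#!/bin/sh
# Added example (not the company's script): nightly tar backup with a real restore test.
# Assumes sha256sum (GNU coreutils), tar, find, mktemp.
set -eu

# manifest DIR : one "hash  ./path" line per file, sorted so two trees can be compared
manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort)
}

# make_backup SRC_DIR ARCHIVE : gzip tar of SRC_DIR plus checksum and manifest sidecars
make_backup() {
    src="$1"; archive="$2"
    tar -C "$src" -czf "$archive" .
    sha256sum "$archive" | cut -d' ' -f1 > "$archive.sha256"
    manifest "$src" > "$archive.manifest"
}

# verify_backup ARCHIVE : returns 0 only if the archive is intact AND a restore
# reproduces every file recorded in the manifest; any other outcome returns 1
verify_backup() {
    archive="$1"
    # 1. the archive on disk is the one that was written (bit rot, partial copy, tampering)
    expected=$(cat "$archive.sha256")
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "FAIL $archive: checksum mismatch" >&2; return 1
    fi
    # 2. tar can read it end to end (catches truncated or corrupt members)
    if ! tar -tzf "$archive" >/dev/null 2>&1; then
        echo "FAIL $archive: unreadable" >&2; return 1
    fi
    # 3. the step most shops skip: actually restore it and compare the contents
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$archive"
    restored=$(manifest "$scratch")
    rm -rf "$scratch"
    if [ "$restored" != "$(cat "$archive.manifest")" ]; then
        echo "FAIL $archive: restored tree does not match manifest" >&2; return 1
    fi
    echo "OK $archive: restore test passed" >&2
    return 0
}

# Demo on constructed data (not real company files)
demo() {
    src=$(mktemp -d); out=$(mktemp -d)
    mkdir "$src/dispatch"
    printf 'load,route\n1,YYZ-YUL\n' > "$src/dispatch/manifests.csv"
    printf 'retention_days=30\n' > "$src/app.ini"
    make_backup "$src" "$out/nightly.tgz"
    verify_backup "$out/nightly.tgz"            # OK
    printf 'X' >> "$out/nightly.tgz"            # simulate bit rot / partial write
    verify_backup "$out/nightly.tgz" || true    # FAIL: checksum mismatch
    rm -rf "$src" "$out"
}
demo
```

The point of the manifest is that the restore is checked against what was backed up, not against the live tree (which legitimately changes between nightly runs). Run `verify_backup` from cron against the most recent archive and alert on a non-zero exit; a backup that has never been restored is an untested assumption, which is exactly what this company found out nine months later.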
Vulnerability Assessment:
We conducted an internal network vulnerability assessment to identify and enumerate all network-attached assets and their patch status, and to determine whether any software or operating systems were at or beyond end of life.
For the most part, the open source operating systems were up to date. Things like Java and SQL server software were out of date and had documented vulnerabilities, but were within several months of current.
The issue was with all of the commercial software and operating systems. The entire lot was beyond end of life: a dozen servers, a few dozen workstations, MSSQL Server, Microsoft Office suites, Adobe, etc.
Pen Test:
We then conducted a standard black-box network penetration test on their Internet-facing presence: firewall, VPN, mail gateway, Citrix, and a stand-alone WordPress website. There was no company portal to speak of.
The firewall/VPN did not limit brute-force attacks.
Credentials were found on the WordPress site that happened to work for gaining access through the VPN. You know, typical stuff, but all fixable.
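Two findings above go together: "some logs were collected, none were reviewed" and "the firewall/VPN did not limit brute-force attacks". The following is an added example, not code from the original post or from any product the company ran, of the minimal review that would have surfaced a password-guessing burst against the VPN. The log format (ISO timestamp, an `auth-failed`/`auth-ok` keyword, and a `src=` field) and the sample lines are constructed; a real VPN appliance logs differently and the field extraction would need adjusting.

```shell
#!/bin/sh
# Added example (not from the original post): flag brute-force bursts in VPN auth logs.
# Assumed format: "<ISO timestamp> vpn auth-failed|auth-ok user=<name> src=<ip>", one event per line.
set -eu

# Constructed sample, not a real log: 203.0.113.7 guesses six passwords inside one minute
# and eventually gets in; 198.51.100.4 is a user who mistyped twice.
SAMPLE_LOG='2024-03-02T02:14:05 vpn auth-failed user=jsmith src=203.0.113.7
2024-03-02T02:14:06 vpn auth-failed user=jsmith src=203.0.113.7
2024-03-02T02:14:08 vpn auth-failed user=jsmith src=203.0.113.7
2024-03-02T02:14:09 vpn auth-failed user=jsmith src=203.0.113.7
2024-03-02T02:14:11 vpn auth-failed user=jsmith src=203.0.113.7
2024-03-02T02:14:12 vpn auth-failed user=jsmith src=203.0.113.7
2024-03-02T02:14:14 vpn auth-ok user=jsmith src=203.0.113.7
2024-03-02T08:01:30 vpn auth-failed user=mlee src=198.51.100.4
2024-03-02T08:01:45 vpn auth-failed user=mlee src=198.51.100.4
2024-03-02T08:02:02 vpn auth-ok user=mlee src=198.51.100.4'

# flag_bursts THRESHOLD : read the log on stdin and print "src minute failures" for every
# (source address, calendar minute) bucket with at least THRESHOLD failed logins
flag_bursts() {
    awk -v thr="$1" '
        /auth-failed/ {
            src = ""
            minute = substr($1, 1, 16)                  # YYYY-MM-DDTHH:MM
            for (i = 1; i <= NF; i++) if ($i ~ /^src=/) src = substr($i, 5)
            if (src != "") n[src " " minute]++
        }
        END { for (k in n) if (n[k] >= thr) print k, n[k] }
    ' | sort
}

# Demo: five or more failures from one address within a minute is the review threshold here
printf '%s\n' "$SAMPLE_LOG" | flag_bursts 5
```

Bucketing by calendar minute keeps this portable (no GNU-only `mktime` in awk), at the cost of missing a slow attacker who spreads guesses across minute boundaries; a sliding window over parsed timestamps closes that gap. The same count is what the VPN itself should have enforced as a lockout or rate limit, which is the control the assessment found missing; a successful `auth-ok` immediately after a burst from the same address, as in the constructed sample, is the line worth paging someone over.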
The Report & Recommendations:
We made several recommendations, as you can imagine.
We tried to give them a positive spin, in that they were going in the right direction.
We documented everything against its risk rating:
How Probable was it for that threat to cause harm vs how much harm could it cause.
We provided an executive heat map with risk profiles and a roadmap/timeline to remediation.
We provided a technical document describing what needed to be done, including links to acquire patches/updates/configuration recommendations.
Finally, we offered to help remediate (at a fee of course), as well as showed them our Virtual CISO offering to provide periodic guidance and oversight of the remediation.
We wrapped this all up in a nice executive PowerPoint deck.
At close out:
The transportation Executives thanked us for our professional conduct, the informative reports, and well documented guidance.
They managed to acquire Cyber Security Insurance based on the few documented security controls they DID have in place, and a promise to fix the rest.
9 months later:
As it turns out, the company did not find time to follow any of the remediation guidance. They were breached, and their corporate intellectual property was compromised. Several of their systems were taken offline for over a week. They never regained the lost data.
During the third-party forensic investigation, it was identified that the breach exploited several of the documented deficiencies the company had promised to fix.
When they went back to the Insurance company for financial relief, they were denied.
In this case, the company did not see the value in a Virtual or Fractional CISO providing oversight and governance on the Cyber Security Program. They were content with getting enough accomplished to attain their Cyber Insurance. Strapped for resources, they had more pressing things to do than remediate the outstanding security issues.
The residual cost of this one breach would have covered more than 10 years of a Virtual CISO's due diligence.
Are you prepared for a breach?
Do you have a communications plan in place?
Could you recover quickly and be back in business?
Previous Case Studies in this Series:
Case Study #1 - Cellular Communications Provider in Merger & Acquisition
Case Study #2 - Fintech Service Provider requires Interim CISO
Case Study #3 - Software Startup requires Governance on a Budget
Case Study #4 - Wealth Management Firm with Poor MSSP contract
Case Study #5 - Small Family Law Firm concerned about Privacy Breaches