Leading a horse to water
We’ve all heard the saying: “You can lead a horse to water but you can’t make it drink”, right? Well, the Australian Securities and Investments Commission (ASIC) seems to have different ideas!
ASIC has commenced a law suit in the Federal Court of Australia. ASIC alleges [that] from March 2019 to 8 June 2023, FIIG Securities Limited failed to take the appropriate steps, as is required by an Australian Financial Services (AFS) licensee, to ensure it had adequate cyber risk management systems in place.
The filing claims that FIIG was responsible for “systemic and prolonged cybersecurity failures” that allowed attackers from ALPHV to exfiltrate a claimed 385GB of data, in an attack that took place at FIIG in May 2023. ASIC’s federal court application is made under sections 1101B, 1317E and 1317G of the Corporations Act 2001 (Cth) (Corporations Act).
Furthermore, according to ASIC, “FIIG did not investigate and respond to the incident until 8 June 2023, almost a week after it had been notified of potential malicious activity by the ASD’s ACSC.”
Leaving ALPHV to play on your computers for six days is probably not going to end well, and ALPHV posted their ransom note on June 10:

As you may remember, ALPHV was part way through its 2023 Across Australia tour at the time, having just returned from a gig where they exfiltrated roughly 4TB of data (about 2.2 million files) as part of their breach of the law firm HWL Ebsworth (that one is apparently being investigated by the OAIC) in April of that same year!
So what does ASIC claim?
The ASIC application states, in part, that in order to meet its obligations under s 912A(1)(d), FIIG was required to have available adequate financial, technological and human resources. ASIC further states that those resources were either not available and/or ineffective, and ASIC’s notice includes a list of “Missing Cybersecurity Measures”. The list runs across two pages (with an extra half page for “missing risk management measures”) and includes:
- A tested cyber incident response plan that includes key roles and responsibilities.
- Privileged access management.
- A prioritised patch-management scheme that takes into account patch criticality and that provides compensating controls for systems that cannot be patched.
- Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR), vulnerability scanning and NG firewalls.
- A security awareness training program that addresses organisational risk and employee responsibilities.
- A process or processes to review and evaluate the effectiveness of existing technical cybersecurity controls on an at least quarterly basis, known in the ISO 27001 world as a risk identification and treatment plan.
We’ve bleated on about all of these things in previous posts… risk management, and control frameworks, and regular testing and assessment, and AOCs… and… oh for heaven’s sake, does no-one read our blog? 🙂
Oh look! ASIC noted SIEM!
Two of the Missing Cybersecurity Measures that stood out for us were these:
As anyone who reads our posts (yes, both of you!) will know, we’re big on SIEM. How big?
- dotSec has over 14 years of Splunk Enterprise experience, over 8 years of Splunk Enterprise Security experience, and over 25 years of implementation, integration, testing and assessment experience.
- dotSec deploys, services and manages PCI DSS-compliant Splunk infrastructure for clients in the retail, government and legal sectors, and we have references from those clients.
- The dotSec SIEM team includes experts with PCI DSS QSA, and ISO 27001 lead implementer and lead assessor certifications. It also includes certified Splunk Enterprise Security Administrators and experts holding CISA, CISM, CRISC and CDPSE certifications, as well as Masters of Information Technology (Computer Networks and Information Security), Masters of Cyber Security and Bachelor of Technology in Electrical & Electronics Engineering degrees.
Yep, that big!
Why do we rabbit on about SIEM so much? Because it works, and without it you’re fighting blind! DotSec has been providing managed SIEM (MSIEM) services, assisting organisations across various industries in handling real-world cybersecurity incidents. In our next post, we’ll share a presentation that we used to highlight four case studies where we’ve used SIEM to help our clients with the following:
- Comprehensive Log Collection: Security monitoring is only as effective as the visibility it provides. Expanding log sources and ensuring structured data ingestion significantly improve detection capabilities.
- Machine Learning for Baseline Analysis: Establishing a baseline for “normal” activity remains challenging, but tools like Splunk MLTK provide valuable insights when applied carefully.
- Proactive Incident Response: Identifying anomalies quickly enables organizations to contain breaches before they escalate.
- Adversary Emulation for Security Validation: Testing security measures through red team exercises ensures continuous improvement and validates the effectiveness of implemented controls.
Which brings us back to the horse

ASIC is suing FIIG because “FIIG’s conduct exposed FIIG and its clients to the risk of a cyber intrusion and the adverse consequences thereof to a heightened and unreasonable extent”, and ASIC Chair Joe Longo stated the obvious when he said, “Cybersecurity isn’t a set and forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures.”
As business owners, one of our jobs is to manage business risks, especially risks to our clients and staff, as well as risks associated with business continuity and integrity.
And as we know, risks can be:
- Avoided. Well, not really in this case, unless your business has somehow travelled back to the pre-Internet era of Abba and flared jeans. And wild hairstyles… and my Ford Escort… good times!
- Transferred. That’s usually done through cyber insurance as discussed previously, but coverage increasingly relies on the business being able to show that it can demonstrate an adequate level of cyber security maturity.
- Managed (reduced). This is where the business is proactive and sets up a well-managed and reasonably funded maturity-improvement plan to manage (reduce) cyber risks to an acceptable level.
- Accepted. This is where the organisation has a formal system security plan, risk register and associated risk-management plan, and can be confident that it has managed (as per point 3) or transferred (as per point 2) the risks that cannot be accepted.
We have long suggested that it is better for a business to take the initiative and spend its hard-earned coin on its own terms, managing cost and risk as part of a mature security-control and risk-management framework. The alternative approach is to have the costs and payment plan dictated by one or more third parties, whether that be an attacker like ALPHV, and/or a regulator like ASIC.
As ASIC noted in the Concise Statement, “Had FIIG had the Missing Cybersecurity Measures in place, it would have detected suspicious activity on its network on or shortly after 19 May 2023, identified that its system had been compromised by on or about 23 May 2023, and prevented the threat actor from downloading some or all of the stolen data or, alternatively, had the opportunity to do so.”
So, what happens next? Well, ASIC fined RI Advice in 2022 for $750K plus the “costs of Security in Depth and the implementation of any Further Measures”, with the “engagement of Security in Depth referred to in paragraph 3(a) is to commence by no later than 1 month from the date of these Orders”. According to Allens, that was apparently the first time ASIC has exercised its powers in relation to cybersecurity risk management. Other commentators have suggested that ASIC’s action against RI Advice was a warning shot across the bow for other Australian businesses.
I have no idea if the RI Advice case is relevant to or sets a precedent for the FIIG proceedings. But if we look at the scale of the RI Advice and FIIG breaches, we see that although RI Advice suffered nine breaches over seven years, the broadest impact was described as “the potential compromise of Personal Information of several thousand clients and other persons”. “Several thousand” contrasts sharply with ASIC’s allegation that FIIG’s failings “enabled the theft of approximately 385GB of confidential data, with some 18,000 clients notified that their personal information may have been compromised”. Time will tell on that one, but the initiative does now seem to be with ASIC and the Federal Court.
Don't wait until it's bolted; get the horse to drink, now!
As Robert S. Mueller, III, former Director of the FBI and Special Counsel for the investigation into Russian interference in the US election, noted: “There are only two types of companies: Those that have been hacked and those that will be hacked.” But Mueller’s advice was not given so that we could all just throw our hands up in the air and give ourselves over to abject, pre-ordained hopelessness like Marvin.
Mueller’s advice was in fact optimistic: It is reasonable, prudent and cost-effective to manage risk pro-actively, and to maintain a suitable level of cyber security maturity; that way, when an attack does come, there is a realistic expectation of timely detection, investigation, defence and recovery, without major consequences for the organisation’s client base.
Mueller’s advice was not only optimistic, it was also amazingly prescient in light of HWLE, RI Advice, Optus, Medibank, FIIG and so many other breaches. Why? Because Mueller made his observation in 2012!
Give us a call! We really can help with all of this and we have 25 years of references to back us up. We look forward to hearing from you soon.