Once more unto the breach: El Reg has a go at crisis management

And you can probably guess how that turned out

Hacks played representatives of a hacked company in an incident response exercise run by F-Secure this week.

The Live Security product interactive workshop was based on an actual customer experience adapted for a media audience. Around 20 members of the international media became the board members and managers of a company that had been attacked.

Attendees were split into four teams (CSIRT, management, IT management, press) to roleplay a breach at fictional VPN vendor COMSEC.

The groups were collectively taken through the processes the board needs to follow when such a hack hits – understanding what is under attack, where the vulnerabilities lie and how to stop the attack, what the responsibilities of staff are and how can they protect themselves from future attacks.

Stealing, scamming, bluffing: El Reg rides along with pen-testing 'red team hackers'


Competition, especially in the Chinese market, has intensified for the fictional firm. The competitors' devices are not technically superior to COMSEC's products, but the competitors' sales and marketing efforts have succeeded in drawing attention to the weaknesses of COMSEC's comparable products in some detail.

COMSEC sponsors an internship program in Italy where approximately 15 students from local universities are brought in and taught security fundamentals, participating in the configuration of multiple network devices for COMSEC customers.

The firm has strengthened its position as a technology provider for made-up telco GermanTel Communications. As an important part of the agreement with GermanTel, COMSEC is (for the first time) also providing remote maintenance and operation of their products as a service.

COMSEC recently entered into an agreement with the German government, which has obligated COMSEC to notify them of significant vulnerabilities within COMSEC products deployed to German customers. The IT kit supplier has also agreed to report any breaches of data that adversely affect GermanTel customers.

Action stations

COMSEC's VPN flagship product's source code appeared on a blog along with scathing commentary over allegedly negligent security practices. The blogger's identity was unknown. COMSEC's CSIRT reported the incident to HQ and launched an investigation. COMSEC had outsourced its cybersecurity through another fictional outfit called FSC, which handled forensic analysis and the like.

Your reporter worked on this team, whose main tasks were to identify the source of the breach and contain it. COMSEC experienced an increase in spam emails in all countries throughout the summer and autumn of 2017. One infection of a lab server in Milan exposed a serious breach that was challenging to address.

The CEO ordered IT management to review the blog, access information exposures and the theft of confidential data from the labs.

Outside of CSIRT, an IT management team in Milan and local management team in Rome, no information related to this security exposure had been shared with employees or customers. Pundits were commenting on the reported leak on Twitter, representatives of the German telco partner expressed public displeasure while "COMSEC workers" complained through social media about being swamped with spam and (later) issues with a file server.

A set of "Action Cards" were given to each group (except the press). All necessary actions for solving the crisis were included, but not all groups had all the cards, and not all cards were needed. In this way the exercise was akin to a game of Cluedo.

Next page: Spoiler alert

Keep Reading

Biting the hand that feeds IT © 1998–2020