Inside the mop-up of a huge data “cock-up”

How AusCERT helped to tackle the Australian Red Cross Blood Service’s massive data breach

Once the website was taken offline King and his team were able to move from the identification phase to the containment phase of the incident response process.

Containment activities often start with the forensics, according to King, and involve response teams, war rooms, crisis centres and, importantly, media and communications activities.

From containment, King and his team moved into the eradication phase. In some ways this step was made more difficult than usual by the severity of the breach, but in others it was easier because, unlike many breaches that result from malicious activity, there were no adversaries to contend with.

“Generally you’ll need to have an eradication strategy that you’ll need to come up with,” King said. “So you need to reimage and reinstall affected systems. But, depending on your supply chain, logistics, third parties, that is not as simple as it used to be; where can that data end up? Is it communicating via APIs? You’ve got to work all that out.”

This is where forensics come in handy, according to King, with the eradication phase often made more difficult if organisations don’t have a clear understanding of their digital assets. Fortunately, the Australian Red Cross Blood Service did.

Next came the recovery and remediation phase, which King suggests should leave an organisation in a stronger position than it was previously, in terms of its digital assets and data security regime.

“You need to recover to better than you were before, so you’re no longer at the same risk level,” said King. “It’s not an exact science, it’s mostly science, but it’s partly art, because these situations are very fluid.”

The final step of the process, lessons learned, is perhaps one of the most important phases, according to King. It is this step that helps lessen the chances of a similar event occurring again in the future.

“You need to do a post-incident review, and be honest in your appraisal of what went well, what went wrong, what can you put in place to reduce the risk of that happening again,” King said.

King also recommends that organisations create a culture where employees don’t have fears around failure, as it will encourage open communications about potential issues, meaning they are likely to be addressed early, before they turn into problems.

“If you have a culture of fail early, fail fast, or don’t fail alone. If you’re having issues, don’t hide them, let someone know,” he said. “That’s how you have to manage the incident. It’s about being open, honest, and transparent.”

It is, perhaps, this culture of openness that helped the Australian Red Cross Blood Service deal with the breach as effectively as it did.

Ultimately, the Australian Red Cross Blood Service said that, following its forensic investigation, it could confirm the relevant data was accessed by only one person, the anonymous source who subsequently shared the information with Hunt.

“Our investigation indicates that the copy of the data which had been accessed and all known copies of the data have been deleted,” Park said in a statement on 14 November last year.

“We are continuing to strengthen our protection of your personal information and over the coming weeks we will be announcing newer, stronger steps to enhance this,” she said.
