We are not a bank! But we are a University and we got hacked.
I read an article last week about MSSPs basically being the devils and providing organisations with a false sense of security. The article went on to suggest that Red Teaming was all an organisation needed for security, and it did not take a holistic or layered approach. From day 1 of any formal qualification, we are all taught the most critical thing: Defence in Depth! This is why frameworks such as NIST and ISO27001 exist, to ensure that organisations are not just whacking in some form of monitoring and hoping for the best. It is the reason the Australian Prudential Regulation Authority (APRA) has clamped down and is enforcing CPS234 from 1st July 2019. The whole industry is built on this approach, and nobody ever suggested engaging an MSSP was a be-all and end-all.
Then, the 4th of June 2019 happened. A day that millions of Australian and overseas students are never going to forget. This is the day that news broke of a Westpac "hack" (it wasn't; PayID was used to scrape details based on user enumeration, and the approach of rate limiting is a discussion for another day) and then Australian National University (ANU) revealed that all student details dating back 19 years had been compromised. When I say all student records, I mean everything: names, addresses, phone numbers, bank details, superannuation details, even PASSPORT DETAILS. Let that sink in for a minute...
Do you know what you could do with the compromised details? Let me list some of the things:
1) Get a home loan.... yep, 100 points of ID right there.
2) Get a new passport.... the most sensitive form of ID right there.
3) Get a phone contract... rack up the calls under someone else's name and not pay the bill.
4) Get a credit card... load up mounds of debt and never pay it.
Now, think about being a student who entrusted their most sensitive details to an institution that is built on trust and integrity, and then had that exact trust and integrity broken. Oh, I would be angry. Then, as a cybersecurity professional, I would be asking how this happened. How does an organisation that is charging thousands per student not have even the basics in place?
I circle back to my original point about MSSPs being heretics. To all the haters, do you think Red Teaming would have saved ANU in this scenario? Or do you think following a framework for end-to-end cybersecurity (developed for critical infrastructure), with regular board reporting, might have been better? There is room in our industry for us all to get along and provide the approach organisations need, which is Red + Blue Teaming (yep, the unicorn Purple Team) and advisory from non-techies.
If this is not a wake-up call for Australia, I do not know what is. For so long, we have heard "I don't have the budget" or "it won't happen to us" and my personal favourite, "we are not a bank". Well, guess what... This breach is going to cost ANU millions, possibly even hundreds of millions. Consider that LandMark White revised their earnings to be $11.5 MILLION down following their breach. Now, consider 19 YEARS OF DATA walking out the door. And you know what, neither of them was a bank either, but I am guessing they held more PII and financial data than any of the Big 4.