11th August 2020

Security tunnel vision – to not see the forest for the trees

I’m writing this off the back of the explosion in Beirut. You’re probably wondering the relation here, so for context we have an office there that was impacted by the blast, and whilst no-one from the company was seriously hurt or killed, a lot of people were. This is a post about showing respect whilst still performing aspects of your job.

For those of you wondering the security relevance here, when your office becomes nothing but the foundations there’s a lot that needs considering. Is the hardware secure? The paperwork? What was once a secure site is now an investigation site that, depending on the level of control and priorities of the local law enforcement, may be accessible to just anyone. But even if it’s not, you still have a responsibility over the data for your employees, your customers and anyone else you’re holding data on.

At the same time, the local team and the country in general have just experienced something horrific. Many people will know family or friends that have been impacted, some of them never coming back. It’s a crazy and unique situation that you don’t plan for or probably ever even expect to happen. I know that in my years in cyber security, destruction of an office is not something I thought I’d be involved in, but when the time comes you want to know you can deal with it whilst being as respectful to the situation as possible. No-one wants to be asked if they had passwords on sticky notes or if they secured the hard drive when they are going through a period of mourning, whether it’s part of the job or not. (Yes, the question did come to us…) So how do you deal with this?

Use all the data sources you have. Absolutely anything and everything that can get you the information you need that leaves those personally impacted to focus on what matters more. Security tools, infrastructure tools, CMDB (Configuration Management DataBase), remote teams. Every question you can answer that doesn’t involve talking to local teams means they can spend time with family or friends. It lets them process what happened and work on more important items, whether personal or business. Items like how to get operations back up and running and other DR (Disaster Recovery) activities.

So how did we do this? And what needed to be looked into and why? Let’s start with what.

  • Paperwork – What sort of data was now gone with the wind? (quite literally, when the windows are blown out…) We all know people do it, put passwords on sticky notes, in documentation etc., so what’s our risk here? In most organisations, hopefully none. After all, you’ve implemented MFA for any accounts that can log in from an external source, right? So yes, that password might be out there, but they’re still not getting in. Sure, you could reset all passwords to be sure, but remember you’re trying to minimise impact as much as possible. They just lost their place of work and have a lot on their mind; do they really want to remember a new password? And whilst that’s easy with users, it gets more difficult when it comes to service accounts and other unattended logins.
  • Hardware – Are hard drives encrypted? Your laptops probably are, what about your servers? Do you encrypt your data or just the hard drive? Do you print access badges on site? Smart cards for login?
  • Networks – Has your internal network now become one cable away from being exposed and accessed by some random person on the street? It may not even be malicious, just someone wanting to get in touch with a loved one over a network that happens to still be up, but who knows what’s on their device?
  • Anything else – Being in Security, you tend to know a lot of people and have a lot of visibility into different things. Can you help them get the local servers up and running? Even if you’re just facilitating communications. Have your investigations turned up other useful information that can take some weight off the local team? You want to be careful here and not step on other people’s toes, but making yourself available can help a lot.

How did we do this?

  • Paperwork – Honestly, this one’s difficult. No-one keeps track of all the paper they have, you effectively just assume loss and work around that.
  • Hardware – This all starts with an asset list. Maybe you’re that magical company we all like to imagine is out there with an impeccable CMDB and all the information you could possibly need on the asset? Chances are you’re not, but CMDB is still a good starting point (after all, that’s what it’s there for), so start there and then supplement it: your security agents, infrastructure agents, network scan data. If the devices are managed remotely, talk to those teams and see what they can give you.

    You’re starting to get a picture that is not necessarily more accurate, but one that covers as many bases as possible. This way, you’re unlikely to miss anything.

    Now what’s on this hardware. Documents? Applications? Databases? Backups? Figure out what sort of data could get exposed.

    Follow that age old saying “Prepare for the worst. Hope for the best.”

    Again, you could be that magical company with data classification all sorted out, but let’s assume you’re not. However, perhaps your tools tell you what processes were running, what files were accessed or saved. Maybe CMDB gives a hint as to what might be there. Maybe somewhere had backups you can check.

    You’re getting closer to figuring out what could be lost.
  • Networks – Kill the links. The office is gone, so nothing is going to be using them. There’s no reason to keep any of these live in this situation.
  • Anything else – Whilst not in our remit, we know people. Sure, it’s not our focus to get their servers back up so they can continue operations, but we know who can help. Reach out, lighten the load, come with solutions to problems they either haven’t discovered, asked or figured out yet.
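An added example (not code from the post) of the hardware step above: merging constructed CMDB, security-agent and network-scan exports for one site into a single asset view, then flagging what to chase first. The site name, hostnames and field names are assumptions.

```python
from collections import defaultdict

# Constructed sample exports (hypothetical, not real data): each source
# is what that tool last knew about assets at the affected site.
CMDB = [
    {"host": "bey-fs01", "site": "Beirut", "role": "file server", "disk_encrypted": False},
    {"host": "bey-db01", "site": "Beirut", "role": "database", "disk_encrypted": True},
]
EDR_AGENTS = [  # security agent view: last check-in before the blast
    {"host": "bey-fs01", "site": "Beirut", "last_seen": "2020-08-04T15:05Z", "disk_encrypted": False},
    {"host": "bey-ws17", "site": "Beirut", "last_seen": "2020-08-04T15:07Z", "disk_encrypted": True},
]
NET_SCAN = [  # last network scan of the site subnet
    {"host": "bey-db01", "site": "Beirut", "ports": [1433]},
    {"host": "bey-print01", "site": "Beirut", "ports": [9100]},
]

def consolidate(site, *sources):
    """Union every source's view of the site's assets into one record per host.
    The first source to supply an attribute wins; later ones only add gaps."""
    merged = defaultdict(lambda: {"sources": set()})
    for name, records in sources:
        for rec in records:
            if rec.get("site") != site:
                continue
            entry = merged[rec["host"]]
            entry["sources"].add(name)
            for key, value in rec.items():
                if key not in ("host", "site"):
                    entry.setdefault(key, value)
    return dict(merged)

def triage(assets):
    """Flag what to chase first without asking the local team: hosts CMDB
    never knew about, and hosts whose disk encryption is not confirmed."""
    flags = {}
    for host, attrs in assets.items():
        issues = []
        if "cmdb" not in attrs["sources"]:
            issues.append("not in CMDB")
        if attrs.get("disk_encrypted") is not True:
            issues.append("disk encryption unconfirmed")
        flags[host] = issues
    return flags

if __name__ == "__main__":
    assets = consolidate("Beirut", ("cmdb", CMDB), ("edr", EDR_AGENTS), ("scan", NET_SCAN))
    for host, issues in sorted(triage(assets).items()):
        print(host, sorted(assets[host]["sources"]), issues)
```

Each extra source widens the picture rather than correcting it, which is why the triage flags rather than trusts: an asset seen only by the scanner still needs its data and encryption state established from some other record.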

You’re probably thinking to yourself that this could be so much easier talking to the person, and you may be right, depending on circumstances. But when you have the information at your fingertips, you should use it, at least in these situations. Let them focus on what’s important to their job, whilst you focus on yours.

You might be asking yourself about the title, as so far this content hasn’t quite matched up to it, so here’s where I clear that up.

In our meeting, I had to say that we should remain respectful considering there were now hundreds dead and thousands injured. I never thought I’d ever have to say anything like that; I figured it was implied. But it was that day I realised that people can get so focused on their “issue” that they become oblivious to what else is going on. That’s why I wrote this: so no-one is asking people about the passwords on their sticky notes during a disaster.
