Recently, global IT services across industries ranging from aviation to banking, universities and many other businesses and workplaces were taken down by an issue with a cyber security supplier's product which rendered large numbers of computers within businesses unusable. Understandably, this escalated to national cyber security regulators and reporting bodies. Here, we will look at some aspects of how this was handled and communicated.

What constitutes a security incident?

Reporting in the media, from both the Australian Government and the company itself, stressed that this was not a cyber security incident. If at all possible, a company will deny that any incident occurred, to minimise reputational damage and to try to avoid any potential legal ramifications.

Government releases will play down the size and scope of the issue, and any communications will try to reassure the public. Alternatively, Government officials may not be knowledgeable enough about cyber incidents to give an accurate assessment. Their response will also likely come from the frame of reference of "Is this event caused by a malicious actor?". It is important to note that not all incidents are malicious: an incident is defined by its impact on information and systems, not by the intent behind it.

Assessing information security events and incidents is undertaken under time pressure and without all the information available. The only way to really assess whether this (or any event that you may encounter) is indeed an incident is to look at it in a calm, unbiased and rational light. The most pragmatic way to do that is to apply a structured methodology: take the CIA triad (Confidentiality, Integrity, Availability) and determine whether any of its three pillars were affected.

  • Was Confidentiality breached?
    • Based on what has been reported - No
  • Was data Integrity compromised?
    • Again, based on reporting - No
  • Was there a compromise to Availability?
    • Definitely

So, using this unbiased, pragmatic methodology, the answer becomes very clear: YES, this absolutely WAS a security incident. Availability is one of the three properties that information security exists to preserve, so a widespread loss of availability is an information security incident whether or not a malicious actor was involved.

Quality in Cyber Security

The root cause analysis indicated that the outage was caused by a defect (bug) introduced into the product as part of a software release. A defect released into production was also one of the factors that contributed to one of the major data breaches in Australia in 2022.

Quality is an extremely important aspect of cyber security within software products. However, it is often overlooked within companies in the haste to get new features out to market.

Ensuring that quality criteria, including any security requirements, are determined and documented within each task so that adequate testing can be performed is an often-undervalued part of the software development lifecycle.

Testing of functionality, based on the acceptance criteria of a task, should be undertaken to verify that the functionality built meets the requirements. There are several methods or techniques for testing functionality. The options, and some of their best uses, are:

  • Automated unit tests within a code base
    • These are often best for regression testing, to ensure that deeper code changes don't have any unintended consequences.
    • They are also a good way of testing input validation: that the code rejects incorrect or malformed inputs and fails gracefully, rather than crashing, when it receives them.
  • Automated testing scenarios
    • These are a fantastic way of checking that code is compatible with other functionality within the system. Automated integrations, such as consuming files or calling APIs, can be exercised automatically to verify that end-to-end processes will work as expected.
  • Manual testing undertaken by a Quality Assurance team
    • Having a tester exercise the functionality is best for the parts of the system that users will interact with directly. A real person working through your system gives you the best indication of how end users will actually use it.
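
As an added illustration of the unit-test point above (this is example code written for this article's argument, not code from the original article and not the supplier's product code), here is a small Python loader for a hypothetical line-based rules update file, written twice: an unchecked version that crashes with an IndexError on a malformed record, and a validating version that rejects the whole update with a clear error and leaves the previously loaded rules in place. The file format, the field names, the allowed values and the sample records are all constructed for the example.

```python
"""Added example (not from the original article): input validation and
graceful failure for a hypothetical line-based rules update file, with the
unit tests that guard against regressions. File format, field names and
sample data are assumptions for illustration only."""

import unittest

# Constructed sample content for the hypothetical update file:
# one rule per line, fields separated by '|':  id|action|pattern|severity
GOOD_UPDATE = (
    "1001|alert|powershell -enc|high\n"
    "1002|block|mimikatz|critical\n"
)

# Constructed malformed update: the second record is missing its severity field.
BAD_UPDATE = (
    "1001|alert|powershell -enc|high\n"
    "1002|block|mimikatz\n"
)

ALLOWED_ACTIONS = {"alert", "block"}
ALLOWED_SEVERITIES = {"low", "medium", "high", "critical"}


class UpdateError(ValueError):
    """Raised when an update file fails validation; the caller keeps the old rules."""


def parse_rules_unchecked(text):
    """'Before' version: trusts the input. A short record raises IndexError
    deep inside the loader, the kind of unhandled failure that takes a
    component down instead of degrading gracefully."""
    rules = []
    for line in text.splitlines():
        fields = line.split("|")
        rules.append({
            "id": int(fields[0]),
            "action": fields[1],
            "pattern": fields[2],
            "severity": fields[3],   # IndexError on a 3-field record
        })
    return rules


def parse_rules(text):
    """'After' version: every record is validated before use. Any defect is
    reported as UpdateError with its line number, and the whole update is
    rejected so the consumer never runs on a half-loaded rule set."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # tolerate blank lines
        fields = line.split("|")
        if len(fields) != 4:
            raise UpdateError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        rule_id, action, pattern, severity = fields
        if not rule_id.isdigit():
            raise UpdateError(f"line {lineno}: rule id must be numeric")
        if action not in ALLOWED_ACTIONS:
            raise UpdateError(f"line {lineno}: unknown action {action!r}")
        if not pattern:
            raise UpdateError(f"line {lineno}: empty pattern")
        if severity not in ALLOWED_SEVERITIES:
            raise UpdateError(f"line {lineno}: unknown severity {severity!r}")
        rules.append({"id": int(rule_id), "action": action,
                      "pattern": pattern, "severity": severity})
    return rules


def load_update(text, current_rules):
    """Apply an update only if it validates; otherwise keep the current rules
    so a bad release degrades to 'no change' rather than 'no service'.
    Returns (rules, error_message_or_None)."""
    try:
        return parse_rules(text), None
    except UpdateError as exc:
        return current_rules, str(exc)


class RuleParserTests(unittest.TestCase):
    def test_good_update_parses(self):
        rules = parse_rules(GOOD_UPDATE)
        self.assertEqual([r["id"] for r in rules], [1001, 1002])

    def test_unchecked_parser_crashes_on_short_record(self):
        # Regression test: documents the crash the validating version prevents.
        with self.assertRaises(IndexError):
            parse_rules_unchecked(BAD_UPDATE)

    def test_checked_parser_fails_gracefully(self):
        with self.assertRaises(UpdateError) as ctx:
            parse_rules(BAD_UPDATE)
        self.assertIn("line 2", str(ctx.exception))

    def test_bad_update_keeps_current_rules(self):
        current = parse_rules(GOOD_UPDATE)
        rules, err = load_update(BAD_UPDATE, current)
        self.assertIs(rules, current)
        self.assertIsNotNone(err)


if __name__ == "__main__":
    unittest.main()
```

Running the file executes the four test cases. The test against the unchecked loader is the regression test that would have flagged the malformed-record case before release; the test against load_update checks the failure mode that matters operationally, namely that a bad update is refused rather than partially applied.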

As well as testing each piece of functionality in isolation, there should also be tests for common workflows and security tests on environments which match production environments as closely as possible.

Conclusion

When assessing a cyber security event, it is important to be as analytical and clear-headed as possible. Often this is not easy, and using the CIA approach to determine the effects helps to assess the impact and to classify the event so that it can be properly handled.
Ensuring the quality of software products by testing functionality and environments is a vital, and often underappreciated, aspect of cyber security. A lack of it has been a contributing factor in multiple high-profile data breaches and incidents.

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001 and ISO 27001 standards and information security management systems (ISMS), with extensive experience in software development.
