Friday, May 25, 2018

We Truly Need to Learn From Our Mistakes

“Those who cannot remember the past are condemned to repeat it.” -George Santayana

In the InfoSec field, the professionals strive to protect the enterprise, create or update processes to secure the users as much as possible, and, if an issue falls through the cracks, to analyze the issue with a forensic lens. Although this sounds like a pretty simple process, it is rather complex given the number of people and departments involved, all of whom have to agree.


One particular area of our operations which tends to be frustrating involves breaches. Occasionally things happen and users click on something (a link, a picture, etc.) they truly should not have. The lure may be an enticing picture, the promise of a package delivery, or virtually any other topic. When, however, this happens repeatedly, especially after an increase in training and announcements, the InfoSec Department begins to wonder what the users are thinking and what can be done so this does not happen again. These thoughts are meandering through the InfoSec mind all the while remediating, or attempting to remediate, the issue. Depending on the compromise, this may mean re-imaging a workstation, analyzing the effects on a server farm, or simply taking a moment to ponder “Why me?”


An incident like this occurred in Texas recently. This involved ransomware being introduced into the Riverside Fire and Texas Police Department computer servers (http://www.ehackingnews.com/2018/05/texas-police-department-server-again.html). This attack occurred on May 4th of 2018. Ransomware is well-known and used throughout the globe. Compounding the issue, the police department had previously been the victim of a ransomware attack on April 23rd of 2018. With the initial attack, the police department lost approximately 10 months of sensitive data generated by ongoing investigations. In this latest attack, the ransomware was coded to lock files and delete others located on the affected server.


In this case, the police department did not pay the ransom and was able to recover some of the data. The police department had finally learned its lesson from this set of operational exercises. There is now a backup protocol in place, and the admin staff only had to re-enter approximately eight hours of work.


The initial attack vector was a simple phishing email; however, the second attack’s method of successful delivery is unknown. This emphasizes the need for communication and staff training. To supplement this, the entity may run an internal phishing campaign of its own. The results of this may also be used as another training tool and opportunity.
