How the Hamas-Israeli conflict puts CISOs on the spot

Conflicts have had a digital component since before the beginning of the century, whether carried out by the combatants or by their sympathizers. The recent heinous attack on Israel by the Hamas terrorist group was no exception. These actions highlight the need for CISOs, especially those with entities in Israel, to flex their backup infrastructure and business continuity plans, look for new threats, and be more engaged.

Disruption, personnel drain affect crisis plans

Those who have lived or worked in Israel already know that the trigger points that cause companies to invoke their crisis plans run higher than in other locales. We are a bit over one week past the beginning of the war, and it is no surprise that nearly every company with assets in Israel has seen its day-to-day operations experience some disruption.

The need to go to a war footing has also caused personnel issues. The call-up and activation of reservists to the Israeli Defense Force (IDF) have taken 360,000 Israelis from their day jobs around the globe. This means that the support personnel present on Friday, October 6, are not available on Monday, October 16, to focus on network continuity. Then we have the targeting of both official and commercial entities with a plethora of distributed denial-of-service (DDoS) attacks and hacking attempts.

Attackers target key Israeli infrastructure, media

A number of groups have claimed to be behind attacks targeting the Israeli infrastructure. Cybersecurity researcher Julian B. has crafted an interesting timeline that intimates that some activities began on October 6. The timeline serves to highlight the activities of Cyber Av3ngers (Iran aligned), Killnet (Russia aligned), and Anonymous Sudan (a group sympathetic to Hamas, with alignment to Russia).

Anonymous Sudan has claimed responsibility for an attack on the Israeli alert system. The Israeli government advised that human error caused the alert system in northern Israel to activate, giving the impression that that area of Israel was under attack. The Noga — Independent Systems Operator (Israeli electric system management) found itself under a DDoS from the Cyber Av3ngers.

The Jerusalem Post, whose web page became inaccessible on October 7, was also targeted by a DDoS attack. The editors used social media to highlight their lights-out situation and to assure readers and others interested that they were still open for business. The paper’s website was eventually brought back online, but it took a day or two to achieve stability. ZeroFox issued a report that highlighted how the personal identifying information (PII) of individuals from the Israeli Defense Force or Israeli Security Agency was being shared by the Russian-language dark web forum RAMP.

The level of disinformation and misinformation reached such a high level following the invasion that the European Commission reached out to X, Meta, and TikTok asking them to police their environment for images and that are illegal and clearly part of a disinformation campaign. These incidents are not happening willy-nilly; they are concerted efforts to shape the narrative and sow confusion within the rubric of situational awareness.

Conflict creates insider threats

As with any conflict, sides are chosen. No matter how repugnant, the fact there is a conflict is indicative of having a support base. The sympathetic base may include some of your employees who view the resources of their employer to be an extension of their own and may choose to leverage the computing and network bandwidth to push through a selected narrative.

That narrative might bring considerable embarrassment to the entity, as the views of an individual may run counter to the views the entity’s leadership wishes to project. The CISO is in the untenable position of being responsible for monitoring social networks for individuals launching diatribes and using the organization’s network as a command-and-control node for an attack directed at one side or another.

Similarly, when an entity comes forward and condemns the actions of Hamas, remains silent, or condemns Israel, there is a very real possibility that an insider may see their role as now being to punish their employer for this perceived “wrong-headed” position. Likewise, every insider-risk management program within entities that actively support the defense and intelligence sectors should be on heightened alert during this time. Employees’ opinions on what is right and what is wrong may empower the employee to abscond with data or information that, if in the hands of Hamas or Israel, would be beneficial to the respective side.

Dynamic situation requires the CISO to be engaged and visible

The situation is dynamic and fluid and will become more so. Embassies are evacuating non-essential personnel and dependents from Israel. When this occurs, that is a clear signal that all should be considering the same path. As staff is drawn down and attacks continue, having employees lean more heavily on telework than traveling to and from an office and risking personal injury is prudent.

The ability to conduct business may be impacted and degraded during this time of crisis. CISOs will need to take care of their people and their network. They also must ensure that the primary connectivity has ancillary and tertiary means of communications to stay engaged and relevant. Now is not the time to be “off the air.” Now is the time for the CISO to be engaged and visible.
