South Africa’s eligible voters cast their ballots in national and provincial elections on 8 May 2019. Although there are many internal and external factors that may affect the results, a more pressing security concern for the Independent Electoral Commission of South Africa (IEC) is the threat of cyber-attacks.
These attacks may harm the computer systems that support our election, thereby changing the results and irreversibly affecting the fate of the country.
Preparing for the ‘day after’
Data storage and protection are therefore key considerations, along with a proactive plan for what to do if hackers succeed with an attack.
An election campaign is the ultimate test for the successful deployment of a large-scale data recovery and investigation the day after an attack. If the country were to fall victim to a cyber-attack during the election process, the process would be similar to that of a business recovering from an attack or data breach. As a result, lessons can be learned from the ‘business world’ on how they execute such plans.
Two crucial pillars
In order to prepare for the "day after" scenario, two main pillars must be in place, namely preparation and rapid recovery.
Firstly, parameters must be put in place that define what information can be stored as evidence and how this data should be collected in order to be easily analysed after the fact. In addition to ensuring that adequate data is gathered, a procedure needs to be in place to record those who have accessed the system. This includes identification methods and the location or source of access, etc. The information will assist the investigation and provide an answer as to how the breach occurred.
The second pillar comprises the skills to analyse the information that is gathered, a proficient investigation and the ability to respond accordingly. Here, the tools used in the attack against the organisation are examined. This evaluation and investigation are usually conducted by a Security Operations Centre (SOC) and cyber security experts, as they are able to answer critical questions such as: How and when did the penetration take place? Is there still access to information or remote-control systems? What can be learned from this, and how can the activity be neutralised? Who is involved, and what information was leaked?
In recent years hackers have been known to use malware that destroys the information that could be used to detect them, intentionally corrupting all the data around them. Such a "scorched earth" policy makes the attack difficult to investigate and assures hackers that the tools they have developed can be used for a longer period of time. This makes the second pillar crucial in apprehending suspects.
These parameters ensure that organisations are prepared for the “day after” by providing investigators with information and the ability to retrieve it easily and quickly. However, a major problem lies in the fact that the data collected and investigated is often saved on inexpensive media, such as cassettes, that are not readily available for immediate retrieval.
Data availability and performance
When it comes to election campaigns, the availability of information is paramount and the public cannot wait months for retrieval and analysis of results. The process must be conducted as quickly as possible.
In other words, when planning the deployment for the "day after", a proper level of performance must be ensured so that accurate insights and analysis can be produced timeously. Furthermore, a thorough feedback process must be conducted in which checks are done to establish whether all the data has been collected and whether the organisation is adequately prepared for another attack.
It is vital to locate, identify and retrieve information and this must be addressed through the infrastructure. Modern intelligent storage solutions include mechanisms called snaps that enable accurate monitoring of cyber threats and detection of active attacks. Snaps allow for rapid recovery, as there is no need to transfer terabytes of information back from backup destinations. Recovery time is also a critical element in an election campaign and therefore retrieving large volumes of information in a short period of time is a must.
Therefore, organisations, whether a country or a business, must examine and leverage the infrastructure tools at their disposal in order to carry out comprehensive and thorough planning of the mechanisms that support the analysis of critical questions the day after an attack.
Intelligent storage solutions need to be in place that provide performance and availability at a reasonable cost. Moreover, a holistic operating approach is required, enabling efficient implementation while achieving rapid recovery. This turns the tide from a disaster scenario to a positive development and a return to a beneficial routine.
Cover image credit: IEC South Africa.