Hi, Jaya. Thank you for agreeing to be interviewed by us today. Would you mind briefly introducing yourself and telling us about your role within KPN?

>> My name is Jaya Baloo, I'm the Chief Information Security Officer of KPN.

>> In early 2012, a hack was discovered at KPN which resulted in a hacker gaining access to highly sensitive data. What can you tell us about this incident?

>> Well, to start off with, I was not working at KPN during the incident. I actually have my job here thanks to that set of incidents that happened in the beginning part of 2012. I joined in October of 2012 and what happened was actually two separate incidents. We had a teenage hacker hack, via 1 vulnerability, 300 different systems within KPN. He was just able to pivot between those systems, and then we had a second issue, which was a compromise of customer information that did not happen from KPN, but actually happened from Baby-Dump, that resulted in the potential for us to have actions which we thought were a result of a data breach.

>> Could you talk about some of the most relevant security challenges that you face when dealing with this type of incident?

>> Well, I think the biggest security challenge here, when it happened, was that we didn't have eyes on target. We didn't know, first of all, that the vulnerability was there. That it was open. That it was exploitable. That was the first issue. So, you had no clue over what your exposure was as a company. That was the biggest issue, I think, and the second issue is that when the hacker actually managed to breach his initial system, there was no giant alarm going off that was letting us know that there was an intrusion taking place. So the fact that he compromised one system is bad, but the network architecture, the time, the topology allowed him to pivot between different points of the network, because it was a sort of non-segmented network at the time, and all of those things really presented the challenges which have been dealt with since.

>> From your perspective as chief information security officer, what makes the manner in which this incident was handled so successful? What can a company like KPN learn from an incident like this?

>> I always like to say never waste a good incident, so there's a lot to learn. And I think the best thing that happened to KPN is the fact that this incident really was sort of a wake-up call for the company in order to figure out what they needed to do in terms of investment in not just technology, but also in the people and the skill set that's required across the company to really get security to a better place. So, I think the successful portion of this incident was what happened after it. The real addressing of the problem by the entire company starting from the top all the way to the bottom about how to deal with security.

>> What are some of the dilemmas that come to mind when dealing with an incident like this?

>> I think one of the biggest security dilemmas you face when you have an incident of this size is really being able to have some sort of preservation of data and having a proper forensic analysis and a really good forensic report not just to say what did happen, but also what didn't happen. There was no customer data that was actually in danger during this incident. This hacker, had he wanted to, could have done a lot of evil stuff, but the fact of the matter is he didn't. He was interested in harvesting credentials and harvesting systems. Kind of having notches on his belt, but he didn't actually do anything beyond that. He didn't, you know... read the data, manipulate it. He didn't throw it away, all of the things that could have been possible, but he didn't do that. So I think as a proper forensic evaluation and report, that was really one thing that I wish we had done better.

>> What is the most important lesson learned from an incident like this?

>> Well, I think the biggest strategy is that this is not a one-time thing. I always like to say that security is a journey and not a destination. There's no point in time at which you could say, that's it. I'm done, my security project is over. I'm now secure, it's not going to happen. You're going to keep having to get better, to learn, to adapt and to evolve, and I think that that is the biggest fundamental thing, that it's not something that you can throw money at and it's done and it's once. It's something that you keep having to look at how you can play sort of security Moneyball. How you can be very effective at employing different strategies to be able to combat the threats that are going to occur. I think the biggest realization that happens is that it's no longer a question of if I get hacked, but more when I get hacked. And I think that if you can deal with the fact that you're already compromised now or that you will be compromised again in the near future, it's a far more pragmatic way to look at how you place your investments. So I think in the past, we tend to very much kind of put all of our bets on prevention, but I think the name of the game, especially when you're confronted with an adversary that keeps evolving, is really about detection and response. So that you can actually think about how you can figure out that he's in your network and how to get a proper response there rather than acting like chickens with their heads cut off, that you can actually figure out how to scale up your communications, your crisis management team and your operational response as quickly as possible. So if you have that life cycle of prevent, detect, respond, verify, that you can feed everything you learn from every incident back into your prevention cycle. Yeah, but that you don't only solely focus on it. That you really take into account how quickly you can reduce the opportunity window for a hacker, which he uses on the basis of your vulnerabilities in your incidents.