Decision Point Focus in IR and BR Plans
Incident Response (Technical Effort): Detection - Analysis - Containment Eradication
Breach Response (Harm To): Legal - Partners - Customers- Regulators - Press/Media Employees
Practices: Unauthorized access, malware
The malware that is supposed to have been used in the Sony attack known as Destover or WIPER deletes and overwrites hard drives, destroys data and makes it extremely difficult and costly, if not impossible, to recover information using standard forensic methods. Specific numbers have not been publicly released, but the cost to Sony in hardware, software and data could be immense.
While the delivery mechanism of the malicious payload has not been publically released, it could come down to poorly managed access and privilege controls that allowed insiders unnecessary and dangerous levels of access to the corporate network. Physical access controls, sensitive data classification policies, data encryption and remote backups can all contribute to business resilience in an attack.
- Strange or altered device behavior (unprecedented slowness, erratic cursor etc.)
- Changes in network traffic and/or speed could point to data exfiltration or theft
- Increases in phishing and spam email levels may mean a targeted attack is underway
- Employees accessing physical or digital assets at odd times or outside their assigned areas of responsibility may mean stolen credentials stolen or insider theft
- Train employees to notice and report unusual events or device behaviors
- Monitor network traffic for irregularities in source, destination, and volume
- Keep software patched and updated
- Train employees to avoid and report phishing attempts, and follow up regularly with
Key Lessons for the Risk Executive:Take a hard look at what IT services should be operated in-house versus outsourced. By the time data-wiping malware or ransomware is detected, it is often too late to recover data. The least expensive and most reliable method to protect company data is to keep a regularly-updated remote backup or shift to a cloud provider. Core business applications such as email, HR/Payroll (ERP), user storage and other services of a similar nature can usually be outsourced to a trusted service provider hosted in the cloud that is cost effective.
Define and Manage
Adversaries are almost always after two capabilities: privilege escalation and freedom of movement. The challenges with denying both of these lies directly with corporate culture and how it relates to user convenience. The challenge is identifying the best position between secure and usable. Here's how to strike that balance:
- Engage in an honest discussion with business executives on the topic of secure versus usable and define what "well positioned" looks like for the organization based on internal and external liabilities.
- Conduct a data governance and threat assessment with a focus on business resilience. Attacks cannot always be prevented, and some level of resilience must be planned in the event of a successful assault. Joseph Demarest, assistant director of the FBI's cyber division, said of the Sony attack, "the malware that was used would have slipped or probably gotten past 90% of net defenses that are out there today in private industry and [likely] challenged even state government."
- Lastly, regardless of organizational size or regulatory requirement, establish a risk committee that has oversight of business resilience risks and make "cyber" a focal pillar of the overall enterprise risk management program reporting to the board.
Having a business resilience plan that includes cyber will not only save money on impacting events, but will also allow business to resume much more quickly than if data is lost or compromised.
Sign up for Computerworld eNewsletters.