Planning in an attack-ridden landscape: Continuity planning


With apologies to English songwriters Anthony Newley and Leslie Bricusse, it's a new dawn, a new breach…

Given the current climate, are organizations changing the way they do business: assessing their vulnerabilities, taking stock of and protecting the crown jewels, and preparing so that when (or if) the network is breached, damage is minimized and operations are not crippled indefinitely?

Well, some appear to be. The onslaught of cyberattacks has caught the attention of the C-suite in all sectors, alerting executives to the importance of warding off potential threats.

Staffing and investment levels for state-of-the-art IT security planning are slowly rising, and not a minute too soon, concur IT security experts.

“It's a pattern that we're brought in almost always after there's a problem, rather than before,” says Larry Ponemon, chairman and founder of the Ponemon Institute, a Traverse City, Mich.-based research think tank dedicated to advancing privacy and data protection practices. “The problem at least gets them to think more seriously about the issue. Board members start to worry that [the event] will damage their legacy or they might have personal liability.” 

Continuity planning

Sol Cates, CSO, Vormetric 

Chris Coleman, CEO, Lookingglass 

Gene Fredriksen, CISO, PSCU 

Ron Gula, CEO and CTO, Tenable Network Security 

James Knight, CEO, Beta Unlimited 

Larry Ponemon, chairman, Ponemon Institute 

Raj Samani, CTO, EMEA, McAfee/Intel Security 

Tom Smith, VP, Gemalto

A sea change is occurring, altering perspectives on who is accountable, with a dawning recognition that risk falls on the board and the business, not just on the security team and the CISO, agrees Raj Samani, London-based VP and CTO at McAfee EMEA, part of Intel Security.

Samani points out that a board will recognize the future ROI benefit in beefing up security when alerted to the potential of a three to five percent sales decline following a data breach. 

Further, marketing, PR, legal and all other departments need to be involved in breach response to ensure business continuity, which should be laid out in an existing crisis plan that anticipates unwanted eventualities. 

“The awareness level has gone way up,” says Tom Smith, VP of business development and strategy at Gemalto. A 2015 report on cybersecurity from the global digital security company found that 89 percent of IT pros surveyed reported “some impact from recent security breaches,” of which approximately half raised concerns, while 40 percent were actually re-evaluating or changing policies.

As a best practice, predictive models should be deployed, says Gene Fredriksen, CISO for PSCU, a Saint Petersburg, Fla.-based provider of PCI transaction clearance for more than 800 credit unions. “Rather than running around with your pants on fire playing Whack-A-Mole, [you] at least have an idea on what your emphasis should be.” Too often organizations focus only on warding off inbound attacks, Fredriksen says, “getting only half the picture.” Potential inside threats within your infrastructure must be vigilantly monitored. For example, an unauthorized connection from a company computer to a command-and-control server in China is a pretty huge red flag that the machine needs to be shut down. “Once you understand where the bad guys are coming from, you can start to be proactive,” he says.

Monitoring a company's computers is not about “Why is Wayne spending so much time on Facebook? It's why is Wayne's computer always transferring all this data over DNS and returning all these DNS query responses in the middle of the night?” points out Chris Coleman, CEO of Lookingglass, an Arlington, Va.-based cyber threat intelligence management firm.

Inside breaches typically involve an employee copying data from an office workstation, agrees James Knight, owner of New York-based Beta Unlimited, which provides Mac-based forensics. “External hacks wouldn't log in to a file server to copy files, but get at the files through some sort of security hole.” For clients looking to protect sensitive data, Knight writes “a script to alert when multiple files are opened from one IP address in quick succession, which usually indicates a copy is happening.”
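Knight's own script is not reproduced in the article. The following is an added example, not code from the author or from Beta Unlimited, implementing the heuristic he describes: a sliding window per source IP that alerts when a threshold of distinct files is opened within a few seconds. The log format, the threshold and the window are assumptions, and the log lines are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-server access log in an assumed format:
# ISO timestamp, source IP, action, file path.
# 10.0.0.15 opens five distinct files in three seconds at 2 a.m. (a bulk copy);
# 10.0.0.22 opens three files over 90 minutes (normal use);
# 10.0.0.31 re-opens the same file three times (not a copy of many files).
SAMPLE_LOG = """\
2015-06-01T02:13:04 10.0.0.15 OPEN /finance/q1/forecast.xlsx
2015-06-01T02:13:05 10.0.0.15 OPEN /finance/q1/budget.xlsx
2015-06-01T02:13:05 10.0.0.15 OPEN /finance/q1/payroll.xlsx
2015-06-01T02:13:06 10.0.0.15 OPEN /finance/q1/vendors.xlsx
2015-06-01T02:13:07 10.0.0.15 OPEN /finance/q1/contracts.pdf
2015-06-01T09:00:00 10.0.0.22 OPEN /hr/handbook.pdf
2015-06-01T09:45:00 10.0.0.22 OPEN /hr/holidays.pdf
2015-06-01T10:30:00 10.0.0.22 OPEN /hr/benefits.pdf
2015-06-01T14:00:00 10.0.0.31 OPEN /shared/readme.txt
2015-06-01T14:00:01 10.0.0.31 OPEN /shared/readme.txt
2015-06-01T14:00:02 10.0.0.31 OPEN /shared/readme.txt
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, action, path)."""
    ts, ip, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), ip, action, path

def detect_bulk_copies(log_text, threshold=5, window_seconds=10):
    """Return one (ip, first_ts, last_ts, distinct_files) alert per source IP
    that opened at least `threshold` distinct files within `window_seconds`.
    Counting distinct paths keeps a user re-reading one file from alerting."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> (ts, path) events inside the window
    alerted = set()               # alert once per IP, not on every event
    alerts = []
    for line in log_text.splitlines():
        ts, ip, action, path = parse_line(line)
        if action != "OPEN":
            continue
        q = recent[ip]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, q[0][0], ts, len(distinct)))
    return alerts
```

The same per-source sliding-window counter, fed DNS query logs instead of file opens, gives the kind of signal Coleman describes above: a workstation issuing an unusual volume of DNS queries in the middle of the night.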

Vulnerability treadmill

Poor asset management is usually at the core of most IT security incidents, points out Ron Gula, CEO & CTO of Tenable Network Security, a Columbia, Md.-based provider of continuous network monitoring to identify vulnerabilities.

“If you don't have knowledge of what's on your network, how can you possibly manage it? You won't be able to detect intruders,” Gula warns.

A byproduct of the recent deluge of breaches is that some organizations are “unfortunately doubling down on maybe ineffective practices – just buying security defensive products,” Gula says. They are stuck on a “vulnerability treadmill”: a periodic security audit produces a big report of vulnerabilities, they work hard to clear it, and the count see-saws up and down without ever improving. Such companies typically do not patch effectively on a continual basis.

“They're grabbing the wrong metrics,” he notes, adding organizations should be counting the number of computers that are not being managed or missing a certain vendor's patches. 

The whole business – from top to bottom – must be aligned and scrutinized. How it makes money, engages and supports new and existing customers must be examined by analyzing the collection, storage and management of CRM and ERP data, Gula adds. 

Sol Cates, CSO of Vormetric, a San Jose, Calif.-based provider of data security solutions, agrees and urges all organizations to ask: “Do I have appropriate monitoring controls and procedures across every step throughout the organization to help minimize the impact of an event?”

Knowing the whereabouts and number of copies of all data is critical, points out Cates. He advocates encryption, which received “a bad rap because it was a nightmare to manage.” Key management and access control issues are now easily overcome by technical solutions, Cates says.

Cloud providers aren't necessarily a weak link. “If you're going to put your data in somebody else's house, then protect their house [with encryption],” Cates advises. “Quite often the service provider is better at security than you. But you want to keep the key just in case they're compromised.”

Another preventive measure is limiting the privileges administrators hold. Hackers can't steal what a compromised administrator doesn't have privilege to access, Cates notes.

And when assessing vulnerabilities, don't rely on technology alone, Coleman points out. “Organizations have to get their staff really dedicated to actively hunt for anomalies for things that aren't right,” he says. “Humans need to question information flows, asking such questions as: Who is the organization talking to in the public internet? Should this transaction happen? Does this really make sense?”

For his part, Fredriksen advocates a balanced, proactive approach. “Security professionals can't do it all themselves,” he says. It takes a holistic mix of people, process, and technology to “effectively protect that information.”

Aside from technical actions, Cates advises that – before a breach – organizations proactively align themselves with experienced outside counsel that has previously waded through the legal aspects of a breach. “They already have the expertise from other clients. Counsel can be an enabler in getting your response team together.”

It is very hard for organizations to recover their reputation following a breach. The brand almost always suffers damage, not only in the eyes of customers but also of business partners. “Reputational cost is difficult to measure, and because it isn't measurable insurance won't cover it,” notes Ponemon, admitting that what's missing from his firm's cost-of-breach analysis model is “long-term reputational effect.” He believes a landmark judicial award in a class-action suit resulting from a data breach is likely to occur soon and will determine an organization's exposure.


Health care: Unexpected breaches 

Just because an organization is compliant with regulations doesn't necessarily mean it is secure. Just ask Anthem and Premera Blue Cross.

Larry Ponemon, chairman and founder of the Ponemon Institute, believes that even though Anthem had a strong security posture, it still couldn't stop a recent breach. “No one would have expected that the records could have been exposed,” he says.

Chris Coleman, CEO of Lookingglass, an Arlington, Va.-based cyber threat intelligence management firm, points out that while health care historically has invested in IT security, it didn't believe it could be a major target. “Obviously that's changed over the past year.”

He thinks that a sector like health care might have assumed that as long as it was compliant with HIPAA, it was safe. “The problem with that is that it narrowly focuses an organization to become checkbox compliant.”
