Planning in an attack-ridden landscape: Continuity planning

With apologies to English songwriters Anthony Newley and Leslie Bricusse, it's a new dawn, a new breach…

Considering the current climate, are organizations changing the way they do business: assessing their vulnerabilities, taking stock of and protecting the crown jewels, and preparing so that if the network does get breached, damage will be minimized and operations will not be crippled indefinitely?

Well, some appear to be doing so. The onslaught of cyberattacks has caught the attention of the C-suite in all sectors, alerting them to the importance of warding off potential threats.

Staffing and investment levels for state-of-the-art IT security planning are slowly rising, and not a minute too soon, concur IT security experts.

“It's a pattern that we're brought in almost always after there's a problem, rather than before,” says Larry Ponemon, chairman and founder of the Ponemon Institute, a Traverse City, Mich.-based research think tank dedicated to advancing privacy and data protection practices. “The problem at least gets them to think more seriously about the issue. Board members start to worry that [the event] will damage their legacy or they might have personal liability.” 

Continuity planning

Sol Cates, CSO, Vormetric 

Chris Coleman, CEO, Lookingglass 

Gene Fredriksen, CISO, PSCU 

Ron Gula, CEO and CTO, Tenable Network Security 

James Knight, CEO, Beta Unlimited 

Larry Ponemon, chairman, Ponemon Institute 

Raj Samani, CTO, EMEA, McAfee/Intel Security 

Tom Smith, VP, Gemalto

A sea change is occurring that alters perspectives on who is accountable, with a dawning recognition that risk falls on the board and the business, not just the security team and the CISO, agrees Raj Samani, London-based VP and CTO at McAfee EMEA, part of Intel Security.

Samani points out that a board will recognize the future ROI benefit in beefing up security when alerted to the potential of a three to five percent sales decline following a data breach. 

Further, marketing, PR, legal and all other departments need to be involved in breach response to ensure business continuity, which should be laid out in an existing crisis plan that anticipates unwanted eventualities. 

“The awareness level has gone way up,” says Tom Smith, VP of business development and strategy at Gemalto. A 2015 report on cybersecurity from the global digital security company found that 89 percent of IT pros surveyed reported “some impact from recent security breaches,” of which approximately half raised concerns, while 40 percent were actually re-evaluating or changing policies.

As a best practice, predictive models should be deployed, says Gene Fredriksen, CISO for PSCU, a Saint Petersburg, Fla.-based provider of PCI transaction clearance for more than 800 credit unions. “Rather than running around with your pants on fire playing Whack-A-Mole, [you] at least have an idea on what your emphasis should be.” Too often organizations just focus on warding off inbound attacks, Fredriksen says, “getting only half the picture.” Potential inside threats within your infrastructure must be vigilantly monitored. For example, an unauthorized connection from a company computer to a command-and-control server in China is a pretty huge red flag that the machine needs to be shut down. “Once you understand where the bad guys are coming from, you can start to be proactive,” he says.

Monitoring a company's computers is not about “Why is Wayne spending so much time on Facebook? It's why is Wayne's computer always transferring all this data over DNS and returning all these DNS query responses in the middle of the night?” points out Chris Coleman, CEO of Lookingglass, an Arlington, Va.-based cyber threat intelligence management firm.
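The kind of check Coleman describes, flagging a workstation that moves unusual volumes of DNS traffic in the middle of the night, can be reduced to a simple per-host, per-hour count over resolver logs. The script below is an added example and is not Lookingglass's tooling or anything from the article; the log format, the quiet-hours window, the thresholds and the hostnames are all assumptions, and the sample log lines are constructed.

```python
"""Flag hosts whose off-hours DNS traffic looks like bulk data transfer.

Added illustration, not the article's code. Assumptions: resolver log lines
of the form "<ISO timestamp> <client_ip> <query_name>", a quiet-hours window
of 00:00-05:59, and thresholds chosen only to make the sample trigger.
"""
import hashlib
from collections import defaultdict
from datetime import datetime

QUIET_HOURS = range(0, 6)    # assumption: 00:00-05:59 counts as off-hours
QUERY_THRESHOLD = 20         # assumption: queries per host per hour worth a look
LABEL_LEN_THRESHOLD = 24     # assumption: leftmost labels this long look encoded


def _build_sample_log():
    """Constructed sample: one host bursting long hex labels at 02:13, plus
    a few ordinary lookups during the day and one at night."""
    lines = []
    for i in range(25):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"2015-06-02T02:13:{i:02d} 10.1.4.22 {label}.tunnel.example.net")
    lines += [
        "2015-06-02T02:14:00 10.1.4.37 www.example.com",
        "2015-06-02T09:15:00 10.1.4.22 mail.example.com",
        "2015-06-02T09:15:30 10.1.4.37 cdn.example.org",
    ]
    return "\n".join(lines)


SAMPLE_DNS_LOG = _build_sample_log()


def parse_line(line):
    """Split one constructed log line into (timestamp, client_ip, query_name)."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname


def dns_anomalies(log_text, quiet_hours=QUIET_HOURS,
                  query_threshold=QUERY_THRESHOLD, label_len=LABEL_LEN_THRESHOLD):
    """Return one alert per (client, hour) bucket inside quiet hours whose
    query count passes the threshold and where most queries carry a long,
    encoded-looking leftmost label."""
    buckets = defaultdict(lambda: {"queries": 0, "long_labels": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        if ts.hour not in quiet_hours:
            continue
        bucket = buckets[(client, ts.strftime("%Y-%m-%dT%H"))]
        bucket["queries"] += 1
        if len(qname.split(".")[0]) >= label_len:
            bucket["long_labels"] += 1

    alerts = []
    for (client, hour), b in sorted(buckets.items()):
        if b["queries"] >= query_threshold and b["long_labels"] / b["queries"] > 0.5:
            alerts.append({"client": client, "hour": hour, **b})
    return alerts


if __name__ == "__main__":
    for alert in dns_anomalies(SAMPLE_DNS_LOG):
        print(alert)
```

Two signals are combined on purpose: raw query volume alone would also flag a busy but legitimate backup host, while long leftmost labels alone would flag a single CDN lookup. A real deployment would set the thresholds from a baseline of each host's normal night-time behaviour rather than from fixed constants.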

Inside breaches typically involve an employee copying data from an office workstation, agrees James Knight, owner of New York-based company Beta Unlimited, which provides Mac-based forensics. “External hacks wouldn't log in to a file server to copy files, but get at the files through some sort of security hole.” For clients looking to protect sensitive data, Knight writes “a script to alert when multiple files are opened from one IP address in quick succession, which usually indicates a copy is happening.”
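Knight's alert rule, many distinct files opened from a single IP address within a short window, is easy to implement as a sliding window over a file-server access log. The script below is an added example written for this page; it is not Knight's script, and the log format, the ten-second window, the eight-file threshold and the IP addresses are assumptions, with the sample audit lines constructed.

```python
"""Alert when one client IP opens many distinct files in quick succession.

Added illustration, not the article's code. Assumptions: audit lines of the
form "<ISO timestamp> <client_ip> <ACTION> <path>", a 10-second window and a
threshold of 8 distinct files, chosen only so the constructed sample triggers.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumption: how close "quick succession" is
THRESHOLD = 8                     # assumption: distinct files inside one window

# Constructed sample: 10.1.4.22 sweeps ten documents one second apart while
# 10.1.4.37 opens three files spread over a minute of ordinary work.
SAMPLE_AUDIT_LOG = [
    "2015-06-02T14:00:00 10.1.4.22 OPEN /share/finance/q1 report.xlsx",
    "2015-06-02T14:00:01 10.1.4.22 OPEN /share/finance/q2 report.xlsx",
    "2015-06-02T14:00:02 10.1.4.37 OPEN /share/hr/handbook.pdf",
    "2015-06-02T14:00:02 10.1.4.22 OPEN /share/finance/budget.xlsx",
    "2015-06-02T14:00:03 10.1.4.22 OPEN /share/finance/forecast.xlsx",
    "2015-06-02T14:00:04 10.1.4.22 OPEN /share/legal/contracts.zip",
    "2015-06-02T14:00:05 10.1.4.22 OPEN /share/legal/nda-template.docx",
    "2015-06-02T14:00:06 10.1.4.22 OPEN /share/eng/roadmap.pptx",
    "2015-06-02T14:00:07 10.1.4.22 OPEN /share/eng/design-notes.md",
    "2015-06-02T14:00:08 10.1.4.22 OPEN /share/eng/customer-list.csv",
    "2015-06-02T14:00:09 10.1.4.22 OPEN /share/eng/pricing.xlsx",
    "2015-06-02T14:00:30 10.1.4.37 OPEN /share/hr/holiday-calendar.ics",
    "2015-06-02T14:01:05 10.1.4.37 OPEN /share/hr/handbook.pdf",
]


def parse_audit_line(line):
    """Split one constructed audit line; maxsplit keeps spaces in the path."""
    ts, ip, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), ip, action, path


def detect_bulk_reads(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per client IP the first time that IP opens at least
    `threshold` distinct files within `window`. Lines are expected in time
    order, as an access log would normally be written."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, path) in window
    alerted = set()               # one alert per IP keeps the output readable
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, action, path = parse_audit_line(line)
        if action != "OPEN":
            continue
        opens = recent[ip]
        opens.append((ts, path))
        while opens and ts - opens[0][0] > window:   # drop events outside the window
            opens.popleft()
        distinct = {p for _, p in opens}
        if len(distinct) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "first": opens[0][0].isoformat(),
                "last": ts.isoformat(),
                "files": len(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_reads(SAMPLE_AUDIT_LOG):
        print(alert)
```

Counting distinct paths rather than raw open events matters: an application that reopens the same file repeatedly should not trip the rule, while a copy sweeping a directory tree does. Per-IP baselines (build servers and backup agents legitimately read many files) are the usual next refinement before this goes into production.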