<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>cyber crisis - RiskInsight</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/tag/cyber-crisis/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/en/tag/cyber-crisis/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Thu, 02 Jan 2020 14:19:04 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>cyber crisis - RiskInsight</title>
	<link>https://www.riskinsight-wavestone.com/en/tag/cyber-crisis/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Preparing for a Cyber Crisis</title>
		<link>https://www.riskinsight-wavestone.com/en/2019/06/preparing-for-a-cyber-crisis/</link>
		
		<dc:creator><![CDATA[Nick Prescot]]></dc:creator>
		<pubDate>Thu, 13 Jun 2019 08:21:12 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Ethical Hacking & Incident Response]]></category>
		<category><![CDATA[c-level]]></category>
		<category><![CDATA[crisis management]]></category>
		<category><![CDATA[cyber crisis]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[préparation]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=11911</guid>

					<description><![CDATA[<p>The number of cyber-attacks is increasing at an unprecedented rate with no two being the same. We sat down with Nick Prescot (Senior Manager, UK Cybersecurity practice) to discuss cyber crisis management and some key considerations to help C-level executives prepare for...</p>
<p>The post <a href="https://www.riskinsight-wavestone.com/en/2019/06/preparing-for-a-cyber-crisis/">Preparing for a Cyber Crisis</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="uncode_text_column">
<div class="wavestone-intro"><em>The number of cyber-attacks is increasing at an unprecedented rate with no two being the same. We sat down with Nick Prescot (Senior Manager, UK Cybersecurity practice) to discuss cyber crisis management and some key considerations to help C-level executives prepare for a cyber-attack.</em></div>
</div>
<div class="uncode_text_column"></div>
<div>
<h2>What do we mean by Cyber Crisis Management?</h2>
<p>Cyber crisis management encompasses 3 key areas:</p>
<ol>
<li>Firstly, there is the <strong>cyber resilience</strong> side of things. You can liken this to an elastic band – how far it stretches is representative of how much a business can take away from its day-to-day operations in the face of a cyber-attack, how much redundancy is in place and how many layers of triage exist. High-availability businesses with a strong resilience strategy, for example, may be able to deal with 1-2 incidents at the same time before operations are compromised.</li>
<li>Secondly, you’ve got the actual <strong>cyber response</strong> element. This is about the ability to detect and respond to the cyber-attack as quickly and effectively as possible. Well-established cyber playbooks covering a variety of incidents and scenarios will allow you to detect, react and respond accordingly. They will help answer key questions such as: <em>how do you detect the bad guys actually getting in?</em> … <em>and what do you do once they’re in?</em></li>
<li>Finally, there’s <strong>cyber recovery</strong>. This occurs post-crisis and looks at how a business returns its IT estate to BAU operations. Cyber recovery is all about having a strategy to rebuild on the assumption that everything has gone (e.g. ‘earth-scorched’ scenario). For example, some organisations have pre-stored copies of critical information in a secure vault to allow them to rebuild and restore as necessary.</li>
</ol>
</div>
<figure id="post-11913 media-11913" class="align-none"><img fetchpriority="high" decoding="async" class="aligncenter wp-image-11913 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/06/3-Cyber-Crisis-Elements-768x169.jpg" alt="" width="768" height="169" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/06/3-Cyber-Crisis-Elements-768x169.jpg 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/06/3-Cyber-Crisis-Elements-768x169-437x96.jpg 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/06/3-Cyber-Crisis-Elements-768x169-71x16.jpg 71w" sizes="(max-width: 768px) 100vw, 768px" /></figure>
<div class="vc_custom_1557450197979 row-container" data-parent="true" data-section="1">
<div class="row single-top-padding no-bottom-padding single-h-padding limit-width row-parent" data-imgready="true">
<div class="row-inner">
<div class="pos-top pos-center align_left column_parent col-lg-12 single-internal-gutter">
<div class="uncol style-light">
<div class="uncoltable">
<div class="uncell no-block-padding">
<div class="uncont">
<div class="uncode_text_column vc_custom_1557444574319">
<h2>How can C-level executives understand and make sure they’re prepared for those attacks?</h2>
<p>Simply, <strong>prepare for the worst</strong>; not too distant from that saying in the military of…<em>train hard and fight easy</em>. A key message for top management in any organisation is that an effective response starts way before the attack might occur. Have those crisis management plans in place, <strong>test, refine and test again</strong>. Know likely attack-scenarios and build flexibility into your plans to ensure that they are not too dogmatic in their application and still allow you to respond to the real-time threat.</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="row-container" data-parent="true" data-section="2">
<div class="row single-top-padding single-bottom-padding penta-h-padding limit-width row-parent" data-imgready="true">
<div class="row-inner">
<div class="pos-top pos-center align_left column_parent col-lg-12 single-internal-gutter">
<div class="uncol style-light">
<div class="uncoltable">
<div class="uncell no-block-padding">
<div class="uncont">
<div class="uncode_text_column">
<blockquote><p><em>C-level executives need to have a pragmatic and robust security posture, making sure that they practice table-top exercises and run red-team tests on a routine basis.</em></p></blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="row-container" data-parent="true" data-section="3">
<div class="row no-top-padding no-bottom-padding single-h-padding limit-width row-parent" data-height-ratio="3" data-imgready="true">
<div class="row-inner">
<div class="pos-top pos-center align_left column_parent col-lg-12 single-internal-gutter">
<div class="uncol style-light">
<div class="uncoltable">
<div class="uncell no-block-padding">
<div class="uncont">
<div class="uncode_text_column">
<p>We’ve found that the real effectiveness of running simulation exercises comes when you <strong>mix the cyber</strong> and <strong>the real world</strong> together. For example, previously we’ve helped a global insurer understand what they might do if the crisis team’s situation room was suddenly unavailable due to a terrorist attack <em>(… an extreme example of course).</em></p>
<p>On a similar note, top management must prepare for the <strong><em>‘n+1’</em> type scenarios</strong>. For example, many crisis response plans assume there is still email access, but what if this has been knocked out as part of the cyber-attack? In this situation, one solution may be to use a predefined WhatsApp network to call, message and share information. I’ve even worked with a couple of companies who have their <strong>business continuity plans on WhatsApp</strong>.</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="row-container" data-parent="true" data-section="4">
<div class="row single-top-padding no-bottom-padding single-h-padding limit-width row-parent" data-imgready="true">
<div class="row-inner">
<div class="pos-top pos-center align_left column_parent col-lg-12 single-internal-gutter">
<div class="uncol style-light">
<div class="uncoltable">
<div class="uncell no-block-padding">
<div class="uncont">
<div class="uncode_text_column">
<p>Additionally, C-level executives need to take a pragmatic look at <strong>what information they’re really looking to protect</strong>; is it financial, personal, employee-related? Notably, for an increasing number of organisations, their operations are not dependent on the bricks and mortar of the office but on making sure that there is <strong>availability</strong> and <strong>flow of information</strong>; e.g. moving infrastructure to the cloud and improving their digital workplace can help run the business remotely.</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="row-container" data-parent="true" data-section="5">
<div class="row single-top-padding single-bottom-padding penta-h-padding limit-width row-parent" data-imgready="true">
<div class="row-inner">
<div class="pos-top pos-center align_left column_parent col-lg-12 single-internal-gutter">
<div class="uncol style-light">
<div class="uncoltable">
<div class="uncell no-block-padding">
<div class="uncont">
<div class="uncode_text_column">
<blockquote><p><em>What critical information can your business not function without? I think a lot of companies, from a crisis management perspective, never really answer that question unfortunately.</em></p></blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="row-container" data-parent="true" data-section="6">
<div class="row no-top-padding no-bottom-padding single-h-padding limit-width row-parent" data-imgready="true">
<div class="row-inner">
<div class="pos-top pos-center align_left column_parent col-lg-12 single-internal-gutter">
<div class="uncol style-light">
<div class="uncoltable">
<div class="uncell no-block-padding">
<div class="uncont">
<div class="uncode_text_column">
<p>Given their high positions within organisations, C-level executives will likely come under scrutiny for their <strong>external response</strong>. This is important in the fast-paced world of <strong>social media</strong>, in which hackers will socialise the attack before they do. For example, with the 2017 <strong>Equifax breach</strong>, their communications were delayed <em>(breach discovered on July 29<sup>th</sup> but wasn’t publicly announced until September 7<sup>th</sup>)</em>, often confused at times <em>(some information about the severity of the attack muddling previous versions)</em>, and their apology lacked customer empathy <em>(more corporate than sincere).</em> Here, you can see how imperative it is to have a <strong>robust crisis communications strategy</strong> as the way senior management respond and react publicly will be <strong>scrutinised</strong> to the n<sup>th</sup> degree; it should be <strong>transparent, consistent and accurate.</strong></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="row-container" data-parent="true" data-section="7">
<div class="row limit-width row-parent" data-imgready="true">
<div class="row-inner">
<div class="pos-top pos-center align_left column_parent col-lg-12 single-internal-gutter">
<div class="uncol style-light">
<div class="uncoltable">
<div class="uncell no-block-padding">
<div class="uncont">
<div class="uncode_text_column">
<p><em>Although there are many different crisis management strategies out there, the key takeaway for top management is that rigorous preparation, testing and refinement of your cyber crisis management capability will go a long way when the time comes to use it for real.</em></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p>The post <a href="https://www.riskinsight-wavestone.com/en/2019/06/preparing-for-a-cyber-crisis/">Preparing for a Cyber Crisis</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cyber-resilience: bend without breaking (2/2)</title>
		<link>https://www.riskinsight-wavestone.com/en/2017/10/cyber-resilience-bend-without-breaking-22/</link>
		
		<dc:creator><![CDATA[Gérôme Billois]]></dc:creator>
		<pubDate>Mon, 30 Oct 2017 11:43:42 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[cyber crisis]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[cyberresilience]]></category>
		<category><![CDATA[IS compromission]]></category>
		<category><![CDATA[Notpetya]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Vulnerabilities]]></category>
		<category><![CDATA[Wannacry]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=10168/</guid>

					<description><![CDATA[<p>The first article was about vulnerabilities in Business Continuity Plans (BCP) and an overview on recent major cyber attacks that paralyzed a significant amount of an Information System (IS). This second article introduces some leads and means to improve cyber-resilience...</p>
<p>The post <a href="https://www.riskinsight-wavestone.com/en/2017/10/cyber-resilience-bend-without-breaking-22/">Cyber-resilience: bend without breaking (2/2)</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>The <a href="https://www.riskinsight-wavestone.com/en/2017/10/cyber-resilience-bend-without-breaking-12/">first article</a> was about vulnerabilities in Business Continuity Plans (BCP) and an overview on recent major cyber attacks that paralyzed a significant amount of an Information System (IS). This second article introduces some leads and means to improve cyber-resilience strategy.<br />
</em></p>
<h2>Strengthening crisis management</h2>
<p>Cyber crises are specific: they are often long (several weeks) and sometimes difficult to grasp (what has the attacker been able to do? For how long? What is the impact?). Often, affected external parties such as lawyers, authorities, suppliers, and sometimes even clients themselves are not well-prepared on the subject matter. Thus, it is necessary to adjust existing plans that have not been designed to cater to the cyber threat aspects.</p>
<p>Even if they are an operational player in cyber crisis management, the CIO should not be over-utilized in either the investigation or the defense measures if it is detrimental to overall production and recovery. Anticipation of these kinds of measures is vital to the recovery effort. It is necessary to clearly identify the teams which need to be mobilized to respond to the crisis in a timely manner, and to organize the parallel interventions on both the investigation and the construction of the defense plan.</p>
<p>Beyond the organizational point of view, the CIO will have to ensure that they also have the investigation tools (mapping, search for attack signatures, independent crisis management IS, capability to analyze unknown malware, etc.), remediation tools (capabilities to rapidly deploy technical corrections, fragmentation of the IS to save what could be saved, IS surveillance toolkit) and reconstruction tools (access to backups, access to minimal documentation, capabilities to deploy workstations) required to understand the position the attacker took in the IS, to repel it and to ensure it doesn’t return.</p>
<p>Writing a crisis management guide that defines the essential steps, the macro-level responsibilities, and the key decision points can be done as an added bonus. With that, it is essential to conduct crisis exercises to ensure readiness for when one actually occurs.</p>
<p>Here is a functional integrity control chain:</p>
<figure id="post-10171 media-10171" class="align-center"><img decoding="async" class="aligncenter size-full wp-image-10171" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/11/Image-3-article-cyber-resilience.png" alt="" width="955" height="419" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/11/Image-3-article-cyber-resilience.png 955w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/11/Image-3-article-cyber-resilience-435x191.png 435w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/11/Image-3-article-cyber-resilience-768x337.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/11/Image-3-article-cyber-resilience-71x31.png 71w" sizes="(max-width: 955px) 100vw, 955px" /></figure>
<h2>Rethinking continuity plans</h2>
<p>Continuity plans have to evolve to adapt to cyberthreats. Sometimes, this means they may have to be completely rebuilt.</p>
<p>There are many possible solutions that can cover all types of continuity plans.</p>
<p>The user recovery plan, for example, can evolve to integrate USB keys containing an alternative system which could be used in case of logical destruction of employee workstations. Some organizations have also decided to provision an allotted number of workstations directly with their suppliers to have them delivered quickly in case of physical destruction.</p>
<p>The IT continuity plan, on the other hand, can include new solutions which could be efficient in the event of a cyberattack. The most publicized one aims to build “non-similar facilities” by duplicating an application without using the same software, operating system, or production teams. It is an extreme solution, very costly and difficult to maintain, but one that is considered for specific, critical applications in the financial industry &#8211; most notably, payment system infrastructure.</p>
<p>Other less complex solutions such as adding functional integrity control in the business process have also been considered. The concept relies on the implementation of regular controls, at various levels and at different places within the application chain (“multi-level controls”). This enables quick detection of attacks. An alert could be raised in case of an interaction with technical layers, such as a modification of a value directly inside a database, without passing through regular business workflows (via graphical interfaces), for example. In another case, these mechanisms can also be applied to infrastructure systems by reconciling admin account creation request tickets with the number of accounts really in the system.</p>
<p>As a solution of intermediate complexity, it is possible to implement a “floodgate”, that is, a system and network isolation zone. This floodgate – for example, for the industrial IS – can be activated in the event of an attack and could isolate the most sensitive systems from the rest of the IS.</p>
<p>These, often major, evolutions must be part of an existing recovery strategy review so that one can assess their vulnerability and the interest of deploying new cyber-resilience solutions, particularly on the most critical systems. The evolution of Business Impact Analysis (BIA) to include this dimension can be a key first step.</p>
<figure id="post-10174 media-10174" class="align-center"><img decoding="async" class="aligncenter size-full wp-image-10174" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/11/Image-4-article-cyber-resilience.png" alt="" width="1113" height="533" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/11/Image-4-article-cyber-resilience.png 1113w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/11/Image-4-article-cyber-resilience-399x191.png 399w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/11/Image-4-article-cyber-resilience-768x368.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/11/Image-4-article-cyber-resilience-71x34.png 71w" sizes="(max-width: 1113px) 100vw, 1113px" /></figure>
<h2>Without cybersecurity, cyber-resilience is nothing</h2>
<p>Implementing these new cyber-resilience measures requires significant efforts. Note that these efforts can be wasted if both these recovery solutions and the regular systems are not already appropriately secured and under detailed surveillance. The CISO is the key player to ensure that these often started but rarely finalized initiatives come to fruition. Help from the Risk Manager (RM), or the Business Continuity Manager (BCM) if such a position is in place, will be valuable. It is widely acknowledged today that it is impossible to secure a system 100%, which means that organizations have to accept the inevitability of an attack occurring, at which moment the RM or the BCM will make full use of their role.</p>
<p>Protect, detect, respond, remediate, and rebuild. These are the pillars of a strong cyber-resilience program which can only be attained if the BCM and the CISO roles combine their full range of capabilities and work hard, hand-in-hand!</p>
<p>The post <a href="https://www.riskinsight-wavestone.com/en/2017/10/cyber-resilience-bend-without-breaking-22/">Cyber-resilience: bend without breaking (2/2)</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cyber-resilience: bend without breaking (1/2)</title>
		<link>https://www.riskinsight-wavestone.com/en/2017/10/cyber-resilience-bend-without-breaking-12/</link>
		
		<dc:creator><![CDATA[Gérôme Billois]]></dc:creator>
		<pubDate>Mon, 30 Oct 2017 10:52:00 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[cyber crisis]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[cyberresilience]]></category>
		<category><![CDATA[IS compromission]]></category>
		<category><![CDATA[Notpetya]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Vulnerabilities]]></category>
		<category><![CDATA[Wannacry]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=10148/</guid>

					<description><![CDATA[<p>Successive cyber attacks, Wannacry and NotPetya, have highlighted the limits of current resilience and business continuity plans, as well as the full capacity of cyberthreats to cripple Information Systems. The affected organizations paid a high price. What can we learn?...</p>
<p>The post <a href="https://www.riskinsight-wavestone.com/en/2017/10/cyber-resilience-bend-without-breaking-12/">Cyber-resilience: bend without breaking (1/2)</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p style="text-align: left;"><em>Successive cyber attacks, Wannacry and NotPetya, have highlighted the limits of current resilience and business continuity plans, as well as the full capacity of cyberthreats to cripple Information Systems. The affected organizations paid a high price. What can we learn? What actions can we take to prepare for major cyberattacks? How can we ensure cyber-resilience?<br />
</em></p>
<p style="text-align: left;">When confronted with a major cyber attack, whether destructive or leading to a loss of trust in vital systems, the first reaction of a majority of companies is to activate their business continuity plan (BCP). This strategic element of resiliency is enacted to ensure the organization’s survival against disasters whose magnitude causes computing resources, communication infrastructures, buildings, and possibly even users to be unavailable.</p>
<p style="text-align: left;">Yet major cyber attacks have not been taken into account when developing most BCPs, even though they can be as destructive in scale as either Wannacry or NotPetya, or, more often, lead to a loss of trust in the basic components of the infrastructure (network, access control, inventory, etc.). By focusing on an availability agenda, organizations fail to address the issue arising from the simultaneous destruction of, or the loss of confidence in, the Information System (IS) caused by cyber attacks.</p>
<p style="text-align: left;">Moreover, these IS continuity plans are frequently intimately linked to the resources they protect and are equally affected by the attacks. For over a decade, continuity processes (either user fallback or IT recovery) have adopted principles of infrastructure pooling and “hot” recovery to cope with both rapid business recovery and the need for better operability.</p>
<p style="text-align: left;">In effect, this “proximity” between the regular IS and its recovery counterpart makes continuity plans vulnerable to cyber attacks.</p>
<h2>What vulnerabilities in business continuity systems?</h2>
<p style="text-align: left;">As an example, various dedicated and connected recovery stations of fallback sites were contaminated by NotPetya and were useless for the remediation.</p>
<p style="text-align: left;">Legacy “cold” recovery/emergency plans (often consisting of activating a recovery system in case of incident) concern fewer and fewer applications, and the remaining ones are often secondary.</p>
<p style="text-align: left;">Unfortunately, when dealing with a deep compromise of systems, backups often carry malevolent elements such as malware, base camps, or modifications meticulously made by attackers beforehand, because intrusions go undetected for long periods of time (detection often happens hundreds of days following the initial infection). Not to mention that the continuity of the backup systems themselves is often neglected. During the management of the NotPetya crisis, the backup management servers were also destroyed. Restoring them took several days, due to their complexity and nested nature within the information system; an Active Directory was necessary to launch the restorations while the Active Directory backup was a prerequisite to rebuild it.</p>
<p style="text-align: left;">The same findings hold for industrial IS. Industrial digital systems are resilient against technical breakdowns or anticipated mechanical incidents. However, they were rarely designed with human malice in mind and as a result often lack advanced security systems. To compound this, industrial IS have lifecycles of several decades, which exposes them to old vulnerabilities. Finally, the independence of control channels from the digital systems which they oversee is not always implemented.</p>
<figure id="post-10151 media-10151" class="align-center"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-10151" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/10/images-1-cyber-resilience.png" alt="" width="1447" height="680" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/10/images-1-cyber-resilience.png 1447w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/10/images-1-cyber-resilience-406x191.png 406w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/10/images-1-cyber-resilience-768x361.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/10/images-1-cyber-resilience-71x33.png 71w" sizes="auto, (max-width: 1447px) 100vw, 1447px" /></figure>
<h2>Two illustrated major attack scenarios</h2>
<h3>Logical destruction or the unavailability of a large chunk of an Information System</h3>
<p>This scenario was made real by attacks from the “true-false” ransomware Wannacry and NotPetya. This type of attack causes mass unavailability of services due to the encryption of data files and/or the operating system. The companies affected by this attack (Merck, Maersk, Saint Gobain, Fedex&#8230; as well as Sony Pictures and Saudi Aramco) lost up to 95% of their Information Systems (tens of thousands of computers and servers) in a timeframe that often lasts less than an hour. At the start of such a crisis, the situation is highly difficult since there is no longer any means of communication or exchange mechanism within the affected company, including ISD. Victims have outlined losses of several hundred million euros following these attacks.</p>
<h3>A compromise and loss of confidence in Information Systems</h3>
<p>This scenario concerns a targeted attack that does not challenge the proper functioning of the system. Rather, it aims to give attackers access to all of the company&#8217;s information systems (email and messaging, files, business applications, etc.), allowing them to steal the identity of any employee and carry out actions in their name. The attackers may then extract any type of data or carry out business actions which require several successive validations. These attacks affected a large number of companies across all sectors, incurring massive fraud as a result, including the Bank of Bangladesh. These attacks also led to the theft of financial and payment data, as was the case for several distribution groups in the United States including Target and Home Depot. The situation at the start of the crisis is complex since there is no confidence in the Information System and there is considerable uncertainty about what the attacker could do and their motives. It involves quietly investigating until being able to remove the attacker and rebuild a secure system. Victims affected by these attacks have also reported financial impacts worth several hundred million euros.</p>
<figure id="post-10157 media-10157" class="align-center"><img loading="lazy" decoding="async" class="wp-image-10160 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/10/images-2-cyber-resilience-1.png" alt="" width="266" height="336" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/10/images-2-cyber-resilience-1.png 435w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/10/images-2-cyber-resilience-1-151x191.png 151w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/10/images-2-cyber-resilience-1-31x39.png 31w" sizes="auto, (max-width: 266px) 100vw, 266px" /></figure>
<p>The post <a href="https://www.riskinsight-wavestone.com/en/2017/10/cyber-resilience-bend-without-breaking-12/">Cyber-resilience: bend without breaking (1/2)</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
