At the end of June 2017, an image shocked the minds of the cyber security and business continuity world. An open space, filled with workstations, all displaying the same screen: the NotPetya ransomware message. Even today, 90% of the crises managed by Wavestone CERT are caused by ransomware [1]. How, then, is it possible to begin investigations, reconstruction or enable the business to continue working if all workstations stop functioning? What strategy should be developed to integrate the workstation component into continuity plans, which until now have mainly addressed it from the point of view of disasters affecting buildings? 

Define the needs 

To begin with, it’s important to define the cyber scenario you want to protect yourself against. Is it a “total blackout” scenario, where the entire IS is unavailable? Or a basic Windows ransomware scenario where some Windows servers and workstations are compromised, but network equipment and Linux bricks are still functioning?   

Next, and based on the scenarios selected, it is necessary to segment the populations according to their needs: it is not possible to provide for an infinite number of workstations in a given period, and you need to know where to allocate the first workstations that will be made available. For example, we can distinguish between business-critical teams, whose activity cannot be interrupted for more than 4 hours, and less critical business activities, for which activity can be interrupted for 3 days with acceptable impacts for the company in crisis mode. Similarly, the IT and Cyber teams to be mobilized in the very first hours of a crisis to conduct investigations and begin reconstruction.   

Another point to consider is the minimum business functionality required for the rebuilt workstations to be useful. Some business populations use thick clients on their workstations, which can be complex to install and maintain. Likewise, certain professions need to interact with third parties for their vital activities, via dedicated VPNs or an IP whitelist. It is therefore essential to clearly define how many people have these needs, and in what timeframe, to define the technical solutions that can be implemented.   

We won’t necessarily propose the same solution to IT investigation and reconstruction teams – who need access to the internal network – as to business teams, who may have degraded modes of operation outside the company’s information system (IS) for the first few days of a crisis.  

When all is said and done, we tend to distinguish two clearly differentiated phases in the strategy for providing workstations in the event of a ransomware crisis: 

• A first phase during the very first days of the crisis, for a limited population, which will generally rely on solutions with the least possible adherence to the nominal Information System, in order to ensure critical business activities;  
• A second phase when investigations have progressed, with a massive workstation rebuild using the company’s master workstation, which will have been hardened beforehand by drawing lessons from past investigations.  

Adapting the solution to your context  

Several parameters need to be taken into account when planning your workstation rebuild strategy. One solution may work for one company but be unsuitable for another.   

For example, numerous security and access control measures have been put in place in recent years concerning access to the internal workstation network. NAC (Network Access Control) is increasingly widespread, and in recent buildings, Ethernet sockets accessible to each desk are tending to disappear. Office 365 access is restricted via conditional access, and VPN (Virtual Private Network) gateway authentication is based on a certificate on the workstation. When all these constraints exist, a BYOD (Bring Your Own Device) strategy for the first few days of a crisis cannot be the answer – at least not on its own.   

Also, the way in which workstations are managed is a determining factor and does not necessarily mean that the same technical solutions can be implemented for reconstruction. Generally speaking, there are two main approaches:  

• One, a so-called “historical” approach, with fleet management solutions based on classic architecture such as Microsoft System Center Configuration Manager (SCCM), which is the most widespread solution today.   

• Alternatively, a more “modern” approach (i.e. Modern Management) with Cloud-based fleet management solutions such as Microsoft Intune, which has been gaining ground in recent years. 

Reconstruction methodology also needs to be anticipated. There are two possible methods: restoration and reinstallation. Restoration represents a return to a previous state of the environment (OS and/or applications and/or data) thanks to a backup. Reinstallation, as the name implies, means rebuilding the workstation from scratch, losing local documents.   

In the case of workstations, the number of documents stored locally is generally fewer and is therefore a less critical issue. Most documents are now stored on file servers (NAS or Sharepoint) for shared work, or in the user’s personal OneDrive. As a result, users will be more inclined to reinstall workstations from scratch, rather than take the risk of restoring the system to a previous state, where the ransomware may already have been present but not yet activated. Especially as recent ransomware attacks local restore points [2].   

Choosing the reconstruction methods best suited to your strategy 

There are several different ways of providing workstations, depending on the situation and the formalization of needs discussed above. Here is a list of the main solutions we have encountered in the field, and our opinion on the advantages and disadvantages of each solution. 

• Building up a stock of emergency PCs 

A method often applied in conventional emergency plans (for building/site loss scenarios), crisis PCs are placed in Ergotron-type containers, ready for use in the event of a disaster. They are connected to the local network via the Ergotron, and automatically receive updates. Another strategy may be to rely on IT departments’ rolling stock of workstations, or to keep decommissioned workstations as backup stock.  

Our opinion: While this approach is well-suited to resilience scenarios such as the loss of a building/site, it presents a risk in the face of ransomware, as these PCs would be compromised in the same way as others, since they would be accessible and visible on the local network. These PCs would then have to be managed “off-line”, requiring a higher level of MCO (maintenance in operational condition), since the PCs would have to be manually switched on and updated regularly. What’s more, having unused, dormant equipment raises the question of optimizing resources and carbon footprint. This solution should be considered for a restricted population with a very low acceptable downtime. In addition, for populations using thick clients, it is possible to save time by pre-installing them on these dormant workstations. 

• The use of unmanaged PCs, via BYOD (Bring Your Own Device) or the use of “consumer PCs” purchased in the event of a crisis  

This strategy is generally associated with a “Total IT Blackout” scenario, in which the entire information system is considered compromised, and work must be carried out without any link to it. In this case, unmanaged workstations are used, either personal or mobilized in the event of a crisis via a contract with a supplier.     

Our opinion: the functionalities of this solution are limited, as the workstation has no access to the company VPN, and if NAC is deployed, when visiting the site, the PC will not have access to internal resources that are still functional. It can, however, be considered in conjunction with crisis measures that have been planned in advance and will enable the PC’s functionality to be improved (emergency NAC shutdown; temporary modification of O365 Conditional Access with Internet access; storage of business-critical data in a crisis Vault outside the IS, so that work can continue). In most cases, this solution will be reserved mainly for the business community, and possibly for the IT staff in charge of rebuilding – by coupling it with a return-to-site strategy and a lifting of the NAC, enabling physical access to the internal network. This remains a solution that can be highly effective when well anticipated and combined with the crisis measures mentioned above. 

• Nominal existence of workstations under another OS 

In the event of an attack specifically targeting Windows environments (most encountered in the field), the affected computers can be replaced by the solution running on another OS.   

Our opinion: this solution implies an MCO (Maintaining Operational Conditions) of at least two technologies and does not guarantee that users who normally work under Windows will be able to work under Linux or MacOS (non-compatible thick clients, etc.). It is, however, an entirely feasible solution for very specific populations, such as investigation teams. These teams generally prefer to use specific distributions such as Kali Linux, and these are the people who need to have access to the IS in the first hours of a crisis. 

• Remastering workstations on benches   

In the event of a crisis, the teams go to the various sites with mastering benches with their compromised PCs to be remastered. Even in the largest companies, run remastering benches have limited rebuild capacity (a maximum of a few hundred workstations/day per site). To increase this capacity, additional crisis remastering benches can also be provided as part of a contract with an external supplier.   

Our opinion: the remastering method in nominal mode on a bench requires careful preparation to be effective in the event of a crisis, given the volume of substations to be rebuilt. A plan must be drawn up to organize the return of many people to the site at the same time (distribution by site, communication to users on time slots, etc.), based on the remastering capacity of the benches per physical site. 

• Remastering workstations via USB keys   

In the event of a crisis, USB sticks prepared in advance (or to be generated during the crisis using a predefined procedure) with a Windows OS image are used to reinstall a new OS on the machine. This can be a blank Windows OS, or a company-specific image.   

Our opinion: this is a tried-and-tested method for crisis situations, which can save a lot of time if it is anticipated. You need enough USB sticks, with a recent Windows OS image, and a method for quickly cloning the sticks. You also need to define a way of distributing these keys to users (either before the crisis – but this makes updating the keys more complex, and there is a risk of losing them – or during the crisis, by going to an IT kiosk, as with the benches). It is also necessary to be able to boot on external media. If this functionality is blocked in the BIOS, this method cannot work, or at least not without a procedure to lift this restriction. This method can be combined with the use of benches to maximize the number of workstations to be remastered in parallel on site (some of the PCs run on the benches, while others launch the process via USB key). Similarly, if the workstation bootstrap has been compromised, a USB key with a blank Windows can be combined with Intune remastering at a later stage. 

• The use of crisis VDI (Virtual Desktop Infrastructure)   

Users connect to a remote virtual desktop via a browser. This solution must necessarily be combined with another (BYOD, consumer PC purchased for the occasion, or other) as a PC is required to connect to the remote VDI. VDIs can offer more or less advanced functionalities, depending on their link with the company’s IS (access to the internal network, pre-installation of thick clients, etc.).  

Our opinion: This system enables rapidly operational work environments, while limiting the risk of data leakage, since it is possible to prohibit copy/paste from the VDI to the host workstation. What’s more, by relying on VDIs in the cloud, you can achieve a high level of scale-up potential (from 1 VDI to 200 active VDIs very quickly in the event of a crisis). The main risk remains that the more the VDI infrastructure is correlated with the company’s IS, the greater the likelihood that it too will be compromised by the attack. In this case, relying solely on this solution is a risky gamble. Conversely, a VDI that is completely uncorrelated with the IS will function, but will offer limited functionality without any access to uncompromised parts of the company’s IS. 

• Re-mastering from the cloud via Intune 

The master deployed on workstations is externalized to Intune, a SaaS service hosted in the Microsoft cloud. At start-up or after a factory reset, the workstation asks the user to enter his or her Microsoft email address, thus identifying the user as a member of the company. This triggers the automatic download and installation of the master, with no further intervention required. There is one important prerequisite, however: the fleet must be natively managed via Intune to be able to use these methods. 

Our opinion: This is one of the most effective methods, particularly as it is possible to modify the image (in the event of compromise via a vulnerable protocol/patching flaw), then remotely launch a massive remastering of the compromised workstations from within Intune. It is also possible to carry out this self-service remastering on the user’s side, but a prerequisite will then exist: possession of the workstation’s BitLocker recovery key (or other encryption technology if applicable), if the workstation’s hard disk is encrypted as part of the workstation protection measures deployed by the company. For reasons of practicality on the day of the crisis, mass remastering launched from the Intune console is therefore preferable, as it avoids the BitLocker constraint. To do this, however, administrators must be guaranteed access to Intune – and Intune itself must not be compromised. Last but not least, if the ransomware destroys the workstation’s bootstrap, it won’t be possible to remaster it with Intune alone, and you’ll need to add the installation of a blank Windows on the workstation as a prerequisite (via a USB key, for example).  

It should be noted that there are also a few exceptional crisis situations in which, due to limited response and management resources, some organizations may choose to allow employees to work in degraded mode on compromised machines for a set period, if they are still operational. This may be the case, for example, when only office files have been encrypted, when the malware is passive and does not communicate with a Command and Control system, and by removing Internet access from workstations to prevent any remote takeover. 

To sum up, what are the success factors for an office environment resilience strategy? 

There’s no such thing as a “magic” solution for every situation, and every solution meets the need to get a workstation up and running again, but the choice of the best solution depends on several parameters specific to each organization. To ensure an effective strategy, it is important to :  

• Segment the company’s different populations to prioritize the provision of workstations, and propose solutions adapted to the specific needs of each one. 
• Diversify and adapt solutions. Focusing on a single solution can prove dangerous if it fails. The aim is to have a toolbox of technical solutions, which the crisis unit can choose to activate or not, depending on the exact nature of the crisis encountered. 
• Test solutions: whatever solutions and strategies are implemented to rebuild workstations, they must always be accompanied by planned tests. A solution that is not used regularly is a solution that may not work in the event of a crisis. Whenever possible, therefore, the backup solution should be used on a day-to-day basis to remaster PCs, or if VDIs are involved, they should be used on a regular basis. If this is not possible, the solution should be integrated into a business and/or IT continuity test plan, so that it can be tested in real-life conditions at least once a year. 

The solutions most frequently used in the field include mass remastering on the bench, building up a stock of crisis workstations, using Cloud solutions such as Intune and virtual desktops such as VDI coupled with BYOD. But these solutions, taken one by one, may not be enough, because as mentioned in the principle of diversification, putting all your eggs in one basket can cause problems. We could, for example, imagine a crisis where access to the Intune console is impossible and/or the Intune image itself has been altered by the attack. In this case, having a fallback solution such as external VDI or remastering via USB key is essential.  

[1] https://fr.wavestone.com/fr/insight/cyberattaques-en-france-le-ransomware-menace-numero-1/  

[2] https://attack.mitre.org/techniques/T1490/  

Cet article Cyber Resilience: how to define the best strategy for digital workplace recovery  est apparu en premier sur RiskInsight.

On 17 April, the ANSSI published the first doctrinal documents concerning remediation, which is defined as the project to regain control of a compromised information system. These documents are the fruit of the Agency’s experience in supporting victims of security incidents. 

This corpus consists of three sections: strategic section, an organisational section, and a technical section. Currently, the technical section focuses on the remediation of tier 0 of the Active Directory1, or core of trust. This section will be supplemented with additional documents in the future to enhance its content.  

The approach proposed by ANSSI (E3R) is divided into 3 stages: 

1. Containment of the attacker 
2. Evicting the intruder from the heart of the IS 
3. Eradicating the adversary’s strongholds 

These stages are illustrated by 3 typical remediation scenarios, each with increasing ambition levels based on the urgency of the restart and the costs incurred by the long-term damage resulting from the attack: 

1. Restore vital services as quickly as possible 
2. Regain control of the IS 
3. Seize the opportunity to prepare for long-term control of the IS 

The publication of this corpus is a timely step in the reflections and projects currently being carried out by many public and private players, with a view to strengthening their resilience in the face of a successful cyber-attack that would compromise or even destroy their Information System on a massive scale. 

In practice, the time required to establish a proven remediation system extends over several years for most players, rather than just months. This timeframe may be out of sync with the evolving threat landscape and the regulatory deadlines imposed on certain entities.  

There are several reasons for this, which vary from one player to another. However, there are three key factors which contribute to this variation:  

1. Awareness of cyber risk is growing; however, many decision-makers still lack adequate understanding. Balancing immediate priorities with long- term preparation in the face of potential compromises often leads to difficult decisions regarding the allocation of valuable human and financial resources.  
2. The interruption of an organisation’s activities following an IT disaster has historically been dealt with using Disaster Recovery Plans. Their advantages and limitations in terms of remediation are still poorly understood within organisations: 
   1. Depending on the recovery principles adopted, they may offer advantages in terms of IS recovery sequencing know-how (similar to an electrical shutdown/restart), capabilities for unitary and grouped reconstruction, restored data resynchronisation and reconciliation, among others.
   2. Remediation efforts can leverage this know-how, provided it has not been lost because of the adoption of new solutions (e.g., active/active backup) or when a ‘debt’ in terms of maintaining operational conditions and DRP exercises has built up. 

Nonetheless, these plans also have significant limitations. Their architecture relies on technical interconnections and data replication with backup infrastructures, which can inadvertently propagate compromises. Furthermore, while their relevance is proven in a deterministic context (where a given disaster corresponds to a given solution and plan), their effectiveness becomes much less certain when confronted with the diverse characteristics and possibilities of evolving cyber attacks  

This calls for a hybrid approach involving operational, DRP and cyber resilience players. This can be facilitated or hindered depending on the governance that has been put in place between these populations. 

To accelerate the necessary rise in maturity of players on the subject of IS remediation following a cyber-attack, several approach can be considered. Outlined below are four potential strategies, and the subsequent information will provide a more detailed explanation and elaboration for each approach. 

1. Helping decision-makers to understand the specific nature of cyber risk; 
2. Anchoring “compromise by design” in everyday life; 
3. Have several remedial options at your disposal; 
4. Sharing and capitalising on feedback. 

Helping decision-makers understand the specific nature of cyber risk 

 The vast majority of players do not totally rule out the possibility of being vulnerable to a successful cyber-attack that would paralyse their activities through the logical destruction of their IT assets. 

On the other hand, a significant proportion of players have not yet grasped the fact that their existing IT backup resources are rarely adapted to the specific characteristics of this type of attack. A cyber-attack can jeopardise the availability and non-compromise of operating and administrative resources, right down to the workstations of those involved in IS recovery. The timeframe for remediating an Information System (IS) that has suffered extensive destruction due to a cyber-attack is typically considerably longer compared to the recovery time communicated to the business in the event of a physical disaster. 

A number of players have not yet fully assessed the impact of the cyber threat on their ecosystems, for example: 

• If their first-tier IT service providers (outsourcer, cloud service provider, etc.), or even higher-tier providers, are themselves affected by a successful destructive attack; 
• If a player is the victim of a cyber-attack, whether proven successful or not, its partners who have knowledge of the attack will be able to isolate it unilaterally for protection purposes. 

The awareness of an organisation’s decision-makers of the cyber risk, its systemic implications and the impact on its business must be developed. In the financial sector, the DORA regulations, or their equivalents in certain non-European countries, as well as the stress tests announced by the European Central Bank for 2024, should contribute to this. 

For many decision-makers, too many technical words are used to describe the risk of cyber destruction. Unlike compliance issues such as the RGPD, which can be understood by the uninitiated, this risk is perceived as a matter for technical experts. Nevertheless, the subject is increasingly being addressed at executive committee level, for example through the presence of the CISO on the Executive Committee and/or through external speakers with experience in acculturating senior management. 

Anchoring “compromise by design” in everyday life 

By considering the possibility of an IS compromise that could result in its destruction and incorporating this perspective from project design to operational activities, the resilience capabilities of the IS can be significantly bolstered.  

From the earliest stages of a project, the business units can be called upon to identify and evaluate, with the support of the technical teams, cyber-resilient design solutions. These may include: 

• To use suppliers of nominal solutions that are technically independent of the organisation’s IS, so that its activities are not based exclusively on it’s IS; 
• To host and operate backup solutions outside the organisation’s IS; 
• Use cyber-resilient architecture models based on an on-premises catalogue or hosted in the Cloud. They are also designed to allow their resilience to be tested while limiting the impact of tests on production; 
• Designing projects that enable operation in degraded mode via : 
  • Periodic extraction of business data in office format, outsourced and protected in an external file storage service; 
  • The ability for applications (and services such as restoration) to operate without certain cross-functional services such as the AD authentication repositories via local backup accounts, etc;  
• Drawing up downgraded business procedures based on downgraded IS resources such as those defined above. 

In addition, the appropriateness of certain practices, although incompatible with the objectives of standardisation and industrialisation, can be considered at the technical design stage, in particular: 

• Encouraging diversity of technologies to limit the exploitation of a vulnerability. 
• Limiting the dependency of applications on cross-functional information systems, so that they can be rebuilt and made operational more quickly. 

During the acceptance phase, business operations in degraded mode and the ability to rebuild an application can be systematically tested before going into production. This test can be reviewed if necessary for each major change. It should be reiterated periodically through exercises that will enable remediation capabilities to be tested and enhance the skills of the various operational players. 

Moving beyond the project phase, the integration of asset reconstruction practices into Business As Usual (BAU) operations enables better mastery of these practices. This, in turn, benefits a larger number of participants in the event of remediation, for example; 

• Reconstruction, once or twice a year, using non-IS resources (e.g., Cloud services or off-line resources), of workstations used for administrative tasks and/or critical activities; 
• Reconstruction, once a year, of infrastructures essential to the recovery of the IS (e.g., restoration infrastructures, core of trust, virtualisation base, etc.), to be determined on the basis of the threat and risk analysis; 
• Development of CI/CD practices on a daily basis, particularly in Cloud environments, in order to automate the recreation of servers to apply changes to them, such as version upgrades or patches. 

Finally, keeping the IS map (including its interconnections with partners and the Internet) and its interdependencies up to date daily is a key factor in remediation, which must be supported by appropriate processes, tools (cyber-resilience) and controls. 

Having several remediation options at your disposal 

Given the difficulty of predicting the course of a cyber-attack and the evolution of its impact in advance, the preparation of a plan requires a balance to be struck between two excesses: 

• Developing reconstruction solutions tailored to too few attack scenarios, with the inherent risk of deadlock, 
• Or, on the contrary, seek to cover all possible scenarios, at the cost of a significant loss of efficiency. 

An updated risk analysis of possible attack scenarios, based on a threat watch, makes it possible to prioritise those to be covered, such as those with the highest probability of success and the greatest impact in the context of the organisation.  

This analysis makes it easier to identify the assumptions that will be used as inputs to the development of plans. For example ; 

• Just a year ago, planning for the industrialised reconstruction of the virtualisation layer of physical servers did not appear to be a necessity for most players, but it has now been identified as essential. 
• The destruction of Cloud resources through the compromise of access to the tenant (master accounts or API access) or even the compromise of the Cloud provider itself, appears to be a new risk that needs to be considered in the Cloud resilience strategy of several players. 

Once the working hypotheses have been chosen or ruled out (e.g., the types of components and technologies impacted, the residual capacities of the malicious code once its means of interacting with the attacker have been cut off, etc.), it is possible to assess the relevance of the various possible means of reconstruction and to prioritise the work more effectively. The following are possible means of reconstruction.  

• Restore systems and/or business data from backups, if necessary, in an isolated environment (e.g., from snapshots, offline or “immutable” backups); 
• Cleaning up restored environments that may have already been compromised when they were backed up (e.g., Using antivirus software for office files and systems that may have been compromised, using an EDR on systems that have been restarted in an isolated environment, or using solutions that can clean up the backed-up image of a virtual server directly); 
• Reinstallation of compromised technical layers (e.g., OS, middleware, etc.); 
• Replenishment of virtual infrastructures (e.g., Terraform, etc.); 
• Strategies and solutions that can cover both the risk of a conventional disaster and a cyber disaster (e.g., a backup IS that is independent of the nominal IS, with business data refreshed by a device that maintains technical watertightness). 

This assessment should lead to the development of a “catalogue” of remediation methods, the application of which should be contextualised at the time of the attack. As a complement to each reconstruction solution in the catalogue, the identification of an alternative – perhaps less industrialised – solution will enable us to deal more effectively with the vagaries of the attack context. 

Sharing and capitalising on feedback 

To gain maturity and efficiency in remediation more quickly, market players benefit from capitalising on the experience of others. 

This may involve capitalising on: 

• Studies, such as the body of doctrine published by ANSSI; 
• Direct exchanges with peers or via third parties; 
• Working groups in which its ecosystem of partners will be represented if possible. 

The feedback to be sought can relate to the specificity of the cyber context in remediation but also to more traditional aspects linked to the reconstruction of an IS such as: 

• The methods and approaches used; 
• Proven market solutions (beyond promises);  
• Performance achieved (reconstruction times)  
• Costs;  
• Logistical and HR aspects (similar to crisis management);  
• More functional aspects such as data reconciliation, following different restoration points and lost flows with third parties. 

Other articles on the subject of remediation :

Surviving an Active Directory compromise: key lessons for improving the rebuilding process

Cyber-attacks: what are the risks for backups and how can you protect yourself?

Active Directory rebuild: approaches to quick Active Directory recovery

Next on https://www.riskinsight-wavestone.com/ : workstation remediation

Cet article  « Compromise by design » or how to anticipate a destructive cyber attack est apparu en premier sur RiskInsight.

Dashboards and KPIs that convey concrete messages and calls for action are often what drives the success of operational resilience initiatives.

Operational resilience brings together and harmonises multiple disciplines that were previously managed in silos: business continuity, IT and disaster recovery, incident and crisis management (IT, business and cyber), cyber defence, third party management, and operational risk management.

In order to coordinate and orchestrate these disciplines effectively to establish an accurate picture of the overall resilience, companies need to analyse their data in relation to these topics. This requires a complete mapping of critical services (Important Business Services), their dependencies (business processes, applications, suppliers, teams, buildings, etc.) and testing.

To make this possible, there is a real need for tools and automation. This is also why we are seeing more end-to-end solutions for operational resilience management emerging in the market, from specialist vendors such as Fusion Risk Management, Castellan to non-specialist ones, such as ServiceNow.

What are the challenges in the field?

Depending on the company’s maturity, each stage of the process may pose challenges or difficulties.

Challenge 1: Data Model

The operational resilience data model must be created in consideration of Important Business Services and their respective dependencies. Preferably, an organisation would reuse existing inventories (e.g. CMDB, supplier inventories, BIAs, HR systems, etc.) and run workshops to leverage on the knowledge of their business representatives and IT experts, suppliers, etc. The challenge stems from the need to rationalise all the elements into a format that enables data analysis. This means that even if one starts with Excel, it is important to firstly define the precise rules (common referencing system, one piece of information per line, etc.).

Challenge 2: Identifying gaps

Once this mapping is carried out, companies need to identify threats linked to the end-to-end service and existing resilience capabilities to mitigate them. These capabilities can be specific to a dependency or broader. This allows the creation of indicators that show resilience gaps. Overall, there can be two types of gaps:

1. A dependency with insufficient contingency plans

This can be identified in the initial analysis, through existing controls, or through testing.

Example: A person wants to withdraw cash. Normally, this service is available through an ATM. Several elements are necessary for ‘normal’ service to function properly:

• Physical ATM itself
• Customer authentication system via their bank card
• Customer account management software provided by a third party to check the balance

The following threats may affect this service:

• Major IT loss (whether or not caused by a cyberattack)
• Loss of the software provider
• Physical incident affecting the ATM

We shall assume that 4 hours is the period before the inability to withdraw cash becomes an intolerable source of harm to the customer – which is also known as the impact tolerance). With this context in mind, the bank needs to consider the following questions to identify resilience gaps:

• Recovery Time Objective (RTO): In the event of a computer loss, can the ATM and authentication system be brought back online within 4 hours according to their RTO? Has it been tested?
• Exit plan: In the event of a major breakdown or bankruptcy of the account management software provider, is there an alternate provider the bank can turn to for delivering the service without intolerable delay? Alternatively, is there a way to bring the activities in-house?
• Contingencies: Is there a degraded process for dispensing cash, for example, by replacing a faulty ATM? What are the dependencies for this process? Can it be done without an IT system?

Once these gaps have been identified, you can then calculate resilience scores for individual components.

2. Absence of a core resilience capability

A range of operational resilience capabilities is needed in every organisation, which includes business and IT continuity, third party management, cyber defence, disaster recovery and crisis management. We have identified a list of 50 generic core capabilities, linked to the most common threats, and are deploying this framework with our clients to measure the overall operational resilience maturity level.

Examples of key capabilities include:

• Crisis management: alternative communication channel
• Disaster recovery: Cyber vault
• Third party management: Crisis SLAs with third parties
• Business and IT continuity: degraded processes without IT
• Cyber defence: emergency authentication procedure

Challenge 3: Governance

Finally, governance is required to ensure that operational resilience data is maintained up to date, such that accurate reporting can be delivered to aid decision-making in the right forums. For instance, any initiatives to remediate identified resilience gaps requires management buy-in and funding, and management can only make the right decision and prioritise initiatives based on what is being reported on official reports.

Finally, what should be measured? 

The underlying question in MI is: how well is your organisation prepared to withstand a major incident?

• Are the dependencies identified?
• Are the necessary documentations in place?
• Are the threats known?
• Are controls in place to indicate a gap?
• Are the company’s employees prepared to respond and minimise the operational impact of a major incident?

What are customers’ expectations?

As of today, through supporting our clients in their Operational Resilience program, we have identified three common themes with regards to our clients’ expectations around operational resilience projects:         

1. Clients need help with creating an inventory and rationalising multiple sources with various data formats to be incorporated into the data model.
2. Clients regularly require support with creating reporting. This can be in the form of designing useful KPIs that can be translated into actionable items and a driver for decision-making process, or creating dashboards in data visualisation tools such as PowerBI.
3. There is an increasing demand for sourcing and deployment of operational resilience tools. Wavestone can help companies find the right tool that suits their needs via:
   • Performing a benchmark
   • Gathering requirements and specifications through workshops with future users
   • Creating an RFP and a suitable scoring mechanism to evaluate vendors

In fact – a great example showcasing our expertise around this particular area around helping our clients with sourcing and the deployment of operational resilience tools would be Wavestone’s second edition of the Operational Resilience Tooling Panorama – it captures the main market players across a range of topics such as emergency notifications, resilience management (mapping, testing, dashboards), crisis management and business or cyber incident simulation (cyber range). The radar is also built to encompass a wide spectrum of players – from disruptive innovators to traditional players, and from start-ups to large organisations.  

Any final advice for readers?

For French clients who have not yet launched an operational resilience program, there are two pieces of advice:

• As soon as the mapping is done, you need to think about how to store the data (i.e. the data model). Excel may not be sufficient as a tool to ensure the sustainability of the model
• Do not hesitate to re-use what your company already has in terms of business and IT continuity, third party management, cyber defence, IT reconstruction and crisis management.

Cet article MI and tooling at the heart of operational resilience management, Roxane Bohin interview est apparu en premier sur RiskInsight.

Identification and mapping of key processes

Let’s start with a definition from the regulator: the European Central Bank defines cyber-resilience as the ability to protect oneself and to quickly resume activities in the event of a successful cyber-attack. This definition has led many companies to adopt a 360° vision on the topic (prevention, crisis management, reconstruction, business continuity, etc.) through the prism of a concrete cyber-attack on key business processes. The novelty lies above all in the fact that all the analysis is focused on critical business chains, even though it is still necessary to know them. Identifying and mapping key processes is often the most complex part of a Cyber Resilience Program. Unfortunately, there is no systematic method: a list drawn up by the Risk Department, a decision by the Director of Operations, recycling of business impact analyses (BIA), criteria established during regulatory audits, etc. One thing is certain, this list cannot be drawn up by the cybersecurity team in its own corner and requires the involvement of the business lines as early as possible in the process.

Analyzing the cyber-resilience of a business chain: the A.R.M. method

The cyber-resilience of a business chain can be improved by acting on several parameters: 1/ avoidance of the attack, 2/ rapid reconstruction, 3/ maintenance of business activity during the attack. As a result, many companies have structured their Cyber Resilience Program around 3 indicators: A (AVOID), R (RECOVER) and M (MAINTAIN), making it possible to target one threat at a time. Of course, most current initiatives are working on Ransomware scenarios (Ryuk, Maze, Sodinokibi, etc.).

A – AVOID

The first step is to assess the level of resistance of business chains to the feared cyber threats. The ATT&CK Framework is increasingly used here and this indicator can simply correspond to the percentage of techniques used by the attacker against which the business chain is protected (for example, the chain is protected against 60% of the attack techniques used by the ransomware groups of the moment). The level of assurance required differs from one company to another: even if most companies still work via self-declaration, it is possible to integrate a review of evidence or Redteam audits into the approach to make the results more reliable.

R – RECOVER

The second step requires assessing the reconstruction time of the business chain in the event of an attack (for example, the chain can be reassembled in 9 hours after a ransomware attack). This time can obviously be different from one attack to another: destruction often restricted to Microsoft systems, possibility to use backups or not, integrity checks necessary after reconstruction, etc. This requires a detailed analysis of the impacts of each attack studied. Be careful, when mapping, it is necessary to consider the reconstruction of ALL the assets impacted by the attack. It is often observed that a few specific assets can double or triple the overall reconstruction time. Here again, the level of insurance required differs from one company to another: it is possible to work on paper, but the real reconstruction test is clearly the best option for reassurance.

R – MAINTAIN

The last step requires assessing the ability of the business lines to work in a degraded mode before returning to normal. This is a purely business indicator, which obviously differs from one sector and chain to another: it can be a question of transactions, reception of parcels or number of passengers depending on the sector and the chosen chain. To calculate it, it is necessary to work with the business on the assumption of long-term unavailability of the critical chain and to evaluate the percentage of the activity that can be delivered in another way. To understand the approach in a theoretical, and deliberately provocative way: does a business process vulnerable to a cyberattack, but whose activity can be maintained without an IS for a few days, really need to increase investments in cybersecurity? This is the type of topic that a Cyber Resilience Program must be able to arbitrate.

Most Cyber Resilience Strategies and Programs on the market obviously embrace this recurring assessment phase, adding over the years cyber threats and business chains to be analyzed. At the same time, they are managing a series of cybersecurity, IT and business projects to increase the level of resilience. The most mature Programs also maintain catalogs of solutions to speed up the process and improve the scoring of the various business lines (data safes, standardized backups, market partnerships, shared business fallback solutions, etc.).

As we have seen, a cyber-resilience strategy involves multiple skills: the cybersecurity department to select threats and assess the robustness of chains, the business lines to select critical chains and work on business continuity, IT and the Business Continuity Plan (BCP) for crisis management and assessment of reconstruction capacities. The best solution is to host this type of Program directly at the Operations Department level, in order to influence all these channels. However, these Programs are currently structured at the level of the CISO or the Risk Management Department. The key in this case is to deploy effective governance that allows all stakeholders to remain within their area of expertise.

Cet article Cyber-resilience, an opportunity to bring cybersecurity and business closer together est apparu en premier sur RiskInsight.

La couverture des risques dans la durée

Le durcissement des équipements

En complément d’une architecture et d’un outillage d’administration sécurisés, il convient d’élever le niveau de sécurité de chaque équipement en appliquant un principe de strict nécessaire. Un guide de durcissement générique peut être créé et adapté à chaque technologie identifiée lors de la cartographie du SI Industriel. Celui-ci permet de remédier à une partie des vulnérabilités présentes au niveau des configurations et des systèmes.

L’utilisation de solutions complémentaires peut également apporter un surplus de sécurité :

• Les antivirus connectés au réseau ou non (impliquant une mise à jour manuelle) vont couvrir les postes industriels contre les virus les plus communs ;
• La mise en place de règles strictes sur les pare feux locaux des machines va empêcher les communications, et donc intrusions, sur les ports inutilisés, et filtrer l’origine des flux en fonction des protocoles utilisés, permettant de mieux détecter des tentatives d’attaques ;
• Des solutions de gestion des comptes administrateurs locaux (par exemple LAPS pour Windows) peuvent enfin permettre de gérer les comptes administrateur natifs des postes de manière centralisée et individualisée.

Il arrive cependant qu’il ne soit plus possible de durcir un équipement du fait de sa vétusté, il faut alors travailler avec le Métier sur la gestion de l’obsolescence des équipements, sur leur éventuel remplacement et en dernier recours sur les capacités à les isoler du reste du SI. Des bloqueurs de configuration pourront également permettre, sur des postes vétustes, de restreindre l’installation et l’utilisation de composants à ceux uniquement nécessaire.

Il est important de rappeler que le SI Industriel souffre de certaines vulnérabilités, mais est avant tout l’outil de production du Métier. Le dialogue avec ces équipes est donc primordial à la compréhension de l’utilisation qu’ils en font afin de résoudre ces vulnérabilités en limitant les conséquences au maximum pour le métier.

Le maintien en conditions de sécurité

Lorsque les équipements atteignent le bon niveau de sécurité, il faut prévoir son maintien dans le temps. Différents scénarios de gestion des correctifs de sécurité ou « patchs » peuvent être définis pour répondre également aux besoins du Métier (disponibilité, intégrité) et synchronisés avec la maintenance industrielle :

1. Intégration dans les processus nominaux d’exploitation (par exemple : les processus de qualification / qualité d’une installation peuvent imposer que les équipements soient à jour). La mise à jour et l’administration des équipements tireront ainsi profit des arrêts industriels d’autant plus si une re-certification est nécessaire.

2. Préparation d’un processus de mise à jour « à chaud » en cas de faille de sécurité critique et d’un processus d’isolation préventive d’une ligne de production le temps que le procédé puisse être interrompu ;
3. Identification des équipements redondants ou périphériques sur lesquels une intervention avec simple information des responsables de sites est possible.

Afin de mettre en place ces process de patch, la cartographie réalisée précédemment doit faire apparaître un inventaire précis des équipements devant inclure :

• L’identification des équipements, leur type, localisation et nombre ;
• Les procédés industriels pour lesquels ils sont utilisés et la criticité associée ;
• Le système d’exploitation/lefirmware, les outils et la configuration ainsi que la mention des versions déployées ;
• Les besoins en termes de cybersécurité au regard des procédés supports ;
• La disponibilité de redondance, de mise en tampon des données et de cold spare ;
• La fréquence de patch requise et l’historique de patch.

Le maintien du niveau de sécurité ne se base pas uniquement sur l’application de correctifs de sécurité sur les équipements. Il convient également de :

• Définir le processus de mise à jour des solutions de sécurité installées sur les équipements coupés du réseau ;
• Installer des solutions de nettoyage de média amovibles qui restent très présents sur les sites industriels – certains produits ont l’avantage d’être portables et donc d’analyser le média pendant le déplacement à l’intérieur du site industriel ;
• Assurer la sauvegarde des configurations des équipements et leurs intégrations au DRP afin de garantir une remise en route post-incident qui réponde aux besoins de disponibilité ;
• Mettre en place un suivi de l’IAM[1] Industriel afin d’avoir un contrôle d’accès physique et logique robuste. Cette action permettra aussi d’automatiser de nombreuses actions fastidieuses de revue de comptes parfois encore faites à la main.

La détection des incidents de cyber sécurité

Les mesures citées précédemment permettent de réduire la probabilité d’occurrence des risques et donc d’augmenter la disponibilité des équipements pour le Métier. Il faut néanmoins se préparer au pire et avoir les outils nécessaires à la détection d’un incident pour le remédier au plus vite et garantir un temps d’interruption réduit au maximum.

La mise en place de la détection

La première étape à réaliser est l’activation des fonctions IDPS[2] sur les équipements réseaux afin d’assurer un premier stade de détection et potentiellement de blocage automatique.

Il s’agit ensuite d’assurer la collecte d’informations en déployant un concentrateur sur site. Les logs des équipement réseaux et serveurs pourront ainsi être envoyés aux SIEM[3] existants ou dédiés dans lesquels se feront corrélation et détection. Les SOC[4] et CERT[5] peuvent alors réaliser les opérations d’analyse, de détection et éventuellement de réaction sur incident en se basant sur des scénarios classiques.

L’anticipation de risques spécifiques

Cependant, la détection basée sur des scénarios classiques n’apportera que peu de valeur aux métiers. La prise en compte de l’ensemble des sources (PC, Linux, UNIX…) et la mise en place de sondes dédiées aux SI Industriels capables de s’interfacer avec des systèmes SCADA peut permettre d’améliorer le système de détection. Toutefois, ces solutions peuvent s’avérer coûteuses.

L’élément clé consistera ici à assurer une montée en maturité et en valeur incrémentale et rapide du SOC.

Se préparer à la remédiation

Pour finir, la détection d’un incident ne pourra aboutir à une remédiation efficace que si le Métier est inclus. Tout comme pour les mises à jour d’équipements, il convient donc de revoir les procédures d’arrêt d’urgence avec les utilisateurs du SI Industriel. La formalisation d’un Plan de Réponse à Incident permet de planifier les actions à mener en cas d’incident cyber-industriel.

Des exercices de gestion de crise dédiés au SI Industriel doivent également être menés pour assurer une préparation optimale des équipes et mettre en lumière les éventuels manques.

Une approche progressive et participative garantira le succès de la démarche

La mise en conditions de sécurité d’un SI Industriel est un chantier complexe qui ne peut être faite qu’avec le Métier. Il convient donc de travailler avec lui de manière progressive et participative sur chacun des chantiers suivants :

• Prendre connaissance de son SI Industriel en réalisant une cartographie en priorisant les éléments les plus critiques ;
• Mitiger les risques sur le SI Industriel en mettant en place l’état de l’art de l’architecture réseau sécurisée et définir les processus d’administration – les SI de Sûreté, par leur criticité, devront faire l’objet d’une attention particulière ;
• Atteindre un niveau de sécurité adéquat par le durcissement et le maintien en conditions de sécurité des équipements dans le temps – des discussions pourront notamment avoir lieu avec les fournisseurs et constructeurs d’équipements ;
• Mettre en place les outils nécessaires à la détection d’incident de sécurité, qui peuvent avoir une influence sur la production, et définir les processus de réaction.

Toutes ces actions ne peuvent pas toujours être menées en parallèle. La définition d’une feuille de route claire va permettre la priorisation des différentes actions pour pouvoir maitriser les coûts et maximiser l’apport pour le Métier.

Si ce vaste chantier est souvent initialisé en central, l’enjeu reste de pouvoir embarquer les sites, parfois répartis dans le monde entier, pour assurer une sécurité pérenne dans le temps. Nous observons, en général, une démarche en deux temps :

1. Un programme cybersécurité pluriannuel (souvent 3 ans) pour un budget de 10 à 15 millions d’euros visant à :

• Réaliser l’inventaire des SI Industriels ;
• Élever le niveau de sécurité du parc existant par la mise en place de protections souvent périmétriques et de filtrage ainsi que la remédiation des vulnérabilités les plus critiques – la définition de procédures est ici nécessaire ;
• Faire émerger un premier réseau de coordinateurs cybersécurité locaux ;

2. La création d’une filière cybersécurité industrielle et de la gouvernance associée réunissant :

• Le cadrage des activités clés à piloter par les acteurs locaux ;
• La construction participative d’outils pour aider ce réseau de responsable locaux à opérer les activités de cybersécurité sur le contenu ;
• La construction des moyens de pilotage de la montée en maturité et de gestion du changement (matrices de maturité, outils de modélisation budgétaire par site, définition d’indicateurs de pilotage, services centraux consommables par les sites…).

La mise en place de la gouvernance peut démarrer après le programme et tirer ainsi profit du premier réseau de correspondants sensibilisés à la cybersécurité bâti par le programme.

Une fois construite, il s’agit ensuite de l’animer et de piloter la progression des sites et des systèmes industriels à la fois en termes de niveau de sécurité et de niveau de maturité.

Cette animation réunit en général :

• Un réseau responsables cybersécurité locaux de 0,5 à 2 ETP[6] par site en charge de réaliser les projets, d’implémenter les activités récurrentes de cybersécurité, d’améliorer continuellement la sécurité et de reporter ;
• Une équipe centrale de 3 à 10 ETP pilotant globalement et appuyant les responsables locaux notamment en termes d’expertise.

[1] IAM i.e. Identity and Access Management.

[2] IDPS i.e. Introduction Detection and Prevention Systems.

[3] SIEM i.e. Security Incident and Event Management.

[4] SOC i.e. Security Operation Center.

[5] CERT i.e. Computer Emergency Response Team.

[6] Ces chiffres peuvent varier significativement en fonction de la taille de l’entreprise et du nombre de sites locaux, il s’agit d’une moyenne observée dans de grandes organisations internationales que Wavestone accompagne.

Cet article Saga (3/3) – Retours d’expérience et bonnes pratiques pour protéger et maintenir en condition de sécurité des SI Industriels est apparu en premier sur RiskInsight.

Consequently, organisations are looking for ways to become cyber-resilient and thus limit the impacts of such attacks. Besides this, more regulations related to cyber-resilience are emerging and pushing organisations to take appropriate action; particularly when incentivised by the threat of exposure to possible sanctions and fines for non-compliance.

How is the UK regulatory framework developing on this topic? What have we learned from recent major cyberattacks? How should organisations prepare to react promptly and effectively in case of such attacks?

Cyber-resilience in the UK – An increasingly restrictive regulatory framework

NIS Regulations, the first implementation of cyber-resilience principles in UK law

Following the European Union directive on the security of Networks and Information Systems (NIS directive) and despite Brexit, the NIS Regulations came into force in the UK on 10th May 2018. This regulation has marked a clear shift of the regulators’ role from a helpful supportive party to a more restrictive one.

As per this regulation, Operators of Essential Services (OES) and Digital Service providers (DSP) must consider cyber-security measures to manage the security of their systems and facilities, their existing processes and procedures to handle security breaches and maintain business continuity.

OES, who had to register to their Competent Authority (CA – i.e. regulator identified for sector) by the 20th August 2018, are considered as more critical than the DSPs in the event of an attack; and hence why they face much stricter requirements. Therefore, OES are subject to audits conducted by their CA’s. These controls will assess organisations against the 14 security principles outlined in the Cyber-assessment framework published by the UK National Cyber Security Centre (NCSC).

If there is non-compliance with the NIS Regulations, organisations are now exposed to sanctions that can go from notices for further information to monetary penalties (up to a maximum of £17 million).

DSP’s will not be audited, they will only face enquiries in case of incident. They have also been given more time to register to their CA with a deadline of the 1st November 2018. For organisations falling into the OES / DSP scope, not registering is considered as a blatant violation of the NIS Regulations, and could lead to severe disciplinary action.

Cyber-resilience regulation for the UK financial sector

Financial services have always been considered as ‘one-step-ahead’ when it comes to Cyber-resilience. Therefore, this market is a good indicator of the future trends related to this topic.

Surprisingly, the Banking and Financial Market infrastructure sectors are not listed as OES by the NIS Regulations – as opposed to the NIS Directive (the EU text) that includes these two sectors.

However, on 5th July 2018, the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) quickly reacted by publishing a Discussion Paper on the UK financial sector’s operational resilience.

This initiative gave Financial Services organisations until 5^th October to report on their exposure to risks and how they respond to outages.

One of the key aspects highlighted in this paper is the notion of cyber-tests. The structure of the paper clearly sets out the cyber-resilience aspects that will be tested by the regulators across the full incident lifecycle management: Preparation, Recovery, Governance and Communication.

Future of cyber-testing: the use of Red-Teaming by the regulators?

The notion of cyber-resilience testing has also been put forward in the new testing framework published by the European Central Bank (ECB) in May 2018: the Threat Intelligence-based Ethical Red Teaming (TIBER) EU Framework. The objective of this framework is to facilitate an approach towards intelligence-led tests which mimic the tactics, techniques and procedures of real hackers posing a genuine threat.

Even if the UK regulators are not obliged to implement this framework, it could give them some ideas to use these types of tests across all industries (like they did for the NIS Directive).

We expect that failing these tests will expose financial services organisations to sanctions in a similar vein as the Financial stress tests conducted in the last couple of years.

Cyber-resilience – Wavestone’s lessons learned

Organisations affected by major cyberattacks cannot continue to use their IT as normal and must fully or partly stop them to clean or rebuild them. Indeed, in some cases, attackers destroy critical parts of the IT infrastructure whilst in other cases, they penetrate and propagate the IT system for weeks to steal data or corrupt internal systems (Advanced Persistent Threat), thus causing a loss of confidence in the IT system.

For an organisation, to be cyber-resilient means being able to maintain vital activities in a downgraded mode in the event of a major cyberattack, while taking actions to quickly regain confidence in the IT system to be able to operate it as usual.

At Wavestone, we have developed strong expertise in supporting major cyber-crisis and cyber-resilience programmes. You will find below what we have learned on the topic, and in particular the 3 key aspects we recommend working on to become cyber-resilient.

Business Continuity Plans and Disaster Recovery Plans need to be reworked to face cyberthreats

Today’s Business Continuity Plans and Disaster Recovery Plans aim to respond to scenarios like a pandemic or a datacentre physical destruction, but many have been built without taking into account major cyberattack scenarios and the possible loss of confidence in the organisation’s IT that could result from such cyberattacks.

Within an organisation, ‘everyday’ IT and ‘backup/recovery’ IT systems are close in many ways, especially to facilitate their operability. As a result, in the event of a major cyberattack, the recovery systems will most likely be compromised at the same time as the ‘everyday’ IT systems, for 3 main reasons:

• Replication systems could copy the malware between the main IT estate and the recovery systems; or
• Attackers could exploit the administration infrastructure, common across both normal and recovery systems, to propagate within both; or
• Finally, even if the recovery systems are fully isolated, attackers could still exploit vulnerabilities present within both. Then, triggering your recovery systems would open the door for the malware to spread.

 1. Prepare to contain the attack when it occurs

Cyber-crises are specific:

• They last a long time (several weeks)
• They are difficult to understand (what have the attackers been able to do? For how long? What are the impacts? etc.)
• They involve third-parties who are often unprepared on the topic (lawyers, authorities, suppliers, clients, etc.)

Therefore, current crisis management processes must be supplemented to cater for the various cyber threat aspects. In particular, it is necessary to carry out the organisational and technical actions below to contain the attack when it occurs.

Organisational actions

• Identify the necessary people to call upon during a crisis (management, forensic experts, IT department, business continuity staff, HR, communication team, etc.) and specify their roles and responsibilities, as well as what needs to be done to allow them to be rapidly mobilised when necessary
  • For instance, during the crisis, the IT department will have to prioritise its actions between the investigation, the definition and implementation of the defence plan, and business-as-usual (BAU) operations
• Define processes that allow quick decisions from operational teams for threat containment (systems shutdown, floodgate activation, etc.), without waiting for a decision from the Crisis Management Team (CMT)
• Define appropriate processes to enable investigation activities and defence-plan-related activities in parallel, and to ensure 24/7 operations over a long time via rotations (logistics, HR, etc.)

Technical actions

• Identify backup communication tools outside of normal IT to safely manage the crisis (alternative mail, website to oversee the decisions, directory, etc.), as the usual communication tools may be unavailable or no longer trusted
• Make sure you have adequate investigation means to analyse and understand the attack (sufficient, safe and searchable logs, capability to analyse unknown malware, technical and functional cartography, detection processes based on business processes knowledge, etc.)
• Define floodgates in your network to be able to limit the attack propagation by isolating the most sensitive systems from those already compromised
• Make sure you have the right tools to protect the parts of the IT estate which are still safe once the threat has been isolated (quick patch deployment, etc.)

That being so, it is essential to regularly test the cyber-crisis management process via crisis exercises using ambitious and realistic scenarios.

2. Prepare to work without your IT

Business teams need to learn how to work in a downgraded mode without IT to simulate it being unavailable or untrustworthy for a few days or weeks. This may seem a bit extreme, but is what impacted organisations had to overcome in 2017, so better being prepared than sorry.

At least, business teams should ask themselves the following key questions to define processes and tools accordingly:

• Can we work with manual workarounds? (paper, cash, etc.)
  • If not, how can we interrupt our business activities in a controlled manner?
• What data do we need? (client contracts, contractors or suppliers lists, business data, etc.)
• What alternative tools do we need? (phones, applications like WhatsApp, applications like Gmail, etc.)

As for the cyber-crisis management process, these alternative ways of working must be tested to ensure the continuity of essential activities in the event of a major cyberattack

3. Prepare to rebuild your IT

If the cyberattack is a destructive one or important parts of the IT estate cannot be cleaned of a malware infection, there may be a need to rebuild some workstations, applications or infrastructure to maintain vital business activities. This must be anticipated, and processes and tools must be defined and implemented accordingly.

Regarding workstations, a user-friendly package (USB key and documentation) can be created to allow end-users to rebuild their workstations themselves. Besides, mobile backup servers can be used to restore users’ data (drop-shipping), in case the network bandwidth is not sufficient to remotely restore it for example.

Regarding applications and infrastructure, the key to success relies on two points:

• Rebuilding must be prioritised according to business needs, which must be defined beforehand; and
• Architectures must be standardised as much as possible to help automate and simplify their deployment in case they need to be rebuilt.

Do not forget standard cybersecurity measures, without which cyber-resilience cannot be reached

Implementing measures to address the 3 aforementioned cyber-resilience aspects will help you improve your cyber-resilience, but it is not sufficient. Efforts to do so must go hand-in-hand with efforts to ensure the appropriate protection and monitoring of your IT systems. Hopefully, this will help you avoid having to trigger these plans in the first place. So, keep up the hard work!

Cet article Cyber-resilience lessons learned: the latest UK developments est apparu en premier sur RiskInsight.

Find out more about cybersecurity trends with Wavestone’s CISO radar.

C for Cyber-resilience

Wannacry and NotPetya have demonstrated a malware’s ability to destroy whole sections of information systems in a few hours, with hundreds of millions of dollars of damage for the companies caught out. Until then, this destructive threat was usually considered theoretical. 2018’s going to have to be the year for large companies to define their cyber-resilience strategies. Two main types of action are expected. The first aims to limit the occurrence of this type of attack with, for the most advanced, a focus on securing suppliers. It’s important to note that NotPetya was initially spread by duping a third-party software provider (MeDoc) which became a Trojan horse that easily entered the information system. This is an attack technique to be considered today when assessing the threat. The second type of action aims at managing a cyber-crisis and particularly how to prepare to rebuild the information system at speed in case of a successful attack.

C for Compliance

This cannot not have eluded anyone working in the field: 25^th May, 2018 will be D-day for compliance with EU personal data regulations. Are we going to see a surge of investigation or the first data leakage notifications straight away? Might we have to wait a few months? Either way, 2018 will be strongly marked by compliance projects. Beyond GDPR and sector-specific texts such as PSD2, it’s the arrival of the NIS directive, its transposition into each countries law and the upcoming identification of the concerned companies that will take on the regulatory focus. This subject, essentially European but transposed nationally, may also have significant impacts on the location of certain digital services. In fact, since the security rules and requirements could vary between European countries, it’ll be necessary to watch out in case “cybersecurity dumping” starts to appear.

C for Cognitive

Artificial intelligence has certainly been the buzzword of 2017. But in the field, machine learning technologies have already proven themselves and brought tangible results. This is especially true for combatting fraud via digital channels. Given the volumes and responsiveness requirements, these technologies provide solutions where conventional methods have reached their limit. Authentication management is another domain that could benefit from these advances with the implementation of a system that’s biometric and/or that dynamically adapts the level of requirements according to the user’s actions. However, these technologies are not yet fully mature on cybersecurity surveillance topics but 2018 should see some major advances in this area. And without waiting for end-to-end automated solutions to arrive straight off, carrying out some early tests on artificial intelligence’s contribution to incident management and resolution could help open up the subject.

C for C-Level

2017 has marked a real change of dimension in the relationship between cybersecurity and the C‑suite. In almost 25% of French CAC 40 firms, massive security programmes are in place with investments above €50m. These programmes are followed directly by the top management. It’s a real change of posture for the information security, which will have to show the actions carried out with these budgets in 2018 have been effective. And the task isn’t simple in the security context where talented staff are hard to come by then retain, but also where one flaw replaces another and strategy can be challenged by a major incident. Plenty educational work and a demonstration of risk control will be expected. For those who have not yet crossed the C-suite threshold, the current context has never been so conducive for highlighting this subject. Certainly incidents, with more and more media attention and ever greater financial impacts, can help. But it is mainly benchmarking investments made by other large groups that can be a catalyst. 2018 will be an opportunity for many to obtain the funding needed to set up a serious programme to transform cybersecurity.

C for Confidence

Trust in digital has become a key asset for many brands. This trust is increasingly expected by customers who are growing more sensitive to such issues. This confidence is built through transparency and the ability to manage one’s own data. New solutions are appearing, particularly in customer identity management (CIAM). But this trust is also a way stand out in digital and get ahead of the game. Some major brands have understood this and use this argument to differentiate themselves not only from close competitors but also from the Net giants against whom they regularly have to defend their traditional territory. Today we’re still lacking simple symbols of this trust, such as a certification or a label, but perhaps 2018 will see work underway in France and the rest of Europe move in that direction.

C for Customer

For a few years, cyber strategies have focused on securing data. But with the advent of digital transformation, CISOs need to change their posture and put customers at the heart of their thinking. Adopting a “client-centric” strategy will help to shed light on the real contributions that the cyber-security sector brings in providing of new services and protecting customers’ interests.

Without a doubt, 2018’s going to be a key year for cybersecurity and digital trust. A year when we’ll have to reinvent the ways we work in order to win high-level support whilst getting some return on security investments, especially the client-related ones. Society as a whole is increasingly aware and attentive to cyber security issues. Let’s take advantage, to turn this context into an opportunity!

Cet article The 6 Cs for Cybersecurity in 2018 est apparu en premier sur RiskInsight.

Learn more on http://bit.ly/wavestone-cyber-resilience

Cet article NotPetya: 5 months later, what are the impacts? est apparu en premier sur RiskInsight.

Strengthening crisis management

Cyber crises are specific: they are often long (several weeks) and sometimes difficult to grasp (what has the attacker been able to do? For how long? What is the impact?). Often, affected external parties such as lawyers, authorities, suppliers, and sometimes even clients themselves are not well-prepared on the subject matter. Thus, it is necessary to adjust existing plans that have not been designed to cater to the cyber threat aspects.

Even if they is an operational player in cyber crisis management, the CIO should not be over-utilized in either the investigation or the defense measures if it is detrimental to overall production and recovery. Anticipation of these kinds of measures is vital to the recovery effort.  It is necessary to clearly identify the teams which need to be mobilized to respond to the crisis in a timely manner, and to organize the parallel interventions on both the investigation and the construction of the defense plan.

Beyond the organizational point of view, the CIO will have to ensure that they also have the investigation tools (mapping, search for attack signature, independent crisis management IS, capability to analyze unknown malware, etc.), remediation tools (Capabilities to rapidly deploy technical corrections, fragmentation of the IS to save what could be saved, IS surveillance toolkit) and reconstruction tools (access to backup, access to minimal documentation, capabilities to deploy workstation) required to understand the position the attacker took in the IS, to repel it and to ensure it doesn’t return.

Writing a crisis management guide that defines the essential steps, the macro-level responsibilities, and the key decision points can be done as an added bonus. With that, it is essential to conduct crisis exercises to ensure readiness for when one actually occurs.

Here is a functional integrity control chain :

Rethinking continuity plans

Continuity plans have to evolve to adapt to cyberthreats. Sometimes, this means they may have to be completely rebuilt.

There are many possible solutions that can cover all types of continuity plans.

The user recovery plan, for example, can evolve to integrate USB keys containing an alternative system which could be used in case of logical destruction of employee workstations. Some organizations have also decided to provision an allotted number of workstations directly with their suppliers to have them delivered quickly in case of physical destruction.

The IT continuity plan, on the other hand, can include new solutions which could be efficient in the event of a cyberattack. The most publicized one aims to build “non- similar facilities” by duplicating an application without using the same software, operating system, or production teams. It is an extreme solution, very costly and difficult to maintain, but one that is considered for specific, critical applications in the financial industry – most notably, payment system infrastructure.

Other less complex solutions such as adding functional integrity control in the business process have also been considered. The concept relies on the implementation of regular controls, at various levels and at different places within the application chain (“multi-level controls”). This enables quick detection of attacks. An alert could be raised in case of an interaction with technical layers, such as a modification of a value directly inside a database, without passing through regular business workflows (via graphical interfaces), for example. In another case, these mechanisms can also be applied to infrastructure systems by reconciling admin account creation request tickets with the number of accounts really in the system.

As a more intermediate complexity level solution, it is possible to implement a “floodgate”, or as a system and network isolation zone. This floodgate – for example, the industrial IS – can be activated in the event of an attack and could isolate the most sensitive systems from the rest of the IS.

These, often major, evolutions must be part of an existing recovery strategy review so that one can assess their vulnerability and the interest of deploying new cyber-resilience solutions, particularly on the most critical systems. The evolution of Business Impact Analysis (BIA) to include this dimension can be a key first step.

Without cybersecurity, cyber-resilience is nothing

Implementing these new cyber-resilience measures requires significant efforts. Note that these efforts can be wasted if both these recovery solutions and the regular systems are not already appropriately secured and under detailed surveillance. The CISO is the key player to ensure that these often started but rarely finalized initiatives come to fruition. Help from the Risk Manager (RM), or the Business Continuity Manager (BCM) if such a position is in place, will be valuable. It is widely acknowledged today that it is impossible to secure a system 100%, which means that organizations have to accept the inevitability of an attack occurring, at which moment the RM or the BCM will make full use of their role.

Protect, detect, respond, remediate, and rebuild. These are the pillars of a strong cyber-resilience program which can only be attained if the BCM and the CISO roles combine their full range of capabilities and work hard, hand-in-hand!

Cet article Cyber-resilience: bend without breaking (2/2) est apparu en premier sur RiskInsight.

When confronted with a major cyber attack, whether destructive or leading to a loss of trust in vital systems, the first reaction of a majority of companies is to activate their business continuity plan (BCP). This strategic element of resiliency is enacted  to ensure the organization’s survival against disasters whose magnitude causes computing resources, communication infrastructures, buildings, and possibly even users to be unavailable.

Yet major cyber attacks, have not been taken into account when developing most BCPs, even though they can be as destructive in scale as either Wannacry or NotPetya, or, more often, lead to a loss of trust in the basic components of the infrastructure (network, access control, inventory, etc.). By Focusing on an availability agenda, organizations fail to address the issue arising from the simultaneous destruction or the loss of confidence in Information System (IS) caused by cyber attacks.

Moreover, these IS continuity plans are frequently intimately linked to the resources they protect and are equally affected by the attacks. For over a decade, continuity processes (either user fallback or IT recovery) have adopted principles of infrastructure pooling and “hot” recovery to cope with both rapid business recovery and the need for better operability.

In effect, this « proximity » between the regular IS and its recovery counterpart makes continuity plans vulnerable to cyber attacks.

What vulnerabilities in business continuity systems?

As an example, various dedicated and connected recovery stations of fallback sites were contaminated by NotPetya and were useless for the remediation.

Legacy « cold » recovery/emergency plans (often consisting  of activating a recovery system in case of incident) concern fewer and fewer applications, and the remaining ones are often secondary.

Unfortunately, when dealing with a deep compromise of systems, backups often onboard malevolent elements such as malwares, base camps, or modifications meticulously operated by attackers beforehand, due to the fact that intrusions go undetected for long period of time (detection often happens hundreds of days following the initial infection). Not to mention that the continuity of the backup systems themselves is often neglected. During the management of the NotPetya crisis, the backup management servers were also destroyed. Restoring them took several days, due to their complexity and nested nature within the information system; an ActiveDirectory was necessary to launch the restorations while the ActiveDirectory backup was a prerequisite to rebuild it.

The same findings hold for industrial IS. Industrial digital systems are resilient against technical breakdowns or anticipated mechanical incidents. However, they were rarely designed with the consideration of the possibility of human malice and as a result often lack advanced security systems. To compound on this, industrial IS has lifecycles of several decades which expose them to old vulnerabilities. Finally, the independence of control channels from the digital systems which they oversee is not always implemented.

Two illustrated major attack scenarii

Logical destruction or the unavailability of a large chunck of an Information System

Made real by attacks from true-false ransomware, Wannacry and NotPetya. This type of attack causes mass unavailability of services due to the encryption of data files and/or the operating system. The companies affected by this attack (Merck, Maersk, Saint Gobain, Fedex… as well as Sony Pictures and Saudi Amramco) lost up to 95% of their Information Systems (tens of thousands of computers and servers) in a timeframe that often lasts less than an hour. At the start of such crisis, the situation is highly difficult since there is no longer any means of communication or exchange mechanism within the affected company, including ISD. Victims have outlined losses of several hundred of million euros following these attacks.

A compromise and loss of confidence in Information Systems

It concerns a targeted attack does not challenge the proper functioning of the system. Rather, it aims to give attackers access to all of the company’s information systems (email and messaging, files, business applications, etc.) allowing them to steal the identity of any employee and carry out actions in their name. The attackers may then extract any type of data or carry out business actions which require several successive validations. These attacks affected a large number of companies across all sectors incurring massive fraud as a result, including the bank of Banglasdesh. These attacks also affected financial and payment data theft as was the case for several distribution groups in the United States including Target and Home Depot. The situation at the start of the crisis is complex since there is no confidence in the Information System and there is considerable uncertainty about what the attacker could do and their motives. It involves quietly investigating until being able to remove the attacker and rebuild a secure system. Victims affected by these attacks have also reported financial impacts worth several hundred million euros.

Cet article Cyber-resilience: bend without breaking (1/2) est apparu en premier sur RiskInsight.

Muscler la gestion de crise

Les crises cyber sont des crises particulières : souvent longues (plusieurs semaines), parfois difficiles à cerner (qu’a pu faire l’attaquant ? depuis combien de temps ? quels sont les impacts ?) et impliquant des parties externes elles-mêmes souvent peu préparées sur ce sujet (avocats, huissiers, autorités, fournisseurs, voire les clients…). Il est donc nécessaire d’ajuster les dispositifs existants qui n’ont pas été conçus pour intégrer la dimension cyber.

Acteur opérationnel de la gestion de la crise cyber, la DSI ne doit pas être sur-mobilisée sur l’investigation et la défense au détriment de la production et du secours. Cet aspect constitue un point d’anticipation important à ne pas négliger. Il s’agira donc d’identifier clairement les équipes à mobiliser sur la crise et d’organiser les interventions parallèles d’investigation et de construction de plan de défense.

Au-delà de l’aspect organisationnel, il faudra s’assurer de disposer également de l’outillage d’investigation (cartographie, recherche de signature de l’attaque, SI de gestion de crise indépendant, capacité d’analyse de malware inconnu…), d’assainissement (capacité de déploiement rapide de correctifs ou de « vaccin », isolation en urgence de portions non touchées du SI, isolation réseau…) et de reconstruction (accès rapide aux sauvegardes, accès aux documentations minimum de reconstruction, support des fournisseurs clés sur le SI, capacité à réinstaller massivement des postes de travail…) requis pour comprendre la position de l’attaquant, stopper sa propagation et faire repartir au plus vite l’activité.

La définition d’un guide de gestion de crise, définissant les étapes structurantes, les responsabilités macroscopiques et les points de clés de décision sera un plus. Et parce qu’il est primordial de s’exercer en amont afin d’être prêt le jour où il faut faire face à la crise, la réalisation d’exercice de crise sera un bon révélateur de la situation réelle.

Repenser les dispositifs de continuité

Les dispositifs de continuité doivent également évoluer pour s’adapter aux menaces cyber. Les solutions possibles sont nombreuses et peuvent toucher tous les types de dispositifs de continuité. Le plan de reprise utilisateur peut intégrer par exemple la mise à disposition de clés USB avec un système alternatif. Les collaborateurs pourraient l’utiliser en cas de destruction logique de leur poste de travail.

Certains établissements ont fait le choix de provisionner des volumes de postes de travail de remplacement directement avec leurs fournisseurs de matériel afin de les délivrer rapidement en cas de destruction physique.

Le plan de continuité informatique peut inclure de nouvelles solutions pour être efficace en cas de cyberattaque. La plus emblématique vise à construire des chaînes applicatives alternatives. Il s’agit de « dupliquer » une application sans utiliser les mêmes logiciels, systèmes d’exploitation et équipes de production. C’est une solution extrême, très coûteuse et difficile à maintenir, mais qui est envisagée pour certaines applications critiques dans le monde de la finance (notamment les infrastructures de paiement à caractère systémique).

D’autres solutions moins complexes sont envisagées. Il s’agit par exemple de l’ajout de contrôle fonctionnel d’intégrité dans le processus métier. Son concept repose sur la réalisation de contrôles réguliers, à différents niveaux et à différents endroits dans la chaîne applicative (« multi-level controls »). Ceci permet de détecter rapidement des attaques qui toucheraient par exemple les couches techniques (modification d’une valeur directement dans une base de données) sans avoir été réalisées par les actions métier classiques (via les interfaces graphiques). Ces mécanismes peuvent aussi s’appliquer aux systèmes d’infrastructures, par exemple en réconciliant les tickets de demande de création de compte d’administration avec le nombre de comptes réellement dans le système.

D’un niveau de complexité intermédiaire, il est possible d’envisager la définition de zone d’isolation système et réseau (« floodgate ») que l’on peut activer en cas d’attaques et qui vont isoler les systèmes les plus sensibles du reste du SI. Le SI industriel pourra, à ce titre, constituer à lui seul, une de ces zones d’isolation vis-à-vis du reste du SI.

Ces évolutions, souvent majeures, doivent s’inscrire dans une revue des stratégies de secours existantes afin d’évaluer leur vulnérabilité et l’intérêt de déployer des nouvelles solutions de cyber-résilience, en particulier sur les systèmes les plus critiques. L’évolution des Business Impact Analysis (BIA) pour inclure cette dimension est certainement une première étape clé.

Sans cybersécurité, la cyber-résilience n’est rien

Implémenter ces nouvelles mesures de cyber-résilience nécessite des efforts importants. Des efforts qui seront vains si ces solutions de secours et les systèmes nominaux ne sont pas eux-mêmes déjà sécurisés correctement et surveillés avec attention. Le RSSI est l’acteur clé pour faire aboutir ces démarches souvent entamées mais rarement finalisées. L’aide du Risk Manager (RM) – ou, s’il est désigné, son Responsable du Plan de Continuité d’Activité (RPCA) – sera alors un plus. Il est aujourd’hui communément acquis qu’il est impossible de sécuriser des systèmes à 100%, il faut donc accepter la probabilité d’occurrence d’une attaque et c’est à ce moment-là que le RM ou son RPCA prendra tout son rôle.

Cet article est issu de notre focus “Cyber-résilience : plier pour ne pas rompre“.

Cet article Cyber-résilience : plier pour ne pas rompre (2/2) est apparu en premier sur RiskInsight.

Face à une cyberattaque majeure, qu’elle soit destructive ou qu’elle entraîne une perte de confiance dans les systèmes clés, le premier réflexe pour une majorité d’entreprises est d’activer le plan de continuité d’activité (PCA). Celui-ci est un élément majeur de la stratégie de résilience des organisations ; afin d’en assurer la survie lorsque surviennent des sinistres d’ampleur entraînant l’indisponibilité de ressources informatiques, d’infrastructures de communication, d’immeubles voire de collaborateurs.

Or les cyberattaques majeures, destructives comme Wannacry ou NotPetya ou provoquant une perte de confiance dans les infrastructures (réseau, gestion des accès, gestion du parc…) comme les attaques ciblées en profondeur (APT), n’ont pas été prises en compte lors de l’élaboration de la majorité des PCA. Ces derniers, focalisés sur un enjeu de disponibilité, n’appréhendent pas les problématiques de la destruction simultanée et de la perte de confiance dans le SI induites par les cyberattaques.

En effet, les dispositifs de continuité du SI, le plus souvent liés aux ressources qu’ils protègent, sont également affectés par ces attaques. Depuis plus de dix ans, les dispositifs de continuité (utilisateurs ou informatiques) ont adopté les principes de mutualisation des infrastructures et de secours « à chaud » à la fois pour répondre aux exigences de reprise rapide et d’une meilleure exploitabilité. De fait, cette « proximité » entre le SI nominal et son secours rend vulnérables les dispositifs de continuité aux cyberattaques.

Quelles vulnérabilités pour les dispositifs de continuité ?

À titre d’exemple, lors d’une intervention de crise suite à l’attaque NotPetya, l’idée d’utiliser les postes de secours présents sur le site de repli a très rapidement été évoquée. Malheureusement ceux-ci avaient été détruits de la même manière que les sites nominaux car ils partageaient les mêmes systèmes de gestion de parcs et les mêmes vulnérabilités. Les investissements et les efforts investis dans les dispositifs de continuité ont semblé à ce moment très vains.

Enfin, les sauvegardes, établies sur une base souvent quotidienne, constituent pour la plupart des organisations le dispositif de dernier recours pour reconstruire le SI.

Malheureusement, en cas de compromission en profondeur, du fait de l’antériorité de l’intrusion (souvent plusieurs centaines de jours avant sa détection), ces sauvegardes embarquent de fait les éléments malveillants : malwares, camps de base, mais aussi les modifications déjà opérées par les attaquants. De plus, la continuité en tant que telle des systèmes de sauvegarde est souvent négligée. Lors de gestion de crise sur NotPetya, les serveurs gérant les sauvegardes ont eux-mêmes été détruits. Les restaurer a pris plusieurs jours vu leur complexité et leur imbrication dans le SI (nécessité de disposer d’un ActiveDirectory pour lancer des restaurations alors que la sauvegarde de l’AD était nécessaire pour le reconstruire, reconstruction de l’index des bandes de sauvegardes détruit avec le reste…).

S’agissant des SI industriels, les constats sont tout aussi manifestes. Les systèmes numériques industriels sont résilients à des pannes techniques ou des incidents mécaniques anticipés. En revanche, ils n’ont que rarement intégré, dès leur conception, les potentialités d’une malveillance humaine et ne disposent souvent pas de mécanismes de sécurité avancés. Du reste, leur cycle de vie long (plusieurs dizaines d’années) les expose à l’exploitation de vulnérabilités parfois anciennes. Enfin l’indépendance des chaînes de contrôle (Systèmes Instrumentés de Sécurité, cf. encadré ci-après) vis-à- vis des systèmes numériques qu’elles supervisent n’est pas toujours appliquée.

Des scénarios d’attaques majeures illustrés par des attaques récentes

La destruction logique ou l’indisponibilité d’une grande partie du système d’information.

Concrétisé par les attaques de vrai-faux rançongiciels Wannacry et NotPetya, ce type d’attaque entraîne une indisponibilité massive du fait du chiffrement des fichiers de données et/ou du système d’exploitation. Les sociétés touchées par ce type d’attaque (Merck, Maersk, Saint Gobain, Fedex… mais aussi Sony Pictures ou Saudi Aramco) ont perdu jusqu’à plus de 95% de leurs systèmes d’information (des dizaines de milliers d’ordinateurs et de serveurs) en un délai souvent inférieur à 1h. La situation au démarrage de la crise est très difficile car il n’y a plus aucun moyen de communication et d’échange au sein de l’entreprise, y compris au sein de la DSI. Les victimes ont communiqué sur des pertes de plusieurs centaines de millions d’euros suite à ces attaques.

La compromission et la perte de confiance dans le système d’information

Il s’agit d’attaques ciblées qui ne remettent en pas en cause le bon fonctionnement du système mais qui visent à donner aux attaquants l’accès à l’ensemble des systèmes de l’entreprise (messagerie, fichiers, applications métiers…), leur permettent d’usurper l’identité de n’importe quel employé et de réaliser des actions en leur nom. Les attaquants peuvent ainsi exfiltrer tout type de données ou réaliser des actions métiers demandant plusieurs validations successives. Ces attaques ont touché de très nombreuses entreprises dans tous les secteurs avec comme conséquences des fraudes massives, comme celles ayant touché la banque du Bangladesh, ou des vols de données financières et de paiements comme celles ayant touchés plusieurs groupes de distribution aux Etats-Unis dont Target ou encore Home Depot. La situation au démarrage de la crise est complexe en raison d’une conjugaison de plusieurs éléments aggravants : perte de confiance dans le système d’information et flou grandissant sur les actions et objectifs. Il s’agit alors d’investiguer discrètement jusqu’à pouvoir déloger l’attaquant et reconstruire un système sain. Les victimes touchées par ces attaques ont fait état d’impacts financiers de plusieurs centaines de millions d’euros.

Cet article est issu de notre focus “Cyber-résilience : plier pour ne pas rompre“.

Cet article Cyber-résilience : plier pour ne pas rompre (1/2) est apparu en premier sur RiskInsight.

Le cyberespace, talon d’Achille de l’Europe

En l’absence de sécurité suffisante, cette dépendance des États comme des entreprises peut rapidement se transformer en talon d’Achille. Elle peut en effet offrir à des individus, des organisations ou des États la possibilité de voler des secrets industriels ou des données en grande quantité, de détourner des fonds ou, pire, de détruire le potentiel économique ou de survie d’un État.

À titre d’exemple, en 2015 au Royaume-Uni, 90% des grandes entreprises et 74% des petites entreprises ont subi une cyberattaque. Par ailleurs – en guise d’illustration des conséquences financières atteignables – la cyberattaque subie par Talk Talk lui a couté au total plus de 75 millions d’euros. Enfin, la cyberattaque contre la centrale électrique ukrainienne démontre parfaitement le caractère potentiellement destructeur pour les États des cyberattaques contre leurs infrastructures critiques.

Face à un cyberespace qui est autant créateur de richesses que source de menaces, comment l’Union européenne prépare-t-elle sa cyber protection ?

Entre hétérogénéité, volonté d’harmonisation et désir de coopération

Aujourd’hui, l’Europe de la cybersécurité repose essentiellement sur des États européens qui avancent en ordre dispersé lorsqu’il s’agit de se prémunir contre les cybermenaces ; il existe en effet une forte hétérogénéité entre les pays membres dans leur sensibilité et leur niveau de préparation en matière de cybersécurité, et peu d’initiatives associant deux ou plusieurs États sont mises en œuvre.

Sans surprise, la question de la cybersécurité se pose avec plus d’acuité aux principales puissances économiques et militaires européennes, qui ont le plus d’intérêt et le plus de capacités financières et technologiques pour se prémunir contre les menaces venues du cyberespace.

Avec le Royaume-Uni et l’Allemagne, la France fait partie de ces États, créant dès 2008 l’ANSSI , l’autorité étatique dédiée à la cybersécurité, et se dotant dès 2013 d’un cadre juridique imposant aux Opérateurs d’Importance Vitale de protéger leurs systèmes d’importance vitale (article 22 de la loi de programmation militaire). À cela s’ajoute la mise en œuvre de moyens civils et militaires dédiés à la protection contre les cybermenaces.

Outre-Rhin nous pourrions par exemple citer une loi adoptée en 2015 visant à accroître la cybersécurité des OIV allemands, ainsi que la coopération étroite qui lie l’ANSSI et son homologue allemand, le BSI (Bundesamt für Sicherheit in der Informationstechnik), depuis plus de cinq ans.

Outre-Manche le gouvernement britannique a annoncé en 2015, 1,9 milliards de livres sur cinq ans pour renforcer la cybersécurité du pays.
Depuis quelques années, et face aux enjeux économiques que représente la cybersécurité pour la communauté européenne, les autorités de l’Union entendent participer davantage à la protection contre les cybermenaces, notamment en harmonisant la législation.

Depuis 2005, la Convention de Budapest , conçue par le Conseil de l’Europe, fournit par ratification à tout pays une trame et des outils juridiques leur permettant de mieux se prémunir contre la cybercriminalité.

Par ailleurs, la directive Network and Information Systems (NIS), prochainement adoptée, harmonisera automatiquement à l’échelle européenne les obligations des opérateurs de services essentiels (dénomination issue de la directive NIS) pour la protection de leurs systèmes d’information. Dans le même temps le futur règlement européen sur la protection des données personnelles devrait accroître la maîtrise des organisations sur les données qu’elles collectent, traitent et stockent, et donc limiter les conséquences des cyberattaques en terme de fuite.

Enfin, il a été annoncé par la Commission européenne lors du FIC 2016 que la cybersécurité fera, dans un avenir proche, de plus en plus partie des textes européens à portée sectorielle.

La directive NIS définit en outre une gouvernance européenne de la cybersécurité, inédite et résolument tournée vers la coopération entre les instances européennes (Commission européenne, ENISA – Agence Européenne chargée de la sécurité des réseaux et de l’information -, CERT-EU – Computer Emergency Response Team -)  et entre les États membres.

Deux nouveaux organes seront donc créés :

• Un groupe de coopération chargé de soutenir et de faciliter la coopération stratégique entre les États membres, notamment à travers l’échange d’informations et de bonnes pratiques. Ce groupe réunira la Commission européenne, l’ENISA et les représentants des États membres.
• Un réseau de CSIRTs (Computer Security Incident Response Team), regroupant le CERT-EU et le CSIRT de chaque État membre dont l’existence est rendue obligatoire par la directive. Il est chargé de promouvoir la coopération opérationnelle entre les États membres. L’ENISA assurera le secrétariat de ce réseau et la Commission européenne aura un statut d’observateur.

Des défis qui appellent une volonté politique commune

Ces initiatives européennes – complémentaires des initiatives des États les plus avancés en matière de cybersécurité – sont évidemment salutaires, mais ne doivent pas faire oublier les défis, politiques et économiques, que l’Europe devra dépasser afin de disposer d’une cybersécurité efficace et assurant sa cyber résilience.

Au défi que pose la coopération de 28 États membres s’ajoute la question des moyens qui permettront sa mise en œuvre effective, tant au niveau stratégique qu’opérationnel. Nul doute que les États déjà en avance pérenniseront leurs efforts. Mais quid des autres États, les plus nombreux : mobiliseront-ils les moyens suffisants pour se protéger ? La problématique des moyens se pose aussi au niveau de la gouvernance européenne : à titre d’exemple le budget de l’ENISA est de seulement 10,1 millions d’euros. Ce budget est-il réellement à la hauteur des enjeux ?

Par ailleurs, comment envisager une Europe de la cybersécurité sans une véritable industrie européenne de la cybersécurité ? De l’aveu de la Commission européenne, l’offre européenne est encore trop fragmentée et portée par des acteurs qui n’ont pas encore atteint une taille suffisante, portant préjudice à leur compétitivité face aux multinationales, américaines notamment. Mais une industrie suffisamment puissante économiquement, sachant produire des produits et services européens, est aussi un enjeu de souveraineté. À l’heure de la compétition économique mondiale, peut-on bâtir une Europe de la cybersécurité avec du matériel et des services chinois ou américains ?

On ne peut que saluer les efforts que compte produire l’Europe en matière de cybersécurité dans les prochaines années. Stimulé par des cybermenaces toujours plus nombreuses, ce projet pourra-t-il s’appuyer sur une volonté politique et des actions communes et durables ? Ou bien la dynamique européenne lancée s’essoufflera-t-elle faute d’une volonté politique commune suffisante, laissant les États membres en ordre dispersé au sujet de la cybersécurité, à l’image de l’Europe de la sécurité ou de la défense ?

Cet article L’Europe de la cybersécurité : peut-on y croire ? est apparu en premier sur RiskInsight.

Les cyberattaques mettent en lumière les limites de la résilience actuelle et des plans de continuité d’activité

La continuité d’activité est souvent présentée comme un des éléments majeurs de la stratégie de résilience des organisations. Ainsi, face à des sinistres d’ampleur entraînant l’indisponibilité de ressources informatiques, d’infrastructures de communication, d’immeubles voire de collaborateurs, les organisations se sont dotées de plans de continuité d’activité (PCA) de manière à assurer leur survie.

Or les cyber-attaques, dans leur forme moderne, n’ont pas été prises en compte lors de l’élaboration de la majorité des PCA. Ces derniers focalisés sur un enjeu de disponibilité, n’appréhendent pas la problématique de perte de confiance dans le SI induite par les cyber-attaques.

De plus, les dispositifs de continuité du SI, le plus souvent intiment liés aux ressources qu’ils protègent, sont également affectés par ces attaques. En effet, depuis plus d’une décennie, les dispositifs de continuité (repli utilisateurs ou secours informatique) ont adopté les principes de mutualisation des infrastructures et de secours « à chaud » à la fois pour répondre aux exigences de reprise rapide des métiers et au besoin d’une meilleure exploitabilité. De fait, cette « proximité » entre le SI nominal et son secours rend vulnérables les dispositifs de continuité aux cyber-attaques. A titre d’exemple, les postes de secours dédiés et connectés des sites de repli sont aujourd’hui très souvent exposés aux mêmes risques de contamination (et destruction) que les postes nominaux.

Les historiques plans de reprise/secours « à froid » (consistant souvent à activer les systèmes de secours en cas d’incident) concernent désormais de moins en moins d’applications, et il s’agit souvent d’applications secondaires.

Enfin, les sauvegardes, établies sur une base souvent quotidienne, constituent pour la plupart des organisations le dispositif de dernier recours pour reconstruire le SI. Malheureusement, du fait de l’antériorité de l’intrusion (souvent plusieurs centaines de jours avant sa détection), ces sauvegardes embarquent de fait les éléments de compromission : malwares, camps de base, mais aussi les modifications déjà opérées par les attaquants.

La gestion de crise et les dispositifs de continuité doivent être repensés

Les crises cyber sont des crises particulières : souvent longues (plusieurs semaines), parfois difficiles à cerner (qu’a pu faire l’attaquant ? depuis combien de temps ? quels sont les impacts ?) et impliquant des parties externes (autorités, fournisseurs…) eux-mêmes souvent peu préparés sur ce sujet. Ces éléments démontrent qu’il est nécessaire d’ajuster les dispositifs existants. Un des thèmes vise à anticiper des astreintes et des rotations des personnels clés. Au-delà de l’aspect interne, il faudra s’assurer de disposer également des expertises en SSI (investigation numérique, méthode d’attaque…) et de l’outillage de recherche et d’assainissement requis pour comprendre la position prise par l’attaquant dans un SI toujours plus grand et dont les frontières sont de plus en plus difficiles à déterminer. Et parce qu’il est primordial de s’exercer en amont afin d’être prêt le jour où il faut faire face à la crise et anticiper certaines réponses, la réalisation d’exercice de crise sera un bon révélateur de la situation réelle.

Dans ce contexte, les dispositifs de continuité doivent également évoluer, voire être complètement repensés. Les solutions possibles sont nombreuses, nous pouvons citer en particulier la construction de chaînes applicatives alternatives (non similar facilities), visant à « dupliquer » une application sans utiliser les mêmes logiciels, systèmes d’exploitation et équipes de production. Il s’agit là d’une solution ultime, envisagée pour certaines applications critiques dans le monde de la finance. D’autres solutions, moins complexes, comme l’ajout de contrôle fonctionnel d’intégrité dans le processus métier pour détecter rapidement une attaque (multi-levels controls) ou encore la définition de zone d’isolation système et réseau (floodgate) sont possibles.

Ces évolutions, souvent majeures, doivent s’inscrire dans une revue des stratégies de secours existantes afin d’évaluer leur vulnérabilité et l’intérêt de déployer des nouvelles solutions de cyber-résilience, en particulier sur les systèmes les plus critiques. L’évolution des Business Impact Analysis (BIA) pour inclure cette dimension est certainement une première étape clé.

Sans cybersécurité, la cyber-résilence n’est rien

Implémenter ces nouvelles mesures de cyber-résilience nécessite des efforts importants. Des efforts qui seront vains si ces solutions de secours et les systèmes nominaux ne sont pas déjà sécurisés correctement et surveillés avec attention. Le RSSI est l’acteur clé pour faire aboutir ces démarches souvent entamées mais rarement finalisées. L’aide du Responsable du Plan de Continuité d’Activité (RPCA) sera alors un plus ! Il est aujourd’hui impossible de sécuriser des systèmes à 100%, il faut donc accepter la probabilité d’occurrence d’une attaque et c’est à ce moment-là que le RPCA prendra tout son rôle.

Protéger, détecter, réagir, assainir et reconstruire, voilà donc les piliers d’une cyber-résilience solide. Cyber-résilience qui ne pourra être atteinte que si le RPCA et le RSSI travaillent main dans la main !

Cet article Cyber-résilience : allier les forces du RPCA et du RSSI pour franchir une nouvelle étape est apparu en premier sur RiskInsight.