By B.K. DeLong
The ever increasing list of breaches appearing on the Open Security Foundation’s DataLossDB Web site as well as companies being targeted by the AntiSec movement made up of groups including recently-raided Anonymous, AnonOps, TeaMp0isoN, and now-dormant LulzSec continues to show that no organization is immune to successful penetration from cyberthreats.
In this case, the examples are more extreme- military contractor Booz Allen Hamilton recently had the emails and passwords of 90,000 servicemen & women posted to the Web, biotech giant Monsanto had employee PII leaked, a massive theft of PII from Sony causing it to shutdown the PlayStation Network (PSN) for 3 weeks and company stock to drop 16% throughout the process., a public of usernames & passwords for members of FBI-affiliated industry organization Infragard while even the U.S. Senate and CIA were targeted for successful attacks.
In spending the last several years talking to senior information security executives and professionals, the focus always seems to be about securing the network or (in the case of virtualization and migration to cloud-based offerings) critical digital assets wherever they may be. Everyone wanted to have discussions around the latest on what was working and what was not strategy-wise.
When the topic of incident response would come up, it was usually with regard to compliance mandate and the least amount of investment was put into something that was often not quantifiable – for if it were, the belief seemed to be that it was admitting poor risk posture.
Michael Tiffany, Chief Architect at Recursion Ventures pointed out in a recent panel talk at the Potomac Institute alongside former CIA Director Gen. Michael Hayden that “good incident response also raises the defensive bar in that the uncertainty involved in attack raises its cost. Defensive technologies like firewalls are easy to obtain, analyze, and understand. Moreover, attackers usually know when they have succeeded,” explains Tiffany.
“In contrast, it’s much harder to analyze and understand an organization’s incident response plans and capabilities. In practice, this alters the risk/reward equation in the defending organization’s favor,” says Tiffany. “For an example, look at attacks from the APT or other advanced threats, which take a long time to build up capabilities to breach layered defenses one by one. They are an attractive option for people looking to reach a large but well-protected prize.”
“Well-developed incident response/recovery plans and procedures raise the chances of detection and counter-action at some point after a layered attack has commenced but before the final defensive layer has been breached and the prize obtained (the RSA breach comes to mind as a good example),” points out Tiffany. “That raised risk of detection may increase the real risk of getting caught, or, more likely, it may increase the perceived cost of the attack from the attacker’s perspective, because of the heightened chance that the entire effort is blown before yielding anything worthwhile. Therefore investing more money into response and recovery can strongly improve an organization’s risk posture.”
By not being prepared when a security event occurs, companies and organizations are setting themselves up for massive amount of time, resource and overall monetary spend in both response and recovery. Once a true incident is finally detected, there’s the necessary forensics that may need to happen at great haste depending on industry regulation to ensure a fast response. If the organizational network, services, servers and applications are slowed or shut down in any way during this process, getting them back online in a timely manner is critical to business continuity and profitability to mitigate the loss against the spend on the incident response itself.
After the details are ascertained and law enforcement begins any relevant investigation, the additional internal IT response must occur to shore up defenses where the attackers got in and mitigate any future similar means of exploiting weaknesses.
Finally, regulatory requirements with regard to state and industry breach or information loss reporting need to be responded to, often in a specific, often limited amount of time after the event is discovered.
What it comes down to is doing a truly holistic risk assessment that takes into account the following:
● Organizational critical business assets
● The asset value to the company
● What it presently costs to secure those assets
● What would happen if those assets were –
● Lost (regarding reporting requirements/card reissuing)
● Stolen (intellectual property and competitor being faster-to-market), or
● Taken Offline (an e-commerce Web site or any company that relies on network access to get anything done)
● What it would cost the company in both incident response and business continuity/disaster recovery should something happen to those assets.
Then knowing that there is a strong chance that true, full security is rapidly becoming illusory, if the cost of asset compromise becomes greater than the defense of the asset or the asset itself, far more steps need to be taken within the company to be prepared for any eventuality of an incident occurring.
Some things that can be done to mitigate this habitual rut include:
1. Make sure you have solid incident response and business continuity and disaster recovery (BCDR) plans and conduct a business impact assessment (BIA) – this will help determine potential costs and timelines should something occur, giving a starting point for reduction of risk and spend. Read the “Incident Response Fundamentals” blog series from Rich Mogull and Mike Rothman of Securosis to get a strong baseline for what should be within your initial plan.
2. Collect metrics at all levels – technical, operational, and managerial – in an effort to enumerate the risks and their cost to be able to communicate it effectively to company management.
3. Work to show company management why proactive spending can result in cost-savings in the immediate, short and long-term and bolstering the organizational risk posture in this way will save the company a lot of money should something happen- like an insurance policy but better.
4. Work to implement both incident response and BCDR plans, run drills within the scope of several scenarios making use of any internal Red Team/Blue Teams or an external 3rd party company skilled in testing such preparedness. This will ensure organizational readiness being in-line with plan expectations and that it is realistic based on organizational needs.
5. Investigate the variety of offerings on the market such as the data loss SaaS management platform from start-up Co3 Systems and the various cloud-based BCDR solutions from companies such as IBM, Iron Mountain and Asigra. Be sure to not only research what you read in industry publications and analyst reports but talk to your peers who are utilizing these services or who have gone through proof of concepts (PoCs) already and made a selection for the best possible insight on what’s working and what’s not.
What it comes down to is companies and organizations moving out of the mindset that preparing for the possibility that an incident will occur is tantamount to admission of weakness. Not doing so is proving for organization after organization to be costly both monetarily and reputation-wise as well as heavily damaging to their risk posture. Companies need to also understand that just because they don’t believe they fit within a high-profile target or risk matrix does not mean they will not be attacked.
The AntiSec movement has little logic to who they are going after and just like the breaches that are occurring on a daily basis, the smaller ones that aren’t driven by attention seekers are not high-profile as recently written up in the Wall Street Journal – it was the same when so-called “script kiddies” were defacing Web sites. The high-profile attackers would go after the big targets like Microsoft, the U.S. Senate, Oracle, Amazon.ca and other large sites and others would go after whole hosting providers, taking out over 100-200 small, unknown Web sites at a time.
Never think you’re immune because if attackers can get into the high profile targets, there’s always a chance someone can get into your network or access your critical assets. Be prepared and ready when they do, lowering the cost of response and recovery in the process.
B.K. DeLong is an independent security consultant based in the Boston area.