The worst happens. What next?
The aftermath of a breach
The information security industry spends around £40 billion a year on prevention and detection, but once a system is breached only about £1 billion a year is spent on clean-up crews and the like for remediation, says John Bruce, CEO of Co3, talking to SC Magazine UK: “It's a system out of balance.”
It's not just spending, but also planning that is lacking, as Alan Calder, founder and executive chairman, IT Governance Ltd, tells SC Magazine UK: “We expect that robust defences will protect us from attacks, and fail to prepare for when a breach does occur. What organisations should be aiming for is cyber resilience – the ability to respond to and recover from cyber-attacks. However effective you may think your outward-facing defences are, today's cyber attacker will find a way in – and, if you have made no preparations for responding to a breach, you will suffer severe damage.”
And you are more likely to be breached than not.
Gov.co.uk reports that last year 81 percent of large corporations and 60 percent of small businesses reported a cyber breach. The Verizon 2014 Data Breach Investigation Report shows that in 2013 there were 63,437 known cyber incidents, caused mostly by hacking and malware. In the first half of 2014, more than 375 million customer records had been stolen or lost as a result of 559 breaches worldwide, according to the SafeNet Breach Level Index (BLI) – and that was before the alleged 1.2 billion password credentials stolen in the August CyberVor hack. And one in five organisations has experienced an APT (Advanced Persistent Threat) attack, according to the ISACA 2014 APT survey.
Calder describes cyber resilience as ensuring that the threat is countered at each stage and advises: “To begin, an information security regime protects the organisation's information from a host of threats and mitigates vulnerabilities. This is expanded through the application of cyber risk controls, which can be drawn from a multitude of sources depending on your organisation's needs and practices. When an attack is identified – which will happen sooner if your controls are rigorous – your incident response procedures kick in, isolating the attack surface, quarantining systems, and preserving security for areas as yet unaffected. With the attack neutralised or stalled, business continuity plans can be invoked to minimise ongoing damage and return the organisation to full functionality as quickly as possible.”
In his Black Hat 2014 talk entitled “The State of Incident Response,” security guru Bruce Schneier, CTO of Co3 Systems, agreed that hackers will invariably breach networks, but said it is what comes next that really matters. Schneier proposed a four-step approach: observe, contextualise, decide, and act.
Chris McIntosh, CEO of security and satellite communications company ViaSat UK, tells SC: “Following a breach, organisations need to swiftly identify the cause of the breach and mitigate the threat as soon as possible. Attackers will generally go for the weakest point in a system, whether this is a back-door to the network or through a member of the organisation. Ensure that all passwords are changed immediately, that all sensitive data is moved to an encrypted device, that all points of the network can be trusted, that any vulnerabilities are closed off and that attacks do not continue unnoticed.”
McIntosh also notes that: “Resolving the immediate vulnerabilities following a breach is not the end of the story: organisations need to put best practice in place to protect data and ensure a similar attack does not happen again. This is especially true if they are to avoid costly fines and undertakings from organisations such as the Information Commissioner's Office. The ‘three Ps' of process, people and planning are essential in forming a robust cyber-security strategy. At the same time, best practice precautions are useless if nobody follows them: education is key if workers are to put this into practice and understand the importance of protecting the data of the organisation and its customers.”
Everyone agrees you need a plan of action, and there are playbooks out there from the likes of SANS, but Jay Isaacson, director of product management for Credit Union Protection at CUNA Mutual Group, notes: “It's not enough to have a plan, you have to test the plan too. NCUA examinations now will include an assessment of a credit union's ability to assess and mitigate cyber security risks and respond to cyber security incidents.” Isaacson suggests assembling a data security incident response team and naming a chief security officer.
Jimmy (Azeem) Bashir, a principal consultant CISO at Fujitsu, certainly agrees, noting, “People don't know how to lead incident management response. If a virus outbreak happens – who is in charge? What do you do? It's all well and good if you've outsourced to a specialist, but if you've got it in-house, what do you do, who leads it? Is it the head of IT, the CISO, the services director, the chief exec? Who makes the decision to shut the network down for example? Can you get hold of the right people? Is that structure even set up? Have you tested it out? Do you actually do dry runs?”
John Bruce, CEO of Co3 Systems, also endorses dry runs, telling SC: “Some say, ‘We don't get many attacks' and so don't do it. Some large companies are not equipped to manage incidents despite spending a lot on prevention.”
Bruce adds: “We encourage an attack-type exercise to build in institutional capacity, ‘muscle memory', build a competency that improves every time you practice it. And there's an analogue for process too. Simulate what you are going to face. Generally security teams are working flat out. And generally the person who picks up the ticket does something different from the last guy. And that's no way to build institutional capacity. If the fire brigade was like that, most of London would have burnt down by now. They have drills and are taught the right way to carry out their tasks. And yet in security we've never provisioned the users with that capability.
“But you have to drill good habits. It's tough to find the time to drill, but in the cyber world, we primarily learn by experience,” he says, adding that drilling and automating that knowledge is preferable.
Bashir points out that you also need to be prepared for the fact that “an incident can happen at any time,” and describes to SC how testing should reflect that reality.