What can I do about the Cyber threat?

Threats, whether they are cyber, physical, or natural, and whether they are real or imagined, come in all flavors and varieties. The reality of these threats for most people in the business world is that you can’t control them and often you won’t see them coming, even as they are realized. We are all about keeping you a going concern, so our approach is a balanced and diverse one.

Key in this philosophy is ensuring that your business has a complete plan. This includes information security, physical security, technology disaster recovery, and business continuity planning, all working in an integrated fashion. We are going to explore in the next few pages how this can be accomplished when the threat is a cyber threat (one coming at us through the internet or any other form of technology). To keep it simple, we are including viruses and malicious code as a cyber threat, even though purists would not necessarily agree with that position. We do so because malicious code is often the vehicle that a cyber threat exploits, and you need to be fully prepared for that situation.

Who or what is this threat? As we stated in the last paragraph, many of us have already experienced the pain and suffering caused by malicious code – viruses, worms, etc.

These can destroy data, slow down the network, steal data, and compromise confidential or private information. Any one of these threats is serious enough by itself, and a single threat, or worse yet any combination of two or more, can be confusing to any business. Another threat is focused hacking, whether done by disgruntled groups and activists, conducted intentionally by state-sponsored groups as part of a governmental program, or carried out by competitors and others in the global business world looking for an edge. The level of sophistication is extremely high; there is even software available that lets novices use the same techniques as professional hackers.

From a business perspective, cyber threats are very real and must be addressed. What do we do? Often, we just tell our security professionals or our IT manager to make sure we have antivirus and internet security running on our systems and think we are protected from these types of threats. While important and helpful, that alone will not provide the protection you need in today’s intense cyber warfare battlegrounds, and a battleground is the analogy you should have in mind when approaching this topic.

Cyberspace has become a war zone. You are trying to conduct your business affairs, and the cyber criminals, terrorists, or spies are doing their best either to prevent that from happening or to profit from your systems and data. To counter this threat, you need to accept that your defenses may be broken at some point. If they are, you must be able to limit the damage, determine what was done, recover as quickly as possible, and update your defenses as needed.

What do these defenses look like? Antivirus, internet security, and network security programs are just a beginning. We need to have access control and understand what data is being stored in the systems. Do we have privacy data (names, addresses, phone numbers, etc.), financial data (credit card numbers, SSNs, etc.), or health information (HIPAA data, disease data, insurance data, etc.)? If we do, all of this information carries regulatory and statutory requirements to provide protection. It must be stored in a manner that makes it difficult to release accidentally, yet it must be accessible to our employees as needed to perform their jobs. This is not a trivial problem and needs to be part of the overall design and architecture of the data center. As much as we would like to be able to say, “here’s the exact way to do the design,” it isn’t that simple. A plan must be built that addresses the combination of the data you have to protect, the protection method(s) that work best for you, and your budget. Information security needs to be designed into the system and its components. As threat sophistication increases and as the regulatory landscape changes, your overall design will also need to change in order to remain current and viable.

We need to be able to know when we are under attack and to stop attacks in progress. For that, intrusion detection and network monitoring tools are needed. Again, this is not a trivial issue, and it is one that needs to be designed into our network and data center operations. Add-on programs may work, but often they have not been installed in a manner that provides enough coverage or protection. It is important to spend the time to design security into the operation; this approach will pay dividends.

All the security we put into our data centers will fail at some point. It is more than likely that we will miss a patch and leave a vulnerability for a hacker to exploit, or that a new update from our software supplier will have a bug or hole in it; the reasons for the failures will be many, but how far a failure goes and what it damages can be controlled and managed. For instance, if we have private data encrypted, then even if it has been compromised it may not be usable to the hacker. If we segregate our network into subnets, merely having network access will not immediately or easily grant access to the financial network subnet. These levels or layers of control are all part of a well-managed data center. Again, these things generally don’t happen by accident and require a plan and design to ensure proper implementation. This is where all the things we don’t really want to address (change management; splitting production, development, and test environments; document control and management; and storage management) must come into the picture.

Finally, when something does go wrong, we need to be able to limit the damage, isolate the situation, and recover our operations quickly and efficiently. We may not know how something was done to us, but we can determine the point of entry, restore our operations, lock down the weak spots, and bring our systems back online to resume operations as quickly as we can, and certainly as quickly as we have determined we must. Our data center design must have ways to detect malicious code and not allow it to spread through the primary and backup sites. We must also have a disaster recovery program in place that is tested and designed to recover the critical systems according to an established set of priorities. (Note: one test is usually not enough. The number of changes to our systems and configurations mandates that we have a thorough and disciplined testing process if we hope to be able to recover when a problem is realized.)

This cyber threat thing may seem a bit overwhelming. If you look at the full scope, going from nothing to being fully prepared, it is overwhelming. However, as with many things in business, and especially continuity planning, we build our defenses and resiliency processes over time, iteratively and with a sequence of many smaller steps. What many of us often forget to do is determine the end goal; from there, we can have a designed approach and a build process to achieve that end goal. Without understanding where you need to be and what it should look like when you get there, this cyber threat program may end up costing too much and still be full of holes and gaps that do not provide the level of protection we need. That is why cyber security is one of those programs where having some external help really makes good sense and is cost effective.

The external viewpoint will more easily see the forest of your entire system rather than just the trees of each part of it. The top-down view enables a layered security and protection approach to be designed and built; the tree-level focus can then be used to implement the design on each application or server in your enterprise. If you have no security and protection, can you build it over a multi-year period? Yes, but you must also realize what risks you are accepting for your enterprise during an extended building period.

Assuming a start-from-scratch approach, are there things you must have right away? We say yes. You need a good firewall system, antivirus, and anti-malware at a bare minimum. You must have at least a rudimentary wall established to keep the outside world from running through your systems. Credentials for users should be the next step; that is, the user ID and password that most of us must use when accessing systems. Dividing the information and applications into areas and partitioning those areas makes it harder for a hacker to have total system access after breaking into one portion of the network. (Can you see yet how a plan and roadmap are important?) You also need policies for updating and patching your applications and operating systems as new holes and problems are discovered, which happens on a regular basis. Without a patch management process, you will be vulnerable to attacks.

Beyond those basic steps you can look at intrusion prevention and intrusion detection, but each approach and tool available really needs to be modeled and designed into your architecture to be effective. Yes, you need a plan and design by this point. That design also needs to be integrated with the other components of your overall cyber threat management program. Those include your disaster recovery (DR) plans for the technologies and systems that support your business, and a continuity program to keep your business functioning not only through an attack but afterwards as well.

While some may wish to argue the point, we have found that for many businesses disaster recovery planning is the easier of the two plans to put into place. It is true that the methods of recovery are fairly well established once you have a system design and architecture that meets your operational requirements; however, to build just the DR plan would be a mistake. Just as you need layers of cyber security, the continuity of operations should also be layered. Technology may not be the only thing that fails, or it may not recover in the time frames you want. The technology may not have all the data ready for you to use when you try to get it restarted. Leaving the cyber realm, real-world disasters (natural and man-made) must be in your planning as well. Continuity planning includes both the technology plans and the business plans, and it cannot be complete until the two are working together harmoniously. In this discussion, we are not going into the emergency response and crisis management components that a robust continuity program must also include, because we are trying to limit the focus to the cyber threat and its IT implications.

Interestingly enough, the more high-availability and zero-downtime requirements you have, the more likely a cyber threat can bring your business to a standstill. In most technology designs, when you have high-availability requirements, the design includes redundancy and real-time mirroring of data. This design will propagate a problem throughout the high-availability architecture very quickly. This is where the quandary strikes home. To be ready and available for the threats we face on a daily basis (equipment failures, power failures, and infrastructure failures) we need to design for our data to be in many places simultaneously and to be replicated on a transaction-by-transaction basis. With regard to a cyber threat, that design can help spread the problem almost instantly throughout the technology. Are we advocating not using these highly available techniques and processes? Absolutely not! These are essential elements of the design architecture. What we are saying is that your design needs to recognize that one of these cyber threats would require us to recover in other ways, ways that can restore us to a point before the attack began yet retain as much of our data as possible. We also need to have a process in place for rebuilding any data that may be missing. As you are probably realizing, the recovery design is no easier than the architecture and design of the systems, and both need to be worked on together so the actual operation will function as required.

If you do all these things and have a well-designed technology operation that includes access control, security, change management, patch management, firewalls, intrusion detection, and a designed DR and BCP program, will you be fully protected? NO, but you will be able to recognize the problem unfolding, limit your losses and stop the event, recover your technology, and be able to continue your business as you work your way back from the cyber event.

Our parting advice: No matter what your plan is, you have to exercise it to keep it current and updated in order for it to work as designed.

Contributors: Fred Klapetzky, CISSP; Dawn Moyer, CBCP