2014 made it clear that cybercrime affects everyone. From retailers to banks, consumer goods companies and health care, there isn't an industry left untouched by cybercriminals looking to disrupt, steal or embarrass. So what has to change? The recent Sony attack and countless other examples point to the need for board members and executives to consider cybersecurity under the concept of risk management and business resilience.
After all, when it comes to business resilience, most cybersecurity practitioners traditionally think of continuity or disaster recovery. However, in today's online world the term "availability" does not just apply to systems with an IT function. It also applies to the people, processes and technology that drive brand equity. In short, business resiliency is an organization's ability to recognize and weather a cyber storm, to be in a position to reduce the organization's exposure to harm and, most importantly, to quickly pivot when necessary.
The legal and liability landscape is also shifting to a business resilience state of operation as more members of the board, risk committees and risk executives are becoming accountable for business resilience -- either through regulatory efforts or litigation with consumers, shareholders, regulators and business partners after a breach.
Regulators and insurers don't expect companies to be immune to risk, but due diligence and due care is expected to mitigate cyber risks, which requires complete context around the risks they face. This includes high level understanding of who may target you (Actor), what they are after (Target), any consequences if they succeed (Effect), and how they would commit the cybercrime (Practice). Let's illustrate those elements using the Sony attack:
Actor: Hacktivism' with Nation-State sponsorship
Groups like the Guardians of the Peace (GOP) and the Syrian Electronic Army represent an interesting new trend: hacktivism with nation-state sponsorship. These groups use many tactics typical of hacktivists (data leaks, website defacement, etc.) but are directly and/or indirectly supported by a nation state. In Sony's case, it looks like GOP (and whomever is ultimately responsible) used malware, data destruction and data leaks to disrupt and destroy.
While response actions made by Sony are not fully disclosed, examples of indicators and countermeasures companies in a similar situation could have considered include:
- Increased discussion and/or threats of attacks on social media or underground channels
- Attempts to launch distributed denial-of-service attacks
- Defacement of the public facing websites
- Threats or actions that expose and organizations' stolen information
- Increase situational awareness of geopolitical and social impacts of an organization's actions
- Know what assets within an organization have the potential to trigger a negative response from a hacktivist or nation-state actor
- Understand and pre-plan for cyber, brand and public relations consequences
- Deploy anti-phishing technologies
Key Lessons for the Risk Executive: Broaden the sphere of knowledge to the risk landscape beyond what has traditionally been an IT-based discipline. Too often organizations fall into the trap of looking at only the bits and bytes, but it is critical to understand who is attacking you and why. Remember, cyber-attacks are conducted by humans who are driven by a desire to have your data. Monitor social media accounts or statements of groups that may pose a threat. Take extortion threats seriously. The malicious actor who breached Sony is said to have sent executives an email three days prior to the initial leaks.
Targets: Employee data, IP, documents and email
While financial breaches and stolen payment card data dominate the news, most organizations have a plethora of other data cybercriminals want. In the case of Sony, employees had their personal information stolen, including banking information, passport and Social Security numbers and medical records. Intellectual property was also compromised, including several unreleased movies, scripts and television programs. Company documents were also apparently stolen, including thousands of passwords to various services and large amounts of email.
It's worth noting that theft of non-public data, even if it's not highly confidential, can lead to problems. In Sony's case, the leaked internal email led to reputation damage and other potential complications for future projects.
- Cybercriminals and hacktivists will often sell stolen data on the underground or leak it via social media
- Court cases continue to define the extent of protections like cyber insurance around data that is stolen and/or leaked
- Stay attuned to the threat landscape and what data is being targeted at organizations similar to yours
- Don't store excess data
- Classify all of your data and understand the level of protection required by both the law and your organization's risk tolerance
- Understand that less protected data like email may be targeted and used to damage an organization's brand
- Train employees on the levels of protection around various data types so they don't accidentally expose critical data in an unsafe way
Key Lessons for the Risk Executive:Classify major systems of record that, if breached, could cause a large amount of digital harm to your organization, such as systems that house personal information, health records, credit card numbers and intellectual property, and pre-plan Incident and breach response actions.
Effects: Data stolen/leaked, downtime, financial Loss
The effects from the Sony breach impacted everyone, from executives to employees. Confidential information was leaked online and several Sony employees are now suing the company as a result of the breach. Since news of the attack, Sony's stock prices has also dropped dramatically.
- Spike in data read volume
- Suspicious system file changes
- Unusual authentication and network traffic
- Monitor activity to catch spikes or abnormalities
- Control access by having increased controls like two-factor authentication on important data and services
- Encrypt data to protect it even after it is stolen
- Backup all important data
Key lessons for the Risk Executive:Ensure you have both an Incident Response (IRP) Plan as well as a Breach Response Plan (BRP) and they should be separate and distinct. Stages of transition from IR to BR should have identifiable decisions points contained within by role and level of authority. In many cases, organizations are introducing more liability to the organization by their actions post-breach in addition to harm caused by the breach itself.
Decision Point Focus in IR and BR Plans
Incident Response (Technical Effort): Detection - Analysis - Containment Eradication
Breach Response (Harm To): Legal - Partners - Customers- Regulators - Press/Media Employees
Practices: Unauthorized access, malware
The malware that is supposed to have been used in the Sony attack known as Destover or WIPER deletes and overwrites hard drives, destroys data and makes it extremely difficult and costly, if not impossible, to recover information using standard forensic methods. Specific numbers have not been publicly released, but the cost to Sony in hardware, software and data could be immense.
While the delivery mechanism of the malicious payload has not been publically released, it could come down to poorly managed access and privilege controls that allowed insiders unnecessary and dangerous levels of access to the corporate network. Physical access controls, sensitive data classification policies, data encryption and remote backups can all contribute to business resilience in an attack.
- Strange or altered device behavior (unprecedented slowness, erratic cursor etc.)
- Changes in network traffic and/or speed could point to data exfiltration or theft
- Increases in phishing and spam email levels may mean a targeted attack is underway
- Employees accessing physical or digital assets at odd times or outside their assigned areas of responsibility may mean stolen credentials stolen or insider theft
- Train employees to notice and report unusual events or device behaviors
- Monitor network traffic for irregularities in source, destination, and volume
- Keep software patched and updated
- Train employees to avoid and report phishing attempts, and follow up regularly with
Key Lessons for the Risk Executive:Take a hard look at what IT services should be operated in-house versus outsourced. By the time data-wiping malware or ransomware is detected, it is often too late to recover data. The least expensive and most reliable method to protect company data is to keep a regularly-updated remote backup or shift to a cloud provider. Core business applications such as email, HR/Payroll (ERP), user storage and other services of a similar nature can usually be outsourced to a trusted service provider hosted in the cloud that is cost effective.
Define and Manage
Adversaries are almost always after two capabilities: privilege escalation and freedom of movement. The challenges with denying both of these lies directly with corporate culture and how it relates to user convenience. The challenge is identifying the best position between secure and usable. Here's how to strike that balance:
- Engage in an honest discussion with business executives on the topic of secure versus usable and define what "well positioned" looks like for the organization based on internal and external liabilities.
- Conduct a data governance and threat assessment with a focus on business resilience. Attacks cannot always be prevented, and some level of resilience must be planned in the event of a successful assault. Joseph Demarest, assistant director of the FBI's cyber division, said of the Sony attack, "the malware that was used would have slipped or probably gotten past 90% of net defenses that are out there today in private industry and [likely] challenged even state government."
- Lastly, regardless of organizational size or regulatory requirement, establish a risk committee that has oversight of business resilience risks and make "cyber" a focal pillar of the overall enterprise risk management program reporting to the board.
Having a business resilience plan that includes cyber will not only save money on impacting events, but will also allow business to resume much more quickly than if data is lost or compromised.
Meyer is Chief Security Strategist at SurfWatch Labs, a cyber risk intelligence company. Prior to joining SurfWatch Labs, he was CISO at Washington Metropolitan Transit Authority, one the largest public transportation systems in the United States, and Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command, one of the Navy's premier engineering and acquisition commands. He may be reached at firstname.lastname@example.org