Sh*t Happens (Managing The Impact of Cyber Security Incidents).
If the past 12 to 18 months have taught us anything, it is that there is a certain inevitability associated with the ‘bad guys’ gaining access to data.
The days of doing what you thought was enough to protect your most vital data with a ‘hard outer layer’ are over. The goal posts have been moved by a number of factors, for instance ‘hacktivism’, terrorism and others more political in nature.
Blurring Threat Surface
Information and cyber security have always been about some simple maths based on how valuable your data is and what percentage of that value you’re willing to spend on protecting said data. Most organisations, public and private sector, focus the majority of their security budget on preventative measures such as the good ol’ firewall. The problem is that whereas in the past this was maybe enough to hold off casual hackers, the threat surface has been blurred by more determined groups or individuals, often acting for well-funded criminal or state sponsors. In addition, the exploitation of vulnerabilities has become more accessible through publicly available, ‘point and click’ tools – a ‘script kiddies’ playground if you like.
Getting The Basics Right
It is not all doom and gloom, however, and organisations should not simply ‘down tools’ when dealing with the impact of cyber security incidents. It is more a matter of getting the basics right (still having a decent set of front-line controls) and realigning resources to place a little more emphasis on detecting and managing a compromise and its potential impact.
In essence there is a need to look at the balance of preventative, detective and corrective measures (stopping, finding and recovering). In most organisations, this balance will be weighted in favour of the first line of defence and preventative measures such as firewalls and anti-malware products. This doesn’t mean that organisations should spend less on such ‘traditional’ security controls, more that they should not look to spend the equivalent of Greece’s national debt to purchase the next perimeter security appliance.
The neglected siblings of the information security space are often protective monitoring (e.g. logging, auditing and alerting) and incident management. One should also not underestimate the part that press liaison has to play within the incident management regime.
Being able to identify key assets/data and related functionality to access said data can result in an understanding of activities or actions that can be monitored and alerted upon, so that urgent actions can be taken to limit and therefore manage the impact of cyber security incidents.
Consider a business critical database that contains customer records comprised of personal data. Establishing key facts such as the standard operating hours (for gaining access) and the amount of data viewable within a single transaction will allow you to define thresholds (i.e. acceptable behaviour). Variations or exceptions to these thresholds can then be logged and, crucially, alerted upon, in order to contain or limit suspected data breaches. Data Leakage Prevention (DLP) technology deployed in the right places can also constrain access to (and export of) business critical data.
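The threshold approach just described, turned into working detection logic, as an added example that is not part of the original article: the audit-log format, the operating-hours window (08:00 to 18:00 UTC), the per-transaction row limit (500) and the allowlisted backup account are all assumptions constructed for illustration, not values from any real system. Out-of-hours access and bulk reads of the customer table each raise an alert, and the allowlist only exempts a service account from the hours check, so a bulk export under that account still alerts.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit-log lines (not captured from a real database).
SAMPLE_LOG = """\
2015-03-02T09:14:05Z user=alice action=SELECT table=customers rows=12
2015-03-02T11:47:51Z user=bob action=SELECT table=customers rows=40
2015-03-02T02:05:33Z user=bob action=SELECT table=customers rows=35
2015-03-02T14:22:10Z user=carol action=SELECT table=customers rows=25000
2015-03-02T23:58:01Z user=svc_backup action=SELECT table=customers rows=180000
2015-03-02T10:03:12Z user=alice action=UPDATE table=orders rows=3
"""

# Assumed log format: "<ISO timestamp> user=<u> action=<a> table=<t> rows=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Policy thresholds: assumed values defining 'acceptable behaviour'.
OPERATING_HOURS = (8, 18)            # 08:00 inclusive to 18:00 exclusive, UTC
MAX_ROWS_PER_TXN = 500               # records viewable in one transaction
MONITORED_TABLES = {"customers"}     # the business critical data
ALLOWLIST_OUT_OF_HOURS = {"svc_backup"}  # scheduled job, exempt from hours check only


def parse_line(line):
    """Parse one audit-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    ev["rows"] = int(ev["rows"])
    return ev


def evaluate(event):
    """Return the list of threshold violations for one event (empty if acceptable)."""
    reasons = []
    if event["table"] not in MONITORED_TABLES:
        return reasons
    start, end = OPERATING_HOURS
    in_hours = start <= event["ts"].hour < end
    if not in_hours and event["user"] not in ALLOWLIST_OUT_OF_HOURS:
        reasons.append("out_of_hours")
    # The volume check applies to everyone, allowlisted accounts included.
    if event["rows"] > MAX_ROWS_PER_TXN:
        reasons.append("bulk_read")
    return reasons


def scan(log_text):
    """Run the thresholds over a whole log and return the alerts raised, in order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a real deployment would count these too
        reasons = evaluate(ev)
        if reasons:
            alerts.append(
                {
                    "ts": ev["ts"].isoformat(),
                    "user": ev["user"],
                    "rows": ev["rows"],
                    "reasons": reasons,
                }
            )
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running the block over the constructed log raises three alerts: bob's 02:05 read (out of hours), carol's 25,000-row read (bulk read) and the backup account's 180,000-row read (bulk read, since the allowlist does not cover volume). The thresholds are deliberately simple; the point is that they are derived from facts the organisation already knows about its own data and working patterns.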
The information obtained from effective logging and monitoring can then also be used to inform those involved in dealing with the press, so that the appropriate message is conveyed in a timely and accurate manner in order to retain confidence, particularly where your customers are the public. This is crucial, as more often than not, the length of time taken to establish the root cause or extent of a data breach, coupled with the accuracy of press briefings, is a good pointer towards the maturity (and effectiveness) of an organisation’s logging, auditing and monitoring regime.
At the end of the day s*it happens, and if someone has sufficient capability and motivation, they will get in; organisations need to start thinking about how they can reduce and therefore manage the impact of cyber security incidents and ultimately (manage) the spread of the brown stuff.