© Copyright, Risk Masters, Inc. 2013. All rights reserved.

Preparing to recover from a cyber attack

Oct 19, 2014

Page 1: Preparing to recover from a cyber attack

Recovering from a Cyber-Attack

Why you need to prepare

What you need to do

Page 2: Preparing to recover from a cyber attack

Cyber-Recovery: Executive Summary

The Problem

• Cyber-Attacks are a continuous threat – some might succeed

• How will you operate and recover following a successful attack?

The Risks

• Meeting obligations to your clients, suppliers and staff

• Financial and property losses

• Reputational losses

• Regulatory compliance

The Strategy

• Increase the Cyber-Resilience of your Infrastructure

• Have a Cyber-Recovery Plan in addition to BCP/DR plans

Being Prepared

• Organize

• Plan

• Transform

• Validate

Page 3: Preparing to recover from a cyber attack

Risk Masters, Inc.

The Problem

Page 4: Preparing to recover from a cyber attack

The Cyber-Recovery Problem

Cyberattacks are a continuous threat, and some may succeed

• How will you operate securely and recover quickly following a successful attack?

• How will you mitigate the legal, regulatory, financial and operational risks of a successful attack?

Page 5: Preparing to recover from a cyber attack

Every Day You Are Under Attack

Page 6: Preparing to recover from a cyber attack

Your Defenses are Ready…

But How Secure Are You?

Page 7: Preparing to recover from a cyber attack

Some Attacks Succeed…

Page 8: Preparing to recover from a cyber attack

A Breach Leads to Many Risks

• Can you meet obligations to your clients, suppliers and staff?

• What would the financial and property losses be?

• And what about reputational losses?

Page 9: Preparing to recover from a cyber attack


The Risks

Page 10: Preparing to recover from a cyber attack

When an Attack Breaches Your Defenses…

• Are you prepared to operate and recover?

• Can you protect the privacy of your staff and clients?

• Can you meet your obligations to your clients?

• Will your insurance cover you?

• Does your BCP/DR plan address Cyber-Recovery?

Page 11: Preparing to recover from a cyber attack

A Breach Puts Privacy at Risk

• You have legal and contractual requirements to protect the privacy and confidential information of your staff and clients.

– Your business reputation may be compromised by the exposure of such information

• When you cannot trust your computer systems, how can you assure privacy and confidentiality?

Can you protect the privacy of your staff and your clients?

Page 12: Preparing to recover from a cyber attack

A Breach Puts Delivery at Risk

• You have products and services to deliver every day – and your staff and clients depend on these.

• When you cannot trust your computer systems, how can you be sure that you can meet your commitments?

– What will be your liability for failing to do so?

Can you meet your obligations to your staff and clients?

Page 13: Preparing to recover from a cyber attack

A Breach Creates Financial Risk

Will your insurance cover you?

Sony is still awaiting the final tally for losses related to its data breaches earlier this year. At last count, it had 100 million compromised customer accounts, and Sony anticipated the debacle would cost $200 million. With 58 class-action suits in the works, that may be wishful thinking. But what about Sony’s insurance coverage? Sony’s insurer said the company did not have a cyber insurance policy. It said Sony’s policy only covered tangible losses like property damage, not cyber incidents.

Cyber Insurance—Mitigating Loss from Cyber Attacks (Perspectives on Insurance Recovery Newsletter - 2012)

The market is rapidly growing for insurance that is specifically meant to cover losses arising out of cyber attacks and other privacy and data security breaches. These policies are marketed under names like "cyber-liability insurance," "privacy breach insurance" and "network security insurance."

• Costs may be high

• Insurance is Complex

• Insurance may not Cover

Page 14: Preparing to recover from a cyber attack

A Breach Needs to be Reversed

• A Cyber-Attack compromises your trust in your computer systems

– But BCP/DR recovers from loss of use of facilities, infrastructure, technology and physical resources

– Can you trust that your BCP/DR resources will be unexposed or survive a cyber attack?

Does your BCP/DR plan address Cyber-Recovery?

Page 15: Preparing to recover from a cyber attack


The Strategy

Page 16: Preparing to recover from a cyber attack

A Strategy for Cyber-Recovery

• How can you increase the Cyber-Resilience of your infrastructure?

• Do you have a Cyber-Recovery Plan in addition to or as part of your BCP/DR plans?

Page 17: Preparing to recover from a cyber attack

Are You Prepared to Respond?

• Is your infrastructure Cyber-Resilient?

– Is the effect of an attack contained by architectural features and operational procedures that limit damage, or does the attack run freely?

• Is your BCP/DR plan Cyber-Resilient?

– Will critical systems and communications that you are relying on fail due to an attack?

– Do support agreements (e.g., hosting, insurance) cover cyber-recovery?

• Does your BCP/DR address cyber-attacks?

– Are your policies and procedures aligned with assurances of safety, or are you backing up the attacker to restore it during your recovery?

Page 18: Preparing to recover from a cyber attack

Cyber-Resilience: Mitigating a Breach

• Traditional cyber-defense is built as a “fortress perimeter”

– Networks were not designed to be cyber-resilient

– Cyber-defenses (e.g., barriers, detection) were added to existing networks

• Fortress defenses are limited

– They do not readily keep up with attackers

– They encumber users (access controls, BYOD limits)

• Networks can be designed with cyber-resilience

Page 19: Preparing to recover from a cyber attack

Components of Cyber-Resilience

• Segmentation: Distinct and critical services that need to be secured are isolated in multiple secure zones with air-gaps and sterile zones

• Hardening: Applications and infrastructure are Internet-hardened

• Dispersal: Public facing services and non-proprietary content may be hosted in public clouds, while sensitive content may be secured in distinct protected zones and content accessed only through secure transactions.

• Synchronization: Operational activities (e.g., releases, imaging, builds, backup, versioning, retention) are synchronized with integrity validation processes (quarantine, virus scanning/cleansing, etc…)

Page 20: Preparing to recover from a cyber attack

Segmentation - Example

Implementing a network as separate and distinct networks that are secured from each other provides organic resilience

Page 21: Preparing to recover from a cyber attack


Being Prepared

Page 22: Preparing to recover from a cyber attack

Being Prepared for Cyber-Recovery

Your checklist for Cyber-Recovery:

• Organize

• Plan

• Transform

• Validate

Page 23: Preparing to recover from a cyber attack

Planning for Cyber-Recovery

• Organize

• Plan

• Transform

• Validate

Page 24: Preparing to recover from a cyber attack

Planning for Cyber-Recovery: Organize

Develop an organizational structure to lead recovery activities before and after an attack

Page 25: Preparing to recover from a cyber attack

Planning for Cyber-Recovery: Plan

• Assess current state of readiness

– Review prevention and recovery plans

– Evaluate operational integrity

– Test readiness and effectiveness

• Design cyber-resilience into your infrastructure and operating model

– Bulkheads, compartments, isolation

– Align operating cycles (e.g., backup) with processing that establishes trust in your infrastructure

• Develop a recovery plan

Page 26: Preparing to recover from a cyber attack

Planning for Cyber-Recovery: Transform

• Implement the changes necessary to achieve

– Cyber-resilience

– Cyber-recoverability

Page 27: Preparing to recover from a cyber attack

Planning for Cyber-Recovery: Validate

• Test your plan

– Randomly test components throughout the year

– Periodically test large-scale integrated components, and the whole system

• During your tests...

– Recognize that systems are under attack

– Contain the damage, prevent its spread, remove the agents

– Restore trusted software and data from a trusted image

– Manage the consequences, minimize its impact, communicate effectively

Page 28: Preparing to recover from a cyber attack

A Recovery - Example

Response Activities to Hacker Attack

• A virus or Trojan horse sits in a latent state after being planted by the intruder. This corruption may not manifest itself for days, weeks or even months after infection.

• Corporate IT has established an isolated network in HQ that will resist external intrusion and perform daily chronological image backups for critical system and application servers.

• When corruption has been identified, operators will take action to isolate the problem.

• Client must wait on vendor distribution of a virus signature that will permit inspection of backups for possible infection.

• Once a signature is delivered, Client must run a job to scan image backups chronologically backward in order to identify a “trusted image” from which infected servers can be restored.

• Corporate IT will restore infected server(s) from trusted image backups and resume IT services.

[Diagram: Corporate IT Data Center (HQ). Components shown: Corporate IT “Gold Network”, firewalls, System/Application Servers, link to Plant IT Network, Symantec Bare Metal Restore Server, EMC VNX (image storage), Virus/Trojan Signature from Vendor.]

[Timeline: Recovery Time from Trojan Attack. Axis: Expected Recovery Time (in calendar days), 1 to 14. Marked: Undetected Latent Threat; Day “0” Trusted Backup.]

NOTE: This illustration assumes a Trojan attack whose presence remains latent for seven (7) days.
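
The backward scan of daily image backups described in this recovery example, sketched in Python as an added illustration (it is not Risk Masters' or any vendor's code). It assumes images are readable as bytes, the vendor signature is a plain byte pattern, and a SHA-256 digest was recorded when each image was written; all names and sample data are constructed.

```python
# Added example: walk daily image backups newest-to-oldest to find a trusted image.
# Assumptions: byte-pattern signature, SHA-256 digest recorded at backup time.
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class ImageBackup:
    taken_on: date
    data: bytes
    recorded_sha256: str  # digest stored separately when the image was written


def make_backup(taken_on: date, data: bytes) -> ImageBackup:
    return ImageBackup(taken_on, data, hashlib.sha256(data).hexdigest())


def find_trusted_image(backups, signature: bytes) -> Optional[ImageBackup]:
    """Return the newest image that is intact and does not match the signature."""
    if not signature:
        raise ValueError("empty signature would match every image")
    for image in sorted(backups, key=lambda b: b.taken_on, reverse=True):
        if hashlib.sha256(image.data).hexdigest() != image.recorded_sha256:
            continue  # altered after it was written: cannot be trusted
        if signature in image.data:
            continue  # infected: keep walking backward
        return image
    return None  # latency exceeded retention: no trusted image on hand


def data_loss_days(trusted: ImageBackup, detected_on: date) -> int:
    """Calendar days of changes lost by restoring from the trusted image."""
    return (detected_on - trusted.taken_on).days


# Constructed sample: 14 daily images; the implant is present in the last 7.
SIGNATURE = b"\xde\xad\xbe\xefTROJAN"  # constructed, not a real signature
START = date(2014, 1, 1)
SAMPLE = [
    make_backup(START + timedelta(days=d),
                b"os+apps day %d" % d + (SIGNATURE if d >= 7 else b""))
    for d in range(14)
]

if __name__ == "__main__":
    trusted = find_trusted_image(SAMPLE, SIGNATURE)
    print(trusted.taken_on, data_loss_days(trusted, SAMPLE[-1].taken_on))
```

A `None` result means the infection predates the oldest retained image, so backup retention has to exceed the latency period the plan expects.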