© Copyright, Risk Masters, Inc. 2013. All rights reserved.

Recovering from a Cyber-Attack
Why you need to prepare. What you need to do.
Oct 19, 2014
Cyber-Recovery: Executive Summary

The Problem: Cyber-Attacks are a continuous threat – some might succeed. How will you operate and recover following a successful attack?
The Risks: Meeting obligations to your clients, suppliers and staff; financial and property losses; reputational losses; regulatory compliance.
The Strategy: Increase the Cyber-Resilience of your infrastructure. Have a Cyber-Recovery Plan in addition to BCP/DR plans.
Being Prepared: Organize, Plan, Transform, Validate.
The Problem
The Cyber-Recovery Problem
Cyberattacks are a continuous threat, and some may succeed.
• How will you operate securely and recover quickly following a successful attack?
• How will you mitigate the legal, regulatory, financial and operational risks of a successful attack?
Every Day You Are Under Attack
Your Defenses are Ready… But How Secure Are You?
Some Attacks Succeed…

A Breach Leads to Many Risks
• Can you meet obligations to your clients, suppliers and staff?
• What would the financial and property losses be?
• And what about reputational losses?
The Risks
When an Attack Breaches Your Defenses…
• Are you prepared to operate and recover?
• Can you protect the privacy of your staff and clients?
• Can you meet your obligations to your clients?
• Will your insurance cover you?
• Does your BCP/DR plan address Cyber-Recovery?
A Breach Puts Privacy at Risk
• You have legal and contractual requirements to protect the privacy and confidential information of your staff and clients.
– Your business reputation may be compromised by the exposure of such information
• When you cannot trust your computer systems, how can you assure privacy and confidentiality?
Can you protect the privacy of your staff and your clients?

A Breach Puts Delivery at Risk
• You have products and services to deliver every day – and your staff and clients depend on these.
• When you cannot trust your computer systems, how can you be sure that you can meet your commitments?
– What will be your liability for failing to do so?
Can you meet your obligations to your staff and clients?

A Breach Creates Financial Risk
Will your insurance cover you?
“Sony is still awaiting the final tally for losses related to its data breaches earlier this year. At last count, it had 100 million compromised customer accounts, and Sony anticipated the debacle would cost $200 million. With 58 class-action suits in the works, that may be wishful thinking. But what about Sony’s insurance coverage? Sony’s insurer said the company did not have a cyber insurance policy. It said Sony’s policy only covered tangible losses like property damage, not cyber incidents.”

“The market is rapidly growing for insurance that is specifically meant to cover losses arising out of cyber attacks and other privacy and data security breaches. These policies are marketed under names like ‘cyber-liability insurance,’ ‘privacy breach insurance’ and ‘network security insurance.’” (Cyber Insurance—Mitigating Loss from Cyber Attacks, Perspectives on Insurance Recovery Newsletter, 2012)
Costs may be high. Insurance is complex. Insurance may not cover.

A Breach Needs to be Reversed
• A Cyber-Attack compromises your trust in your computer systems
– But BCP/DR recovers from loss of use of facilities, infrastructure, technology and physical resources
– Can you trust that your BCP/DR resources will be unexposed or survive a cyber attack?
Does your BCP/DR plan address Cyber-Recovery?

The Strategy

A Strategy for Cyber-Recovery
• How can you increase the Cyber-Resilience of your infrastructure?
• Do you have a Cyber-Recovery Plan in addition to or as part of your BCP/DR plans?
Are You Prepared to Respond?
• Is your infrastructure Cyber-Resilient?
– Is the effect of an attack contained by architectural features and operational procedures that limit damage, or does the attack run freely?
• Is your BCP/DR plan Cyber-Resilient?
– Will critical systems and communications that you are relying on fail due to an attack?
– Do support agreements (e.g.: hosting, insurance) cover cyber-recovery?
• Does your BCP/DR address cyber-attacks?
– Are your policies and procedures aligned with assurances of safety, or are you backing up the attacker to restore it during your recovery?
Cyber-Resilience: Mitigating a Breach
• Traditional cyber-defense is built as a “fortress perimeter”
– Networks were not designed to be cyber-resilient
– Cyber-defenses (e.g.: barriers, detection) were added to existing networks
• Fortress defenses are limited
– They do not readily keep up with attackers
– They encumber users (access controls, BYOD limits)
• Networks can be designed with cyber-resilience
Components of Cyber-Resilience
• Segmentation: Distinct and critical services that need to be secured are isolated in multiple secure zones with air-gaps and sterile zones
• Hardening: Applications and infrastructure are Internet-hardened
• Dispersal: Public facing services and non-proprietary content may be hosted in public clouds, while sensitive content may be secured in distinct protected zones and content accessed only through secure transactions.
• Synchronization: Operational activities (e.g.: releases, imaging, builds, backup, versioning, retention) are synchronized with integrity validation processes (quarantine, virus scanning/cleansing, etc…)
Segmentation - Example
Implementing a network as separate and distinct networks that are secured from each other provides organic resilience.
Being Prepared

Being Prepared for Cyber-Recovery
Your checklist for Cyber-Recovery: Organize, Plan, Transform, Validate
Planning for Cyber-Recovery: Organize, Plan, Transform, Validate

Planning for Cyber-Recovery: Organize
Develop an organizational structure to lead recovery activities before and after an attack.
Planning for Cyber-Recovery: Plan
• Assess current state of readiness
– Review prevention and recovery plans
– Evaluate operational integrity
– Test readiness and effectiveness
• Design cyber-resilience into your infrastructure and operating model
– Bulkheads, compartments, isolation
– Align operating cycles (e.g.: backup) with processing that establishes trust in your infrastructure
• Develop a recovery plan
Planning for Cyber-Recovery: Transform
• Implement the changes necessary to achieve
– Cyber-resilience
– Cyber-recoverability
Planning for Cyber-Recovery: Validate
• Test your plan
– Randomly test components throughout the year
– Periodically test large-scale integrated components, and the whole system
• During your tests...
– Recognize that systems are under attack
– Contain the damage, prevent its spread, remove the agents
– Restore trusted software and data from a trusted image
– Manage the consequences, minimize its impact, communicate effectively
A Recovery - Example
Response Activities to Hacker Attack (Corporate IT Data Center, HQ)
1. A virus or Trojan horse sits in a latent state after being planted by the intruder. This corruption may not manifest itself for days, weeks or even months after infection.
2. Corporate IT has established an isolated network in HQ (the “Gold Network”) that will resist external intrusion and perform daily chronological image backups for critical system and application servers.
3. When corruption has been identified, operators will take action to isolate the problem.
4. Client must wait on vendor distribution of a virus signature that will permit inspection of backups for possible infection.
5. Once a signature is delivered, Client must run a job to scan image backups chronologically backward in order to identify a “trusted image” from which infected servers can be restored.
6. Corporate IT will restore infected server(s) from trusted image backups and resume IT services.
Diagram components: Corporate IT “Gold Network” behind a firewall, with system/application servers; a second firewall to the Plant IT network; Symantec Bare Metal Restore Server; EMC VNX (image storage); virus/Trojan signature from vendor.
Chart: Recovery Time from Trojan Attack – Expected Recovery Time (in calendar days), scale 1 to 14; chart labels: “Undetected Latent Threat”, “Day ‘0’ Trusted Backup”, “Storage”.
NOTE: This illustration assumes a Trojan attack whose presence remains latent for seven (7) days.
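As an added illustration of the backward scan in step 5 above (and of the Synchronization component, where backups are paired with integrity validation), the Python below is not from the deck: it models a retained run of daily server images and a vendor signature, all constructed sample data, finds the trusted image, and reports nothing to restore from when retention is shorter than the threat's latency.

```python
# Added example (not from the RMI deck): simulates step 5 of the recovery example,
# scanning daily image backups chronologically backward with a vendor signature
# to find the "trusted image". Images, files, dates and the signature are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ServerImage:
    taken: date              # day the daily image was captured
    files: Dict[str, bytes]  # path -> content captured in the image

def image_is_infected(image: ServerImage, signature: bytes) -> bool:
    """The vendor signature is a byte pattern; the image is suspect if any file contains it."""
    return any(signature in content for content in image.files.values())

def find_trusted_image(images: List[ServerImage], signature: bytes) -> Optional[ServerImage]:
    """Walk images newest-first; the first one the signature does not match is the trusted
    image. None means every retained image is suspect: retention is shorter than the
    threat's latency and there is nothing trustworthy to restore from."""
    for image in sorted(images, key=lambda img: img.taken, reverse=True):
        if not image_is_infected(image, signature):
            return image
    return None

def sample_history(first: str, last: str, planted: str, signature: bytes) -> List[ServerImage]:
    """Constructed history, one image per ISO day. From the day the Trojan is planted each
    image carries a dropped file with the signature; nothing else changes (latent)."""
    day, last_day, planted_day = (date.fromisoformat(d) for d in (first, last, planted))
    images = []
    while day <= last_day:
        files = {"/etc/app.conf": b"listen=443\n", "/var/log/app.log": b"service ok\n"}
        if day >= planted_day:
            files["/var/tmp/.cache"] = b"\x00" + signature + b"\x00"
        images.append(ServerImage(day, files))
        day += timedelta(days=1)
    return images

def recovery_summary(images: List[ServerImage], signature: bytes, detected: str) -> Optional[dict]:
    """Which image to restore from and how many days of server state roll back."""
    trusted = find_trusted_image(images, signature)
    if trusted is None:
        return None
    rolled_back = (date.fromisoformat(detected) - trusted.taken).days
    return {"trusted_image": trusted.taken.isoformat(), "days_rolled_back": rolled_back}

if __name__ == "__main__":
    SIG = b"TROJAN-SAMPLE-PATTERN"  # constructed stand-in for a vendor-supplied signature
    history = sample_history("2014-10-01", "2014-10-14", "2014-10-04", SIG)
    print(recovery_summary(history, SIG, detected="2014-10-11"))  # latent 7 days, as in the deck's note
```

A clean scan only shows that this particular signature is absent, so it is one input to the integrity validation the Synchronization bullet calls for, alongside quarantine and a retention window long enough to reach back past the threat's latency.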