Preparing to recover from a cyber attack
- 2. Cyber-Recovery: Executive Summary
The Problem
Cyber-attacks are a continuous threat – some might succeed.
How will you operate and recover following a successful attack?
The Risks
Meeting obligations to your clients, suppliers and staff
Financial and property losses
Reputational losses
Regulatory compliance
The Strategy
Increase the Cyber-Resilience of your infrastructure
Have a Cyber-Recovery Plan in addition to BCP/DR plans
Being Prepared
Organize, Plan, Transform, Validate
© Copyright, Risk Masters, Inc. 2013. All rights reserved.
- 3. The Problem
- 4. The Cyber-Recovery Problem
Cyber-attacks are a continuous threat, and some may succeed
• How will you operate securely and recover quickly following a successful attack?
• How will you mitigate the legal, regulatory, financial and operational risks of a successful attack?
- 5. Every Day You Are Under Attack
- 8. A Breach Leads to Many Risks
• Can you meet obligations to your clients, suppliers and staff?
• What would the financial and property losses be?
• And what about reputational losses?
- 9. The Risks
- 10. When an Attack Breaches Your Defenses…
• Are you prepared to operate and recover?
• Does your BCP/DR plan address Cyber-Recovery?
• Will your insurance cover you?
• Can you protect the privacy of your staff and clients?
• Can you meet your obligations to your clients?
- 11. A Breach Puts Privacy at Risk
Can you protect the privacy of your staff and your clients?
• You have legal and contractual requirements to protect the privacy and confidential information of your staff and clients.
– Your business reputation may be compromised by the exposure of such information.
• When you cannot trust your computer systems, how can you assure privacy and confidentiality?
- 12. A Breach Puts Delivery at Risk
Can you meet your obligations to your staff and clients?
• You have products and services to deliver every day – and your staff and clients depend on these.
• When you cannot trust your computer systems, how can you be sure that you can meet your commitments?
– What will be your liability for failing to do so?
- 13. A Breach Creates Financial Risk
Will your insurance cover you? Costs may be high; insurance may not cover; insurance is complex.
Sony is still awaiting the final tally for losses related to its data breaches earlier this year. At last count, it had 100 million compromised customer accounts, and Sony anticipated the debacle would cost $200 million. With 58 class-action suits in the works, that may be wishful thinking.
But what about Sony’s insurance coverage? Sony’s insurer said the company did not have a cyber insurance policy. It said Sony’s policy only covered tangible losses like property damage, not cyber incidents.
Cyber Insurance—Mitigating Loss from Cyber Attacks
Perspectives on Insurance Recovery Newsletter - 2012
The market is rapidly growing for insurance that is specifically meant to cover losses arising out of cyber attacks and other privacy and data security breaches. These policies are marketed under names like "cyber-liability insurance," "privacy breach insurance" and "network security insurance."
- 14. A Breach Needs to be Reversed
Does your BCP/DR plan address Cyber-Recovery?
• A Cyber-Attack compromises your trust in your computer systems
– But BCP/DR recovers from loss of use of facilities, infrastructure, technology and physical resources
– Can you trust that your BCP/DR resources will be unexposed or survive a cyber attack?
- 15. The Strategy
- 16. A Strategy for Cyber-Recovery
• How can you increase the Cyber-Resilience of your infrastructure?
• Do you have a Cyber-Recovery Plan in addition to or as part of your BCP/DR plans?
- 17. Are You Prepared to Respond?
• Is your infrastructure Cyber-Resilient?
– Is the effect of an attack contained by architectural features and operational procedures that limit damage, or does the attack run freely?
• Is your BCP/DR plan Cyber-Resilient?
– Will critical systems and communications that you are relying on fail due to an attack?
– Do support agreements (e.g. hosting, insurance) cover cyber-recovery?
• Does your BCP/DR plan address cyber-attacks?
– Are your policies and procedures aligned with assurances of safety, or are you backing up the attacker's foothold only to restore it during your recovery?
- 18. Cyber-Resilience: Mitigating a Breach
• Traditional cyber-defense is built as a “fortress perimeter”
– Networks were not designed to be cyber-resilient
– Cyber-defenses (e.g. barriers, detection) were added to existing networks
• Fortress defenses are limited
– They do not readily keep up with attackers
– They encumber users (access controls, BYOD limits)
• Networks can be designed with cyber-resilience
- 19. Components of Cyber-Resilience
• Segmentation: Distinct and critical services that need to be secured are isolated in multiple secure zones with air-gaps and sterile zones
• Hardening: Applications and infrastructure are Internet-hardened
• Dispersal: Public-facing services and non-proprietary content may be hosted in public clouds, while sensitive content may be secured in distinct protected zones and accessed only through secure transactions.
• Synchronization: Operational activities (e.g. releases, imaging, builds, backup, versioning, retention) are synchronized with integrity validation processes (quarantine, virus scanning/cleansing, etc.)
- 20. Segmentation - Example
Implementing a network as separate and distinct networks that are secured from each other provides organic resilience.
- 21. Being Prepared
- 22. Being Prepared for Cyber-Recovery
Your checklist for Cyber-Recovery: Organize, Plan, Transform, Validate
- 24. Planning for Cyber-Recovery
Organize
Develop an organizational structure to lead recovery activities before and after an attack
- 25. Planning for Cyber-Recovery
Plan
• Assess current state of readiness
– Review prevention and recovery plans
– Evaluate operational integrity
– Test readiness and effectiveness
• Design cyber-resilience into your infrastructure and operating model
– Bulkheads, compartments, isolation
– Align operating cycles (e.g. backup) with processing that establishes trust in your infrastructure
• Develop a recovery plan
- 27. Planning for Cyber-Recovery
Validate
• Test your plan
– Randomly test components throughout the year
– Periodically test large-scale integrated components, and the whole system
• During your tests...
– Recognize that systems are under attack
– Contain the damage, prevent its spread, remove the agents
– Restore trusted software and data from a trusted image
– Manage the consequences, minimize its impact, communicate effectively
- 28. A Recovery - Example
Response Activities to Hacker Attack (diagram; labels on the slide: Corporate IT Data Center (HQ), Corporate IT “Gold Network”, Firewall, System/Application Servers, Storage, EMC VNX (image storage), Bare Metal Restore Server, Trusted Backup, Virus/Trojan Signature from Vendor Symantec, To Plant IT Network, Day “0”, Undetected Latent Threat)
NOTE: This illustration assumes a Trojan attack whose presence remains latent for seven (7) days.
1. Corporate IT has established an isolated network in HQ that will resist external intrusion and perform daily chronological image backups for critical system and application servers.
2. A virus or Trojan Horse sits in a latent state after being planted by the intruder. This corruption may not manifest itself for days, weeks or even months after infection.
3. When corruption has been identified, operators will take action to isolate the problem.
4. Client must wait on vendor distribution of a virus signature that will permit inspection of backups for possible infection.
5. Once a signature is delivered, Client must run a job to scan image backups chronologically backward in order to identify a “trusted image” from which infected servers can be restored.
6. Corporate IT will restore infected server(s) from trusted image backups and resume IT services.
Expected Recovery Time from Trojan Attack (in calendar days): timeline chart over days 1 to 14 (chart not recoverable from the text).
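The backward scan of image backups described on slide 28, together with the backup/scan synchronization of slide 19, as an added example that is not part of the deck (the image format, hashes and the "vendor signature" are constructed here, not taken from any real product):

```python
import hashlib
from datetime import date, timedelta

# Constructed sample data: one image backup per day of a single server,
# each recorded as a mapping of file path -> SHA-256 of the file content.
def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

CLEAN_SERVICE = _sha256(b"legitimate service binary v1")
TROJANED_SERVICE = _sha256(b"legitimate service binary v1 + planted trojan")
DROPPER = _sha256(b"latent dropper")

# Constructed "vendor signature": the set of known-bad content hashes that
# the deck waits for before backups can be inspected.
VENDOR_SIGNATURE = {TROJANED_SERVICE, DROPPER}

def make_backups(retention_days=14, infection_day=9):
    """Build a chronological list of daily images. The Trojan is planted on
    day index `infection_day` and stays, latent, in every later image."""
    start = date(2013, 1, 1)  # arbitrary constructed start date
    images = []
    for day in range(retention_days):
        files = {"/opt/app/service": CLEAN_SERVICE, "/etc/app.conf": _sha256(b"cfg")}
        if day >= infection_day:
            files["/opt/app/service"] = TROJANED_SERVICE
            files["/tmp/.cache"] = DROPPER
        images.append({"date": start + timedelta(days=day), "files": files})
    return images

def image_is_clean(image, signature):
    """True when no file in the image matches a known-bad hash."""
    return not any(h in signature for h in image["files"].values())

def find_trusted_image(images, signature):
    """Scan images newest-first (chronologically backward) and return
    (trusted_image, quarantined). The first clean image found is the most
    recent trusted restore point; every newer image is quarantined.
    trusted_image is None when every retained image matches the signature,
    i.e. the latent period exceeded the retention window."""
    quarantined = []
    for image in sorted(images, key=lambda i: i["date"], reverse=True):
        if image_is_clean(image, signature):
            return image, quarantined
        quarantined.append(image)
    return None, quarantined

if __name__ == "__main__":
    trusted, quarantined = find_trusted_image(make_backups(), VENDOR_SIGNATURE)
    print("restore from", trusted["date"], "| quarantined images:", len(quarantined))
```

The `None` branch is the practical caveat behind the slide's seven-day latency note: image retention has to outlast the longest latent period you expect, or the backward scan finds nothing to restore from.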