Preparing to recover from a cyber attack

Recovering from a
Cyber-Attack

© Copyright, Risk Masters, Inc. 2013. All rights reserved.

Why you need to prepare
What you need to do
1
1

Cyber-Recovery: Executive Summary

RMI

The Problem
 Cyber-Attacks are a continuous threat – some might succeed
 How will you operate and recover following a successful attack?
The Risks





Meeting obligations to your clients, suppliers and staff
Financial and property losses
Reputational losses
Regulatory compliance

The Strategy

 Increase the Cyber-Resilience of your Infrastructure
 Have a Cyber-Recovery Plan in addition to BCP/DR plans
Being Prepared





Organize
Plan
Transform
Validate


2

RMI Risk Masters, Inc.

The Problem

3

The Cyber-Recovery Problem

RMI

Cyberattacks are a continuous threat,
and some may succeed
• How will you operate securely and
recover quickly following a successful
attack?
• How will you mitigate the legal,
regulatory, financial and operational
risks of a successful attack?

4

Every Day You Are Under Attack


RMI

5

Your Defenses
are Ready…


But How
Secure Are
You?
RMI

6

Some Attacks Succeed…


RMI

7

A Breach Leads to Many Risks

RMI

• Can you meet obligations to your
clients, suppliers and staff?
• What would the financial and
property losses be?

• And what about reputational
losses?

8


The Risks

9

RMI

Are you
prepared to
operate and
recover?

Does your
BCP/DR plan
address
CyberRecovery?

Will your
insurance
cover you?

When an
Attack
Breaches
Your
Defenses…

Can you
protect the
privacy of
your staff and
clients?

Can you meet
your
obligations to
your clients?
10

A Breach Puts Privacy at Risk

Can you
protect the
privacy of
your staff and
your clients?

RMI

• You have legal and contractual
requirements to protect the privacy
and confidential information of your
staff and clients.
– Your business reputation may be
compromised by the exposure of
such information
• When you cannot trust your computer
systems, how can you assure privacy
and confidentiality?


11

A Breach Puts Delivery at Risk

Can you meet
your
obligations to
your staff
and clients?


RMI

• You have products and services to
deliver every day – and your staff
and clients depend on these.
• When you cannot trust your
computer systems, how can you be
sure that you can meet your
commitments?
– What will be your liability for
failing to do so?

12

A Breach Creates Financial Risk
Costs may
be high

Will your
insurance
cover you?
Insurance
may not
Cover

Insurance
is Complex

RMI

Sony is still awaiting the final tally for losses related to its
data breaches earlier this year. At last count, it had 100
million compromised customer accounts, and Sony
anticipated the debacle would cost $200 million. With 58
class-action suits in the works, that may be wishful
thinking.
But what about Sony’s insurance coverage? Sony’s insurer
said the company did not have a cyber insurance policy.
It said Sony’s policy only covered tangible losses like
property damage, not cyber incidents.

Cyber Insurance—Mitigating Loss from Cyber Attacks
Perspectives on Insurance Recovery Newsletter - 2012
The market is rapidly growing for insurance that is specifically
meant to cover losses arising out of cyber attacks and other
privacy and data security breaches. These policies are marketed
under names like "cyber-liability insurance," "privacy breach
insurance" and "network security insurance."


13

A Breach Needs to be Reversed

Does your
BCP/DR plan
address
CyberRecovery?


RMI

• A Cyber-Attack compromises
your trust in your computer
systems
– But BCP/DR recovers from loss of
use of facilities, infrastructure,
technology and physical resources
– Can you trust that your BCP/DR
resources will be unexposed or
survive a cyber attack?

14


The Strategy

15

A Strategy for Cyber-Recovery

RMI

• How can you increase the CyberResilience of your infrastructure?
• Do you have a Cyber-Recovery
Plan in addition to or as part of
your BCP/DR plans?


16

Are You Prepared to Respond?

RMI

• Is your infrastructure Cyber-Resilient?
– Is the affect of an attack contained by architectural
features and operational procedures that limit
damage, or does the attack run freely?
• Is your BCP/DR plan Cyber-Resilient?
– Will critical systems and communications that you
are relying on fail due to an attack?
– Do support agreements (e.g: hosting, insurance)
cover cyber-recovery?
• Does your BCP/DR address cyber-attacks?
– Are your policies and procedures aligned with
assurances of safety, or are you backing up the
attacker to restore it during your recovery?

17

Cyber-Resilience: Mitigating a Breach

RMI

• Traditional cyber-defense is built as
a “fortress perimeter”
– Networks were not designed to
be cyber-resilient
– Cyber-defenses (e.g.: barriers,
detection) were added to existing
networks
• Fortress defenses are limited
– They do not readily keep up with attackers
– They encumber users (access controls, BYOD limits)
• Networks can be designed with cyber-resilience

18

Components of Cyber-Resilience

RMI

• Segmentation: Distinct and critical services that need
to be secured are isolated in multiple secure zones
with air-gaps and sterile zones
• Hardening: Applications and infrastructure are
Internet-hardened
• Dispersal: Public facing services and non-proprietary
content may be hosted in public clouds, while sensitive
content may be secured in distinct protected zones and
content accessed only through secure transactions.
• Synchronization: Operational activities (e.g.: releases,
imaging, builds, backup, versioning, retention) are
synchronized with integrity validation processes
(quarantine, virus scanning/cleansing, etc…)


19

Segmentation - Example

RMI

Implementing a network as separate and distinct networks that
are secured from each other provides organic resilience


20


Being Prepared

21

Being Prepared for Cyber-Recovery

RMI

Your checklist for Cyber-Recovery
 Organize
 Plan
 Transform
 Validate


22

RMI

Organize

Validate

Planning
for CyberRecovery

Plan

Transform

23

Planning for Cyber-Recovery

RMI

Develop an organizational structure
to lead recovery activities before
and after an attack
Organize


24


Plan


RMI

• Assess current state of readiness
– Review prevention and recovery plans
– Evaluate operational integrity
– Test readiness and effectiveness
• Design cyber-resilience into your
infrastructure and operating model
– Bulkheads, compartments, isolation
– Align operating cycles (e.g.: backup)
with processing that establishes trust
in your infrastructure
• Develop a recovery plan
25


Transform

RMI

• Implement the changes necessary
to achieve
– Cyber-resilience
– Cyber-recoverability


26


RMI

• Test your plan
 Randomly test components throughout
the year
 Periodically test large-scale integrated
components, and the whole system

Validate

• During your tests...
 Recognize that systems are under attack
 Contain the damage, prevent its spread,
remove the agents
 Restore trusted software and data from
a trusted image.
 Manage the consequences, minimize its
impact, communicate effectively

27

A Recovery - Example
Corporate IT Data Center (HQ)

RMI

Response Activities to Hacker Attack

To Plant
IT Network

1

6
1

3

4

Virus/Trojan
Signature
from Vendor

Symantec
Bare Metal
Restore Server

Corporate IT “Gold Network”

6

Recovery Time from Trojan Attack

NOTE: This Illustration assumes a Trojan attack whose
presence remains latent for seven (7) days.

2
Day “0”
Trusted
Backup

Once a signature is delivered, Client must run a job to scan
image backups chronologically backward in order to
identify a “trusted image” from which infected servers can
be restored.
Corporate IT will restore infected server(s) from trusted
image backups and resume IT services.

4

5

6

Client must wait on vendor distribution of a virus signature
that will permit inspection of backups for possible infection.

Firewall

Firewall

EMC
VNX
(image storage)

When corruption has been identified, operators will take
action to isolate the problem.

5

2

2

Virus or Trojan Horse sits in a latent state after being
planted by the intruder. This corruption may not manifest
itself for days, weeks or even months after infection.

3

Storage

Corporate IT has establish an isolated network in HQ that
will resist external intrusion and perform daily chronological
images backups for critical system and application servers.

2

System/Application Servers

3

Undetected Latent Threat

4
5
6
1

2

3

4


5

6

7

8

9

10

11

12

13

14

Expected
Recovery Time
(in calendar days)

28

Preparing to recover from a cyber attack

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Preparing to recover from a cyber attack

Similar a Preparing to recover from a cyber attack (20)

Último

Último (20)

Preparing to recover from a cyber attack