Security Think Tank: How to prepare for computer-killing malware

To what extent should businesses worry about computer-killing malware and what steps should they take to mitigate such attacks?

In The Art of War, Sun Tzu wrote: “The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”

The same principle should be applied to cyber attacks in general, and to destructive, computer-killing malware in particular. To date, “wiper” malware has been used only a handful of times, but even though these attacks are less frequent than others, they remain a threat to businesses.

Organisations should seek to segment their most sensitive data on hardened networks and ensure that data is backed up off site and adequately protected.

An appropriately deployed protective monitoring tool that alerts on possible breaches can help here. It would enable an organisation to identify a breach quickly and then limit the propagation of the malware by isolating the affected part of the network from the rest.

The reporting mechanism and action plan need to be robust, though. If we look at what happened with the Target breach, it was the lack of action after the suspicious activity had been identified that enabled the breach to continue. We know that attempts will always be made to breach systems, but the speed and efficiency of detection, recovery and investigation are just as important as prevention.
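Detection that produces no follow-up is the failure the Target example illustrates. The code below is an added example, not code from the article or from The Security Institute: a minimal protective-monitoring rule run over constructed file-activity log lines. It flags a burst of deletes or overwrites from a single host, attaches the isolation step the action plan requires to every alert, and lists the alerts nobody has yet acknowledged so they can be escalated. The log format, host names, thresholds and playbook wording are all assumptions.

```python
"""Added example, not code from the article: a small protective-monitoring rule
that scans constructed file-activity log lines for wiper-like behaviour (a burst
of deletes or overwrites from one host) and pairs each alert with the response
the action plan requires, so an alert is never raised without a follow-up step.
The log format, host names and thresholds are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Assumed format per line:
#   <ISO-8601 timestamp> <host> <action> <path>
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-finance-07 WRITE C:/Users/alice/report.xlsx
2024-03-01T09:00:30 ws-finance-07 DELETE C:/Users/alice/old.tmp
2024-03-01T09:01:30 ws-finance-07 DELETE C:/Users/alice/older.tmp
2024-03-01T09:05:00 ws-hr-02 OVERWRITE C:/Users/bob/a.docx
2024-03-01T09:05:01 ws-hr-02 OVERWRITE C:/Users/bob/b.docx
2024-03-01T09:05:01 ws-hr-02 DELETE C:/Users/bob/a.docx
2024-03-01T09:05:02 ws-hr-02 OVERWRITE C:/Users/bob/c.docx
2024-03-01T09:05:03 ws-hr-02 DELETE C:/Users/bob/b.docx
2024-03-01T09:05:04 ws-hr-02 DELETE C:/Users/bob/c.docx
"""

# Actions that destroy data; a short burst of these from one host is the signal.
DESTRUCTIVE = {"DELETE", "OVERWRITE"}

# The response the plan attaches to every alert (assumed playbook wording).
PLAYBOOK_ACTION = "isolate host from network, preserve disk image, notify IR lead"


def parse_line(line):
    """Split one log line into (timestamp, host, action, path)."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path


def detect_wiper_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Return one alert per host that performs `threshold` or more destructive
    file actions inside any sliding `window`. Normal housekeeping (a few deletes
    spread over minutes) stays below the threshold and produces no alert."""
    recent = defaultdict(deque)   # host -> timestamps of recent destructive events
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, host, action, _path = parse_line(line)
        if action not in DESTRUCTIVE:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {
                "host": host,
                "first_seen": q[0].isoformat(),
                "destructive_events": len(q),
                "action": PLAYBOOK_ACTION,
            }
    return list(alerts.values())


def pending_actions(alerts, acknowledged_hosts):
    """The Target lesson: an alert nobody acts on is worthless. Return the
    alerts whose playbook action has not been acknowledged so they can be
    escalated rather than silently aged out of the console."""
    return [a for a in alerts if a["host"] not in acknowledged_hosts]


if __name__ == "__main__":
    found = detect_wiper_bursts(SAMPLE_LOG.splitlines())
    for alert in found:
        print(f"ALERT {alert['host']}: {alert['destructive_events']} destructive "
              f"events since {alert['first_seen']} -> {alert['action']}")
    print("awaiting action:", [a["host"] for a in pending_actions(found, set())])
```

Run as-is it raises one alert for ws-hr-02 and none for ws-finance-07, whose two deletes are a minute apart. The threshold and window are deliberately parameters: they should be tuned against each organisation's normal file activity, and the acknowledgement list is what a reporting mechanism must track so that a raised alert cannot quietly go unanswered.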

How does the destructive software enter the organisation in the first place?

As with all malware, it is usually introduced via a human element – be that clicking a link in an unsolicited email, connecting an unauthorised USB device to the company network or browsing insecure web pages.

The vulnerabilities could be summed up as poor hygiene, poor preventative measures and poor training.

People are frequently the cause of the problem – often it is inadvertent, but they are a threat nonetheless. If people are not educated in the risks of their behaviour, or made aware of correct policy and process, then they will continue to be a business risk.

Risk mitigation through security and business continuity

What do we mean by defending ourselves, by making our position unassailable?

In an age of connectivity, where everything we own is connected to everything else and the internet of things (IoT) is a very real part of our work and domestic lives, we can no longer build physical walls and batten down the hatches to protect ourselves and our systems against this kind of threat.  

Unfortunately, and unsurprisingly, the threat has evolved from Sun Tzu’s ancient China and while it would be an amazing sight to gather vast armies and dig moats around our server rooms, the benefits are questionable. 

Instead, we need to look at the nature of this threat and, more importantly, the vulnerabilities that exist in our own organisations that would allow this threat to manifest itself.

Many of the recent major cyber attacks have been highly complex in nature, designed, undoubtedly, at great expense and with considerable resources, to target key areas of an organisation or an ICT system. But often the delivery mechanism is relatively simple.

Malware is often introduced not by exploiting an obvious vulnerability in a technical system, but by exploiting a vulnerability in the people or processes that use and interact with that system.

So training and continuous education are massively important, but first internal policy and processes need to be tightened up. Then communicate that policy throughout the organisation, from top to bottom. Anyone who touches a computer or device is a potential vulnerability, so make sure they know everything they need to know.

An untested plan is a waste of time. This applies to security and business continuity alike. On the one hand, you need to know that your staff understand the threats and know how to play their part in the mitigation; on the other, they need to know there is a plan that will keep the business going – business as usual – as far as possible, and know their role in that too.

How well developed are most organisational business continuity plans (BCPs)? 

BCPs are often seen as a means of getting reduced business interruption insurance premiums. Yes, they can sometimes support a case for evidenced lower risk, but they are so much more than that.

A quality BCP that has been tested and regularly reviewed (and re-tested on a cyclical basis) will help with recovery, especially if it is integrated with an effective incident response process and with well-documented and rehearsed forensic readiness plans. That way backups and forensic evidence are available to minimise the impact and destructive force of an attack, as well as its ability to spread throughout the system or into other systems.
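Recovery from a wiper depends on the off-site backups mentioned earlier actually being intact when the BCP is invoked, and a restore is the worst moment to discover that a backup file was zeroed or silently dropped. The following is an added example, not the article's or The Security Institute's code, of one way to make that check routine: each backup file is tagged with a keyed HMAC, and the whole list of tags is sealed so that a missing file is caught as well as an altered one. The key, file names, contents and the simulated damage are all constructed for illustration; the assumption is that the key and manifest are held by the backup custodian, away from the systems being backed up, so malware that reaches those systems cannot also forge the manifest.

```python
"""Added example, not code from the article: sealing an off-site backup set with
a keyed manifest so that, at restore time, a wiped, altered or missing backup
file is detected before it is trusted. File names, contents and the key are
constructed for illustration; in practice the key and manifest live with the
backup custodian, not on the systems being backed up."""
import hashlib
import hmac
import json

# Constructed key and backup set (not real data).
BACKUP_KEY = b"example-key-held-by-backup-custodian"
GOOD_BACKUP = {
    "config.yaml": b"db_host: internal-db\nlog_level: info\n",
    "db.sql": b"INSERT INTO ledger VALUES (1, 'opening balance');\n",
    "ledger.csv": b"id,amount\n1,100.00\n",
}


def file_tag(key, name, data):
    """HMAC-SHA256 over name and content, so a file cannot be swapped for a
    different (but genuine) file stored under the wrong name."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    m.update(name.encode())
    m.update(b"\0")          # separator so name/content boundaries are unambiguous
    m.update(data)
    return m.hexdigest()


def seal(key, entries):
    """Keyed seal over the whole entry list so deletions are detectable."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(key, files):
    """Create the manifest to be stored with the backup custodian."""
    entries = {name: file_tag(key, name, data) for name, data in files.items()}
    return {"entries": entries, "seal": seal(key, entries)}


def verify_backup(key, files, manifest):
    """Return a list of problems; an empty list means the set is intact."""
    if not hmac.compare_digest(manifest["seal"], seal(key, manifest["entries"])):
        return ["manifest seal invalid: manifest altered or wrong key"]
    problems = []
    for name, tag in sorted(manifest["entries"].items()):
        if name not in files:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(tag, file_tag(key, name, files[name])):
            problems.append(f"modified: {name}")
    for name in sorted(files):
        if name not in manifest["entries"]:
            problems.append(f"unexpected: {name}")
    return problems


def wiped_copy(files):
    """Constructed damage for the demonstration: one file zero-filled, one removed."""
    damaged = dict(files)
    damaged["db.sql"] = b"\0" * len(files["db.sql"])
    del damaged["config.yaml"]
    return damaged


if __name__ == "__main__":
    manifest = build_manifest(BACKUP_KEY, GOOD_BACKUP)
    print("intact set:", verify_backup(BACKUP_KEY, GOOD_BACKUP, manifest))
    print("damaged set:", verify_backup(BACKUP_KEY, wiped_copy(GOOD_BACKUP), manifest))
```

The intact set verifies with no problems; the damaged copy reports the missing and the modified file by name. Running this verification on a schedule, rather than only during an incident, is the "re-tested on a cyclical basis" part of the plan applied to backups: it turns an assumption that recovery is possible into evidence that it is.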

More importantly, it will give the people a plan and give them the confidence to respond to an attack and have the tools and the knowledge to deal with whatever is thrown at them.  

One BCP that covers all aspects of an organisation or system may not be the most appropriate – the adage of a one-size-fits-all, in reality, does not fit anything! Not all information or system assets may have the same level of importance or criticality and, as such, may require a different level of response in the event of an attack. 

Consideration should be given to basing a BCP on the following simple premise: Impact-driven, vulnerability-focused and threat-informed.  

We need to be driven by the impact that such an attack would have on the organisation – no impact means we do not need to worry too much, big impact equals all hands to the pumps!  

Similarly, we need to be aware of the nature of the vulnerabilities and how they could be exploited, and, finally, of the threat itself: how likely it is to target us and how that attack may take place.

This may seem like a lot of work, but aligning business continuity responses to the criticality of a system or asset will ensure a proportionate and cost-effective response that avoids the traditional knee-jerk reaction that often follows a security incident.

It will help to control panic spending as suppliers try to tell organisations that they really need an incredibly expensive piece of hardware that will protect them from anything, when in reality they don’t actually need it.

Timely links into a warning advisory reporting point (Warp) can prove invaluable, both as a source of early intelligence about an emerging threat, enabling an organisation to be better prepared, and as a means of sharing experiences of attacks as part of a community early warning system, not unlike the somewhat older but equally effective line of beacons along the hilltops.

Greater use of Warp communities engenders co-operation and strengthens our defences as a community against a common enemy.

In essence then, prepare well, seek independent and expert advice, buy wisely, test your defences regularly and collaborate as a community.

Mike Gillespie is director of cyber research and security at The Security Institute.
