For Cyber Resilience Assume the Worst – Tim Holman writing for ComputerWeekly.com
Gone are the days when you could go out and spend your annual security budget on a set of brightly coloured firewalls that look good in racks. Now you have to satisfy yourself that all the kit you bought actually does what it says on the tin.
What might come as a surprise is that the data sheets shoved down your throat when you bought your defensive equipment do not reflect how that equipment behaves in the real world. In a controlled lab environment, a firewall might well be able to withstand 1,000,000 SYN packets a second; what the data sheet does not tell you is that, under that load, your valid TCP connections fall off the edge of the planet as well.
Start with the assumption that a cyber attack will be successful. Assume your critical systems will get taken down and attackers, once on the inside, are doing their very best to find ways to exfiltrate data from your systems.
Learn how to operate while there is a malicious individual actually on your network, and you will soon build up a picture of what an effective cyber defence plan will look like.
But do not stop there. Take time to test your systems. If a critical system goes out of the picture, what are your restore times like? How can you improve these?
You might want to brush the cobwebs off your business continuity plan and actually test it. In the age of virtualised systems, there is no excuse for not having already built a production mirror that can be subjected to regular penetration testing and disaster recovery scenarios. If you have a few terabytes of backup data accumulated over the years, bear in mind that on hardware that is a few years old it might take a few days to fully restore a system that has gone down.
You might think that clustering and load balancing get around this problem and leave you with the illusion that systems will never go down or be compromised, but assume that is all gone too.
Proper cyber security resilience requires proper planning and proper testing. I will not labour the point of implementing ISO 27001:2013 to ensure the confidentiality, integrity and availability of your information systems, as in most cases that is too big a step when companies do not even have the basics of running a highly available and resilient computer system right.
If you have not done so already:
1) Develop a business continuity plan, and test it.
2) Develop a high availability/resilience strategy.
3) Learn how to recover single points of failure, quickly.
4) See my last article on incident response planning.
5) Trust no-one. Always operate under the assumption that a hacker is living inside your network. Encrypt sensitive data and machine-to-machine communications.
6) Implement a vulnerability management programme. Ensure you are not vulnerable to the basic threats.
7) Use an event correlation engine to alert you of any suspicious activity.
8) Ensure data cannot simply leave your organisation. Route all outbound web traffic through an HTTP/S proxy and block direct outbound connections at the perimeter. Disable "useful" tools such as PING (block outbound ICMP too), bearing in mind that hackers can quite happily encapsulate data in ICMP echo payloads and send it out of your organisation.
9) Do not just pay lip service to ISO 27001:2013, PCI DSS or other regulatory standards. Do them properly. If you do not truly understand them, employ a cyber security expert to help you.
10) Take out cyber insurance. If things go wrong, there are policies that pay up, but they have a funny habit of not paying up if you have neglected points 1 to 9 above.
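Point 8 is worth making concrete. What follows is an added example, not code from the article or from Tim Holman: a small Python detector that parses raw ICMP echo requests, verifies the checksum and flags payloads that do not look like a normal ping (oversized, high entropy, or adding up to too much outbound volume from one host). The packets, thresholds and IP addresses are constructed for illustration; the default ping payload sizes (56 bytes on Linux, 32 on Windows) are the only real-world figures used.

```python
"""
Toy ICMP tunnel detector (added example, not from the article).
Parses raw ICMP echo requests, checks the RFC 1071 checksum and flags payloads
that do not look like an ordinary ping. All packets below are constructed.
"""
import math
import random
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8

# Illustrative thresholds (assumptions, not values from the article).
MAX_NORMAL_PAYLOAD = 64    # Linux ping sends 56 bytes of payload, Windows 32
MAX_NORMAL_ENTROPY = 6.5   # bits per byte; ping pattern bytes sit well below this
VOLUME_LIMIT = 4096        # echo payload bytes per source before we alert


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo request (type 8, code 0) with a correct checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes):
    """Return (type, code, ident, seq, payload); raise on a truncated or corrupt packet."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return typ, code, ident, seq, pkt[8:]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


class IcmpTunnelDetector:
    """Stateful per-source check over a stream of (src_ip, raw_icmp) pairs."""

    def __init__(self):
        self.bytes_by_src = defaultdict(int)

    def analyse(self, src: str, pkt: bytes) -> list:
        typ, _code, _ident, _seq, payload = parse_icmp(pkt)
        if typ != ICMP_ECHO_REQUEST:
            return []  # only outbound echo requests carry the exfiltration side
        reasons = []
        if len(payload) > MAX_NORMAL_PAYLOAD:
            reasons.append("oversized payload %d bytes" % len(payload))
        ent = shannon_entropy(payload)
        if ent > MAX_NORMAL_ENTROPY:
            reasons.append("high-entropy payload %.2f bits/byte" % ent)
        self.bytes_by_src[src] += len(payload)
        if self.bytes_by_src[src] > VOLUME_LIMIT:
            reasons.append("cumulative echo payload %d bytes from %s"
                           % (self.bytes_by_src[src], src))
        return reasons


# Constructed sample payloads.
LINUX_PING_PAYLOAD = struct.pack("!Q", 1700000000) + bytes(range(0x10, 0x40))  # 56 bytes


def tunnel_payload(seed: int) -> bytes:
    """Stand-in for an encrypted chunk: a seeded permutation of 0..255 (entropy 8.0)."""
    vals = list(range(256))
    random.Random(seed).shuffle(vals)
    return bytes(vals)


def demo():
    det = IcmpTunnelDetector()
    normal = det.analyse("10.0.0.5", build_echo_request(0x1234, 1, LINUX_PING_PAYLOAD))
    tunnel = det.analyse("10.0.0.9", build_echo_request(0x1234, 1, tunnel_payload(1)))
    # A slow, low-entropy tunnel: 64-byte slices of plain text, many packets.
    doc = b"Board minutes, payroll figures and customer list attached. " * 100
    slow = []
    for i in range(70):
        chunk = doc[i * 64:(i + 1) * 64]
        slow = det.analyse("10.0.0.7", build_echo_request(0x4242, i, chunk))
    return normal, tunnel, slow


if __name__ == "__main__":
    for label, reasons in zip(("normal ping", "bulk tunnel", "slow tunnel"), demo()):
        print(label, "->", reasons or "clean")
```

The point of the three samples is that no single rule is enough: a real ping is clean on every check, an encrypted bulk tunnel trips the size and entropy rules immediately, and a patient attacker sending small plain-text slices is only caught by counting bytes per source over time. If PING is disabled and outbound ICMP is blocked at the perimeter, as point 8 advises, none of this traffic gets out at all; the detector is for spotting hosts that are trying.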
Once you’ve built up resilience, do not call it a day. There are always improvements that can be made, and as an auditor, one of my pet hates is companies that have gone through all the effort of achieving ISO 27001 or PCI DSS validation, but then let it go to waste. These standards are here for a reason, namely to reduce your exposure to cyber security threats.