Responding to and recovering from sophisticated security attacks

The four things you can do now to help keep your organization safe

IBM Global Technology Services White Paper

IBM Security Services


Contents

Introduction
Step 1: Prioritize your business objectives and set your risk tolerance
Step 2: Protect your organization with a proactive security plan
Step 3: Prepare your response to the inevitable: a sophisticated attack
Step 4: Promote and support a culture of security awareness
Get started now—before your company becomes a victim
For more information

Introduction

Like so many other things in today’s world, cyber attacks—along with those who perpetrate them—are becoming more sophisticated every year. At the same time, IT resources are moving outside the firewall and enterprises are distributing their applications and data across multiple devices. It’s now clear that simply protecting an organization’s perimeter is not enough. These sophisticated attacks—which include advanced persistent threats, or APTs—are bypassing traditional defenses.

We know all too well how major security incidents can affect a company’s data, networks and corporate brand. We also know that sophisticated attacks, designed to gain continuous access to critical information or to cause damage in critical infrastructure, are becoming more severe, more frequent and more costly.

How severe? Sophisticated attacks can include:
• Stealing intellectual property
• Confiscating bank accounts and other financial assets
• Distributing malware on individual computers and across systems
• Posting confidential business and/or customer information online
• Damaging critical infrastructure

How frequent? A 2012 study of 2,618 business leaders and security practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil found that they experienced an average of 66 attacks per week, with organizations in Germany and the U.S. reporting the highest numbers: 82 and 79 per week, respectively.[1] And in their 2012 mid-year report, IBM X-Force research and development teams noted an upward trend in overall vulnerabilities, predicting a possible all-time high by the end of the year.[2]

How costly? The average cost of recovering from a single cyber attack was estimated at nearly $300,000 by the organizations in the 2012 study mentioned above.[3] At 66 attacks per week, that could amount to nearly $1 billion over the course of a year.

What’s more, we know that the people behind these sophisticated attacks are patient, long-term planners. They do reconnaissance and target specific vulnerabilities. And they’re shifting their focus from exploitation to destruction.


In this paper we’ll discuss the four proactive steps that you can—and should—take now to help keep your organization safe:
• Prioritize your business objectives and set your risk tolerance
• Protect your organization with a proactive security plan
• Prepare your response to the inevitable: a sophisticated attack
• Promote and support a culture of security awareness

Step 1: Prioritize your business objectives and set your risk tolerance

Experience over the past several years has made it clear that “security” is a relative term. No matter how much we may want to create a completely and permanently secure enterprise and be done with it, reality dictates otherwise. Still, the growing threat of sophisticated attacks demands that we take seriously the business of securing our information and protecting our people and infrastructure. And that starts with setting priorities.

Determine what’s most important to the security of your business and why

This sounds fairly obvious. But taking the time to really think about your business objectives and discuss what’s most important—and how much risk you’re willing to tolerate—will help lay a solid foundation for a security strategy that meets the unique needs of your entire organization. Once you’ve established this baseline, you’ll have taken a big step in the right direction.

Identify those areas most vulnerable to attack

Just as there are some things that are more important than others to the security of your business, there are also some areas that are more vulnerable than others. This is not an exercise in finger-pointing or laying blame. Instead, it’s an opportunity to see things as they are—so you can create a more secure environment overall.

Identify the specific types of attacks that pose the biggest threat

Sophisticated attacks are designed to wreak as much havoc as possible—typically resulting in the loss or misuse of critical data, the disruption of critical infrastructure, or both. That’s why you need to look at your company’s information and business critical systems from an attacker’s point of view. And then ask yourself how an attacker could do the most damage.

Identify those areas that would incur the greatest loss in the event of an attack

This is where you come face to face with your biggest nightmare. If you’re going to come up with a successful plan, you need to be able to see just how much devastation would occur if an attack were to succeed in striking your business where it would hurt the most.


Online gaming / entertainment sites hacked, 100 million customer records compromised

Estimated costs: $3.6 billion
Victim: Online gaming community and entertainment sites
What happened: An “external intrusion” to a gaming network resulted in 70 million customer accounts being compromised, putting personal and credit card data at risk. The firm was forced to “turn off” online services during the investigation, causing public backlash and widespread negative press. A second hack in the entertainment division compromised additional client data.
Why it happened: Hackers allegedly were able to penetrate network security and gain access to unencrypted account and user data, and possibly some credit card data.
Damage done: In addition to widespread, negative public sentiment, the firm reportedly faced costs exceeding $171 million in lost business and response expense. The firm’s reported market capitalization fell by approximately $3.6 billion, as the stock price dropped 12 percent.
Lessons learned: It’s reported that one of the vulnerabilities exploited was known to the company. Firms should leverage a framework for managing risk associated with information assets, as well as establish strong governance mechanisms to support that framework.
(Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information and published articles.)

Step 2: Protect your organization with a proactive security plan

Now that you’ve established your priorities, it’s time to make your plans, get the right technology in place and put everything into action. This is where you take the steps to ensure that your company is aware of potential threats and working proactively to defend itself against them—on an ongoing basis.

Create a proactive and informed approach to IT security

Develop a security strategy with policies and technologies designed to proactively protect the assets and information you identified as priorities in Step 1. Arming your organization to manage the vulnerabilities you identified there is an essential part of taking a proactive stance on security. The security policies you develop will lay the foundation for your information security management strategy; they should document your security requirements, processes and technology standards. There is also a bonus to be had here: in addition to helping you detect and eliminate vulnerabilities, a smart security strategy can enhance business operations by reducing risk and decreasing IT security management costs.

Identify existing vulnerabilities and fix them

This could involve a process as straightforward (but resource intensive) as making sure every operating system on every machine is up to date on security patches—and will stay that way. Other vulnerabilities are more difficult to detect and fix, such as weaknesses in business applications.


Remediate any existing threats

Are you confident that you aren’t already the victim of a sophisticated attack? Particularly pernicious attacks such as advanced persistent threats, or APTs, are designed to remain invisible for as long as possible, moving from one compromised host to the next while generating as little identifiable network traffic as they can. At the heart of every APT lies a remote control function, which enables criminals to navigate to specific hosts within target organizations, manipulate local systems, and gain continuous access to critical information. That remote control channel is also the intruder’s weak point: to protect yourself, you need tools designed to detect the command-and-control communications between your systems and the attacker, which tend to be small, regular, and directed at a destination the host has no business reason to contact.
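The detection the paragraph calls for can be approximated without a commercial tool. The following Python script is an added example, not code from the IBM paper or from any IBM product: it reads proxy log lines in a constructed “timestamp source destination bytes” format (the sample lines, hostnames, addresses and thresholds are all made up for the example) and flags source/destination pairs whose connections recur at a near-constant interval with small payloads, the signature of an implant polling its controller.

```python
"""Beacon detection over proxy logs (added example, not IBM code).

Flags hosts whose outbound connections to one destination recur on a
near-fixed interval with small transfers: the pattern a remote-control
implant produces when it polls its command-and-control server.
Log lines, hostnames, addresses and thresholds are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp src dst bytes", one connection per line.
SAMPLE_LOG = """\
2013-02-04T09:00:00 10.1.4.22 update.example-cdn.net 1200
2013-02-04T09:00:05 10.1.4.22 news.example.com 55000
2013-02-04T09:05:01 10.1.4.22 update.example-cdn.net 1180
2013-02-04T09:10:00 10.1.4.22 update.example-cdn.net 1210
2013-02-04T09:14:59 10.1.4.22 update.example-cdn.net 1195
2013-02-04T09:20:01 10.1.4.22 update.example-cdn.net 1200
2013-02-04T09:25:00 10.1.4.22 update.example-cdn.net 1190
2013-02-04T09:03:17 10.1.4.31 news.example.com 48000
2013-02-04T09:07:42 10.1.4.31 news.example.com 51000
2013-02-04T09:31:05 10.1.4.31 news.example.com 47000
2013-02-04T09:32:50 10.1.4.31 news.example.com 49000
2013-02-04T10:10:11 10.1.4.31 news.example.com 50500
2013-02-04T11:45:00 10.1.4.31 news.example.com 52000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, size = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def find_beacons(text, min_hits=5, max_cv=0.1, max_bytes=4096):
    """Return [(src, dst, hits, mean_interval_s, cv)] for suspicious pairs.

    A pair is flagged when it has at least min_hits connections, the
    coefficient of variation (stdev / mean) of the gaps between them is
    at most max_cv (timing too regular for a human), and every transfer
    is small (a poll, not a download). Thresholds are example values.
    """
    times = defaultdict(list)
    sizes = defaultdict(list)
    for ts, src, dst, size in parse_log(text):
        times[(src, dst)].append(ts)
        sizes[(src, dst)].append(size)

    flagged = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # duplicate timestamps, not a beacon cadence
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv and max(sizes[(src, dst)]) <= max_bytes:
            flagged.append((src, dst, len(stamps), round(mean, 1), round(cv, 3)))
    return flagged


def run_sample():
    """Run the detector over the constructed log (used by the demo below)."""
    return find_beacons(SAMPLE_LOG)


if __name__ == "__main__":
    for src, dst, hits, mean, cv in run_sample():
        print(f"{src} -> {dst}: {hits} hits every ~{mean}s (cv={cv})")
```

Real implants add jitter, and some legitimate software (update checks, monitoring agents, NTP) beacons too, so treat a hit as a lead to compare against an allow-list of known pollers rather than a verdict. The thresholds are starting points to tune against your own baseline of what normal hosts do.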


Test, test, and test some more

With the emergence of sophisticated attacks comes the reality that one will strike your organization. It’s only a matter of time. That’s why it’s become more important than ever that you pay serious attention to testing your security policies, procedures and technologies for effectiveness—especially since doing so is a key element of legal and regulatory requirements for due care and diligence. Failure to do so can mean that corporate officers are held liable for the results of a security breach.

And because the security landscape is continuing to change at an ever-increasing pace, it’s equally important that you implement policies for regular testing and review.

Take a smart approach to security intelligence

How do you stay on top of all this—without sending your IT department into a continual state of panic? Security intelligence and analytics tools can actively monitor and correlate data activity across multiple security technologies, offering you the visibility and insight into what’s going on in your environment—to help you spot and investigate the kind of suspicious activity that could indicate an attack is underway. They help reduce complexity by communicating with one common language across multi-vendor environments, while taking the strain off your IT department and potentially delivering both time and cost savings.

Develop governance procedures and assign ownership of risk

Like most other things, your security programs and policies designed to defend against threats such as sophisticated attacks will only be as good as your organization’s ability to ensure that everyone is playing by the rules. So you need to have a plan in place for staying on top of the situation for the long term. That includes deciding who’s going to monitor and manage your security policies and how you’ll provide proof that your risk posture is being maintained. Make sure your security program has ownership and leadership assigned across critical business areas. By expanding accountability and awareness across key areas of risk, you’ll create a heightened understanding and enforcement of the security controls you’ve put in place. And that, in turn, will allow you to create a more secure business environment.


Demonstrate and document the value of your security investments

There’s no getting around the fact that your organization will need to find the necessary room in its budget for creating and maintaining an effective security program. And because it’s very difficult to quantify value in terms of the attacks that didn’t take place, it’s a good idea to maintain ongoing communications about what you’re doing and why it’s important. By reporting significant activities that have or could have penetrated critical systems and data, for example, you can demonstrate the value of security technology investments, identify gaps, stop attacks in progress, uncover streamlining opportunities, and inspire confidence in your approach.

Review everything to ensure that there are no gaps or unnecessary overlaps

When you’re working as a group, but taking individual responsibility for specific aspects of a plan, it’s easy to make the mistake of assuming that someone else has covered something that you haven’t. Likewise, it’s just as easy for more than one person to cover the same thing. So do a final check for clarity and completeness—making sure that you’ve included provisions for security intelligence, analytics and monitoring, for example—to reduce unnecessary complexity and spending, and looking for opportunities to simplify ongoing monitoring, management, and real-time decision making across technologies.

Customer data stolen from retailer over 18+ months; at least 45 million records lifted

Estimated costs: Up to $900 million
Victim: Nationwide discount retailer
What happened: Apparently 45 million customer credit and debit card numbers were stolen from the company’s systems, although the true number of records stolen is difficult to determine, given the duration and nature of the incident. This data was sold to criminals and then used to make fraudulent purchases.
Why it happened: The company reportedly collected and stored unnecessary and excessive amounts of personal information for too long and relied on outdated encryption technology to defend the data. Hackers apparently gained initial access into the central database through unsecure wireless connections in retail stores. The company was subsequently found to be in violation of payment industry standards.
Damage done: This is reported to be the largest breach of its kind to get widespread media coverage. In addition to lawsuits, hefty fines, and remediation costs, the damage to reputation and other indirect costs is immeasurable.
Lessons learned: Regular, periodic re-evaluation of infrastructure and information risks is required as changing threats and technologies can render previously acceptable protections obsolete.
(Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information and published articles.)

49% of IT executives say they’re challenged by an inability to measure the effectiveness of their current security efforts.[4]


Step 3: Prepare your response to the inevitable: a sophisticated attack

Once you’ve implemented your security policies, procedures and technologies to the best of your ability, it’s time to address how you’re going to handle a breach if and when it should occur. In fact, as one analyst recently observed, “Most large enterprise security administrators and chief information security officers understand that it is not a matter of if, but when their organization will experience a breach.”[5]

Develop a detailed and coordinated response plan

An organization needs a unified, cross-company policy and process for managing its response to an incident. If you already have a plan in place, have you tested your plan and determined its effectiveness lately?

Your incident response plan should specify how to stop an attack, identify what (if anything) was compromised, and calculate the financial and reputational impact. It should also offer guidelines for communicating with employees, any individuals whose information may have been compromised and the media.

Ensure you have access to the resources and tools needed to respond quickly

The longer it takes to resolve an attack, the more damage it’s likely to do, and the more it’s likely to cost. What’s more, about 78 percent of those senior executives responding to a recent IBM-sponsored survey on reputational risk say they recover from relatively minor incidents (such as a website outage) in less than six months. But it takes longer to recover from reputational damage due to cybercrime—partly because it can be harder to sell the message that the problem has been entirely fixed.[6]


It’s clear that having access to the resources or skills needed to actively respond to and investigate security incidents is key to reducing their impact. If your reputation is critical to your ability to conduct business, and you find that the nature of your business may heighten your risk to sophisticated attacks, you might want to consider employing ongoing threat monitoring and management. This approach uses technology designed to improve defense, automate incident response and conduct forensic analysis across a broad range of threats.

Take a consistent approach to assigning responsibility across the organization

Accept the fact that virtually all organizations will fall victim to a sophisticated attack of some sort, at some time. Make sure your incident response plan specifies who will need to do what—and how everyone will share information. Coordination across the enterprise is key to effective detection, remediation and containment. It’s important that everyone involved has a role to play—and knows what that role is. Determine which steps each stakeholder will take to prepare his or her area to help reduce the occurrence—and limit the extent—of sophisticated attacks.


Payment processor suffers intrusion into core business, affecting 130 million customers

Estimated costs: Up to $500 million
Victim: Payment processor
What happened: Around 130 million customer credit and debit card numbers were stolen from a payment processing system, resulting in fraudulent transactions.
Why it happened: Malicious software was apparently inserted into the processing system and used to collect in-transit, unencrypted payment data while it was being processed by the firm during the transaction authorization process. Card data included card numbers, expiration dates, and certain other information from the magnetic stripe on the back of the payment card.
Damage done: This was a large, visible breach that also received widespread media coverage. The firm reportedly paid in excess of $140 million in direct costs related to legal judgments, settlements, and fees. And the company’s market capitalization reportedly dropped by nearly half a billion dollars in the three months following the event.
Lessons learned: Direct, forthright crisis response minimized client defection. The information shared and leveraged from an industry standards association strengthened the company’s security posture, allowing it to eventually recover its loss in market value.
(Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information and published articles.)

Step 4: Promote and support a culture of security awareness

The job of securing an enterprise’s network continues to grow ever more complex as information pours in from thousands of devices and through scores of public web-based services. One study reports that 91 percent of enterprise smart phone users connect to corporate email, but only one in three is required to install mobile security software.[7] In such an environment, access is easy for everyone involved—including criminals.

Create and support a risk-aware culture throughout your organization

It’s time to expand the mission of enterprise security, from the tech staff and their machines to every person within the company, and everyone who does business with it. Since each person poses a potential breach, each one must also represent a piece of the solution. In the end, success hinges upon promoting and supporting a risk-aware culture, where the importance of security informs every decision and procedure at every level of the company. That means secure procedures for data need to become second nature, much like locking the door behind you when you leave home.

Ensure that each employee knows what to do

The process of changing a company’s culture can be enormously challenging. But if you start by taking steps to communicate the real importance of helping to improve security and teach everyone how to recognize and report possible security problems, you will be heading in the right direction.


Our security essentials

At IBM, we are constantly striving to find the balance between improving the way we do business and the need to control risk. The company’s comprehensive response includes technology, process and policy measures. It involves 10 essential practices.

1. Build a risk-aware culture—where there’s simply zero tolerance, at a company level, when colleagues are careless about security. Management needs to push this change relentlessly from the very top down, while also implementing tools to track progress.
2. Manage incidents and respond—A company-wide effort to implement intelligent analytics and automated response capabilities is essential. Creating an automated and unified system will enable an enterprise to monitor its operations—and respond quickly.
3. Defend the workplace—Each work station, laptop or smart phone provides a potential opening for malicious attacks. The settings on each device must all be subject to centralized management and enforcement. And the streams of data within an enterprise have to be classified and routed solely to its circle of users.
4. Security by design—One of the biggest vulnerabilities in information systems comes from implementing services first, and then adding security on afterwards. The only solution is to build in security from the beginning, and to carry out regular tests to track compliance.
5. Keep it clean—Managing updates on a hodgepodge of software can be next to impossible. In a secure system, administrators can keep track of every program that’s running, be confident that it’s current, and have a system in place to install updates and patches as they’re released.
6. Control network access—Companies that channel registered data through monitored access points will have a far easier time spotting and isolating malware.
7. Security in the clouds—If an enterprise is migrating certain IT services to a cloud environment, it will be in close quarters with lots of others—possibly including scam artists. So it’s important to have the tools and procedures to isolate yourself from the others, and to monitor possible threats.
8. Patrol the neighborhood—An enterprise’s culture of security must extend beyond company walls, and establish best practices among its contractors and suppliers. This is a similar process to the drive for quality control a generation ago.
9. Protect the company jewels—Each enterprise should carry out an inventory of its critical assets—whether it’s scientific or technical data, confidential documents or clients’ private information—and ensure it gets special treatment. Each priority item should be guarded, tracked, and encrypted as if the company’s survival hinged on it.
10. Track who’s who—Companies that mismanage the “identity lifecycle” are operating in the dark and could be vulnerable to intrusions. You can address this risk by implementing meticulous systems to identify people, manage their permissions, and revoke them as soon as they depart.
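Practice 10, tracking who’s who, is checkable rather than aspirational. The script below is an added example (not IBM code, and not any IBM product’s logic) of the reconciliation an identity team can run on a schedule: it joins an HR roster to a directory export, both constructed here as small CSV snippets with invented usernames, and reports accounts still enabled for terminated staff, accounts with no HR owner at all, and privileged accounts nobody has used in 90 days. The 90-day window and the “domain-admins” group name are assumptions chosen for the example.

```python
"""Identity-lifecycle reconciliation (added example, not IBM code).

Cross-checks a directory export against the HR roster to find accounts
that should have been revoked or reviewed. The CSV snippets, usernames,
group name and 90-day dormancy threshold are constructed for the example.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster: the system of record for who still works here.
HR_CSV = """\
employee_id,username,status,end_date
1001,asmith,active,
1002,bjones,terminated,2012-11-30
1003,cdoe,active,
1004,dlee,terminated,2013-01-15
"""

# Constructed directory export: accounts as the identity system sees them.
DIRECTORY_CSV = """\
username,enabled,last_login,groups
asmith,true,2013-02-01,staff
bjones,true,2012-12-05,staff;domain-admins
cdoe,true,2012-09-10,staff;domain-admins
dlee,false,2013-01-14,staff
svc-backup,true,2013-02-03,domain-admins
"""

PRIVILEGED_GROUPS = frozenset({"domain-admins"})  # assumed group name


def _rows(text):
    """Parse a CSV snippet into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv, directory_csv, today, dormant_days=90,
              privileged=PRIVILEGED_GROUPS):
    """Return {finding_type: sorted usernames}.

    terminated_enabled: HR says the person left, account is still enabled
    orphaned:           account with no HR owner (nobody accountable for it)
    dormant_privileged: enabled privileged account unused for dormant_days
    """
    hr = {r["username"]: r for r in _rows(hr_csv)}
    cutoff = today - timedelta(days=dormant_days)
    findings = {"terminated_enabled": [], "orphaned": [], "dormant_privileged": []}

    for acct in _rows(directory_csv):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        groups = set(acct["groups"].split(";")) if acct["groups"] else set()
        last_login = (date.fromisoformat(acct["last_login"])
                      if acct["last_login"] else None)

        owner = hr.get(user)
        if owner is None:
            findings["orphaned"].append(user)
        elif owner["status"] == "terminated" and enabled:
            findings["terminated_enabled"].append(user)

        # A never-used or long-unused admin account is a standing target
        # regardless of whether HR knows the owner.
        if enabled and groups & privileged and (last_login is None or last_login < cutoff):
            findings["dormant_privileged"].append(user)

    return {kind: sorted(users) for kind, users in findings.items()}


def run_sample():
    """Reconcile the constructed data as of an assumed review date."""
    return reconcile(HR_CSV, DIRECTORY_CSV, today=date(2013, 2, 4))


if __name__ == "__main__":
    for kind, users in run_sample().items():
        print(f"{kind}: {', '.join(users) or 'none'}")
```

An orphaned account such as the service account above is not automatically wrong, but it has no owner to answer for it; the fix is to assign one in the roster (or a service-account register) rather than to suppress the finding.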


Figure 1. Ten essential practices: A successful security program strikes a balance that allows for flexibility and innovation while maintaining consistent safeguards that are understood and practiced throughout the organization.

Get started now—before your company becomes a victim

IBM X-Force reported just over 4,400 new security vulnerabilities for the first half of 2012. Assuming that this trend continued throughout the rest of the year, the total projected vulnerabilities would likely surpass the record of nearly 9,000, set in 2010. In addition, the rate of unpatched vulnerabilities for the first half of 2012 was the highest that IBM X-Force had seen since 2008.

Many organizations have had to deal with the fallout caused by password and personal data leaks. And these attacks have become increasingly sophisticated. For example, by obtaining small amounts of key personal data from public social media sites, attackers have been able to use clever social engineering “tricks” to gain unrestricted access to targeted accounts. They have even bypassed two-factor authentication by convincing mobile providers to relocate a user’s voicemail. So it’s not a matter of whether your company will become a victim, but when. In fact, 61 percent of the senior executives who participated in IBM’s recent study on reputational risk and IT said that data breaches, data theft and cybercrime posed the greatest threat to their companies’ reputations.[8]

It’s okay to seek help

It’s easy to feel overwhelmed when you consider what it takes to protect your organization from sophisticated attacks. There’s a lot to talk about, think about and worry about. But you just need to take it one step at a time. And you don’t need to go it alone.

IBM Security Services consultants can help you plan, implement and manage virtually all aspects of your security strategy. They’re senior security professionals who have honed their skills in both the public and private sectors, working in corporate security leadership and consulting, investigative branches of government, law enforcement, and research and development.


In addition to offering consulting services, IBM has helped to set the standard for accountability, reliability and protection in managed security services since 1995. These services are designed to help you enhance your information security posture, lower your total cost of ownership and demonstrate compliance by outsourcing the monitoring and management of your security operations to IBM, regardless of device type or vendor, on a 24x7x365 basis or as needed.

IBM Managed Security Services can provide the security intelligence, expertise, tools and infrastructure you need to help secure your information assets from Internet attacks around the clock, often at a fraction of the cost of in-house security resources.

Begin with a complimentary Security Health Scan

By now you’re probably starting to think about how vulnerable your company may be. You can get a glimpse with a complimentary Security Health Scan from IBM Security Services. Here’s how it works: IBM will scan up to 10 IP addresses or a web domain of your choosing once a week for three weeks, at no charge. You’ll receive a detailed analysis of the vulnerabilities that are found—classified by their level of severity—along with step-by-step instructions on how to remediate them. What’s more, for the duration of your scanning period you’ll have access to the IBM Managed Security Services Virtual Security Operations Center portal and all the intelligence and threat information it provides.

What would a Security Health Scan find at your company?

Here are sample Security Health Scan findings for several types of organizations, showing the average number of vulnerabilities found after just one of three consecutive weekly scans. It’s not a surprise to see that even the most secure companies can find they have significant exposures, sometimes on multiple fronts. In today’s dynamic business environment, where boundaries no longer exist, you’re more than likely to find at least some vulnerabilities and exposures.

Vulnerabilities found after one weekly scan, by severity:

Severity    University    Insurance company    Virtual hosting / web hosting provider    City government
Severe      106           86                   112                                       112
Moderate    7             11                   20                                        20
Critical    23            17                   38                                        9


SEW03029-USEN-00

© Copyright IBM Corporation 2013
IBM Global Services, Route 100, Somers, NY 10589, U.S.A.

Produced in the United States of America, February 2013. All Rights Reserved.

IBM, the IBM logo, ibm.com and X-Force are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.

Notes

1 Ponemon Institute LLC, The Impact of Cybercrime on Business: Studies of IT practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil, sponsored by Check Point Software Technologies, May 2012.
2 IBM X-Force 2012 Mid-year Trend and Risk Report, September 2012.
3 See note 1 above.
4 Security Intelligence Can Deliver Value Beyond Expectations And Needs To Be Prioritized, a commissioned study conducted by Forrester Consulting on behalf of IBM Global Technology Services, May 2012.
5 Blog post: “Okay, Breaches Are Inevitable: So Now What Do We Do?” by Paula Musich, Current Analysis, July 20, 2012.
6 IBM Global Technology Services, Reputational risk and IT, September 2012.
7 Kaspersky Labs, Enterprise Mobile Security Survey, December 2010.
8 See note 6 above.

For more information

To learn more about how IBM Security Services can help you reduce costs and increase your protection against sophisticated threats, please contact your IBM representative or IBM Business Partner, or visit the following website: ibm.com/services/security

To sign up for a complimentary Security Health Scan, visit: ibm.com/security-scan