Symantec 2010 cip_study_global_data

Symantec 2010 Critical Infrastructure Protection Study

Global Results October 2010


Symantec 2010 Critical Infrastructure Protection Study - Global: October 2010


CONTENTS

Executive Summary

Methodology

Finding 1: The threat of attack is real

Finding 2: Industry is a willing partner with Government

Finding 3: There is room for readiness improvement

Key Recommendations

Appendix


EXECUTIVE SUMMARY

Cyberattacks have been a fact of life for companies for decades. But there exists a special class of attack: cyberattacks that are initiated by terrorists or foreign governments with specific political goals in mind. The Stuxnet worm that targeted energy companies around the world is a recent example of a threat designed to spy on and reprogram industrial control systems. Many countries are pursuing Critical Infrastructure Protection (CIP) initiatives aimed at working with industry to address these threats.


METHODOLOGY

Applied Research performed a telephone survey in August 2010. The survey included 1,580 private businesses in industries that are considered critical infrastructure providers. The respondents are from 15 countries worldwide, with companies ranging from 10 employees to more than 10,000. The median company had between 1,000 and 2,499 employees. The confidence level is 95 percent, +/- 2.5 percent. We focused on six key critical infrastructure segments:

- Energy
- Banking & Finance
- Communications
- IT
- Healthcare
- Emergency services


FINDING 1: The threat of attack is real

The threat of attacks with a specific political goal in mind is real. Companies are being targeted by specific political attacks, and the attacks are becoming increasingly frequent and costly. The Stuxnet worm that targeted energy companies around the world is a recent example of a threat designed to spy on and reprogram industrial control systems.

Symantec found that half (53 percent) of all firms said they suspected or were pretty sure they had experienced an attack waged with a specific political goal in mind. In fact, of those hit, the typical company reported being hit 10 times in the past five years. Banking and finance were most likely to report they had been attacked and expect to be hit by politically-minded attacks in the future, while IT was the least likely. One IT director of a mid-sized energy company remarked, “We’ve had people attempt to break in and retrieve documentation, especially the shared material between the oil companies in our library. We had to take some dramatic actions to be able to cut them off.”

Forty-eight percent suspect or are pretty sure they will be attacked in the future, and 80 percent believe the frequency of such attacks is either staying constant or increasing. Furthermore, the attacks are serious, with respondents estimating that three in five (59 to 61 percent) attacks were somewhat to extremely effective. In North America, 74 to 77 percent of the companies surveyed reported that attacks were effective. The attacks were also reported as more effective in small businesses than in large enterprises. The average cost of these attacks was $850,000 in total.


FINDING 2: Industry is a willing partner with Government

Industries are more than willing to cooperate with their government in Critical Infrastructure Protection (CIP). Companies are both aware of and engaged in government CIP programs, and their attitudes about the programs are markedly positive.

Nearly all (90 percent) have engaged with their country’s CIP programs to at least some degree, with 56 percent being significantly or completely engaged. The energy sector has the highest significantly/completely engaged levels at 83 percent, while IT showed the lowest at 49 percent.

The respondents are upbeat about CIP programs as well. Two-thirds (65 percent) say their attitude is somewhat to significantly positive. Companies in Latin America responded with the highest somewhat-to-significantly positive attitude (76 percent). Given a list of terms, respondents most frequently choose “accepting,” “appreciative” and “enthusiastic” to describe their reactions to their country’s CIP plans. An IT manager in a mid-sized energy company noted, “I think it’s great for government to give the private sector a hand in handling these types of attacks.”

Finally, two-thirds (66 percent) say they are somewhat to completely willing to cooperate with their government on CIP.


FINDING 3: There is room for readiness improvement

Though companies are willing to work with government in CIP programs, there is still room for improvement in readiness. As we saw in Finding One, respondents are suffering frequent and effective attacks and are incurring real costs. We asked the companies to rate their level of preparedness against the following common attack vectors:

- Attempt to steal electronic information
- Attempt to alter or destroy electronic information on networks
- Attempt to shut down or degrade computer networks
- Attempt to manipulate physical equipment through control network

Only one-third (28 to 33 percent) felt “extremely prepared” against the attacks. Thirty-six to 41 percent said they felt “somewhat prepared,” while 31 percent (across all types of attack) felt less than somewhat prepared. An IT director for a medium-sized banking and finance company stated, “Major holes exist in our electric Web across the United States, and it wouldn't take much for hackers to get in and shut it down.”

When it came to specific safeguards, the top five safeguards that respondents felt had less than a high state of readiness were the following:

- Security training
- Awareness and appreciation of threat by executive management
- Endpoint security measures
- Security response
- Completed security audit


RECOMMENDATIONS

To Ensure Resiliency Against Critical Infrastructure Cyberattacks:

Develop and enforce IT policies and automate compliance processes. By prioritizing risks and defining policies that span across all locations, organizations can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.

Protect information proactively by taking an information-centric approach. Taking a content-aware approach to protecting information is key in knowing who owns the information, where sensitive information resides, who has access, and how to protect it as it is coming in or leaving your organization. Utilize encryption to secure sensitive information and prohibit access by unauthorized individuals.

Authenticate identities by leveraging solutions that allow businesses to ensure only authorized personnel have access to systems. Authentication also enables organizations to protect public facing assets by ensuring the true identity of a device, system, or application is authentic. This prevents individuals from accidentally disclosing credentials to an attack site and from attaching unauthorized devices to the infrastructure.

Manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.

Protect the infrastructure by securing endpoints, messaging and Web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organizations also need the visibility and security intelligence to respond to threats rapidly.

Ensure 24x7 availability. Organizations should implement testing methods that are non-disruptive and they can reduce complexity by automating failover. Virtual environments should be treated the same as a physical environment, showing the need for organizations to adopt more cross-platform and cross-environment tools, or standardize on fewer platforms.

Develop an information management strategy that includes an information retention plan and policies. Organizations need to stop using backup for archiving and legal holds, implement deduplication everywhere to free resources, use a full-featured archive system and deploy data loss prevention technologies.


For Government to Promote Critical Infrastructure Protection:

Governments should continue to make resources available to establish critical infrastructure programs.

- The majority of critical infrastructure providers confirm that they are aware of critical infrastructure programs.
- Furthermore, a majority of critical infrastructure providers support efforts by the government to develop protection programs.

Governments should partner with industry associations to develop and disseminate information to raise awareness of CIP organizations and plans. Specific information should include how a response would work in the face of a national cyberattack, what the roles of government and industry would be, who the specific contacts are for various industries at a regional and national level, and how government and private business would share information in the event of an emergency.

Governments should emphasize that security alone is not enough to stay resilient in the face of today’s cyberattacks. In addition, critical infrastructure providers and enterprises in general should also ensure that their information is stored, backed up, organized, prioritized, and that proper identity and access control processes are in place.


APPENDIX

All questions included.
