Responding to and recovering from sophisticated security attacks
IBM Global Technology Services
IBM Security Services
White Paper

Responding to—and recovering from—sophisticated security attacks
The four things you can do now to help keep your organization safe
Contents
• Introduction
• Step 1: Prioritize your business objectives and set your risk tolerance
• Step 2: Protect your organization with a proactive security plan
• Step 3: Prepare your response to the inevitable: a sophisticated attack
• Step 4: Promote and support a culture of security awareness
• Get started now—before your company becomes a victim
• For more information

How severe? Sophisticated attacks can include:
• Stealing intellectual property
• Confiscating bank accounts and other financial assets
• Distributing malware on individual computers and across systems
• Posting confidential business and/or customer information online
• Damaging critical infrastructure

How frequent? A 2012 study of 2,618 business leaders and security practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil found that they experienced an average of 66 attacks per week, with organizations in Germany and the U.S. reporting the highest numbers: 82 and 79 per week, respectively. And in their 2012 mid-year report, IBM X-Force research and development teams noted an upward trend in overall vulnerabilities, predicting a possible all-time high by the end of the year.2

How costly? The average cost of recovering from a single cyber attack was estimated to be as much as nearly $300,000 by the organizations mentioned in the above 2012 study.3 That could amount to nearly $1 billion over the course of a year.

Introduction
Like so many other things in today's world, cyber attacks—along with those who perpetrate them—are becoming more sophisticated every year. At the same time, IT resources are moving outside the firewall and enterprises are distributing their applications and data across multiple devices. It's now clear that simply protecting an organization's perimeter is not enough. These sophisticated attacks—which include advanced persistent threats, or APTs—are bypassing traditional defenses.

We know all too well how major security incidents can affect a company's data, networks and corporate brand. We also know that sophisticated attacks, designed to gain continuous access to critical information or to cause damage in critical infrastructure, are becoming more severe, more frequent and more costly.

What's more, we know that the people behind these sophisticated attacks are patient, long-term planners. They do reconnaissance and target specific vulnerabilities. And they're shifting their focus from exploitation to destruction.
In this paper we'll discuss the four proactive steps that you can—and should—take now to help keep your organization safe:
• Prioritize your business objectives and set your risk tolerance
• Protect your organization with a proactive security plan
• Prepare your response to the inevitable: a sophisticated attack
• Promote and support a culture of security awareness.

Step 1: Prioritize your business objectives and set your risk tolerance
Experience over the past several years has made it clear that "security" is a relative term. Because no matter how much we may want to create a completely and permanently secure enterprise and be done with it, reality dictates otherwise. Still, the growing threat of sophisticated attacks demands that we take seriously the business of securing our information and protecting our people and infrastructure. And that starts with setting priorities.

Determine what's most important to the security of your business and why
This sounds fairly obvious. But taking the time to really think about your business objectives and discuss what's most important—and how much risk you're willing to tolerate—will help lay a solid foundation for a security strategy that meets the unique needs of your entire organization. Once you've established this baseline, you'll have taken a big step in the right direction.

Identify those areas most vulnerable to attack
Just as there are some things that are more important than others to the security of your business, there are also some areas that are more vulnerable than others. This is not an exercise in finger-pointing or laying blame. Instead, it's an opportunity to see things as they are—so you can create a more secure environment overall.

Identify the specific types of attacks that pose the biggest threat
Sophisticated attacks are designed to wreak as much havoc as possible—typically resulting in the loss or misuse of critical data, the disruption of critical infrastructure, or both. That's why you need to look at your company's information and business-critical systems from an attacker's point of view. And then ask yourself how an attacker could do the most damage.

Identify those areas that would incur the greatest loss in the event of an attack
This is where you come face to face with your biggest nightmare. If you're going to come up with a successful plan, you need to be able to see just how much devastation would occur if an attack were to succeed in striking your business where it would hurt the most.

"You need to look at your company's information and business-critical systems from an attacker's point of view."
Step 2: Protect your organization with a proactive security plan
Now that you've established your priorities, it's time to make your plans, get the right technology in place and put everything into action. This is where you take the steps to ensure that your company is aware of potential threats and working proactively to defend itself against them—on an ongoing basis.

Create a proactive and informed approach to IT security
Develop a security strategy with policies and technologies designed to proactively protect the assets and information you identified as priorities in Step 1. Arming your organization to manage those vulnerabilities successfully is an essential part of taking a proactive stance on security. And the security policies you develop will lay the foundation for your information security management strategy. These policies should document your security requirements, processes and technology standards. There's also a bonus to be had here: in addition to helping you detect and eliminate vulnerabilities, a smart security strategy can also enhance business operations by reducing risk and decreasing IT security management costs.

Identify existing vulnerabilities and fix them
This could involve a process as straightforward (but resource intensive) as making sure every operating system on every machine is up to date on security patches—and will stay that way. Other vulnerabilities are more difficult to detect and fix, such as weaknesses in business applications.

Case study: Online gaming / entertainment sites hacked, 100 million customer records compromised
Estimated costs: $3.6 billion
Victim: Online gaming community and entertainment sites
What happened: An "external intrusion" to a gaming network resulted in 70 million customer accounts being compromised, putting personal and credit card data at risk. The firm was forced to "turn off" online services during the investigation, causing public backlash and widespread negative press. A second hack in the entertainment division compromised additional client data.
Why it happened: Hackers allegedly were able to penetrate network security and gain access to unencrypted account and user data, and possibly some credit card data.
Damage done: In addition to widespread, negative public sentiment, the firm reportedly faced costs exceeding $171 million in lost business and response expense. The firm's reported market capitalization fell by approximately $3.6 billion, as the stock price dropped 12 percent.
Lessons learned: It's reported that one of the vulnerabilities exploited was known to the company. Firms should leverage a framework for managing risk associated with information assets, as well as establish strong governance mechanisms to support that framework.
Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information and published articles.
Mitigate against any existing threats
Are you confident that you aren't already the victim of a sophisticated attack? Particularly pernicious attacks such as advanced persistent threats, or APTs, are designed to remain invisible for as long as possible, moving from one compromised host to the next without generating network traffic that stands out from normal activity. At the heart of every APT lies a remote control function, which enables criminals to navigate to specific hosts within target organizations, manipulate local systems, and gain continuous access to critical information. To protect yourself, you need tools designed to detect remote control communications between your systems and the criminal invader.

Test, test, and test some more
With the emergence of sophisticated attacks comes the reality that one will strike your organization. It's only a matter of time. That's why it's become more important than ever that you pay serious attention to testing your security policies, procedures and technologies for effectiveness—especially since doing so is a key element of legal and regulatory requirements for due care and diligence. Failure to do so can mean that corporate officers are held liable for the results of a security breach. And because the security landscape is continuing to change at an ever-increasing pace, it's equally important that you implement policies for regular testing and review.

"It's become more important than ever that you pay serious attention to testing your security policies, procedures and technologies for effectiveness."

Take a smart approach to security intelligence
How do you stay on top of all this—without sending your IT department into a continual state of panic? Security intelligence and analytics tools can actively monitor and correlate activity across multiple security technologies, offering you visibility and insight into what's going on in your environment—to help you spot and investigate the kind of suspicious activity that could indicate an attack is underway. They help reduce complexity by communicating in one common language across multi-vendor environments, while taking the strain off your IT department and potentially delivering both time and cost savings.

Develop governance procedures and assign ownership of risk
Like most other things, the security programs and policies you design to defend against threats such as sophisticated attacks will only be as good as your organization's ability to ensure that everyone is playing by the rules. So you need to have a plan in place for staying on top of the situation for the long term. That includes deciding who's going to monitor and manage your security policies and how you'll provide proof that your risk posture is being maintained. Make sure your security program has ownership and leadership assigned across critical business areas. By expanding accountability and awareness across key areas of risk, you'll create a heightened understanding and enforcement of the security controls you've put in place. And that, in turn, will allow you to create a more secure business environment.
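The "Mitigate against any existing threats" section above says you need tooling that can spot remote control (command-and-control) traffic even when it blends in with normal activity. One property that such traffic often has and ordinary browsing does not is periodicity: an implant checks in with its controller on a timer, with little jitter. The following is an added example, not code from the white paper or from any IBM product, that parses a handful of constructed proxy log lines, groups requests by (client, destination) and flags pairs whose inter-request intervals are regular. The log format, the hosts and IP addresses, and the thresholds (five requests, coefficient of variation under 0.15) are all assumptions chosen for the illustration.

```python
"""Beacon detection over constructed proxy log lines (added example).

Groups outbound requests by (client, destination host) and flags pairs whose
gaps between consecutive requests are nearly constant, which is the signature
of a timed check-in. Format and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, one request per line:
# "<ISO timestamp> <client ip> <destination host> <bytes sent>"
# 10.0.0.5 checks in with update.example.net roughly once a minute (beacon);
# 10.0.0.7 browses news/cdn hosts at irregular intervals (normal user).
SAMPLE_LOG = """\
2012-09-03T09:00:00 10.0.0.5 update.example.net 312
2012-09-03T09:00:02 10.0.0.7 news.example.com 20412
2012-09-03T09:01:00 10.0.0.5 update.example.net 310
2012-09-03T09:01:17 10.0.0.7 cdn.example.com 88121
2012-09-03T09:02:01 10.0.0.5 update.example.net 315
2012-09-03T09:02:05 10.0.0.7 news.example.com 19034
2012-09-03T09:03:00 10.0.0.5 update.example.net 311
2012-09-03T09:03:59 10.0.0.5 update.example.net 309
2012-09-03T09:04:40 10.0.0.7 news.example.com 21877
2012-09-03T09:05:01 10.0.0.5 update.example.net 314
2012-09-03T09:09:12 10.0.0.7 news.example.com 20990
2012-09-03T09:09:30 10.0.0.7 news.example.com 18250
2012-09-03T09:12:30 10.0.0.7 cdn.example.com 91002
"""


def parse(log_text):
    """Return a list of (timestamp, client, host, bytes) tuples."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), client, host, int(nbytes)))
    return rows


def find_beacons(rows, min_requests=5, max_cv=0.15):
    """Flag (client, host) pairs with regular check-in intervals.

    A pair is reported when it has at least `min_requests` requests and the
    coefficient of variation (stdev / mean) of the gaps between consecutive
    requests is below `max_cv`. Returns {(client, host): mean gap in seconds}.
    """
    by_pair = defaultdict(list)
    for ts, client, host, _ in rows:
        by_pair[(client, host)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to call the timing regular
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(parse(SAMPLE_LOG)).items():
        print(f"possible beacon: {client} -> {host} every {interval:.0f}s")
```

On the sample above only the 10.0.0.5 to update.example.net pair is reported (mean gap about 60 seconds); the browsing client has enough requests but its gaps vary too much. In practice a low coefficient of variation alone produces false positives from legitimate pollers (software update checks, monitoring agents), so the result is a lead for investigation that you would combine with destination rarity, reputation and request-size regularity, and a determined adversary can add jitter, which argues for a looser `max_cv` or a histogram of gaps rather than a single threshold.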
Demonstrate and document the value of your security investments
There's no getting around the fact that your organization will need to find the necessary room in its budget for creating and maintaining an effective security program. And because it's very difficult to quantify value in terms of the attacks that didn't take place, it's a good idea to maintain ongoing communications about what you're doing and why it's important. By reporting significant activities that have or could have penetrated critical systems and data, for example, you can demonstrate the value of security technology investments, identify gaps, stop attacks in progress, uncover streamlining opportunities, and inspire confidence in your approach.

49% of IT executives say they're challenged by an inability to measure the effectiveness of their current security efforts.4

Review everything to ensure that there are no gaps or unnecessary overlaps
When you're working as a group, but taking individual responsibility for specific aspects of a plan, it's easy to make the mistake of assuming that someone else has covered something that you haven't. Likewise, it's just as easy for more than one person to cover the same thing. So do a final check for clarity and completeness—making sure that you've included provisions for security intelligence, analytics and monitoring, for example—to reduce unnecessary complexity and spending, and looking for opportunities to simplify ongoing monitoring, management, and real-time decision making across technologies.

Case study: Customer data stolen from retailer over 18+ months; at least 45 million records lifted
Estimated costs: Up to $900 million
Victim: Nationwide discount retailer
What happened: Apparently 45 million customer credit and debit card numbers were stolen from the company's systems, although the true number of records stolen is difficult to determine, given the duration and nature of the incident. This data was sold to criminals and then used to make fraudulent purchases.
Why it happened: The company reportedly collected and stored unnecessary and excessive amounts of personal information for too long and relied on outdated encryption technology to defend the data. Hackers apparently gained initial access into the central database through unsecured wireless connections in retail stores. The company was subsequently found to be in violation of payment industry standards.
Damage done: This is reported to be the largest breach of its kind to get widespread media coverage. In addition to lawsuits, hefty fines, and remediation costs, the damage to reputation and other indirect costs are immeasurable.
Lessons learned: Regular, periodic re-evaluation of infrastructure and information risks is required, as changing threats and technologies can render previously acceptable protections obsolete.
Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information and published articles.
Step 3: Prepare your response to the inevitable: a sophisticated attack
Once you've implemented your security policies, procedures and technologies to the best of your ability, it's time to address how you're going to handle a breach if and when it should occur. In fact, as one analyst recently observed, "Most large enterprise security administrators and chief information security officers understand that it is not a matter of if, but when their organization will experience a breach."5

Develop a detailed and coordinated response plan
An organization needs a unified, cross-company policy and process for managing its response to an incident. If you already have a plan in place, have you tested your plan and determined its effectiveness lately?

Your incident response plan should specify how to stop an attack, identify what (if anything) was compromised, and calculate the financial and reputational impact. It should also offer guidelines for communicating with employees, any individuals whose information may have been compromised, and the media.

Ensure you have access to the resources and tools needed to respond quickly
The longer it takes to resolve an attack, the more damage it's likely to do, and the more it's likely to cost. What's more, about 78 percent of those senior executives responding to a recent IBM-sponsored survey on reputational risk say they recover from relatively minor incidents (such as a website outage) in less than six months. But it takes longer to recover from reputational damage due to cybercrime—partly because it can be harder to sell the message that the problem has been entirely fixed.6

"Having the resources or skills needed to actively respond to and investigate security incidents is key to reducing their impact."

It's clear that having access to the resources or skills needed to actively respond to and investigate security incidents is key to reducing their impact. If your reputation is critical to your ability to conduct business, and you find that the nature of your business may heighten your exposure to sophisticated attacks, you might want to consider employing ongoing threat monitoring and management. This approach uses technology designed to improve defense, automate incident response and conduct forensic analysis across a broad range of threats.

Take a consistent approach to assigning responsibility across the organization
Accept the fact that virtually all organizations will fall victim to a sophisticated attack of some sort, at some time. Make sure your incident response plan specifies who will need to do what—and how everyone will share information. Coordination across the enterprise is key to effective detection, remediation and containment. It's important that everyone involved has a role to play—and knows what that role is. Determine which steps each stakeholder will take to prepare his or her area to help reduce the occurrence—and limit the extent—of sophisticated attacks.
Step 4: Promote and support a culture of security awareness
The job of securing an enterprise's network continues to grow ever more complex as information pours in from thousands of devices and through scores of public web-based services. One study reports that 91 percent of enterprise smartphone users connect to corporate email, but only one in three is required to install mobile security software.7 In such an environment, access is easy for everyone involved—including criminals.

Create and support a risk-aware culture throughout your organization
It's time to expand the mission of enterprise security, from the tech staff and their machines to every person within the company, and everyone who does business with it. Since each person poses a potential breach, each one must also represent a piece of the solution. In the end, success hinges upon promoting and supporting a risk-aware culture, where the importance of security informs every decision and procedure at every level of the company. That means secure procedures for data need to become second nature, much like locking the door behind you when you leave home.

Ensure that each employee knows what to do
The process of changing a company's culture can be enormously challenging. But if you start by taking steps to communicate the real importance of helping to improve security and teach everyone how to recognize and report possible security problems, you will be heading in the right direction.

Case study: Payment processor suffers intrusion into core business, affecting 130 million customers
Estimated costs: Up to $500 million
Victim: Payment processor
What happened: Around 130 million customer credit and debit card numbers were stolen from a payment processing system, resulting in fraudulent transactions.
Why it happened: Malicious software was apparently inserted into the processing system and used to collect in-transit, unencrypted payment data while it was being processed by the firm during the transaction authorization process. Card data included card numbers, expiration dates, and certain other information from the magnetic stripe on the back of the payment card.
Damage done: This was a large, visible breach that also received widespread media coverage. The firm reportedly paid in excess of $140 million in direct costs related to legal judgments, settlements, and fees. And the company's market capitalization reportedly dropped by nearly half a billion dollars in the three months following the event.
Lessons learned: Direct, forthright crisis response minimized client defection. The information shared and leveraged from an industry standards association strengthened the company's security posture, allowing it to eventually recover its loss in market value.
Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information and published articles.
Our security essentials
At IBM, we are constantly striving to find the balance between improving the way we do business and the need to control risk. The company's comprehensive response includes technology, process and policy measures. It involves 10 essential practices.

1. Build a risk-aware culture—where there's simply zero tolerance, at a company level, when colleagues are careless about security. Management needs to push this change relentlessly from the very top down, while also implementing tools to track progress.

2. Manage incidents and respond—A company-wide effort to implement intelligent analytics and automated response capabilities is essential. Creating an automated and unified system will enable an enterprise to monitor its operations—and respond quickly.

3. Defend the workplace—Each workstation, laptop or smartphone provides a potential opening for malicious attacks. The settings on each device must all be subject to centralized management and enforcement. And the streams of data within an enterprise have to be classified and routed solely to their circle of users.

4. Security by design—One of the biggest vulnerabilities in information systems comes from implementing services first, and then adding security on afterwards. The only solution is to build in security from the beginning, and to carry out regular tests to track compliance.

5. Keep it clean—Managing updates on a hodgepodge of software can be next to impossible. In a secure system, administrators can keep track of every program that's running, be confident that it's current, and have a system in place to install updates and patches as they're released.

6. Control network access—Companies that channel registered data through monitored access points will have a far easier time spotting and isolating malware.

7. Security in the clouds—If an enterprise is migrating certain IT services to a cloud environment, it will be in close quarters with lots of others—possibly including scam artists. So it's important to have the tools and procedures to isolate yourself from the others, and to monitor possible threats.

8. Patrol the neighborhood—An enterprise's culture of security must extend beyond company walls, and establish best practices among its contractors and suppliers. This is a similar process to the drive for quality control a generation ago.

9. Protect the company jewels—Each enterprise should carry out an inventory of its critical assets—whether it's scientific or technical data, confidential documents or clients' private information—and ensure it gets special treatment. Each priority item should be guarded, tracked, and encrypted as if the company's survival hinged on it.

10. Track who's who—Companies that mismanage the "identity lifecycle" are operating in the dark and could be vulnerable to intrusions. You can address this risk by implementing meticulous systems to identify people, manage their permissions, and revoke them as soon as they depart.
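Practice 10 is the one of the ten that most directly turns into a repeatable check: an account whose owner has left but that is still enabled is exactly the kind of gap the "identity lifecycle" language refers to. The following is an added example, not the white paper's or IBM's own code, that reconciles an HR roster against a directory export and reports two classes of problem: enabled accounts whose owner was terminated more than a grace period ago (revocation overdue), and enabled accounts that have no HR owner at all. The two CSV layouts, the names and IDs, and the one-day grace period are assumptions for the illustration; real HR and directory exports will carry different columns.

```python
"""Identity-lifecycle reconciliation over constructed data (added example).

Compares an HR roster (who is employed; when leavers left) with a directory
export (which accounts are enabled) and reports accounts that should already
have been disabled, plus enabled accounts with no HR owner. Both layouts are
assumptions for this example, not any real HR or directory product's format.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster: one row per person, termination_date blank if active.
HR_ROSTER = """\
employee_id,name,status,termination_date
1001,Ana Ortiz,active,
1002,Ben Lee,terminated,2012-08-15
1003,Chen Wu,terminated,2012-09-02
1004,Dee Patel,active,
"""

# Constructed directory export: one row per account, employee_id blank for
# accounts (service accounts, leftovers) that nobody in HR is recorded as owning.
DIRECTORY_EXPORT = """\
account,employee_id,enabled
aortiz,1001,true
blee,1002,true
cwu,1003,false
dpatel,1004,true
svc_backup,,true
jdoe,1999,true
"""


def load(csv_text):
    """Parse a CSV string into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(hr_rows, dir_rows, as_of, grace_days=1):
    """Return {"stale": [...], "orphaned": [...]} account names.

    stale:    enabled account whose owner was terminated more than
              `grace_days` before `as_of` (ISO date string)
    orphaned: enabled account whose employee_id matches no HR record
    Disabled accounts are ignored: revocation already happened.
    """
    today = date.fromisoformat(as_of)
    hr = {row["employee_id"]: row for row in hr_rows}
    stale, orphaned = [], []
    for acct in dir_rows:
        if acct["enabled"].strip().lower() != "true":
            continue
        owner = hr.get(acct["employee_id"].strip())
        if owner is None:
            orphaned.append(acct["account"])
            continue
        if owner["status"] == "terminated":
            left = date.fromisoformat(owner["termination_date"])
            if today - left > timedelta(days=grace_days):
                stale.append(acct["account"])
    return {"stale": stale, "orphaned": orphaned}


if __name__ == "__main__":
    report = reconcile(load(HR_ROSTER), load(DIRECTORY_EXPORT), "2012-09-03")
    print("revocation overdue:", report["stale"])
    print("no HR owner:      ", report["orphaned"])
```

Run against the sample as of 2012-09-03, `blee` is reported as stale (terminated 19 days earlier, still enabled), `cwu` is not (already disabled), and `svc_backup` and `jdoe` are reported as orphaned. Service accounts will always show up in the orphaned list unless you keep an explicit owner register for them; the right fix is to record a responsible person for each, not to suppress the finding. Running this daily and treating a non-empty result as a ticket is a small but concrete way to provide the "proof that your risk posture is being maintained" that Step 2 asks for.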
[Figure 1: the ten essential practices arranged as a wheel: Build a risk-aware culture; Manage incidents and respond; Defend the workplace; Security by design; Keep it clean; Control network access; Security in the clouds; Patrol the neighborhood; Protect the company jewels; Track who's who.]
Figure 1. Ten essential practices: A successful security program strikes a balance that allows for flexibility and innovation while maintaining consistent safeguards that are understood and practiced throughout the organization.

Get started now—before your company becomes a victim
IBM X-Force reported just over 4,400 new security vulnerabilities for the first half of 2012. Assuming that this trend continued throughout the rest of the year, the total projected vulnerabilities would likely surpass the record of nearly 9,000, set in 2010. In addition, the rate of unpatched vulnerabilities for the first half of 2012 was the highest that IBM X-Force had seen since 2008.

Many organizations have had to deal with the fallout caused by password and personal data leaks. And these attacks have become increasingly sophisticated. For example, by obtaining small amounts of key personal data from public social media sites, attackers have been able to use clever social engineering "tricks" to gain unrestricted access to targeted accounts. They have even bypassed two-factor authentication by convincing mobile providers to relocate a user's voicemail. So it's not a matter of whether your company will become a victim, but when. In fact, 61 percent of the senior executives who participated in IBM's recent study on reputational risk and IT said that data breaches, data theft and cybercrime posed the greatest threat to their companies' reputations.8

"It's not a matter of whether your company will become a victim, but when."

It's okay to seek help
It's easy to feel overwhelmed when you consider what it takes to protect your organization from sophisticated attacks. There's a lot to talk about, think about and worry about. But you just need to take it one step at a time. And you don't need to go it alone.

IBM Security Services consultants can help you plan, implement and manage virtually all aspects of your security strategy. They're senior security professionals who have honed their skills in both the public and private sectors, working in corporate security leadership and consulting, investigative branches of government, law enforcement, and research and development.
In addition to offering consulting services, IBM has helped to set the standard for accountability, reliability and protection in managed security services since 1995. These services are designed to help you enhance your information security posture, lower your total cost of ownership and demonstrate compliance by outsourcing the monitoring and management of your security operations to IBM, regardless of device type or vendor, on a 24x7x365 basis or as needed.

IBM Managed Security Services can provide the security intelligence, expertise, tools and infrastructure you need to help secure your information assets from Internet attacks around the clock, often at a fraction of the cost of in-house security resources.

Begin with a complimentary Security Health Scan
By now you're probably starting to think about how vulnerable your company may be. You can get a glimpse with a complimentary Security Health Scan from IBM Security Services. Here's how it works: IBM will scan up to 10 IP addresses or a web domain of your choosing once a week for three weeks, at no charge. You'll receive a detailed analysis of the vulnerabilities that are found—classified by their level of severity—along with step-by-step instructions on how to remediate them. What's more, for the duration of your scanning period you'll have access to the IBM Managed Security Services Virtual Security Operations Center portal and all the intelligence and threat information it provides.

What would a Security Health Scan find at your company?
Here are sample Security Health Scan findings for several types of organizations, showing the average number of vulnerabilities found after just one of three consecutive weekly scans. It's not a surprise to see that even the most secure companies can find they have significant exposures, sometimes on multiple fronts. In today's dynamic business environment, where boundaries no longer exist, you're more than likely to find at least some vulnerabilities and exposures.

Vulnerabilities found after one weekly scan, by severity:

Organization type                       Critical   Severe   Moderate
University                                    23      106          7
Insurance company                             17       86         11
Virtual hosting/web hosting provider          38      112         20
City government                                9      112         20