BreachExchange mailing list archives

4 strategies to help CIOs prepare for cyberattacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 30 Apr 2014 18:29:42 -0600

http://www.itworld.com/security/416664/4-strategies-help-cios-prepare-cyberattacks

Cyberattacks threaten all of us. White House officials confirmed in March
2014 that federal agents told more than 3,000 U.S. companies that their IT
deployments had been hacked, according to The Washington Post. Meanwhile,
Bloomberg reports that the Securities and Exchange Commission (SEC) is
looking into the constant threats of cyberattacks against stock exchanges,
brokerages and other Wall Street firms.

These attacks are going to happen, no matter what you do. Here, then, are
four strategies to help you deal with cyberattacks and the threats they
pose.

1. Have a Cyberattack Disclosure Plan

Many industries are regulated by state, local and federal governments and
have specific rules about what must be disclosed to consumers during a
cyberattack. This is especially true of the healthcare and financial
verticals, where sensitive customer information is involved.

Sometimes in the wake of an attack, though, or even while an attack is
still happening, the evolving situation can be murky enough that disclosure
rules get broken -- or, at the very least, the disclosure process is
delayed or confused. For that reason, it's important to plan ahead and
develop an action framework when events that trigger a disclosure response
occur.

Here are some considerations:

Understand the applicable regulatory framework. For publicly traded
companies, the SEC generally has disclosure guidelines and timeframes. For
financial institutions, the Office of the Comptroller of the Currency (OCC)
and the Federal Deposit Insurance Corporation (FDIC) handle this on the
federal side. State regulations vary.

Engage your communications team. These employees are professionals who have
developed relationships with media and other external stakeholders. They
can help you control the messaging and disclosures that you're required to
make, as well as advise on the timing and breadth of those statements.

Coordinate with the required departments. Most CIOs coordinate with the
individual IT teams responsible for the area under attack -- as well as
outside contractors and vendors helping with the mitigation and recovery,
and applicable government agencies, to keep the disclosure plan on track.
Identify key personnel ahead of time and make sure roles and next actions
to carry out disclosure plans are known.

2. Understand What Targets Cybercriminals Value

The real question about cyberattacks isn't when they occur. Attackers
constantly invent new ways to do everything, connectivity to the Internet
is becoming more pervasive, and it's easier and cheaper than ever to
acquire a botnet to do your bidding if you are a malfeasant. Cyberattacks
will happen to you -- tonight, next week, next month or next year.

The real question about cyberattacks is where they will occur. Traditional
attacks have really gone after most of the low-hanging fruit, such as
payment information (witness the recent Target breach) or just general
havoc-wreaking, such as the Syrian Electronic Army's distributed denial of
service (DDoS) attacks. Many attacks have been motivated by political or
moral issues, or they've been relatively simple attempts to harvest payment
information to carry out low-level fraud.

Future attacks could have more significant ramifications, though, including
the attempt to retrieve more dangerous identity information such as Social
Security numbers. In a recent panel discussion at the Kaspersky
CyberSecurity Summit, Steve Adegbite, senior vice president of enterprise
information security oversight and strategy at Wells Fargo, hinted that
attackers may well be attempting to penetrate where the data is -- implying
that new cloud technologies and data warehouses, as well as weaknesses in
emerging technologies embraced by larger companies, could well be future
targets for attackers.

Where cyberattacks will occur also pertains to the location of your
enterprise. Threats in the United States will have a different profile than
threats in Europe. Location matters in this equation. Take some time with
your team to assess where cyberattacks are likely to be directed across
your enterprise. Understand what may now be at an increased risk of attack,
especially relative to the past.

3. Lobby for Budget to Defend Against, Mitigate Cyberattacks

IT budgets are no goldmine. CIOs have been used to having to do more with
less for a long time now. If you've sung the praises to your management
group about how you can save money by, for example, moving to the cloud or
consolidating and virtualizing many servers, you might find yourself with
reduced budgets and reduced headcounts -- right as the storm of
cyberattacks threatens you. This isn't a preferred position.

Unfortunately, cyberattacks aren't only damaging. They're expensive, not
only in terms of the cost of services being down but also the expense
directly attributable to mitigating and defending them. Vendors with
experience in reacting in real time to cyberattacks and mitigating their
effects are tremendously expensive, both at the time of the event and
hosting data during periods of inactivity in order to be prepared if and
when an attack occurs. Purchasing the hardware and software necessary to
properly harden your systems is expensive. This is an important line item,
an important sub area, in your budget for which you need to account.
Consider it insurance on which you will almost certainly collect.

Also, look for products and technologies rated at EAL 6+, or High
Robustness, which is a standard the government uses to protect intelligence
information and other high-value targets.

Bottom line: Don't cannibalize your budget for proactive IT improvements
and regular maintenance because you've failed to plan for a completely
inevitable cyberattack.

4. In the Thick of an Attack, Ask for Help

When you're experiencing an attack, you need good information you can rely
on. Others have that information. In particular, look for the following:

Join information-sharing consortiums that can help you monitor both the
overall threat level for cyberattacks and the different patterns that
attack victims have noticed. For example, the National Retail Federation
announced a new platform to share information and patterns that aim to
arrest the data breaches the industry has recently suffered. Financial
services companies have set up an informational network, and other
regulated industries often have a department of the governmental regulatory
body that can serve as a contact point to help prevent this kind of illegal
activity.

Develop a relationship with vendors with expertise on cyberattacks. It may
be tempting to try to rely only on in-house resources and talent, both as a
way to control costs and protect valuable information about your
infrastructure, but many vendors and consulting companies have worked
through multiple cyberattacks and have tremendous experience under their
belts. Hiring one of these companies may well stop a cyberattack before it
does serious harm.

Using the security technology you have in place, understand what readings
are important and what may well be just noise. In an effort to impress and
appear complete, many software vendors monitor every little thing under the
sun and spin up a multitude of readings that can mask or inadvertently
dilute the notifications of serious problems. Use your technology wisely
and understand what notifications refer to high-value targets so you can
act earlier in the attack lifecycle.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
