BreachExchange mailing list archives
Cyber Security and Corporate Due Diligence
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 18 Nov 2015 19:51:06 -0700
http://www.realcleartechnology.com/articles/2015/11/18/cyber_security_and_corporate_due_diligence.html

The recent cyber-attack on the federal government’s Office of Personnel Management, in which attackers obtained highly personal information of over 20 million people, highlights the seriousness of the cyber-security challenge. However, the Sony attack which occurred earlier in the year is actually far more noteworthy. The Sony event highlights that significant risks are not limited simply to the embarrassment of victims and the loss of sensitive information. Instead, this attack showed that companies which do not adequately defend their networks carry a high risk of costly damage, up to and including the complete destruction of the company. While companies have certainly become sensitized to the legal risks associated with network attacks and taken action to improve network security, they have not adequately responded to the greater risk of severe damage or total company loss due to a destructive cyber-attack. This stems from a misunderstanding of the implication of successful data loss attacks coupled with a miscalculation of the risk of a damaging attack.

What does it mean when a network is successfully attacked? It means that an attacker gained entry to a network and subsequently gained sufficient network access, or privilege, to advance the purposes of the attack. Generally speaking, and especially when the victim network is poorly defended, attackers can obtain very high privilege, easily and without detection.

What does acquisition of privilege enable? The Sony attack, in addition to Stuxnet and others, clearly shows that hardware can be physically destroyed, hard drives wiped, critical data modified, and control over the company network lost. A compelling example of privilege-enabled destructive power is an attack that preceded Sony at Saudi Aramco in late 2012. During this attack, about 30,000 desktop hard drives were destroyed.
Such destruction is not necessarily limited to just desktop computers; critical network management and data storage systems can also be damaged or destroyed. Importantly, companies must anticipate that motivated attackers might take actions to impede recovery from the attack. Recovery time and data loss are the critical factors, since there are maximums for how long a company can go without a functional IT system and for how much data loss it can tolerate. If these maximums are exceeded, the company is destroyed. The physical buildings will remain standing, but the business itself – along with shareholder value – will evaporate.

Consequently, the implication of the rapidly growing number of reported data loss attacks is this: Company networks remain highly vulnerable to destructive attacks. Security sufficient to block or quickly detect destructive attacks would also block less serious data loss attacks.

The knowledge and technology of cyber-attacks has proliferated, resulting in increased hacking tool accessibility, sophistication, and ease of use. This situation has enabled both “hacktivists,” those motivated to act on specific grievances, and “jihadists,” those seeking to inflict damage on enemies. Since the jihadists are globally distributed, attacks can originate from around the world. Deterring these attacks by way of current or future U.S. government offensive capability is unlikely.

The coupling of hacktivist and jihadist threats with obviously vulnerable networks results in a very serious risk. Since the risk involves the possibility of substantial damage (like with Sony), the consequence of realizing the risk is enormous. Assessment of this risk, then, boils down to an estimation of the likelihood of a damaging attack. Destructive attacks on business networks are not an everyday occurrence, so the likelihood of such an attack may seem remote. Some destructive attacks, though, are not publicized.
In addition, attackers may have shifted their focus to critical infrastructure, making the current likelihood somewhat higher. At a bare and absolute minimum, the likelihood should be considered equivalent to that of a natural disaster. Regardless, responsible company management cannot simply ignore or accept this risk on the basis that it is difficult to quantify. Companies have a basic governance responsibility to shareholders, employees, partners, customers, and society to ensure the recognition and mitigation of destructive attack risk.

Yes, there are certain highly skilled attackers capable of defeating virtually any defense. In spite of this, companies that fail to implement effective cyber security are little more than low-hanging fruit for more numerous, but somewhat less capable, attackers. Until effective cyber security is implemented, as evidenced by both mature security practices and the absence of serious network breaches, the risk of a destructive cyber-attack is not adequately mitigated.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss