BreachExchange mailing list archives

Cyber Security and Corporate Due Diligence


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 18 Nov 2015 19:51:06 -0700

http://www.realcleartechnology.com/articles/2015/11/18/cyber_security_and_corporate_due_diligence.html

The recent cyber-attack on the federal government’s Office of Personnel
Management, in which attackers obtained highly personal information of
over 20 million people, highlights the seriousness of the cyber-security
challenge. However, the Sony attack which occurred earlier in the year is
actually far more noteworthy. The Sony event highlights that significant
risks are not limited simply to the embarrassment of victims and the loss
of sensitive information. Instead, this attack showed that companies which
do not adequately defend their networks carry a high risk of costly damage,
up to and including the complete destruction of the company.

While companies have certainly become sensitized to the legal risks
associated with network attacks and taken action to improve network
security, they have not adequately responded to the greater risk of severe
damage or total company loss due to a destructive cyber-attack. This stems
from a misunderstanding of the implication of successful data loss attacks
coupled with a miscalculation of the risk of a damaging attack.

What does it mean when a network is successfully attacked? It means that an
attacker gained entry to a network and subsequently gained sufficient
network access, or privilege, to advance the purposes of the attack.
Generally speaking, and especially when the victim network is poorly
defended, attackers can obtain very high privilege, easily and without
detection.

What does acquisition of privilege enable? The Sony attack, in addition to
Stuxnet and others, clearly shows that hardware can be physically destroyed,
hard drives wiped, critical data modified, and control over the company
network lost. A compelling example of privilege-enabled destructive power
is an attack that preceded Sony at Saudi Aramco in late 2012. During this
attack, about 30,000 desktop hard drives were destroyed. Such destruction
is not necessarily limited to just desktop computers; critical network
management and data storage systems can also be damaged or destroyed.

Importantly, companies must anticipate that motivated attackers might take
actions to impede recovery from the attack. Recovery time and data loss are
the critical factors, since there are maximums for how long a company can
go without a functional IT system and for how much data loss it can
tolerate. If these maximums are exceeded, the company is destroyed. The
physical buildings will remain standing, but the business itself – along
with shareholder value – will evaporate.

Consequently, the implication of the rapidly growing number of reported
data loss attacks is this: Company networks remain highly vulnerable to
destructive attacks. Security sufficient to block or quickly detect
destructive attacks would also block less serious data loss attacks.

The knowledge and technology of cyber-attacks has proliferated, resulting
in increased hacking tool accessibility, sophistication, and ease of use.
This situation has enabled both “hacktivists,” those motivated to act on
specific grievances, and “jihadists,” those seeking to inflict damage on
enemies. Since the jihadists are globally distributed, attacks can
originate from around the world. Deterring these attacks by way of current
or future U.S. government offensive capability is unlikely.

The coupling of hacktivist and jihadist threats with obviously vulnerable
networks results in a very serious risk. Since the risk involves the
possibility of substantial damage (like with Sony), the consequence of
realizing the risk is enormous.

Assessment of this risk, then, boils down to an estimation of the
likelihood of a damaging attack. Destructive attacks on business networks
are not an everyday occurrence, so the likelihood of such an attack may
seem remote. Some destructive attacks, though, are not publicized. In
addition, attackers may have shifted their focus to critical
infrastructure, making the current likelihood somewhat higher. At a bare
and absolute minimum, the likelihood should be considered equivalent to
that of a natural disaster.

Regardless, responsible company management cannot simply ignore or accept
this risk on the basis that it is difficult to quantify. Companies have a
basic governance responsibility to shareholders, employees, partners,
customers, and society to ensure the recognition and mitigation of
destructive attack risk. Yes, there are certain highly-skilled attackers
capable of defeating virtually any defense. In spite of this, companies
that fail to implement effective cyber security are little more than
low-hanging fruit for more numerous, but somewhat less capable, attackers.

Until effective cyber security is implemented, as evidenced by both mature
security practices and the absence of serious network breaches, the risk of
a destructive cyber-attack is not adequately mitigated.