<div dir="ltr"><div dir="ltr"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><a href="https://deloitte.wsj.com/cio/2018/11/19/using-the-cia-triad-to-boost-cyber-resilience/">https://deloitte.wsj.com/cio/2018/11/19/using-the-cia-triad-to-boost-cyber-resilience/</a></div><div dir="ltr"><br></div><div dir="ltr"><div class="gmail-column gmail-at8-col8 gmail-at12-col7 gmail-at16-col9 gmail-at16-offset1" style="margin:0px 0px 0px 80px;padding:0px;border:0px;outline:0px;font-size:10px;vertical-align:baseline;background:transparent;width:720px;max-width:100%;float:left;min-height:1px;box-sizing:border-box;color:rgb(51,51,51)"><div class="gmail-module" style="margin:0px 10px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;box-sizing:border-box"><div id="gmail-wsj-article-wrap" class="gmail-article-wrap" style="margin:0px 0px 50px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent"><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px">Enterprises are no strangers to business continuity and disaster recovery practices, but today’s threat landscape bears little resemblance to the one for which most traditional approaches were designed. 
Cyber incidents such as ransomware and SQL injection attacks are now increasingly commonplace, leaving numerous organizations exposed and without updated plans for recovery.</p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px">Many businesses need new ways to stay secure, vigilant, and resilient in this digital era. Ironically, a potentially useful tool toward that end is one of the oldest concepts in information security: the <a href="https://en.wikipedia.org/wiki/Information_security#Key_concepts" style="margin:0px;padding:0px;vertical-align:baseline;background:transparent;color:rgb(134,188,37);text-decoration-line:none;outline:none">CIA triad</a>.</p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px"><span style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:600;font-style:inherit;vertical-align:baseline;background:transparent">Three Fundamental Goals</span></p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px">The <em style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:inherit;vertical-align:baseline;background:transparent">CIA</em> in the classic triad stands for confidentiality, integrity, and availability—all of which are generally considered core goals of any security approach. 
Today, the model can be used to help uncover the shortcomings inherent in traditional disaster recovery plans and design new approaches for improved <a href="https://deloitte.wsj.com/cio/2018/10/07/quantum-dawn-iv-building-resilience-in-financial-services/" style="margin:0px;padding:0px;vertical-align:baseline;background:transparent;color:rgb(134,188,37);text-decoration-line:none;outline:none">business resilience</a>.</p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px"><span style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:600;font-style:inherit;vertical-align:baseline;background:transparent">Confidentiality. </span>A loss of confidentiality means sensitive information or systems have potentially been accessed or stolen by unauthorized bad actors. This may include intellectual property, personally identifiable information, or protected health information, breaches of which can result in significant fines. Once discovered, it is often difficult to weigh the financial impacts of shutting down critical revenue-generating systems against the effects of ongoing malicious activity. For that reason, many organizations believe they have no choice but to turn off these applications and services with little to no warning.</p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px">Existing recovery practices typically don’t incorporate a process for gracefully shutting down breached environments. In the meantime, investigating, removing, and then certifying services as ready for reintroduction into the network can take a long time, often leaving businesses struggling to cope. 
Customers, meanwhile, are left to their own devices to find replacement products and services.</p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px">One leading approach can be to develop a rapid impact analysis process that details the decision-making procedure, stakeholders, authorities, and information sources to be included in planning the graceful shutdown of critical services. It considers the effects of system isolation and shutdown while exploring additional potential remediation activities. The intent is to enhance the ability to conduct scenario planning while estimating and reducing the impact of shutting down key services before action is taken. The challenge is to limit engagement to a select few decision-makers and balance the consideration of impacts with the need for quick action. As with any cyber incident, avoiding analysis paralysis is critical.</p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px"><span style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:600;font-style:inherit;vertical-align:baseline;background:transparent">Integrity. </span>Cyberattacks continue to evolve, and criminals are increasingly using integrity-based attacks such as <a href="https://deloitte.wsj.com/cio/2017/11/03/prepare-for-ransomware-wannacry-petya-and-beyond/" style="margin:0px;padding:0px;vertical-align:baseline;background:transparent;color:rgb(134,188,37);text-decoration-line:none;outline:none">ransomware</a> as a way of disrupting businesses. 
For bad actors, these are a lucrative business: The WannaCry attacks of 2017, for instance, are <a href="https://www.csoonline.com/article/3196400/data-breach/wannacry-fallout-the-worst-is-yet-to-come-experts-say.html" style="margin:0px;padding:0px;vertical-align:baseline;background:transparent;color:rgb(134,188,37);text-decoration-line:none;outline:none">estimated </a>to have cost companies roughly $10 million in ransom. Little wonder that ransomware attacks grew by <a href="https://gb.press.f-secure.com/2018/05/02/ransomware-gold-rush-looks-finished-but-threat-remains/" style="margin:0px;padding:0px;vertical-align:baseline;background:transparent;color:rgb(134,188,37);text-decoration-line:none;outline:none">over 400 percent</a> in volume that year.</p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px">Ransomware is lucrative because it is effective; it is effective because redundant backup solutions are a widespread component of many recovery programs. But whereas backup systems are typically designed to protect against a physical event, ransomware attacks the integrity of a company’s computer system, not its physical operation. Backup systems are affected along with production environments, essentially transforming them into a cyber liability. The more aggressive the replication they use, the quicker the attack is propagated, leaving backups corrupted.</p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px">In response, many leading companies are now employing air-gapped data vaults for recovery from such attacks. 
These off-network, clean areas are used to securely pull and retain multiple copies of critical data, applications, and core services. By ensuring that production environments do not connect directly to them, organizations can keep their recovery systems safe and get back to business more quickly.</p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px"><span style="margin:0px;padding:0px;border:0px;outline:0px;font-weight:600;font-style:inherit;vertical-align:baseline;background:transparent">Availability. </span>Finally, availability is the core focus of many traditional recovery and continuity practices, which emerged primarily to preserve it when a physical outage occurs. The two most frequently used metrics are recovery time objective, which measures the loss of processing ability, and recovery point objective, which measures the loss of data. The goal is to determine an acceptable amount of loss and then design solutions that ensure recovery within that guideline.</p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px">One common problem is that this approach assumes recovery can begin immediately or shortly after the disruption occurs. In fact, cyberattacks must typically be investigated before recovery efforts can begin; in the meantime, critical applications and business data may be unavailable and unable to be recovered. 
Existing continuity solutions often rely on manual workarounds to sustain the business while it works toward recovery, but as time drags on over the course of extended cyber-incident response and investigation periods, fatal flaws (unsustainable work schedules, for example) often emerge.</p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px">One tactic that can help is pivoting from detailed workaround procedures to agile solutions and processes that instead tap the creativity and ingenuity of employees. Rather than relying on scripted actions, workers can be empowered to navigate a variety of potential cyberattack scenarios using decision support systems that provide a framework for effective decision-making. Coupled with the use of automation and flexible computing capabilities, these systems can equip employees with the tools to transform and sustain affected areas of the business. Practicing through cyber war-gaming exercises can further promote refinement of the processes and technologies while giving employees the confidence they need to take decisive action in serving customers through all phases of a real cyberattack.</p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px;text-align:center">*****</p><p style="margin:0px 0px 17px;padding:0px;border:0px;outline:0px;font-size:17px;vertical-align:baseline;background:transparent;font-family:Helvetica,Arial,sans-serif;line-height:27px">The threats facing organizations’ systems and data today are a far cry from those of yesteryear, and traditional recovery processes often can’t keep up. 
By examining their current approach through the lens of the classic CIA triad and then modernizing accordingly to preserve confidentiality, integrity, and availability, CIOs and other leaders can help their companies stay secure, vigilant, and resilient in the face of today’s ever-evolving cyber risks.</p></div></div></div><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>