[BreachExchange] Using the CIA Triad to Boost Cyber Resilience

Inga Goddijn inga at riskbasedsecurity.com
Tue Nov 20 19:25:39 EST 2018


https://deloitte.wsj.com/cio/2018/11/19/using-the-cia-triad-to-boost-cyber-resilience/

Enterprises are no strangers to business continuity and disaster recovery
practices, but today’s threat landscape bears little resemblance to the one
for which most traditional approaches were designed. Cyber incidents such
as ransomware and SQL injection attacks are now increasingly commonplace,
leaving numerous organizations exposed and without updated plans for
recovery.

Many businesses need new ways to stay secure, vigilant, and resilient in
this digital era. Ironically, a potentially useful tool toward that end is
one of the oldest concepts in information security: the CIA triad
<https://en.wikipedia.org/wiki/Information_security#Key_concepts>.

Three Fundamental Goals

The *CIA* in the classic triad stands for confidentiality, integrity, and
availability—all of which are generally considered core goals of any
security approach. Today, the model can be used to help uncover the
shortcomings inherent in traditional disaster recovery plans and design new
approaches for improved business resilience
<https://deloitte.wsj.com/cio/2018/10/07/quantum-dawn-iv-building-resilience-in-financial-services/>.

Confidentiality. A loss of confidentiality means sensitive information or
systems have potentially been accessed or stolen by unauthorized bad
actors. This may include intellectual property, personally identifiable
information, or protected health information, breaches of which can result
in significant fines. Once discovered, it is often difficult to weigh the
financial impacts of shutting down critical revenue-generating systems
against the effects of ongoing malicious activity. For that reason, many
organizations believe they have no choice but to turn off these
applications and services with little to no warning.

Existing recovery practices typically don’t incorporate a process for
gracefully shutting down breached environments. In the meantime,
investigating, removing, and then certifying services as ready for
reintroduction into the network can take a long time, often leaving
businesses struggling to cope. Customers, meanwhile, are left to their own
devices to find replacement products and services.

One leading approach can be to develop a rapid impact analysis process that
details the decision-making procedure, stakeholders, authorities, and
information sources to be included in planning the graceful shutdown of
critical services. It considers the effects of system isolation and
shutdown while exploring additional potential remediation activities. The
intent is to enhance the ability to conduct scenario planning while
estimating and reducing the impact of shutting down key services before
action is taken. The challenge is to limit engagement to a select few
decision-makers and balance the consideration of impacts with the need for
quick action. As with any cyber incident, avoiding analysis paralysis is
critical.

Integrity. Cyberattacks continue to evolve, and criminals are increasingly
using integrity-based attacks such as ransomware
<https://deloitte.wsj.com/cio/2017/11/03/prepare-for-ransomware-wannacry-petya-and-beyond/>
as a way of disrupting businesses. For bad actors, these are a lucrative
business: The WannaCry attacks of 2017, for instance, are estimated
<https://www.csoonline.com/article/3196400/data-breach/wannacry-fallout-the-worst-is-yet-to-come-experts-say.html>
to have cost companies roughly $10 million in ransom. Little wonder that
ransomware attacks grew by over 400 percent
<https://gb.press.f-secure.com/2018/05/02/ransomware-gold-rush-looks-finished-but-threat-remains/>
in volume that year.

Ransomware is lucrative because it is effective; it is effective because
redundant backup solutions are a widespread component of many recovery
programs. But whereas backup systems are typically designed to protect
against a physical event, ransomware attacks the integrity of a company’s
computer system, not its physical operation. Backup systems are affected
along with production environments, essentially transforming them into a
cyber liability. The more aggressive the replication they use, the quicker
the attack is propagated, leaving backups corrupted.

In response, many leading companies are now employing air-gapped data
vaults for recovery from such attacks. These off-network, clean areas are
used to securely pull and retain multiple copies of critical data,
applications, and core services. By ensuring that production environments
do not connect directly to them, organizations can keep their recovery
systems safe and get back to business more quickly.

Availability. Finally, availability is the core focus of many traditional
recovery and continuity practices, which emerged primarily to preserve it
when a physical outage occurs. The two most frequently used metrics are
recovery time objective, which measures the loss of processing ability, and
recovery point objective, which measures the loss of data. The goal is to
determine an acceptable amount of loss and then design solutions that
ensure recovery within that guideline.
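The two points above, that a synchronously replicated backup inherits a ransomware event as fast as it replicates while a pull-based vault keeps earlier copies, and that the recovery point objective is really the data written between the last clean copy and the incident, can be illustrated with a small model. This is an added example, not code from the article or from Deloitte; the file format (a `RECORD:` marker), the tick-based timeline and the `simulate` helper are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass, field

MAGIC = b"RECORD:"  # constructed format: every intact file starts with this marker

def is_intact(content: bytes) -> bool:
    """Integrity check a vault runs before it trusts a copy for restore."""
    return content.startswith(MAGIC)

@dataclass
class Store:
    files: dict = field(default_factory=dict)  # name -> bytes

    def intact_count(self) -> int:
        return sum(is_intact(c) for c in self.files.values())

def replicate(src: Store, dst: Store) -> None:
    """Mirror-style replication: the backup follows production immediately,
    so it faithfully copies encrypted files too."""
    dst.files = dict(src.files)

class Vault:
    """Off-network vault: pulls point-in-time copies and never overwrites them."""
    def __init__(self):
        self.snapshots = []  # list of (tick, files)

    def pull(self, tick: int, src: Store) -> None:
        self.snapshots.append((tick, dict(src.files)))

    def latest_clean(self):
        """Newest snapshot in which every file passes the integrity check."""
        for tick, files in reversed(self.snapshots):
            if all(is_intact(c) for c in files.values()):
                return tick, files
        return None

def simulate(pull_interval: int, attack_tick: int, ticks: int = 10) -> dict:
    """One record is written per tick; ransomware hits production at attack_tick."""
    prod, mirror, vault = Store(), Store(), Vault()
    for t in range(ticks):
        prod.files[f"orders-{t}.txt"] = MAGIC + b" batch %d" % t
        if t >= attack_tick:  # everything on production is overwritten with ciphertext
            for name in list(prod.files):
                prod.files[name] = b"ENC:" + hashlib.sha256(prod.files[name]).digest()
        replicate(prod, mirror)        # the mirror is hit on the same tick
        if t % pull_interval == 0:     # the vault pulls on its own schedule
            vault.pull(t, prod)
    clean = vault.latest_clean()
    return {"mirror_intact": mirror.intact_count(),
            "vault_clean_tick": clean[0] if clean else None,
            # records that existed before the attack but are missing from the clean copy
            "records_lost": (attack_tick - 1 - clean[0]) if clean else attack_tick}
```

With a pull every three ticks and an attack at tick 8, the mirror holds no intact file, the vault's newest clean copy is from tick 6, and one record written in between is the realised recovery point loss; shortening the pull interval drives that loss toward zero.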

One common problem is that this approach assumes recovery can begin
immediately or shortly after the disruption occurs. In fact, cyberattacks
must typically be investigated before recovery efforts can begin; in the
meantime, critical applications and business data may be unavailable and
unable to be recovered. Existing continuity solutions often rely on manual
workarounds to sustain the business while it works toward recovery, but as
time drags on over the course of extended cyber-incident response and
investigation periods, fatal flaws (unsustainable work schedules, for
example) often emerge.

One tactic that can help is pivoting from detailed workaround procedures to
agile solutions and processes that instead tap the creativity and ingenuity
of employees. Rather than relying on scripted actions, workers can be
empowered to navigate a variety of potential cyberattack scenarios using
decision support systems that provide a framework for effective
decision-making. Coupled with the use of automation and flexible computing
capabilities, these systems can equip employees with the tools to transform
and sustain affected areas of the business. Practicing through cyber
war-gaming exercises can further promote refinement of the processes and
technologies while giving employees the confidence they need to take
decisive action in serving customers through all phases of a real
cyberattack.

*****

The threats facing organizations’ systems and data today are a far cry from
those of yesteryear, and traditional recovery processes often can’t keep
up. By examining their current approach through the lens of the classic CIA
triad and then modernizing accordingly to preserve confidentiality,
integrity, and availability, CIOs and other leaders can help their
companies stay secure, vigilant, and resilient in the face of today’s
ever-evolving cyber risks.