03 June 2014
Businesses are still addressing cyber issues as they arise rather than anticipating risks and ensuring safeguards are in place
Cyber security encompasses a range of safeguards that defend businesses against threats from anonymous assailants, rival organisations or foreign governments attempting to infiltrate systems, disrupt business or steal information.
With the engrained use of technology in everyday business, cyber risk is now a significant part of organisations’ risk profile. The key difference with this type of risk is that the landscape changes more rapidly than any other part of the business. It is no longer viable to put standard controls and safeguards in place and think that the organisation is covered.
This has been affirmed in stories that appear frequently in the media about businesses losing customer account details and confidential information being leaked. The ‘industry’ of cyber hacking has become so widespread that black markets have emerged, which trade in user credentials, credit card numbers and compromised computers to form ‘botnets’.
Even with all external access locked down, secured and encrypted, every employee, contractor or visitor has the potential to harvest data from an organisation’s systems. This has been made even easier by smart phones, tablets, Wi-Fi connections and bring your own device (BYOD) culture.
For most companies, the information may not be interesting enough to cause a Snowden-like incident, but a breach can nevertheless cause significant commercial, legal, regulatory or reputational damage to the business.
Although it is generally viruses and malware that grab headlines, a well-marketed discovery by security firm Codenomicon has made the ‘Heartbleed’ bug a visible example of why vigilance in cyber security is so important.
The Heartbleed bug affects OpenSSL, a popular open source implementation of SSL. Before the bug was announced, few managers would have known whether their organisation had any web-facing servers securing connections with OpenSSL. With a robust risk and analytics system, that information would have been available immediately. Enhancing this with automated alerts means that organisations would be notified at once of the assets at risk.
This bug is particularly severe because it allows an attacker to read data from the server's memory, retrieving information not only about other users but also the private keys used to encrypt the information in the first place. Even though a fix has been released, the complete remedy requires replacing these keys, at a cost, in case they have been compromised. Given that the bug was silently present in systems for two years, it is unknown whether attackers had found and exploited it before Codenomicon's discovery.
After initially high estimates of Heartbleed affecting up to two-thirds of all web sites, Netcraft responded that the figure was more likely around 500,000 servers, given that not all capable servers were using OpenSSL. This is still a significant number and has no doubt led to panicked conversations between management, IT and service providers, which have in turn prompted reviews of organisations' cyber risk safeguards.
Heartbleed does not directly affect Windows-based servers, but larger Windows users face the additional problem that Microsoft ended free support for its popular Windows XP on 7 April 2014.
Windows XP is now 13 years old and its longevity is a sign of its current stability. Microsoft estimates that up to 25% of all Windows machines use XP. The fact that this number has not significantly changed since a year ago, when the date for the end of support was officially announced, means many private and business users have failed to react to or don’t understand the increased risks.
Just as the Heartbleed bug took two years to discover before being fixed, something similar could happen to XP, but now there is no possibility of remedy unless customers are signed up for paid updates.
When organisations fail to plan effectively for technology changes, cyber risks increase significantly. Solid strategic planning is required, and information is the key to the efficacy of the strategy. An effective cyber security risk management methodology identifies the organisation's key assets and the long-term impacts a compromise of each would have on it.
Any plan to address issues should be approached with three key things in mind – strategy, information and analytics.
A clear strategy and commitment by senior management is essential. Cyber security need not be a daily concern for management if the right frameworks, people and systems are in place.
Sound principles of IT and information security are a good starting point, and although certifiable security standards such as ISO 27001 may not be for everyone, they should be considered as part of any business' overarching framework. The journey required for this accreditation is one any organisation can take advantage of, because it encourages the planning and construction of a robust methodology and framework for managing all the systems, people and processes involved. Documenting the framework brings the benefits of transparency and immediacy across the organisation. Knowing the risks the business faces, the measures already in place to reduce them and what could be done to improve areas of exposure means that senior managers can act more effectively.
For example, full details of the organisation’s assets can provide critical information for potential cyber risks. A server with a low residual financial value appearing to be at the end of its useful life may in fact play a very significant role, such as securing all traffic between the business and its customers. By properly documenting this server – why it is there, what software packages it uses and who has technical knowledge about it – the business will be fully prepared to leverage the information immediately and assess vulnerability when the next Heartbleed comes along.
Knowing why and how a process happens, and where the responsibility and knowledge lie in the organisation, enables effective planning for a crisis.
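As an illustration of the documented asset register with automated alerts described above, here is a small Python check added for this edition of the article; it is not code from the author or from Wynyard Group. It runs over a constructed inventory (the hostnames, roles, owners and OpenSSL versions are made up) and flags hosts whose OpenSSL version falls in the Heartbleed-affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g) or whose operating system is past its vendor support date. The Windows XP end-of-support date is the one the article gives; Internet-facing assets are listed first so the most exposed systems head the alert list.

```python
"""Asset-register check of the kind the article describes.

Added, constructed example: the inventory below is not a real estate,
and the checks stand in for whatever a real risk/analytics system would
run against its asset database.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Publication date of the article, used as "today" when run stand-alone.
ARTICLE_DATE = date(2014, 6, 3)

# Vendor end-of-support dates keyed by OS name.  Windows XP's date is the
# one quoted in the article; a real register would hold many more entries.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 7),
}

# OpenSSL releases affected by Heartbleed: 1.0.1 up to and including
# 1.0.1f.  1.0.1g and later, and the 1.0.0/0.9.8 branches, are not.
HEARTBLEED_FIRST = (1, 0, 1, "")
HEARTBLEED_LAST = (1, 0, 1, "f")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


@dataclass
class Asset:
    hostname: str
    role: str                      # why the server exists
    owner: str                     # who holds the technical knowledge
    os: str
    openssl: Optional[str] = None  # as reported by `openssl version`, or None
    internet_facing: bool = False


def parse_openssl_version(version: str) -> Tuple[int, int, int, str]:
    """Turn '1.0.1f' into a comparable tuple (1, 0, 1, 'f').

    OpenSSL 1.0.x patch releases differ only by a letter suffix, so the
    suffix has to take part in the comparison ('' sorts before 'a').
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def heartbleed_affected(version: str) -> bool:
    """True if the upstream version number lies in the affected range.

    Caveat: distributions often backport fixes without changing the
    upstream version, so a hit here is a triage signal to be confirmed
    against package metadata, not a final verdict.
    """
    return HEARTBLEED_FIRST <= parse_openssl_version(version) <= HEARTBLEED_LAST


def unsupported_os(os_name: str, today: date) -> bool:
    """True if the OS is in the register and its support date has passed."""
    eos = END_OF_SUPPORT.get(os_name)
    return eos is not None and today >= eos


def assess(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Return (hostname, finding) pairs, Internet-facing assets first."""
    findings = []
    for a in assets:
        if a.openssl and heartbleed_affected(a.openssl):
            findings.append((a, f"OpenSSL {a.openssl} in Heartbleed range: "
                                f"patch, then replace keys and certificates"))
        if unsupported_os(a.os, today):
            findings.append((a, f"{a.os} out of vendor support since "
                                f"{END_OF_SUPPORT[a.os].isoformat()}"))
    # Highest exposure first, then by hostname for a stable report.
    findings.sort(key=lambda f: (not f[0].internet_facing, f[0].hostname))
    return [(a.hostname, msg) for a, msg in findings]


# Constructed inventory; none of these hosts exist.
INVENTORY = [
    Asset("edge-tls-01", "terminates customer HTTPS", "net-team",
          "Ubuntu 12.04", "1.0.1", internet_facing=True),
    Asset("intranet-01", "internal wiki", "it-ops", "Ubuntu 12.04", "1.0.1g"),
    Asset("old-kiosk-07", "warehouse label printer PC", "facilities", "Windows XP"),
    Asset("build-02", "CI runner", "dev-team", "Debian 7", "1.0.1e"),
]


if __name__ == "__main__":
    for host, msg in assess(INVENTORY, ARTICLE_DATE):
        print(f"{host}: {msg}")
```

Run stand-alone, the report lists the Internet-facing edge-tls-01 first, then build-02 and old-kiosk-07; intranet-01, already on 1.0.1g, is silent. The point of keeping role and owner alongside the version is the one the article makes: when the alert fires, the register already says what the host is for and who can act on it.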
Extracting key data
Information gathering is a large part of the improvement process for an organisation’s risk assessment strategy and does take some management. This can be supported by specialist software which helps to identify, sort, link and analyse all the information in an organisation.
Many organisations rely on static documents to store information; however, given the rate of change and the amount of information available to be gathered, these quickly become out of date and inefficient to maintain. IT departments log vast amounts of information every day, from vulnerability scans to access logs, errors and system warnings. When presented with an overwhelming amount of information, it becomes extremely difficult to work through and almost impossible to apply proactively.
The unique problem that businesses face today is not gathering data to assess, but extracting the key information from it in a timely fashion. In the face of so much material, many businesses only use these trails of information when something goes wrong and they are looking for accountability and links of causation. Effective analysis of this data can provide an additional layer of risk management, particularly for cyber security issues. Adding an analytics element to a risk management framework allows businesses to extract relevant information from the raw data so that critical areas of concern can be reviewed before risks eventuate. Further analysis can subsequently feed back into the overall improvement of the risk management strategy.
This proactive three-pronged approach to risk management is the most effective way to protect a business against cyber risks. The potentially far-reaching consequences of events such as the discovery of Heartbleed and Microsoft’s end of support for XP can be significantly reduced, if not avoided altogether, if effective risk management methodology is in place.
Paul Stokes is Chief Operating Officer of Wynyard Group