BreachExchange mailing list archives

CIOs at the heart of tackling cyber vulnerabilities


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 7 Apr 2014 18:41:36 -0600

http://www.cio.co.uk/insight/security/cios-at-heart-of-tackling-cyber-vulnerabilities/

Cyber security is edging up boardroom agendas, as senior executives
increasingly recognise the serious operational, financial and reputational
impact a data breach may inflict on an organisation. From the Bank of England's
Operation Waking Shark 2, which aimed to expose vulnerabilities in the
City's critical infrastructure, to the launch of a Government-backed
national Computer Emergency Response Team (CERT), a mainstay of its £650
million National Cyber Security Strategy, the battle against cybercrime is
being fought on multiple fronts.

It is a battle in which CIOs have a crucial role to play. Organisations are
seeking greater preparedness but the approach to tackling such
vulnerabilities requires equal measures of prevention and preparation for a
response - to use a real world analogy, corporates need to take steps to
prevent a fire, as well as prepare to deal with a conflagration.

A key step is one that sounds simple, but is all too rarely done: conduct
an audit of the IT and physical security system. A security assessment,
like a financial audit, should be carried out by an outside team without a
stake in the existing IT infrastructure. The team will be looking to
understand the organisation's threat profile and vulnerabilities.

Organisations should determine in advance of an incident what the chain of
command will be for the incident response team. A specific executive should
be nominated to lead the internal team and the external lawyers and IT
consultants should be designated in advance.

However, as with any security system, there is no fool-proof way to prevent
a cyber attack and preparing a response strategy is essential. A greater
focus is, therefore, required on how such threats can be tackled more
effectively.

After a hacking is discovered, one immediate goal of the team will be to
determine whether to notify law enforcement. This is not a simple decision.
A hacking or data breach may require a different response compared to other
types of crime. In particular, incidents triggered by outsiders are likely
to present a much steeper challenge to law enforcement, as the perpetrators
could be thousands of miles away and using proxy servers to hide both their
location and identity, greatly limiting law enforcement's effectiveness.

Moreover, law enforcement will have trouble determining the scope of the
incident - what was actually taken - without detailed knowledge of the
corporate IT infrastructure. Most businesses prefer to avoid giving law
enforcement the necessary level of unfettered access to their networks,
which is required for them to conduct the investigation.

In my experience, most companies faced with this situation conduct a
private investigation before notifying law enforcement, with three factors
often driving this decision:

1. Sophisticated computer hackers rarely advertise their presence. As
initial evidence may be confusing or hard to interpret, it is not always
immediately clear whether any laws have been broken.

2. Hackers do not leave detailed lists of what they stole. Only painstaking
reconstruction of a hacker's activities through sophisticated computer
forensics can determine the scope of the offence. This forensic examination
requires nearly unlimited access to secret corporate data and restricted
networks, which most organisations do not want to grant to law enforcement,
unless legally required.

3. It is much easier to control the public relations and communications
strategy if the extent of the problem is known before going public. By
handing the investigation over to the authorities, control over the timing
and content of any public notification would be lost. This could prove a
public relations disaster, especially since the public often blames the
corporate victim for failing to prevent the incident, regardless of the
facts.

Cyber risks are likely to escalate in a hyperconnected world and CIOs must
work with fellow executives to develop a strategy to mitigate such threats.
This requires a well-developed and regularly tested rapid response plan,
ready for activation at the first signs of a breach.