Cyber Security: Designing and Maintaining Resilience



White paper presented by:
Georgia Tech Research Institute, Cyber Technology and Information Security Laboratory

Dr. George A. Wright, Chief Engineer
Terrye N. Schaetzel, Senior Research Engineer

The Landscape

Our world is increasingly connected through sophisticated networks, internet portals for commerce, mobile devices, tablets, and other innovative tools that provide opportunities for economic growth, innovation, and convenience. As businesses, governments, and individuals become more reliant on these connections, valued assets become more accessible, and cyber security threats multiply.

Cyber security breaches have broad impact:

o Consumers are subject to personal identity theft, fraud, and inferior counterfeit or pirated goods.
o Businesses risk losing intellectual property, corporate secrets, the value brought by new innovations, reputation, and revenue through espionage and breaches.
o For a nation's broader economy, business and individual losses reduce GDP, slow economic growth and innovation, and shrink the tax base.
o For governments, espionage and cyber attacks threaten national security and diplomatic relations.
o Critical infrastructure that provides water, power, food supply, and healthcare is becoming a more attractive target for attacks.

Interpol recently estimated that corporate cyber espionage alone has cost businesses more than 1 trillion USD (1).

Cyber criminals are more sophisticated, more targeted, and better funded than ever, and crime follows monetization opportunities. There is an emerging correlation between the size of an organization and the type of data targeted. Credit card payment data and authentication credentials are the typical targets within smaller organizations, while data of strategic significance, such as trade secrets and other intellectual property, is a growing target within larger organizations (2). On the other hand, the cost or risk of engaging in cyber crime is often very low relative to the pay-off. Attribution and chain-of-custody issues make prosecution by law enforcement difficult.
In some cases, even when criminals are prosecuted successfully, the penalties are not significant enough to be a deterrent.

The Challenge

No matter what strategy is adopted, breaches will occur. It is nearly impossible to take advantage of our connectedness without being at risk. Defensive technologies such as firewalls, passwords, encryption, physical barriers, and authentication mechanisms are important to maintain, but alone they have not been effective in eliminating breaches or predicting where the next attack will occur. Their value as stand-alone security measures will be limited in fighting increasingly sophisticated, innovative, and well-funded cyber criminals. The emerging challenge is to find more predictive methods of identifying threats, mitigating their impact, and managing an agile cyber security operation that will both creatively and effectively maintain protection. In tackling that challenge, it is important to recognize that:

o It is not economical to protect every piece of data and every asset to the same extent.
o A balance between the right to privacy and the need to protect nations, enterprises, and individuals from intrusions must be negotiated.
o Attribution and severe penalties for cyber crime must be more uniformly realized within the multi-national community.

The challenge is great and requires fresh ways to blend people, processes, technology, and shared data to protect societies from emerging threats to security.

Designing a Resilient Enterprise

What is resilience? Merriam-Webster's dictionary defines resilience (3) as:

o the capability of a strained body to recover its size and shape after deformation caused especially by compressive stress
o an ability to recover from or adjust easily to misfortune or change

For any individual or organization to thrive over a sustained period, some level of resilience is required. How does one build resilience in a rapidly changing environment where emerging threats are taking on increasing sophistication and severity?

Premise one: Cyber security should be viewed and managed as a strategic activity that impacts the enterprise's most valued assets.

In this discussion, an enterprise is defined as a unit of organization or activity, so a company, business, government entity, or not-for-profit organization may be an enterprise. Every enterprise has a mission and a need to maximize results towards that mission, whether it is social, economic, diplomatic, or otherwise.
Strategic activities within the enterprise align with that mission to facilitate its success. Cyber security is one of those strategic activities and should be managed holistically, as its effectiveness broadly impacts the enterprise's ability to carry out its mission. It impacts how we interact with customers, design new products, market services, manage operations, and set policies. It impacts the loyalty of those on whom we rely. In a recent consumer privacy study conducted by PWC (4), 61% of respondents said they would stop using a company's products or services after a breach. The impact is real and immediate.

Findings from a recent survey conducted by IBM (5) indicated that the organizations most able to handle or avoid security breaches shared some characteristics:

o Security leaders had a strategic voice in the enterprise;
o Cyber security was viewed not as an IT issue but as an enterprise-wide responsibility;
o Security budgets were managed at a senior level;
o Security was considered early in the design of new products and services;
o Measurement and accountability were part of the security design;
o A culture of proactively protecting the enterprise existed.

As a strategic decision, cyber security becomes the charge of the enterprise as a whole and is considered through a risk-versus-investment lens rather than simply as a technology purchase. Organizations typically do not have the resources to protect every asset, and some assets do not warrant as much protection as others. At the same time, organizations cannot afford to take an ad hoc approach to security. A holistic systems approach is useful for creating an analysis and decision-making framework for addressing this complex problem. Using this method, the enterprise identifies its most valued assets, prioritizes their importance, identifies where each is vulnerable, and then designs a plan to achieve the greatest protection for the most valued assets given the available level of investment. This method forces trade-offs to be made based on the mission and strategy. Priorities established at the enterprise level allow for a more coordinated, resilient protection plan.

Premise two: Designs and plans for cyber security should be data driven, to move from reactive to predictive responses. Shared intelligence among countries and organizations is critical.

Understanding the nature of any risk one faces is the first step towards mitigating that risk.
Currently, a number of tools are available for gathering data on attempted and successful intrusions, malware (types, formats, and frequencies), network activity and patterns, and so on. The amount of data collected quickly becomes voluminous, so its true value in predicting future threats comes from real-time analysis and correlation of large data sets.

The Titan malware analysis system developed by the Georgia Tech Research Institute (GTRI) is an example of such a tool. Titan analyzes approximately 100,000 unique malware samples per day, ranging over the entire spectrum of threat severity levels. These samples are analyzed, and the resulting data are used to determine the nature and behavior of these threats on both a sample-by-sample and an aggregate level. This volume of threat data is collected from numerous organizations worldwide in an anonymous manner. Anonymity protects participating organizations and facilitates the development of shared threat intelligence. Titan extracts information about malware based on network information gathered from malware samples that have been run in the Titan automated virtual environment. Such information provides insight into typical hosting patterns for various malware resources. According to data gathered from recent malware samples, significant hosting locations include the United States, Russia, and China, as well as many developed and developing Western countries (see Figure 1).

Figure 1: Geolocation of destination IP addresses which malware samples accessed during recent runs in the Titan automated virtual environment.

Most organizations collect data internally, representing one data source. Increasingly, organizations are combining their selected data with that of other trusted public and private sources, discovering that the predictive value of broader-based data analytics increases substantially. As the Titan example demonstrates, analysis of larger data sets reveals correlations and patterns of current threats that a single source simply cannot. Additionally, it allows emerging threat vectors and command-and-control mechanisms to be quickly identified so that each participating organization may adjust its security measures to mitigate these threats and protect precious assets.

This collaborative approach to sharing data has barriers to overcome:

1. It is human nature to hide vulnerabilities rather than to reveal them. Demonstrating the specific value derived from sharing security data may garner participation.
2. Each nation has laws governing disclosure of data breaches and, as is to be expected, laws are not consistent between nations. For example, United States law requires organizations to disclose certain data breaches, but laws in many European countries do not require such disclosure (6). What may be acceptable and expected disclosure in one country may not be so in another, creating another barrier to sharing data between countries.
3. A level of distrust may exist among those considering collaboration, who fear that shared data may expose trade secrets and that revealed vulnerabilities may diminish their reputation. Understanding the qualifications of collaborators will influence an entity's willingness to share data.
4. The balance of privacy and disclosure is difficult to navigate.

For these reasons, the concept of gaining additional protection by sharing vulnerabilities may seem counter-intuitive, but it offers significant promise for the future. The same concepts may be applied at an international level. Trans-Atlantic data sharing between governmental security and law enforcement agencies provides opportunities for more robust threat intelligence, greater protection, and more collaboration in mitigating attacks.

The Titan example, where 100,000 malware samples amass daily, also demonstrates that data collection, storage, and analysis quickly become voluminous. Big data offers a wealth of opportunities as sophisticated analytics improve decision-making. At the same time, technological investment is required to store data, ensure its quality and integrity, and turn it into usable information in real time. Research currently being conducted on handling big data will play a pivotal role in cyber security.

Whether using one or multiple sources of data, the most value is derived from real-time analysis. Furthermore, analyses that differentiate targeted attacks from botnets and other threats are key in cyber operations. Much research is being conducted on effective visualization techniques that convert many disparate sources of data into one readily comprehensible presentation. This is a fundamental requirement for daily cyber operations staff to make use of valuable analysis: only when data is converted into actionable information can it be used to improve protection.

Maintaining Enterprise Resilience

Once priorities are set and investment decisions are made, the cyber security operations structure must be able to effectively implement and administer protection plans.
Agility and flexibility are hallmarks of an effective cyber security operation, meeting daily demands while addressing vulnerabilities and emerging threats.

Premise three: The cyber security operations structure should be agile and flexible, adjusting to the most recent data collected on emerging threats.

An agile organization is able to provide the right people with the right information at the right time to manage daily activities and remain vigilant. The following factors contribute to agility by blending people, processes, technology, and data:

o Easy access to real-time, actionable security data;
o Flexible technology design, where networks may be segmented and easily reconfigured based on threats or intrusions;
o Clearly defined roles and responsibilities for security administrators, so that individuals understand job requirements and workflows;
o Methods for overcoming bureaucracy through appropriate decision-making authority, allowing individuals to implement some decisions locally while escalating others appropriately;
o An up-to-date incident response plan;
o A mechanism for implementing security changes based on new data;
o A culture of innovation, cooperation, and responsibility.

Policies, compliance standards, workflows, and established processes guide daily operations. But real-time, actionable data will drive security operations decisions in a resilient enterprise. The advanced data visualization techniques mentioned previously allow administrators to monitor daily activities while recognizing the nuances of abnormal behavior. If an abnormality is detected, a flexible network design allows the administrator to respond quickly, limiting potential damage by segmenting and reconfiguring the impacted portions of the network based on the characteristics of the intrusion.

Some organizations have built their own Information Security Operations Centers (ISOCs) to serve as mission control for defending their networks. ISOCs typically employ professional staff trained to use data collection tools to quickly diagnose and respond to abnormal activity. They provide a line of defense for the organization while also using tools to predict new threats. The Georgia Tech Research Institute's ISOC also serves as an incubator for prototyping new technologies to address emerging cyber threats and to share threat data.

Speed of detection and response is critical when trying to limit the damage caused by a breach. When a problem is detected, defined operational workflows, clear roles and responsibilities, policies, decision-making authority, and adequate training guide an administrator's response.
Research indicates that organizations with well-defined incident response plans are better able to respond effectively to a breach. Plans outline procedures for minimizing damage or loss, collecting data on the incident, preserving evidence, mitigating the vulnerability on a temporary or permanent basis, and communicating the incident within the organization. Both NIST and ENISA provide guidance on creating effective incident response plans (7, 8).

Updating security plans is a continuous process. Internal and external data sources provide a wealth of information for the enterprise to remain predictive and aware of the new, sophisticated techniques employed by cyber criminals. An ever-changing security plan incorporates innovative techniques and tools to reduce exploitation opportunities. Security professionals must stay current, updating certifications and skill sets, to effectively maintain this pace of change.
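The two data-driven steps described above, Titan-style aggregation of sandbox network indicators across anonymous contributors (Premise two) and turning that shared data into a local security change (Premise three), can be made concrete in a small script. The following Python is an added illustration written for this page; it is not GTRI or Titan code. The sandbox reports, the geolocation prefix table, the keyed-pseudonym scheme for contributors, the aggregator key, and the local firewall log lines are all constructed for the example, and the paper does not specify how Titan anonymizes contributors or how participants match shared indicators against their own logs. The point it makes is the one in the text: an indicator contacted by samples from several independent contributors is something no single contributor can recognize from its own data.

```python
"""Added example: aggregate sandbox network indicators across pseudonymous
contributors, then match the shared indicators against local logs.
All data is constructed for illustration; this is not GTRI/Titan code."""
import hmac
import hashlib
import ipaddress
from collections import defaultdict

# Constructed /24 -> country table standing in for a real geolocation database.
GEO_PREFIXES = {
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "RU",
    "192.0.2.0/24": "CN",
}


def geolocate(ip):
    """Country code for ip from the constructed prefix table, or '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"


def pseudonym(contributor, key):
    """Keyed pseudonym so the shared data set can count distinct contributors
    without naming them. Assumed scheme: the paper does not specify one."""
    return hmac.new(key, contributor.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed sandbox reports: one per sample, listing the destinations the
# sample contacted while running in an automated virtual environment.
REPORTS = [
    {"contributor": "acme-bank", "sample": "a1", "contacted": ["203.0.113.7", "198.51.100.20"]},
    {"contributor": "acme-bank", "sample": "a2", "contacted": ["203.0.113.7"]},
    {"contributor": "globex-health", "sample": "g1", "contacted": ["203.0.113.7"]},
    {"contributor": "initech", "sample": "i1", "contacted": ["192.0.2.9"]},
    {"contributor": "initech", "sample": "i2", "contacted": ["198.51.100.20", "192.0.2.9"]},
]


def aggregate(reports, key):
    """Per destination: distinct samples, distinct pseudonymous contributors, country."""
    agg = defaultdict(lambda: {"samples": set(), "contributors": set(), "country": None})
    for r in reports:
        who = pseudonym(r["contributor"], key)
        for ip in r["contacted"]:
            entry = agg[ip]
            entry["samples"].add(r["sample"])
            entry["contributors"].add(who)
            entry["country"] = geolocate(ip)
    return dict(agg)


def shared_indicators(agg, min_contributors=2):
    """Destinations seen by at least min_contributors distinct contributors.
    Sample count alone is not the test: 192.0.2.9 below has two samples but
    one contributor, so a single organization would see it as its own problem."""
    return {ip for ip, e in agg.items() if len(e["contributors"]) >= min_contributors}


def country_counts(agg):
    """Samples per hosting country, the aggregate view behind a Figure 1 style map."""
    counts = defaultdict(int)
    for e in agg.values():
        counts[e["country"]] += len(e["samples"])
    return dict(counts)


def match_local_logs(log_lines, indicators):
    """(timestamp, src, dst) for local connections to shared indicators.
    Log format is constructed: 'timestamp src_ip dst_ip'."""
    hits = []
    for line in log_lines:
        ts, src, dst = line.split()
        if dst in indicators:
            hits.append((ts, src, dst))
    return hits


# Constructed local firewall log lines for one participating organization.
LOCAL_LOG = [
    "2013-04-02T09:14:05Z 10.0.5.21 198.51.100.20",
    "2013-04-02T09:14:09Z 10.0.5.21 93.184.216.34",
    "2013-04-02T09:15:41Z 10.0.7.3 203.0.113.7",
]

if __name__ == "__main__":
    key = b"aggregator-secret"  # assumed: held only by the aggregator
    agg = aggregate(REPORTS, key)
    shared = shared_indicators(agg)
    print("shared indicators:", sorted(shared))
    print("samples by hosting country:", country_counts(agg))
    for hit in match_local_logs(LOCAL_LOG, shared):
        print("ALERT local host contacted shared indicator:", hit)
```

In this constructed data set, 203.0.113.7 and 198.51.100.20 are each contacted by samples from two different contributors and so become shared indicators, while 192.0.2.9 is seen only by one contributor and stays below the threshold. The local log match then turns the shared list into the kind of actionable output the text calls for: two alerts a participating organization can act on, with the contributor pseudonyms never leaving the aggregator.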

Premise four: Create a culture of responsibility for security.

Cyber security is the responsibility of the enterprise rather than of a single team. As such, it is vital to build a culture that supports compliance with security standards and teaches its members how to recognize abnormal behavior (e.g., phishing attacks). Furthermore, organizations must reward participation in security programs (9). People are the eyes and ears of daily operations, providing broad situational awareness and proactive protection at all levels of the enterprise.

This responsibility extends to governments, law enforcement agencies, and societies as well. The missing links in the chain of responsibility often involve attribution of criminal activity to an individual or group and the resulting prosecution and penalties for these crimes. The nature of the internet makes it difficult to identify who is behind an attack. If the attacker is identified, law enforcement often has limited resources to direct towards prosecution, and laws often do not match penalties with the severity of the crime. Until both are addressed, cyber criminals have few reasons to curtail their activities.

Recommendations

Despite our efforts, cyber crime will continue. However, innovative approaches to this complex problem will enable us to predict emerging threats, better protect our economies and citizens, and minimize the damage from cyber attacks. These recommendations provide guidance for designing and maintaining enterprise resilience:

- Elevate cyber security to a strategic role, as it impacts the enterprise's most valued assets.
  o Consider cyber security as a risk-versus-investment decision, not simply a technology purchase.
- Achieve a greater level of protection by sharing data with trusted partners in industry, in government, and across borders.
- Allow real-time data to be the driver for building and adapting security strategies.
  o Design operational workflows and procedures to support these decisions.
  o Design flexible, resilient networks that quickly adapt to new threats.
- Create a culture of widespread responsibility for cyber security.
- Balance privacy and protection when drafting security policies.
  o Keep front of mind both the privacy rights and the expectations of protection of those the enterprise serves.

Policy Implications and Incentives

Creating policy to mitigate cyber threats while preserving privacy and limiting government intervention to a comfortable level is a tricky balancing act. But there are opportunities to influence future preparedness through forward-thinking policy development.

Investment in Innovation: Investment will be a critical step in maintaining security and competitiveness on a global scale while limiting damage from espionage and other cyber criminal activity. The following areas are important targets for investment, as their correlation with threat prediction, rapid detection, and damage control makes them especially valuable opportunities:

o Real-time threat detection and data analysis tools: many tools exist today, but their level of sophistication and widespread adoption must continue to grow to provide more comprehensive protection.
o Big data: to effectively compile and correlate large volumes of data, new technologies and algorithms will be required.
o Visualization tools: related to the big data opportunities are visualization techniques, creative visual presentations of data that quickly differentiate warning signs from normal operating behavior.
o Emerging technologies that contribute to resilience, more robust protection, and attribution of cyber crimes.

Data Sharing: As real-time data analysis for decision-making is a pillar of future cyber security strategies, breaking down barriers to security data sharing among trusted partners is a necessary next step in predicting and mitigating emerging threats. Policies may provide incentives for participation, define disclosure boundaries and rules of engagement between enterprises and nations, and encourage and create networks of trusted partners. Governments may choose merely to facilitate such activities, as policy and funding issues may limit taking on a more direct leadership role. Diplomatic policies that encourage trans-Atlantic data sharing and cooperation will allow partnering nations to better leverage limited resources while achieving greater protection. The internet is designed to be borderless. Policies that allow for intelligence sharing across borders are critical.

Law Enforcement: Laws governing cyber crime and the resources to prosecute criminals are inadequate to address the attacker's sophistication and the damage caused. Many agencies, such as the FBI and Europol, appropriately focus their priorities on child protection, terrorism, and counter-intelligence, with limited budgets to achieve their missions. However, the loss of industry's intellectual property and trade secrets will also have a lasting and severe economic impact on these nations. Future policies should focus on:

o Revised laws to match the penalties imposed with the damage from criminal activity;
o Additional resources to fight cyber crime that impacts economic sustainability.

Developing an Educated Cyber Workforce: The need for skilled professionals and technicians to address cyber security continues to grow. However, demand for these individuals exceeds the supply, and the gap is projected to widen in the future. Policies may provide incentives for students to select cyber education paths and create broader awareness of the opportunities that exist in this growing industry. Retraining workers from declining industries may also represent an opportunity to meet future demand.

Supporting Cyber Hygiene: Creating access to security tools and best practices will be important in fighting cyber crime for individuals, enterprises, nations, and the world. Connectedness requires that security solutions be broadly implemented to be effective. Policies may influence access to these tools, provide education on their use, create incentives for use and compliance with standards, and create a culture of responsibility for security.

Privacy, Reporting, and Government's Role: Several broader policy issues that govern our collective approach to cyber security have large implications for the future:

o The right to privacy of the individual and the enterprise: when should collective security interests and protection take precedence over individual privacy rights?
o The roles government should play in cyber security;
o Reporting requirements for security breaches;
o Lack of consistency in laws and requirements between nations, and in the severity of penalties.

These are complex and sometimes controversial policy issues, but incentives established by new policies may have far-reaching influence on the level of protection and on the approaches we can take to protecting individuals, enterprises, and nations from the cyber crime of the future.

References

1. Interpol. (2013). Cybercrime.
2. Verizon RISK Team. (2012). 2012 Data Breach Investigations Report.
3. Merriam-Webster Dictionary. (2013).
4. PWC. (2013). Changing the Game: Key Findings from the PWC Global State of Information Security Survey 2013.
5. IBM. (2012). Finding a Strategic Voice: Insights from the 2012 IBM Chief Information Security Officer Assessment.
6. Bilby, E. (2012, December 17). EU could make firms disclose network security breaches. Reuters.
7. U.S. Department of Commerce, National Institute of Standards and Technology. (2012). Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology (Special Publication, Revision 2).
8. European Network and Information Security Agency. (2006, May). A Step-by-Step Approach on How to Set Up a CSIRT.
9. European Network and Information Security Agency. (2012, December). Consumerization of IT: Risk Mitigation Strategies. Responding to the Emerging Threat Environment.

Appendix 1: Additional Resources

Verizon RISK Team. (2012). 2012 Data Breach Investigations Report.

Cordes, J. (2011, June). An Overview of the Economics of Cybersecurity and Cybersecurity Policy (Report GW-CSPRI). The George Washington University Cyber Security Policy and Research Institute, Washington, D.C., USA.

De Crespigny, M. (2012, July 10). Building a Resilient Cyber Response. Infosecurity Magazine.

European Network and Information Security Agency. (2012, August). Cyber Incident Reporting in the EU: An Overview of Security Articles in EU Legislation.

European Network and Information Security Agency. (2012, September). ENISA Threat Landscape: Responding to the Evolving Threat Environment.

Georgia Tech Information Security Center and Georgia Tech Research Institute. (2012). Emerging Cyber Threats Report. Atlanta, GA, USA.

United Kingdom Minister for the Cabinet Office and Paymaster General. (2012, December). Written Ministerial Statement: Progress on the UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World.

World Economic Forum. (2012, March). Partnering for Cyber Resilience: Risk and Responsibility in a Hyperconnected World. Principles and Guidelines.

Appendix 2: Georgia Tech Cyber Security Capabilities

The Georgia Tech Research Institute's (GTRI) Cyber Technology and Information Security Laboratory (CTISL) conducts applied research focused on cyber threats and countermeasures, secure multi-level information sharing, resilient command and control network architectures, reverse engineering, vulnerability identification, and high performance computing and analytics. CTISL engineers develop and apply cutting-edge technologies in computing, network architectures, signal and protocol analysis, network forensics, malware analysis, and reverse engineering (hardware and software) to solve tough problems.

The Georgia Tech Information Security Center (GTISC) invents and evaluates key innovative user-centric security technologies and policies. The center educates future researchers, policy makers, and information security leaders, as well as working professionals, in the most up-to-date methods for securing information systems. The center also provides a trusted set of resources and a safe haven where individuals and industrial, academic, and government organizations can access, understand, and evaluate issues related to new technologies and policies.

The Georgia Tech College of Computing offers two Master of Science degree programs in Information Security. Both allow students to select a technology or policy focus of study.

Titan is a community-driven threat intelligence framework for malicious software analysis and threat intelligence sharing. Titan was developed by GTRI and allows users to perform a variety of analyses across millions of malware samples. Actionable intelligence disseminates quickly among community participants to ensure rapid reaction to emerging threats.

Through Georgia Tech Professional Education, both GTRI and GTISC researchers conduct non-degree educational courses on a broad range of cyber security topics. These courses are aimed at helping working professionals in industry and government to maintain the most up-to-date skills and knowledge to tackle information security challenges.

Appendix 3: European Union Sources of Cyber Security Expertise and Research

o ENISA, the European Network and Information Security Agency
o European Cybercrime Centre at Europol
o EU-US Joint Working Group on Cyber Security and Cyber Crime
o UCD Centre for Cybersecurity and Cybercrime Investigation
o EU Joint Research Center
o Global Cyber Security Center
o World Economic Forum

Eight Academic Centers of Excellence for Cyber Security Research in the UK include:

o Queen's University Belfast, Institute of Electronics, Communications and Information Technology
o Royal Holloway, University of London
o University of Bristol
o Lancaster University
o Imperial College
o University of Oxford
o University College London
o University of Southampton

Many other universities also have research organizations focused on cyber security topics.