IoD Big Picture Spring 2013


THREAT ASSESSMENT

Countering the cyber threat to business

Sir Iain Lobban, Director of GCHQ, outlines the scale of the cyber threat facing businesses and 10 key steps to improving organisations' online security.

SNAPSHOT

- Cyber security is a corporate-level risk that all boards, in both the private and public sectors, need to own directly.
- The cyber threat applies to all, regardless of size or location.
- The incidents described in the media are just a snapshot of what is going on. On average, 33,000 malicious emails a month are blocked at the gateway to the Government Secure Intranet.
- The volume of e-crime and attacks on industry continues to be disturbing. Attempts are made to steal British intellectual property (IP) in a range of industries, not just in defence and security.
- Basic information risk management can stop up to 80% of the cyber attacks seen today, but experience suggests that few organisations get it right.
- 10 key steps to cyber security are outlined, suggesting a range of controls organisations should consider to protect their most important information, data and IP from cyber attack.

Recent media reports of high-profile security breaches and industrial-scale corporate espionage have blasted cyber security onto the front pages. Cyber security is no longer simply the preserve of IT departments or even of chief information officers (CIOs): the simultaneous benefits and vulnerabilities inherent in digital networks have thrust it onto the board agenda. This is a corporate-level risk which boards across the private and public sector need to own directly.

We now take for granted the transformative power of the internet. We have come to expect access on demand any time, any place, anywhere, even though three years ago none of us had held an iPad. In the same way that our daily lives are increasingly reliant on cyber technologies, our business processes also hinge upon them. Neglecting the integrity of your systems and their data is an existential threat. I know that the IoD has been conducting research among its members in this area, and the findings make compelling reading.

So what does the threat look like? I read increasingly well-informed commentary in the media. But GCHQ's cutting-edge technology adds a unique perspective on the issue, illuminating the threats in cyberspace. And I have to say that the incidents I see described in the media are just a snapshot of what is going on. Cyberspace is contested every day, every hour, every minute, every second.

From GCHQ's vantage point, we have seen significant disruption to government systems from malware picked up accidentally from the internet but also from deliberate attacks. On average, 33,000 malicious emails a month are blocked at the gateway to the Government Secure Intranet; they contain sophisticated malware, often sent by highly capable cyber criminals or by state-sponsored groups. And a far greater number of emails, comprising less sophisticated malicious emails and spam, is blocked each month. That's why cyber security is at the top of my agenda, as we seek to protect the UK's national and economic security.

But why should cyber be at the top of your agendas as directors? I can tell you that in the course of our intelligence and security mission, we become aware of theft of intellectual property on a massive scale, compromises of commercial data and disruption of key networks. The volume of e-crime and attacks on industry continues to be disturbing. I can attest to attempts to steal British intellectual property in a range of industries. This is not just an issue for the defence and security sectors; it's much broader. Professional services firms, for example, should be aware that their proprietary client information represents an increasingly attractive target.

One of the key problems remains the fact that it may not be immediately obvious to an organisation that it has been targeted. Data can be copied without any sign that it has happened. The risk of not acting now is that, by the time you realise your defences have been breached, it will be too late and the damage will have been done.

Directors would not sanction physical premises being left unlocked and the windows left wide open for anyone to walk in and have a nose around. Boards need to apply the same standards to protecting their cyberspace. As technology becomes ever more affordable and available, it is open to a wide range of threat actors (states, criminals and hackers) to mount attacks which put at risk many millions of pounds of investment on a daily basis. If these attacks are left unchecked, they could have a devastating impact on the future earning potential of companies and the economic well-being of nations.

Cyber security is not just an issue for governments; it's for companies and citizens too, and it goes to the heart of our economic well-being and national interest. The UK economy is built to a significant degree on intellectual capital and services and, to flourish, a knowledge economy needs to maintain the integrity of its data.

On a daily basis I see attempts to penetrate systems around the world. The cyber threat applies to us all, regardless of size or location. Many of the systems we are trying to protect extend across national boundaries, but the threat is not limited to multinational organisations. Over half of IoD members' organisations export goods or services internationally, but even where a company doesn't have a footprint or partnership overseas, the commercial systems it depends upon will almost certainly have some base in other countries.

OPPORTUNITIES AMIDST THE THREATS

I'm sure the internet will continue to be an engine for growth, commerce and social development, a great opportunity for firms in the UK. If the UK is seen to be a safe place to do business, we can attract more inward investment. We also have some cyber security organisations based in the UK which could become world leaders in supplying the cyber security market place. GCHQ has a unique role to play here, on both the supply and the demand side. We can support a growing UK cyber security industry. We can showcase the best practice in the public sector, certify firms in the UK as competent at defined government standards and accredit individuals through professional bodies. We can promote product assurance that enables different procurement models in the public sector.

We want to see cyber security turn into intelligent demand too, so that organisations know what to ask for in the cyber security market place. We aim to help boards see protection against cyber attack as a critical investment, not an overhead. Working in partnership with the Cabinet Office, the Department for Business, Innovation and Skills and the Centre for the Protection of National Infrastructure, GCHQ has therefore developed best practice guidance to help the private sector safeguard valuable assets, such as personal data, online services and intellectual property, from cyber attack. The pages which follow summarise the key stages to better cyber security.

Don't gamble with your business's future. So much can be done to strengthen defences through a series of rigorous steps to understand what you've got to lose and what it is worth. There may be some way still to go in raising awareness of the cyber threat and ensuring good security practice is sufficiently embedded, but more and more directors recognise the challenges and opportunities. Cyber security is a risk that boards should be treating as a critical agenda item. The threat is real and growing. Be a hard target.

10 STEPS TO CYBER SECURITY

The responsibility to manage your organisation's cyber risks starts and stops at board level. Basic information risk management can stop up to 80% of the cyber attacks seen today. However, experience suggests that few organisations get this right. Ask yourselves the following key questions:

- Have you identified your organisation's key information assets and the impact it would have on your organisation if they were compromised or your online services were disrupted?
- Have you clearly identified the key threats to your organisation's information assets and set an appetite for the associated risks?
- Are you confident that your organisation's most important information is being properly managed and is safe from cyber threats?

If the answer to any of those questions is "no" or "don't know", read on. The degree to which each of the 10 steps detailed below is relevant to a particular business or organisation will inevitably vary. So will the degree of implementation that may be required: some suggested measures will only be feasible or appropriate for large organisations with dedicated security resources and teams. But it is likely that there will be elements of every step that are pertinent to all organisations, regardless of size, and all directors reading this article are strongly encouraged to review their organisation's security procedures in light of the guidance. Collectively, the recommended actions represent a good foundation for effective information risk management. It is about getting the basics right: taking them will make a tangible difference to your vulnerability to cyber attack.

Step 1: Information Risk Management Regime

Risk is an inherent part of doing business, and must be managed proportionately and appropriately. Organisations should apply the same degree of rigour to assessing the risks to their information assets as they would to legal, regulatory, financial or operational risks. An information risk management regime should be embedded across the organisation, actively supported by the board and senior managers, and communicated broadly.

A lack of effective information risk management and governance may lead to any of the following:

- Increased exposure to risk: without effective risk governance processes it is impossible for the board to understand the risk exposure of the organisation.
- Missed business opportunities: whilst an overly open approach to information risk may expose the organisation to unacceptable risks, an overly cautious approach may lead to missed business opportunities.
- Ineffective policy implementation: without effective risk management and governance processes, the board will not have confidence that its stated policy is being implemented.

Box 1 sets out the recommended actions to mitigate the risks.

BOX 1: Information Risk Management Regime

The following security controls should be considered:

- Establish a governance framework that enables and supports information risk management across the organisation, with ultimate responsibility for risk ownership residing at board level.
- Determine the organisation's risk appetite, as for any other risk. Agree the level of information risk the organisation is prepared to tolerate in pursuit of its business objectives and communicate it.
- Maintain the board's engagement with information risk by making the risks to information assets from a cyber attack a regular board agenda item.
- Produce supporting policies. The board should create and own an overarching information risk policy, setting out the information risk management strategy for the organisation as a whole.
- Adopt a lifecycle approach to information risk management to ensure security controls remain appropriate as the components of risks change over time.
- Apply recognised standards of security management good practice, and implement physical, personnel, procedural and technical measures.
- Educate users and maintain their awareness, as all users have a responsibility to manage the risks to ICT and information assets. Provide appropriate training and refresh it regularly.
- Promote a risk management culture that is organisation-wide, driven by corporate governance from the top down.

Step 2: Secure Configuration

Establishing and actively maintaining the secure configuration of ICT systems is a key security control. By putting in place policies and processes to develop secure baseline builds and manage the ongoing functionality of all ICT systems, organisations can greatly improve their security. Unnecessary functionality should be removed or disabled, and ICT systems should be patched against known vulnerabilities.

ICT systems that are not locked down, hardened or patched will be particularly vulnerable to an easily preventable attack. Risks include:

- Unauthorised changes to systems: an attacker could make unauthorised changes to ICT systems or information, compromising confidentiality, availability and integrity.
- Exploitation of unpatched vulnerabilities: attackers (using malware) will attempt to exploit unpatched systems; many successful attacks are enabled by exploiting a vulnerability for which a patch had been issued some months previously.
- Exploitation of insecure system configurations: an attacker could exploit a system that has not been locked down or hardened to compromise systems and information.
- Increases in the number of security incidents: caused by an organisation's lack of awareness of its vulnerabilities and the availability (or not) of patches and fixes.

Box 2 sets out the recommended actions to mitigate the risks.

BOX 2: Secure Configuration

The following security controls should be considered:

- Develop policies to update and patch systems, such as using the latest versions of operating systems, browsers and applications, and using automated patch management and software update tools.
- Create and maintain hardware and software inventories, to identify any unauthorised hardware or software. Use automated tools to create and maintain inventories of every device and application used by the organisation.
- Lock down operating systems and software by creating a baseline security build for workstations, servers, firewalls and routers. Remove or disable any services, functionality or applications not required by the business.
- Conduct regular vulnerability scans by using automated scanning tools against all networked devices at least weekly, and remedy any vulnerability within an agreed time frame.
- Disable unnecessary input/output devices and removable media access, assessing business requirements for user access to devices such as MP3 players and smart phones, and disabling functionality that is not needed (e.g. USB ports, floppy/CD/DVD/card media drives).
- Implement white-listing and execution control, maintaining a list of authorised applications and preventing the installation of unauthorised software and applications.
- Limit user ability to change configuration by providing users with the minimum system rights and permissions needed to fulfil their role.
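Two of the Box 2 controls, white-listing against an authorised application list and remedying scan findings within an agreed time frame, as an added Python example that is not part of the article or of any GCHQ guidance; the application baseline, the remediation time frames and every inventory and scan record in it are constructed, and the vulnerability references are placeholders.

```python
"""Secure-configuration checks in the spirit of Box 2 (added example; not the
article's own code).  Two checks the box describes are implemented:

  1. compare a software inventory against the list of authorised applications
     (white-listing) and report anything not on it;
  2. take vulnerability-scan findings and report those still open after the
     agreed remediation time frame.

All inventory, baseline and scan data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# Constructed baseline: the authorised (application, version) list for a
# workstation build.  An approved product at an unapproved version is still
# a deviation, because the patching policy wants the baseline version.
AUTHORISED_APPS = {
    ("os", "10.0"),
    ("browser", "45.1"),
    ("office-suite", "2013"),
    ("endpoint-av", "7.2"),
}

# Agreed remediation time frames by severity, in days.  The box says such a
# time frame should be agreed; these particular numbers are assumptions.
REMEDIATION_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class InstalledApp:
    host: str
    name: str
    version: str


@dataclass(frozen=True)
class Finding:
    host: str
    ref: str          # scanner's vulnerability reference (placeholders below)
    severity: str
    first_seen: date  # date the scanner first reported it
    fixed: bool


def unauthorised_software(inventory, authorised=AUTHORISED_APPS):
    """Return (host, name, version) entries that are not on the authorised list."""
    return sorted(
        (app.host, app.name, app.version)
        for app in inventory
        if (app.name, app.version) not in authorised
    )


def overdue_findings(findings, today, sla=REMEDIATION_DAYS):
    """Return open findings older than the agreed time frame for their severity,
    as (host, ref, severity, days_overdue).  An unknown severity is an error
    rather than silently ignored: a finding with no SLA would never be chased."""
    overdue = []
    for f in findings:
        if f.fixed:
            continue
        limit = sla.get(f.severity.lower())
        if limit is None:
            raise ValueError(f"no remediation time frame for severity {f.severity!r}")
        age = (today - f.first_seen).days
        if age > limit:
            overdue.append((f.host, f.ref, f.severity, age - limit))
    return sorted(overdue)


# Constructed inventory: ws-02 runs an unapproved browser build and a media
# player that is not on the list at all; ws-01 matches the baseline.
SAMPLE_INVENTORY = [
    InstalledApp("ws-01", "os", "10.0"),
    InstalledApp("ws-01", "browser", "45.1"),
    InstalledApp("ws-01", "endpoint-av", "7.2"),
    InstalledApp("ws-02", "os", "10.0"),
    InstalledApp("ws-02", "browser", "44.0"),
    InstalledApp("ws-02", "media-player", "1.3"),
]

# Constructed scan results; the refs are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("ws-02", "VULN-PLACEHOLDER-1", "critical", date(2013, 3, 1), False),
    Finding("ws-02", "VULN-PLACEHOLDER-2", "medium", date(2013, 3, 10), False),
    Finding("ws-01", "VULN-PLACEHOLDER-3", "high", date(2013, 2, 1), True),
]


def run_sample(today=date(2013, 3, 20)):
    """Run both checks over the constructed data (used by the demo and the tests)."""
    return unauthorised_software(SAMPLE_INVENTORY), overdue_findings(SAMPLE_FINDINGS, today)


if __name__ == "__main__":
    unauth, overdue = run_sample()
    for row in unauth:
        print("unauthorised software:", row)
    for row in overdue:
        print("overdue finding:", row)
```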

Step 3: Network Security

Organisations can prevent attacks designed to compromise their ICT systems and the information stored by them by developing appropriate approaches to risk management and by applying commensurate security controls. Your organisation's networks need to be protected against both internal and external threats, with the degree of protection governed by the organisation's risk appetite and security policies. Those that fail to protect their networks are subject to a number of risks:

- Leakage of sensitive information: poor network design could be exploited by both internal and external attackers, leading to the loss of sensitive information and compromises in confidentiality and integrity.
- Import and export of malware: failing to erect appropriate boundary security controls could result in the compromise of business systems and the accidental release of malware to business partners.
- Denial of service: networks connected to untrusted networks (such as the internet) are vulnerable to denial of service attacks.
- Damage or defacement: attackers who successfully compromise the network can damage internal and externally facing systems, such as defacing websites.

Box 3 sets out the recommended actions to mitigate the risks.

BOX 3: Network Security

The following security controls should be considered:

- Police the network perimeter, inspecting all traffic at the perimeter and limiting access to network ports. Install firewalls to form a buffer zone against the untrusted external network.
- Prevent malicious content by deploying anti-virus and malware checking solutions to examine inbound and outbound data at the network perimeter, as well as anti-virus and malware protection deployed on internal networks.
- Protect the internal network by preventing direct connections between internal systems and untrusted external networks.
- Segregate network assets, identifying, grouping and isolating critical business information assets.
- Secure wireless devices by only allowing them to connect to trusted wireless networks.
- Protect internal IP addresses to prevent them being exposed to external networks.
- Monitor the network using intrusion monitoring tools and regularly audit activity logs.
- Test the security controls by conducting regular penetration tests and undertaking simulated cyber attack exercises.

Step 4: Managing User Privileges

It is good practice for organisations to manage the access privileges users have to ICT systems and the information held. All users should only be provided with the privileges they need to do their job: the principle often referred to as Least Privilege.

A failure to manage user privileges appropriately may result in an increase in the number of deliberate and accidental attacks:

- Misuse of privileges: ICT systems can be deliberately or accidentally damaged by authorised users misusing their privileges, leading to a loss of the confidentiality, integrity or availability of the system or information held.
- Increased attacker capability: attackers using a compromised user account will, if allowed, return and reuse it on numerous occasions, or sell the access to others. They will particularly seek to gain access to root or administrative accounts.
- Negating established security controls: where attackers have privileged access they can make changes to security controls or delete audit logs to attempt to cover their tracks.

Box 4 sets out the recommended actions to mitigate the risks.

BOX 4: Managing User Privileges

The following security controls should be considered:

- Establish effective account management processes, managing and reviewing user accounts from creation and modification to eventual deletion when a member of staff leaves. Unused or dormant accounts (e.g. for temporary staff) should be removed.
- Limit the number and use of privileged accounts, as well as minimising privileges for all users and providing administrators with normal accounts for business use.
- Monitor all users, with particular monitoring of access to sensitive information and the use of privileged account actions, such as the creation of new accounts, changes to passwords or the deletion of accounts and audit logs.
- Establish policies and standards for user identification and access control, including for the quality and lifecycle of passwords. These should ideally be machine-generated and randomised.
- Set up a personnel screening process, with all users undergoing pre-employment screening to a level commensurate with their access to sensitive information.
- Limit access to the audit system and the system activity logs to preserve the integrity of the content.
- Educate users and maintain their awareness: without exception, all users should be aware of the organisation's policies regarding acceptable account usage and their responsibility to adhere to security policies.

Step 5: User Education and Awareness

Employees' use of ICT brings risks, so it is critical for all staff to be aware of their personal security responsibilities. Security training and awareness can increase levels of expertise and knowledge, and foster a security-conscious culture. Organisations without user security policies, or that do not train users in good security practices, will be vulnerable to many of the following risks:

- Unacceptable use: without a clear policy users may compromise sensitive commercial information, resulting in legal or regulatory sanction or reputational damage.
- Removable media and personal devices: unless clearly communicated otherwise, staff may use their own removable media or connect their personal device to the organisation's infrastructure. This could lead to the import of malware.
- Incident reporting: the impact of any incident could be compounded if users do not report incidents promptly.
- Security operating procedures: users not trained in the secure use of the organisation's ICT systems may accidentally misuse them.
- External attack: users remain the weakest link in the security chain and will always be a primary focus for a range of attacks. A successful attack may only require one user to open an email with malicious content.

Box 5 sets out the recommended actions to mitigate the risks.

BOX 5: User Education and Awareness

The following security controls should be considered:

- Produce a user security policy as part of the organisation's overarching security policy, covering acceptable use of ICT.
- Establish a staff induction process, ensuring that new users (including contractors and third party users) are aware of their personal responsibility to comply with the organisation's security policies.
- Maintain user awareness of the cyber risks faced by the organisation, for example via regular refresher training.
- Support the formal assessment of Information Assurance skills, encouraging staff in security roles to develop and formally validate their skills.
- Carry out pre-employment screening and background security checks commensurate with the individual's role and access to sensitive information.
- Monitor the effectiveness of security training through formal feedback.
- Promote an incident reporting culture to encourage staff to voice their concerns.
- Establish a formal disciplinary process, making staff aware that any abuse of security policy will result in disciplinary action.

Step 6: Incident Management

Security incidents are inevitable and will range in their business impact. All organisations will experience an information security incident at some point. However, establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and reduce any financial impact. Organisations failing to implement effective capabilities risk the following:

- A major disruption of business operations: failure to realise an incident has occurred, and to manage it effectively, may compound its impact.
- Continual business disruption: organisations failing to address the root cause of incidents could be exposed to consistent and damaging business disruption.
- Failure to comply with legal and regulatory reporting requirements: where an incident compromises sensitive information that is covered by mandatory reporting controls, failing to adhere to those controls could lead to legal or regulatory penalties.

Box 6 sets out the recommended actions to mitigate the risks.

BOX 6: Incident Management

An organisation's business profile will determine the type and nature of incidents that may occur. A risk-based approach considering all business processes should therefore be used to shape incident management plans:

- Obtain senior management approval and backing: the board must understand the risks and benefits of incident management, resource it appropriately, and lead delivery.
- Establish an incident response and disaster recovery capability by developing and maintaining incident management plans with clear roles and responsibilities, testing them regularly.
- Provide specialist training to the incident response team.
- Define the required roles and responsibilities of those who will handle ICT incidents.
- Establish a data recovery capability and a systematic approach to the backup of corporate information. The ability to recover archived data should be tested.
- Test the incident management plans regularly.
- Collect and analyse post-incident evidence to identify and remedy the root cause.
- Conduct a lessons learned review by logging the actions taken during an incident and reviewing performance.

Step 7: Malware Prevention

Any information exchange risks exposure to malicious code and content (malware) which could seriously damage the confidentiality, integrity and availability of an organisation's ICT. Malware infections can result in disruption to business services, unauthorised exports of sensitive information and financial loss.

Opportunities for the import of malware include:

- Email: still the primary path for internal and external information exchange. It can be used for targeted or random attacks (phishing) through file attachments that release their payload when the file is opened, or redirect to websites with malicious content.
- Web browsing and access to social media: if uncontrolled, these can provide opportunities for an attacker to direct malicious content to an individual user or lead to the download of content from a compromised or malicious website.
- Removable media and personal devices: malware can be transferred to an organisation's ICT system through the use of unapproved media or the initial connection of a personal device.

Box 7 sets out the recommended actions to mitigate the risks.

BOX 7: Malware Prevention

- Develop and publish corporate policies covering the acceptable and secure use of the organisation's systems, addressing the business processes vulnerable to malware.
- Establish anti-malware defences across the organisation, agreeing an approach to managing the risks from malware for each business area.
- Scan for malware across the organisation, protecting all host and client machines with anti-virus solutions that actively scan for malware.
- Manage all data import and export, scanning all information supplied to or from the organisation for malicious content.
- Blacklist malicious websites, ensuring that the perimeter gateway blocks access.
- Establish malware defences based on multiple defensive layers. The following controls are considered essential to manage the risks from malware:
  - Deploy anti-virus and malicious code checking solutions to scan objects at the perimeter, on internal networks and on host systems.
  - Deploy content filtering capability on all external gateways to stop attackers delivering malicious code to the common desktop applications used by the user.
  - Install firewalls on the host and gateway devices.
  - If possible, disable Windows scripting, ActiveX, VBScript and JavaScript, and disable the auto run function on removable media.
  - Regularly scan every network component and apply security patches.
  - Apply the secure baseline build to every network device and mobile platform.
  - User education and awareness: establish clear operating procedures for corporate desktops.

Step 8: Monitoring

Monitoring ICT activity allows organisations to detect attacks and react to them appropriately, whilst providing a basis upon which lessons can be learned to improve the overall security of the business. Without the ability to monitor effectively, organisations will not be able to:

- Detect attacks: either those originating from outside the organisation or attacks as a result of deliberate or accidental insider activity.
- React to attacks: so that an appropriate response can be taken to prevent or minimise the resultant impact of an attack.
- Account for activity: the organisation will have an incomplete understanding of how its ICT systems or information are being used.

Box 8 sets out the recommended actions to mitigate the risks.

BOX 8: Monitoring

- Establish a monitoring strategy and policy based on an assessment of the risks and taking into account previous security incidents and attacks.
- Monitor all ICT systems, ensuring that all networks and host systems (e.g. clients and servers) are monitored, potentially through the use of Network and Host Intrusion Detection Systems (NIDS/HIDS) and Prevention Solutions.
- Monitor network traffic continuously to identify unusual activity or trends that could indicate an attack or compromise of data.
- Monitor all user activity, generating audit logs able to identify the user, the activity that prompted the alert and the information they were trying to access.
- Fine-tune monitoring systems so that they only collect relevant logs, events and alerts. Inappropriate collection of monitoring information could be costly, breach data protection and privacy legislation, and hinder the detection of real attacks.
- Ensure there is sufficient storage, as monitoring can generate vast quantities of data.
- Train the security personnel on the deployment of monitoring capability and the analysis of security alerts, events and accounting logs.
- Align the incident management policies so that processes are in place to respond to incidents detected by monitoring.
- Ensure that monitoring capabilities are tested and that lessons from security incidents are learned.
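The monitoring controls of Box 4 (privileged account actions and dormant accounts) and Box 8 (audit records that identify the user, the activity and the information accessed), as an added Python example that is not part of the article or of any GCHQ guidance; the key=value log format, every sample log line, the 90-day dormancy threshold and the "-adm" naming convention for administrator accounts are all assumptions made for the example.

```python
"""Audit-log monitoring for privileged account actions and dormant accounts
(added example; not the article's own code).  It covers the Box 4 controls
(monitor privileged actions such as account creation, password changes and
deletion of accounts or audit logs; remove dormant accounts) and the Box 8
control that audit records identify the user, the activity and the object
accessed.  The log format and all log lines below are constructed."""
import re
from datetime import datetime, timedelta

# Constructed key=value audit format; a real system's format will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+) result=(?P<result>\S+)$"
)

# The privileged actions Box 4 singles out for particular monitoring.
PRIVILEGED_ACTIONS = {"create_account", "change_password", "delete_account", "delete_audit_log"}

# Assumed policy values: accounts unused for this long are reported as
# dormant, and administrators are expected to act from named "-adm" accounts
# (Box 4: administrators get normal accounts for business use).
DORMANT_AFTER = timedelta(days=90)
ADMIN_SUFFIX = "-adm"


def parse(line):
    """Parse one audit line into a dict; return None for lines that do not match,
    so one malformed record cannot stop the rest of the log being examined."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def privileged_alerts(lines):
    """Return one alert per privileged action as
    (kind, user, action, target, host): who did it, what they did and to which
    object, the three things Box 8 wants an audit record to identify.  A
    privileged action from an account without the admin suffix is reported
    under its own kind, because that is exactly the misuse Box 4 warns of."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        if rec["action"] not in PRIVILEGED_ACTIONS:
            continue
        kind = "privileged" if rec["user"].endswith(ADMIN_SUFFIX) else "privileged-from-normal-account"
        alerts.append((kind, rec["user"], rec["action"], rec["target"], rec["host"]))
    return alerts


def dormant_accounts(lines, known_accounts, now):
    """Return known accounts with no successful login within DORMANT_AFTER of
    `now`.  Accounts that never appear in the log at all count as dormant too."""
    last_login = {}
    for rec in filter(None, map(parse, lines)):
        if rec["action"] == "login" and rec["result"] == "ok":
            last_login[rec["user"]] = max(last_login.get(rec["user"], rec["ts"]), rec["ts"])
    return sorted(
        acct for acct in known_accounts
        if acct not in last_login or now - last_login[acct] > DORMANT_AFTER
    )


# Constructed sample log: a legitimate admin creating an account, a normal
# account changing an admin's password and deleting an audit log, an ordinary
# file read, and one malformed line the parser must skip.
SAMPLE_LOG = """\
2013-01-02T07:30:00 host=dc01 user=old-intern action=login target=old-intern result=ok
2013-03-04T08:55:10 host=dc01 user=asmith action=login target=asmith result=ok
2013-03-04T09:10:00 host=dc01 user=asmith-adm action=login target=asmith-adm result=ok
2013-03-04T09:12:33 host=dc01 user=asmith-adm action=create_account target=temp-contractor result=ok
2013-03-04T09:38:20 host=dc01 user=bjones action=login target=bjones result=ok
2013-03-04T09:40:02 host=dc01 user=bjones action=change_password target=asmith-adm result=ok
2013-03-04T10:05:47 host=fs02 user=bjones action=delete_audit_log target=/var/log/audit/2013-02 result=ok
2013-03-04T10:06:00 host=fs02 user=bjones action=read target=/finance/q1-results.xls result=ok
garbage line the parser must skip
""".splitlines()

# Constructed account list from the (assumed) account management process.
SAMPLE_ACCOUNTS = {"asmith", "asmith-adm", "bjones", "temp-contractor", "old-intern"}


def run_sample(now=datetime(2013, 4, 15)):
    """Run both checks over the constructed log (used by the demo and the tests)."""
    return privileged_alerts(SAMPLE_LOG), dormant_accounts(SAMPLE_LOG, SAMPLE_ACCOUNTS, now)


if __name__ == "__main__":
    alerts, dormant = run_sample()
    for a in alerts:
        print("ALERT", a)
    print("dormant accounts to review for removal:", dormant)
```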

Step 9: Removable Media Controls

Using removable media to store or transfer significant amounts of personal and commercially sensitive information is an everyday business process. It is good practice to carry out a risk/benefit analysis of the use of removable media and to apply appropriate and proportionate security. Those failing to control and manage the import and export of information using removable media could face the following risks:

- Loss of information: the physical design of removable media can result in it being misplaced or stolen, potentially compromising the information stored on it.
- Introduction of malware: uncontrolled use of removable media will increase the risk from malware if the media can be used on multiple ICT systems.
- Information leakage: some types of media retain information after user deletion, which could lead to an unauthorised transfer of information between systems.
- Reputational damage: a loss of sensitive data can attract media attention and erode customer confidence.
- Financial loss: the loss or compromise of sensitive information could subject the organisation to financial penalties.

Removable media should only be used to store or transfer information as a last resort. Risks may be reduced by taking the steps outlined in Box 9.

BOX 9: Removable Media Controls

- Produce a corporate policy to control the use of removable media for the import and export of information.
- Limit the use of removable media: where use is unavoidable, organisations should limit the types of media that can be used, together with the users, systems and types of information that can be stored or transferred on removable media.
- Scan all removable media for malware with anti-virus solutions. Any media brought into the organisation should be scanned for malware by a stand-alone scanner before any data transfer takes place.
- Audit media regularly so that individuals are accountable for its secure use.
- Encrypt the information held on the media, using encryption proportionate to the value of the information and the risks posed to it.
- Lock down access to media drives by default and only allow access to approved, authorised devices.
- Monitor systems to detect and react to the unauthorised use of removable media.
- Actively manage the reuse and disposal of removable media to ensure previously stored information will not be accessible.

Step 10: Home and Mobile Working

Mobile working offers great business benefits but, in extending the security boundary to the user's location, also presents risks that will be challenging to manage. Organisations should establish risk-based policies to cover all types of mobile devices and flexible working, and plan for an increase in the number of security incidents. Mobile working entails the transit and storage of information outside the organisation's secure infrastructure, perhaps to devices with more limited security features or the use of devices in public places. The following risks could be realised:

Loss or theft of the device: mobile devices are attractive and valuable, and often used in open view. They are therefore highly vulnerable to being stolen.
Being overlooked: some users will have to work in public open spaces where they are vulnerable to being observed.
Loss of credentials: if usernames and passwords are stored with a device used for remote working, and it is lost or stolen, the attacker could compromise the organisation's ICT systems.
Tampering: attackers may target mobile devices left unattended and insert malicious software or hardware, allowing them to monitor all user activity.

Box 10 sets out the recommended actions to mitigate the risks.

BOX 10: Home and Mobile Working

Assess the risks and create a mobile working policy that determines aspects such as the process for authorising off-site working, the type of information that can be stored on devices, encryption and incident reporting.
Educate users and maintain their awareness to ensure all users are capable of operating mobile devices securely.
Protect data at rest by minimising the amount of data stored on a mobile device to that which is needed to fulfil the business activity being delivered off-site. Encrypt data.
Protect data in transit. If users are working remotely, the connection back to the corporate network will probably use an untrusted public network such as the internet. The device and the information exchange should be protected by an appropriately configured Virtual Private Network (VPN).
Review incident management plans. Mobile working attracts significant risks; security incidents will occur even when users follow the security procedures. Plans should be sufficiently flexible to deal with a range of incidents. Ideally, technical processes should be in place to disable a lost device remotely and deny it access to the main network.

NEXT STEPS

The technical level of cyber attacks is growing exponentially. What was considered a sophisticated cyber attack only a year ago might now be incorporated into a downloadable and easy-to-deploy internet application, requiring little or no expertise to use. You can never be totally safe from cyber threats. Risks will, at times, become reality. However, this article has identified some practical steps which you, as leaders, can take to improve the protection of your networks and the information carried on them. Don't let cyber security become the agenda; put it on the agenda.

Further resources

The full set of GCHQ's Cyber Security Guidance for Business documents is available on the GCHQ website:

The Centre for the Protection of National Infrastructure's Top 20 Critical Controls for Effective Cyber Defence provides additional information on a range of quick wins through advanced technical measures:


More information

GETTING PHYSICAL WITH NETWORK SECURITY WHITE PAPER

GETTING PHYSICAL WITH NETWORK SECURITY WHITE PAPER GETTING PHYSICAL WITH NETWORK SECURITY WHITE PAPER Molex Premise Networks EXECUTIVE SUMMARY This article discusses IT security, which is a well documented and widely discussed issue. However, despite the

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure

More information

Information Security Policy

Information Security Policy Information Security Policy Last updated By A. Whillance/ Q. North/ T. Hanson On April 2015 This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

More information

University of Kent Information Services Information Technology Security Policy

University of Kent Information Services Information Technology Security Policy University of Kent Information Services Information Technology Security Policy IS/07-08/104 (A) 1. General The University IT Security Policy (the Policy) shall be approved by the Information Systems Committee

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...

More information

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com Kaseya White Paper Endpoint Security Fighting Cyber Crime with Automated, Centralized Management www.kaseya.com To win the ongoing war against hackers and cyber criminals, IT professionals must do two

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

CYBER SECURITY Audit, Test & Compliance

CYBER SECURITY Audit, Test & Compliance www.thalescyberassurance.com CYBER SECURITY Audit, Test & Compliance 02 The Threat 03 About Thales 03 Our Approach 04 Cyber Consulting 05 Vulnerability Assessment 06 Penetration Testing 07 Holistic Audit

More information