Chapter 19
Information Asset Management for Cyber

Booz Allen Hamilton Christopher Ling, Executive Vice President, Booz Allen Hamilton, USA

As Tom begins to piece together his company’s cyber risk management plan with Nathan, his chief risk officer (CRO), and Nasir, his crisis action officer, Tom recalls a recent news story of a major company crippled by a cyber attack. “That sounds bad,” Tom says, “but it would never happen to us. We perform regular security updates and are fully compliant with security requirements.” Nathan cautions, “Tom, compliance is only a small piece of an incredibly lethal and complex cybersecurity puzzle. What was good enough years ago leaves companies open for a crippling attack today.” Nasir chimes in, “Information is power. The more effectively our organization protects our own information assets and detects and responds to threats in a broad, holistic manner, the more likely we will be to keep sensitive information out of hackers’ hands.”

The Invisible Attacker

Holiday season is usually a time of plenty for North American retailers. But in December 2013, a giant retail company got a surprise worse than a stocking full of coal: the credit card information of 40 million customers had been stolen via point-of-sale (POS) systems in the company’s stores. An additional 70 million customer records containing names, addresses, phone numbers and e-mail addresses were also exposed.

This was no ordinary breach. Hackers began their assault by infiltrating the network of one of the company’s heating, ventilating, and air conditioning (HVAC) vendors. Like many large operations, this giant retail company used an outside vendor to monitor temperatures and energy consumption inside its stores. Whenever outages occurred, the HVAC vendor conducted troubleshooting and addressed issues remotely. This helped the giant retail company save money and increase energy efficiency—but it also created the perfect backdoor for hackers to begin their attack on the company’s network.

Once inside, the hackers moved laterally through the company’s systems, exploiting weaknesses to reach ever-more-sensitive data. They eventually reached the POS systems, where they installed malware, undetected by the antivirus products in use, that captured card data with every swipe at a register in one of the company’s stores. The stolen data was staged on compromised servers around the world and then sold on the Dark Web.

Attackers had access to the company’s network for more than two weeks. When customer data was exfiltrated across the Web, a computer security firm hired by the company alerted the security team at the company’s headquarters in Minneapolis.

Yet even after the alarm had been sounded, the company did not act soon enough. It believed itself to be compliant with the latest security standards, and so saw no reason to act. Only when the Department of Justice notified the company about the breach did it begin to investigate what had gone wrong. By then, it was too late: 70 million customer records had been exposed, and the company’s holiday-quarter profit fell 46 percent from the prior year.

A Troubling Trend

While this breach is one of the largest and most well known in recent years, the company is far from the only one to be hit. Other large, multinational organizations have been the victims of cyber attacks, leading to millions in lost revenues and erosion of customer trust.

Frequent attacks across industries demonstrate that the cyber threat is real, and the impact to organizations substantial. Why, then, are so many companies behaving as though checking the basic requirement box is enough? The time for organizations to develop mature, detailed, and highly integrated plans to manage risk is now. These plans should be based on new frameworks and tools that can evolve as threats change and allow senior executives to conduct cost and risk trade-offs for their investments.

Organizations cannot control how or when a cyber attack will occur. They can, however, control the speed and effectiveness of their response.

Thinking Like a General

Cyber attacks may be new to major news headlines, but in reality, tactics like malware—and intrusions like the one suffered by the retailer above—have existed for decades. The difference: these attacks once took place only between nations and militaries, the only entities with the funds and expertise to conduct cyber espionage.

Now, the problem has trickled down to business-to-consumer companies, and they are ill-prepared to defend themselves. As in the example above, corporations often take a compliance-based approach to cybersecurity. They bring in accounting firms to conduct audits, and once they have satisfied all requirements, they consider their work complete. Yet the retailer above, like many companies that have been hit, considered itself compliant at the time of its breach.

Similarly, when a breach occurs, most companies focus on fixing technical problems. They concentrate on finding and removing intruders while keeping the lights on and minimizing disruption. While these activities are important, the impact of a cyber breach can reverberate far beyond a company’s systems and business operations. Depending on the intrusion, it may also create a customer problem, a legal problem, an operations problem, a policy problem, a lost-revenue problem, and a communications, public relations, regulatory, and brand reputation problem.

Traditional business problem-solving and planning approaches are no match for this new reality. A rapidly unfolding cyber crisis demands confident decision making and execution. To best defend themselves against attacks, organizations should think more like militaries. They must take a proactive approach to defense, continuously strengthening their safeguards while preparing themselves for the worst.

The Immediate Need—Best Practices

Military planners prepare for specific mission scenarios that require clear communications and precise coordination among numerous actors. In developing effective, integrated response plans that lead to successful crisis management, companies should follow three main principles:

  1. Create a contingency plan and document it in a handbook.

    Organizations should identify in advance what kinds of cyber crises could occur. They should examine high-probability and/or high-impact scenarios and identify the stakeholders who would be affected. This means analyzing how each scenario could impact finances, operations, legal, and other activities, as well as investor relations, customer relations, regulatory affairs, and other external-facing functions. Once a company has mapped out possible scenarios and plans, it should create handbooks (or playbooks) that ensure a coherent, coordinated response.

  2. Conduct war games to improve the plan and train staff.

    War gaming can provide insights into anticipated cyber incidents and planned responses, helping organizations refine their plans and identify all the capabilities required for an effective response. Games should also include scenarios that assume the attacker succeeds, which forces the company to plan the business response, not just the technical recovery. Not all organizations will have the resources to create plans for every possible scenario. To make best use of resources, teams should conduct games based on the situations that are most likely to occur or would inflict the most damage.

    Response plans and playbooks should be exercised regularly, perhaps once per quarter, to ensure that responders understand their roles and have practice carrying them out. This is essential to a unified response when an incident occurs. Having a plan is not the same as being prepared. Training is essential.

  3. Appoint a crisis action officer to create and execute plans.

    Every company should have a single person or function responsible for preparing for and responding to cyber crises. This role can be called the crisis action officer or crisis executive. Too often, these functions are dispersed among different players. This leads to a lack of coordination in planning and preparation, and a lack of effective execution during a cyber crisis. A crisis action officer should understand how the technical aspects of a breach could impact the entire enterprise, including the risks it would pose. He or she should be specifically trained for the position and should have the ability to lead joint decision making by calling together various corporate functions.

A crisis action officer should not, however, be the person held responsible for the security failures that led to a crisis. Keeping those roles separate allows him or her to focus on guiding the company through an attack. This individual would report directly to the CEO during a crisis and would be accountable for managing crises effectively.

Cybersecurity for the Future

Many companies have already implemented these steps. For those who have not, such actions should be considered an immediate priority.

But while these precautions may protect companies today, they are far from future-proof. As the technologies used to carry out cyber attacks increase in sophistication, the strategies organizations use to defend themselves must evolve as well. There are a number of cutting-edge approaches that organizations should begin to consider as they move toward true military-grade cybersecurity.

From Exploitation to Attack

Computer network operations is another concept that originated with the military and now has applications for business. It refers broadly to the actions an entity takes to protect its own information and systems while denying the same to its adversaries. It has three components: computer network defense (CND), computer network exploitation (CNE), and computer network attack (CNA).

CND is self-explanatory. CNE and CNA are more complicated. CNE refers to cyber espionage: an intrusion whose aim is to collect information while leaving data and systems intact. CNA refers to intrusions that disrupt, degrade, or destroy data or systems. Until now, companies have prepared themselves primarily for exploitation: theft of customer data, for example. Moving forward, they must also protect themselves against attack, putting contingencies in place for the possible deletion or corruption of data.
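A contingency for deletion or corruption starts with being able to tell that it happened. The block below is an added example, not code from the chapter or from Booz Allen Hamilton: it builds a keyed integrity manifest (SHA-256 per file, the manifest itself authenticated with an HMAC) and then checks a directory against it, reporting modified, deleted, and unexpected new files. The directory layout, file contents, and key are constructed for the demonstration; in practice the key would live in a secrets store and the manifest would be kept off the monitored host. The assumption is that an attacker who can destroy data on the host cannot also obtain that key, so a rewritten manifest is detected rather than trusted.

```python
"""Keyed integrity manifest: detect deletion or corruption of data (CNA).

Added example, not part of the chapter. Paths, contents and the key are
constructed; the key would come from a secrets store in practice.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, streamed so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key):
    """Map every file under root to its digest and sign the map with HMAC-SHA256."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = file_digest(full)
    body = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def verify_manifest(root, manifest, key):
    """Check the manifest's MAC first, then diff the directory against it."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        # Someone rewrote the manifest without the key: trust nothing in it.
        return {"manifest_tampered": True, "modified": [], "deleted": [], "added": []}
    current = build_manifest(root, key)["entries"]
    known = manifest["entries"]
    return {
        "manifest_tampered": False,
        "modified": sorted(p for p in known if p in current and current[p] != known[p]),
        "deleted": sorted(p for p in known if p not in current),
        "added": sorted(p for p in current if p not in known),
    }


def demo():
    """Build a baseline, simulate a destructive intrusion, and verify twice."""
    key = b"constructed-demo-key-do-not-use"
    sample = {  # constructed sample data
        "ledger/tx-2013-11.csv": b"id,amount\n1,10.00\n",
        "ledger/tx-2013-12.csv": b"id,amount\n2,20.00\n",
        "README": b"constructed sample\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ledger"))
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)

        # Simulated CNA: corrupt one file, delete another, drop a tool on disk.
        with open(os.path.join(root, "ledger/tx-2013-11.csv"), "wb") as fh:
            fh.write(b"\x00" * 32)
        os.remove(os.path.join(root, "ledger/tx-2013-12.csv"))
        with open(os.path.join(root, "wiper.bin"), "wb") as fh:
            fh.write(b"MZ")
        after = verify_manifest(root, manifest, key)

        # The attacker recomputes the digests (they need no key) and splices
        # them into the manifest, but cannot produce a valid MAC.
        forged = {"entries": build_manifest(root, b"wrong-key")["entries"],
                  "mac": manifest["mac"]}
        forged_result = verify_manifest(root, forged, key)
        return clean, after, forged_result


if __name__ == "__main__":
    for label, result in zip(("baseline", "after attack", "forged manifest"), demo()):
        print(label, result)
```

Detection is only half of the contingency: the list of modified and deleted paths is what drives restoration from backups that the attacker could not reach, and the manifest check should run from a host outside the compromised segment so that the check itself is not wiped alongside the data.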

Reimagining the Attack Surface

How exactly does CNA occur? That depends on an organization’s attack surface. An attack surface is the sum of all possible entry points to an environment. It can include software, hardware, firmware, networks, and people. Organizations can minimize their risk of attack by reducing the size of their attack surface, or the number of points of entry into their systems.

They can also segment their networks with firewalls and access controls so that a foothold in one part (a vendor connection, for instance) does not reach another (the POS systems), encrypt sensitive data so that reaching it is not the same as reading it, reevaluate which employees and vendors have access to what data, and monitor in real time for anomalies. These changes help organizations not only stop attackers in their tracks but also shorten the time between detection and remediation. In recent attacks, weeks passed before access was cut off and the attack surface changed. Today, such changes should take minutes or seconds.

OODA: Observe, Orient, Decide, and Act

Another way organizations can begin to protect themselves from CNA is by taking a lesson from Air Force pilots. During the Korean War, U.S. F-86 Sabres were outclassed by Soviet-built MiG-15s in climb rate and turning ability, yet American pilots consistently bested their opponents in dogfights. Pilot John Boyd attributed this in part to the F-86’s bubble canopy and hydraulic controls, which let its pilots see and change their situation faster than the MiG pilots could, and he later generalized the insight into the OODA loop. The OODA loop is a decision-making cycle that consists of four parts: observe, orient, decide, and act. If an individual or organization can continually move through this cycle faster than a competitor can, they disrupt the opponent’s own OODA loop and can often win despite other disadvantages.

The concept of the OODA loop has frequently been applied to business decision making, and it will be especially useful for minimizing threats in the emerging cybersecurity landscape. Instead of waiting for attacks to occur, companies can attempt to thwart would-be hackers by staying one step ahead, constantly adapting and refining their networks and security protocols.

New Opportunities for Network Agility

Companies will be able to shorten their OODA loops by making changes to the attack surface of their software environments in real time. The advent of software-defined networks (SDNs) will make this easier than ever. By moving network control out of individual hardware routers and switches and into software, SDNs allow network administrators to continuously monitor the attack surface and change it as necessary in response to identified threats.

In this way, today’s security operations centers (SOCs) will evolve into true command-and-control centers for operations. While the command-and-control model gives ultimate decision-making authority to the commander, this approach relies heavily on joint decision making among all the relevant functions to ensure realistic evaluation of options, collaborative action planning, and a high probability of success.
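The segmentation, access review, and real-time monitoring described under “Reimagining the Attack Surface,” and the automated change to the attack surface described in this section, come together in a loop that observes traffic, orients it against a zone policy, decides which flows violate it, and emits the actions an SDN controller would apply. The block below is an added example, not code from the chapter or from Booz Allen Hamilton. The zone names, address ranges, allowed zone pairs, log format, and log lines are all constructed to mirror the retailer breach above (vendor foothold, lateral movement to the POS segment, bulk egress); nothing is taken from a real network.

```python
"""Zone policy check with automated response: observe flows, orient them
against a segmentation policy, decide which violate it, act by emitting
quarantine rules for the controller.

Added example, not part of the chapter. Zones, ranges, policy, log format
and log lines are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed zones; the address ranges are illustrative assumptions.
ZONES = {
    "vendor_vpn": ipaddress.ip_network("10.10.0.0/24"),  # HVAC vendor's remote access
    "corp":       ipaddress.ip_network("10.20.0.0/16"),  # building management, office IT
    "pos":        ipaddress.ip_network("10.30.0.0/16"),  # store registers
    "dmz":        ipaddress.ip_network("10.40.0.0/24"),  # payment gateway relays
}

# Allowed (source zone, destination zone) pairs. Anything else is a violation,
# which is what makes the policy small enough to review: the vendor may reach
# corp, never pos; pos may only leave the network through the dmz.
ALLOWED = {
    ("vendor_vpn", "corp"),
    ("corp", "corp"),
    ("corp", "pos"),
    ("pos", "pos"),
    ("pos", "dmz"),
    ("dmz", "external"),
}

# Constructed flow records: "<timestamp> <src> -> <dst>:<port> <bytes>".
LOG = """\
2013-11-27T02:14:07Z 10.10.0.23 -> 10.20.5.40:443 18422
2013-11-27T02:16:51Z 10.10.0.23 -> 10.30.12.7:445 2310
2013-11-27T02:17:02Z 10.10.0.23 -> 10.30.12.8:445 2310
2013-11-27T03:02:19Z 10.30.12.7 -> 10.40.0.9:443 804211
2013-11-27T03:40:00Z 10.40.0.9 -> 203.0.113.45:443 61000000
2013-11-27T03:45:00Z 10.20.5.40 -> 10.30.12.7:8443 9100
"""


def zone_of(ip):
    """Name the zone an address belongs to; anything outside every range is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse(line):
    """Parse one constructed flow record into a dict."""
    ts, src, _arrow, dst_port, nbytes = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def evaluate(lines, egress_threshold=50_000_000):
    """Return (violations, actions) for a batch of flow records.

    Two checks: a zone pair not in ALLOWED (lateral movement the policy
    forbids), and total bytes to external hosts above a threshold (bulk
    exfiltration over a path the policy does allow).
    """
    violations = []
    egress = defaultdict(int)
    for line in lines:
        flow = parse(line)
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        if (src_zone, dst_zone) not in ALLOWED:
            violations.append({"ts": flow["ts"], "src": flow["src"], "dst": flow["dst"],
                               "reason": f"{src_zone}->{dst_zone} not permitted"})
        if dst_zone == "external":
            egress[flow["src"]] += flow["bytes"]
    for src, total in egress.items():
        if total > egress_threshold:
            violations.append({"ts": None, "src": src, "dst": "*",
                               "reason": f"egress {total} bytes exceeds {egress_threshold}"})
    # Act: one quarantine rule per offending host, ready for the controller.
    actions = [f"quarantine {src}" for src in sorted({v["src"] for v in violations})]
    return violations, actions


if __name__ == "__main__":
    found, rules = evaluate(LOG.strip().splitlines())
    for v in found:
        print(v)
    print(rules)
```

Run on the constructed log, the check flags the vendor host for reaching two POS registers over port 445 and the DMZ relay for pushing roughly 61 MB to an outside address, and it produces two quarantine rules. The threshold and the allowed pairs are the part a security team has to own: the loop is only as fast as the policy is current, which is why the access review in the previous section is not a one-time exercise.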

Time to Act

The cyber reality companies now face is daunting to say the least. But organizations cannot allow themselves to be paralyzed by fear. Nor can they continue to tell themselves “it will never happen to us.” Cyber attackers are becoming more sophisticated—and more destructive—every day. The time is now for all organizations to modernize their information security operations and prepare themselves for a future filled with even more advanced threats.

Conclusion

The following cyber risk management statement represents the organizational capabilities that the CEO and board expect to be demonstrated in information asset management for the future.

About Booz Allen Hamilton

Booz Allen Hamilton has been at the forefront of strategy and technology for more than 100 years. Today, the firm provides management and technology consulting and engineering services to leading Fortune 500 corporations, governments, and not-for-profits across the globe. Booz Allen partners with public- and private-sector clients to solve their most difficult challenges through a combination of consulting, analytics, mission operations, technology, systems delivery, cybersecurity, engineering, and innovation expertise.

With international headquarters in McLean, Virginia, the firm employs more than 22,500 people globally and had revenue of $5.41 billion for the 12 months ended March 31, 2016. To learn more, visit www.boozallen.com/international (NYSE: BAH).

About Christopher Ling

An executive vice president at Booz Allen Hamilton, Christopher Ling leads the firm’s international organization providing a range of services to the public and commercial/private sectors of several countries (services include: strategy and policy, digital, strategic innovation and software development, technology and analytics, operations, human capital and learning, and engineering services).

Prior to leading the international organization, Mr. Ling led the cyber organization across the full spectrum of capabilities, including computer network exploitation, computer network attack, and computer network defense. He has developed new and innovative cyber capabilities that apply lessons learned from the national intelligence community to commercial organizations, focusing on cyber maturity models, predictive intelligence, and network emulations.

Mr. Ling specializes in developing high-level strategies to innovate and improve intelligence support to operations, focusing on quantifying investments to create new value and improve capabilities. He has 25 years of experience managing intelligence and information technology system concept definition, trade analyses, requirements, modeling, and simulations at both the programmatic and the detailed technical levels.
