
Friday, 19 October 2018 16:25

DRJ Fall 2018 Q&A

Written by STAFF REPORTS


1. Can you provide real world examples of ransomware policies? What recommendations can you offer companies to develop an effective policy?

[ZEESHAN KAZMI] Have a very solid backup policy and make it part of your BC requirements, right after life safety and communications. I do not recommend paying ransom; being affected by ransom is a symptom of poor EPP (end point protection) and data protection.

[Mark Eggleston] I do not recommend a specific policy for this scenario. I do recommend following containment steps prescribed in a more generic malware response or CSIRT policy. Effective policy statements should include an executive decision on whether ransom should be paid or not, the latter being the recommended answer, highly contingent upon your organization's trust in backup integrity and availability. As with many such responses, prevention should be in place, to include (a) limiting RBAC (role-based access control) so only those who must have access to file shares have it, to limit the spread of ransomware. DOJ offers some policy statements here: https://www.justice.gov/criminal-ccips/file/872771/download or, if you must have such a specific policy, a simple one exists here: https://www.pcc.edu/about/policy/information-technology/it-01180.html

2. How important is holding cybersecurity exercises, and what method should be used to engage senior management if they have never been held before?

[ZEESHAN KAZMI] As important as a BC tabletop; it should be a scenario within the BCP. Engage execs by having a one-page state of global risk or BC report-out, and look for sponsorship to present a 30-minute session with 30-minute Q&A to get them to ask questions, which ends up being an alignment session between executives and with BC teams.

[Mark Eggleston] Cyber table tops are paramount and we have made them a mainstay in our table tops for the last several years. We embrace putting our CCT (Command Center Team) in their own room and the discussion on whether to pay or not pay a ransom is always an interesting discussion.

3. What is industry best practice for mitigating insider threat?

[ZEESHAN KAZMI] Some suggestions are to start working on data classification and handling, lead it into implementation of DLP (data loss protection) and PAM (privileged account management). The outcomes from all systems logs, including DLP and PAM should go to UEBA (user entity behavior analysis) behavior analytics, which can tell you insider risks. Set hard policies on handling sensitive data, do not leave it to chance on helpdesk and normal operational security assignment processes or external vendor SSAE16.

[Mark Eggleston] I agree on DLP and PAM as integral insider threat detection and recovery tools to employ. I’ve seen two approaches, whereby this initiative is owned by HR with heavy consultation with legal, or using existing tools and techniques for threat hunting. For example, we use our UEBA products with some limited success to find suspicious activity. We’ve had more success using our data-at-rest DLP to find password credential files and other sensitive documents on open shares – the last place they should be found! Encourage your teams to use existing tools and work harder with your support vendors to find “good dirt” – artifacts of policy violations as described.
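As an added illustration of the data-at-rest check described in this answer (example code, not from DRJ or either speaker): a small scanner that walks a file share and flags files whose name or contents look like stored credentials. The file-name patterns, content patterns and the sample share it builds are constructed assumptions, not any product's rules.

```python
"""Added example: flag credential-looking files on a share (constructed patterns)."""
import os
import re
import tempfile
from dataclasses import dataclass

# File names that commonly hold credentials (assumption: an illustrative list).
NAME_PATTERNS = [re.compile(p, re.I) for p in (
    r"passw(or)?ds?\b", r"credentials?\b", r"\.pem$", r"id_rsa$", r"\.env$")]

# Content patterns: key=value secrets, private key headers, URLs with embedded logins.
CONTENT_PATTERNS = {
    "password_assignment": re.compile(r"(?i)(password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "url_with_credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}
MAX_BYTES = 1_000_000  # only sniff the first MB of each file


@dataclass
class Finding:
    path: str       # path relative to the share root
    reasons: list   # which patterns fired


def scan_file(path):
    """Return the list of reasons a single file looks like a credential store."""
    reasons = []
    if any(p.search(os.path.basename(path)) for p in NAME_PATTERNS):
        reasons.append("suspicious_filename")
    try:
        with open(path, "rb") as f:
            head = f.read(MAX_BYTES).decode("utf-8", errors="ignore")
    except OSError:
        return reasons  # unreadable; the filename alone may still be a finding
    for label, pat in CONTENT_PATTERNS.items():
        if pat.search(head):
            reasons.append(label)
    return reasons


def scan_share(root):
    """Walk the share and return findings sorted by relative path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            reasons = scan_file(path)
            if reasons:
                findings.append(Finding(os.path.relpath(path, root), reasons))
    return sorted(findings, key=lambda f: f.path)


def build_sample_share():
    """Constructed sample share: two credential-looking files and one clean file."""
    root = tempfile.mkdtemp(prefix="share_")
    samples = {
        "finance/Passwords.xlsx.txt": "svc_backup,Passw0rd!\n",   # name only
        "ops/deploy.sh": "curl https://deploy:S3cret@repo.example/app\nDB_PASSWORD=hunter2\n",
        "notes/meeting.txt": "Agenda: DR test schedule review\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for finding in scan_share(build_sample_share()):
        print(finding.path, "->", ", ".join(finding.reasons))
```

Point `scan_share` at a mounted share root to run it against real data; the content sniff is deliberately limited to the first megabyte per file.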

4. BC pros are often not trained cyber experts but are seen as overall “resilience” planners. Who should be responsible for a comprehensive cyber resilience plan?

[ZEESHAN KAZMI] BC should lead ORM (operational risk management) or ERM (enterprise risk management) in succession if possible, as leaders. Demand the cyber plan from the CISO and team to integrate into BC. The CISO will need to demand it from the Infrastructure and Applications teams. All of this requires tone and direct messaging from the C-level on down to work.

[Mark Eggleston] BC should embrace their expertise, experience and specialization in building cyber resilience plans. Having them take the lead to develop these plans makes perfect sense. However, effective BC pros take a consultative approach and leverage best practices to build and test plans to ensure resilience and recovery. As such, the cyber security folks will be the SME (subject matter experts) on containment, forensics and mitigation techniques. BC will provide expertise around plan format, risk acceptance and formalizing roles and responsibilities.

5. Can you elaborate more regarding external vendor due diligence for cyber testing?

[ZEESHAN KAZMI] Google has a vendor vetting checklist that will illuminate the considerations. You can treat it like insurance and legal, demand SSAE16. But if insurance is not the goal and some guarantees are required then spend the money, talent, and have internal resources to protect highly valuable assets. Not everything can be recovered through legal/insurance.

[Mark Eggleston] I’ve found that testing results are more important than the actual plans, as it helps us gain assurances in an external vendor’s commitment (e.g. “do as you say” comes to mind here). Depending upon your organization’s reliance upon the external vendor, full testing of that dependency should be completed once the recovery and resiliency plans are complete.

6. Does AWS provide sufficient vulnerability assessment, or is a CASB still needed?

[ZEESHAN KAZMI] You need a CASB (cloud access security broker) no matter what to see people's use of various systems and movement of data. AWS security is as good as the person who is managing cyber, infra, ops, and apps. Usually these are different roles and lack of coordination exists for the risks introduced by running processes into someone else's infrastructure and over internet connected systems.

[Mark Eggleston] Leading CASBs actually have full integration into IaaS (Infrastructure as a Service) like AWS; for example see: https://www.netskope.com/platform/netskope-for-aws That being said, your dependence and risk assessment results should ultimately guide your organization's decision to procure additional technology here.

7. Any security concern replicating data for DR from one cloud provider region to another using the cloud provider’s network backbone?

[ZEESHAN KAZMI] Ensure it is encrypted at the level that is acceptable and with chain of custody that is required for your business assurance. Provider backbone may cost.

[Mark Eggleston] Agree with ZEESHAN KAZMI. Wouldn’t hurt to have legal review the contracts to ensure your two disparate cloud providers will play nice if needed.

8. Was this session about risk management and resiliency or cyber security?

[ZEESHAN KAZMI] The intersection of risk management, resiliency, and cyber security.

[Mark Eggleston] All three! The attention, funding and resources given to cyber present unique opportunities for BC to take the lead given their expertise. We encourage BC to be less modest here on their expertise, as cyber talent is hard to find and my fear is many CISOs may be overlooking the value BC professionals can add to their program.

9. What is industry best practice to mitigate insider threats?

[ZEESHAN KAZMI] See above

[Mark Eggleston] Here is a resource: https://www.forbes.com/sites/ericbasu/2013/08/07/fbi-5-best-practices-for-combatting-the-insider-threat-in-your-business/#4abe18aa49d5

10. It seems that a lot of the DRJ exhibitors are data recovery software. What should someone look for to vet these out?

[ZEESHAN KAZMI] Client references and appropriate chain of custody controls, Law Enforcement (e.g. FBI, CIA) connections.

[Mark Eggleston] Agree with Zee. Prior to going to market, I recommend putting your top 3 requirements to paper and including a paragraph on the “why”, and do not waver in ensuring your selected vendor meets all requirements. Speaking with research firms such as Gartner to proactively obtain vendors' strengths and weaknesses is also beneficial.

11. What are first steps an organization should take to connect BC and Cyber, especially in a global organization?

[ZEESHAN KAZMI] Common threat and risk terminology and a Risk Rubric for rating; then do a BCP tabletop with a cyber incident of high likelihood.

[Mark Eggleston] I’d recommend in this order: (a) secure executive support after showing the value of convergence from Ponemon study and Chris Duffy’s (PUT LINK HERE) and my presentation on Sunday, (b) ensure the senior management of both programs have met to establish ground rules and expectations and key areas of ROI/opportunity and (c) have full teams whiteboard these opportunities and establish the metrics so you can circle back with executive teams to show the success of your initiative!

12. Thoughts on working with a company’s mfg. or service vendors to ensure proper cyber security processes are in place to protect continuity of supply (e.g. Maersk)?

[ZEESHAN KAZMI] See the external vendor due diligence above. Maersk seems to have had slower governance decision making, hygiene issues on end point protection, and backup gaps (AD controllers unrecoverable). Look for complacency, ask for DR test results.

[Mark Eggleston] I’d recommend obtaining their security scorecard to begin with, in lieu of or in tandem with your own assessment of that vendor. A sampling of such vendors includes BitSight, SecurityScorecard or FICO.

13. IT and the business units often have different data classifications. How do you get them to synergize when neither is willing to adapt to the other's?

[ZEESHAN KAZMI] It needs to be driven through the BCP office or ERM via Legal. Top executive sponsorship is required; bottom-up is not successful when there are irreconcilable differences.

[Mark Eggleston] This would be a red flag for me, and this needs to be an enterprise policy set at the top. The Data Classification policy should define data classifications (suggest no more than 3-4) and the required controls around them. Data Owners are responsible to declare this classification, and security should be responsible to house the master classifications of all data sources/applications across the enterprise. Agreed-upon data classification is foundational to an effective data governance program.

14. What is the average life expectancy of firewall hardware before their effectiveness is found?

[ZEESHAN KAZMI] For EOL (End of Life), 5 years or when CPU/interfaces are flooded. For security, have a proof of concept for 3 months and perform a destructive pen test on it.

[Mark Eggleston] Agree that most hardware appliances have a 5-year lifecycle, and it can be as short as three years. For those with legacy FWs contemplating replacement, a NGFW (next generation firewall) is recommended to get advanced, integrated security controls.

15. What are some key metrics that help you manage some of the key threats that you mentioned earlier?

[ZEESHAN KAZMI] # of data breaches with material loss cost; productivity hours lost in total due to incidents; patch % per platform dimension (server, workstations, network); backup % on-site and backup % off-site replica.

[Mark Eggleston] Mean time to recover; phishing susceptibility (# of users who clicked on the phishing campaign, # of users reporting phishing). Most secure email gateways also provide good metrics to get a good view on what is hitting your email domain.

16. There are a lot of folks that do not want to share their personal cell and/or email. How do you mitigate this?

[ZEESHAN KAZMI] Should be voluntary for life safety notifications; has to be led by HR and the Dean (for educational institutions) as an employee outreach and safety benefit. It's messaging.

[Mark Eggleston] We do not display personal mobile in our directory (although it is there and hidden). These numbers are needed in our environment for both crisis communication and multi-factor authentication (MFA). We have HR manage the opt-out process, as we want to encourage maximum use of these numbers. To date opt-outs have only been one person who later decided to get back in.

BCI EMERGENCY COMMUNICATIONS STUDY - https://www.thebci.org/resource/emergency-communications-report-2017.html

17. What alternate business processes do you recommend be implemented during a cyber breach to maintain data integrity?

[ZEESHAN KAZMI] Ideally use classification and encryption ahead of time with secure areas; if a breach has happened already, then use off-channel secure messaging (Wickr) and computers not on the breached corporate network environment, with out-of-band systems specifically stood up for the incident (secure eroom, incident war room). Using any prior solutions can lead to disclosure by someone still using the solution from a breached computer.

[Mark Eggleston] I’d recommend (a) use paper if at all possible, (b) use downtime procedures in plan, (c) leverage power of your third parties if at all possible – what can they do for you? Reciprocal agreements in place?

18. What kind of advice do you have on disclosure after a cyber breach?

[ZEESHAN KAZMI] Follow state and federal laws on disclosure, GDPR if applicable. Also have external counsel advise on details to disclose to federal/state and/or customers or insurance. For customers looking for details, have a prepared script and disclose over the phone. Ensure PR and corporate communications are involved at every step.

[Mark Eggleston] Pre-planning here is paramount, and scripts and processes should be escrowed in your planning software. We have captured CEO videos, press releases and website text of prior large breaches where the response has been applauded by legal and security experts – such as the Premera and Anthem hacks. Beyond learning from those already deemed to have great responses, get a firm on retainer to guide your response here – simply too much to lose otherwise. Encourage credit freezes over credit monitoring, but your cybersecurity policy should cover these expenses regardless. You do already have a cyber policy, right?

19. Can you speak more on attack vectors? Also, can you explain the factors associated to the CASB risk scores previously mentioned?

[ZEESHAN KAZMI] Anywhere there is a convergence of external to internal, an inflection point, the network and identity controls there will have the first attack vectors. Secondly, if you have checked the inflection points, then the applications you have allowed, those stacks may have vectors. Have these heavily pen tested, weekly patched, IDAM integrated, 2FA, and logged.

[Mark Eggleston] Attackers take the path of least resistance and those tactics which cost them the least amount of time and money. Email is that path because it is a largely trusted platform and social engineering works.

Security scorecard vendors such as BitSight, SecurityScorecard and FICO offer proprietary solutions which score all vendors/companies based upon publicly available information and existing protocols used. At least one leading CASB vendor leverages these scores to rate the risk of where your users are sending data, giving you excellent situational awareness on the risk of who receives your data. Cool, eh?

20. Do vendors share their plans or consider it confidential?

[ZEESHAN KAZMI] Mostly confidential, but you can ask for SSAE16 and DR test output results.

[Mark Eggleston] I’d say this is largely variable, but the stronger your partnership is, the more likely the vendor may securely disclose their full plan. I’ve seen full plans in about 30% of the time. Your MSA (Master Services Agreement) should include mutual confidentiality or NDA terms which would allow this. Other summary reports from third party assessors are equally as valuable.

21. How do you tie together the Security people and the BC people?

[ZEESHAN KAZMI] See above on first steps. An ERM program is helpful after the first steps.

[Mark Eggleston] See the aforementioned three-step process. Your initial meetings should be spent strengthening rapport, so focus on the ROI of the synergy – reduced breach costs, assistance to an overloaded security team, focus on resiliency and, of course, the incredible organizational awareness that BC brings to the table, beyond IT awareness.

22. Should BC and CSIRT jointly speak to the executives and Board?

[ZEESHAN KAZMI] BC should lead and ensure business terms and impact are clear, taxonomy is not confusing, and risks are prioritized between cyber and non-cyber with a common rubric.

[Mark Eggleston] For this specific use case, only if asked. Typically boards do not want the specifics of CSIRTs, but assurances of the outcomes, which is better left to the c-suite IMHO.

23. Do you have cyber liability insurance as part of your risk management portfolio? Have you used it?

[ZEESHAN KAZMI] Yes; not used due to high deductible and generally good internal security hygiene.

[Mark Eggleston] Absolutely. It should be reviewed annually, as this is an evolving practice and reliable numbers on incidents and costs are still very much maturing. Have not used it, and my hope is that we never will. However, the chance of occurrence in my industry (healthcare) seems to indicate we will use it at some point.

24. How do you get C-Suite buy in on cyber security training?

[ZEESHAN KAZMI] Show the risk in business terms for cyber, make a clear case for BC and Cyber integration, and have a qualified partner perform a maturity assessment.

[Mark Eggleston] There are two methods to employ here – quantitative and qualitative. For quantitative, the strongest and clearest indicator is the % of your users susceptible to phishing. Many firms will work to phish your workforce for free (and there are free tools available to do this yourself if you choose to). In my industry (healthcare), 20-30% is the expected rate. Assuming this is your first time and your workforce education is limited, you should expect your company to come in higher. All executives should aim to have this % in the single digits, which targeted anti-phishing campaigns and education done right will deliver. The other method, qualitative, is based upon your desire to improve “the human firewall” – your employees' security IQ to know how to not just spot a phish, but embody a culture of confidentiality. Your executives should want to ensure your entire workforce values customer privacy – and use it as a market differentiator.

25. How does the BCP professional in their organization get an invite to the IT cyber security tabletop sessions?

[ZEESHAN KAZMI] BC should be part of a risk management/legal risk or CRO (Chief Risk Officer) mandate to ensure Cyber is integrated into BC/CM, not the other way around.

[Mark Eggleston] Invite? They should LEAD it! BC has deep expertise here. IT has technical response around blocking and tackling. If this isn’t abundantly clear, encourage decision makers that BC will ensure a rewarding scenario is not only executed, but resiliency plans are improved as a result.

26. Can the BCM team take the role as a strategic driver for development and implementation of an organization’s cybersecurity roadmap?

[ZEESHAN KAZMI] Yes, that's most effective.

[Mark Eggleston] Absolutely, BC has this competency ‘down pat’. Bring it!

27. How do you start a Risk Committee?

[ZEESHAN KAZMI] Get sponsorship from the CRO or risk function and produce a report of the current state of risk, then have a pilot meeting and share joint interest statements, then ask to be sponsored for establishing an ORM/ERM committee. You will need executive sponsorship and support for this.

[Mark Eggleston] I’d recommend first identifying the executive stakeholder here – could be ERM, ORM, BC or exist elsewhere – and soliciting that person’s thoughts to ensure support and no redundancy. Also, don’t be afraid to start smaller and demonstrate your success. For example, we had an “IT Security Committee” and “ERM Committee” to focus on select enterprise risk in groups. I also chaired a “Privacy and Security Council” and “BCP Steering Committee”. All of these committees are cross-functional and comprised of various stakeholders coming together for a specific categorization of risk. Once an approach which is effective and efficient has demonstrated risk reduction, you can parlay that committee (or chairperson) onto bigger and better things.

28. Do vendors allow another company to conduct a vulnerability assessment or perform penetration testing?

[ZEESHAN KAZMI] Yes, mostly only from an external public source, but you must notify.

[Mark Eggleston] Agree with Zee. Informed consent and sign-off must be obtained. The only difference between an ethical hacker and a cybercriminal is permission. The key here is to get this right into the MSA (Master Services Agreement) so that you reserve the right to conduct routine vulnerability assessments and penetration testing with appropriate notice. If vendors do not agree, you can still leverage this into a persuasive argument for getting full copies of their most recent vulnerability test results.

29. If a company cannot provide a copy of the DR plan or results but will show them and have a discussion does that affect their assessment /score?

[ZEESHAN KAZMI] Not necessarily; it depends whether it is required by you for the type and criticality of business process or data with them. Also, a low score doesn't mean no business, just caution internally on exposure.

[Mark Eggleston] You will need to set what constitutes or provides ‘assurances’ for your organization. I have accepted a webinar to review testing results, or even a third party providing an overall rating. Having the actual document is always preferred, but it is very understandable why some companies do not want their vulnerabilities disclosed.

30. Do you recommend BC and Cyber partner together?

[ZEESHAN KAZMI] Yes, see above.

[Mark Eggleston] Absolutely.

31. Are suppliers actually giving you a full copy of their BCP or DRP? Or are you asking for a summary of their plans?

[ZEESHAN KAZMI] Summaries and results outcomes suffice. Again, based on criticality of data and/or business process, you may decide on no external vendor processing.

[Mark Eggleston] Agree with Zee. I’ve gotten anywhere from full copies with home phone numbers – copies with redacted information – excerpts – summary statements. Ultimately, your organization must declare what constitutes assurances here.

32. Some companies are nervous to do cyber security table tops. They don’t want to send the wrong message to their business and partners.

[ZEESHAN KAZMI] It must be done; a breach is a well-known "when, not if" scenario. The message to business and partners is that it is equivalent to natural disasters and must be prepared for.

[Mark Eggleston] Say what? Security by obscurity is never a good choice. Any company who stress tests likely scenarios gets a “+1” in my book. Perhaps your vendor has something to hide?

Useful Link:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies