Mean Times 

 

As I have said in several recent articles,[1] cyberattacks have become a reality with which global businesses must deal. In the recent past, banks across the US have suffered denial-of-service attacks, for which a hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters claimed credit.[2] In other countries, RasGas, a leading producer of liquefied natural gas, was hit with a virus[3] and Aramco, in Saudi Arabia, had 30,000 computers wiped clean by the Shamoon virus, which replaced data with images of a burning American flag.[4] US Secretary of Defense Leon Panetta has warned that his country—and, by extension, the rest of the world—is facing the possibility of a “cyber-Pearl Harbor” and is increasingly vulnerable to foreign computer hackers who could dismantle the US’s power grid, transportation system, financial networks and government.[5]

In fact, emerging cyberattacks against the US’s critical infrastructures are rapidly outstripping the ability of security and risk management professionals to maintain high availability and uptime assurances. Where in the past increased threats have prompted security and risk managers to heighten the intensity of backup and replication arrangements and move to near-instantaneous recovery capability, a traditional recovery approach ironically may be exactly the wrong solution for an advanced cyberattack—and might dramatically lengthen eventual recovery time for the IT infrastructure—perhaps far beyond typical recovery scenarios. Although national infrastructures are the current targets of advanced cyberattacks, these issues readily apply to general, nondefense enterprises as well, as attacks grow more sophisticated, stealthy and more broadly focused on economic espionage threats.

Failure, Not Disaster

Many organizations focus their security systems to detect and prevent malicious penetration of their information technologies. They have also built robust disaster recovery capabilities in case their data centers are destroyed. In many organizations, the information security and disaster recovery functions occupy separate silos. Cyberattacks (and the even more frightening possibility of all-out cyberwar) expose organizations to the possibility of major systems disruptions and loss of data; functional separation between information security and disaster recovery could multiply the exposure. Most organizations are completely unprepared for this, even after spending significantly on disaster recovery preparedness.

It is a truism that all engineered products will fail if given enough time. That is often expressed as the mean time to failure (MTTF), which every engineer hopes will be very long, just as every engineer hopes that the mean time to repair (MTTR) will be very short, if and when failure does occur. Simply put, software fails—purchased and in-house developed software, software as a service (SaaS) and other cloud implementations. Hardware fails, which is why preventive maintenance is so important. Information security systems are also engineered products and they too will fail over time, especially given the stress of dedicated, malicious attacks that are motivated more by a desire to harm the systems’ owners than to disclose private information or commit fraud. If that were not worrisome enough, there is evidence that cybermalware has been embedded within chips at time of manufacturing—with an attack essentially built-in before the hardware is even delivered.

Traditional Disaster Recovery Plans and Cyberattacks

Without understating the need to prevent successful attacks, consideration must be given to the possibility that the attackers may be shrewder or more patient than the defenders and that sooner or later the walls surrounding information systems will prove too low or too flimsy to prevent damage—perhaps catastrophic damage. It is at this point that disaster recovery plans—traditionally based on the transfer of data, hardware, software and networks to a backup location—prove insufficient. If a primary location has been brought down, there is no benefit to bringing up the failed systems elsewhere; the attacker will just strike again. (In fact, the infection or flaw may already be buried deep within software and data. So-called recovery at a backup site will only bring the problem along with it.)

Traditional disaster recovery planning is not applicable because recovery times following a cyberattack cannot always be controlled and recovery points are only as meaningful as the trust an organization can place in its backups. Applying the techniques of traditional disaster recovery to a security system failure is likely to be counterproductive. Instead, it is necessary to carry out several steps:

  1. Recognize that systems are under attack, assess the likely attack method, contain the damage and prevent its spread.
  2. Prevent recurrence of the attack by removing the malicious code, repairing other vulnerabilities illuminated by postattack analysis and improving security controls.
  3. Restore software and data on primary computers in their original data centers from a trusted image. Note that replicated data and backup tapes are not necessarily trusted, depending on the nature and timing of a cyberattack.
  4. While all of this is happening, manage the resulting crisis caused by an attack and minimize its impact on the business.
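
As an added illustration of step 3 (not part of the original column), the sketch below picks a restore point from a backup catalog. It assumes a digest was logged out-of-band when each image was written and that postattack analysis has produced an estimate of the earliest compromise time; the `Backup` type, the function name and the sample catalog are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Backup:
    name: str
    taken_at: datetime
    recorded_sha256: str  # digest logged out-of-band when the image was written
    data: bytes           # stands in for the image contents

def select_trusted_backup(catalog, earliest_compromise, margin=timedelta(days=1)):
    """Newest backup that predates the suspected compromise and is unaltered.

    Returns (chosen_or_None, {name: reason_rejected})."""
    cutoff = earliest_compromise - margin
    rejected = {}
    for b in sorted(catalog, key=lambda b: b.taken_at, reverse=True):
        if b.taken_at >= cutoff:
            # May already carry the attacker's code, however intact it looks.
            rejected[b.name] = "inside suspected compromise window"
        elif hashlib.sha256(b.data).hexdigest() != b.recorded_sha256:
            # Old enough, but changed since it was written.
            rejected[b.name] = "digest mismatch"
        else:
            return b, rejected
    return None, rejected

def _mk(name, when, data, tampered=False):
    digest = hashlib.sha256(data).hexdigest()
    return Backup(name, when, digest, data + b"!" if tampered else data)

# Constructed sample catalog and forensic estimate (not real data).
SAMPLE_CATALOG = [
    _mk("weekly-01", datetime(2013, 1, 6), b"image-1"),
    _mk("weekly-02", datetime(2013, 1, 13), b"image-2", tampered=True),
    _mk("weekly-03", datetime(2013, 1, 20), b"image-3"),
    _mk("weekly-04", datetime(2013, 1, 27), b"image-4"),
]
ESTIMATED_COMPROMISE = datetime(2013, 1, 18)

if __name__ == "__main__":
    chosen, rejected = select_trusted_backup(SAMPLE_CATALOG, ESTIMATED_COMPROMISE)
    print("restore from:", chosen.name if chosen else "no trusted image")
    for name, why in rejected.items():
        print("rejected", name, "-", why)
```

A matching digest shows only that an image is unchanged since it was written, not that it was clean at that time, which is why the time cut-off is applied first.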

Organization and Plans

Recovering from such an unfortunate event as a cyberattack requires both organizational and technical plans consistent with the most up-to-date guidance from international and local computer emergency response teams (CERTs). There needs to be an organizational structure to guide an organization through recovery and a plan for the steps to take.

In other disruptive events, a rather senior level of management must determine that a crisis exists and then deploy funds, personnel, material and skills to respond. In a cyberattack, those entrusted with dealing with the problem must have the authority to initiate emergency actions immediately, only then notifying senior management of what has occurred. Simply put, cyberattacks roll out with such blinding speed that waiting for approval from above may undermine the very response that is needed.

While the specific steps for recovering from a cyberattack are necessarily driven by the particular circumstances of an attack, it is patently foolish to wait until it occurs to plan for recovery. Fortunately, many organizations have already developed plan components that can be adapted for the circumstances of a cyberattack.

The unique element in cyberattack recovery is a recovery in place plan (RPP). As noted, existing disaster recovery plans are unlikely to be effective in the circumstances of a cyberattack. However, few, if any, organizations have plans for the recovery of all or a great percentage of their systems at the same time, under hostile circumstances. But almost all have processes, documented or not, for server configuration, storage allocation and network redirection, among others. These can be built upon to plan for rapid recovery from a cyberattack, beginning with a “bare metal” restore of the most critical systems and then rolling forward to trusted images of the data and software.

It is important to recognize that recovery from a cyberattack is the repair of a failed system, and to recognize the consequences of that failure, more than it is restoration following a disaster. The MTTR can be shortened only with a combination of skilled individuals merging the disciplines of IT systems architecture and support, information security, and disaster recovery.

Endnotes

1 Starting with “The Train of Danger,” ISACA Journal, vol. 5, 2011
2 Strohm, Chris; Eric Engelman; “Bank Cyber Attacks Enter Fifth Week as Hackers Adapt to Defenses,” Bloomberg, 18 October 2012, www.bloomberg.com/news/2012-10-18/bank-cyber-attacks-enter-fifth-week-as-hackers-adapt-to-defenses.html
3 Fineren, Daniel; “UPDATE 1—Qatar’s RasGas Hit by Computer Virus,” Reuters, 30 August 2012, http://in.reuters.com/article/2012/08/30/qatar-rasgas-idINL6E8JUD1K20120830
4 Perlroth, Nicole; “In Cyberattack on Saudi Firm, US Sees Iran Firing Back,” New York Times, 24 October 2012, www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?pagewanted=all
5 Bumiller, Elizabeth; Thom Shanker; “Panetta Warns of Dire Threat of Cyberattack on US,” New York Times, 11 October 2012, www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?pagewanted=all

Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersinc.com.



The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2013 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.