It is easy to second-guess organizations after an attack, and harder to work with them beforehand on cybersecurity or information security initiatives. Still, asking what went wrong has value: it helps security professionals learn what could have been done to defend the organization against the cyberattack. The following is a brief look at the attacks on Sony, Morgan Stanley and Anthem, a sample spanning the entertainment, financial and health insurance industries:
- Sony Pictures Entertainment (SPE) was the victim of a breach that exfiltrated more than 100 terabytes of data, including roughly 47,000 records containing personal information, after which large volumes of data were erased. Servers, networks and other infrastructure were rendered nonoperational.
- Morgan Stanley was the victim of an insider: a financial adviser stole data on 350,000 clients using a reporting tool that gave him access to far more client data than his role required.
- Anthem suffered the disclosure of 80 million unencrypted customer and employee records, accessed using stolen administrator credentials.
I would suggest that specific COBIT® 5 processes and practices can be effective in halting or minimizing these types of attacks.
Evidently, the processes in place to identify, assess and reduce IT-related risk (APO12 Manage risk) were weak. In practice, there should have been continuous collection of data for risk identification and threat analysis (APO12.01 Collect data). Organizations ought to collect data to understand evolving threats, including advanced persistent threats.
Organizations should conduct security assessments, vulnerability assessments and technical audits of their IT environment on a regular schedule and communicate the findings to decision makers (APO12.04 Articulate risk). Reports from these assessments should be taken seriously and acted on (APO12.06 Respond to risk). Key sources of threat intelligence and analysis, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), may not have been leveraged in the cases noted.
Security processes such as a formal information security management system (ISMS) should be established with clear scope, policies, organization, dedicated assets and technology (APO13.01 Establish and Maintain an ISMS). The organizations’ ISMSs may not have been fully developed.
A formal information security risk treatment plan should be defined, with a clear mapping of controls or security solutions against security-related risk (APO13.02 Define and manage an information security risk treatment plan). Storing personal information unencrypted, as in the Anthem case, is inconsistent with APO13.02.
Security services should be clearly aligned to risk (DSS05 Manage security services). Of the seven management practices in this COBIT 5 process, the victim organizations appear to have been lacking in the following areas:
- Malware defenses and network security controls as offered in next-generation firewalls. Further, intrusion detection systems may have been missing or dysfunctional (DSS05.01 Protect against malware, DSS05.02 Manage network security).
- Privileged access controls for systems administrators were weak and easily compromised by malicious actors, and access controls around sensitive information were too permissive, allowing one user to retrieve far more records than the role required (DSS05.04 Manage user identity and logical access).
- Monitoring security events around the IT infrastructure was probably a major weak link (DSS05.07 Monitor the infrastructure for security-related events). This would include severity ratings and relevant indicators of compromise.
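To make the last two points concrete, the following is an added illustration, not code from the ISACA article or from COBIT, of what event monitoring with severity ratings and indicator-of-compromise matching looks like in practice. It runs three simple checks over a constructed log: a per-user bulk-export threshold for a client reporting tool (the insider pattern described for Morgan Stanley), administrator logins from outside an allowlisted network or outside business hours (the stolen-credential pattern described for Anthem), and matches against a list of known-bad IP addresses and file hashes. All event fields, thresholds, account names, network ranges and indicator values are hypothetical and chosen for this example only.

```python
"""Severity-rated security event monitoring (added example, not from the article).

Every event, threshold, account name, network range and IoC below is constructed
for illustration. Real deployments would read events from a SIEM or log pipeline.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed indicators of compromise (hypothetical values; TEST-NET addresses).
IOCS = {
    "ip": {"203.0.113.45"},
    "sha256": {"3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"},
}

# Constructed policy: who is privileged, where they may log in from, and when.
ADMIN_ACCOUNTS = {"svc_dbadmin", "it_admin1"}
ADMIN_SOURCE_ALLOWLIST = ["10.0.50.0/24"]
BUSINESS_HOURS = range(8, 19)            # 08:00 to 18:59 local time
BULK_EXPORT_THRESHOLD = 10_000           # client records per user per day

# Constructed sample log: one dict per normalized event.
EVENTS = [
    {"ts": "2015-01-12T09:14:02", "type": "report_export", "user": "fa_jsmith", "records": 6500},
    {"ts": "2015-01-12T09:40:11", "type": "report_export", "user": "fa_jsmith", "records": 7200},
    {"ts": "2015-01-12T10:02:45", "type": "report_export", "user": "fa_kbrown", "records": 40},
    {"ts": "2015-01-12T02:17:30", "type": "admin_login", "user": "svc_dbadmin", "src_ip": "198.51.100.7"},
    {"ts": "2015-01-12T11:05:00", "type": "admin_login", "user": "it_admin1", "src_ip": "10.0.50.12"},
    {"ts": "2015-01-12T02:19:04", "type": "net_conn", "host": "db01", "dst_ip": "203.0.113.45"},
    {"ts": "2015-01-12T12:30:00", "type": "file_hash", "host": "ws17",
     "sha256": "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"},
]


def check_bulk_export(events, threshold=BULK_EXPORT_THRESHOLD):
    """Flag any user whose exported record count for one day exceeds the threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] == "report_export":
            totals[(e["user"], e["ts"][:10])] += e["records"]   # ts[:10] is the date
    return [
        {"severity": "high", "rule": "bulk_export", "subject": user,
         "detail": f"{total} records exported on {day} (threshold {threshold})"}
        for (user, day), total in totals.items() if total > threshold
    ]


def check_admin_logins(events, allowlist=ADMIN_SOURCE_ALLOWLIST):
    """Flag privileged logins from unexpected networks or outside business hours.

    One anomaly rates high; both together rate critical, since a stolen
    credential is typically used from an unfamiliar place at an odd hour.
    """
    networks = [ipaddress.ip_network(n) for n in allowlist]
    alerts = []
    for e in events:
        if e["type"] != "admin_login" or e["user"] not in ADMIN_ACCOUNTS:
            continue
        src = ipaddress.ip_address(e["src_ip"])
        reasons = []
        if not any(src in net for net in networks):
            reasons.append("source outside admin allowlist")
        if datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            alerts.append({"severity": "critical" if len(reasons) > 1 else "high",
                           "rule": "admin_login_anomaly", "subject": e["user"],
                           "detail": f"{e['src_ip']} at {e['ts']}: " + "; ".join(reasons)})
    return alerts


def check_iocs(events, iocs=IOCS):
    """Match network destinations and file hashes against the IoC lists."""
    alerts = []
    for e in events:
        if e["type"] == "net_conn" and e["dst_ip"] in iocs["ip"]:
            alerts.append({"severity": "critical", "rule": "ioc_ip", "subject": e["host"],
                           "detail": f"connection to known-bad {e['dst_ip']}"})
        elif e["type"] == "file_hash" and e["sha256"] in iocs["sha256"]:
            alerts.append({"severity": "critical", "rule": "ioc_hash", "subject": e["host"],
                           "detail": f"known-bad file hash {e['sha256'][:12]}..."})
    return alerts


def evaluate(events, iocs=IOCS):
    """Run all checks and return alerts ordered by severity, most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    alerts = check_bulk_export(events) + check_admin_logins(events) + check_iocs(events, iocs)
    return sorted(alerts, key=lambda a: rank[a["severity"]])


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"[{a['severity'].upper():8}] {a['rule']:20} {a['subject']:12} {a['detail']}")
```

On the constructed log this yields four alerts: three critical (the off-hours administrator login from a non-allowlisted address, the connection to the listed IP, and the listed file hash) and one high (fa_jsmith exporting 13,700 client records in a day). The point is not the specific rules but that each alert carries a severity and a reason a responder can act on, which is what DSS05.07 asks for and what appears to have been missing in the cases above.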
Read Fredric Greene’s recent Journal article:
“Selected COBIT 5 Processes for Essential Enterprise Security,” ISACA Journal, volume 2, 2015.