It is Isaca’s view that businesses of all shapes and sizes should regularly and consistently perform threat and vulnerability analyses of their critical business processes, core and sensitive data assets, and associated information infrastructure to help them evaluate and manage risks associated with them.
Destructive attacks tend to be more obvious and serve to promote a position of the attacking party rather than attempt to gain access to or exploit data.
This does not make them any less dangerous – and given recent events, their likelihood of occurrence should be considered fairly reasonable.
To counteract these attacks, organisations should have consistent, mature and regularly exercised security monitoring capabilities and incident response plans that use the input from the threat and vulnerability analysis to identify attack behaviour as early as possible, and then effectively respond to them if they are successful.
Early warning and effective preparation can help to minimise the impact of attacks.
From a business continuity perspective, organisations should also consider options of replicating key data assets and capabilities on systems that are not mirrors of each other and, in fact, operate on completely different operating systems, applications, networks, and storage solutions.
This will reduce the ability for the attack to affect all of an organisation’s data and computing assets with the same attack methods and capabilities.
John Pironti is a risk advisor at Isaca and president of IP Architects
Security Think Tank: Mitigation strategies for data-wiping malware
While data-wiping malicious software – malware – is not new, the FBI was moved in December 2014 to issue a flash alert to US businesses, writes Peter Wenham. This alert highlighted the new malware that not only deletes files on an infected PC, but also overwrites the MBR sector of the PC’s hard drive, making it impossible for the PC to boot. Recovery is time-consuming and costly, either requiring the disinfection of the MBR followed by a re-imaging of the drive; or installing a new hard drive and re-imaging. For the smaller company the likely case would be re-building a PC’s hard drive from scratch. Note that, in all cases, any data on a PC’s hard drive at the time of infection would be lost.
Mitigation strategies are twofold – prevention, and recovery should the worst happen. The recovery strategy is the easier, requiring that all PCs are regularly backed up (monthly, with weekly deltas being recommended, and daily deltas if you have the resources); and that all company data is backed up (weekly, with daily deltas) – preferably with a copy held on an off-line resource (old-fashioned tape drives come to mind, or DVDs/Blu-rays for the smaller business).
The key is being able to recover company data that is no older than one or two days from a clean resource.
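The recovery requirement above can be checked mechanically against a backup catalogue. The following is an added example, not part of the original article: the field names, the `audit_backups` function and the sample catalogue are hypothetical, and the policy values assume the company-data schedule described above (weekly full, daily deltas, data no older than two days).

```python
from datetime import datetime, timedelta

# Assumed policy values, taken from the article's company-data schedule:
# weekly full, daily deltas, recoverable data no older than two days.
POLICY = {"full_every": timedelta(days=7), "max_data_age": timedelta(days=2)}

def audit_backups(catalogue, now, policy=POLICY):
    """Return a list of findings for one backup set; empty list means compliant.

    catalogue: iterable of dicts with 'kind' ('full' or 'delta'),
    'taken' (datetime) and 'offline' (bool). Field names are hypothetical.
    """
    fulls = [b for b in catalogue if b["kind"] == "full" and b["taken"] <= now]
    if not fulls:
        return ["no full backup: nothing to restore from"]
    findings = []
    last_full = max(fulls, key=lambda b: b["taken"])
    if now - last_full["taken"] > policy["full_every"]:
        findings.append("latest full backup is older than the full-backup interval")
    # Deltas are only usable on top of the full backup they follow.
    chain = [last_full] + [b for b in catalogue if b["kind"] == "delta"
                           and last_full["taken"] < b["taken"] <= now]
    newest = max(chain, key=lambda b: b["taken"])
    if now - newest["taken"] > policy["max_data_age"]:
        findings.append("newest restorable data is older than the allowed age")
    # Online copies can be wiped along with the PCs; the full needs an offline copy.
    if not last_full["offline"]:
        findings.append("latest full backup has no offline copy")
    return findings

# Constructed sample catalogue (not real data): deltas stopped on 12 January.
NOW = datetime(2015, 1, 15, 9, 0)
SAMPLE = [
    {"kind": "full",  "taken": datetime(2015, 1, 11, 1, 0),  "offline": False},
    {"kind": "delta", "taken": datetime(2015, 1, 12, 1, 0),  "offline": False},
    {"kind": "delta", "taken": datetime(2015, 1, 12, 23, 0), "offline": False},
]

if __name__ == "__main__":
    for finding in audit_backups(SAMPLE, NOW) or ["compliant"]:
        print(finding)
```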
The prevention strategy is a bit more complex. Training staff is an obvious first step – and do not forget management and directors – plus regularly reminding people not to open files from unknown sources or files received unexpectedly. A more difficult concept is to get people to the point where they look and think about a website address: Does it look right? Why might I want to go to that site? And so on.
A second part of the strategy is not giving people local administrator access to their PC. Make sure staff access profiles on the company network are set for minimum privilege – the cleaner does not need Power User – and that the files that can be accessed are appropriate for a person’s function. Nobody – and that includes senior managers and directors – should be given access to all company files except backup mechanisms and system administrators. System administrators should have two network IDs, a standard user account for day-to-day use and a system administrator account for system maintenance.
Finally, there are the technical aspects of the prevention strategy. Operating systems and application software should be up-to-date and maintained, as should antivirus software and backup mechanisms for servers and PCs. Maintained infrastructure includes firewalls and antispam and antivirus mechanisms on the company’s email – there are a number of companies offering these services, either for in-house use or via the internet. Logging should be in place and preferably to a dedicated server that requires a unique “auditor” account to access.
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.