Saturday, May 20, 2017

Board of Directors: 4D Strategy Revisited...

The Board of Directors are convening this week and there is an item back on the agenda, we haven't seen for sometime:

Recovery Time Objective (RTO) Recovery Point Objective (RPO)

These Business Continuity (BC) and Disaster Recovery (DR) parameters are being addressed for good reason.  WannaCry and the impending Tsunami of cyber worms attacking our critical infrastructure across the globe.

Designing a resilient and fault-tolerant architecture for your Operational Risk Management (ORM) strategy shall focus on critical assets and the impact of unidentified single points of failure.  Implementing a highly available IT infrastructure and resilient applications to quickly respond to major incidents or a disaster scenario is vital in our 24x7x365 operations.

Beyond a revisit to the ability to recover from a sudden disaster, the Board of Directors may be asking Senior Management about the global standard for Information Security:  ISO 27001:
The ISO/IEC 27000 family of standards helps organizations keep information assets secure.

Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
 More importantly for organizations who may say to themselves, "well we are safe because we are in the cloud" is the standard ISO 27017:

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

- additional implementation guidance for relevant controls specified in ISO/IEC 27002;

- additional controls with implementation guidance that specifically relate to cloud services.


As an example, Amazon Web Services Cloud Compliance enables customers to leverage their utilization of ISO 27001 standards.  Yet there are shared responsibilities  that you must be aware of within the shared responsibility model when it comes to the relationship with your organization and AWS:

While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.


So what?

If you retain ownership and control over your content within a cloud implementation architecture, what about answers to these highly relevant questions:
  1. What does our organization need to comply with the laws pertaining to privacy and data protection?
  2. Who will have access to content?
  3. Where will storage of content be located physically /  geographically?
  4. How will the content be secured both physically and virtually?
So in this environment of shared responsibility let us ask a simple question.  Who is accountable for the configuration of the AWS provided security group firewall?  This is an area of your responsibility including all operating system, network and firewall configurations.

The Board of Directors needs to revisit Business Continuity Planning and Disaster Recovery with the CIO and all IT stakeholders at your organization, including ISP's and any third party infrastructure suppliers.

Why?

The "Business" is in many cases out of "Synch" with the Information Systems / Data Management / Privacy / Security side of the enterprise.  The WannaCry issues may not impact your organization directly because you have already patched or your systems and are beyond the vulnerabilities of this Operating System specific threat.

Where the business is heading in the next six to nine months with mergers, acquisitions and even consolidation, will impact your overall enterprise architecture. The business pace of change will most likely be months even years ahead, of where the IT infrastructure is today and it must become more resilient.

In order to understand that an attack is actually occurring, normal results have to be documented and a historical trend has to be established. What is normal? How do you know what normal looks and feels like? You document, store, record and analyze what normal is. If you have done this for long enough and across the potential targets the attacker is trying to exploit, then you will know the second an unauthorized result takes place.

The Take Away

Documenting the behavior of people, processes, systems and external events is a vital component of a complete strategy for risk mitigation. Understanding what normal "is", begins with effective documentation and analysis. Many organizations begin to document long after it is too late or as a result of a significant business disruption. Documentation remains to be a challenge for many, and a task that attackers know is likely to be left undone or behind schedule.

Conclusion

You must create the culture and the due diligence to see that your IT strategy becomes part of the fabric of the organization internally and with outsourced partners or suppliers. Only then will the attacker realize that this combination to deter, detect, defend and document is alive and growing in your enterprise. This is when attackers become discouraged, afraid, uncertain and ultimately ready for a new and less formidable adversary.

Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result, to obtain their objective.  These "4D" lessons should put you on the way to creating a more survivable business.