Are You Ready To Defend Your Club and Yourself? Cyber Threats to Clubs Are Real - Part Four

Controlling the technical risks
Before you undertake the task of addressing today’s advanced threats, make sure you first tackle the basics. Evaluate your baseline security system, including patching, access control, segregation of duties, inventory and asset control. In essence, don’t try to build the roof before you’ve laid the foundation. While some attackers do have the capability to deliver highly advanced attacks, all attackers will gladly take advantage of a five-year-old vulnerability or trivial configuration mistake that you somehow overlooked.

Once the basics are in place, you can begin to evaluate whether your environment is equipped to handle today’s threat environment. The primary concept to keep in mind is that at some point your defenses will fail. Your goal is to fail gracefully, which means that you should aim to identify the failure quickly, respond effectively and get back to normal working order as soon as possible.

While the historical focus for information security specialists has been on preventative controls (i.e. making sure the bad thing doesn’t happen), modern threats are specifically designed to bypass these defenses. Clubs should continue to heavily invest in traditional measures such as anti-virus and patching solutions, but they need to expand their capabilities within the detective (i.e. security monitoring) and corrective (i.e. incident response) areas.


For security monitoring, the concept is simple. Log everything, bring it together and have the capability to make sense of it. Verizon’s 2010 Data Breach Investigations Report showed that 87 percent of their customers had the evidence in their logs that they had been breached, but those customers simply did not have the technology or skill set to understand what they were seeing.

In order to avoid being part of this statistic, organizations should consider building out their capability to perform some level of automated log analysis. There are a variety of Security Information and Event Management (SIEM) solutions built specifically for this purpose. Commercial tools such as ArcSight, enVision, QRadar and many others are very popular, but can be expensive. Similar functionality can be deployed more economically using open source tools such as OSSIM and Security Onion, or free versions of commercial tools such as Splunk.

Be aware, however, that no matter which tool set you choose, the process will not be as simple as plug and play. Security monitoring tools are meant to help you detect deviations from the norm, which means the tool must first be taught what is normal for your network. This tuning process can take anywhere from a few weeks to a few months depending on the size and complexity of the environment.
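The tuning step described above, in miniature, as an added example that is not part of the original article or any of the tools it names: a short Python script parses constructed auth-log lines, learns what a "normal" number of failed logins per hour looks like for each host during a baseline period, and then flags hours in newer logs that deviate from that norm. The host names, user names, addresses and timestamps are placeholders made up for the example; a host that was never seen during tuning is reported separately rather than silently passed.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample auth-log lines (not from the original article). Hosts,
# user names and addresses are placeholders chosen for this example.
BASELINE_LOGS = """\
2014-10-06T08:12:01 gate-pc sshd: Failed password for clerk from 10.0.0.21
2014-10-06T08:40:13 gate-pc sshd: Failed password for clerk from 10.0.0.21
2014-10-06T08:41:02 gate-pc sshd: Accepted password for clerk from 10.0.0.21
2014-10-06T12:05:44 pos-1 sshd: Failed password for manager from 10.0.0.30
2014-10-06T14:20:09 gate-pc sshd: Failed password for clerk from 10.0.0.21
2014-10-07T08:03:17 gate-pc sshd: Failed password for clerk from 10.0.0.21
2014-10-07T08:05:51 gate-pc sshd: Failed password for clerk from 10.0.0.21
2014-10-07T08:06:33 gate-pc sshd: Failed password for clerk from 10.0.0.21
2014-10-07T12:11:28 pos-1 sshd: Failed password for manager from 10.0.0.30
2014-10-07T16:45:10 gate-pc sshd: Failed password for clerk from 10.0.0.21
2014-10-07T16:47:58 gate-pc sshd: Failed password for clerk from 10.0.0.21
2014-10-08T08:15:22 gate-pc sshd: Failed password for clerk from 10.0.0.21
2014-10-08T08:16:40 gate-pc sshd: Failed password for clerk from 10.0.0.21
"""

# Constructed lines from a later day: a burst of failures on gate-pc at 02:00,
# a single routine failure on pos-1, and a host ("lockers") never seen before.
NEW_LOGS = """\
2014-10-09T02:10:01 gate-pc sshd: Failed password for root from 203.0.113.7
2014-10-09T02:10:04 gate-pc sshd: Failed password for root from 203.0.113.7
2014-10-09T02:10:08 gate-pc sshd: Failed password for admin from 203.0.113.7
2014-10-09T02:10:11 gate-pc sshd: Failed password for admin from 203.0.113.7
2014-10-09T02:10:15 gate-pc sshd: Failed password for clerk from 203.0.113.7
2014-10-09T02:10:19 gate-pc sshd: Failed password for clerk from 203.0.113.7
2014-10-09T02:10:23 gate-pc sshd: Failed password for guest from 203.0.113.7
2014-10-09T12:30:12 pos-1 sshd: Failed password for manager from 10.0.0.30
2014-10-09T03:00:00 lockers sshd: Failed password for admin from 203.0.113.7
2014-10-09T03:00:05 lockers sshd: Failed password for admin from 203.0.113.7
"""

# The "ts" group deliberately stops at the hour so it doubles as the bucket key.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d (?P<host>\S+) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def failures_per_hour(log_text):
    """Count failed logins per (host, hour) bucket; unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "Failed":
            counts[(m.group("host"), m.group("ts"))] += 1
    return counts


def learn_baseline(log_text, min_margin=3):
    """Learn a per-host alert threshold from the tuning period.

    Threshold = mean + 3 standard deviations of the hourly failure counts,
    but never below mean + min_margin, so a quiet host whose counts barely
    vary does not page someone over a single extra typo.
    """
    per_host = defaultdict(list)
    for (host, _hour), n in failures_per_hour(log_text).items():
        per_host[host].append(n)
    thresholds = {}
    for host, samples in per_host.items():
        mean = statistics.mean(samples)
        stdev = statistics.stdev(samples) if len(samples) > 1 else 0.0
        thresholds[host] = max(mean + 3 * stdev, mean + min_margin)
    return thresholds


def detect(log_text, thresholds):
    """Return (host, hour, count, reason) for hours that deviate from the norm.

    A host with no learned baseline cannot be judged against "normal", so it
    is reported on its own rather than ignored: inventory gaps are findings too.
    """
    alerts = []
    for (host, hour), n in sorted(failures_per_hour(log_text).items()):
        if host not in thresholds:
            alerts.append((host, hour, n, "no baseline for host"))
        elif n > thresholds[host]:
            alerts.append((host, hour, n, f"exceeds threshold {thresholds[host]:.1f}"))
    return alerts


if __name__ == "__main__":
    learned = learn_baseline(BASELINE_LOGS)
    for host, value in sorted(learned.items()):
        print(f"baseline {host}: alert above {value:.1f} failed logins/hour")
    for alert in detect(NEW_LOGS, learned):
        print("ALERT", *alert)
```

Three days of data is far too little for a real baseline; the point is the shape of the work: the tool learns nothing until it has seen your network behave normally, every host missing from the baseline is an inventory problem as much as a monitoring one, and the threshold floor is exactly the kind of per-environment tuning knob that turns a noisy deployment into a useful one.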


What’s in your plan?
While deploying a robust monitoring capability is a great first step, it will not do you much good if you cannot effectively respond to the events that are detected. With this in mind, the logical next step is to flesh out a formal incident response program for your club. Some businesses may have a plan, but these are commonly a few pages long, with some vague wording about the IT folks performing an investigation and a couple of phone numbers users should call if their system seems to be acting oddly. In today’s complex threat environment, plans need to be far more complete, and more importantly, all key stakeholders need to be thoroughly trained in the role they are expected to play. This can occur through classroom training, table-top exercises or even live breach simulations.

Keep in mind that the key stakeholders include far more than your IT staff. Ask yourself:
• Do we have a plan for the public relations aspect of the event?
• What if we have to notify individuals, law enforcement or the media?
• Do we have pre-planned templates for letters to the members and public statements?
• Is our legal team experienced in these matters or should we retain external counsel that specializes in these issues?

Scenario planning

To avoid getting caught by surprise, clubs should pre-plan as many scenarios as possible. For example:

• Have detailed playbooks for the most common types of events:
  ◦ Virus or worm outbreaks
  ◦ Live hacker on the network
  ◦ Denial of service attacks
  ◦ Social engineering campaigns
• Plan for worst case scenarios:
  ◦ What if internal sensitive data is exposed?
  ◦ What if member data is exposed?
  ◦ What if the breach or infection cannot be contained?
  ◦ What if business critical systems are breached and can’t be taken offline?
• Plan for various outcomes:
  ◦ What if we have to rebuild a significant number of systems?
  ◦ What if we have to rebuild critical systems from backups?
  ◦ What if we have to fail over to our disaster recovery site?
  ◦ How will we run the process if we want to find the responsible party and take legal action? How will we run the process if we don’t?

As you can see, the process can get complex very quickly. Thinking through the various scenarios beforehand will help keep you on a pre-planned path and out of a panicked response mode.


Consider an insurance policy
Lastly, make sure you understand what level of coverage you have within your organization’s general policy, if any, for adverse cyber events. A good policy should protect the organization against typical issues such as data loss or theft, malware outbreaks, physical equipment theft and denial of service attacks. Be very careful, however, about taking the position that it is cheaper to simply pay your insurance premium and file a claim for damages if an event does occur. Insurance companies are slowly incorporating investigative techniques into their claims response processes that are meant to determine if the breach was somehow due to negligence or fault. Organizations that choose not to deploy effective controls and who expect that insurance will cover the damages may find themselves left holding the bag if the insurance company denies their claims.


For more information on security standards and practices for your organization, please contact Daimon E. Geopfert, national leader, Security and Privacy Consulting, Technology Risk Advisory Services, McGladrey LLP, at 312.634.4523.