Monthly Archives: April 2017

Corporate cyber-resilience — bad and getting worse

Larry Ponemon

Resilient, an IBM Company, and Ponemon Institute are pleased to release the findings of the second annual study on the importance of cyber resilience for a strong security posture. In a survey of more than 2,000 IT and IT security professionals from around the world, only 32 percent of respondents say their organization has a high level of cyber resilience—down slightly from 35 percent in 2015. The 2016 study also found that 66 percent of respondents believe their organization is not prepared to recover from cyber attacks.

In the context of this research we define cyber resilience as the alignment of prevention, detection and response capabilities to manage, mitigate and move on from cyberattacks. It refers to an enterprise’s capacity to maintain its core purpose and integrity in the face of cyberattacks. A cyber resilient enterprise is one that can prevent, detect, contain and recover from a myriad of serious threats against data, applications and IT infrastructure.

Cyber resilience supports a stronger security posture. In this report, we look at those organizations that believe they have achieved a very high level of cyber resilience and compare them to organizations that believe they have achieved only an average level of cyber resilience. This comparison reveals that high level cyber resilience reduces the occurrence of data breaches, enables organizations to resolve cyber incidents faster and results in fewer disruptions to business processes or IT services. The research also shows that a cybersecurity incident response plan (CSIRP) applied consistently across the entire enterprise with senior management’s support makes a significant difference in the ability to achieve high level cyber resilience.

Despite its importance for cyber resilience, the research demonstrates the continued challenges to implementing a CSIRP. Seventy-five percent of respondents admit they do not have a formal CSIRP applied consistently across the organization. Of those with a CSIRP in place, 52 percent have either not reviewed or updated the plan since it was put in place or have no set plan for doing so. Additionally, 41 percent of respondents say the time to resolve a cyber incident has increased in the past 12 months, compared to only 31 percent of respondents who say it has decreased.

Key components of cyber resilience are not improving. The key components of cyber resilience are the ability to prevent, detect, contain and recover from a cyber attack. As shown in Figure 1, respondents' confidence in achieving these components has changed very little since last year's study.

Last year, 38 percent of respondents rated their ability to prevent a cyber attack as high; this year 40 percent of respondents rated their ability to prevent a cyber attack as high.

Confidence in the ability to quickly detect and contain a cyber attack increased slightly from 47 percent of respondents to 50 percent of respondents and from 52 percent of respondents to 53 percent of respondents, respectively.

Confidence in the ability to recover from a cyber attack declined slightly. Last year, 38 percent of respondents rated their ability as high and this year, only 34 percent of respondents rate their ability as high.

Other key research findings

Investments in training, staffing and managed security services providers improve cyber resilience. In the past 12 months, only 27 percent of respondents say their cyber resilience has significantly improved (9 percent of respondents) or improved (18 percent of respondents). These respondents say that if cyber resilience improved, it was due to an investment in training of staff (54 percent of respondents) or engaging a managed security services provider (42 percent of respondents).

Business complexity is having a greater impact on cyber resilience. However, insufficient planning and preparedness remain the biggest barriers to cyber resilience. In 2015, 65 percent of respondents said insufficient planning and preparedness was the biggest barrier. This increased to 66 percent in 2016.

Complexity is having a greater impact on cyber resilience. In 2015, 36 percent of respondents said the complexity of IT processes was a barrier to a high level of cyber resilience and this increased significantly to 46 percent of respondents in 2016. More respondents also believe that the complexity of business processes has increased (47 percent of respondents in 2015 and 52 percent of respondents in 2016).

Incident response plans often do not exist or are ad hoc. Seventy-nine percent of respondents rate the importance of a CSIRP with skilled cybersecurity professionals as very important, and more organizations represented in this research have a CSIRP. However, only 25 percent of respondents say they have a CSIRP that is applied consistently across the enterprise (yet this does represent an increase from 18 percent in 2015). Similarly, the percentage of respondents who say their organizations do not have a CSIRP declined from 31 percent to 23 percent of respondents.

Cyber resilience is affected by the length of time it takes to respond to a security incident. Forty-one percent of respondents say the time to resolve a cyber incident has increased significantly (16 percent of respondents) or increased (25 percent of respondents). Only 31 percent of respondents say the time to resolve has decreased (22 percent of respondents) or decreased significantly (9 percent of respondents).

Human error is the top cyber threat affecting cyber resilience. When asked to rate seven IT security threats that may affect cyber resilience, the biggest threat is human error, followed by advanced persistent threats (APTs). Seventy-four percent of respondents say the incidents experienced involved human error. IT system failures and data exfiltration were also significant according to 46 percent of respondents and 45 percent of respondents, respectively.

Malware and phishing are the most frequent compromises to an organization’s IT networks or endpoints. Forty-four percent of respondents say disruptions to business processes or IT services as a consequence of cybersecurity breaches occur very frequently (16 percent of respondents) or frequently (28 percent of respondents).

A lack of resources and no perceived benefits are reasons not to share. Why are some companies reluctant to share intelligence? The 47 percent of respondents who do not share threat intelligence say it is because there is no perceived benefit (42 percent of respondents), there is a lack of resources (42 percent of respondents) or it costs too much (33 percent of respondents).

Senior management’s perception of the importance of cyber resilience has not changed. A trend that has not improved is the recognition of how cyber resilience affects revenues and brand reputation. In 2015, 52 percent of respondents said their leaders recognize that cyber resilience affects revenues and this declined slightly to 47 percent in 2016. Similarly, in 2015, 43 percent of respondents said cyber resilience affects brand reputation, and this stayed virtually the same in 2016 (45 percent of respondents). Almost half (48 percent of respondents) recognize that enterprise risks affect cyber resilience, a slight increase from 47 percent of respondents in 2015.

Funding increases slightly for cybersecurity budgets. In 2015, the average cybersecurity budget was $10 million. In 2016, this increased to an average of $11.4 million. More funding has been allocated to cyber resilience-related activities. In 2015, 26 percent of the IT security budget was allocated to cyber-resilience activities. This increased to 30 percent in 2016.

Global privacy regulations drive IT security funding. When asked about regulations that drive IT security funding, most respondents believe it is the new EU General Data Protection Regulation (51 percent of respondents) or international laws by country (50 percent of respondents). Only 22 percent of respondents rate their organization's ability to comply with the EU General Data Protection Regulation as high.

To read the rest of this report, visit ResilientSystems.com

Hacked Dallas sirens, maintained by office furniture movers, show U.S. not serious about critical infrastructure

We’d better not ignore these sirens.

Bob Sullivan

It’s tempting to ignore the warning sirens that blared Dallas out of bed Saturday night — but that would be a very serious mistake.

We hear so much about the importance of securing America's critical infrastructure systems. Then you find out that the company responsible for maintaining the Dallas outdoor warning siren network — the one that was hacked Saturday night — is also an office furniture moving company.

In case you missed it, Dallas's outdoor sirens screeched continuously overnight Saturday, harassing many of the city's residents with the ultimate false alarm.  Initially believed to be a malfunction, city officials conceded it was a hack by Sunday.

The sirens are supposed to warn residents about immediate danger, like tornadoes.

They did their job.

America just received perhaps the clearest warning ever that our essential services are comically easy to attack, putting our citizens in serious peril.  Will we listen, or just go back to sleep?

One can’t say it any plainer: When bricks start falling off a bridge into the water, you fix the bridge.  (Maybe.) That’s what we have here.

No one died Sunday morning. There was no blood, so there weren’t any dramatic pictures.  But there will be. It doesn’t take much imagination to see how easily this hacker prank (or, was it a test?) could have gone very wrong. For starters, it served as a denial of service attack on the city’s 911 system, which was overwhelmed with calls.

More than 4,400 911 calls were received from 11:30 p.m. to 3 a.m., the city said.  About 800 came right after midnight, causing wait times of six minutes. As far as we know, no one died because of this.  But that could have happened.

But that’s only the tip of the iceberg. Security experts I’ve chatted with have warned for years of a hybrid attack that could easily cause panic in a big city. Imagine if this hack had been combined with a couple of convincing fake news stories suggesting there was an ongoing chemical attack on Dallas.  Without firing a shot, you could easily see real catastrophes.  Take it a step further, and combine it with some kind of physical attack, and you have a serious, long-lasting incident on your hands. Death, followed by massive confusion, then panic, then a bunch of sitting ducks stuck in traffic.

Playing the “what…if” game sometimes leads to exaggeration. But it is called for when someone is about to ignore a warning sign.  So I asked security consultant Jeff Bardin of Treadstone71 to tell me why the Dallas incident should be taken seriously.

For one, it could have been a diversionary tactic.

“Testing the emergency systems, getting to a ‘cry wolf’ state of affairs, getting authorities into a full state of chaos and confusion while hacking and penetrating something else.  Kansas City shuffle,” he said.  “This looks to me to be a test of the systems. Could also be more than a test meaning what was hacked during this fake emergency?”

Dallas has been hit by “prank” hacks before.  Last year, traffic signs were hijacked to display funny messages like “Work is Canceled — Go Back Home.”  Very funny. But this means we know the city’s systems are being actively probed.  Any intelligent person has to consider what other systems this person or gang has toyed with. And, more important, what other cities have they toyed with.

“If I as a hacker can control the emergency systems, alarms, building security, HVAC, traffic lights, first responder system, medical facility interfaces, law enforcement, etc., all the normal physical systems that now have internet interfaces, I can control the whole of the city,” Bardin said. “What else was penetrated during this ‘test?’  How many other major cities in the US operate the same way? What was injected into these systems during the test for later access?”

Hopefully, the Dallas siren hacker is a kid who found flaws in a very old, insecure system and had some fun for a night, Bardin said. Perhaps it was someone trying to "prove a point," though in a careless, dangerous way that did put lives in danger.

Point not made.  Life is full of disasters averted, then ignored. The planes that almost collided. The car accident narrowly averted. The key that was lost (without a duplicate!) but is found.

It’s 48 hours after a major U.S. city had its sirens blaring all night long. Are you hearing about federal investigations? Are you hearing about executive orders around critical infrastructure? (You did. But then, you didn’t.)

“Amazing this is not getting headlines,” Bardin said. “Not amazing that they have the uninitiated managing the systems who have a side job in furniture. Perfect. Just f**ing perfect.”

As for the furniture-moving company behind the sirens, it’s probably unfair to blame them.  The Dallas Morning News reported that Michigan-based West Shore Services was in charge of maintaining the system.

Indeed, here is the resolution from the city council back in 2015 authorizing payment of $567,000 to West Shore during a six-year period.  Yup, that’s around $100,000 annually, for repair and maintenance. And that’s a MAXIMUM.  I suspect it includes the price of replacing broken equipment. I’d think it doesn’t include penetration testing. I’m sure it doesn’t include overhauling the system from its old, practically indefensible architecture.

No wonder the firm needs a side business.

An operations manager for West Shore told the Dallas Morning News he didn't know anything about the incident.  The firm didn't respond to my questions sent via email.

But the biggest question of all:  Will anyone hear this warning siren? Or will we all go back to sleep, like Dallas did?

UPDATE 6:30 p.m. 4/10/17 – Federal Signal Corporation, which made the Dallas sirens but does not currently manage them, said it was working with authorities to determine what happened.

“The City of Dallas, Texas, has multiple outdoor warning sirens installed across the Dallas area. The outdoor warning sirens were manufactured by and purchased from Federal Signal Corporation …  Although, Federal Signal does not currently have the contract to maintain the City of Dallas outdoor warning siren system, the company is actively working with the Dallas Office of Emergency Management to determine the cause of the unintended activation,” the firm said in a statement emailed to me.

Dallas Mayor Mike Rawlings seemed to get it, and called for serious investment in the wake of the attack.

“This is yet another serious example of the need for us to upgrade and better safeguard our city’s technology infrastructure,” he wrote on his Facebook page. “It’s a costly proposition, which is why every dollar of taxpayer money must be spent with critical needs such as this in mind. Making the necessary improvements is imperative for the safety of our citizens.”

Let’s hope someone listens, and those sirens are heard far outside Texas.