
The Worst-Case Hack Scenario
2006-01-24 06:27

http://business.newsfactor.com/story.xhtml?story_id=41047

By Jack M. Germain
January 23, 2006

A flurry of data breaches at major corporations late last year seemed to confirm a growing consensus among computer-security experts that 2005 was the worst year yet for such transgressions. Incidents at Marriott International, Ford Motor Company, and ABN Amro Mortgage Group served as eerie reminders to CIOs that they could be the next victims of thieves looking to poach Social Security and credit-card numbers, or of business-process breakdowns that cause sensitive information to fall into the wrong hands.

Most CIOs will tell you that getting hacked is inevitable. But there is getting hacked, and then there is getting sacked. As the volume of information increases and criminals grow more brazen, the chances of companies suffering a worst-case scenario seem less remote every day. Part of any CIO's duty is to convince the boss that the company is ready for the very worst security crisis imaginable.

Tales of Tech Terror

An example of just how easily a security problem can hit a company is the data breach Ford Motor Company reported in the first week of January. Ford officials reported the theft of a computer with files containing the names and Social Security numbers of approximately 70,000 current and former employees of the company. Adding insult to significant injury, that theft had nothing to do with network intrusion or the social-engineering tricks typically employed by data thieves.

Neither did the disappearance in December of a box containing information on some two million customers of ABN Amro Mortgage Group, one of the nation's largest mortgage lenders. ABN Amro's customers learned that their Social Security numbers and other personal information were lost by a DHL courier on the way to the credit bureau Experian. A month later, a DHL worker found the unlabeled carton of data in the same DHL facility where it had been lost.

Meanwhile, someone at the corporate offices of Marriott Vacation Club International, in Orlando, Florida, either misplaced or removed computer backup tapes containing data about some 206,000 associates, timeshare owners, and customers. The company reported the missing tapes in late December. Marriott officials mailed notifications to the affected people. In an effort to quell panic about possible identity theft, corporate officials said that the tapes require specialized equipment to read their content. Marriott is investigating how the tapes went astray and will monitor for unusual activity or possible misuse of the data.

We Have a Situation

Data security is a topic most corporate CIOs are reluctant to discuss. The consensus is that the less said, the better for the corporate image. But that does not mean CIOs are sitting around with their hands in their pockets wondering how to convince their bosses that the sky is not about to fall.

"Actually, believe it or not, many CIOs do already have a worst-case scenario list," said Ed Moyle, manager of Information Security Services at CTG and an analyst at Illuminata. "The specific terminology varies from firm to firm, but a situation report is one common way that a CIO can keep an eye on how the firm's I.T. infrastructure is impacted by developments in the outside world such as worms, viruses, and fraud activity."

The situation report might be prepared by CIO staff and contain high-level information about threats in the environment and the company's position with respect to each threat. Moyle said the staff might draw on data from Web sites like the SANS Internet Storm Center, which actively monitors and warns of attacks, or they might collaborate with peers to gauge the effectiveness of their security measures.

Keeping a list of threats is only the first step in crisis management, Moyle said. Most large companies also are likely to have an incident-response plan that details how I.T. personnel will respond to particular types of threats, including information about whom to call when a threat occurs and how to make sure the right people are involved.

Opening It Up

At General Motors, the approach to crisis management is very different from what it was a few years ago. Back then, responding to worst-case scenarios was much like applying triage to a catastrophe, said Eric Litt, chief information security officer for Global Information Security at GM Information Systems and Services. "Now we try to assess threats and decide how to handle them before the crisis hits," he said.

GM is unique in that it outsources 100 percent of its I.T. By necessity, the global operation requires around-the-clock scrutiny, and that includes preparation for nightmare scenarios. "We operate 24-7 so computer security incidents and events are handled no differently than other kinds of incidents," Litt said.

GM follows a model that aligns Litt with each sector of the corporate structure while allowing him oversight of the operations and support of the I.T. department. Because the company is always functioning at multiple locations worldwide, the data security infrastructure is more expansive, and concerns over data breaches are not treated as a separate entity linked only to I.T. Litt said that this is a big change in the way he approaches his job. "I no longer worry about what could go wrong," he said.

Assessing Risk Clearly

Today's CIOs are more keyed in than ever on the risks that hackers pose, said Paul Stamp, an analyst at Forrester Research. That focus has strengthened the defenses around company perimeters and shifted attention somewhat to threats from within. "CIOs are now better equipped to stay ahead of the security curve," said Stamp. "The feeling now is that the perimeter holes have been licked." In fact, he said, studies have shown that most security breaches in the last two years have come fairly consistently from inside corporations.

Despite this recent success against outside threats, CIOs are still struggling with how to communicate specific threat information to the bosses, said Moyle. "That's where the situation gets tricky," he said. Since CEOs are focused on increasing the profitability of the firm, he said, many of them regard security as an expense that draws money away from investment in the business. To win over the CEO, information officers must demonstrate how activities within their purview affect the bottom line.

"By using data from their threat-tracking efforts, the CIO can demonstrate how I.T. investment impacted the bottom line in terms of cost savings," said Moyle. In other words, if a CIO can prove that money spent resulted in money saved, it could ease the pain involved in outlining a worst-case scenario. "Granted, it is very difficult to get anything but a rough estimate from these metrics," Moyle said, "but a rough estimate is better than no estimate at all."

As to the degree of worry that CIOs have, Moyle conceded that quite a few CIOs are worried about attacks, incidents, and other types of security threats. And to him that is not a good sign. "Worry in a CIO reflects uncertainty in the management process," said Moyle. For example, in a well-prepared company, a CIO might have metrics to help predict how likely an incident is to occur and how much it is likely to cost the company. He or she can then look at the balance sheet and make a considered determination as to how much to spend.

But if CIOs are panicked, it's a sign that their confidence in that process is not there for one reason or another, Moyle said. "The metrics might be so skewed as to be useless. They might not have metrics at all. They might have no way of tracking threats, or they might not have a defined response process, and so on."

The Best Defense

Moyle likened the role of the CIO in handling risk management to having flood insurance. Financial officers do not stay up late at night worrying whether there will be a flood, and adequately prepared CIOs shouldn't lose any sleep either.

The CIOs who manage risks effectively have become successful in showing their bosses the need to build computer systems from the ground up rather than to bolt on fixes, according to Forrester's Stamp. "[Risk management] is now a laundry list of things to do. Security is no longer a separate department. Rather, it is integrated into business practices," he said.

That integration seems to be the key to understanding and preparing for a worst-case scenario. Instead of having a plan waiting behind a pane of glass, to be broken out only in case of emergency, CIOs would seem to be best served telling their bosses that the systems are already in place to respond to a data-security crisis.

Besides, as GM's Litt sees it, a worst-case scenario, in the truest sense of the term, is one that is not survivable. The best CIOs can do is to have a plan in place to mitigate attacks effectively and be ready to follow it whenever needed. "That doesn't mean an attack will never have an impact on the business," Litt said. "There is no such thing as a perfect security plan."

