Disaster Recovery In The APT Age - InformationWeek

11/7/2014
01:06 PM
Michael Cobb

Disaster Recovery In The APT Age

Does your resiliency plan take into account both natural disasters and man-made mayhem? If the CISO hasn't signed off, assume the answer is no.

Download Dark Reading's November Tech Digest on disaster recovery, distributed in an all-digital format (registration required).

They say it's an ill wind that blows nobody any good. More extreme weather, more fear of terrorist attacks, and more dependence on data have been a boon to the disaster recovery industry, however. The DR-as-a-service market alone is forecast by MarketsandMarkets to be worth $5.77 billion by 2018.

Don't take all that spending to mean we're ready to cope with anything that comes our way, though. Seventy-three percent of companies are failing at disaster readiness, the Disaster Recovery Preparedness Council's 2014 annual report concludes. InformationWeek's 2014 Backup Technologies Survey shows just 23% of respondents extremely confident that they could get their businesses up and running again in a reasonable time frame after a major disaster that takes out the main data center.

Not to pile on, but these figures would be worse if they took cyber attacks into account. Business continuity plans focus mainly on preparing for natural disasters and destructive man-made events, like a fire or bomb blast. Yet the annual impact of cyber events worldwide is estimated at $400 billion, much of it associated with the inability of the victims to continue operations.

Is having your data locked up by ransomware really less of a problem than a fire destroying servers?

It can be worse, in fact, in terms of public perception. When major disasters such as Hurricane Katrina hit, there is a certain amount of public sympathy for businesses caught in the ensuing chaos. Companies that fail to handle cyber attacks are often viewed as careless or incompetent. Loss of trust can be much more difficult to replace than data, so companies need to put targeted cyber attacks on the list of catastrophes from which they can bounce back.

Yes, you're almost certainly a target

Many IT organizations assume that only government agencies and big players in certain industries, such as pharma research or defense, are at risk from targeted attacks. But reports from security firms including Mandiant and Arbor Networks suggest that this is not the case. More than 20% of respondents to Arbor Networks' Worldwide Infrastructure Security Report say their enterprises experienced an advanced persistent threat (APT) attack. This puts the risk of occurrence higher than that of fire or flood, or of being hit by a violent storm, even if you're in a high-risk region such as Tornado Alley.

Business continuity planners need to consider two types of targeted exploits: high-profile and publicly visible assaults, such as distributed denial-of-service and DNS attacks; and the invisible APT attack, which requires a different strategy to thwart.

The main drivers of high-profile attacks are hacktivism, extortion, and vandalism, and those behind them range from nation states and cyber criminals to hacktivists, extremists, and the employee or man in the street with a grudge. This range of motivations makes any organization a potential target.

Mandiant's 2014 Threat Report says the list of potential APT targets also has increased because information about how businesses work and make decisions has been added to the list of intellectual property worth stealing. This means contents of email accounts, appointment details, meeting minutes, budgets, human resources records, policies, and procedures are all reasons a company could become an APT target.

Attackers also target small businesses as a first step toward launching an attack against one of the business's customers, much as Target was compromised via a contractor. Law firms that hold confidential mergers and acquisitions information and sensitive intellectual property are an obvious example.

One reason few companies include such attacks in their business continuity planning is that estimating the likelihood of a targeted cyber attack -- and the impact it would have on the business -- is not as straightforward as calculating for natural disasters.

Yet the general process is the same: risk assessment, business impact analysis, plan development, testing, activation, and maintenance. 

If a risk assessment concludes that a targeted attack is a realistic threat, the next step is to decide whether it merits inclusion in the business continuity plan. That decision happens by completing a business impact analysis (BIA).

The impact of visible targeted attacks is relatively straightforward to calculate: the real and measurable cost to the business of dollars lost per minute in downtime, along with the impact on productivity and reputational damage. The potential impact of an APT is far more difficult to quantify as it entails more conjecture.

To read the rest of this story, download Dark Reading's November Tech Digest on disaster recovery.
Michael Cobb, CISSP-ISSAP, CLAS, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services. He co-authored the book IIS Security ...
