Working backwards

How to think about risk mitigation

backwards up slide
downing.amanda (Creative Commons BY or BY-SA)

The recent high profile hacking incidents at Target, Sony and Anthem Health demonstrate clearly the need for timely and effective response to information security incidents.   The negative consequences of such incidents were the loss of significant finances and productivity and, ultimately, a severe blow reputation to the organization. For an individual company this could lead to loss of sales and jobs. On a national level, however, a hacking incident aimed at a nation’s critical infrastructure could disable operations affecting their national transportation systems, medical facilities, defense industries, police, universities, telecommunications, government operations and utilities. This could result in a major loss of life and severe disruptions to the national economy and critical services.

Developed countries have, for the most part, already developed computer incident response capabilities and oftentimes at multiple layers of the government. For example, most European Union nations have their own national incident response teams whereas the EU, as a whole, has a computer emergency response team, the EU CERT, which coordinates with the EU member states in helping to respond effectively to information security incidents. Unfortunately, developing countries often lack this type of computer incident response capability and, if they exist at all, are usually concentrated only within their military. For example, according to the International Telecommunication Union’s IMPACT survey, less than ¼ of African countries have a national CERT. To better protect their nation’s critical infrastructure, developing nations need to develop an effective means of quickly detecting and effectively responding to attacks.

What is needed for a developing nation to develop an incident response team? To best answer to this question I like to employ a technique I refer to as “working backwards.” At first glance this term may seem to have a pejorative connotation. After all, developing nations generally want to improve themselves by going forward or becoming more progressive which seems to run counter to going backwards on anything.   Rather, in this instance, I mean a nation must begin working backwards as a mental exercise rather than a physical one. That is, a developing nation must envision a worst case scenario that could occur through a deliberate information security attack by another nation, cyber-criminals or computer hacktivists. Then, working backwards, the country can put in place those safeguards would be necessary in order to have rapidly, detected, reacted, contained, corrected and learned from the event.

First, look at the impact of a severe disruption of a critical service through a cyber-attack. Given the current level of controls for that infrastructure what would be the probability of an attack being successful? If the answer to both questions is high impact and high probability, then the country must ensure that sufficient mitigating controls are put in place. These mitigating controls must be part of a strategic effort of risk assessment and mitigation for all of a countries critical infrastructure.

Second, if those controls were to fail, who would be notified and how quickly? Does the critical service have a means of quickly detecting and responding to the breach? Is there an incident response team that could quickly evaluate the problem and make a decision to contain the incident from spreading further? Have the operational procedures been defined and have they been exercised regularly? Does the response team have the proper expertise—not just in the technical skills of malware analysis, forensics, application and network security but also the soft skills of being able to interface with the appropriate legal authorities and the messaging that is presented to the public. The latter is especially important because if a nation’s critical infrastructure has been affected the public will need to be notified in a way that is informative without provoking panic.

Third, after successful detection, reaction and containment, the national incident response team must learn from the incident by determining what caused it and what lessons can be drawn from the incident to prevent its happening again. These could be additional technical controls, changed business processes or the even the implementation of new policies or laws.

In sum, working backwards is an excellent method of envisioning the worst and then systematically examining the root causes of the potential worst case incident in order to put in place the necessary controls, systems and procedures that would allow the successful prevention, detection, reaction, containment and resolution of the incident. These measures by themselves may not prevent a major hacking incident but they certainly make them much less likely. Without them, no major hacking incident can be responded to effectively.

Copyright © 2015 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline