IBM Global Technology Services
IBM Security Services
White Paper

Responding to—and recovering from—sophisticated security attacks
The four things you can do now to help keep your organization safe
Contents
2 Introduction
3 Step 1: Prioritize your business objectives and set your risk tolerance
4 Step 2: Protect your organization with a proactive security plan
7 Step 3: Prepare your response to the inevitable: a sophisticated attack
8 Step 4: Promote and support a culture of security awareness
10 Get started now—before your company becomes a victim
12 For more information

Introduction
Like so many other things in today’s world, cyber attacks—along with those who perpetrate them—are becoming more sophisticated every year. At the same time, IT resources are moving outside the firewall and enterprises are distributing their applications and data across multiple devices. It’s now clear that simply protecting an organization’s perimeter is not enough. These sophisticated attacks—which include advanced persistent threats, or APTs—are bypassing traditional defenses.

We know all too well how major security incidents can affect a company’s data, networks and corporate brand. We also know that sophisticated attacks, designed to gain continuous access to critical information or to cause damage in critical infrastructure, are becoming more severe, more frequent and more costly.

How severe? Sophisticated attacks can include:
• Stealing intellectual property
• Confiscating bank accounts and other financial assets
• Distributing malware on individual computers and across systems
• Posting confidential business and/or customer information online
• Damaging critical infrastructure

How frequent? A 2012 study of 2,618 business leaders and security practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil found that they experienced an average of 66 attacks per week, with organizations in Germany and the U.S. reporting the highest numbers: 82 and 79 per week, respectively. And in their 2012 mid-year report, IBM X-Force research and development teams noted an upward trend in overall vulnerabilities, predicting a possible all-time high by the end of the year.²

How costly? The average cost of recovering from a single cyber attack was estimated to be as much as nearly $300,000 by the organizations mentioned in the above 2012 study.³ That could amount to nearly $1 billion over the course of a year.

What’s more, we know that the people behind these sophisticated attacks are patient, long-term planners. They do reconnaissance and target specific vulnerabilities. And they’re shifting their focus from exploitation to destruction.
In this paper we’ll discuss the four proactive steps that you can—and should—take now to help keep your organization safe:
• Prioritize your business objectives and set your risk tolerance
• Protect your organization with a proactive security plan
• Prepare your response to the inevitable: a sophisticated attack
• Promote and support a culture of security awareness.

Step 1: Prioritize your business objectives and set your risk tolerance
Experience over the past several years has made it clear that “security” is a relative term. Because no matter how much we may want to create a completely and permanently secure enterprise and be done with it, reality dictates otherwise. Still, the growing threat of sophisticated attacks demands that we take seriously the business of securing our information and protecting our people and infrastructure. And that starts with setting priorities.

Determine what’s most important to the security of your business and why
This sounds fairly obvious. But taking the time to really think about your business objectives and discuss what’s most important—and how much risk you’re willing to tolerate—will help lay a solid foundation for a security strategy that meets the unique needs of your entire organization. Once you’ve established this baseline, you’ll have taken a big step in the right direction.

Identify those areas most vulnerable to attack
Just as there are some things that are more important than others to the security of your business, there are also some areas that are more vulnerable than others. This is not an exercise in finger-pointing or laying blame. Instead, it’s an opportunity to see things as they are—so you can create a more secure environment overall.

Identify the specific types of attacks that pose the biggest threat
Sophisticated attacks are designed to wreak as much havoc as possible—typically resulting in the loss or misuse of critical data, the disruption of critical infrastructure, or both. That’s why you need to look at your company’s information and business critical systems from an attacker’s point of view. And then ask yourself how an attacker could do the most damage.

Identify those areas that would incur the greatest loss in the event of an attack
This is where you come face to face with your biggest nightmare. If you’re going to come up with a successful plan, you need to be able to see just how much devastation would occur if an attack were to succeed in striking your business where it would hurt the most.
Step 2: Protect your organization with a proactive security plan
Now that you’ve established your priorities, it’s time to make your plans, get the right technology in place and put everything into action. This is where you take the steps to ensure that your company is aware of potential threats and working proactively to defend itself against them—on an ongoing basis.

Create a proactive and informed approach to IT security
Develop a security strategy with policies and technologies designed to proactively protect the assets and information you identified as priorities in Step 1. Arming your organization to successfully manage against those vulnerabilities is an essential part of taking a proactive stance to security. And the security policies you develop will lay the foundation for your information security management strategy. These policies should document your security requirements, processes and technology standards. There’s also a bonus to be had here: in addition to helping you detect and eliminate vulnerabilities, a smart security strategy can also enhance business operations by reducing risk and decreasing IT security management costs.

Identify existing vulnerabilities and fix them
This could involve a process as straightforward (but resource intensive) as making sure every operating system on every machine is up-to-date on security patches—and will stay that way. Other vulnerabilities are more difficult to detect and fix, such as weaknesses in business applications.

Online gaming / entertainment sites hacked, 100 million customer records compromised
Estimated costs: $3.6 billion
Victim: Online gaming community and entertainment sites
What happened: An “external intrusion” to a gaming network resulted in 70 million customer accounts being compromised, putting personal and credit card data at risk. The firm was forced to “turn off” online services during the investigation, causing public backlash and widespread negative press. A second hack in the entertainment division compromised additional client data.
Why it happened: Hackers allegedly were able to penetrate network security and gain access to unencrypted account and user data, and possibly some credit card data.
Damage done: In addition to widespread, negative public sentiment, the firm reportedly faced costs exceeding $171 million in lost business and response expense. The firm’s reported market capitalization fell by approximately $3.6 billion, as the stock price dropped 12 percent.
Lessons learned: It’s reported that one of the vulnerabilities exploited was known to the company. Firms should leverage a framework for managing risk associated with information assets, as well as establish strong governance mechanisms to support that framework.
Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information, published articles.
Mitigate any existing threats
Are you confident that you aren’t already the victim of a sophisticated attack? Particularly pernicious attacks such as advanced persistent threats, or APTs, are designed to remain invisible for as long as possible, moving from one compromised host to the next, without generating identifiable network traffic. At the heart of every APT lies a remote control function, which enables criminals to navigate to specific hosts within target organizations, manipulate local systems, and gain continuous access to critical information. To protect yourself, you need tools designed to detect remote control communications between your system and the criminal invader.

Test, test, and test some more
With the emergence of sophisticated attacks comes the reality that one will strike your organization. It’s only a matter of time. That’s why it’s become more important than ever that you pay serious attention to testing your security policies, procedures and technologies for effectiveness—especially since doing so is a key element of legal and regulatory requirements for due care and diligence. Failure to do so can mean that corporate officers are held liable for the results of a security breach. And because the security landscape is continuing to change at an ever-increasing pace, it’s equally important that you implement policies for regular testing and review.

Take a smart approach to security intelligence
How do you stay on top of all this—without sending your IT department into a continual state of panic? Security intelligence and analytics tools can actively monitor and correlate data activity across multiple security technologies, offering you the visibility and insight into what’s going on in your environment—to help you spot and investigate the kind of suspicious activity that could indicate an attack is underway. They help reduce complexity by communicating with one common language across multi-vendor environments, while taking the strain off your IT department and potentially delivering both time and cost savings.

Develop governance procedures and assign ownership of risk
Like most other things, your security programs and policies designed to defend against threats such as sophisticated attacks will only be as good as your organization’s ability to ensure that everyone is playing by the rules. So you need to have a plan in place for staying on top of the situation for the long term. That includes deciding who’s going to monitor and manage your security policies and how you’ll provide proof that your risk posture is being maintained. Make sure your security program has ownership and leadership assigned across critical business areas. By expanding accountability and awareness across key areas of risk, you’ll create a heightened understanding and enforcement of the security controls you’ve put in place. And that, in turn, will allow you to create a more secure business environment.
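The paper says the defining trait of an APT is a remote control channel and that you need tooling that detects that channel; security analytics tools then correlate what several sensors see. The following added example (written for this page, not code from IBM or from the paper) shows the simplest form of that detection: an outbound-connection log is grouped by source host and destination, and any pair that talks on a nearly fixed schedule is reported as a possible beacon. All records, host names and thresholds are constructed; 203.0.113.0/24 is a documentation address range.

```python
"""Beacon (periodic remote-control traffic) check over constructed connection logs.

Added example, not code from the IBM paper. Records are shaped like the
outbound-connection summaries a firewall or proxy exports:
(timestamp_seconds, source_host, destination, bytes_out).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (not real telemetry).
SAMPLE_CONNECTIONS = (
    # ws-017 contacts one external address roughly every five minutes; the
    # regular cadence is what a remote-control ("beacon") channel looks like.
    [(t, "ws-017", "203.0.113.5:443", 612)
     for t in (0, 298, 602, 897, 1203, 1499, 1801, 2097, 2403, 2699, 3001, 3297)]
    # ws-017 also makes a few unrelated connections: too few to judge timing.
    + [(t, "ws-017", "www.example.org:443", 4_200) for t in (40, 1900, 3100)]
    # ws-042 browses interactively: plenty of connections, but irregular gaps.
    + [(t, "ws-042", "www.example.org:443", 15_000)
       for t in (12, 95, 96, 700, 1420, 1421, 1425, 2600, 3310, 3900)]
)


def inter_arrival(timestamps):
    """Return (mean gap, stdev of gaps, coefficient of variation) for the timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    sd = pstdev(gaps)
    return m, sd, (sd / m if m > 0 else float("inf"))


def find_beacons(records, min_connections=8, max_jitter_cv=0.10):
    """Flag (source, destination) pairs whose connection timing is suspiciously regular.

    A pair is only judged once it has at least `min_connections` records, and
    is reported when the spread of its inter-connection gaps relative to the
    mean gap (the coefficient of variation) is at or below `max_jitter_cv`.
    Both thresholds are tuning choices for this example, not published values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _bytes_out in records:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_connections:
            continue
        mean_gap, _, cv = inter_arrival(times)
        if cv <= max_jitter_cv:
            findings.append({
                "source": src,
                "destination": dst,
                "connections": len(times),
                "interval_s": round(mean_gap, 1),
                "jitter_cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    # Legitimate agents (update checks, monitoring) also beacon, so each hit is a
    # lead to correlate with endpoint and proxy data, not a verdict on its own.
    for finding in find_beacons(SAMPLE_CONNECTIONS):
        print(finding)
```

Run on the constructed records, only the ws-017 to 203.0.113.5:443 pair is reported (12 connections, mean interval about 299.7 s, jitter well under the threshold); the interactive browsing host is not, even though it made more connections than the minimum. The check keys on regularity alone, so a channel that randomizes its sleep time will sit above the jitter threshold; that is why the paper's point about correlating several data sources matters more than any single rule.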
Demonstrate and document the value of your security investments
There’s no getting around the fact that your organization will need to find the necessary room in its budget for creating and maintaining an effective security program. And because it’s very difficult to quantify value in terms of the attacks that didn’t take place, it’s a good idea to maintain ongoing communications about what you’re doing and why it’s important. By reporting significant activities that have or could have penetrated critical systems and data, for example, you can demonstrate the value of security technology investments, identify gaps, stop attacks in progress, uncover streamlining opportunities, and inspire confidence in your approach.

49% of IT executives say they’re challenged by an inability to measure the effectiveness of their current security efforts.⁴

Review everything to ensure that there are no gaps or unnecessary overlaps
When you’re working as a group, but taking individual responsibility for specific aspects of a plan, it’s easy to make the mistake of assuming that someone else has covered something that you haven’t. Likewise, it’s just as easy for more than one person to cover the same thing. So do a final check for clarity and completeness—making sure that you’ve included provisions for security intelligence, analytics and monitoring, for example—to reduce unnecessary complexity and spending, and looking for opportunities to simplify ongoing monitoring, management, and real-time decision making across technologies.

Customer data stolen from retailer over 18+ months; at least 45 million records lifted
Estimated costs: Up to $900 million
Victim: Nationwide discount retailer
What happened: Apparently 45 million customer credit and debit card numbers were stolen from the company’s systems, although the true number of records stolen is difficult to determine, given the duration and nature of the incident. This data was sold to criminals and then used to make fraudulent purchases.
Why it happened: The company reportedly collected and stored unnecessary and excessive amounts of personal information for too long and relied on outdated encryption technology to defend the data. Hackers apparently gained initial access into the central database through unsecure wireless connections in retail stores. The company was subsequently found to be in violation of payment industry standards.
Damage done: This is reported to be the largest breach of its kind to get widespread media coverage. In addition to lawsuits, hefty fines, and remediation costs, the damage to reputation and other indirect costs is immeasurable.
Lessons learned: Regular, periodic re-evaluation of infrastructure and information risks is required as changing threats and technologies can render previously acceptable protections obsolete.
Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information, published articles.
Step 3: Prepare your response to the inevitable: a sophisticated attack
Once you’ve implemented your security policies, procedures and technologies to the best of your ability, it’s time to address how you’re going to handle a breach if and when it should occur. In fact, as one analyst recently observed, “Most large enterprise security administrators and chief information security officers understand that it is not a matter of if, but when their organization will experience a breach.”⁵

Develop a detailed and coordinated response plan
An organization needs a unified, cross-company policy and process for managing its response to an incident. If you already have a plan in place, have you tested your plan and determined its effectiveness lately?

Your incident response plan should specify how to stop an attack, identify what (if anything) was compromised, and calculate the financial and reputational impact. It should also offer guidelines for communicating with employees, any individuals whose information may have been compromised and the media.

Ensure you have access to the resources and tools needed to respond quickly
The longer it takes to resolve an attack, the more damage it’s likely to do, and the more it’s likely to cost. What’s more, about 78 percent of those senior executives responding to a recent IBM-sponsored survey on reputational risk say they recover from relatively minor incidents (such as a website outage) in less than six months. But it takes longer to recover from reputational damage due to cybercrime—partly because it can be harder to sell the message that the problem has been entirely fixed.⁶

It’s clear that having access to the resources or skills needed to actively respond to and investigate security incidents is key to reducing their impact. If your reputation is critical to your ability to conduct business, and you find that the nature of your business may heighten your risk to sophisticated attacks, you might want to consider employing ongoing threat monitoring and management. This approach uses technology designed to improve defense, automate incident response and conduct forensic analysis across a broad range of threats.

Take a consistent approach to assigning responsibility across the organization
Accept the fact that virtually all organizations will fall victim to a sophisticated attack of some sort, at some time. Make sure your incident response plan specifies who will need to do what—and how everyone will share information. Coordination across the enterprise is key to effective detection, remediation and containment. It’s important that everyone involved has a role to play—and knows what that role is. Determine which steps each stakeholder will take to prepare his or her area to help reduce the occurrence—and limit the extent—of sophisticated attacks.
Step 4: Promote and support a culture of security awareness
The job of securing an enterprise’s network continues to grow infinitely more complex as information pours in from thousands of devices and through scores of public web-based services. One study reports that 91 percent of enterprise smart phone users connect to corporate email, but only one in three is required to install mobile security software.⁷ In such an environment, access is easy for everyone involved—including criminals.

Create and support a risk-aware culture throughout your organization
It’s time to expand the mission of enterprise security, from the tech staff and their machines to every person within the company, and everyone who does business with it. Since each person poses a potential breach, each one must also represent a piece of the solution. In the end, success hinges upon promoting and supporting a risk-aware culture, where the importance of security informs every decision and procedure at every level of the company. That means secure procedures for data need to become second nature, much like locking the door behind you when you leave home.

Ensure that each employee knows what to do
The process of changing a company’s culture can be enormously challenging. But if you start by taking steps to communicate the real importance of helping to improve security and teach everyone how to recognize and report possible security problems, you will be heading in the right direction.

Payment processor suffers intrusion into core business, affecting 130 million customers
Estimated costs: Up to $500 million
Victim: Payment processor
What happened: Around 130 million customer credit and debit card numbers were stolen from a payment processing system, resulting in fraudulent transactions.
Why it happened: Malicious software was apparently inserted into the processing system and used to collect in-transit, unencrypted payment data while it was being processed by the firm during the transaction authorization process. Card data included card numbers, expiration dates, and certain other information from the magnetic stripe on the back of the payment card.
Damage done: This was a large, visible breach that also received widespread media coverage. The firm reportedly paid in excess of $140 million in direct costs related to legal judgments, settlements, and fees. And the company’s market capitalization reportedly dropped by nearly half a billion dollars in the three months following the event.
Lessons learned: Direct, forthright crisis response minimized client defection. The information shared and leveraged from an industry standards association strengthened the company’s security posture, allowing it to eventually recover its loss in market value.
Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information, published articles.
Our security essentials
At IBM, we are constantly striving to find the balance between improving the way we do business and the need to control risk. The company’s comprehensive response includes technology, process and policy measures. It involves 10 essential practices.

1. Build a risk-aware culture—where there’s simply zero tolerance, at a company level, when colleagues are careless about security. Management needs to push this change relentlessly from the very top down, while also implementing tools to track progress.

2. Manage incidents and respond—A company-wide effort to implement intelligent analytics and automated response capabilities is essential. Creating an automated and unified system will enable an enterprise to monitor its operations—and respond quickly.

3. Defend the workplace—Each work station, laptop or smart phone provides a potential opening for malicious attacks. The settings on each device must all be subject to centralized management and enforcement. And the streams of data within an enterprise have to be classified and routed solely to its circle of users.

4. Security by design—One of the biggest vulnerabilities in information systems comes from implementing services first, and then adding security on afterwards. The only solution is to build in security from the beginning, and to carry out regular tests to track compliance.

5. Keep it clean—Managing updates on a hodgepodge of software can be next to impossible. In a secure system, administrators can keep track of every program that’s running, be confident that it’s current, and have a system in place to install updates and patches as they’re released.

6. Control network access—Companies that channel registered data through monitored access points will have a far easier time spotting and isolating malware.

7. Security in the clouds—If an enterprise is migrating certain IT services to a cloud environment, it will be in close quarters with lots of others—possibly including scam artists. So it’s important to have the tools and procedures to isolate yourself from the others, and to monitor possible threats.

8. Patrol the neighborhood—An enterprise’s culture of security must extend beyond company walls, and establish best practices among its contractors and suppliers. This is a similar process to the drive for quality control a generation ago.

9. Protect the company jewels—Each enterprise should carry out an inventory of its critical assets—whether it’s scientific or technical data, confidential documents or clients’ private information—and ensure it gets special treatment. Each priority item should be guarded, tracked, and encrypted as if the company’s survival hinged on it.

10. Track who’s who—Companies that mismanage the “identity lifecycle” are operating in the dark and could be vulnerable to intrusions. You can address this risk by implementing meticulous systems to identify people, manage their permissions, and revoke them as soon as they depart.
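Practice 10 asks for systems that identify people, manage their permissions and revoke them as soon as they depart. The recurring way that lifecycle breaks is an account that outlives its owner, so a periodic reconciliation of the HR roster against the directory is the check a practitioner wants. The added example below (written for this page, not IBM code) does that join over a constructed roster and a constructed account export; every name, employee id, group name and the rule that group names ending in "-admin" or "-operators" are privileged are assumptions made for the example.

```python
"""Identity-lifecycle reconciliation: find accounts that should already have been revoked.

Added example, not code from the IBM paper. It joins a constructed HR roster
against a constructed account list and reports accounts whose owner has left,
accounts with no recorded owner, and accounts whose owner is unknown to HR.
"""
from datetime import date

# Constructed HR roster: employee id -> employment status and departure date.
HR_ROSTER = {
    "E1001": {"name": "A. Rivera", "status": "active", "left_on": None},
    "E1002": {"name": "B. Chen", "status": "terminated", "left_on": date(2012, 6, 30)},
    "E1003": {"name": "C. Okafor", "status": "active", "left_on": None},
}

# Constructed account inventory, shaped like a parsed directory export.
ACCOUNTS = [
    {"user": "arivera", "owner": "E1001", "enabled": True, "groups": ["staff"]},
    {"user": "bchen", "owner": "E1002", "enabled": True, "groups": ["staff", "finance-admin"]},
    {"user": "cokafor", "owner": "E1003", "enabled": True, "groups": ["staff"]},
    {"user": "svc-backup", "owner": None, "enabled": True, "groups": ["backup-operators"]},
    {"user": "old-temp", "owner": "E0999", "enabled": False, "groups": []},
]

# Assumption for this example: these group-name suffixes denote privileged access.
PRIVILEGED_SUFFIXES = ("-admin", "-operators")


def is_privileged(groups):
    """True if any group membership matches the assumed privileged naming convention."""
    return any(g.endswith(PRIVILEGED_SUFFIXES) for g in groups)


def reconcile(roster, accounts, today):
    """Return {username: finding} for every account that fails the lifecycle check.

    Findings carry the account's enabled state and privilege so they can be
    ordered for revocation; accounts with a current, active owner are omitted.
    """
    findings = {}
    for acct in accounts:
        owner = acct["owner"]
        base = {"enabled": acct["enabled"], "privileged": is_privileged(acct["groups"])}
        if owner is None:
            findings[acct["user"]] = {"issue": "no_owner", **base}
        elif owner not in roster:
            findings[acct["user"]] = {"issue": "owner_unknown_to_hr", **base}
        elif roster[owner]["status"] != "active" and acct["enabled"]:
            # A disabled account for a leaver is the expected end state; an
            # enabled one is an overdue revocation, measured in days.
            left_on = roster[owner]["left_on"] or today
            findings[acct["user"]] = {
                "issue": "enabled_after_departure",
                "days_since_departure": (today - left_on).days,
                **base,
            }
    return findings


def revocation_queue(findings):
    """Order usernames so enabled, privileged accounts come first."""
    return sorted(
        findings,
        key=lambda u: (not findings[u]["enabled"], not findings[u]["privileged"], u),
    )


if __name__ == "__main__":
    results = reconcile(HR_ROSTER, ACCOUNTS, date(2012, 8, 1))
    for user in revocation_queue(results):
        print(user, results[user])
```

Run against the constructed data as of 2012-08-01, the report lists bchen (still enabled 32 days after departure and a member of a privileged group), svc-backup (no owner on record) and old-temp (owner id not in HR, already disabled), in that order; arivera and cokafor pass. Ownerless service accounts are listed deliberately: an account nobody owns is one nobody will think to revoke.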
Figure 1. Ten essential practices: A successful security program strikes a balance that allows for flexibility and innovation while maintaining consistent safeguards that are understood and practiced throughout the organization. (The figure lists the ten practices: Build a risk-aware culture; Manage incidents and respond; Defend the workplace; Security by design; Keep it clean; Control network access; Security in the clouds; Patrol the neighborhood; Protect the company jewels; Track who’s who.)

Get started now—before your company becomes a victim
IBM X-Force reported just over 4,400 new security vulnerabilities for the first half of 2012. Assuming that this trend continued throughout the rest of the year, the total projected vulnerabilities would likely surpass the record of nearly 9,000, set in 2010. In addition, the rate of unpatched vulnerabilities for the first half of 2012 was the highest that IBM X-Force had seen since 2008.

Many organizations have had to deal with the fallout caused by password and personal data leaks. And these attacks have become increasingly sophisticated. For example, by obtaining small amounts of key personal data from public social media sites, attackers have been able to use clever social engineering “tricks” to gain unrestricted access to targeted accounts. They have even bypassed two-factor authentication by convincing mobile providers to relocate a user’s voicemail. So it’s not a matter of whether your company will become a victim, but when. In fact, 61 percent of the senior executives who participated in IBM’s recent study on reputational risk and IT said that data breaches, data theft and cybercrime posed the greatest threat to their companies’ reputations.⁸

It’s okay to seek help
It’s easy to feel overwhelmed when you consider what it takes to protect your organization from sophisticated attacks. There’s a lot to talk about, think about and worry about. But you just need to take it one step at a time. And you don’t need to go it alone.

IBM Security Services consultants can help you plan, implement and manage virtually all aspects of your security strategy. They’re senior security professionals who have honed their skills in both the public and private sectors, working in corporate security leadership and consulting, investigative branches of government, law enforcement, and research and development.
In addition to offering consulting services, IBM has helped to set the standard for accountability, reliability and protection in managed security services since 1995. These services are designed to help you enhance your information security posture, lower your total cost of ownership and demonstrate compliance by outsourcing the monitoring and management of your security operations to IBM, regardless of device type or vendor, on a 24x7x365 basis or as needed.

IBM Managed Security Services can provide the security intelligence, expertise, tools and infrastructure you need to help secure your information assets from Internet attacks around the clock, often at a fraction of the cost of in-house security resources.

Begin with a complimentary Security Health Scan
By now you’re probably starting to think about how vulnerable your company may be. You can get a glimpse with a complimentary Security Health Scan from IBM Security Services. Here’s how it works: IBM will scan up to 10 IP addresses or a web domain of your choosing once a week for three weeks, at no charge. You’ll receive a detailed analysis of the vulnerabilities that are found—classified by their level of severity—along with step-by-step instructions on how to remediate them. What’s more, for the duration of your scanning period you’ll have access to the IBM Managed Security Services Virtual Security Operations Center portal and all the intelligence and threat information it provides.

What would a Security Health Scan find at your company?
Here are sample Security Health Scan findings for several types of organizations, showing the average number of vulnerabilities found after just one of three consecutive weekly scans. It’s not a surprise to see that even the most secure companies can find they have significant exposures, sometimes on multiple fronts. In today’s dynamic business environment, where boundaries no longer exist, you’re more than likely to find at least some vulnerabilities and exposures.

Organization type                       Severe   Moderate   Critical
University                                 106          7         23
Insurance company                           86         11         17
Virtual hosting/web hosting provider       112         20         38
City government                            112         20          9