Preparing for the Worst in Cyber Security

To preparedness and emergency-response professionals, proper planning is essential to the execution of every mission.  Their organizational mandate is wide in scope and incredibly complex, but relatively simple at its core: Imagine the worst possible scenarios and take them into account to ensure that the organization’s readiness to respond is not diminished in the unlikely event any of those scenarios occur.  

This is particularly true if the organization has a vital role to play in the protection of national health and human life. Whether the scenario postulated is a natural disaster, a pandemic outbreak, riot control, or an act of domestic or international terrorism, the organization or agency should have very carefully – and in advance – developed, documented, and tested its response plans.

Even if all this is done, though, there still might be one critical type of “unnatural” disaster scenario that many emergency-response professionals have not considered thoroughly: a failure to protect the organization’s own IT (information technology) security strategy and its resilience to cyber attacks.  This oversight could easily jeopardize the organization’s ability to respond effectively.

Trojan Horses vs. Imperfect Science

Because of the importance of IT systems, many organizations in the preparedness and emergency-response field are ideal targets for cyber attacks. The information managed and used by these organizations is of immeasurable value for a number of potentially harmful purposes. State-sponsored agencies, organized crime, and other malicious entities desire access to the organization’s IT information so that they can exploit it when planning potential attacks against national, state, and/or local infrastructures or commercial targets of interest.  

Those attacks might and probably would include, among other things: network and system reconnaissance and the gathering of intelligence about the organization; the insertion of “Trojan Horse” programs that could be used to control the organization’s systems (or to steal sensitive data); and/or the installation of destructive programs that might be used to deny the availability of these systems to their legal users during a period of critical need.  In any time of crisis, this added destruction, misappropriation, or denial of service to the IT and/or telecommunications systems of the emergency-response community could create grave problems for citizens dependent upon those services.

As with disaster-preparedness and business-continuity planning, the protection of IT security is an imperfect science – i.e., there is no way to create either a perfectly secure or “hardened” network infrastructure or a totally risk-free IT environment. However, there are sound and prudent approaches for discovering and managing IT risk that address these advanced and evolving threats, and that can help preparedness security professionals and emergency-response organizations build resilience into their IT systems and networks.

The Key Question in Risk Management: What Matters Most?

To close this cyber-security gap and to protect the organization’s information assets, IT staff must not only understand the threat environment, but also plan and prepare to cope with potentially major cyber security problems.  Best practices today in information security include the deployment of advanced network and system-level monitoring and risk-discovery systems both on organizational networks and on individual workstations and servers that can help alert the IT staff to the types of attacks mentioned earlier.  Senior managers should think of these monitoring devices as alarm systems that would: (a) notify the organization of the presence of advanced threats; and (b) permit the IT staff to take action before a cyber problem affects a critical IT asset needed by the emergency responders.

Ideally, the monitoring and IT risk-discovery infrastructure would be able to do any and all of the following: (1) Capture and analyze all inbound and outbound network data crossing the wires (to detect the numerous types of advanced threats that exist today); (2) Discover mission-critical data on all workstations, servers, and other “host” devices in the organization; (3) Evaluate the specific security condition of these IT assets; and (4) Alert, notify, and report the various software applications that can interface with the organization’s own communication systems (to ensure that IT staff not only can receive timely information but also take immediate action to deal with potential threats, vulnerabilities, and the IT risks that are of the greatest importance).

There are many types of cyber security-related issues that IT staff should monitor on a 24/7 basis.  Cyber risks can come from inside or outside of the network.  When thinking about IT risks to the organization, it is useful to consider problems from a business point of view, and in that context see how increased monitoring and risk discovery may provide greater visibility into potential issues.  Following are several IT “risk questions” that might well be asked to help determine the potential implications of a negative or at least suspicious finding:

  • Why are data leaving the network to organizations or countries with which there are no legitimate business needs for communications?
  • Why are large amounts of data being transferred in the middle of the night or during non-work hours?
  • What are these new network services or applications running on the IT infrastructure?
  • Which end-users on the network seem to be trying to evade organizational security policies by downloading inappropriate programs or files and/or by using rogue encryption?
  • Who is carrying out research on firearms, other dangerous materials, or terrorist groups?
  • Who seems to be storing or transmitting personal data on other employees (or on persons unknown) in violation of federal, state, or local regulatory requirements?
  • What systems possess the largest concentration of sensitive or citizen data, but the weakest security controls?

For the preparedness or emergency-response professional, the availability, reliability, and resilience of the organization’s IT assets can literally mean the difference between life and death in times of crisis.  In today’s world, unfortunately, organizations must plan for the worst-case scenario when considering how best to protect their information systems and IT assets. Implementing the recommendations above, particularly those related to the installation of a robust monitoring and IT risk-discovery infrastructure, can help any organization’s preparedness and emergency-response professionals not only protect their systems and networks from harm but also plan more effectively to avoid future cyber emergencies.

Amit Yoran

Amit Yoran, chairman and CEO of NetWitness, has been serving in those posts since November 2006. Prior to joining NetWitness, he was director of the US-CERT and National Cyber Security Division of the U.S. Department of Homeland Security, and before that was CEO and advisor to In-Q-Tel, the venture-capital arm of the U.S. Central Intelligence Agency. He also previously served as the vice president of Worldwide Managed Security Services at the Symantec Corporation. Yoran was the co-founder of Riptech, a market-leading IT security company, and served as its CEO until it was acquired by Symantec in 2002. A former U.S. Air Force officer—and member of the Department of Defense’s Computer Emergency Response Team—Yoran also serves as a commissioner on the CSIS Commission on Cyber Security for the 44th Presidency and on numerous other industry advisory bodies.



No tags to display


Translate »