Advanced Cyber Incident Management: Designing a Framework for Disclosure of Security Incident Information


Master Thesis

CYBER CRISIS MANAGEMENT: A DECISION-SUPPORT FRAMEWORK FOR DISCLOSING SECURITY INCIDENT INFORMATION

by OLGA KULIKOVA
Student number 4122151
kulikova.o.j@gmail.com

Committee:
Dr.ir. Jan van den Berg, First Supervisor, Associate Professor at ICT section
Dr.ir. Wolter Pieters, Second Supervisor, Information security researcher at Energy&Industry
Prof. Dr. Y. H. Tan, Chair, Head of ICT section
Ronald Heil, External Supervisor, Senior Manager at KPMG IT Advisory

Master Programme Management of Technology
Faculty of Technology, Policy, and Management
TU Delft
July 12, 2012
DELFT

Olga Kulikova: Advanced Cyber Incident Management: Designing a Framework for Disclosure of Security Incident Information, © July 12, 2012

Dedicated to my dearest mom and dad. Without your love and support, I would have never made it this far.

ABSTRACT

The growing sophistication and frequency of cyber attacks, as well as the impossibility of completely securing IT systems, force modern companies to be prepared beforehand for cyber security incidents and data leaks. An advanced cyber attack can easily trigger a crisis that involves numerous internal and external stakeholders. The way a company disseminates security incident information among them is an essential part of incident mitigation. A proper incident disclosure strategy can significantly improve the timeliness and the effectiveness of incident response activities, while a poor strategy can lead to legal penalties and costly lawsuits. Incident information disclosure, hence, is becoming an important issue that requires good internal procedures in place to facilitate the incident response process and avoid causing further damage to a company and its audiences.

In this research project we determined four dimensions that shape organizational preferences regarding incident information disclosure: harm mitigation and prevention, regulatory compliance, cost-efficiency, and reputation. Together, they create challenges for a company when deciding to whom, when, what, and how to share incident information. After a thorough examination of existing recommendations on incident disclosure and of business needs, we developed a decision-support framework that provides step-by-step guidance for organizations on developing an appropriate incident disclosure strategy. The overall validity and reliability of the developed framework was tested using cyber incident scenarios and through an interview with a security expert.

The proposed framework provides structure to enable incident disclosure processes within a company, and, at the same time, it gives flexibility to customize the framework according to organizational business needs. The framework can be applied to all kinds of security incidents, but its main focus is on dealing with incidents of a cyber security nature. It incorporates strategic and tactical advice found in the literature, as well as organizational preferences and concerns regarding incident disclosure discovered through the interviews. The framework broadens the purely technical, "wall-and-fortress" approach to managing cyber security incidents. It increases a company's chances to successfully mitigate the consequences of such incidents and get the business quickly back on track.

ACKNOWLEDGMENTS

This research has given me an invaluable opportunity to meet and work with a lot of highly inspirational and professional people.

I would like to express my sincere gratitude and appreciation to my TU Delft supervisors, dr.ir. Jan van den Berg and dr.ir. Wolter Pieters, for their great mentorship and advice that provided guidance and direction for my thesis research. Your constructive criticisms, suggestions and encouragement sharpened my research skills and enhanced my writing experience.

I would also like to thank my KPMG supervisor, Ronald Heil, whose advice and suggestions enriched my knowledge and helped me better understand how the real world works. Thank you for your positive influence in growing my vision.

A great part of my gratitude goes to everyone from the ISC team of KPMG. My internship turned out to be an amazing learning experience in such a friendly and yet highly professional environment. Marek, special thanks to you for giving the valuable comments on my framework design, and the overall support during the internship. Jeroen, thank you for your contribution to our little stagiairs team: it was fun (except one shooting episode).

I would also like to thank all the interview participants who made this research possible by contributing their valuable time and expertise.

Finally, I want to thank my family and friends. You have all inspired me, helped me stay focused, and finish my research. Marcus, Kristian, Tony, Bassem, Paul, Elliot, many thanks for proofreading this report.

– Olga Kulikova
Amstelveen, June 26, 2012

CONTENTS

1. Introduction
1.1. Background and Motivation
1.2. Research Goal
1.3. Research Strategy
1.4. Thesis Structure

2. Cybersecurity challenges in modern corporations
2.1. Why cybersecurity?
2.1.1. Key Definitions
2.2. Getting real about cyber adversaries
2.2.1. Who are they?
2.2.2. What are they after?
2.2.3. What are their tools?
2.3. Defense against cyber crime. Shifting Perspective
2.3.1. Cyber Security Maturity Model
2.3.2. Cyber Crisis Management Solution
2.4. Summary

3. Incident disclosure challenges
3.1. Disclosure Defined
3.2. Why Plan for Incident Disclosure?
3.3. Internal and External Stakeholders. Who are they?
3.4. Four Dimensions of Incident Information Disclosure
3.4.1. Harm mitigation and prevention
3.4.2. Regulatory compliance
3.4.3. Cost-efficiency
3.4.4. Reputation
3.5. Cyber Incident Disclosure Challenges
3.6. Summary

4. Recommendations on cyber incident information disclosure
4.1. Strategic vs. Tactical advice
4.2. "To Whom"
4.2.1. Strategic advice
4.2.2. Tactical advice
4.3. "What"
4.3.1. Strategic advice
4.3.2. Tactical advice
4.4. "When"
4.4.1. Strategic advice
4.4.2. Tactical advice
4.5. "How"
4.5.1. Strategic advice
4.5.2. Tactical advice
4.6. Recommendations summary
4.7. Summary

5. Interviews
5.1. The target company
5.2. Approach
5.3. Key Findings
5.3.1. Overview
5.3.2. Harm mitigation and prevention
5.3.3. Regulatory Compliance
5.3.4. Cost-efficiency
5.3.5. Reputation
5.3.6. Business needs summary
5.4. Summary

6. Framework design
6.1. The Framework Prerequisites
6.2. The Decision-Support Framework
6.2.1. Design Approach
6.2.2. Incident Disclosure Strategy Flowchart
6.3. The framework as an integrative tool of previous findings
6.4. Summary

7. Framework evaluation
7.1. Framework Evaluation using Identified Challenges
7.2. Framework Evaluation using Security Incident Scenarios
7.2.1. Scenario 1: U.S. server goes down
7.2.2. Scenario 2: Attack on the industrial control systems of the chemical plant
7.2.3. Scenarios overview
7.3. Framework Evaluation through Expert Interview
7.3.1. The framework implementation possibility
7.3.2. The framework added value
7.3.3. Feedback Overview
7.4. Summary

8. Conclusions and contributions
8.1. Main Contributions
8.2. Research Limitations
8.3. Future research possibilities

A. Design science research method
A.1. Introduction to Design Science
A.2. Design Science Research Framework
A.3. Design Science Research Guidelines

B. Conflicting legal requirements due to multiple jurisdictions

C. Notice content

D. Tools and resources for incident communications

E. Interview outline and questions
E.1. General interview outline
E.2. Question examples to the coordinators

F. Potential impact definitions for security objectives

Bibliography

LIST OF FIGURES

Figure 1: Thesis Outline
Figure 2: Ever changing threat landscape
Figure 3: A shift towards advanced cyber attacks
Figure 4: Cyber Security Maturity Model
Figure 5: Cyber Crisis Management Process
Figure 6: Incident Response Stakeholders
Figure 7: Four Dimensions of Cyber Incident Information Disclosure
Figure 8: Interview Approach
Figure 9: The Generic Incident Notification Timeline
Figure 10: Incident Disclosure Strategy Flowchart
Figure 11: Incident Level Assessment Process
Figure 12: Incident Specifics Questionnaire Example
Figure 13: Incident Response Priority Sliders
Figure 14: Design Science Research Framework
Figure 15: Organisational Operations Across the Globe
Figure 16: Potential Impact Definitions for Security Objectives

LIST OF TABLES

Table 1: Incident Information Disclosure Challenges
Table 2: Message Mapping Template
Table 3: Strategic and Tactical Advice on the Incident Information Disclosure
Table 4: Integration of the previous findings in the framework
Table 5: Framework Solution for the Identified Challenges
Table 6: Design-Science Research Guidelines
Table 7: Data Breach Notification Goes Global

1 INTRODUCTION

He who tries to defend everything defends nothing.
— Frederick II, Holy Roman Emperor

My idea, in its entirety, is that if vile people unite and constitute a force, then decent people are obliged to do likewise; just that.
— Leo Tolstoy

1.1 Background and Motivation

Even the casual observer could have noticed the recent uproar over cyber attacks on governments and businesses worldwide. "Cyberwar Is Already Upon Us" or "A Digital Pearl Harbor Is Only a Matter of Time" are just a few headline examples of recent hot discussions over cybersecurity. The magnitude and impact of cyber attacks have risen significantly over the past decade, capturing widespread public attention and drawing into the discussion not only corporations and cyber specialists, but also media, politicians, and the general public. In 2012, cyber attacks are among the top five global risks in terms of likelihood [1], clearly becoming one of the major concerns for developed societies.

Most enterprise systems nowadays rely on computer infrastructures, whether for storing, processing, and transferring data, or for controlling and monitoring physical processes. It is a big, dynamic domain in which an enormous amount of innovation is going on; thousands of tools and applications are being developed on an ongoing basis to help companies meet their needs. All these technologies have multiple points of vulnerability, which give adversaries various opportunities to disrupt and paralyze IT systems or steal the valuable information they contain [3].

Different research studies have found that companies usually view cybersecurity as a technological task and focus on investing mainly in technical solutions to defend against cyber attacks, like employing intrusion detection systems (IDS) or log analysis [4, 5]. The reality is, however, that cyber criminals are constantly improving their targeting and approach at a speed which for many organizations is almost impossible to match [6]. Recently, Bloomberg Government conducted a study with 172 organizations in different industries and found that organizations "would need to increase their cybersecurity spending almost nine times over – to 46.6 billion from the current 5.3 billion – to achieve security that could repel 95% of known attacks." [7] Obviously, organizations cannot afford such spending to guarantee total security, so in the end, organizations are not only attacked often, but also attacked successfully [8, 6].

"Technology and the Internet confer great advantage on attackers. The cost, effort and risk to the attacker are low, the reward is high, and the targets are all in one place - the Internet." [2]

"There are two types of companies: those who know they have been attacked, and those who don't." FBI Director Robert Mueller.

A new challenge has emerged for modern enterprises: shifting the organizational focus in dealing with cyber incidents from purely technology-centric to process- and stakeholder-centric, in order to get a better handle on cyber incidents [9, 10]. Cybersecurity is no longer a technical discipline; it has evolved into a strategic concept, where effective incident management procedures have to be established to help companies reduce as much as possible the harm caused by serious cyber attacks [11].

It has long been acknowledged that an essential part of effective incident management is communication with stakeholders, since it can facilitate the incident response process, assure compliance, and influence external perceptions about the company [12, 13, 14]. During the process of mitigating the impact of an incident and possibly finding its causes, various parties need to be properly informed, such as infrastructure or application providers, third parties, or business representatives [15, 5]. In addition, countries worldwide are introducing regulations that require organizations to disclose certain incidents to audiences like affected individuals, government agencies, or law enforcement [16, 17, 18]. Finally, keeping external parties informed about the incident response process can help a company to repair a brand image damaged by the incident.

There are, however, certain disincentives for companies to disclose security incident information, such as fear of bad publicity, costly legal actions, or revealing too much data on their cybersecurity efforts. The fear of losing a good reputation is another disclosure barrier, since admitting a mistake could lead to loss of customers and negative public scrutiny in general. However, a company that decides not to share relevant information bears a significant risk that affected stakeholders will learn about the data leak from third parties or from the cyber attackers themselves. In this case, the consequences can be much worse, like a complete loss of clients' confidence or civil and criminal penalties for failure to report cybersecurity incidents. Complex interconnections between the people involved in security incidents, as well as changes in responsibilities during crises, when higher management takes over certain roles, make the situation even more difficult.

A good incident disclosure strategy can significantly improve the timeliness and effectiveness of incident response activities, reduce legal fines, and restore the confidence and trust of a company's key stakeholders. In contrast, a bad incident disclosure strategy can lead to legal penalties and costly lawsuits, and cause further harm to affected parties [16, 4]. Incident information disclosure is becoming an important, complex issue that requires good internal procedures in place to facilitate the incident response process and avoid causing further harm to a company and its audiences.

1.2 Research Goal

The decision-making considerations described in the previous section eventually form a big question for modern companies: how to create procedures for effective notification of stakeholders after a cyber attack. There is a critical need for a decision-support framework that will ensure incident information disclosure to internal and external stakeholders in line with both organizational goals and existing requirements. This framework should give an answer on when, what, how, and, most importantly, to whom to disclose incident information, within a company as well as outside it, to effectively mitigate the consequences of a cyber security incident.

The goal of this thesis research is defined as follows:

To design a decision-support framework on organizational disclosure of cyber security incident information to internal and external stakeholders that facilitates incident response in line with organizational goals and existing requirements.

Such a framework would provide step-by-step guidance for an organization on assessing the situation and finding the best solutions on how, what, when, and to whom to disclose cyber security incident information.

In order to gain a profound understanding of the problem environment and in-depth knowledge of current business goals and challenges, the following subquestions should be addressed prior to the framework development:

Q1 Why is cybersecurity a problem for modern organizations?
Q2 What challenges do organizations face when deciding on their incident disclosure strategies?
Q3 What recommendations are given in the literature on effective notification of external and internal stakeholders?
Q4 How does a real company perform cyber security incident management regarding information disclosure? What are the main preferences and concerns?
Q5 What should be the process of arriving at a disclosure strategy, taking into account information gathered from the previous questions?

1.3 Research Strategy

This master thesis is based on the Design Science research approach¹, elaborated in detail by Hevner et al. A design science project is a set of nested problems in which the top-level problem is always a practical problem. The main question of this research is a practical problem of designing an organizational decision-support framework, which is decomposed into a set of knowledge subproblems (Q1-Q4) and practical subproblems (Q5), introduced in the previous section.

This research is conducted in the following phases, aimed at answering the identified subquestions:

1. Problem conceptualization (Q1). In this phase the study focus is established. We discuss the challenges cyber attacks pose for modern enterprises, describe cyber adversaries and their tools, and the consequences of successful attacks. We show that proper incident information disclosure to internal and external stakeholders is becoming an important task for modern organizations in their incident response activities.
2. Problem analysis (Q2). In this phase we assess the current situation within organizations and identify the challenges they are facing when deciding on incident disclosure strategies. These challenges help to define what a good decision-support framework should deal with.
3. Synthesis of Practice-Oriented Theories (Q3). In this phase we summarize major recommendations on incident information disclosure from scientific articles and industry white papers with respect to the identified challenge categories. These recommendations are integrated in the framework design to assure the rigor of the study.
4. Comprehension of Business Needs (Q4). In this phase we gain insight into the current "state-of-the-art" of incident information disclosure. Results from semi-structured interviews are presented and critically examined in order to acquire a thorough understanding of business needs regarding incident information disclosure. These requirements are addressed by the framework to assure the research relevance.
5. Development stage (Q5). Here, we design the decision-support framework on cyber incident information disclosure in accordance with the acquired understanding of the business needs and the synthesized knowledge.
6. Evaluation stage (Q5). Here, we evaluate the framework by using cyber security incident scenarios and by asking for a security expert's opinion. The findings are relevant for future improvements of the framework design. They also set new research opportunities regarding cyber security incident disclosure.

¹ A detailed explanation of the Design Science research method can be found in Appendix A.

1.4 Thesis Structure

The thesis structure is aligned with the main research phases, as shown in Figure 1.

Figure 1: Thesis Outline

2 CYBERSECURITY CHALLENGES IN MODERN CORPORATIONS

2.1 Why cybersecurity?

We live in a world where enterprises worldwide have their critical databases connected to the Internet or rely on computer systems that monitor and control their operational processes. These business realities create a target-rich environment for cyber attackers across the globe [20]. Some attackers are interested purely in money, others in exposing or paralyzing the business operations of corporations and government agencies [6, 21]. The range of cyber adversaries varies from teen hackers to organized crime groups, industrial spies, terrorists, and even governments [22, 21].

Regardless of an attacker's identity or motivation, a successful intrusion could cost a company a lot of trouble: financial losses, data leaks, business disruptions, or infrastructure failures [22]. The global market is becoming more and more interconnected, with new stakeholders joining every day, meaning that a cyber attack on one company could easily trigger unexpected negative events in others [23]. Keeping information and operations secure, thus, is of vital importance for any enterprise, and this becomes the task of cybersecurity.

2.1.1 Key Definitions

In this research, we refer to cybersecurity as the body of technologies, processes and practices designed to protect organizational networks, computers, programs and data from attack, damage or unauthorized access [24]. Or, using information security attributes, cybersecurity seeks to ensure the confidentiality, availability, and integrity of digital information and information systems [25, 26].

When a company experiences negative cybersecurity events like data breaches, system interruptions, malware, or virus outbreaks, this can be referred to as a cyber incident. The precise definition of a cyber incident depends on the particular company. However, in broader terms, we can talk about an adverse event in an informational or operational system that causes harm, or attempts to cause harm, to an organization [27].

There can be different causes of cyber incidents. Natural disasters, like Hurricane Katrina, can create a cyber incident by cutting off the electrical supply of an organization and thus shutting down its IT systems [28]. In this case, it is said that the cause of the incident is unintentional. This master thesis, though, looks at cyber incidents that are intentional and caused by cyber attacks: deliberate human attempts to evade security services and violate the security policy of a system [27].

It is important to understand what kind of challenges cyber attacks create for modern companies. Being fully aware of who represents the cyber threat, what they can do, and what the impact of a cyber intrusion can be is the first step for any organization in designing its incident response procedures [22, 21]. The remaining part of this chapter is aimed at answering these questions.

2.2 Getting real about cyber adversaries

As long as information technologies have existed, there have been individuals or groups that use them inappropriately for different reasons. At the start it was mainly recreational hackers who liked to make some technology-based jokes or intrude into networks just for fun or for showing off. It was random activity that did not target specific companies. Hackers were not intending to cause harm to other computers, and some of them even developed and followed a hacker's ethic [29].

However, the changing ways of doing business have created new opportunities for people with criminal intentions. When computers and networks became an inevitable part of corporations, when large amounts of credit card numbers, account credentials, and other valuable information became reachable through the Internet, hackers realized that they could make money from it and began to organize criminal groups [29, 5]. Through online message boards, they started to share intrusion techniques and newly discovered vulnerabilities, reducing the marginal cost of cyber crime [6, 30]. Less technical skill has become required to take advantage of organizational networks. Before the world knew it, cyber crime had become a global activity, with participants from all over the world communicating anonymously.

The situation is getting worse. Nowadays money is no longer the main purpose of cyber attacks. The rich variety of information being stored on organizational servers and the different tools available to perform intrusions have allowed cyber adversaries to experiment with final attack goals. Besides, more and more operational technologies, like SCADA, are becoming accessible from the Internet and thus potentially vulnerable to assault. Cyber attacks are being used for espionage, industrial sabotage, or even as a sort of punishment for organizations who are doing business in a way not appreciated by hacker communities. Attacks have stopped being random; today many hackers know exactly whom they want to strike and are patiently waiting for the results [21, 23].

2.2.1 Who are they?

In general, the current literature on cyber threats distinguishes the following groups of cyber adversaries [31, 22, 23]:

Individual hackers. Individuals who make unauthorized attempts to bypass the security mechanisms of organizational informational and operational systems for their own specific purpose. They can be either insiders (disgruntled employees) or outsiders (individual phishers, spammers, malware authors).

Industrial spies. Individuals or groups spying to obtain secret information for commercial purposes, for example on science and technology. The goals of cyber espionage can vary from saving money on research and development to undercutting a competitor's tender.

Organized crime groups. Groups that use computer systems and the Internet as the main element to commit fraud, such as distribution of malware, phishing, and theft of valuable information such as credit card credentials. In the majority of cases, the goal is economic fraud, where there is an intention to steal money, property, or a legal right.

Hacktivists. Hacktivists are hackers who perform attacks for a politically or socially motivated purpose [5]. Actions of hacktivists are not aimed at individuals, but rather at companies or government entities, with an attempt to cause disruptions to their networks and services in order to bring public attention to some political or social cause. They are quite often referred to as white hats, since their main goal is not to commit crime but "to expose the corruption and greed inherent in the playbooks of big business and rogue regimes powered by hyper-capitalism and intent on plundering the natural resources of the planet." [32]

National governments. Governments that initiate state-sponsored espionage, for example for national security purposes, or deliberately perform sabotage in other countries as part of some political operation.

Terrorists. Terrorist groups that have moved to cyberspace with an intention to use computers, networks, and the public Internet to cause destruction and harm for political or ideological objectives.

2.2.2 What are they after?

"If you want to hit a country severely you hit its power and water supplies. Cyber technology can do this without shooting a single bullet." [33]

Gone is the time when cyber attacks targeted only financial institutions and agencies operating with personal information that can be stolen. Nowadays cyber attacks can also target operational industries like the water, oil and gas sectors, since these systems are more and more controlled using computing equipment that is connected to the Internet. The Stuxnet attack on the Iranian plant, for example, has become a wake-up call for the modern world, proving that critical infrastructures are also exposed to cyber attacks [11]. At this moment, the governmental concern about cyber attacks is becoming more understandable. While hacking commercial enterprises was seen as mainly their internal problem, attacks against control systems and critical infrastructures are extremely undesirable for societies as a whole.

A recent study on the purposes of cyber attacks revealed that intrusions to disrupt business and production processes happened more often than other ones [21]:

1. Disruption of business and production processes - 30.0%;
2. Access to money - 16.6%;
3. Obtaining information on intellectual property - 16.1%;
4. Access to third party information or systems - 14.6%;
5. Obtaining information concerning business operations, e.g. mergers and acquisitions - 12.1%;
6. Others - 10.6%.

It is crucial to discover which of a company's assets can be exploited by cyber attackers, not only from a financial point of view, but keeping in mind other attacker motivations as well. Security specialists mention the following goals of cyber adversaries as a checklist for an enterprise [22, 21, 23]:

- personal interests (showing off, revenge),
- financial interests (theft, business competition),
- intellectual property interests (espionage),
- ideological interests (political disagreement),
- state interests (policy makers' decisions, military strategies).

There is also a growing tendency towards multi-stage attacks, when cyber adversaries target a company just because it is in the middle of some value chain and can be used as a bridge to exploit other organizations [16]. Hence, a company's assessment of potential cyber attack goals should also cover important players in its value chain.

2.2.3 What are their tools?

Today's Internet gives a perfect opportunity to collaborate and exchange tools for criminal activity through social network platforms and file exchange websites. As a consequence, cyber attacks are becoming more standardized, automated, and easier to perform. Eventually, more sophisticated intrusions can be performed by less mature adversaries [9].

Figure 2: Ever changing threat landscape. Adapted from Walk.

Figure 2 illustrates the sophistication of hacking knowledge through the past decade and lists the most common tools used to perform attacks. New attack vectors have appeared, as well as new types of virus payload. It all started with attacks on personal computers, and now mobile devices and cloud computing are in the game as new ways of storing enterprise information. Organizations have to consider all possible types of cyber attacks, so significant technical knowledge is required to combat them, in contrast to the knowledge required for hacking.

In addition to the general sophistication of hacking tools, the nature of attacks has also changed from traditional to advanced ones. Robert Lentz, the CEO of Cyber Security Strategies, clearly explains the shift in his Cyber Security Maturity Model
