The big headlines have been all about Sony’s security breach, and the massive data leak that occurred. What you didn’t hear about was how large parts of their technology infrastructure were rendered unusable. Most of their workstations were severely infected and inoperable for at least several days (some for weeks) and a large portion of their network and server infrastructure was compromised. Even if the hardware was functional, everything still had to be taken offline, scrutinized and analyzed for evidence, reprogrammed, then finally redeployed. Qualified or not, Sony’s IT department had a gigantic mess to clean up, and they had to do this quickly (and improve security along the way) as the company was hemorrhaging money every minute their operations were offline.
If there is one thing that is certain (besides Death & Taxes), it is that hardware will fail, and probably at the worst possible time. Why it fails is not important – but how you recover from failure is critical and can mean the difference between an inconvenience and a catastrophe. Sony’s disastrous breach is more of an exception in terms of hardware failure – it’s unlikely every single machine in your company will fail at once, but there’s always the chance that a catastrophe – natural or man-made – can wipe out multiple machines at a time. Preventing this type of event from happening is largely beyond your control. What you can do is control how you recover from it, which is a mixture of preparation, training and flexibility.
- Have a current, offsite backup of all your critical data.
The words “offsite” and “current” cannot be emphasized enough. Onsite backups are better than no backups, but if they get destroyed alongside the equipment they were backing up, it’s the same as having no backups. Depending on your business, current can mean different things – old data might be better than no data, but it could still mean many hours of lost work to get back to where you were before the data loss, and then you have to make up for that lost time. Make sure you are backing up the right data as well. Backing up email that is already stored on a server (which is itself being backed up) is a waste of time and money that could be focused on backing up your work documents.
- Understand where your data resides.
Where is your data stored? Where is your email stored? What about your applications? You don’t have to understand the technical details, but you should know whether your data is stored onsite, offsite, in the cloud, or some mixture of all of the above. More importantly, you should know how to get to it – either from an alternate location and hardware, or – in the case of backups – who to contact to have data restored. If your critical business data resides at a single point of failure (e.g. your laptop hard drive), consider what would happen if you were to lose that laptop or if the drive was to fail.
- Document your infrastructure.
If your business or organization relies heavily on technology-supported processes, rebuilding your infrastructure from scratch could result in serious disruption, especially if it is built differently, and given the pace of technology advancement, this is almost a guarantee. Older equipment and software may not be replaceable, so plan for replacing them on a non-emergent timeline, and prepare your employees for the change. At minimum, you should know that even if you are able to get equipment and software quickly, there will still be a ramp-up period while everyone gets acclimated to the new environment. Making changes in a stable, calm environment is a lot less disruptive than doing so in a disaster recovery situation.
- Train yourself and your employees to be flexible.
While it may not be possible for all jobs and functions (and some businesses), the crux of disaster preparedness (and recovery) is knowing how to get things done with the tools you have at hand. Most folks don’t realize that their email can be accessed via other methods than the one or two ways they use currently. The same could be said for accessing organizational data. This is not to say that everyone needs to know exactly how to get it done (technology can be complicated, especially tech that isn’t used on a regular basis), but to be open to doing their jobs differently by using alternate tools and methods.
Whether your company relies on racks of equipment or a single laptop, all of the above applies. Catastrophes come in all shapes and sizes, but hardware failure is always a disaster when you are ill-prepared.
As many of you know, one of my specialties is framing complex technology concepts in more simple, human-relatable terms. When people have a better understanding of the tools they use, they have a tendency to use them more efficiently, effectively and to take better care of them. A thoughtful article in the Atlantic written by security guru Bruce Schneier got me thinking about cyber security and the internet in a new way.
Cyber attacks are something most people only comprehend at a conceptual level, but even high-profile victims and their big-budget investigations struggle to really understand what actually happened. In the case of the Sony attack, even the experts are still debating who was behind the attack, and it’s a definite possibility that we may never find out. As Schneier deftly points out, with physical attacks (criminal and political) there is usually a trail of evidence and witnesses that allow us to identify the weapons and attackers as well as motives.
Unfortunately, modern technology and the internet have made it possible to perpetrate large scale, damaging attacks that are difficult to see (even when they are underway), vexingly hard to counteract and sometimes impossible to trace back to the aggressor. In the case of Sony, does it even matter who was behind the attack? Would they retaliate? How? For those of us suffering under a never ending tide of smaller malware attacks held back by only the thinnest veneer of defenses, there’s no one person to arrest, group to disband or government to disrupt that will stop the onslaught. It’s largely anonymous, amorphous and pretty much dangerous to everyone who comes in contact with it.
It’s better to think of malware and cyber attacks as the digital equivalent of pollution.
It’s certainly a lot easier to visualize, and the analogies might help everyone understand and better prepare themselves for the next time they head out on the digital highway. It may also help organizations and governments frame their actions in a more productive manner. Even if North Korea was actually behind the Sony attack, is levying sanctions against them really going to stop future attacks? No. Neither will hacking their internet nor any other retaliation measure we could take. Why not invest efforts in combating internet “pollution” (you could lump hate speech in there as well!) – instead of putting fingers in a leaky dike, why not see if you can reduce the pressure causing the leaks?
It’s hard to imagine how the cyber equivalent of solar energy or the banning of CFCs might be able to stem the growing miasma of malware choking our technology, but maybe that’s because we are thinking about it the wrong way.
In the early days of malware, the most well-known viruses were designed to be noticed: at minimum they made themselves a nuisance through a variety of prankish behavior, all the way to the other extreme of destroying data (usually right after taunting you, just to make sure you noticed you got infected). Today, cyber criminals make their best money and achieve their political goals by going undetected for as long as possible, until they are ready to strike. Security firm Cylance has released a report that alleges networks of multiple companies considered to be critical infrastructure and/or highly sensitive – think airlines, natural gas producers, defense contractors – have been completely compromised and “owned” by an outside group suspected to be backed by the Iranian government. Through this coordinated campaign (also called an “Advanced Persistent Threat” – APT) dubbed “Operation Cleaver” by researchers, the unidentified group of hackers obtained complete control over the entire network infrastructures – all servers, network equipment and everything connected to them, and remained in control over the course of at least 2 years. The companies remain unidentified in the report, primarily for security concerns.
What this means for you:
In a conversation with a client today, we discussed the recent hacking takedown of Sony (another APT that completely owned their network), and why they made a more attractive target than my client who is only a fraction of the size. As mentioned above, malware was originally designed to wreak havoc in a chaotic fashion, but now that there is money or power to be gained from it, hackers are much more organized and pursuing targets which usually fall into one of two buckets:
- The average home computer user – easy to hack, but usually not worth much, except when campaigns net thousands of victims. The dollars add up quick.
- High-value companies or organizations – more difficult to hack, but once compromised, can result in significant monetary and political impact.
As you may have guessed, most small and medium-sized businesses fall squarely in the middle, and if they are hacked, it’s usually by malware aimed at the first group. HOWEVER, the client and I considered another possibility: what if the object was to destroy data in order to disrupt your business? Even with a culture steeped in Hollywood fantasies of corporate espionage and sabotage, it may still be hard to imagine a competitor stooping so low as to put out a “cyber hit” on your organization. Considering that we already know organized crime is elbow-deep in funding and profiting from malware attacks, maybe that threat isn’t as far-fetched as we might have hoped. Coordinated attacks like Operation Cleaver are typically backed by nation states, primarily because the resource requirements are steep, but a smaller, focused campaign to take out a small company could be handled by a single, freelance “cyber-hitman”. If I can imagine it, you can bet this is already happening. We just don’t know about it yet.
A new website named “HaveIBeenPwned.com” recently launched that indexes millions of accounts that have been exposed in some of the largest data breaches in the past 3 years, including the most recent data theft from Adobe, in which over 153 million accounts were dumped onto the internet. This website allows anyone to punch in their email address to see if their credentials were a part of the haul the data thieves looted in these attacks. Interestingly enough, I punched in my personal email address and discovered (as expected) my account was one of the 153 million exposed in the Adobe breach. Other breaches covered in this database include Yahoo, Sony, Stratfor and Gawker. If you happen to use any websites from those companies, it may be worth your while to check to see if you might have a password issue.
What this means for you:
If you happen to score one or more hits in the database on this website, and you know you’ve used the same password exposed in the above data breaches on other sites, you should stop using that password immediately and head out to change your other passwords ASAP. Even if you didn’t score a hit in the database, there are data breaches happening constantly, and computers have become strong enough to crack the encryption used to store and ostensibly protect those stored passwords. Where possible (and reasonable), you should be using unique, strong passwords for all your important web services, especially the ones that have access to your sensitive data and money. Programs like Passpack (what I use) and LastPass are indispensable tools to assist in making strong password use practical. Each has a bit of a learning curve and will take some getting used to, but the time spent will be a worthwhile investment in protecting yourself online.
Image courtesy of Salvatore Vuono / FreeDigitalPhotos.net.