Beyond Disaster Recovery: Using BIA to Prioritize Cybersecurity Budget

image source: http://unisdr.org
Anyone who works as a cybersecurity professional has been in an organization that spends too much money, time, and resources on data or systems that don’t really matter. There are regulatory compliance requirements, which I will talk about later, but risk decisions can be made on all other cyber assets. The following are common questions asked by successful information security professionals:

“What do we actually care about protecting?”

“Which assets, data, and processes should we be focusing our time, money, and resources into?”

Luckily, there is already a cybersecurity tool that can be used to measure the importance of assets, data, and processes for the organization. It is often overlooked, since it is used in another area of focus: the Disaster Recovery Plan (DRP). In case you haven’t already figured out where I am going with this, the tool I am proposing for the identification and prioritization of focus areas is the Business Impact Analysis (BIA).

If your organization is up-to-date with their DRP, you should already have access to the BIA. Most of your work is already completed. If you don’t already have a DRP or a current BIA, I would suggest that you conduct the analysis as soon and thoroughly as possible, so you can knock out two pigeons with one pebble.

Now that you already have your BIA, you can filter out all the human, supply chain, and backup site information, as they are not applicable for this measurement. Continue filtering until you are left with data, assets, and essential business processes.

Next, as promised above, you should filter out the regulatory compliance requirements for your organization. You should already know what these are, but the most common types of data that should be protected, according to governmental regulation, are personally identifiable information (PII) and protected health information (PHI). Protection measures under regulatory compliance requirements are not negotiable, so these items should be placed at the very top of your prioritization list.

Now add the data, assets, and processes from the BIA to your prioritization list, in order from most severe to minimal impact.
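To make the filtering and ordering above concrete, here is an added example (not the author's code) that walks a set of constructed BIA records through the three steps: drop the human, supply chain, and backup site entries, pull regulated items (PII/PHI) to the top, and order everything else from most severe to minimal impact. The page does not prescribe a scoring scale, so the 1 to 5 impact score, the use of recovery time objective (RTO) as a tie-breaker, and the `regulated` flag are assumptions of this example.

```python
from dataclasses import dataclass

# Categories that stay on the cybersecurity prioritization list; the BIA's
# people, supplier, and alternate-site entries are filtered out.
IN_SCOPE = {"data", "asset", "process"}


@dataclass
class BiaEntry:
    name: str
    category: str        # data | asset | process | human | supply_chain | backup_site
    impact: int          # assumed scale: 1 (minimal) .. 5 (severe)
    rto_hours: float     # recovery time objective from the BIA; shorter = more urgent
    regulated: bool = False  # PII/PHI or similar non-negotiable regulatory scope


def filter_bia(entries):
    """Step 1: keep only data, assets, and essential business processes."""
    return [e for e in entries if e.category in IN_SCOPE]


def severity_key(entry):
    """Higher impact first; among equal impact, the shorter RTO first."""
    return (-entry.impact, entry.rto_hours)


def prioritize(entries):
    """Steps 2 and 3: regulated items at the very top, then the rest by impact."""
    scoped = filter_bia(entries)
    regulated = sorted((e for e in scoped if e.regulated), key=severity_key)
    others = sorted((e for e in scoped if not e.regulated), key=severity_key)
    return regulated + others


def report(entries):
    """Render the prioritized list as ranked lines with the reason for each tier."""
    lines = []
    for rank, e in enumerate(prioritize(entries), start=1):
        tier = "regulatory" if e.regulated else "BIA impact"
        lines.append(f"{rank}. {e.name} [{e.category}] impact={e.impact} "
                     f"rto={e.rto_hours}h tier={tier}")
    return lines


# Constructed sample BIA, not taken from any real organization.
SAMPLE_BIA = [
    BiaEntry("Customer PII database", "data", 4, 8, regulated=True),
    BiaEntry("Patient records (PHI)", "data", 5, 4, regulated=True),
    BiaEntry("Order processing", "process", 5, 2),
    BiaEntry("Marketing file share", "data", 1, 72),
    BiaEntry("Payroll staff", "human", 3, 24),
    BiaEntry("Cloud DR site", "backup_site", 4, 24),
    BiaEntry("Parts supplier portal", "supply_chain", 3, 48),
    BiaEntry("ERP server", "asset", 4, 8),
]

if __name__ == "__main__":
    for line in report(SAMPLE_BIA):
        print(line)
```

Running it prints the five in-scope items with the two regulated records first, followed by order processing, the ERP server, and the marketing share; the three filtered categories never appear. Swap in your own BIA export and scoring scale to get a list you can defend in a budget discussion.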

Congratulations! You now have a prioritized list that you can use to help determine where your time, money, and resources should be focused.

For further reading, please check out this detailed explanation on business impact analysis from TechTarget and this guide for determining applicable regulatory requirements for your organization by JURINNOV. As always, please let me know your thoughts in the “comments” section below. I always take pride in addressing comments and answering questions. After all, the best information protection efforts and advancement of the cybersecurity field are achieved through collaboration between like-minded people. Thank you for visiting!

Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.

Threat Actor Profile: Eastern European Coders, Crackers, and Hackers

image source: mashable.com

Hackers from Eastern European countries are credited as being the best in their field. They are very good at creating malware, cracking software (a term for enabling proprietary software use without purchasing a license), and hacking into individual and organizational systems to steal financial data and other personal information. Some might say that Chinese hackers operate with the goal of stealing governmental and trade secrets, while their Eastern European counterparts are after the contents of our wallets.

Technology

Typical personal computer systems in Eastern European countries are old, slow, and outdated. Either that, or they are built from do-it-yourself kits made by local manufacturers. To get anything to run correctly on these systems is a virtual miracle. Is it any surprise then, that programmers in Russia, Estonia, and other Eastern European countries are some of the best in the world? They are trained at an early age to write code that is lightweight, efficient, and effective. Key malware that has been used recently in high profile security incidents, including the Trojan Horse Bug, Turla, SNAKE, BlackEnergy, and BlackPOS, all originates from Eastern Europe. It should also be noted that these examples made headlines in the last six months and include only a very small portion of the new code that surfaces daily from the Eastern European cyber underground. Necessity has driven a new generation of programmers in the region to create extremely deadly and targeted code that leaves a very small footprint and goes undetected by intrusion detection mechanisms and antivirus/antispyware software.

Education and Labor Market

One of the most influential and impactful changes to Eastern European countries since the fall of the Soviet Union has been advancements in education, more specifically the maths and sciences. According to the PISA, Estonia’s educational system has moved from seventh in the EU (thirteenth overall) to second in the EU (sixth overall), in less than ten years. We should all congratulate their accomplishments, as well as that of other Eastern European countries that have seen similar success. While education has flourished however, employment rates in these nations have largely plateaued or even declined. Many young scholars are forced to turn their superior minds to work in the cyber underground, writing malware, stealing payment information, or otherwise contributing to the overwhelmingly dangerous capabilities of this hacker subculture.

Culture of Apathy

Recent historical struggles in Eastern European countries have created a hotbed for criminality. Young adults turn to organized crime and the criminal underworld for survival, and there is little that the respective governments can do to curb the problem. Instead, these governments (notably in Russia) turn to internal policy. As long as the attacks are not conducted against local organizations, they are virtually ignored. After all, how can a government rightfully prosecute criminality that is seemingly victimless and provides a means for its citizens to feed themselves without depending on social programs?

For further reading, please check out this document by VeriSign and this thesis by Justin Allen Wilmes. As always, please let me know your thoughts in the “comments” section below. I always take pride in addressing comments and answering questions. After all, the best information protection efforts and advancement of the cybersecurity field are achieved through collaboration between like-minded people. Thank you for visiting!