In this video, Kip Boyle discusses the necessity of being resilient to cyber attacks and cyber failures. Understand why resilience is a major goal of an information security program.
- [Instructor] Being resilient to cyber attacks and cyber failures is one of the four major goals of an information security program. Without enough resilience, a cyber attack or failure could result in damage severe enough that a company could be greatly hurt or even go out of business. Let's review a few high-profile cases to get a feel for what's at risk. Code Spaces was a software source code hosting and software collaboration platform with over 200 business customers.
In 2014, it was put out of business within 12 hours by a cyber attacker who deleted all their data and data backups. The attacker broke into Code Spaces' Amazon EC2 control panel and left extortion demands. When the attackers saw signs that Code Spaces was fighting back, they deleted the data, putting the cost of recovery out of reach. On February 5th, 2016, staff at Hollywood Presbyterian Medical Center discovered they were in the middle of an attack.
Many computer systems had been encrypted by malicious code and held for ransom. The attack forced the hospital to return to pen and paper for its record keeping for more than a week. The recovery began only after the hospital paid a $17,000 ransom. In 2012, malware partially wiped or totally destroyed the hard drives of 35,000 Saudi Aramco computers. Like at Hollywood Presbyterian, employees used pens, typewriters, and fax machines to run the massive company that handles 10% of the global oil supply.
It took the rapid purchase of 50,000 new hard drives and five months of hard work, but Saudi Aramco eventually came back online. In another case involving Sony Pictures, on November 24th, 2014, a hacker group which identified itself by the name Guardians of Peace leaked a large amount of Sony's confidential data. The data included personally identifiable information about employees and their families, emails between employees, information about executive salaries, copies of yet unreleased Sony films, and other sensitive information.
It took over six weeks to achieve the initial recovery and total costs may top $100 million. The studio resorted to fax machines, and paying its 7,000 employees with paper checks. Shortly after the data breach, the CEO resigned, which can be another major consequence of large cyber failures. In 2013, over 40 million credit and debit card accounts were stolen in the Target data breach. Shortly thereafter, a new CIO and then a new CEO joined the company.
Recovery costs hit $162 million as of February 2015. In April 2016, a German newspaper announced that 12.7 million confidential documents from the Colombian law firm, Mossack Fonseca, had been leaked to them by an anonymous source. The Panama Papers show how the firm's clients hid billions of dollars to avoid paying taxes. Vice.com called Mossack Fonseca the law firm that works with oligarchs, money launderers, and dictators.
The final case we'll look at involves damages at a national level. The Natanz uranium enrichment plant in Iran was attacked by a malicious piece of code called Stuxnet. Publicly revealed in 2010, Stuxnet sabotaged uranium gas enrichment centrifuges by silently manipulating valves to damage the devices as well as the enrichment process. It also sent fake data to the system's monitors showing all was well. Many credit this cyber attack with helping to bring the Iranians to the nuclear arms control negotiating table.
I want to wrap up this video with a couple of thoughts about the insidious nature of integrity attacks. Think about the power of Stuxnet and imagine the potential damage a data integrity attack could have against a hospital. By relying on inaccurate medical records, a doctor might prescribe the wrong drug or administer a dose that's too large or too small. Without accurate monitors on medical equipment, a patient could get an overdose of radiation. What about an integrity attack against the stock market, a major bank, or our electrical grid?
Helping your organization be resilient in the face of cyber attacks and cyber failures will become even more crucial in the future.
- Goals and components of an information security program
- Measuring and managing information risks
- Reducing risks to an acceptable level
- Using a workflow to organize your work
- Communicating progress with executives and stakeholders
- Demonstrating compliance