

Business Continuity and the Cloud

When major issues arise, cloud services often play a major role in allowing an organization to get back up and running with a distributed workforce or from an alternative location, but security should not be compromised in favour of restarting operations.

Business continuity (BC) is a many-headed beast, because it covers so many areas of business operations. As well as carrying out business continuity planning (BCP) across the organisation as a whole, each of the core functions must do its own function-specific BCP and integrate it as part of the larger plan. Which is fine, but to do BCP properly requires training and experience in the techniques of how to do it – so the various functional subject matter experts (the CFO, the head of IT, the HR director, the head of facilities, and so on, and so on) find themselves becoming de facto subject matter experts in BCP too.

No surprise, then, that this logic extends to CISOs and their teams. But BCP in a cyber context is something of a special case because cyber risk tends all too frequently toward a risk manager’s worst nightmare – where a tiny action or seemingly trivial mistake, such as clicking on a bogus link in an email, can lead to utter catastrophe with regard to data losses and system outages. Then just as we have decided cyber BCP is hard enough, we decide to extend our infrastructure into the cloud, where we have less control over it than our on-premise kit.

Integrating the Cloud into Business Continuity Plans

How, then, do you deal with the challenges of doing cyber-related business continuity in the cloud?

The first half is Cyber Risk Management 101 – the bit where you list your information assets, assess and evaluate the risks to those assets, then put mitigation in place (which usually involves implementing controls – policies and procedures – around how to work with the information assets, and deploying tools to provide defences and to help control the blast radius in the event of a successful attack). That is also a risk management issue. There’s also the issue of determining what can remain in the cloud, what can be moved to the cloud etc. in order to facilitate an eventual return to service, especially if the incident prevents staff from working normally (be that using their regular hardware and/or their regular place of work).

Business continuity is primarily about how you deal with something bad happening once it’s happened. Of course, the risk management element helps prepare you for how you act afterwards (after all, the incident response team can’t decide, for instance, to fail your core apps over to a different region if you didn’t configure redundancy as part of risk management) but BC is the in-the-moment activity.

Step one in responding to a cyber attack, then, is the same as for any incident response: mobilise the incident response team. If you’ve built the response team sensibly it will comprise people who are skilled at incident response: the average decent response team probably doesn’t have subject matter experts (SMEs – IT people, lawyers, HR staff, cyber specialists) because the team exists to run the incident as a generic thing. In its smallest form you’ll have an incident manager (key skills: leadership, rationality, calmness under pressure and organisation), an administrator (for taking notes, keeping an eye on the clock, contacting SMEs when the time comes, supporting the rest of the team) and a comms specialist (good communication with staff, customers, the press, the board and anyone else relevant is the difference between a decent incident response and an utter disaster).

Once the team has convened – which might be electronically in the first instance – the first question to ask is perhaps slightly surreal: do we actually have an incident on our hands? Generally speaking, if a company has the approach of: “If you think it’s an incident but you’re not sure, invoke a response anyway” then they’re on the way to a good incident response regime.

Once it’s been decided that yes, it probably is an incident, this is when the incident team will call on the SMEs. Now, we just said they don’t necessarily have any particular expertise outside managing incidents, so the rule is: overdo it. If there might be an IT angle, call the IT SME. If there’s a sniff of cyber, call the cyber SME. Potential legal angle? Mobilise the SME. It’s a good move to get people in from the start then send them home if they turn out not to be needed.

The Role of the Cybersecurity SME

As a cyber responder, expect to be called out for the majority of incidents. The problem with business incidents is that pretty much anything that goes wrong could potentially be a result of a cyber attack. Building on fire? Maybe someone hacked something in the plant room. Web site giving weird behaviour? Could have been compromised. Email server not working? DDoS, perhaps. Of course, some suspicions are a bit of a leap of faith, but if the team starts thinking that the idea of a cyber attack is a bit far-fetched, ask them whether they ever got hacked via the thermometer of their fish tank.

On the other side of the coin, if the team thinks it could be a cyber attack, always call up the IT team as well. The cyber team will have tools at its disposal for diagnosing the cyber element of incidents (SIEM and SOAR systems, the console of the malware system, the management portal of the web filtering and inbound email defences, and so on) but generic IT support is essential. As a cyber responder you will need to know things like what connections are established on the VPN and what remote entities have called in on the internet connection this afternoon: answering these queries is an IT job, and the cyber team probably don’t have enough access to the core network to find out for themselves.

Task one is to figure out what’s going on – and again, this is a relatively high level task because detailed forensic investigation can take hours, days or (if you’re unlucky) weeks. What you’re really looking for is the blast radius – the magnitude of the attack. Take a ransomware attack, for example (still top of the list of most likely attack types): is one PC encrypting one folder tree, or do files seem to be changing all over the place under instruction from many user devices? Blast radius dictates the severity of the action you’ll take to contain the attack: a good cyber response plan will contain procedures that cover all the reasonably likely mitigating actions, from killing a single rogue process on a single server via the EDR tool right up to powering down (in a virtual sense) your whole IaaS infrastructure. And guess what: you’ll need the IT team here too, because your cyber team probably have neither the skills nor the access to take many of these actions.
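As an added illustration (not part of the original article), the first-pass blast-radius question above can be answered from file-change audit events by counting which hosts are mass-modifying files and how many folder trees they touch. The event tuple format, thresholds, host names and tier labels below are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BURST = 20                     # assumed: changes by one host inside WINDOW that count as mass modification
WINDOW = timedelta(minutes=5)  # assumed sliding window

def tree(path, depth=2):
    """Top of the folder tree: /shares/finance/q1/a.docx -> /shares/finance."""
    return "/" + "/".join(path.strip("/").split("/")[:depth])

def noisy_hosts(events):
    """Return {host: folder trees it touched} for hosts reaching BURST changes within WINDOW."""
    per_host = defaultdict(list)
    for ts, host, path in sorted(events):
        per_host[host].append((ts, path))
    flagged = {}
    for host, changes in per_host.items():
        start = 0
        for end in range(len(changes)):
            while changes[end][0] - changes[start][0] > WINDOW:
                start += 1                      # slide the window forward
            if end - start + 1 >= BURST:
                flagged[host] = {tree(p) for _, p in changes}
                break
    return flagged

def blast_radius(events):
    """Map the spread to a coarse tier (tier labels are illustrative, not a standard)."""
    flagged = noisy_hosts(events)
    if not flagged:
        return "none", flagged
    trees = set().union(*flagged.values())
    if len(flagged) == 1 and len(trees) == 1:
        return "single-host-single-tree", flagged
    if len(flagged) == 1:
        return "single-host-multi-tree", flagged
    return "multi-host", flagged

# Constructed sample data: (timestamp, host, path) file-modification events.
T0 = datetime(2024, 1, 1, 9, 0)
def burst(host, folder, n):
    return [(T0 + timedelta(seconds=i), host, f"{folder}/file{i}.docx") for i in range(n)]

ONE_PC = burst("pc-017", "/shares/finance/q1", 40) + burst("pc-022", "/shares/hr/forms", 3)
MANY = ONE_PC + burst("pc-031", "/shares/hr/payroll", 30) + burst("pc-044", "/shares/legal/contracts", 25)

if __name__ == "__main__":
    for name, sample in (("ONE_PC", ONE_PC), ("MANY", MANY)):
        print(name, blast_radius(sample))
```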

In real life, identification and containment tend to be the core activities for the cyber team, because cleaning up systems and restoring service is the bailiwick of the IT group. This doesn’t mean the cyber team can head off home, of course, just that their role flips from leading to advising: a wise IT team will take counsel from the security specialists with regard to what they should be doing. Never forget that what looks like a sole attack could well be a distraction from other, sneakier attacks, so the security group need to continue watching to be sure that this is not the case.

So far, so IT and cyber. But remember what we said in the first paragraph: “subject matter experts … find themselves becoming de facto subject matter experts in BCP too”. As a cyber specialist, incident response is an inevitable part of your job: we suspect nobody reading this knows an experienced cyber specialist with a history of zero real-life incident responses. And if you know you will eventually be part of a response team, it makes sense to understand how responses work. Maybe take a course in business continuity, or perhaps look to certifications like the CISSP, domain 7.6 of which covers the fundamentals of how to respond to incidents.