IT And Disaster

by msecadm4921

Companies are at risk from inadequate IT security disaster recovery planning and testing.

So says a recent report from IT security product firm Symantec.

While 91 percent of IT organizations carry out full scenario testing of their disaster recovery plans incorporating relevant people, processes and technologies, nearly half of those tests fail. This high incidence of disaster recovery testing failures puts companies at increasing risk of negative and expensive consequences if a disaster disrupts mission critical applications and services, the IT firm claims.

The study also found that the most feared consequences of disasters among IT professionals include suffering harm to their company’s brand and reputation, negative impact on overall customer loyalty, damage to their competitive standing and loss of company information.

Disaster recovery plans have traditionally been documents that companies hope they will never have to use. According to the IT company, the survey findings suggested that nearly half of IT organizations have had to execute their company’s disaster recovery plans. Though the respondents polled recognize that planning and testing are important, many IT professionals have failed to put proper measures in place to ensure disaster recovery plans meet critical recovery time objectives (RTOs) and recovery point objectives (RPOs). According to the research findings, 48 percent of organisations have had to execute their disaster recovery plans.

Also, 44 percent of organisations without a disaster recovery plan experienced one problem or disaster, while 26 percent experienced two or more, and 11 percent experienced three or more.

The findings also suggested that 69 percent of respondents are concerned about suffering damage to their company’s brand and reputation, 65 percent fear harm to overall customer loyalty, 65 percent are concerned about the impact to their competitive standing, and 64 percent worry about losing company data in the wake of disasters.
Despite these concerns, the rigorous legal requirements and the severe fines companies can face by not ensuring that they have adequate disaster recovery plans in place, the study also indicates that 77 percent of CEOs are still failing to take an active role on disaster planning committees.

Findings Reveal Incomplete Disaster Recovery Planning and Testing

Although a majority of respondents stated that they do test their disaster recovery plans, respondents surveyed indicated that even when tests do work, plan testing as well as probability and impact assessments are not comprehensive, leaving lingering concerns about the actual effectiveness of their efforts.

While 88 percent of IT professionals polled carried out a probability and impact assessment for at least one threat, only 40 percent carried these out for all threats, and 12 percent did not carry out a probability and impact assessment for any threat. Configuration change management was the least assessed threat area, and only 42 percent of respondents who felt exposed to this threat actually carried out a probability and impact assessment for it.

Failure to plan

A variety of concerns have prompted IT organisations to create a disaster recovery plan, with 69 percent citing natural disasters, 57 percent naming virus attacks and 31 percent specifying war and/or terrorism. Respondents also feel exposed to IT-specific threats, with 67 percent citing computer failure and 57 percent naming external computer threats. However, while 89 percent of respondents have agreed upon acceptable levels of risk with non-IT business executives in their organization, only 33 percent have done so for all the threats to which they feel exposed.

Need for strategies

To help ensure business continuity, Symantec recommends that organisations adopt disaster recovery strategies that ensure application and data availability across any physical or virtual platform and distance.
Symantec offers industry leading solutions and services to help organisations build disaster recovery strategies. These solutions include data protection, server provisioning, application clustering, storage management and replication offerings.

What they say

“IT executives are taking a fresh, hard look at their disaster recovery and business continuity strategies,” said Sean Derrington, director, storage management product marketing, Symantec. “To protect against downtime, organizations must implement high availability and disaster recovery across their enterprise environments. They must also maintain procedures for non-disruptive disaster recovery testing that continually evaluate the effectiveness of their disaster recovery strategy without impacting the production environment.”

Cyber criminals are increasingly becoming more professional – even commercial – in the development, distribution and use of malicious code and services. While cybercrime continues to be driven by financial gain, cyber criminals are now utilizing more professional attack methods, tools and strategies to conduct malicious activity.

“As the global cyber threat continues to grow, it has never been more important to remain vigilant and informed on the evolving threat landscape,” said Dan Lohrmann, chief information security officer, State of Michigan. “Symantec’s Internet Security Threat Report continues to provide us with critical information on the most current online security trends, helping us better protect our state’s infrastructure and citizen information.”

During the reporting period of January 2007, through June 30, 2007¹, Symantec detected an increase in cyber criminals leveraging sophisticated toolkits to carry out malicious attacks. One example of this strategy was MPack, a professionally developed toolkit sold in the underground economy.
Once purchased, attackers could deploy MPack’s collection of software components to install malicious code on thousands of computers around the world and then monitor the success of the attack through various metrics on its online, password protected control and management console. MPack also exemplifies a coordinated attack, which Symantec reported as a growing trend in the previous volume of the ISTR where cyber criminals deploy a combination of malicious activity.

Phishing toolkits, which are a series of scripts that allow an attacker to automatically set up phishing Web sites that spoof legitimate Web sites, are also available for professional and commercial cybercrime. The top three most widely used phishing toolkits were responsible for 42 per cent of all phishing attacks detected during the reporting period.

“In the last several Internet Security Threat Reports, Symantec discussed a significant shift in attackers motivated from fame to fortune,” said Arthur Wong, senior vice president, Symantec Security Response and Managed Services. “The Internet threats and malicious activity we are currently tracking demonstrate that hackers are taking this trend to the next level by making cybercrime their actual profession, and they are employing business-like practices to successfully accomplish this goal.”

Increase

During the reporting period, Symantec detected attackers indirectly targeting victims by first exploiting vulnerabilities in trusted environments, such as popular financial, social networking and career recruitment Web sites.

Symantec observed 61 percent of all vulnerabilities disclosed were in Web applications. Once a trusted Web site has been compromised, cyber criminals can use it as a source for distribution of malicious programs in order to then compromise individual computers. This attack method allows cyber criminals to wait for their victims to come to them versus actively seeking out targets.
Social networking websites are particularly valuable to attackers since they provide access to a large number of people, many of whom trust the site and its security. These Web sites can also expose a lot of confidential user information that can then be used in attempts to conduct identity theft, online fraud or to provide access to other websites from which attackers can deploy further attacks.

Rise in Multi-Staged Attacks

During the first six months of 2007, Symantec observed an increase in the number of multi-staged attacks which consist of an initial attack that is not intended to perform malicious activities immediately, but that is used to deploy subsequent attacks.

One example of a multi-staged attack is a staged downloader that allows an attacker to change the downloadable component to any type of threat that suits the attacker’s objectives. According to the ISTR, Symantec observed that 28 of the top 50 malicious code samples were staged downloaders. Peacomm Trojan, mostly known as Storm Worm, is a staged downloader that was also the most widely reported new malicious code family during the reporting period. In addition to serving as an attack toolkit, MPack is an example of a multi-staged attack that included a staged downloader component.

Additional Key Findings

The Symantec Internet Security Threat Report, Volume XII covers the reporting period of January 2007, through June 30, 2007.

Credit cards were the most commonly advertised commodity on underground economy servers, making up 22 percent of all advertisements; bank accounts were a close second with 21 percent.

Symantec documented 237 vulnerabilities in Web browser plug-ins. This is a significant increase over 74 in the second half of 2006, and 34 in the first half of 2006.

Malicious code that attempted to steal account information for online games made up 5 percent of the top 50 malicious code samples by potential infection.
Online gaming is becoming one of the most popular Internet activities and often features goods that can be purchased for real money, which provides a potential opportunity for attackers to benefit financially.

Spam made up 61 percent of all monitored e-mail traffic, representing a slight increase over the last six months of 2006 when 59 percent of e-mail was classified as spam.

Theft or loss of computer or other data-storage medium made up 46 percent of all data breaches that could lead to identity theft. Similarly, Symantec’s IT Risk Management Report found that 58 percent of enterprises expect a major data loss at least once every five years.


© 2024 Professional Security Magazine. All rights reserved.