Information Security Matters: It's About (Down)Time

Author: Steven J. Ross, CISA, CDPSE, AFBCI, MBCP
Date Published: 1 September 2022

Avid readers of this column (you two know who you are) know that I often quote the results of two annual international surveys concerning data breaches: the IBM Security Cost of a Data Breach Report1 and Verizon's Data Breach Investigations Report.2 Note that both of them refer, although they do not say so explicitly, to breaches of data stored in electronic form for use by computer systems.

Through in-depth research, I determined what the word "breach" means. (Well, I looked it up in a dictionary.) A breach is an infraction or violation of a law, obligation, tie or standard. Breaches are gaps; broken, ruptured or torn conditions or areas. In this context, breaches imply failures of security that allow information that should be kept confidential to be discovered.3, 4 In other words, they concern the taking of data. What the term "breach" does not address is the cost of being unable to operate a business because data is unavailable.

The Cost of Downtime

I am not aware of any research into the cost of downtime comparable to the two referenced studies. Those reports deal primarily with intentional acts by cyberattackers and other miscreants. Although errors and accidents are also tracked,5, 6 most of what they cover is malicious activity. Notably, ransomware is shown in the IBM Security study to have an average cost of US$4.62 million per incident,7 including escalation, notification, lost business and response costs, but not including the ransom itself.8 I believe (although without evidence) that for private-sector organizations, the cost of not being able to conduct business operations is the overwhelming proportion of those losses, although for government agencies that cost is impossible to calculate. I think that US$4.62 million figure is too low.

In the absence of verifiable financial information on the cost of malicious downtime, let me share my own estimate for one incident. The ransomware attack experienced by the US company Colonial Pipeline has been well publicized. The company's annual revenue is US$1.32 billion.9 Since gas is consumed every day of the year, the company's average daily revenue is about US$3.62 million. The attack began on 6 May 2021 and lasted until 12 May 2021, so the pipeline was fully or partially shut down for at least five days. For estimating purposes, let us assume that Colonial Pipeline was still able to move 50 percent of its gas. That works out to a loss of revenue of more than US$9 million (5 days × US$3.62 million × 50 percent). This is one attack on one company, which is why, to my mind, the economic consequences of forced downtime overwhelm those of other sorts of cyberattacks.

Data Center, Cloud, SaaS and Distributed Downtime

But ransomware is only one cause of extended downtime. Natural and human-caused outages have plagued information technology since the Eniac10 first fired up its vacuum tubes. So, every IT executive has instituted a thorough, well-tested, up-to-date IT disaster recovery plan.

Well, actually, no. Certainly, some have. But contemporary application and infrastructure portfolios are a congeries of on-premises, cloud-based, software-as-a-service (SaaS) and distributed systems. Can any organization truly say it is confident that it can recover all of its systems quickly?

As enterprises run fewer and fewer applications and store less and less data in internal data centers, the economic justification for the recovery plans put in place a decade ago or less becomes increasingly tenuous. It may simply not make sense to maintain an alternate data center when the primary one is being phased out. This is especially the case for those who built recoverability around commercial recovery services. (At the time of writing, the largest of these services had filed for bankruptcy protection in Canada, the United Kingdom and the United States.11 In the near future, using a commercial hot site may not even be an option.)

Much of what once ran on premises now runs in the cloud or, more specifically, in data centers operated by commercial cloud service providers (CSPs). The architecture of the cloud enables rapid failover from a primary to a secondary data center should the former be incapacitated, and most, if not all, CSPs have built highly resilient sites. Still, enterprises that use the cloud as their data centers must themselves plan and pay for data centers in geographically distant regions, along with sufficient bandwidth and wide-area route diversity. Not all do. Disaster recovery in the cloud is achievable, but it is not a given.

SaaS vendors realize that the resilience of their services is a strategic necessity, but they are not immune to outages either. Recent cyberattacks on SaaS providers have had widespread ripple effects among their customers.12, 13 Prospective buyers should determine whether and how their providers ensure uptime. They should also prepare themselves to build workarounds should the SaaS applications they use go down.

It should come as no surprise that distributed servers and personal computers can also be attacked and fail. Malware such as Shamoon,14 Shamoon II,15 Petya, WannaCry and NotPetya16 offers all the proof necessary.

The “So What?” Factor

Anyone who has read this far may well be saying, "OK, downtime is a bad thing. But so what?" There are three reasons why I consider downtime important enough to focus on. The first is that I think it is important that we stop measuring the cost of cyberattacks only in the number of records breached and start focusing on hours of unavailable systems and data. I certainly do not like privacy violations and the theft of secrets. But I see hours of lost production, when profits are not being made and citizens are not being served, to say nothing of shores not being defended, as the most significant metric of the impact of cyberattacks.


Second, we cannot lose sight of the fact that system downtime has many causes and targets. Mother Nature will have her way with information technology, and so will human beings. Some of the latter may be malicious, but extended outages can also be caused by lazy, incompetent and error-prone people. Effective monitoring and quality control will help organizations withstand these sorts of folks as well as the attackers.

Finally, and most urgently in my view, we in IT live in a very dangerous world. There are horrible wars going on, and cyberwarfare has become a predictable part of the fight. Ransomware has done a great deal of damage and costs a significant amount of money. But at least the attackers are offering (if not always delivering) to turn over the decryption key in return for a cryptocurrency payment. We may soon encounter attackers who encrypt data and then throw away the key. Effective backups, well-drilled recovery specialists and business continuity procedures17 adapted to cyberattacks may be a survival strategy.

Endnotes

1 IBM Security, Cost of a Data Breach Report 2021, 2021, http://www.ibm.com/downloads/cas/OJDVQGRY
2 Verizon, 2022 Data Breach Investigations Report, 2022, http://www.verizon.com/business/resources/reports/dbir/
3 Merriam-Webster, "breach," http://www.merriam-webster.com/dictionary/breach
4 Macmillan Dictionary, "breach of security," http://www.macmillandictionary.com/us/dictionary/american/breach-of-security
5 Op cit Verizon
6 Op cit IBM Security
7 Ibid., as compared with an average total cost of US$4.24 million for data breaches of all types globally
8 Ibid.
9 Dun & Bradstreet, "Colonial Pipeline Company," http://www.dnb.com/business-directory/company-profiles.colonial_pipeline_company.11bf157f4e91ff2d98b81cdf484d9f24.html
10 Computer History Museum, "Eniac," http://www.computerhistory.org/revolution/birth-of-the-computer/4/78
11 Sungard Availability Services, "Sungard Availability Services Takes Action to Strengthen Operating Cost Structure for Future Success," 11 April 2022, http://www.sungardas.com/en-us/news/2022/april/sungard-availability-services-takes-action-to-strengthen-operating-cost-structure-for-future-success/
12 I am referring to the outages at Salesforce.com and Kronos. Daoudi, M.; "Is Your Business Prepared For the Next Major SaaS Outage?" Forbes, 25 June 2021, http://www.forbes.com/sites/forbestechcouncil/2021/06/25/is-your-business-prepared-for-the-next-major-saas-outage/?sh=7acf50e657ea
13 UKG Workforce Central, “Communications Sent to Impacted Kronos Private Cloud (KPC) Customers Beginning December, 13 at 12:45AM ET,” Kronos Community, 13 December 2021, http://community.kronos.com/s/feed/0D54M00004wJKHiSAO?language=en_US
14 Council on Foreign Relations, “Compromise of Saudi Aramco and RasGas,” August 2012, http://www.cfr.org/cyber-operations/compromise-saudi-aramco-and-rasgas
15 Jewkes, S.; J. Finkle; “Shamoon Computer Virus Variant Is Lead Suspect in Hack on Oil Firm Saipem,” Reuters, 12 December 2018, http://www.reuters.com/article/cyber-shamoon/shamoon-computer-virus-variant-is-lead-suspect-in-hack-on-oil-firm-saipem-idUSL1N1YH0QC
16 Hern, A.; “WannaCry, Petya, NotPetya: How Ransomware Hit the Big Time in 2017,” The Guardian, 30 December 2017, http://www.theguardian.com/technology/2017/dec/30/wannacry-petya-notpetya-ransomware
17 Ross, S.; “Cyber (Business) Recovery,” ISACA® Journal, vol. 3, 2022, http://5wb7.baileherculane.net/archives

STEVEN J. ROSS | CISA, CDPSE, AFBCI, MBCP

Is executive principal of Risk Masters International LLC. He has been writing one of the Journal's most popular columns since 1998. Ross was inducted into the ISACA® Hall of Fame in 2022. He can be reached at stross@riskmastersintl.com.