News of the whistle-blowing activities of the WikiLeaks Website has spread like wildfire through the world’s press, TV and Internet forums. One result of this attention is that hackers are ramping up the cyberwar, downloading software used to launch attacks against commercial companies

It is estimated that some 260 000 secret documents from the US State Department are in the hands of WikiLeaks, but less than one percent of this trove has been released. WikiLeaks has released classified information, potentially putting American lives at risk, threatening the country’s infrastructure and having an impact on national security. WikiLeaks has also had an impact on many commercial online companies.

One group taking up the cyber-war game is a shadowy organization called Operation Payback, which has coordinated a number of successful “distributed denial of service” (DDoS) attacks on PayPal, Visa, MasterCard and Amazon. Although Operation Payback has no known affiliation with WikiLeaks, the two groups fight for similar ideals in demanding transparency and countering censorship. It might be described as the first real info-war.

Cyber-security was an issue long before WikiLeaks became a household name. There are many reported cases of stolen personal and customer data, including hundreds of thousands of social security numbers. Other cyber-threats are widespread identity theft, a boom in Internet fraud and crimes against children.

One of the most disturbing events of 2010 was the Stuxnet computer “worm” that was capable of compromising the safety of industrial systems such as nuclear power plant controllers, hydroelectric plants, power grids and other energy facilities. The frequency and sophistication of this type of malware – as well as questions about the possible motivations of the perpetrators – have raised concerns in governments and operators of critical infrastructure.

The Stuxnet worm spotlights the vulnerabilities of Internet communications and the fact that some parts of critical national infrastructure can be viewed as a “ticking time-bomb” But this is not the only area where many countries are vulnerable to cyber-warfare.

We are likely seeing the overture to a performance that is only beginning. When it does, the consequences could be catastrophic for governments, commercial organizations and individuals.

Cyber-security standards

So is it likely that the future will include a secure, Web-based environment to be used by business, governments and citizens ? Are companies and governments fully aware of the risks and impacts they face ?

The general answer is that most organizations are still not adopting an appropriate risk-based approach to protecting themselves and their assets. This means assessing the risks, implementing security controls to reduce these risks, regularly monitoring and reviewing the effectiveness of these controls, re-assessing risks and making necessary improvements if risk levels have increased (see Figure 1).  

Figure 1

In other words, the risk-based approach is a continual improvement process to keep an organization up-to-date and fully protected.

ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, is a risk-based standard that has been adopted by hundreds of thousands of organizations to implement appropriate risk management processes. ISO/IEC 27001 provides an effective management framework for information security, as it accommodates all types of organizational security needs and business requirements and is capable of evolving and improving the level of protection commensurate with changes in the cyber-threat environment.

Many programmes designed to tackle the cyber-war issue reference ISO/IEC 27001 and its supporting code of practice ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management. One such activity is the US Homeland Security programme, which references both of these standards as appropriate risk-based frameworks for managing and tackling cyber-security risks.

The implementation of ISO/IEC 27001 is supported by a range of guidelines in what is referred to as the ISO/IEC 27000 family of information security management system (ISMS) standards. These include :

  • ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management
  • ISO/IEC 27003:2010, Information technology – Security techniques – Information security management system implementation guidance
  • ISO/IEC 27004:2009, Information technology – Security techniques – Information security management – Measurement
  • ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management.

Another important feature of ISO/IEC 27001 is that it can be used for third-party certification audits, which means an organization can have its ISMS independently assessed by an external body. This provides greater confidence and assurance that the organization’s ISMS is “fit-for-purpose”. More than 12 000 organizations have been certified to ISO/IEC 27001 since the standard was first published by ISO five years ago. The certification rate is almost trebling each year, a reflection of the standard’s utility in tackling organizational risks.

Taming the cyber-tiger

Another area of ISO standardization focuses on information security incidents. It is important for organizations that experience a cyber-incident to be able to respond efficiently and expediently to limit its impacts.

Time is of the essence – the longer it takes to control and recover from the incident, the more likely it is that the effects will penetrate deeper into organizational systems. If the incident takes down business systems, then the organization cannot carry on with normal operations. The question becomes how long the organization can tolerate having its systems offline.

Is it acceptable that the online presence is inaccessible to customers for 24 to 48 hours, or is the limit just 12 hours or less? How long can a company survive when it is unable to supply services, and how much will customers tolerate before they change suppliers? These questions are particularly important to financial systems, online booking, electricity and gas supply management, telecom operators and other systems providing customer services.

Information and communication technology (ICT) has become an integral part of the critical infrastructure in all sectors, whether public, private or voluntary. The proliferation of networking services, and the capabilities of systems and applications, has also meant that organizations are ever-more reliant on safe and secure ICT infrastructures. Failure of these systems, including security issues such as hacking and malware, will impact the continuity of business operations.

The critical functions that require business continuity are usually dependent upon ICT. This dependence means that ICT disruptions can constitute strategic risks to organizational reputation. In comes ISO/IEC 27031, Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity, currently at final draft stage.

ISO/IEC 27031 deals with ICT readiness for business continuity, which enables organizations to be prepared when an incident, such as a cyber-attack, occurs and to have ICT systems back up a running in the shortest possible time. It is associated with a number of other International Standards aimed at dealing with incident preparedness, disaster recovery planning, and emergency response and management including :

  • ISO/IEC 27035 on information security incident management
  • ISO/IEC 24762 on guidelines for information and communication technology disaster recovery services
  • ISO/IEC 18043 on the selection, deployment and operations of intrusion detection systems (IDS)
  • ISO/IEC 27010 on information security management inter-sector communications
  • ISO/PAS 22399:2007 on guidelines for incident preparedness and operational continuity management
  • ITU-T X.1056 on security incident management guidelines for telecommunications organizations.

Together with the ISO/IEC 27001 family, this suite of standards provides a set of management tools that can mean the difference between survival and destruction of the organization’s business. These standards increase the organization’s ability to reduce the impacts of most cyber-attacks.

The business environment is constantly changing – along with threats to a company’s survival. Organizations need to be ahead of the game, and an excellent defence can be built around risk-based ISMS founded on ISO/IEC 27001, together with incident preparedness and business continuity management processes based on ISO/IEC 27031 and ISO/IEC 27035.

WikiLeaks may be today’s sensational news story, but it could easily be eclipsed by another cyber-warfare story tomorrow. Organizations should not be tempted to fall into the complacency of “ it won’t happen to us.” The risks are there, and we all share the same technology, the same Internet and many applications, so being prepared is simply common sense.

Prof. Edward J. Humphreys
Prof. Edward J. Humphreys
ISO/IEC JTC 1/SC27 WG1 Convenor ISMS standards