Fail to Plan

Posted 22-Apr-2015

DESCRIPTION

"Fail to Plan, Plan to Plan" webcast slides
TRANSCRIPT

Page 1: Fail To Plan

Page 2: Today's Speakers

Michael Hurley, Bryan Cunningham, Lynne Monaco; Jeff Passolt, Host

Page 3: © 2011 - Copyrighted Materials

• Today's presentation contains copyrighted materials, which are solely the property of their respective owners
• Any unauthorized use of these materials is strictly prohibited

Page 4: Introduction

• Many questions, few answers
• What we'll cover
  – Major threats: natural and manmade
  – Disaster recovery/business continuity
  – Why and how to plan
  – Heightened concerns about cyberthreats

Page 5: Not THE List, A List

• Acts of terrorism
• War-related disasters
• Haz-mat events
• Nuclear accidents
• Aircraft accidents
• Wild-land and urban fires
• Natural disasters
• Other types of natural/human disasters

Source: US Government, National Incident Management System characterization

Page 6: Current Threats

• Our biggest worry: DANGEROUS TERRORISTS WITH DANGEROUS WEAPONS
  – Al-Qaeda recruiting and operating in the US
  – Continue to seek nuclear and other WMDs
  – If they get them, they'll use them
  – Catastrophic consequences on many fronts

Page 7: US Government Thoughts/Actions

• Post-9/11 Commission views
• Protection efforts: the problem with radiation detection
• Cyberthreats: the flavor of the moment
• Conventional weapons assessment
  – Many problems short of WMDs

Page 8: Low Probability vs. High Impact

• "Overriding priority of our national security policy must be to prevent the spread of nuclear weapons of mass destruction." (Senators Sam Nunn, Richard Lugar)
  – Lock down nuclear weapons and materials
    • Highly enriched uranium and plutonium
  – Cooperate with leaders around the world
    • It's in their interest, too!
  – Problem of Pakistan
    • Can extremists get the keys to the bomb?
    • Could directly harm the U.S.

Page 9: More Concerns

• As of Jan. 2010, both Iran and North Korea had energetic programs to develop nuclear weapons
  – Both are direct threats to the U.S.
• Terrorist interest in acquiring materials persists
  – 18 documented cases of theft of highly enriched uranium and plutonium
  – Consequences: hundreds of thousands dead, worldwide economic reverberations ("Securing the Bomb," April 2010)
  – "The Nuclear Bazaar" reports 40-plus countries now have nuclear materials

Page 10: Homegrown Terrorism

• 2009 and 2010: significant increase in terrorist attacks/attempts on U.S. soil, and an alarming increase in the number of homegrown terrorists
  – Major Hasan and the Ft. Hood attack: 13 dead
  – Abdulmutallab's attempt on the NWA flight bound for Detroit
  – Najibullah Zazi, Denver airport shuttle bus driver, intent to attack the NYC subway
  – Farooque Ahmed, Virginia resident, intent to bomb the D.C. Metrorail
  – Faisal Shahzad, attempted car bomb in Times Square
  – Mohamed Osman Mohamud, 19-year-old Somali-born Oregon State student, attempted car bombing in late November at the Portland Christmas tree lighting ceremony
  – Abdulhakim Muhammad, killed a U.S. soldier outside the Little Rock Army recruiting office

Page 11: America, We Have a Problem!

• David Headley
• Colleen LaRose, a.k.a. "Jihad Jane," of Pennsylvania
• National Security Preparedness Group, September 2010 report
  – Places like Minneapolis and Portland, because of the growing radicalization among Somali youth in those cities, are on the "frontlines" of terrorism
• It's not just Islamist terrorists we need to worry about; what should really drive the point home to small- and medium-size businesses:
  – August 2010, Omar Thornton, Hartford Distributors (a Connecticut beer distributorship)
  – Faced a disciplinary hearing, possibly employment termination
  – Killed 8 co-workers and then killed himself

Page 12: Cyber Attacks are Pervasive

• At least 500 million personal records have likely been compromised since January 2005 (Source: Privacy Rights Clearinghouse)
• 2009: identity theft estimated to have cost the US economy $54 billion (Source: Forbes magazine)

Page 13: Big Brother is Listening

• President Obama identified cybersecurity as "one of the most serious economic and national security challenges we face as a nation."
• USG has Project "Perfect Citizen" to place classified sensors in networks controlling the nation's key critical infrastructures, e.g., the electric power grid
• 300 million electronic medical records by 2014; sophisticated electricity-use sensors in every house
• Obvious privacy and civil liberties challenges

Page 14: Locating adversaries in cyberspace is becoming increasingly difficult

Image captions:
• Al Qaeda Internet recruiting
• AQ in Iraq intercepts UAV feeds with $29 software
• Members of Al-Qauuam brigade use laptops to hack opposition IT systems in 2006

Page 15: The Cyberthreat

• Theoretical? It's already happened
• The next war starts not with a bang, but a click

Page 16: The Threat Issue Is Settled

• Russia-Estonia (5/2007)
• Russia-Georgia (8/2008)
• China: GhostNet (3/2009)
• Iranian Non-Revolution
• China: Google, etc. (12/09)
• Eastern Europe: Kneber botnet (1/2010)
  – Acquired proprietary data from over 2,500 companies worldwide
  – Targeted energy, health, technology, financial and government sectors
  – Likely run by organized cyber criminals in Eastern Europe
  – Detection rate of less than 10% among antivirus software; shielded from IDS systems

Page 17: The Threat Issue Is Settled (continued)

• China: State Department cables
• Wikileaks war
• Hacktivism
• Stuxnet

Page 18: Ripped from the Headlines

• Google China
• Preceded by GhostNet
  – Investigation into attacks on the Dalai Lama
  – Wide-ranging network of compromised computers
  – 1,295 spread across 103 countries; 30% "high value targets"
    • Ministries of Foreign Affairs, embassies, news organizations, a NATO HQ computer

Page 19: Shadows in the Cloud

• Deep/broad investigation by the same group that originally uncovered GhostNet; released early April 2010
• Documented a new and extremely sophisticated "malware ecosystem" that leverages
  – Multiple redundant cloud computing systems
  – Social networking platforms (Twitter, Blogspot, etc.)
  – Free web hosting services
  to maintain persistent command and control over machines while operating core servers located in the PRC

Page 20: Shadows in the Cloud - Key Findings

• New "ecosystem": convergence of crime and national security threats
• Democratization of espionage
• Theft of classified and sensitive documents
• Collateral compromise
  – Visa applications for US workers in Afghanistan: big OpSec problem
• Companies targeted like countries, e.g., Google; need to act accordingly
• Clear links to Chinese hackers, but the PRC government? A Wikileaks cable demonstrates the USG thinks so
• Your network is only as strong as its weakest link

Page 21: China Rising, Others Following

• April 8, 2010: a BGP routing incident briefly redirected traffic for roughly 15% of Internet routes through networks inside the PRC (widely reported as "15% of all worldwide Internet traffic")
• Affected destinations included:
  – Secretary of Defense
  – All four US armed services
  – United States Senate
  – Dell, Yahoo, IBM, Microsoft and other private companies

9/7/07: "Chinese Army Blamed for Pentagon Attack"

Page 22: Collateral Damage

• Even if not the prime target, operating in a foreign country may expose organizations to risks associated with cyber-wars/hacktivism
  – MasterCard, Amazon targeted by Wikileaks supporters
• High-tech harassment
• Instigators of cyber-wars can cloak the true source of an attack by hiring hackers in other countries and by "zombie-ing" privately owned computers

Page 23: Our #1 Threat?

• Nuclear, bio scarier, possibly worse, but…
• Combining factors
  – Intent
  – Ease of acquisition (democratization of terror/espionage)
  – Potential for serious damage and mass fear/uncertainty
• Strong case for cyber as the #1 threat

Page 24: Our #1 Threat? (continued)

• Examples of viable national security targets
  – Government systems
  – Air-traffic control
  – Financial sector
  – Telecom
  – "Smart" energy grid
  – Other SCADA targets
  – Healthcare (especially with the EMR revolution)

Page 25: Keeping Corporate Leaders Up at Night

• Damage from security breaches can cause
  – Fines and penalties
  – Lawsuits
  – Reduced shareholder value
  – Negative publicity
  – Loss of customer trust
• Few companies have the right elements in place

Page 26: Real Money

• ChoicePoint data breach resulted in $55 million in fines and settlement payments; at the time, the largest settlement ever for the FTC
• November 2010: AvMed class action suit by 1.2 million health plan members whose unencrypted PII was on two missing laptops

Page 27: Top Information Security Threats

• Identity theft and espionage directed from China and other countries
• Expected major increase in attacks from trusted organizations
• Insider attacks
• "Massive armies" of persistent botnets
• Supply-chain attacks infecting consumer devices
• Attacks on mobile phones (esp. iPhones)
• Web application security exploits

Source: SANS Institute, 2008.

Page 28: Other Costs of Information Security Breaches

• Loss of customer and shareholder confidence
• Potentially increased insurance/bonding costs
• Negative public image for corporations that don't do all that was reasonable
• Positive public image for those that do: do well by doing good

Your company can set the standard!

Page 29: Why You Should Care…

• As a manager/employee:
  – Accountability
  – Legal liability
  – More importantly: it's the right thing to do
  – You could lose:
    • Your competitive advantage
    • Your sales leads
    • Your marketing strategies
  – Embarrassment/reputational damage

Page 30: Why You Should Care… (continued)

• As a person: if bad guys get access to your electronics, they'll not stop with company data; they'll take everything:
  • Identity theft/use of credit cards, etc.
  • Personal contact information
  • Using your contacts and data to attack friends, relatives, and others
  • Personal information (books/movies purchased, medical information, etc.) you might well not want "out there"
• Massive "black market" in personal/credit information
• Particularly risky if you reuse passwords or commingle personal with business information

Page 31: Legal Liability by Sector (Some Examples)

• Banking/Finance
  – Gramm-Leach-Bliley
• Healthcare
  – HIPAA, expanded in 2009 (HITECH): national breach disclosure requirement, massive fines
• Government
  – FISMA/NIST standards as a condition of federal funding
• Education
  – FERPA
• ALL
  – 46 state laws, bills in Congress, international requirements

Page 32: Officer/Director Liability

• Sarbanes-Oxley (publicly traded companies):
  – Requires senior management to perform an annual assessment of internal controls over financial reporting
  – Indirectly requires management to certify data accuracy
  – Regulators believe securing data is necessary to ensure accuracy and reliability

Page 33: It's Not If, It's When

Page 34: Why Plan?

• Responsibility to employees, customers, investors
• Planning compels new understanding of crucial business processes
• Enables business survival, reduces degradation in the event of disaster
• Competitive advantage/marketing angle
• Reduces "failure of imagination"

Page 35: Planning Fundamentals

1. Risk/business impact analysis
2. Communication
3. Transportation
4. Coordination
5. Redundancy
6. KISS
7. Chains of command
8. Imagination, and the failure thereof

Page 36: More Planning Fundamentals

• To start, you have to start
• Scope: lessons from Goldilocks (not too big, not too small)
• Seats at the table
• Baselining and imagining
• Disaster recovery vs. business continuity
• All-hazards approach
• Biggest bang for the buck

Page 37: No Battle Plan Survives the First Shot

• Communications is key
• Empower improvisation
• Recrimination control
• Multiple contingencies
• Checklists and SOPs
• Failsafes

Page 38: Communications

• Do you have a list of IDs, passwords, important files, etc., printed out or electronic, in a safe place off-site? (That list is itself a credential store: keep it encrypted or physically locked up, limit who knows where it is, and rotate the passwords after any recovery that uses it)
• What do you do with mail/customer orders?
• Set up call forwarding to a backup location
• Consider alternate and redundant routing of communications
• Dial-up may not be the most sophisticated technology, but if the Internet is down you can still connect point-to-point with dial-up

Page 39: Information Sharing & Analysis Centers

• Communications
• Energy
• Financial Services
• Information Technology
• Emergency Management & Response
• Surface Transportation
• Supply Chain

www.isaccouncil.org/sites/index.php

Page 40: Disaster Planning Spectrum

Diagram, shown as a cycle:
Business Process Mapping → Threat/Risk Assessment → Create DR plan → Acquire assets → Train on DR plan → Test & exercise plan regularly → Continuously reassess and refine (back to the start)

Page 41: Fail To Plan

CyberRisk:What Do To

41

Page 42: Key Information Security Planning Principles

• The worst thing is not to start
• 2nd worst thing: start in the middle
• Data classification process
• Strategic security plan
• Attorney-client privilege
• Advice-of-counsel defense

Page 43: Don'ts

• Start with a penetration test (before the business impact analysis and data classification are done, a pentest produces findings with no risk context to prioritize them)
• Focus only on the technical
• Focus only on the IT department
• Move forward without attorney-client privilege in place

Page 44: Private Sector Preparedness

• Private sector preparedness for crises is essential to the nation's well-being
• Large businesses, often with far-reaching interests, see themselves as more at risk from terrorist plots
• Many small/medium businesses, even though they can be crippled by a crisis, have done little

Page 45: Private Sector Preparedness (continued)

• Insurance brokers and companies should consider business preparedness in their risk evaluation process
• We need to promote greater understanding that corporate resilience and preparedness are competitive advantages for companies
• Investors should be aware of a company's preparedness status to guide their investment decisions

Page 46: Private Sector Preparedness (continued)

• Federal legislation empowers DHS to establish a voluntary accreditation and certification program
• Key: integrate the insurance, legal, and rating agency communities into the certification program to encourage them to reward certified businesses

Page 47: Don't be Overwhelmed by Fear, Manage Risk

• Before 9/11, most of us were unaware of these threats
• The reality is they are with us to stay
• Our message is not to be afraid but to know that bad things can happen in today's world, and to take steps to be prepared to manage risk and deal with a disaster if and when it happens
• It only makes good business sense; the business that does this planning is the one that will emerge from whatever happens, taking care of its customers and employees, and move forward
• It makes every bit of sense to think through scenarios in advance

Page 48: Don't Try This at Home

• Areas discussed today are extremely complex
• The only constant in this area is change
• Warning: this presentation is not legal advice, and should not be relied upon

Michael Hurley: [email protected]
Bryan Cunningham: (303) 743-0003, [email protected]

Page 49: Telecommunications Continuity

• DHS considers telecommunications a critical part of infrastructure
  – Employee safety (911 and family)
  – Encourage family pre-planning: Ready.gov
  – Operations/staffing needs
• Telecommunications systems are an important component of business continuity planning
  – Travel/meetings curtailed
  – Access to data, PBX/voice communications, call center operations, access to networks

Page 50: Telecommunications Continuity (continued)

• Videoconferencing and audio conferencing are cost-effective alternatives
• Electronic data transfer
• Web-based presentations
• Accessible, effective data backup
• Reliability of telecommunications is a key to business continuity

Page 51: Telecommunications Continuity (continued)

• Reliability considerations:
  – Will your system work during a power outage? Traditional copper landlines typically have both battery and generator backup at the carrier's central office; VoIP and fiber-based phones depend on power at your premises, so put the handsets, switches and fiber terminal on a UPS
  – Cell towers may become overloaded
  – Redundancy in the network
  – Call transfer capabilities for inbound call center operations
• Automated emergency notifications
• Automated attendant systems (e.g., voicemail)
• Safety and security are the highest priorities!

Page 52: Today's Speakers

Michael Hurley, Bryan Cunningham, Lynne Monaco; Jeff Passolt, Host

Page 53: Fail To Plan (closing slide)