"Fail to Plan, Plan to Plan" webcast slides (transcript)

Today’s Speakers
Michael Hurley
Bryan Cunningham
Lynne Monaco
Jeff Passolt, Host

© 2011 - Copyrighted Materials
• Today’s presentation contains copyrighted materials, which are solely the property of their respective owners
• Any unauthorized use of these materials is strictly prohibited

Introduction
• Many questions, few answers
• What we’ll cover
– Major threats – natural and manmade
– Disaster recovery/business continuity
– Why and how to plan
– Heightened concerns about cyberthreats

Not THE List, A List
• Acts of terrorism
• War-related disasters
• Haz-mat events
• Nuclear accidents
• Aircraft accidents
• Wild-land and urban fires
• Natural disasters
• Other types of natural/human disasters
Source: US Government, National Incident Management Systems Characterization

Current Threats
• Our biggest worry: DANGEROUS TERRORISTS WITH DANGEROUS WEAPONS
– Al-Qaeda recruiting and operating in the US
– Continue to seek nuclear/other WMDs
– If they get them, they’ll use them
– Catastrophic consequences on many fronts

US Government Thoughts/Actions
• Post 9/11 Commission views
• Protection efforts: the problem with radiation detection
• Cyberthreats – the flavor of the moment
• Conventional weapons assessment
– Many problems short of WMDs

Low Probability vs. High Impact
• “Overriding priority of our national security policy must be to prevent the spread of nuclear weapons of mass destruction.” – Senators Sam Nunn, Richard Lugar
– Lock down nuclear weapons and materials
• Highly enriched uranium and plutonium
– Cooperate with leaders around the world
• It’s in their interest, too!
– Problem of Pakistan
• Can extremists get the keys to the bomb?
• Could directly harm the U.S.

More Concerns
• As of Jan. 2010, both Iran and North Korea have energetic programs to develop nuclear weapons
– Both are direct threats to the U.S.
• Terrorist interest in acquiring materials persists
– 18 documented cases of theft of highly enriched uranium and plutonium
– Consequences: hundreds of thousands dead, worldwide economic reverberation – “Securing the Bomb,” April 2010
– “The Nuclear Bazaar” reports 40-plus countries now have nuclear materials

Homegrown Terrorism
• 2009 and 2010 – Significant increase in terrorist attacks/attempts on U.S. soil, and an alarming increase in the number of homegrown terrorists
– Major Hasan and Ft. Hood attack – 13 dead
– Abdulmutallab’s attempt on NWA flight bound for Detroit
– Najibullah Zazi – Denver Airport shuttle bus driver, intent to attack NYC subway
– Farooque Ahmed – Virginia resident, intent to bomb D.C. Metrorail
– Faisal Shahzad – Attempted car bomb in Times Square
– Mohamed Osman Mohamud – 19-year-old Somali, Oregon State student, attempted car bombing in late November in Portland at the Christmas tree lighting ceremony
– Abdulhakim Muhammad – Killed U.S. soldier outside Little Rock Army recruiting office

America, We Have a Problem!
• David Headley
• Colleen LaRose, a.k.a. “Jihad Jane” of Pennsylvania
• National Security Preparedness Group September 2010 Report
– Places like Minneapolis and Portland, because of the growing radicalization among Somali youth in those cities, are on the “frontlines” of terrorism
• It’s not just Islamist terrorists we need to worry about; what should really drive the point home to small- and medium-size businesses:
– August 2010, Omar Thornton – Hartford, CT beer distributorship
– Faced a disciplinary hearing, possibly employment termination
– Killed 8 co-workers and then killed himself

Cyber Attacks Are Pervasive
• At least 500 million personal records have likely been compromised since January 2005
– Source: Privacy Rights Clearinghouse
• 2009: Identity theft estimated to have cost the US economy $54 billion
– Source: Forbes magazine

Big Brother Is Listening
• President Obama identified cybersecurity as “one of the most serious economic and national security challenges we face as a nation.”
• USG has Project “Perfect Citizen” to place classified sensors in networks controlling the nation’s key critical infrastructures, e.g., the electric power grid
• 300 million electronic medical records by 2014; sophisticated electricity use sensors in every house
• Obvious privacy, civil liberties challenges

Locating adversaries in cyberspace is becoming increasingly difficult
Al Qaeda Internet recruiting
AQ in Iraq hacks UAV feeds with $29 software
Members of Al-Qauuam brigade use laptops to hack opposition IT systems in 2006.

The Cyberthreat
• Theoretical? It’s already happened
• The next war starts not with a bang, but a click

The Threat Issue Is Settled
• Russia-Estonia (5/2007)
• Russia-Georgia (8/2008)
• China – GhostNet (5/2009)
• Iranian Non-Revolution
• China – Google, etc. (12/09)
• Eastern Europe – Kneber Botnet (1/2010)
– Acquired proprietary data from over 2,500 companies worldwide
– Targeted energy, health, technology, financial and government sectors
– Likely run by organized cyber criminals in Eastern Europe
– Detection rate of less than 10% among antivirus software/shielded from IDS systems

The Threat Issue Is Settled
• China State Department cables
• Wikileaks war
• Hacktivism
• Stuxnet

Ripped from the Headlines
• Google China
• Preceded by GhostNet
– Investigation into attacks on the Dalai Lama
– Wide-ranging network of compromised computers
– 1,295 spread across 103 countries
– 30% = “High Value Targets”
• Ministries of Foreign Affairs, embassies, news orgs., NATO HQ computer

Shadows in the Cloud
• Deep/broad investigation by the same group that originally uncovered GhostNet
– Released early April 2010
• Documented a new and extremely sophisticated “malware ecosystem” that leverages
– Multiple redundant cloud computing systems
– Social networking platforms (Twitter, Blogspot, etc.)
– Free web hosting services to:
• Maintain persistent command and control over machines while operating core servers located in the PRC

Shadows in the Cloud – Key Findings
• New “Ecosystem” – Convergence of crime & national security threats
• Democratization of espionage
• Theft of classified and sensitive documents
• Collateral compromise
– Visa applications for US workers in Afghanistan – big OpSec problem
• Companies targeted like countries, e.g., Google
– Need to act accordingly
• Clear links to Chinese hackers, but PRC government?
– Wikileaks cable demonstrates USG thinks so
• Your network is only as strong as its weakest link

China Rising, Others Following
• April 18, 2010 – 15% of all worldwide Internet traffic redirected to networks inside PRC
• Victims included:
– Secretary of Defense
– All four US armed services
– United States Senate
– Dell, Yahoo, IBM, Microsoft and other private companies
9/7/07 – “Chinese Army Blamed for Pentagon Attack”

Collateral Damage
• Even if not the prime target, operating in a foreign country may expose organizations to risks associated with cyber-wars/hacktivism
– MasterCard, Amazon targeted by Wikileaks supporters
• High-tech harassment
• Instigators of cyber-wars can cloak the true source of an attack by hiring hackers in other countries, and by zombie-ing privately owned computers

Our #1 Threat?
• Nuclear, bio scarier, possibly worse, but…
• Combining factors
– Intent
– Ease of acquisition (democratization of terror/espionage)
– Potential for serious damage and mass fear/uncertainty
• Strong case for cyber as #1 threat

Our #1 Threat?
• Examples of viable national security targets
– Government systems
– Air-traffic control
– Financial sector
– Telecom
– “Smart” energy grid
– Other SCADA targets
– Healthcare (especially with EMR revolution)

Keeping Corporate Leaders Up at Night
• Damage from security breaches can cause
– Fines and penalties
– Lawsuits
– Reduced shareholder value
– Negative publicity
– Loss of customer trust
• Few companies have the right elements in place

Real Money
• ChoicePoint data breach resulted in $55 million in fines and settlement payments – largest EVER settlement for the FTC
• November 2010: AvMed class action suit by 1.2 million health plan members whose unencrypted PII was on two missing laptops

Top Information Security Threats
• Identity theft and espionage directed from China and other countries
• Expected major increase in attacks from trusted organizations
• Insider attacks
• “Massive armies” of persistent botnets
• Supply-chain attacks infecting consumer devices
• Attacks on mobile phones (esp. iPhones)
• Web application security exploits
Source: SANS Institute, 2008.

Other Costs of Information Security Breaches
• Loss of customer & shareholder confidence
• Potentially increased insurance/bonding costs
• Negative public image of corporations that don’t do all that was reasonable
• Positive public image for those that do; do well by doing good
Your company can set the standard!

Why You Should Care…
• As a manager/employee:
– Accountability
– Legal liability
– More importantly: the right thing to do
– You could lose:
• Your competitive advantage
• Your sales leads
• Your marketing strategies
– Embarrassment/reputational damage

Why You Should Care…
• As a person:
– If bad guys get access to your electronics, they’ll not stop with company data; they’ll take everything:
• Identity theft/use of credit cards, etc.
• Personal contact information
• Using your contacts, data, to attack friends, relatives, and others
• Personal information (books/movies purchased, medical information, etc.) you might well not want “out there”
• Massive “black market” of personal/credit information
• Particularly risky if you use the same passwords/commingle personal with business information

Legal Liability by Sector (Some Examples)
• Banking/Finance
– Gramm-Leach-Bliley
• Healthcare
– HIPAA
– Expanded in 2009
– National breach disclosure requirement
– Massive fines
• Government
– FISMA/NIST for Federal $$
• Education
– FERPA
• ALL
– 46 state laws, bills in Congress, international

Officer/Director Liability
• Sarbanes-Oxley – publicly traded companies:
– Requires senior management to perform annual assessment of internal controls over financial reporting
– Indirectly requires management to certify data accuracy
– Regulators believe securing data is necessary to ensure accuracy and reliability

It’s Not If, It’s When

Why Plan?
• Responsibility to employees, customers, investors
• Planning compels new understanding of crucial business processes
• Enables business survival, reduces degradation in event of disaster
• Competitive advantage/marketing angle
• Reduces “failure of imagination”

Planning Fundamentals
1. Risk/business impact analysis
2. Communication
3. Transportation
4. Coordination
5. Redundancy
6. KISS
7. Chains of command
8. Imagination – failure thereof

More Planning Fundamentals
• To start, you have to start
• Scope – lessons from Goldilocks
• Seats at the table
• Baselining and imagining
• Disaster recovery vs. business continuity
• All-hazards approach
• Biggest bang for the buck

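The first planning fundamental above, risk/business impact analysis, and the "biggest bang for the buck" point are easiest to see with numbers. The script below is an added example, not material from the webcast or its speakers: it scores a handful of constructed threat scenarios by annualized loss expectancy (ALE = single loss expectancy × annualized rate of occurrence), separately flags the rare-but-catastrophic scenarios that a pure ALE ranking under-weights (the "low probability vs. high impact" slide), and ranks candidate mitigations by ALE reduction per dollar spent. Every scenario, cost and probability is a made-up sample value.

```python
"""Risk / business impact analysis helper (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float   # single loss expectancy: cost in dollars if the event happens once
    aro: float   # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly loss from this scenario."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Mitigation:
    name: str
    scenario: str          # name of the scenario this control addresses
    annual_cost: float     # yearly cost of running the control, in dollars
    aro_reduction: float   # fraction by which the control cuts the scenario's ARO (0..1)


# Constructed sample inputs: hypothetical business, hypothetical figures.
SCENARIOS = [
    Scenario("Ransomware on file servers", sle=250_000, aro=0.5),
    Scenario("Lost unencrypted laptop with PII", sle=400_000, aro=0.2),
    Scenario("Regional power outage > 24h", sle=60_000, aro=1.0),
    Scenario("Fire destroys headquarters", sle=5_000_000, aro=0.01),
]

MITIGATIONS = [
    Mitigation("Offline, tested backups", "Ransomware on file servers", 20_000, 0.8),
    Mitigation("Full-disk encryption on laptops", "Lost unencrypted laptop with PII", 8_000, 0.95),
    Mitigation("Generator + fuel contract", "Regional power outage > 24h", 30_000, 0.9),
    Mitigation("Off-site hot standby office", "Fire destroys headquarters", 150_000, 0.7),
]


def rank_by_ale(scenarios):
    """Scenarios ordered by expected yearly loss, highest first."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


def low_probability_high_impact(scenarios, max_aro=0.05, min_sle=1_000_000):
    """Rare but catastrophic scenarios that an ALE ranking pushes to the bottom.

    These still need a plan: a small ARO does not help if one occurrence
    ends the business. Thresholds are arbitrary sample values.
    """
    return [s for s in scenarios if s.aro <= max_aro and s.sle >= min_sle]


def rank_mitigations(scenarios, mitigations):
    """(name, yearly loss avoided, loss avoided per dollar), best ratio first."""
    by_name = {s.name: s for s in scenarios}
    scored = []
    for m in mitigations:
        avoided = by_name[m.scenario].ale * m.aro_reduction
        scored.append((m.name, avoided, avoided / m.annual_cost))
    return sorted(scored, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name:36s} ALE ${s.ale:>12,.0f}")
    rare = [s.name for s in low_probability_high_impact(SCENARIOS)]
    print("Rare but catastrophic (plan anyway):", rare)
    for name, avoided, ratio in rank_mitigations(SCENARIOS, MITIGATIONS):
        print(f"{name:36s} avoids ${avoided:>10,.0f}/yr  ratio {ratio:5.2f}")
```

With these sample figures the headquarters fire ranks last by ALE yet is the only scenario flagged as rare-but-catastrophic, while laptop encryption outranks every other control on loss avoided per dollar even though backups avoid more loss in absolute terms; that separation between expected loss, survivability and cost-effectiveness is what the analysis is for.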
No Battle Plan Survives the First Shot
• Communications is key
• Empower improvisation
• Recrimination control
• Multiple contingencies
• Checklists and SOPs
• Failsafes

Communications
• Do you have a list of IDs, passwords, important files, etc., printed out or electronic, in a safe place off-site?
• What do you do with mail/customer orders?
• Set up call forwarding to a backup location
• Consider alternate & redundant routing of communications
• Dial-up may not be the most sophisticated technology, but if the Internet is down you can still connect point-to-point with dial-up

Information Sharing & Analysis Centers
• Communications
• Energy
• Financial Services
• Information Technology
• Emergency Management & Response
• Surface Transportation
• Supply Chain
www.isaccouncil.org/sites/index.php

Disaster Planning Spectrum
(Figure: planning cycle) Business Process Mapping → Threat/Risk Assessment → Create DR plan → Acquire assets → Train DR plan → Test & exercise plan regularly → Continuously reassess and refine
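The "test & exercise regularly" step of the cycle above is where most backup plans are found wanting: a backup that has never been restored is an assumption, not a plan. The script below is an added example, not code from the webcast or its speakers. It builds a backup archive of a constructed data directory, records a SHA-256 manifest at backup time, restores the archive to a scratch location, and checks every restored file against the manifest; a `tamper` switch corrupts one restored file so the drill also proves the check can fail. Directory names and file contents are sample values; the approach assumes a plain tar.gz backup on local disk.

```python
"""Backup restore drill (added example; constructed sample data)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Write every file under source into a .tar.gz plus a manifest beside it."""
    manifest = make_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:                     # files only, relative names
            tar.add(source / rel, arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(
        json.dumps(manifest, indent=1))
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    target.mkdir(parents=True, exist_ok=True)
    # Use the safe extraction filter where this Python provides it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **extra)


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Report files missing from the restore, changed in content, or unexpected."""
    actual = make_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupted": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def drill_passed(report: dict) -> bool:
    return not any(report.values())


def restore_drill(tamper: bool = False) -> dict:
    """Run the whole drill on constructed data and return the verification report.

    tamper=True overwrites one restored file, standing in for a bad disk
    sector or a truncated copy, to show that verification actually fails.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "data"
        (source / "orders").mkdir(parents=True)
        (source / "orders" / "2011-01.csv").write_text("id,customer,total\n1,Sample Co,120.50\n")
        (source / "contacts.txt").write_text("Alice Example, +1 555 0100\n")  # constructed
        archive = root / "backup.tar.gz"
        manifest = make_backup(source, archive)
        restored = root / "restore"
        restore_backup(archive, restored)
        if tamper:
            (restored / "contacts.txt").write_text("garbage\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", restore_drill())
    print("tampered restore:", restore_drill(tamper=True))
```

Run the drill on a schedule against the real backup set and treat any non-empty "missing" or "corrupted" list as an incident to chase before a disaster makes it urgent; the manifest written beside the archive is what lets someone other than the person who made the backup perform that check.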

Cyber Risk: What To Do

Key Information Security Planning Principles
• The worst thing is not to start
• 2nd worst thing: start in the middle
• Data classification process
• Strategic security plan
• Attorney-client privilege
• Advice of counsel defense

Don’ts
• Start with a penetration test
• Focus only on the technical
• Focus only on the IT department
• Move forward without attorney-client privilege in place

Private Sector Preparedness
• Private sector preparedness for crises is essential to the nation’s well being
• Large businesses, often with far-reaching interests, see themselves as more at risk from terrorist plots
• Many small/medium-businesses, even though they can be crippled by a crisis, have done little
Private Sector Preparedness
• Insurance brokers and companies should consider business preparedness in their risk evaluation process
• We need to promote greater understanding that corporate resilience and preparedness are competitive advantages for companies
• Investors should be aware of a company’s preparedness status to guide their investment decisions
Private Sector Preparedness
• Federal legislation empowers DHS to establish a voluntary accreditation and certification program
• Key: Integrate insurance, legal, rating agency communities into certification program to encourage them to reward certified businesses

Don’t Be Overwhelmed by Fear, Manage Risk
• Before 9/11, most of us were unaware of these threats
• The reality is they are with us to stay
• Our message is not to be afraid but to know that bad things can happen in today’s world and to take steps to be prepared to manage risk and deal with a disaster if and when it happens
• It only makes good business sense; the business that does this planning is one that will emerge from whatever happens, taking care of its customers and employees, and move forward.
• It makes every bit of sense to think through scenarios in advance

Don’t Try This at Home
• Areas discussed today are extremely complex
• The only constant in this area is change
• Warning: This presentation is not legal advice, and should not be relied upon

Michael [email protected]
Bryan Cunningham (303) 743-0003

Telecommunications Continuity
• DHS considers telecommunications to be a critical part of infrastructure
– Employee safety (911 and family)
– Encourage family pre-planning: Ready.gov
– Operations/staffing needs
• Telecommunications systems are an important component of business continuity planning
– Travel/meetings curtailed
– Access to data, PBX/voice communications, call center operations, access to networks

Telecommunications Continuity
• Videoconferencing and audio conferencing are cost-effective alternatives
• Electronic data transfer
• Web-based presentations
• Accessible, effective data back-up
• Reliability of telecommunications is a key to business continuity

Telecommunications Continuity
• Reliability considerations:
– Will your system work during a power outage? Landlines typically have both battery and generator backup.
– Cell towers may become overloaded.
– Redundancy in the network.
– Call transfer capabilities – inbound call center operations
• Automated emergency notifications
• Automated attendant systems (e.g. voicemail)
• Safety and security are the highest priorities!