4. Introduction
• Many questions, few answers
• What we’ll cover
– Major threats – Natural and manmade
– Disaster recovery/Business continuity
– Why and how to plan
– Heightened concerns about cyberthreats
5. Not THE List, A List
• Acts of terrorism
• War-related disasters
• Haz-mat events
• Nuclear accidents
• Aircraft accidents
• Wild-land and urban fires
• Natural disasters
• Other types of natural/human disasters
Source: US Government, National Incident Management Systems Characterization
6. Current Threats
• Our biggest worry: DANGEROUS TERRORISTS WITH DANGEROUS WEAPONS
– Al-Qaeda recruiting and operating in the US
– Continue to seek nuclear/other WMDs
– If they get them, they’ll use them
– Catastrophic consequences on many fronts
7. US Government Thoughts/Actions
• Post 9/11 Commission views
• Protection efforts: The problem with radiation detection
• Cyberthreats – The flavor of the moment
• Conventional weapons assessment
– Many problems short of WMDs
8. Low Probability vs. High Impact
• “Overriding priority of our national security policy must be to prevent the spread of nuclear weapons of mass destruction.”
– Senators Sam Nunn, Richard Lugar
– Lock down nuclear weapons and materials
• Highly enriched uranium and plutonium
– Cooperate with leaders around the world
• It’s in their interest, too!
– Problem of Pakistan
• Can extremists get the keys to the bomb?
• Could directly harm the U.S.
9. More Concerns
• In Jan. 2010, both Iran and North Korea have energetic programs to develop nuclear weapons
– Both are direct threats to the U.S.
• Terrorist interest in acquiring materials persists
– 18 documented cases of theft of highly enriched uranium and plutonium
– Consequences: Hundreds of thousands dead, worldwide economic reverberation – ”Securing the Bomb,” April 2010
– “The Nuclear Bazaar” reports 40-plus countries now have nuclear materials
10. Homegrown Terrorism
• 2009 and 2010 – Significant increase in terrorist attacks/attempts on U.S. soil, and an alarming increase in the number of homegrown terrorists
– Major Hasan and Ft. Hood attack – 13 dead
– Abdulmutallab’s attempt on NWA flight bound for Detroit
– Najibullah Zazi – Denver Airport shuttle bus driver, intent to attack NYC subway
– Farooque Ahmed – Virginia resident, intent to bomb D.C. Metrorail
– Faisal Shahzad – Attempted car bomb in Times Square
– Mohamed Osman Mohamud – 19-year-old Somali, Oregon State student, attempted car bombing in late November in Portland at the Christmas tree lighting ceremony
– Abdulhakim Muhammad – Killed U.S. soldier outside Little Rock Army recruiting office
11. America, We Have a Problem!
• David Headley
• Colleen LaRose, a.k.a “Jihad Jane” of Pennsylvania
• National Security Preparedness Group September 2010 Report
– Places like Minneapolis and Portland, because of the growing radicalization among Somali youth in those cities, are on the “frontlines” of terrorism
• Not just Islamist terrorists we need to worry about; what should really drive the point home to small- and medium-size businesses:
– August 2010, Omar Thornton - Hartford, CT beer distributorship
– Faced a disciplinary hearing, possibly employment termination
– Killed 8 co-workers and then killed himself
12. Cyber Attacks are Pervasive
• At least 500 million personal records have likely been compromised since January 2005
– Source: Privacy Rights Clearinghouse
• 2009: Identity theft estimated to have cost the US economy $54 billion
– Source: Forbes magazine
13. Big Brother is Listening
• President Obama identified cybersecurity as “one of the most serious economic and national security challenges we face as a nation.”
• USG has Project “Perfect Citizen” to place classified sensors in networks controlling the nation’s key critical infrastructures, e.g., the electric power grid
• 300 million electronic medical records by 2014; sophisticated electricity use sensors in every house
• Obvious privacy, civil liberties challenges
14. AQ in Iraq hacks UAV feeds
• Locating adversaries in cyberspace with $29 software is becoming increasingly difficult
• Members of Al-Qauuam brigade use laptops to hack opposition IT systems in 2006
• Al Qaeda Internet recruiting
16. The Threat Issue Is Settled
• Russia-Estonia (5/2007)
• Russia-Georgia (8/2008)
• China – GhostNet (5/2009)
• Iranian Non-Revolution
• China - Google, etc. (12/09)
• Eastern Europe – Kneber Botnet (1/2010)
– Acquired proprietary data from over 2,500 companies worldwide
– Targeted energy, health, technology, financial and government sectors
– Likely run by organized cyber criminals in Eastern Europe
– Detection rate of less than 10% among antivirus software/shielded from IDS systems
17. The Threat Issue Is Settled
• China State Department cables
• Wikileaks war
• Hacktivism
• Stuxnet
18. Ripped from the Headlines
• Google China
• Preceded by GhostNet
– Investigation into attacks on the Dalai Lama
– Wide-ranging network of compromised computers
– 1,295 spread across 103 countries
– 30% = “High Value Targets”
• Min. Foreign Affairs, embassies, news orgs., NATO HQ computer
19. Shadows in the Cloud
• Deep/broad investigation by same group that originally uncovered GhostNet – Released early April 2010
• Documented a new and extremely sophisticated “malware ecosystem” that leverages
– Multiple redundant cloud computing systems
– Social networking platforms (Twitter, Blogspot, etc.)
– Free web hosting services to:
• Maintain persistent command and control over machines while operating core servers located in the PRC
20. Shadows in the Cloud - Key Findings
• New “Ecosystem”
– Convergence of crime & national security threats
• Democratization of espionage
• Theft of classified and sensitive documents
• Collateral compromise
– Visa applications for US workers in Afghanistan – big OpSec problem
• Companies targeted like countries, e.g., Google
– Need to act accordingly
• Clear links to Chinese hackers, but PRC government?
– Wikileaks cable demonstrates USG thinks so
• Your network is only as strong as its weakest link
21. China Rising, Others Following
• April 18, 2010 – 15% of all worldwide Internet traffic redirected to networks inside PRC
• Victims included:
– Secretary of Defense
– All four US armed services
– United States Senate
– Dell, Yahoo, IBM, Microsoft and other private companies
• 9/7/07 – “Chinese Army Blamed for Pentagon Attack”
22. Collateral Damage
• Even if not the prime target, operating in a foreign country may expose organizations to risks associated with cyber-wars/hacktivism
– MasterCard, Amazon targeted by Wikileaks supporters
• High-tech harassment
• Instigators of cyber-wars can cloak true source of attack by hiring hackers in other countries, and by zombie-ing privately owned computers
23. Our #1 Threat?
• Nuclear, bio scarier, possibly worse, but…
• Combining factors
– Intent
– Ease of acquisition (democratization of terror/espionage)
– Potential for serious damage and mass fear/uncertainty
• Strong case for cyber as #1 threat
24. Our #1 Threat?
• Examples of viable national security targets
– Government systems
– Air-traffic control
– Financial sector
– Telecom
– “Smart” energy grid
– Other SCADA targets
– Healthcare (especially with EMR revolution)
25. Keeping Corporate Leaders Up at Night
• Damage from security breaches can cause
– Fines and penalties
– Lawsuits
– Reduced shareholder value
– Negative publicity
– Loss of customer trust
• Few companies have the right elements in place
26. Real Money
• ChoicePoint Data Breach results in $55 million in fines and settlement payments. Largest EVER settlement for FTC
• November 2010: AvMed class action suit by 1.2 million health plan members whose unencrypted PII was on two missing laptops
27. Top Information Security Threats
• Identity theft and espionage directed from China and other countries
• Expected major increase in attacks from trusted organizations
• Insider attacks
• “Massive armies” of persistent botnets
• Supply-chain attacks infecting consumer devices
• Attacks on mobile phones (esp. iPhones)
• Web application security exploits
Source: SANS Institute, 2008.
28. Other Costs of Information Security Breaches
• Loss of customer & shareholder confidence
• Potentially increased insurance/bonding costs
• Negative public image of corporations that don’t do all that was reasonable
• Positive public image for those that do; Do well by doing good
Your company can set the standard!
29. Why You Should Care…
• As a manager/employee:
– Accountability
– Legal liability
– More importantly: Right thing to do
– You could lose:
• Your competitive advantage
• Your sales leads
• Your marketing strategies
– Embarrassment/reputational damage
30. Why You Should Care…
• As a person:
– If bad guys get access to your electronics, they’ll not stop with company data, they’ll take everything:
• Identity theft/use of credit cards, etc.
• Personal contact information
• Using your contacts, data, to attack friends, relatives, and others
• Personal information (books/movies purchased, medical information, etc.) you might well not want “out there”
• Massive “black market” of personal/credit information
• Particularly risky if you use same passwords/commingle personal with business information
31. Legal Liability by Sector (Some Examples)
• Banking/Finance
– Gramm-Leach-Bliley
• Healthcare
– HIPAA
– Expanded in 2009
– National breach disclosure requirement
– Massive fines
• Government
– FISMA/NIST for Federal $$
• Education
– FERPA
• ALL
– 46 State Laws, Bills in Congress, International
32. Officer/Director Liability
• Sarbanes-Oxley – Publicly Traded Companies:
– Requires senior management to perform annual assessment of internal controls over financial reporting
– Indirectly requires management to certify data accuracy
– Regulators believe securing data necessary to ensure accuracy and reliability
34. Why Plan?
• Responsibility to employees, customers, investors
• Planning compels new understanding of crucial business processes
• Enables business survival, reduces degradation in event of disaster
• Competitive advantage/marketing angle
• Reduces “failure of imagination”
35. Planning Fundamentals
1. Risk/business impact analysis
2. Communication
3. Transportation
4. Coordination
5. Redundancy
6. KISS
7. Chains of command
8. Imagination - Failure thereof
36. More Planning Fundamentals
• To start, you have to start
• Scope – Lessons from Goldilocks
• Seats at the table
• Baselining and imagining
• Disaster recovery vs. business continuity
• All hazards approach
• Biggest bang for the buck
37. No Battle Plan Survives the First Shot
• Communications is Key
• Empower Improvisation
• Recrimination Control
• Multiple Contingencies
• Checklists and SOPs
• Failsafes
38. Communications
• Do you have a list of IDs, passwords, important files, etc. printed out/electronic and in a safe place off-site?
• What do you do with mail/customer orders?
• Set up call forwarding to a backup location
• Consider alternate & redundant routing of communications
• Dial-up may not be the most sophisticated technology, but if the Internet is down you can still connect point-to-point with dial-up
39. Information Sharing & Analysis Centers
• Communications
• Energy
• Financial Services
• Information Technology
• Emergency Management & Response
• Surface Transportation
• Supply Chain
www.isaccouncil.org/sites/index.php
40. Disaster Planning Spectrum
• Business Process Mapping
• Threat/Risk Assessment
• Create DR plan
• Acquire assets
• Train DR plan
• Test & exercise
• Plan Regularly
• Continuously Reassess and Refine
42. Key Information Security Planning Principles
• The worst thing is not to start
• 2nd worst thing: Start in the middle
• Data Classification Process
• Strategic Security Plan
• Attorney-client privilege
• Advice of Counsel defense
43. Don’ts
• Start with a penetration test
• Focus only on the technical
• Focus only on the IT department
• Move forward without Attorney-Client privilege in place
44. Private Sector Preparedness
• Private sector preparedness for crises is essential to the nation’s well-being
• Large businesses, often with far-reaching interests, see themselves as more at risk from terrorist plots
• Many small/medium businesses, even though they can be crippled by a crisis, have done little
45. Private Sector Preparedness
• Insurance brokers and companies should consider business preparedness in their risk evaluation process
• We need to promote greater understanding that corporate resilience and preparedness are competitive advantages for companies
• Investors should be aware of a company’s preparedness status to guide their investment decisions
46. Private Sector Preparedness
• Federal legislation empowers DHS to establish a voluntary accreditation and certification program
• Key: Integrate insurance, legal, rating agency communities into certification program to encourage them to reward certified businesses
47. Don’t be Overwhelmed by Fear, Manage Risk
• Before 9/11, most of us were unaware of these threats
• The reality is they are with us to stay
• Our message is not to be afraid but to know that bad things can happen in today’s world and to take steps to be prepared to manage risk and deal with a disaster if and when it happens
• It only makes good business sense; the business that does this planning is one that will emerge from whatever happens, taking care of its customers and employees and move forward.
• It makes every bit of sense to think through scenarios in advance
48. Don’t Try This at Home
• Areas Discussed Today Are Extremely Complex
• Only Constant in this Area is Change
• Warning: This presentation is not legal advice, and should not be relied upon
Bryan Cunningham – bc@morgancunningham.net
Michael Hurley – mihurley@hotmail.com
(303) 743-0003
49. Telecommunications Continuity
• DHS Considers Telecommunications to be a Critical Part of Infrastructure
– Employee Safety (911 and family)
– Encourage Family Pre-planning: Ready.gov
– Operations/Staffing needs
• Telecommunications Systems are an Important Component of Business Continuity Planning
– Travel/meetings curtailed
– Access to Data, PBX/voice communications, call center operations, access to networks
50. Telecommunications Continuity
• Videoconferencing and Audio conferencing are cost-effective alternatives
• Electronic Data Transfer
• Web-based presentations
• Accessible, Effective Data Back-Up
• Reliability of Telecommunications is a key to Business Continuity
51. Telecommunications Continuity
• Reliability Considerations:
– Will your system work during a power outage? Landlines typically have both battery and generator backup.
– Cell Towers may become overloaded.
– Redundancy in the network.
– Call Transfer capabilities – inbound call center operations
• Automated Emergency Notifications
• Automated Attendant Systems (e.g. Voicemail)
• Safety and Security are the highest priorities!