
Touchpoint! Where Cybersecurity and Business Continuity Meet The Webinar will begin shortly






Presentation Transcript


  1. Touchpoint! Where Cybersecurity and Business Continuity Meet. The Webinar will begin shortly

  2. Touchpoint! Where Cybersecurity and Business Continuity Meet. The Webinar will begin in 2 minutes

  3. Touchpoint! Where Cybersecurity and Business Continuity Meet. The Webinar will begin in 1 minute

  4. Touchpoint! Where Cybersecurity and Business Continuity Meet. Welcome

  5. Agenda • Introduce our hosts and sponsors • Meeting logistics • Introduce our panelists • Presentations • Panel discussion/ Q&A

  6. www.continuitycompliance.org

  7. www.continuitycompliance.org

  8. www.NorthRiverSolutions.com The Architects of Resiliency

  9. www.metrix411.com The Assessment and Information Management Company

  10. Use the Instant Message feature to submit questions for discussion by the panelists.

  11. Three Follow-On Activities • All questions will be listed at www.continuitycompliance.org • The slide deck and video recording of this session are available on the ACP Home Page and the Continuity Compliance Home Page • A LinkedIn group entitled “ACP Edu. Webinar Series Q and A Forum” has been set up. All questions will be posted on this forum for discussion.

  12. www.cyberdiligence.com

  13. www.fusionrm.com

  14. Touchpoint! Where Cybersecurity and Business Continuity Meet. David Kondrup – Cyber Diligence, Inc. www.cyberdiligence.com

  15. Cyber Security & Business Continuity: How Cyber Security Threats Impact Business Continuity Planning… Presenter: David A. Kondrup, C.E.O., All Business Management, LLC; Vice President, Cyber Diligence, Inc.

  16. Goals for today’s presentation • Discuss top Cyber-Security Threats in 2010 • They represent a real risk to business continuity and disaster recovery • Some Numbers ($) • How the Cyber Threats Impact Your BCM • What your BIA should address • Planning Considerations • Internal or External Help • Questions

  17. Technology Today • Communication via the internet, and the devices used on corporate networks, have changed significantly. • BlackBerrys, smart phones, instant messaging • USB drives, iPhones, iPods, digital cameras • Facebook, MySpace, LinkedIn, Twitter, blogs • These technologies have created significant opportunities for employers, but they have also created significant risks! Business Continuity Planning (BCP): what is the impact?

  18. Risk Analysis Strategies and Incident Response

  19. 2010 Cyber-Threat Predictions • Social Networks (Phishing, now Whaling and Spearing) • Operating Systems & Third-Party Programs • Cyber-Warfare (Attack of the Botnets) • Smart Phones • Data Loss (hard drives, Thumb Drives) • Malware Variants (Search Engine Optimization - Poisoning Info) • Threats to the MAC • In the “Clouds”

  20. 1. Social Networks & Social Engineering • A highly successful strategy for malware developers. • Trick people with important topics in the news • High-profile events (“World Cup”, public holidays) • A gold mine for personal information, intelligence gathering, phishing, whaling and spear-phishing. BC Planning: the BIA should examine employee training and include a review of the Acceptable Use Policy. National Security Cyber Awareness Campaign: “Stop. Think. Connect.” “People cannot value security without first understanding how much is at risk. Therefore, the Federal government should initiate a national public awareness campaign… This campaign should focus on public messages to promote responsible use of the Internet and awareness of fraud, identity theft, cyber predators, and cyber ethics.” - White House Cyberspace Policy Review 6/2009

  21. 2. Third-Party Programs • Software flaws (patches) • Where are the hackers going to go? • Third-party applications: Adobe Flash, Adobe Reader, Sun Java • Hackers are going to Facebook, MySpace, LinkedIn and other social/business networking sites. BC Planning: Does the BIA examine updates & patches? (October 4 new Critical Security Updates by Adobe, Reader & Flash Player.) Scan systems, networks and computers for known malware, viruses and Trojans.

  22. 3. Cyber Warfare

  23. 3A. Attack of the Botnets • Governments & criminal enterprises are building botnets for use in cyber-warfare and in criminal activities such as extortion and blackmail (denial of service attacks) • Sneaking bots & Trojans onto innocent, unsuspecting civilian and business computers • Criminals are putting their capabilities up for bid online • Shadowserver is tracking 5,900 • A recent (Oct 2010) Symantec survey shows 53% of critical infrastructure firms around the globe have been hit with an attack; 48% of the firms expect more attacks • http://www.symantec.com/content/en/us/about/presskits/Symantec_2010_CIP_Study_Global_Data.pdf • The “Stuxnet worm attack” targets control systems made by Siemens that are commonly used to manage water supplies, oil rigs, factory controls, and plant systems. BC Planning: • Does the BIA address resiliency against cyber attacks through security training, executive management awareness, endpoint security, cyber security response and cyber security audits? • Do the BIA, RTO and RPO address e-commerce issues? • Does the BIA address the impact of a denial of service attack? • Is there an Incident Response Plan for cyber attacks? • Is there a plan for in-house or outside cyber security investigations, with specialized computer forensic tools & software?

  24. 4. Smart Phones

  25. Smart Phones: iPhones, Droids, BlackBerrys, etc. • A smart phone is a small computer on your hip or in your purse • Web browsing, email, word processing, spreadsheets, applications … of all types • Kaspersky Labs had identified 1,550 mobile malware signatures as of September • Top cell phone spy products: “Spy Phone” (Android Spy App, Blackberry Spy, iPhone Spy App, Nokia Spy), “FlexiSpy”, “Mobile-Spy” • They intercept text messages and call logs, and provide live call interception, remote monitoring and GPS tracking (wiretapping is a crime) • A fake movie player app for Android sent premium SMS messages costing owners $5 each. BC planning: • The BIA should address enterprise security updates • The BIA should address the Acceptable Use Policy for use of private phones at work • Don’t leave phones unattended; do not install unknown apps • Sweep phones if symptoms occur • Most enterprise platforms are OK if security is maintained.

  26. Smart Phones • SIM card readers (they don’t work on all phones) • No cell phone spyware needs to be installed • A SIM card reader allows you to recover & read text messages (including deleted ones), phone history and address book contacts • The SIM card is removed, then inserted into a device (which can look like a USB thumb drive). BC Planning: • The BIA should address policies on lost phones • Training on safeguarding phones: do not lend out your phone.

  27. 5. Data Loss & Data Theft • CA Security Report highlights insider threats: “rather than write variants of malware, they will hire ‘moles’ to pinpoint weaknesses within businesses, and use employees to siphon data for a profit”. • Two types of attacks: “internal threat” and “quiet attacks” • http://www.securecomputing.net.au/News/166248,ca-security-report-highlights-insider-threat.aspx • http://www.ca.com/files/SecurityAdvisorNews/h12010threatreport_244199.pdf • Lost laptops, lost thumb drives, use of USB devices (“pod-slurping”), use of email & FTP • The Ponemon Institute reports that 800,000 devices are lost each year • Use of private e-mail accounts: Yahoo Mail, Gmail, AOL, Hotmail, etc. BC Planning: • Does the BIA examine policies for endpoint users (USB ports)? • Does IT use a program to alert them when USB devices are accessed and files are copied to them? • Does the BIA examine policies on encryption, travel, transport and use of USB ports? • Does the Acceptable Use Policy address employee privacy expectations on use of private e-mail accounts on the corporate network? • Consider a private vendor to monitor networks or investigate “data in motion”.

  28. 6. Malware • New malware variants have grown significantly over the past 3 years. • In 2009 PandaLabs identified 25 million new malware samples • Previously they had identified 15 million over 20 years • NY Times 2/19/10 Page B3 “Malicious Software…” • Cyber criminals are using removable media & end-user naivety to introduce malware • The SillyFDC worm plagued the US Army; Conficker • Rogue mail, pop-ups and re-directs (poisoned info), fake security software (stealing credit card info) • Used to install keystroke loggers to capture information. BC Planning: • The BIA should address social media training (social media is used to distribute malicious programs) • The BIA should address network & computer scanning for malware & Trojans (more than 55% of all malware were Trojans in Q3 2010, per PandaLabs) • The BIA should address training executives and employees with financial responsibilities (Panda Security reports most malware are “banker Trojans” that trick web users into navigating to fake financial sites so cybercriminals can steal login details and passwords).

  29. 7. Threats to the Mac • “Macs don’t get viruses” is now a myth • Macs are not bulletproof against malware • In 2009 Apple fixed hundreds of vulnerabilities in its OS and supporting products • Mac malware like DNSChanger will increase; in the first 6 months of 2010: • Jan – traffic redirector • Feb – ransomware blocker • March – Safari drive-by attack, CVE-2010-1120 • April – HellRaiser 4.2 • May – Safari carpet bomb attack • June – “PremiereOpinion” Mac OS X spyware • As Macs continue to gain market share they will continue to be targeted by the bad guys for vulnerabilities in their OS platform. BC Planning: the BIA should address security updates on Mac platforms.

  30. 8. Cloud Computing • Can cloud vendors protect your sensitive data? • Will your “crown jewels” reside in the cloud? • Security vendors are finding ways to provide more robust and dynamic security services for cloud computing. • Someone will hack or penetrate the cloud. BC planning: • Does your BIA address security and privacy regulations when sensitive data (“crown jewels”) resides in the cloud? Where is the equipment located? • Do the BIA and Risk Assessment include the cloud vendor’s security certification? • The cost-benefit analysis should include fines & risks for loss of PII, HIPAA and financial data. • You reap all the benefits of cloud computing, but while you remain responsible for the data, you are not in charge of managing the cloud’s security.

  31. Some Numbers ($) • Fraud by employees is common and hard to detect. • Association of Certified Fraud Examiners: $175,000 median loss • Most are first-timers; 7% had prior convictions, 12% had previously been terminated for fraud-related conduct • EEO verdicts • Jury Verdict Research: avg. $900,000 jury award • EEOC: avg. negotiated settlement $550,000 • One $54 million settlement in a sex harassment case, with $12 million to one plaintiff • “Insider Threat”, Dr. Eric Cole & Sandra Ring, Syngress Press: average monetary loss on cases worked $350 million annually • The Symantec 2010 Critical Infrastructure Protection Study reports that the average cost to small businesses from malware attacks was $850,000 per attack • CBS Evening News (4/22/10) “Where America Stands”: U.S. estimates $20 billion/year loss from cyber espionage

  32. BC Planning Considerations
      Cyber Threat                 BC Impact
      Social Networks              Unauthorized access
      OS & 3rd-Party Programs      Unauthorized access
      Cyber-War                    Denial of service, e-commerce
      Smart Phones                 Industrial espionage
      Data Losses – Thefts         IP, PII and reputational losses
      Malware Variants             Unauthorized access, DoS
      Mac Computers                OS exploitation
      Cloud Computing              Loss of controls, but responsible for losses; regulatory issues

  33. What Can You Do: Some Solutions • Strategic partnerships: Security, IT Department, HR Department, Agency Counsel • Employee awareness & training • Social engineering: train employees to “Spot & Stop” • Develop “Smart Policies for Workplace Technologies” • USB insecurity: encrypt devices, validate removable devices to prevent malware introduction, enforce device usage policies • Automatic alerts to IT Security for unauthorized USB access/copying • Authorize key corporate individuals & pre-authorized devices • Internal or external help: pros & cons of internal vs. external help; need to protect attorney-client privileged information and work product
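The USB controls on this slide (pre-authorized devices, authorized individuals, automatic alerts on unauthorized access or copying) and the question on slide 27 (“Does IT use a program to alert them when USB devices are accessed and files are copied?”) come down to a small piece of detection logic. The following is an added example, not code from the webinar or from Cyber Diligence: it parses a constructed device-event log, checks each event against an assumed allow-list of (vendor ID, product ID, serial) tuples and an assumed list of authorized users, and raises an alert for unregistered devices, for allow-listed devices in the wrong hands, and for unusually large copies even to approved devices. The log line format, the allow-lists and the sample events are all constructed; a real deployment would feed it Windows Kernel-PnP/Security events or Linux udev and auditd records.

```python
"""Alert on unregistered or suspicious USB mass-storage activity.

Added example for this slide; not code from the webinar or Cyber Diligence.
The log format, the device allow-list, the user list and the sample events
are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Pre-authorized devices, keyed by (vendor_id, product_id, serial) -- constructed
AUTHORIZED_DEVICES = {
    ("0951", "1666", "0C3F4A21"),  # corporate-issued encrypted drive
}
# Users permitted to use removable media at all -- constructed
AUTHORIZED_USERS = {"jdoe", "itsec-admin"}

# Constructed line format:
#   <ts> host=<h> user=<u> event=<usb_insert|file_copy> vid=<v> pid=<p> serial=<s> [bytes=<n>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"vid=(?P<vid>[0-9A-Fa-f]{4}) pid=(?P<pid>[0-9A-Fa-f]{4}) serial=(?P<serial>\S+)"
    r"(?: bytes=(?P<bytes>\d+))?$"
)


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    reason: str
    device: tuple


def parse_line(line):
    """Return a dict of fields, or None for lines that are not device events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["vid"], ev["pid"] = ev["vid"].upper(), ev["pid"].upper()  # normalise hex case
    ev["bytes"] = int(ev["bytes"]) if ev["bytes"] else 0
    return ev


def evaluate(lines, copy_threshold_bytes=50 * 1024 * 1024):
    """Apply the device-control policy to a stream of log lines.

    Policy (constructed to mirror the slide's controls):
      * insertion of a device not on the allow-list            -> alert
      * an allow-listed device used by a non-authorized user   -> alert
      * any copy to a non-allow-listed device or by a non-authorized user -> alert
      * a copy above copy_threshold_bytes, even to an approved device     -> alert
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated or malformed line; never let it crash the monitor
        device = (ev["vid"], ev["pid"], ev["serial"])
        ok_device = device in AUTHORIZED_DEVICES
        ok_user = ev["user"] in AUTHORIZED_USERS
        reason = None
        if ev["event"] == "usb_insert":
            if not ok_device:
                reason = "unregistered device inserted"
            elif not ok_user:
                reason = "authorized device used by non-authorized user"
        elif ev["event"] == "file_copy":
            if not ok_device:
                reason = "copy to unregistered device"
            elif not ok_user:
                reason = "copy by non-authorized user"
            elif ev["bytes"] >= copy_threshold_bytes:
                reason = "large copy to authorized device"
        if reason:
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"], reason, device))
    return alerts


# Constructed sample log: one working day on three workstations.
SAMPLE_LOG = [
    "2010-10-20T09:01:02Z host=WS-114 user=jdoe event=usb_insert vid=0951 pid=1666 serial=0C3F4A21",
    "2010-10-20T09:03:10Z host=WS-114 user=jdoe event=file_copy vid=0951 pid=1666 serial=0C3F4A21 bytes=2048000",
    "2010-10-20T11:15:44Z host=WS-207 user=mroe event=usb_insert vid=058f pid=6387 serial=AA12BB34",
    "2010-10-20T11:16:02Z host=WS-207 user=mroe event=file_copy vid=058f pid=6387 serial=AA12BB34 bytes=734003200",
    "2010-10-20T13:40:00Z host=WS-301 user=tsmith event=usb_insert vid=0951 pid=1666 serial=0C3F4A21",
    "2010-10-20T14:02:33Z host=WS-114 user=jdoe event=file_copy vid=0951 pid=1666 serial=0C3F4A21 bytes=104857600",
    "2010-10-20T14:05:00Z host=WS-114 kernel: unrelated message that must not break parsing",
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(f"{a.ts} {a.host} user={a.user} {a.reason} device={a.device}")
```

Keying the allow-list on the device serial as well as vendor and product IDs matters: two drives of the same model are indistinguishable by VID/PID alone, so a policy that only checks the model would let any retail copy of the corporate drive through. The size threshold is a tunable, not a rule; the point is that an approved device in approved hands still deserves a look when the volume copied is out of the ordinary.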

  34. Internal vs. External • Time is your enemy • Internal departments have other pressing duties • Capabilities • Equipment & specialized Software • Experience • Investigative as well as technical • Litigation Support & testimony • Confidentiality • Targets are IT, senior members, etc. • Preserve work product, attorney-client privilege • Duty of Care responsibilities • Independent outside Subject Matter Experts

  35. Cyber Security Vendor: What Can They Do • Information technology investigations • Network forensics • Computer forensics • Incident response • E-discovery • Expert witness and litigation support • Training and briefings • Technical experts for investigations • Information technology security and risk assessments • IT / communication TSCM (Technical Surveillance Countermeasures)

  36. Cyber Security CSI Capabilities (continued) • Periodic checks for compliance with corporate responsibilities • Insider threats • Outsider threats • Operational risks • Directors’ & officers’ duty of care

  37. Contact information • Contact: David Kondrup (516) 507-4322 Vice President, Strategic Initiatives Email: dk@CyberDiligence.com www.CyberDiligence.com Cyber Diligence, Inc. 575 Underhill Blvd – suite 209 Syosset, N.Y. 11791

  38. Touchpoint! Where Cybersecurity and Business Continuity Meet. Daniel Dec – Fusion Risk Management, Inc. www.fusionrm.com

  39. CyberSecurity Meets Business Continuity Planning: A BCP View • Daniel A. Dec • SVP Information Security, Fusion Risk Management Inc.

  40. TOPICS Agenda • 6 Typical BCP / Security Challenges • Program Structure • Executive Commitment • Key Observations • Questions

  41. LEADING OR BEGGING? Consider this question as we run through the next few slides

  42. 6 Typical BCP/Security Challenges • 1) Security generally is more prominent in Business Risk Management activities (Chart: “Today’s typical Risk Management situation”, plotting Perceived Impact against Control Effectiveness, with the risk marked as unknown)

  43. Effective Decision Framework (Chart: Perceived Impact against Control Effectiveness; focus up in the high-impact region, not down in the low-impact one) Q: Does BCP/DR try to eliminate ALL risk?

  44. 6 Typical BCP/Security Challenges • 2) Security Changes affect BCP requirements and capabilities • Security is often part of Change Management • Too often these changes are not communicated to BC/DR • Q) Is the BC/DR team actively involved at the Change Management table?

  45. 6 Typical BCP/Security Challenges • 3) Supply Chain / Third Party Vendors • Security often evaluates vendors as part of vendor procurement • Security is often involved in regular reviews or audits of vendors for contract compliance • Too often these evaluations do not focus enough on “Availability” even though Security should be covering Confidentiality, Integrity and Availability • Q) Is BC/DR part of the vendor evaluation/certification process?

  46. 6 Typical BCP/Security Challenges • 4) Security and Human Resources • Security often has a direct link to the authoritative source for personnel (usually HR) • Security uses this relationship to manage provisioning and deprovisioning of access effectively • This direct connection to HR would benefit BC/DR because of the effect personnel changes have on the roles and responsibilities in recovery plans. • Q) Does BC/DR have a direct link to HR? Can it leverage the Security/HR communication process?
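The HR link described on this slide is one feed serving two consumers: the same status change that tells Security to revoke an account tells BC/DR that a recovery role may now be held by someone who has left or moved. The following is an added example, not Fusion Risk Management’s code: it takes a constructed HR export, a constructed access-grant list and a constructed recovery-plan roster, emits the deprovisioning actions Security would act on, and in the same pass flags recovery roles whose primary or alternate is terminated, has transferred out of the expected department, or was never assigned. The field names (emp_id, status, dept, primary, alternate) are assumptions about what an HR export and a BC/DR plan would carry.

```python
"""Reconcile the HR roster against access grants and recovery-plan roles.

Added example for this slide; not Fusion Risk Management's code. The HR
feed, the access grants, the recovery plan and their field names are all
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Findings:
    deprovision: dict   # emp_id -> sorted list of systems whose access should be revoked
    plan_issues: list   # human-readable problems with the recovery-plan roster


def reconcile(hr_feed, access_grants, recovery_plan):
    """One pass over the HR feed that serves both Security and BC/DR."""
    people = {r["emp_id"]: r for r in hr_feed}
    active = {eid for eid, r in people.items() if r["status"] == "active"}

    # Security's half: anyone holding access who is not an active employee
    # (terminated, or simply unknown to HR) is a deprovisioning action.
    deprovision = {eid: sorted(systems)
                   for eid, systems in access_grants.items() if eid not in active}

    # BC/DR's half: every recovery role needs active holders in the expected
    # department; terminations, transfers and empty alternate slots all count.
    plan_issues = []
    for role, slots in recovery_plan.items():
        holders_ok = 0
        for slot in ("primary", "alternate"):
            eid = slots.get(slot)
            if eid is None:
                plan_issues.append(f"{role}: no {slot} assigned")
                continue
            rec = people.get(eid)
            if rec is None or rec["status"] != "active":
                plan_issues.append(f"{role}: {slot} {eid} is no longer active")
                continue
            if rec["dept"] != slots["dept"]:
                plan_issues.append(
                    f"{role}: {slot} {eid} moved to {rec['dept']} (plan expects {slots['dept']})")
                continue
            holders_ok += 1
        if holders_ok == 0:
            plan_issues.append(f"{role}: no active holder, plan cannot be executed")
    return Findings(deprovision, plan_issues)


# Constructed HR export: one record per employee.
HR_FEED = [
    {"emp_id": "E100", "name": "A. Ortiz", "status": "active", "dept": "IT Ops"},
    {"emp_id": "E101", "name": "B. Chen", "status": "terminated", "dept": "Finance"},
    {"emp_id": "E102", "name": "C. Patel", "status": "active", "dept": "Legal"},  # transferred out of IT Ops
]
# Constructed access grants: emp_id -> systems the account can reach.
ACCESS_GRANTS = {
    "E100": {"vpn", "dr-console"},
    "E101": {"vpn", "erp"},
    "E102": {"dr-console"},
    "E199": {"vpn"},  # account with no HR record at all
}
# Constructed recovery plan: role -> primary, alternate and the department expected to hold it.
RECOVERY_PLAN = {
    "DR Coordinator": {"primary": "E100", "alternate": "E102", "dept": "IT Ops"},
    "Finance Recovery Lead": {"primary": "E101", "alternate": None, "dept": "Finance"},
}

if __name__ == "__main__":
    findings = reconcile(HR_FEED, ACCESS_GRANTS, RECOVERY_PLAN)
    for eid, systems in findings.deprovision.items():
        print(f"revoke {eid}: {', '.join(systems)}")
    for issue in findings.plan_issues:
        print(f"plan: {issue}")
```

The department check is what catches the “mover” case the slide alludes to: a transfer does not show up as a termination, so an access review alone passes it, yet the person may no longer be in a position to execute the recovery task assigned to them. Treating an account unknown to HR as something to revoke, rather than ignore, is the conservative default for the Security half.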

  47. 6 Typical BCP/Security Challenges • 5) Security generally has forms of training and awareness in place, but they lack BCP/DR focus • Security often has security training and awareness embedded in new-hire processes • Security may have annual certifications and various other required training tied to gaining system access, often in compliance with regulations like HIPAA or other policies, standards or requirements • Security is often visible, as the media regularly highlights failures in security. Think about information breach incidents, and the laws and requirements surrounding notifications • Q) How robust is your BC/DR training and awareness program?

  48. 6 Typical BCP/Security Challenges • 6) Security generally has collaborated with and maintains alignment with the business • Security often deals with various risk mitigation solutions and has focused on the prioritization of risks and controls because: “Vulnerabilities and threats are endless, the funds to address them are not” - CEO, Fusion Risk Management • Security has established cross-functional executive management teams • Q) How aligned is your BC/DR program with the business?

  49. Promote Collaboration! PROGRAM STRUCTURE

  50. EXECUTIVE COMMITMENT
