How Would People React and Deal with an Attack on the Electrical Grid?

Could a cyber attack destroy the electrical grid and leave the nation powerless and in the dark for days, weeks or even months? Would we be prepared, or would chaos ensue?

On Oct. 27, National Geographic will premiere “American Blackout,” a movie that tells the story of a national power failure in the U.S. caused by a cyber attack. The film is told in real time, over the span of 10 days, by the characters depicted in the film who kept filming on their cameras and phones. It will air on the National Geographic Channel.

According to Richard Andres, a consultant for the film, the threat isn’t all that far-fetched. “This was a dramatization of something that is not unrealistic. We don’t need to be this vulnerable. But the first step is people need to be aware that this is a problem”.

The film depicts a nationwide power outage caused by a cyber attack. It takes a point-of-view look by different characters affected by the blackout. Some of the characters depicted include a doomsday prepper family, a family awaiting the birth of their second child, and a group of college students stranded in an elevator.

As depicted in the movie, ATMs would not work and neither would credit cards. Andres said that 20 years ago people were more reliant on cash, which would be able to keep commerce going. But now people are more reliant on virtual money, which would stop commerce.

Andres consulted the film and reviewed the script for elements of realism. He told the creators what scenarios he believed were realistic and said he thought that the movie put the experience into terms that the average viewer could relate to. Although many families are not prepared for an event like this, the doomsday preppers in the film had enough food to last them two years. And although he wouldn’t say if that was extreme or not, Andres said food and water are essential and he would advise people to have more than three days worth on hand at any given time.

STORM (Secure Tool for Risk Management)

Designs and keeps updated the ICT Security Policy, Disaster Recovery plans

STORM (Secure Tool for Risk Management) is a collaborative environment offering a buddle of services in order to help your business to securely manage your Information and Communication Technology (ICT) Systems.

STORM is based on web 2.0 technologies and its main characteristics are:

• Compliance with Standards
• Collaboration
• User Friendliness
• Reduces complexity
• Scalability

Some of the key features are:

Cartography:

• Identify and depict the ICT infrastructure
• ICT assets (software and hardware) identification

Impact Assessment Service:

• Recognize the impacts (business, economical, technological, legal) of upcoming incidents on the operations of the ICT

Threat Assessment Service:

• Identify threats Evaluate threats

Vulnerability Assessment Service:

• Identify Vulnerabilities
• Evaluate Vulnerabilities

Risk Assessment service:

• Collaborative support towards identifying and evaluating the impact, threat and vulnerability of each ICT asset (i.e. software, hardware, data asset).

Risk Management service:

• Select the appropriate countermeasures according to the STORM-RM algorithm in order to protect ICT assets.

Refer here for more information or here for demo.

How to Audit Business Continuity

It's Not About the Process; It's About the Plan

Although business continuity is in many ways relatively straightforward, it is not really a technical or scientific discipline compared with security or quality. Auditors need fixed points of reference for comparisons. Standards (in various guises) provide them with a route map to follow. This allows them to check the process, but not really the effectiveness, of the program.

For example, it is easy to check the number of employees who have been through a business continuity management induction, but much more difficult to determine if this has had any impact upon corporate resilience. This factor has often caused full-time BC practitioners to claim that they alone can properly audit a BC plan or program.

There might be some justification for this. An auditor, for instance, could successfully audit a hospital for its compliance against pre-agreed hygiene standards, but would not be credible at determining a surgeon's technical competence at performing a difficult operation. However, few BC practitioners have the formal audit skills that colleagues in internal audit possess.

Many consultants try to gain these skills by undertaking various audit training courses, but often find the concentration on process and compliance frustrating. To be successful in auditing a business continuity program, both professional knowledge of BCM and appropriate audit skills are required.

The goal of a BCM program is to protect the organization, to ensure adequate levels of resilience exist to withstand the consequences of disruptions and to ensure that there is company-wide BCM awareness and operational consistency.  

To continue with the medical analogy, there is little value in a surgeon claiming an operation was a technical success if the patient died of poor aftercare. Similarly, there is little point in an organization gaining BCM certification from compliance authority if it goes out of business as soon as a serious problem occurs.

Resilience, not process consistency, is the ultimate measure of success. So given these warnings and caveats, what must an auditor do to add value to a BCM program?

First, he or she must understand the business fully. There are some good places to start, such as the company's annual report, to understand missions and values; the external auditors report to highlight weaknesses or exposures; as well as risk registers, previous business impact analyses and other available management reports.

It is rarely useful to start with the business continuity plan itself. The second stage is to familiarize oneself with the BCM process that is in place. 

• Does it follow any recognized standard (internal or external)?
• How well has it documented? Do people know about it and their role in it?
• Conducting selective interviews with senior management and other interested parties can help judge how serious they are in supporting BCM.

Remember: A significant budget for commercial IT recovery capability does not in itself demonstrate management commitment to an embedded business continuity culture. Having acquired this level of contextual understanding, auditors can start to ask questions and review the applicability of the responses. 

Many of the questions are basic, but often throw up uncomfortable issues. Typical areas to cover include:

• Do you have plans for all critical systems, processes and functions, and how do you know which are the most critical?
  
• Are the plans accurate, complete and up-to-date? Is the documentation easy to follow in an emergency?
  
• Have roles and responsibilities been defined?
  
• Are the response strategies devised appropriate to the potential level of disruption?
  
• Are the plans tested? If so, how, when and by whom?
  
• Are the test results evaluated, lessons learned and plans enhanced?
  
• Are the initial response structures well-known and fully tested?
  
• Are appropriate communications with external parties defined and tested?
  
• If pre-defined alternate locations are designated, do staff know how to access them?
  
• Are all critical resources backed up and recoverable?
  
• Are personnel trained in their post-incident roles?

The most important thing for the auditor to reflect on is not the documentation, but the resilience capability that can be demonstrated. A poor audit is one in which the auditor treats it as a document review. It is not enough to have a well written plan unless that plan is part of a tried-and-tested process.

Key Qualities of Good Leadership During Bad Times

How to be a good crisis manager?

This is a difficult question for a business continuity practitioner to ask because generally they will be asking it of a senior executive or even a CEO, who is unlikely to believe they are anything less than excellent.

There are some aspects to a crisis which differ from day-to-day management. Unlike managing commercial and operational challenges, in a crisis the route map to follow is often unclear and the consequences of failure much more serious.

A wrong decision can potentially damage the reputation of a company beyond repair. Who now remembers what a strong and influential company Arthur Anderson once appeared? It failed not because it had a bad business model, but because in one situation it failed to take control of the crisis that eventually engulfed it. However, just because you cannot predict the exact nature of a crisis doesn't mean you cannot prepare for it. 

Because it is usually so serious, top management often plays the leading role in dealing with external stakeholders, including the media. This is good in that it shows the organization is taking it seriously, but bad if that leader is ill-prepared.

A crisis is too urgent for a consensus debating style of leadership, but conversely the biggest danger can be over-confidence. Often top managers are dealing with circumstances in which they do not know the details of what plans or capabilities are available (or at least not the details), what the latest information is relating to cause and effect and what is actually happening "on the ground." 

The two crucial elements needed to make decisions are situational awareness and up-to-date information. It is too late to work out how you get the information when the crisis has happened, so a way of monitoring potential problems needs to be constantly running. Despite this, when the crisis erupts, managers can still fail if they are not perceived as being "on top of the situation."

Some ways in which they can show this level of leadership are:

• Always tell the truth based on the facts that are available.
• If you don't know answers to a question, explain why and when you might know.
• Always follow up on what you promise.
• Do not delay making decisions and taking action.
• If you delay taking action, you almost always make things worse and are seen to be drifting.
• Concentrate on protecting reputation, not necessarily minimizing short-term financial loss.
• Ensure proper processes and systems are in place so that situation changes can be constantly monitored and responses modified as appropriate.
• Communicate with all stakeholders, regularly and often.
• Make sure technical mechanisms are in place and the correct people are involved.
• Ensure that internal and external messages are consistent.
• Do not tell the media one thing and staff something different.

Breach Preparation: 4 Key Steps

Tips to Develop Breach Plan

You have one shot to get it right. How should organizations prepare properly for a data breach?

Too often, organizations that go to the effort of creating a breach response plan - but then they fail to actually test it. That is as if you have a fire evacuation plan, but you don't actually execute the drill to make sure the people get out of the building.

To prepare properly for a breach, organizations should:

Select an Individual to Lead the Charge:

Pick that right individual that has enough knowledge of the company and an overview of the importance of the personal identity information that needs to be protected.

Conduct an Audit of All Subcontractors:

So many breaches today occur at third-party service providers. Organizations, then, should ask their key vendors about their own data breach response plans, as well as how big of a priority it is to protect the data they're handling. It's also important to have a formalized agreement of the vendors' breach plans and that they practice it.

Involve the Right Departments:

Privacy, public relations, customer service and information security departments all need to be involved in breach planning. Outside professionals, such as legal and law enforcement, should also be included in the preparation process.

Complete a Yearly Breach Drill:

The ones that actually practice it and have seen some of the hitches that go on, when they've actually experienced a real breach they've done much better in responding more quickly, satisfying the regulators, minimizing the cost and protecting brand reputation.

Why Business Continuity is Critical For Your Business?

4 Tips to Gain Upper Management Attention


Companies often make many strategic decisions such as outsourcing, off-shoring and long supply chains without full consideration of the consequence of business interruption.


They primarily focus in adding short-term value to the bottom-line, but when these strategies fail to deliver, reputation and brand image are compromised. Short-term financial losses might be containable, but long-term loss of market share is often much more damaging.


By implementing effective business continuity plans, businesses can increase their recovery capabilities dramatically. And that means they can make the right decisions quickly, cut downtime and minimize financial losses. So, getting buy-in at the top is crucial. It requires professionals to have better understanding of the concerns of top management and an ability to communicate risk issues in a common language.


Here are a few ways business continuity practitioners can seek upper management attention.


Emphasize business consequences: Many leaders were shaken by the corporate impact that the Gulf of Mexico oil spill incident had on the finances, share-price and reputation of British Petroleum.


Business continuity managers need to bring these real-life cases in their presentation to management and further use their skills to identify their own organization's potential high consequence events. 


Implement innovative tests and exercises: A traditional difficulty is that BCM practitioners do not report at a high enough level to affect decisions. Although often true, they are not without influence, and one way to use it is in developing an innovative testing and exercising program.


In the past, too many exercises have concentrated on evacuation, safety and emergency response. Although these are required, top management employs specific specialists to handle safety and security on their behalf. 


What BC practitioners need to do is choose scenarios and techniques in their exercises that really interest the leadership team. Using scenarios that highlight fundamental business threats and challenging top management to respond can be scary, but it also can raise the profile of BCM rapidly.


Techniques such as war games, stress testing, scenario planning and horizon scanning are becoming important to business continuity tests. These are areas in which the BCM professional could and (in the future) really should take a leading role.


Be more assertive: BCM professionals can get top level attention by taking a more assertive position to organizational change. Clearly, there are limits to which individuals can become involved in strategic decisions, but by producing a well considered analysis of the consequences of change, they can often get senior management interest.


Decisions can be reviewed or modified if consequential risks are better articulated. BCM professionals can do this through a risk management organizational framework and can make their voice heard.


Communicate BCM benefits: Practitioners must concentrate on finding value and benefits for BCM and promoting them.


For example, if having proper BCM in place helps the organization get on the approved supplier list for a major customer, it's the BC professional's job to ensure that everyone knows about it. If it were a key deciding factor that actually won a big contract, make sure that sales, marketing and finance recognize and publicize that fact.


If BCM helps procurement eliminate high-risk suppliers, again getting that message out through whatever communication vehicles is key.

10 Domains of Cloud Security Services

Computer Security Alliance Foresees Security as a Service

Security poses a major challenge to the widespread adoption of cloud computing, yet an association of cloud users and vendors sees the cloud as a provider of information security services.

The Security-as-a-Service Working Group of the Cloud Security Alliance, a not-for-profit association formed by cloud-computing stakeholders, issued a report Monday that defines 10 categories of security services that can be offered over the cloud.

The alliance said its report is aimed at providing cloud users and providers greater clarity on security as a service in order to ease its adoption while limiting the financial burden security presents to organizations. The 10 security-as-a-service categories are:

1. Identity and Access Management should provide controls for assured identities and access management. Identity and access management includes people, processes and systems that are used to manage access to enterprise resources by assuring the identity of an entity is verified and is granted the correct level of access based on this assured identity.
   
   Audit logs of activity such as successful and failed authentication and access attempts should be kept by the application/solution.
   
   
2. Data Loss Prevention is the monitoring, protecting and verifying the security of data at rest, in motion and in use in the cloud and on-premises. Data loss prevention services offer protection of data usually by running as some sort of client on desktops/servers and running rules around what can be done.
   
   Within the cloud, data loss prevention services could be offered as something that is provided as part of the build, such that all servers built for that client get the data loss prevention software installed with an agreed set of rules deployed.
   
   
3. Web Security is real-time protection offered either on-premise through software/appliance installation or via the cloud by proxying or redirecting web traffic to the cloud provider.
   
   This provides an added layer of protection on top of things like AV to prevent malware from entering the enterprise via activities such as web browsing. Policy rules around the types of web access and the times this is acceptable also can be enforced via these web security technologies.
   
   
4. E-mail Security should provide control over inbound and outbound e-mail, thereby protecting the organization from phishing and malicious attachments, enforcing corporate policies such as acceptable use and spam and providing business continuity options.
   
   The solution should allow for policy-based encryption of e-mails as well as integrating with various e-mail server offerings. Digital signatures enabling identification and non-repudiation are features of many cloud e-mail security solutions.
   
   
5. Security Assessments are third-party audits of cloud services or assessments of on-premises systems based on industry standards. Traditional security assessments for infrastructure and applications and compliance audits are well defined and supported by multiple standards such as NIST, ISO and CIS. A relatively mature toolset exists, and a number of tools have been implemented using the SaaS delivery model.
   
   In the SaaS delivery model, subscribers get the typical benefits of this cloud computing variant elasticity, negligible setup time, low administration overhead and pay-per-use with low initial investments.
   
   
6. Intrusion Management is the process of using pattern recognition to detect and react to statistically unusual events. This may include reconfiguring system components in real time to stop/prevent an intrusion.
   
   The methods of intrusion detection, prevention and response in physical environments are mature; however, the growth of virtualization and massive multi-tenancy is creating new targets for intrusion and raises many questions about the implementation of the same protection in cloud environments.
   
   
7. Security Information and Event Management systems accept log and event information. This information is then correlated and analyzed to provide real-time reporting and alerting on incidents/events that may require intervention.
   
   The logs are likely to be kept in a manner that prevents tampering to enable their use as evidence in any investigations.
   
   
8. Encryption systems typically consist of algorithms that are computationally difficult or infeasible to break, along with the processes and procedures to manage encryption and decryption, hashing, digital signatures, certificate generation and renewal and key exchange.
   
   
9. Business Continuity and Disaster Recovery are the measures designed and implemented to ensure operational resiliency in the event of any service interruptions.
   
   Business continuity and disaster recovery provides flexible and reliable failover for required services in the event of any service interruptions, including those caused by natural or man-made disasters or disruptions. Cloud-centric business continuity and disaster recovery makes use of the cloud's flexibility to minimize cost and maximize benefits.
   
   
10. Network Security consists of security services that allocate access, distribute, monitor and protect the underlying resource services. Architecturally, network security provides services that address security controls at the network in aggregate or specifically addressed at the individual network of each underlying resource.
    
    In a cloud/virtual environment, network security is likely to be provided by virtual devices alongside traditional physical devices.

Stuxnet worm infected at least 30,000 Windows PCs

Iran confirms massive Stuxnet infection of industrial systems

Officials in Iran have confirmed that the Stuxnet worm infected at least 30,000 Windows PCs in the country, multiple Iranian news services reported on Saturday. Experts from Iran's Atomic Energy Organization also reportedly met this week to discuss how to remove the malware.

Stuxnet, considered by many security researchers to be the most sophisticated malware ever, was first spotted in mid-June by VirusBlokAda, a little-known security firm based in Belarus. A month later Microsoft acknowledged that the worm targeted Windows PCs that managed large-scale industrial-control systems in manufacturing and utility companies.

Those control systems, called SCADA, for "supervisory control and data acquisition," operate everything from power plants and factory machinery to oil pipelines and military installations.

Refer here to read more details.

Leadership Lessons in Disaster Recovery

BP and Toyota

No career is without its hiccups. No company goes straight up and to the right. Every successful executive and every company that’s been around has been to the brink of disaster at some point. What distinguishes the great ones is the way they handle it. Few are proactive and decisive. They recover. The rest, well, don’t.

Survivors see disaster as a wakeup call, an opportunity to learn and change. The rest try to sweep it under the rug, sugarcoat the truth, or make believe it isn’t really happening. Here are three anecdotes about companies and executives in crisis. Executives, leaders, managers, indeed everyone, listen up. Your time will come. You can count on it.

Toyota, once the king of quality, has recalled over 8.5 million cars and trucks over the past six months due to a laundry list of quality and reliability problems. And in J.D. Power’s annual Initial Quality Survey of new vehicles, Toyota fell to a dismal 21st place overall. I’d call that a wakeup call.

The situation is even more dire for embattled oil giant BP. The gulf oil spill has cost the company $100 billion in market valuation and the price tag for cleaning up the mess will likely be upwards of $20 billion. Throw in the global destruction of the BP brand and you can bet that top executive heads will roll when the leak is finally stopped and the crisis abated.
 
Each example provides a takeway for how companies and individuals can best recover from disaster:

1. Leave no stone unturned in determining how to restructure. Nothing is sacred. Don’t decry lost efficiency, productivity, profits, or anything you have to sacrifice to get back on track. You can deal with that later. If you don’t fix what’s wrong, there won’t be any later.
2. Wakeup calls can save your career, your company, your industry, but only if you actually wake up. That means being honest with yourself about your failure. That takes humility, courage, and perseverance, not coincidentally, all basic qualities of successful leaders.
    
3. The sooner you realize what’s going on, the quicker you react, the better the recovery. Almost every company (and everybody) reacts tenuously or takes a wait-and-see approach. In virtually every case, that’s a bad idea. Be decisive and be quick about it. If you need to cut, cut early and cut deep. You can build back up as conditions improve.

Business Continuity Planning - BCP

Business Continuity Planning is an ongoing iterative process.

Business Continuity Planning is not a project with a finite commencement and conclusion. Access your Business Continuity Planning when you need it from wherever you can gain web access. The web-based model of delivery removes your reliance on the very infrastructure at rrisk of being impacted by a critical event.

The Important Of Planning.

The primary goal of a Business Continuity Planning has always been its successful use in reponse to some form of disaster. In addition to protecting your business, successful use of a Business Continuity Planning can also demonstrate your business resilience to your clients, and other businesses you deal with.

However, there are significant additional benefits to any organisation simply through the creation and ongoing management of a Business Continuity Planning. The creation of a cohesive Business Continuity Planning helps to ensure that representatives from all facets of your business are aware of each other's roles and responsibilities. As the Business Continuity Planning is reviewed it can help highlight issues and provide the required focus on resourcing or change in key business units. And as an organisation and the people within it change over time, a Business Continuity Planning lifecycle review process can help identify adverse impact of change within that organisation.

The Business Continuity Planning Lifecycle

Business Continuity Plannings require a lifecycle approch; as your business grows and changes, the Business Continuity Planning needs to grow and change to help protect your business. Once a Business Continuity Planning is created it needs to kept current through scheduled reviews and updates, and in order to validate that it is current, it needs to be regularly tested.

The following steps are required to create, manage and test your Business Continuity Planning:

• Project Initiation - program and user hierarchy
  
  
• Funcational Analysis - Business Impact Analysis, surveys
  
  
• Design/Creation - import existing or new files into templates
  
  
• Training - maintain Business Continuity Planning traning schedules, and report on access
  
  
• Testing - store, use and re-use test excercises
  
  
• Maintenance - alert task assignees, report on compliance
  
  
• Execution - use pre-planned response actions, track execution for post-execution review.