How Would People React and Deal with an Attack on the Electrical Grid?

Could a cyber attack destroy the electrical grid and leave the nation powerless and in the dark for days, weeks or even months? Would we be prepared, or would chaos ensue?

On Oct. 27, National Geographic will premiere “American Blackout,” a movie that tells the story of a national power failure in the U.S. caused by a cyber attack. The film is told in real time, over the span of 10 days, by the characters depicted in the film who kept filming on their cameras and phones. It will air on the National Geographic Channel.

According to Richard Andres, a consultant for the film, the threat isn’t all that far-fetched. “This was a dramatization of something that is not unrealistic. We don’t need to be this vulnerable. But the first step is people need to be aware that this is a problem”.

The film depicts a nationwide power outage caused by a cyber attack. It takes a point-of-view look by different characters affected by the blackout. Some of the characters depicted include a doomsday prepper family, a family awaiting the birth of their second child, and a group of college students stranded in an elevator.

As depicted in the movie, ATMs would not work and neither would credit cards. Andres said that 20 years ago people were more reliant on cash, which would be able to keep commerce going. But now people are more reliant on virtual money, which would stop commerce.

Andres consulted the film and reviewed the script for elements of realism. He told the creators what scenarios he believed were realistic and said he thought that the movie put the experience into terms that the average viewer could relate to. Although many families are not prepared for an event like this, the doomsday preppers in the film had enough food to last them two years. And although he wouldn’t say if that was extreme or not, Andres said food and water are essential and he would advise people to have more than three days worth on hand at any given time.

What's your personal Disaster Recovery Strategy?

After the Storm Comes a Rainbow

If you've ever had a computer device unexpectedly fail on you, you know how it feels - like a flash flood, taking you by surprise and washing away everything you need.

Lets say, you have an external hard drive which stopped. Completely. Unexpectedly.

Did you had backups of that data? Do you make backups of your data regularly?

Here are some recommendations to help you from feeling the pain of a failed hard drive:

• Invest in an external backup drive for storing your backups. You can see some good guidance here.
  
• For data that is especially valuable (income tax data, photos, business data), make another copy on a different external drive and store at a different, secure location, such as a bank safety deposit box.
  
• Back up your email at least once a week; more often if you depend on it for business and would be lost without it.
  
• Most external hard drives can be configured to automatically make backups at specified intervals; look for external hard drives with these capabilities.
  
• If personal information is on your backup drive, encrypt it!
  
• If you want to use a cloud service to store your backups, make sure they will encrypt your data, and that they have terms of service that will allow you ample time to remove your data, completely, if there is ever the need.
  
• Regularly test backups to ensure the backup data is actually good.

STORM (Secure Tool for Risk Management)

Designs and keeps updated the ICT Security Policy, Disaster Recovery plans

STORM (Secure Tool for Risk Management) is a collaborative environment offering a buddle of services in order to help your business to securely manage your Information and Communication Technology (ICT) Systems.

STORM is based on web 2.0 technologies and its main characteristics are:

• Compliance with Standards
• Collaboration
• User Friendliness
• Reduces complexity
• Scalability

Some of the key features are:

Cartography:

• Identify and depict the ICT infrastructure
• ICT assets (software and hardware) identification

Impact Assessment Service:

• Recognize the impacts (business, economical, technological, legal) of upcoming incidents on the operations of the ICT

Threat Assessment Service:

• Identify threats Evaluate threats

Vulnerability Assessment Service:

• Identify Vulnerabilities
• Evaluate Vulnerabilities

Risk Assessment service:

• Collaborative support towards identifying and evaluating the impact, threat and vulnerability of each ICT asset (i.e. software, hardware, data asset).

Risk Management service:

• Select the appropriate countermeasures according to the STORM-RM algorithm in order to protect ICT assets.

Refer here for more information or here for demo.

What Is Future of Information Security?

Hackers will and always be ahead of us!

It has become extremely hard for fraudster to make money from stealing credit cards, internet banking details, personal information etc due to increase in security measures by majority of the banks.

Now they are hacking, encrypting data and requesting for ransom money before they release the data. They're doing their calculations right, they are requesting the ransom amount which is way less to what it would cost company to recover/decrypt. The senior management finding this approach much easier to recover.

THIS IS THE FUTURE OF INFORMATION SECURITY!

I have been saying this for ages that bad guys will and always be ahead of us. They motive is to make money, for years and years financial crime was the easiest way for them to make money. Due to increase security technologies deployed by banks such as two-factor authentications, chip readers, proactive fraud detections systems etc, it is extremely difficult for fraudsters to make money.

The wider phenomenon of data ransoming is overwhelmingly that of Trojans infecting individual PCs in order to encrypt consumers’ private data, but the latest Australian attack could be an example of a separate trend to target and attack specific types of business.

I believe we will continue to loose the battle with the bad guys because we are not proactive in information security. We always wait for bad guys to setup a trend so we can follow :)

We will take few years to protect their latest tactics and by that time they will already come up with a new way to make money. 

Here are my suggestions:

• We have to change our strategy, we need to be more proactive!
• We need to consider security in each and everything!
• We need to ensure disaster recovery and business continuity is considered in every business!
• We should stop relying on technologies!
• We need to understand process and people are more important then technology
• We need to find innovative ways of protecting our data tailored to business needs

How to Audit Business Continuity

It's Not About the Process; It's About the Plan

Although business continuity is in many ways relatively straightforward, it is not really a technical or scientific discipline compared with security or quality. Auditors need fixed points of reference for comparisons. Standards (in various guises) provide them with a route map to follow. This allows them to check the process, but not really the effectiveness, of the program.

For example, it is easy to check the number of employees who have been through a business continuity management induction, but much more difficult to determine if this has had any impact upon corporate resilience. This factor has often caused full-time BC practitioners to claim that they alone can properly audit a BC plan or program.

There might be some justification for this. An auditor, for instance, could successfully audit a hospital for its compliance against pre-agreed hygiene standards, but would not be credible at determining a surgeon's technical competence at performing a difficult operation. However, few BC practitioners have the formal audit skills that colleagues in internal audit possess.

Many consultants try to gain these skills by undertaking various audit training courses, but often find the concentration on process and compliance frustrating. To be successful in auditing a business continuity program, both professional knowledge of BCM and appropriate audit skills are required.

The goal of a BCM program is to protect the organization, to ensure adequate levels of resilience exist to withstand the consequences of disruptions and to ensure that there is company-wide BCM awareness and operational consistency.  

To continue with the medical analogy, there is little value in a surgeon claiming an operation was a technical success if the patient died of poor aftercare. Similarly, there is little point in an organization gaining BCM certification from compliance authority if it goes out of business as soon as a serious problem occurs.

Resilience, not process consistency, is the ultimate measure of success. So given these warnings and caveats, what must an auditor do to add value to a BCM program?

First, he or she must understand the business fully. There are some good places to start, such as the company's annual report, to understand missions and values; the external auditors report to highlight weaknesses or exposures; as well as risk registers, previous business impact analyses and other available management reports.

It is rarely useful to start with the business continuity plan itself. The second stage is to familiarize oneself with the BCM process that is in place. 

• Does it follow any recognized standard (internal or external)?
• How well has it documented? Do people know about it and their role in it?
• Conducting selective interviews with senior management and other interested parties can help judge how serious they are in supporting BCM.

Remember: A significant budget for commercial IT recovery capability does not in itself demonstrate management commitment to an embedded business continuity culture. Having acquired this level of contextual understanding, auditors can start to ask questions and review the applicability of the responses. 

Many of the questions are basic, but often throw up uncomfortable issues. Typical areas to cover include:

• Do you have plans for all critical systems, processes and functions, and how do you know which are the most critical?
  
• Are the plans accurate, complete and up-to-date? Is the documentation easy to follow in an emergency?
  
• Have roles and responsibilities been defined?
  
• Are the response strategies devised appropriate to the potential level of disruption?
  
• Are the plans tested? If so, how, when and by whom?
  
• Are the test results evaluated, lessons learned and plans enhanced?
  
• Are the initial response structures well-known and fully tested?
  
• Are appropriate communications with external parties defined and tested?
  
• If pre-defined alternate locations are designated, do staff know how to access them?
  
• Are all critical resources backed up and recoverable?
  
• Are personnel trained in their post-incident roles?

The most important thing for the auditor to reflect on is not the documentation, but the resilience capability that can be demonstrated. A poor audit is one in which the auditor treats it as a document review. It is not enough to have a well written plan unless that plan is part of a tried-and-tested process.

Key Qualities of Good Leadership During Bad Times

How to be a good crisis manager?

This is a difficult question for a business continuity practitioner to ask because generally they will be asking it of a senior executive or even a CEO, who is unlikely to believe they are anything less than excellent.

There are some aspects to a crisis which differ from day-to-day management. Unlike managing commercial and operational challenges, in a crisis the route map to follow is often unclear and the consequences of failure much more serious.

A wrong decision can potentially damage the reputation of a company beyond repair. Who now remembers what a strong and influential company Arthur Anderson once appeared? It failed not because it had a bad business model, but because in one situation it failed to take control of the crisis that eventually engulfed it. However, just because you cannot predict the exact nature of a crisis doesn't mean you cannot prepare for it. 

Because it is usually so serious, top management often plays the leading role in dealing with external stakeholders, including the media. This is good in that it shows the organization is taking it seriously, but bad if that leader is ill-prepared.

A crisis is too urgent for a consensus debating style of leadership, but conversely the biggest danger can be over-confidence. Often top managers are dealing with circumstances in which they do not know the details of what plans or capabilities are available (or at least not the details), what the latest information is relating to cause and effect and what is actually happening "on the ground." 

The two crucial elements needed to make decisions are situational awareness and up-to-date information. It is too late to work out how you get the information when the crisis has happened, so a way of monitoring potential problems needs to be constantly running. Despite this, when the crisis erupts, managers can still fail if they are not perceived as being "on top of the situation."

Some ways in which they can show this level of leadership are:

• Always tell the truth based on the facts that are available.
• If you don't know answers to a question, explain why and when you might know.
• Always follow up on what you promise.
• Do not delay making decisions and taking action.
• If you delay taking action, you almost always make things worse and are seen to be drifting.
• Concentrate on protecting reputation, not necessarily minimizing short-term financial loss.
• Ensure proper processes and systems are in place so that situation changes can be constantly monitored and responses modified as appropriate.
• Communicate with all stakeholders, regularly and often.
• Make sure technical mechanisms are in place and the correct people are involved.
• Ensure that internal and external messages are consistent.
• Do not tell the media one thing and staff something different.

Why Business Continuity is Critical For Your Business?

4 Tips to Gain Upper Management Attention


Companies often make many strategic decisions such as outsourcing, off-shoring and long supply chains without full consideration of the consequence of business interruption.


They primarily focus in adding short-term value to the bottom-line, but when these strategies fail to deliver, reputation and brand image are compromised. Short-term financial losses might be containable, but long-term loss of market share is often much more damaging.


By implementing effective business continuity plans, businesses can increase their recovery capabilities dramatically. And that means they can make the right decisions quickly, cut downtime and minimize financial losses. So, getting buy-in at the top is crucial. It requires professionals to have better understanding of the concerns of top management and an ability to communicate risk issues in a common language.


Here are a few ways business continuity practitioners can seek upper management attention.


Emphasize business consequences: Many leaders were shaken by the corporate impact that the Gulf of Mexico oil spill incident had on the finances, share-price and reputation of British Petroleum.


Business continuity managers need to bring these real-life cases in their presentation to management and further use their skills to identify their own organization's potential high consequence events. 


Implement innovative tests and exercises: A traditional difficulty is that BCM practitioners do not report at a high enough level to affect decisions. Although often true, they are not without influence, and one way to use it is in developing an innovative testing and exercising program.


In the past, too many exercises have concentrated on evacuation, safety and emergency response. Although these are required, top management employs specific specialists to handle safety and security on their behalf. 


What BC practitioners need to do is choose scenarios and techniques in their exercises that really interest the leadership team. Using scenarios that highlight fundamental business threats and challenging top management to respond can be scary, but it also can raise the profile of BCM rapidly.


Techniques such as war games, stress testing, scenario planning and horizon scanning are becoming important to business continuity tests. These are areas in which the BCM professional could and (in the future) really should take a leading role.


Be more assertive: BCM professionals can get top level attention by taking a more assertive position to organizational change. Clearly, there are limits to which individuals can become involved in strategic decisions, but by producing a well considered analysis of the consequences of change, they can often get senior management interest.


Decisions can be reviewed or modified if consequential risks are better articulated. BCM professionals can do this through a risk management organizational framework and can make their voice heard.


Communicate BCM benefits: Practitioners must concentrate on finding value and benefits for BCM and promoting them.


For example, if having proper BCM in place helps the organization get on the approved supplier list for a major customer, it's the BC professional's job to ensure that everyone knows about it. If it were a key deciding factor that actually won a big contract, make sure that sales, marketing and finance recognize and publicize that fact.


If BCM helps procurement eliminate high-risk suppliers, again getting that message out through whatever communication vehicles is key.

Cloud computing guide to help enterprise increase value and manage risk

ISACA issued a new guide for implementing controls and governance

For all the talk of Cloud computing, the governance issue remains, for many enterprises, the great unknown. Cloud computing inevitably impacts business processes, making governance vital to managing risk and adapting to take advantage of new opportunities.

According to a survey of ISACA’s Australian members, less than half — 42 per cent — currently include Cloud computing strategies within their enterprise. And 80 per cent of these organisations limit Cloud computing to low-risk, non-mission-critical IT services.

Due diligence around the proposed service provider and appropriate controls must also be in place, she said, to ensure corporate information, is protected from loss, theft, tampering and loss of jurisdictional control.

Key questions for Cloud governance

ISACA’s guidance recommends enterprises ask the following key questions:

• What is the enterprise’s expected availability?
• How are identity and access managed in the Cloud?
• Where will the enterprise’s data be located?
• What are the Cloud service provider’s disaster recovery capabilities?
• How is the security of the enterprise’s data managed?
• How is the whole system protected from internet threats?
• How are activities monitored and audited?
• What type of certification or assurances can the enterprise expect from the provider?

ISACA will hold its Oceania CACS2011 conference to be held in Brisbane from 18-23 September, which will explore issues such as control, risk management, data loss prevention and assurance for Cloud strategies.

A government-produced worm that may be aimed at an Iranian nuclear plant?

The Story Behind The Stuxnet Virus

Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines. These mechanisms include both known and patched vulnerabilities, and four "zero-day exploits": vulnerabilities that were unknown and unpatched when the worm was released. (All the infection vulnerabilities have since been patched.)

The Stuxnet computer worm that appears aimed at undermining Iran's nuclear program is part of a worsening phenomenon. Half of all companies running "critical infrastructure" systems worldwide say they have sustained politically motivated attacks.

A global survey of such attacks – rarely acknowledged in public because of their potential to cause alarm – found companies estimated they had suffered an average of 10 instances of cyber war or cyber terrorism in the past five years at a cost of $US850,000 ($880,000) a company.

After going through quite few articles and news, here are some interesting and useful links I would like to share which help you to understand the Stuxnet Worm.

F-Secure - Stuxnet Questions and Answers
ICSA Labs - Stuxnet Worm: Facts First
Bruce Schneier's Commentary - The Story Behind The Stuxnet Virus
Sydney Morning Herald - Mystery computer worm part of a global cyber war
Ralp Langner - Stuxnet Logbook *Updated*

Stuxnet - First worm to control the inner workings of industrial plants

Who funded virus attack on Iran Nuclear plants

A cyber worm burrowing into computers linked to Iran's nuclear programme has yet to trigger any signs of major damage, but it was likely spawned either by a government or a well-funded private group, according to a new analysis.

The malicious Stuxnet computer code was apparently constructed by a small team of as many as five to 10 highly educated and well-funded hackers, said an official with the web security firm Symantec Corp. Government experts and outside analysts say they haven't been able to determine who developed the malware or why.

Stuxnet, which is attacking industrial facilities around the world, was designed to go after several "high-value targets," said Liam O Murchu, manager of security response operations at Symantec. But both O Murchu and US government experts say there's no proof it was specifically developed to target nuclear plants in Iran, despite recent speculation from some researchers.

The Stuxnet worm infected the personal computers of staff working at Iran's first nuclear power station just weeks before the facility is to go online, the official Iranian news agency reported Sunday.

The project manager at the Bushehr nuclear plant, Mahmoud Jafari, said a team is trying to remove the malware from several affected computers, though it "has not caused any damage to major systems of the plant," the IRNA news agency reported.

It was the first clear sign that the malicious computer code, dubbed Stuxnet, which has spread to many industries in Iran, has affected equipment linked to the country's controversial nuclear programme. The US has been pressing international partners to threaten stiff financial sanctions against Tehran goes ahead with its nuclear program.

The Energy Department has warned that a successful attack against critical control systems "may result in catastrophic physical or property damage and loss."

Stuxnet worm created by team of hackers

Governments with sophisticated computer skills would have the ability to create such a code

A POWERFUL computer code attacking industrial facilities around the world, but mainly in Iran, was probably created by experts working for a country or a well-funded private group.

The malicious code, called Stuxnet, was designed to go after several "high-value targets," Liam O Murchu, manager of security response operations at Symantec Corp, said.

It has surprised experts because it is the first one specifically created to take over industrial control systems, rather than just steal or manipulate data. Creating the malicious code required a team of as many as five to 10 highly educated and well-funded hackers. Government experts and outside analysts say they haven't been able to determine who developed it or why.

The malware has so far infected as many as 45,000 computer systems around the world. Siemens AG, the company that designed the system targeted by the worm, said it has infected 15 of the industrial control plants it was apparently intended to infiltrate.

One of them is Iran's first nuclear power station at Bashehr, just weeks before the facility is to go online. The US Energy Department has warned that a successful attack against critical control systems "may result in catastrophic physical or property damage and loss".

The Russian-built plant will be internationally supervised, but world powers are concerned that Iran wants to use other aspects of its civil nuclear power program as a cover for making weapons.

Of highest concern to world powers is Iran's main uranium enrichment facility in the city of Natanz. Iran, which denies having any nuclear weapons ambitions, says it only wants to enrich uranium to the lower levels needed for producing fuel for power plants.

At higher levels of processing, the material can also be used in nuclear warheads. The computer worm, which can be carried or transmitted through portable thumb drives, has affected the personal computers of staff working at the plant.

Iranian news agency ISNA said it has not yet caused any damage to the plant's major systems. Experts from the Atomic Energy Organization of Iran met this past week to discuss how to remove the malware, according to the semiofficial ISNA news agency.

Source: News.com.au

Stuxnet worm infected at least 30,000 Windows PCs

Iran confirms massive Stuxnet infection of industrial systems

Officials in Iran have confirmed that the Stuxnet worm infected at least 30,000 Windows PCs in the country, multiple Iranian news services reported on Saturday. Experts from Iran's Atomic Energy Organization also reportedly met this week to discuss how to remove the malware.

Stuxnet, considered by many security researchers to be the most sophisticated malware ever, was first spotted in mid-June by VirusBlokAda, a little-known security firm based in Belarus. A month later Microsoft acknowledged that the worm targeted Windows PCs that managed large-scale industrial-control systems in manufacturing and utility companies.

Those control systems, called SCADA, for "supervisory control and data acquisition," operate everything from power plants and factory machinery to oil pipelines and military installations.

Refer here to read more details.

Leadership Lessons in Disaster Recovery

BP and Toyota

No career is without its hiccups. No company goes straight up and to the right. Every successful executive and every company that’s been around has been to the brink of disaster at some point. What distinguishes the great ones is the way they handle it. Few are proactive and decisive. They recover. The rest, well, don’t.

Survivors see disaster as a wakeup call, an opportunity to learn and change. The rest try to sweep it under the rug, sugarcoat the truth, or make believe it isn’t really happening. Here are three anecdotes about companies and executives in crisis. Executives, leaders, managers, indeed everyone, listen up. Your time will come. You can count on it.

Toyota, once the king of quality, has recalled over 8.5 million cars and trucks over the past six months due to a laundry list of quality and reliability problems. And in J.D. Power’s annual Initial Quality Survey of new vehicles, Toyota fell to a dismal 21st place overall. I’d call that a wakeup call.

The situation is even more dire for embattled oil giant BP. The gulf oil spill has cost the company $100 billion in market valuation and the price tag for cleaning up the mess will likely be upwards of $20 billion. Throw in the global destruction of the BP brand and you can bet that top executive heads will roll when the leak is finally stopped and the crisis abated.
 
Each example provides a takeway for how companies and individuals can best recover from disaster:

1. Leave no stone unturned in determining how to restructure. Nothing is sacred. Don’t decry lost efficiency, productivity, profits, or anything you have to sacrifice to get back on track. You can deal with that later. If you don’t fix what’s wrong, there won’t be any later.
2. Wakeup calls can save your career, your company, your industry, but only if you actually wake up. That means being honest with yourself about your failure. That takes humility, courage, and perseverance, not coincidentally, all basic qualities of successful leaders.
    
3. The sooner you realize what’s going on, the quicker you react, the better the recovery. Almost every company (and everybody) reacts tenuously or takes a wait-and-see approach. In virtually every case, that’s a bad idea. Be decisive and be quick about it. If you need to cut, cut early and cut deep. You can build back up as conditions improve.