Security vulnerability assessment & liability dsm linkedin


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Notes:
  • Notes:
  • Notes:
  • Notes:
  • Notes:
  • The wording of these questions will be improved
  • This is just a slide indicating that I will be happy to answer any questions…
  • Security vulnerability assessment & liability dsm linkedin

    2. 2. TODAY’S PRESENTATION WILL ENCOMPASS THE FOLLOWING: <ul><ul><ul><li>The Basics of an SVA </li></ul></ul></ul><ul><ul><ul><li>Why an SVA is Important </li></ul></ul></ul><ul><ul><ul><li>SVA History </li></ul></ul></ul><ul><ul><ul><li>Federal & State Legislation </li></ul></ul></ul><ul><ul><ul><li>Liability Arising from an SVA </li></ul></ul></ul><ul><ul><ul><li>Solutions </li></ul></ul></ul>
    3. 3. THE BASICS OF AN SVA <ul><li>What is the Threat Level? </li></ul><ul><li>Who and/or What Should be Protected? </li></ul><ul><li>What Can or Should Be Done? </li></ul><ul><li>What Will It Cost? </li></ul>
    4. 4. THE BASICS OF AN SVA <ul><li>Threat Levels </li></ul><ul><ul><li>Outsider </li></ul></ul><ul><ul><li>Insider </li></ul></ul><ul><ul><li>Cyber </li></ul></ul>
    5. 5. AS A NATION THE US REMAINS AT ELEVATED THREAT LEVELS Current Prevailing Nationwide Threat Level: It was Raised to High around the Anniversary of Sept. 11
    6. 6. CURRENT STATE OF SECURITY… OUTSIDER - PHYSICAL ATTACKS Type of Adversary Criminal Foreign State-Sponsored Terrorist Domestic Terrorist Environmental Extremist Vandals Threat Level Many users have historically protected at this level.
    7. 7. VANDAL (LOWEST RISK) <ul><li>Intentions: Minor Damage/Petty Mischief </li></ul><ul><li>Motivations:Boredom, Drug Related’ gang? </li></ul><ul><li>Capabilities: Minimum Tools (1 to 4 individuals) </li></ul><ul><li>Police Response: Assessment?, Time?, Deployment? </li></ul><ul><li>Threat Level: Low (Depending on past history) </li></ul><ul><li>Impacts: Minimal (unless intent remains a mystery) </li></ul>Vandal: Usually between the ages of 7 – 19
    8. 8. FOREIGN STATE-SPONSORED TERRORIST (HIGHEST RISK) <ul><li>Intentions: Total Destruction/Panic/Casualties </li></ul><ul><li>Motivations: Ideological/Terrorism </li></ul><ul><li>Capabilities: Major – Worst Case (3 to 6 Individuals) </li></ul><ul><li>Police Response: Assessment?, Time?, Deployment? </li></ul><ul><li>Threat Level: Very High </li></ul><ul><li>Impacts: Very High </li></ul>International Terrorist: Adult, Male or Female, Ideology Driven
    9. 9. LET’S EXAMINE INSIDER THREAT SPECTRUM Type of Adversary Disgruntled (Sending a Message) Super-Insider (coercion) Disgruntled (Revenge) Threat Level Criminal Acts (Personal Gain) Disgruntled (Collusion) <ul><li>Employee </li></ul><ul><li>Contractor </li></ul><ul><li>Vendor </li></ul>Increased Access, Motivation, & Skill Level increases threat
    10. 10. CYBER DBT IS AMATEUR HACKER & INSIDER WITH OPERATIONAL PRIVILEGES Novice Amateur Hacker Organized Crime Government Sponsored Type of Cyber Terrorist Knowledge
    11. 11. THE BASICS OF AN SVA <ul><li>Critical Assets </li></ul><ul><ul><li>People </li></ul></ul><ul><ul><li>Infrastructure </li></ul></ul><ul><ul><li>Equipment </li></ul></ul><ul><ul><li>Data </li></ul></ul><ul><ul><li>Inventory </li></ul></ul><ul><ul><li>Processes </li></ul></ul><ul><ul><li>Other </li></ul></ul>
    12. 12. THE BASICS OF AN SVA <ul><li>Recommendations </li></ul><ul><ul><li>Security Improvements </li></ul></ul><ul><ul><li>Mitigation </li></ul></ul><ul><ul><li>IST </li></ul></ul><ul><ul><li>Other </li></ul></ul>
    13. 13. THE BASICS OF AN SVA <ul><li>Cost </li></ul><ul><ul><li>Security Versus Mitigation </li></ul></ul><ul><ul><li>Implementation Period </li></ul></ul><ul><ul><li>Electronic Versus Physical Security </li></ul></ul><ul><ul><li>Threat Event Cost </li></ul></ul>
    14. 14. Client XXX Security Improvement Cost Estimate Sandia Methodology Approach Summary of Risk Reduction Solutions for Client XXX RISK REDUCTION SOLUTION CRITICAL ASSET DESCRIPTION ESTIMATED COST (1A) Control # X Relocate with New Housing $TBD (1B) Control # X Perimeter Security Improvements & Upgrades $600,000 (2A) Control # Y & I-XX/C-XX Culverts Perimeter Security Improvements $200,000 (2B) As Above Hardening Measures $190,000 (3A) WTP Facility Perimeter Security Improvements & Upgrade 1,240,000 (3B) As Above Perimeter Security Improvements & Upgrade 300,000 (3C) As Above Hardening Measures 1,060,000 TOTAL $3,590,000
    15. 15. Client XXX Security Improvement Cost Estimate Deterrent Methodology Approach Summary of Risk Reduction Solutions for Client XXX RISK REDUCTION SOLUTION CRITICAL ASSET DESCRIPTION ESTIMATED COST (1A) Control # X Relocate with New Housing $TBD (1B) Control # X Perimeter Security Improvements & Upgrades $276,000 (2A) Control # Y & I-XX/C-XX Culverts Perimeter Security Improvements $105,400 (2B) As Above Hardening Measures N/A (3A) WTP Facility Perimeter Security Improvements & Upgrade $560,500 (3B) As Above Perimeter Security Improvements & Upgrade $192,000 (3C) As Above Hardening Measures $1,060,000 TOTAL REDUCTION OF 68.42% $1,133,900
    17. 17. A PROPERLY EXECUTED SVA PROVIDES: <ul><li>Identification of Appropriate Threat Level </li></ul><ul><li>Identification of Critical Assets </li></ul><ul><li>Measurement of Consequences </li></ul><ul><li>Sound Recommendations </li></ul><ul><ul><li>Security Improvements </li></ul></ul><ul><ul><li>Mitigation & Inherently Safer Technology (IST) </li></ul></ul><ul><ul><li>Orderly Steps </li></ul></ul><ul><ul><li>Cost Effectiveness </li></ul></ul>
    18. 18. WITHOUT PERFORMING A VA <ul><li>What is Threat Level? </li></ul><ul><li>What are the Critical Assets? </li></ul><ul><li>What is Likely to Happen? </li></ul><ul><li>What will be the Response? </li></ul><ul><li>What are the Likely Consequences? </li></ul><ul><li>Who will be held Responsible? </li></ul>
    19. 19. HISTORY OF SVA LEGISLATION <ul><li>Nuclear Power Plants </li></ul><ul><li>Sandia National Laboratory </li></ul><ul><li>1998 Directive </li></ul>
    21. 21. HISTORY OF SVA <ul><li>Water and Waste Water </li></ul><ul><li>US EPA required SVA of public water systems: </li></ul><ul><li>Serving more than 100,000 by March, 2003 </li></ul><ul><li>Serving 50,000 to 100,00 by December, 2003 </li></ul><ul><li>Serving 3,300 to 50,000 by June, 2004 </li></ul><ul><li>Funding was available for the largest water systems to cover cost of SVA, but no funding yet for smaller water systems. </li></ul>
    22. 22. HISTORY OF SVA <ul><li>Oil and Gas </li></ul>Since1998 the National Petroleum Council has been reviewing the vulnerabilities of oil & gas industry to attack (both physical and cyber). Post 9/11, oil and gas has been monitoring the security of its oil and gas transportation network, its refineries and its distribution facilities The American Petroleum Institute is coordinating information sharing among members. ISAC (Information Sharing and Analysis Center) has been promoting collection, assessment, and sharing of oil & gas member information on physical and electronic threats, vulnerabilities, incidents, and solutions/best practices.
    23. 23. HISTORY OF SVA <ul><li>Chemical </li></ul><ul><li>Early in 2002, the American Chemical Council asked its members to complete a SVA of their facilities. </li></ul><ul><li>Highest risk by 12/31/02 </li></ul><ul><li>Lesser risk by 6/30/03 </li></ul><ul><li>Low risk by 12/31/03 </li></ul><ul><li>No off-site risk by 12/31/03 </li></ul><ul><li>Enhancements to be completed one year later. </li></ul><ul><li>Third party verification three months later. </li></ul>
    24. 24. NEW INITIATIVES BY STATE <ul><li>New Jersey </li></ul><ul><li>Maryland </li></ul><ul><li>Illinois </li></ul><ul><li>Florida </li></ul><ul><li>New York </li></ul><ul><li>California </li></ul>
    25. 25. NEW JERSEY <ul><li>New Legislation Enacted November 2005 </li></ul><ul><li>Requires SVA Plus Response Plan Plus Schedule </li></ul><ul><li>Emphasis on Security and IST </li></ul><ul><li>Monitored by NJDEP </li></ul><ul><li>Possible Further Legislation Stressing IST </li></ul>
    26. 26. MARYLAND <ul><li>New Legislation </li></ul><ul><li>Similar Requirements to New Jersey </li></ul><ul><li>SVA </li></ul><ul><li>Monitoring? </li></ul>
    27. 27. ILLINOIS <ul><li>Bill Introduced May 2006 by State Senator </li></ul><ul><li>Will Require All Chemical Companies to Declare all Hazardous Chemicals Manufactured or Stored On Site </li></ul><ul><li>Will Require SVA Based on Terrorist Attack </li></ul>
    28. 28. HISTORY OF SVA <ul><li>Pharmaceutical </li></ul><ul><li>Although no current regulatory or statutory regulations, some FDA requirements in place for quality control. </li></ul><ul><li>HIPPA regulations creating great changes in information and IT security. </li></ul><ul><li>Comprehensive SVA may identify vulnerabilities to counterfeit drugs and drug reimportation, and opportunities for competitive intelligence. </li></ul><ul><li>SVA may identify weaknesses in supply chain security </li></ul>
    29. 29. HISTORY OF SVA <ul><li>Manufacturing </li></ul><ul><li>EPA has not yet required a SVA of non-chemical manufacturing facilities. However, performing an SVA at a manufacturing facility will reduce the risk of: </li></ul><ul><li>Attacks on Employees </li></ul><ul><li>Theft of Company and Personal Property </li></ul><ul><li>Loss of Confidential Information </li></ul><ul><li>Accidents involving Non-Employees </li></ul><ul><li>Accidents involving Workers </li></ul>
    30. 30. NEW LEGISLATION <ul><li>Gas Storage New Jersey </li></ul><ul><li>Food Manufacturing Federal & State </li></ul><ul><li>Chemical Additions Federal & NJ </li></ul><ul><li>Transportation Federal & States </li></ul><ul><li>Healthcare Federal & States </li></ul><ul><li>Education New Jersey </li></ul>
    31. 31. CLEAR PATTERN <ul><li>Legislation Not Going Away </li></ul><ul><li>Legislation Activity is on the Increase </li></ul><ul><li>SVA is the Common Denominator </li></ul>
    32. 32. LIABILITY
    33. 33. LIABILITY ISSUES <ul><li>In simple terms, a properly executed security vulnerability assessment will identify the vulnerabilities or weaknesses of a facility or organization to specific threats </li></ul><ul><li>In identifying those vulnerabilities or weaknesses, the facility or organization has been placed on notice that something has to be done with respect to such issues </li></ul>
    34. 34. LIABILITY ISSUES <ul><li>In the event that there is an incident, and it turns out that it was related to one of those vulnerabilities, and nothing had been done to address that particular vulnerability the facility or organization is not only facing a clear liability but possible negligence as well. </li></ul>
    35. 35. LIABILITY ISSUES <ul><li>Definition of Liability </li></ul><ul><li>Liability as it pertains to security: relates to an obligation one is bound or have a responsibility to do; it is the condition of being actually or potentially subject to an obligation; the obligation required is based on the comparison of what others in an industry would do in the same circumstances – that is, they are held to an industry standard. if that obligation or standard is not met then there is a liability exposure </li></ul>
    36. 36. LIABILITY ISSUES <ul><li>Definition of Liability </li></ul><ul><li>As an example, if tenants in a building are exposed to unauthorized intrusion it becomes the responsibility for the landlord to provide a reasonable level of security to prevent the intrusions. There is sufficient case law supporting the obligation of the landlord to provide for the protection of the tenant when it is clearly recognized that the tenant is vulnerable due to unauthorized intrusions and insufficient security in the building. </li></ul>
    37. 37. NEGLIGENCE ISSUES <ul><li>Definition of Negligence </li></ul><ul><li>The legal definition of negligence is: the omission to do something which a reasonable person, guided by those ordinary considerations which ordinarily regulate human affairs, would do, or the doing of something which A reasonable and prudent person would not do . </li></ul>
    38. 38. NEGLIGENCE ISSUES <ul><li>Definition of Gross Negligence </li></ul><ul><li>The legal definition of gross negligence is: the intentional failure to perform a manifest duty in reckless disregard of the consequences as affecting the life or property of another; such a gross want of care and regard for the rights of others as to Justify The Presumption Of Willingness And Wantoness . </li></ul>
    39. 39. NEGLIGENCE ISSUES <ul><li>Definition of Punitive Damages (also known as exemplary or vindictive damages) </li></ul><ul><li>Damages awarded by a court against a defendant as a deterrent or punishment to redress An Egregious Wrong Perpetrated By The Defendant ; damages on an increased scale, awarded to the plaintiff over and above what will barely compensate him for his property loss, Where the Wrong Done to Him Was Aggravated by Circumstances of Violence, Oppression, Malice, Fraud, or Wanton and Wicked Conduct on the part of the defendant. </li></ul>
    40. 40. FURTHER LIABILITY ISSUES <ul><li>Implementation of Security Recommendation including new systems </li></ul><ul><li>Are the new security systems based on good Design Criteria that is consistent with Security Industry standards? </li></ul>
    41. 41. STATEMENT <ul><li>Many Security Systems Are Installed Without Being Designed, And More Importantly, Without Proper Design Criteria </li></ul>
    42. 42. FURTHER LIABILITY ISSUES <ul><li>Without good design criteria consistent with Security Industry, and even having installed new security systems, it is possible that a facility or organization could be liable, and possibly negligent </li></ul>
    43. 44. LACK OF DESIGN CRITERIA <ul><li>Leads to Four Major Problems: </li></ul><ul><ul><li>Inadequate Counter Measures to Meet Threat Level </li></ul></ul><ul><ul><li>Faulty Security System Design </li></ul></ul><ul><ul><li>Inability to Support Installed Security System </li></ul></ul><ul><ul><li>Possible Legal Consequences </li></ul></ul>
    44. 45. INADEQUATE SECURITY <ul><li>Failure To Detect </li></ul><ul><li>Failure To Surveil </li></ul><ul><li>Inadequate Perimeter Security </li></ul><ul><li>Inadequate Security At All Critical Assets </li></ul><ul><li>Inappropriate Equipment </li></ul><ul><li>Does Not Provide Adequate Protection To Meet Threat Level </li></ul>
    46. 47. LIKELY QUESTIONS…. <ul><ul><li>1) Why did you use this equipment </li></ul></ul><ul><ul><ul><li>Cameras </li></ul></ul></ul><ul><ul><ul><li>Motion Detectors </li></ul></ul></ul><ul><ul><ul><li>Type of DVR </li></ul></ul></ul><ul><ul><ul><li>Intrusion Detection Equipment </li></ul></ul></ul><ul><ul><ul><li>Type of Fence </li></ul></ul></ul>
    47. 48. LIKELY QUESTIONS… <ul><li>Explain the reasons for installing this type of security system? </li></ul><ul><li>Why did the security only attempt to cover the outer perimeter? </li></ul><ul><li>Why were Insider threats ignored? </li></ul><ul><li>The following people had clearance for all access points……. Why? </li></ul><ul><li>What was the Design Criteria for the security system? </li></ul>
    48. 49. FURTHER LIABILITY ISSUES <ul><li>Monitoring and Operation of </li></ul><ul><li>Security Systems </li></ul><ul><ul><li>Expectation of Public </li></ul></ul><ul><ul><li>Third Form of Possible Liability </li></ul></ul>
    49. 50. FURTHER LIABILITY ISSUES <ul><li>TRAINING – Has Adequate Training Been Given to All Staff </li></ul><ul><ul><li>Security Awareness </li></ul></ul><ul><ul><li>Specialty System Training </li></ul></ul><ul><ul><li>Crisis Response </li></ul></ul><ul><ul><li>Procedures </li></ul></ul>
    50. 51. SOLUTIONS
    51. 52. SECURITY VULNERABILITY ASSESSMENT (SVA) <ul><li>If you have not performed an SVA, do it soon </li></ul><ul><li>Use experienced, certified professionals who understand existing and future Legislation </li></ul>
    52. 53. SECURITY VULNERABILITY ASSESSMENT (SVA) <ul><li>If an SVA has already been done, have experienced professionals review the results </li></ul><ul><li>Prepare Sound Design Criteria </li></ul><ul><li>Implement, Modify, Add as Appropriate </li></ul>
    53. 54. SECURITY VULNERABILITY ASSESSMENT (SVA) <ul><li>If you are not sure where you currently stand, initiate an SVA Screening Evaluation </li></ul><ul><li>Provides an Outline of where you currently stand with respect to SVA Requirements, Legislation, and more importantly, options on what to do next </li></ul>
    54. 55. SOLUTIONS <ul><li>Consider new security measures properly designed with design criteria that meets or exceeds current legislation </li></ul><ul><li>Implement over phased period that reduces initial costs </li></ul><ul><li>Incorporate as part of Business Plan </li></ul>
    55. 56. SOLUTIONS <ul><li>Consider Deterrent Approach together with Detect, Delay, and Respond </li></ul><ul><li>Consider Security Audit </li></ul><ul><li>Invest in Professional Training </li></ul>
    56. 57. SOLUTIONS <ul><li>Work with Local and Federal Law Enforcement </li></ul><ul><li>Work with Emergency Management </li></ul><ul><li>Stay Up To Date </li></ul>
    57. 58. QUESTIONS Phone: 609-208-0112 E-mail: