Today’s Speakers




Michael Hurley         Bryan Cunningham




Lynne Monaco            Jeff Passolt, Host


© 2011 - Copyrighted Materials
• Today’s presentation contains copyrighted
  materials, which are solely the property of their
  respective owners
• Any unauthorized use of these materials is strictly
  prohibited




Introduction
• Many questions, few answers
• What we’ll cover
  –   Major threats – Natural and manmade
  –   Disaster recovery/Business continuity
  –   Why and how to plan
  –   Heightened concerns about cyberthreats




Not THE List, A List
                      •   Acts of terrorism
                      •   War-related disasters
                      •   Haz-mat events
                      •   Nuclear accidents
                      •   Aircraft accidents
                      •   Wild-land and urban fires
                      •   Natural disasters
                      •   Other types of natural/human
                          disasters



Source: US Government, National Incident Management Systems Characterization




Current Threats
• Our biggest worry: DANGEROUS TERRORISTS
  WITH DANGEROUS WEAPONS
  –   Al-Qaeda recruiting and operating in the US
  –   Continue to seek nuclear/other WMDs
  –   If they get them, they’ll use them
  –   Catastrophic consequences on many fronts




US Government Thoughts/Actions
• Post 9/11 Commission views
• Protection efforts: The problem with
  radiation detection
• Cyberthreats – The flavor of the moment
• Conventional weapons assessment
   – Many problems short of WMDs




Low Probability vs. High Impact
• “Overriding priority of our national security policy must be to
  prevent the spread of nuclear weapons of mass destruction.”
  – Senators Sam Nunn, Richard Lugar
   – Lock down nuclear weapons and materials
       • Highly enriched uranium and plutonium
   – Cooperate with leaders around the world
       • It’s in their interest, too!
   – Problem of Pakistan
       • Can extremists get the keys to the bomb?
       • Could directly harm the U.S.




More Concerns
• In Jan. 2010, both Iran and North Korea
  have energetic programs to develop
  nuclear weapons
   – Both are direct threats to the U.S.
• Terrorist interest in acquiring materials
  persists
   – 18 documented cases of theft of highly
     enriched uranium and plutonium
   – Consequences: Hundreds of thousands
     dead, worldwide economic reverberation -
     “Securing the Bomb,” April 2010
   – “The Nuclear Bazaar” reports 40 plus
     countries now have nuclear materials



Homegrown Terrorism
 • 2009 and 2010 – Significant increase in
   terrorist attacks/attempts on U.S. soil, and
   an alarming increase in the number of
   homegrown terrorists
    – Major Hasan and Ft. Hood attack – 13 dead
    – Abdulmutallab’s attempt on NWA flight bound for Detroit
    – Najibullah Zazi – Denver Airport shuttle bus driver, intent
      to attack NYC subway
    – Farooque Ahmed – Virginia resident, intent to bomb D.C.
      Metrorail
    – Faisal Shahzad – Attempted car bomb in Times Square
    – Mohamed Osman Mohamud – 19-year-old Somali, Oregon
      State student, attempted car bombing in late November at
      Portland Christmas tree lighting ceremony
    – Abdulhakim Muhammad – Killed U.S. soldier outside Little
      Rock Army recruiting office




America, We Have a Problem!
• David Headley
• Colleen LaRose, a.k.a. “Jihad Jane” of Pennsylvania
• National Security Preparedness Group September 2010
  Report
   – Places like Minneapolis and Portland, because of the growing
     radicalization among Somali youth in those cities, are on the “frontlines”
     of terrorism
• Not just Islamist terrorists we need to worry about; what
  should really drive the point home to small- and medium-sized
  businesses:
   – August 2010, Omar Thornton - Hartford, CT beer distributorship
   – Faced a disciplinary hearing, possibly employment termination
   – Killed 8 co-workers and then killed himself




Cyber Attacks are Pervasive
• At least 500 million personal records have likely been
  compromised since January 2005
   – Source: Privacy Rights Clearinghouse
• 2009: Identity theft estimated to have cost the US economy
  $54 billion
   – Source: Forbes magazine




Big Brother is Listening
• President Obama identified
  cybersecurity as “one of the most
  serious economic and national security
  challenges we face as a nation.”
• USG has Project “Perfect Citizen” to
  place classified sensors in networks
  controlling nation’s key critical
  infrastructures e.g., the electric power
  grid
• 300 million electronic medical records
  by 2014; sophisticated electricity use
  sensors in every house
• Obvious privacy, civil liberties
  challenges

Locating adversaries in cyberspace is becoming increasingly difficult
• AQ in Iraq hacks UAV feeds with $29 software
• Members of Al-Qauuam brigade use laptops to hack opposition IT
  systems in 2006.
• Al Qaeda Internet recruiting


The Cyberthreat
• Theoretical? It’s already happened
• The next war starts not with a bang, but a click




The Threat Issue Settled
•   Russia-Estonia (5/2007)
•   Russia-Georgia (8/2008)
•   China – GhostNet (5/2009)
•   Iranian Non-Revolution
•   China - Google, etc. (12/09)
•   Eastern Europe – Kneber Botnet
    (1/2010)
    – Acquired proprietary data from over
      2,500 companies worldwide
    – Targeted energy, health, technology,
      financial and government sectors
    – Likely run by organized cyber criminals
      in Eastern Europe
    – Detection rate of less than 10% among
      antivirus software/shielded from IDS
      systems




The Threat Issue Settled
        • China State Department
          cables
        • Wikileaks war
        • Hacktivism
        • Stuxnet




Ripped from the Headlines
• Google China
• Preceded by GhostNet
  – Investigation into attacks on the
    Dalai Lama
  – Wide ranging network of
    compromised computers
  – 1,295 spread across 103 countries
  – 30% = “High Value Targets”
     • Min. Foreign Affairs, embassies,
       news orgs., NATO HQS computer




Shadows in the Cloud
• Deep/broad investigation by same group that originally
  uncovered GhostNet – Released Early April 2010
• Documented a new and extremely sophisticated “malware
  ecosystem” that leverages
   – Multiple redundant cloud computing systems
   – Social networking platforms (Twitter, Blogspot, etc.)
   – Free web hosting services
  to maintain persistent command and control over machines while
  operating core servers located in the PRC




Shadows in the Cloud - Key Findings
• New “Ecosystem”
   – Convergence of crime & national security threats
• Democratization of espionage
• Theft of classified and sensitive documents
• Collateral compromise
   – Visa applications for US workers in Afghanistan—big OpSec
     problem
• Companies targeted like countries, e.g., Google
   – Need to act accordingly
• Clear links to Chinese hackers, but PRC government?
   – Wikileaks cable demonstrates USG thinks so
• Your network is only as strong as its weakest link




China Rising, Others Following
                                                     • April 18, 2010- 15% of all
                                                       worldwide Internet traffic
                                                       redirected to networks inside
                                                       PRC
                                                     • Victims included:
                                                        –   Secretary of Defense
                                                        –   All four US armed services
                                                        –   United States Senate
                                                        –   Dell, Yahoo, IBM, Microsoft and
                                                            other private companies
9/7/07 – “Chinese Army Blamed for Pentagon Attack”




Collateral Damage
• Even if not the prime target, operating in a foreign country
  may expose organizations to risks associated with cyber-
  wars/hacktivism
   – MasterCard, Amazon targeted by Wikileaks supporters
• High-tech harassment
• Instigators of cyber-wars can cloak true source of attack by
  hiring hackers in other countries, and by zombie-ing
  privately owned computers




Our #1 Threat?
    • Nuclear, bio scarier, possibly
      worse, but…
    • Combining factors
       – Intent
       – Ease of acquisition (democratization of
         terror/espionage)
       – Potential for serious damage and mass
         fear/uncertainty
    • Strong case for cyber as #1 threat




Our #1 Threat?
• Examples of viable national
  security targets
   –   Government systems
   –   Air-traffic control
   –   Financial sector
   –   Telecom
   –   “Smart” energy grid
   –   Other SCADA targets
   –   Healthcare (especially with EMR
       revolution)




Keeping Corporate Leaders Up at Night
              • Damage from security breaches can
                cause
                 –   Fines and penalties
                 –   Lawsuits
                 –   Reduced shareholder value
                 –   Negative publicity
                 –   Loss of customer trust
              • Few companies have the right
                elements in place




Real Money
• ChoicePoint Data Breach results in
  $55 million in fines and settlement
  payments. Largest EVER settlement
  for FTC
• November 2010: AvMed class action
  suit by 1.2 million health plan
  members whose unencrypted PII was
  on two missing laptops




Top Information Security Threats
• Identity theft and espionage directed from China and other
  countries
• Expected major increase in attacks from trusted organizations
• Insider attacks
• “Massive armies” of persistent botnets
• Supply-chain attacks infecting consumer devices
• Attacks on mobile phones (esp. iPhones)
• Web application security exploits
   Source: SANS Institute, 2008.




Other Costs of Information Security Breaches
• Loss of customer & shareholder confidence
• Potentially increased insurance/bonding costs
• Negative public image of corporations that don’t do all that
  was reasonable

• Positive public image for those that do; Do well by doing good

            Your company can set the standard!




Why You Should Care…
• As a manager/employee:
   – Accountability
   – Legal liability
   – More importantly: Right thing to
     do
   – You could lose:
      • Your competitive advantage
      • Your sales leads
      • Your marketing strategies
   – Embarrassment/reputational
     damage




Why You Should Care…
  • As a person:
     – If bad guys get access to your electronics,
       they’ll not stop with company data, they’ll
       take everything:
        • Identity theft/use of credit cards, etc.
        • Personal contact information
        • Using your contacts, data, to attack friends,
          relatives, and others
        • Personal information (books/movies purchased,
          medical information, etc.) you might well not want
          “out there”
        • Massive “black market” of personal/credit
          information

  • Particularly risky if you use same
    passwords/commingle personal with
    business information




Legal Liability by Sector (Some Examples)
• Banking/Finance
   – Gramm-Leach-Bliley
• Healthcare
   –   HIPAA
   –   Expanded in 2009
   –   National breach disclosure requirement
   –   Massive fines
• Government
   – FISMA/NIST for Federal $$
• Education
   – FERPA
• ALL
   – 46 State Laws, Bills in Congress, International




Officer/Director Liability

• Sarbanes-Oxley – Publicly Traded Companies:
  – Requires senior management to perform annual assessment of internal
    controls over financial reporting
  – Indirectly requires management to certify data accuracy
  – Regulators believe securing data necessary to ensure accuracy and
    reliability




It’s Not If,
 It’s When


Why Plan?

• Responsibility to employees, customers, investors
• Planning compels new understanding of crucial business
  processes
• Enables business survival, reduces degradation in event of
  disaster
• Competitive advantage/marketing angle
• Reduces “failure of imagination”




Planning Fundamentals

1.   Risk/business impact analysis
2.   Communication
3.   Transportation
4.   Coordination
5.   Redundancy
6.   KISS
7.   Chains of command
8.   Imagination - Failure thereof




More Planning Fundamentals

•   To start, you have to start
•   Scope – Lessons from Goldilocks
•   Seats at the table
•   Baselining and imagining
•   Disaster recovery vs. business continuity
•   All hazards approach
•   Biggest bang for the buck




No Battle Plan Survives the First Shot

                •   Communications is Key
                •   Empower Improvisation
                •   Recrimination Control
                •   Multiple Contingencies
                •   Checklists and SOPs
                •   Failsafes




Communications
• Do you have a list of IDs, passwords,
  important files, etc. printed out/electronic
  and in a safe place off-site?
• What do you do with mail/customer orders?
• Set up call forwarding to a back up location
• Consider alternate & redundant routing of
  communications
• Dial-up may not be the most sophisticated
  technology but if the Internet is down you
  can still connect point-to-point with dial-up




Information Sharing & Analysis Centers

•   Communications
•   Energy
•   Financial Services
•   Information Technology
•   Emergency Management & Response
•   Surface Transportation
•   Supply Chain

             www.isaccouncil.org/sites/index.php




Disaster Planning Spectrum

1.   Business process mapping
2.   Threat/risk assessment
3.   Create DR plan, acquire assets, train DR plan
4.   Test & exercise plan regularly
5.   Continuously reassess and refine



CyberRisk:
What To Do



Key Information Security Planning Principles


•   The worst thing is not to start
•   2nd worst thing: Start in the middle
•   Data Classification Process
•   Strategic Security Plan
•   Attorney-client privilege
•   Advice of Counsel defense




Don’ts
   • Start with a penetration test
   • Focus only on the technical
   • Focus only on the IT
     department
   • Move forward without
     Attorney-Client privilege in
     place




Private Sector Preparedness

• Private sector preparedness for crises is essential to the
  nation’s well being
• Large businesses, often with far-reaching interests, see
  themselves as more at risk from terrorist plots
• Many small/medium-businesses, even though they can be
  crippled by a crisis, have done little




Private Sector Preparedness

• Insurance brokers and companies
  should consider business
  preparedness in their risk evaluation
  process
• We need to promote greater
  understanding that corporate
  resilience and preparedness are
  competitive advantages for
  companies
• Investors should be aware of a
  company’s preparedness status to
  guide their investment decisions




Private Sector Preparedness

• Fed legislation empowers DHS to establish a voluntary
  accreditation and certification program
• Key: Integrate insurance, legal, rating agency communities
  into certification program to encourage them to reward
  certified businesses




Don’t be Overwhelmed by Fear, Manage Risk

• Before 9/11, most of us were unaware of these threats
• The reality is they are with us to stay
• Our message is not to be afraid but to know that bad things
  can happen in today’s world and to take steps to be prepared
  to manage risk and deal with a disaster if and when it
  happens
• It only makes good business sense; the business that does
  this planning is one that will emerge from whatever happens,
  taking care of its customers and employees and moving
  forward.
• It makes every bit of sense to think through scenarios in
  advance



Don’t Try This at Home

• Areas Discussed Today Are Extremely Complex
• Only Constant in this Area is Change
• Warning: This presentation is not legal advice, and should
  not be relied upon




Michael Hurley – mihurley@hotmail.com
Bryan Cunningham – (303) 743-0003, bc@morgancunningham.net



Telecommunications Continuity

• DHS Considers Telecommunications
  to be a Critical Part of Infrastructure
   – Employee Safety (911 and family)
   – Encourage Family Pre-planning
     Ready.gov
   – Operations/Staffing needs
• Telecommunications Systems are an
  Important Component of Business
  Continuity Planning
   – Travel/meetings curtailed
   – Access to Data, PBX/voice
     communications, call center
     operations, access to networks


Telecommunications Continuity

         • Videoconferencing and audio
           conferencing are cost-effective
           alternatives

         • Electronic Data Transfer

         • Web based presentations

         • Accessible, Effective Data Back-Up

         • Reliability of Telecommunications is a
           key to Business Continuity


Telecommunications Continuity

• Reliability Considerations:
   – Will your system work during a power outage? Landlines
     typically have both battery and generator backup.
   – Cell Towers may become overloaded.
   – Redundancy in the network.
   – Call Transfer capabilities – inbound call center operations


• Automated Emergency Notifications
• Automated Attendant Systems (e.g. Voicemail)

• Safety and Security are the highest priorities!




Event: George Washington University -- National Security Threat Convergence: ...Chuck Brooks
 

Similar to Fail To Plan (20)

Cyber Security Emerging Threats
Cyber Security Emerging ThreatsCyber Security Emerging Threats
Cyber Security Emerging Threats
 
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and AfraidAECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
 
The Role Of Technology In Modern Terrorism
The Role Of Technology In Modern TerrorismThe Role Of Technology In Modern Terrorism
The Role Of Technology In Modern Terrorism
 
The New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st centuryThe New Front Line:An observation of cyber threats in the 21st century
The New Front Line:An observation of cyber threats in the 21st century
 
Sovereignty in Cyberspace
Sovereignty in CyberspaceSovereignty in Cyberspace
Sovereignty in Cyberspace
 
Cybersecurity Strategies - time for the next generation
Cybersecurity Strategies - time for the next generationCybersecurity Strategies - time for the next generation
Cybersecurity Strategies - time for the next generation
 
Cyberwar and Geopolitics
Cyberwar and GeopoliticsCyberwar and Geopolitics
Cyberwar and Geopolitics
 
Securing Indian Cyberspace Shojan
Securing Indian Cyberspace ShojanSecuring Indian Cyberspace Shojan
Securing Indian Cyberspace Shojan
 
Top 10 most famous hackers of all time
Top 10 most famous hackers of all timeTop 10 most famous hackers of all time
Top 10 most famous hackers of all time
 
Badolato April 2011 Slideshow
Badolato April 2011 SlideshowBadolato April 2011 Slideshow
Badolato April 2011 Slideshow
 
Powerpoint
PowerpointPowerpoint
Powerpoint
 
An Internet of Governments
An Internet of GovernmentsAn Internet of Governments
An Internet of Governments
 
San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media &amp...
San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media &amp...San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media &amp...
San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media &amp...
 
San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media &amp...
San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media &amp...San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media &amp...
San Francisco Isaca Fall Security Conference G32 Wiki Leaks Social Media &amp...
 
ASFWS 2012 - Cybercrime to Information Warfare & “Cyberwar”: a hacker’s persp...
ASFWS 2012 - Cybercrime to Information Warfare & “Cyberwar”: a hacker’s persp...ASFWS 2012 - Cybercrime to Information Warfare & “Cyberwar”: a hacker’s persp...
ASFWS 2012 - Cybercrime to Information Warfare & “Cyberwar”: a hacker’s persp...
 
Challenges from the Cyber Domain: Cyber Security and Human Rights
Challenges from the Cyber Domain: Cyber Security and Human RightsChallenges from the Cyber Domain: Cyber Security and Human Rights
Challenges from the Cyber Domain: Cyber Security and Human Rights
 
Cyber warfare ss
Cyber warfare ssCyber warfare ss
Cyber warfare ss
 
G32 Wiki Leaks Social Media & Whistleblowers The Future Of It Auditing A ...
G32 Wiki Leaks Social Media & Whistleblowers The Future Of It Auditing A ...G32 Wiki Leaks Social Media & Whistleblowers The Future Of It Auditing A ...
G32 Wiki Leaks Social Media & Whistleblowers The Future Of It Auditing A ...
 
Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...
 
Cyber Threat
Cyber ThreatCyber Threat
Cyber Threat
 

Fail To Plan

  • 1. 1
  • 2. Today’s Speakers Michael Hurley Bryan Cunningham Lynne Monaco Jeff Passolt, Host 2
  • 3. © 2011 - Copyrighted Materials • Today’s presentation contains copyrighted materials, which are solely the property of their respective owners • Any unauthorized use of these materials is strictly prohibited 3
  • 4. Introduction • Many questions, few answers • What we’ll cover – Major threats – Natural and manmade – Disaster recovery/Business continuity – Why and how to plan – Heightened concerns about cyberthreats 4
  • 5. Not THE List, A List • Acts of terrorism • War-related disasters • Haz-mat events • Nuclear accidents • Aircraft accidents • Wild-land and urban fires • Natural disasters • Other types of natural/human disasters Source: US Government, National Incident Management Systems Characterization 5
  • 6. Current Threats • Our biggest worry: DANGEROUS TERRORISTS WITH DANGEROUS WEAPONS – Al-Qaeda recruiting and operating in the US – Continue to seek nuclear/other WMDs – If they get them, they’ll use them – Catastrophic consequences on many fronts 6
  • 7. US Government Thoughts/Actions • Post 9/11 Commission views • Protection efforts: The problem with radiation detection • Cyberthreats – The flavor of the moment • Conventional weapons assessment – Many problems short of WMDs 7
  • 8. Low Probability vs. High Impact • “Overriding priority of our national security policy must be to prevent the spread of nuclear weapons of mass destruction.” – Senators Sam Nunn, Richard Lugar – Lock down nuclear weapons and materials • Highly enriched uranium and plutonium – Cooperate with leaders around the world • It’s in their interest, too! – Problem of Pakistan • Can extremists get the keys to the bomb? • Could directly harm the U.S. 8
  • 9. More Concerns • In Jan. 2010, both Iran and North Korea have energetic programs to develop nuclear weapons – Both are direct threats to the U.S. • Terrorist interest in acquiring materials persists – 18 documented cases of theft of highly enriched uranium and plutonium – Consequences: Hundreds of thousands dead, worldwide economic reverberation - “Securing the Bomb,” April 2010 – “The Nuclear Bazaar” reports 40 plus countries now have nuclear materials 9
  • 10. Homegrown Terrorism • 2009 and 2010 – Significant increase in terrorist attacks/attempts on U.S. soil, and an alarming increase in the number of homegrown terrorists – Major Hasan and Ft. Hood attack – 13 dead – Abdulmutallab’s attempt on NWA flight bound for Detroit – Najibullah Zazi – Denver Airport shuttle bus driver, intent to attack NYC subway – Farooque Ahmed – Virginia resident, intent to bomb D.C. Metrorail – Faisal Shahzad – Attempted car bomb in Times Square – Mohamed Osman Mohamud – 19-year-old Somali, Oregon State student, attempted car bombing in late November in Portland, Christmas tree lighting ceremony – Abdulhakim Muhammad – Killed U.S. soldier outside Little Rock Army recruiting office 10
  • 11. America, We Have a Problem! • David Headley • Colleen LaRose, a.k.a. “Jihad Jane” of Pennsylvania • National Security Preparedness Group September 2010 Report – Places like Minneapolis and Portland, because of the growing radicalization among Somali youth in those cities, are on the “frontlines” of terrorism • Not just Islamist terrorists we need to worry about; what should really drive the point home to small- and medium-size businesses: – August 2010, Omar Thornton - Hartford, CT beer distributorship – Faced a disciplinary hearing, possibly employment termination – Killed 8 co-workers and then killed himself 11
  • 12. Cyber Attacks are Pervasive • At least 500 million personal records have likely been compromised since January 2005 – Source: Privacy Rights Clearinghouse • 2009: Identity theft estimated to have cost the US economy $54 billion – Source: Forbes magazine 12
  • 13. Big Brother is Listening • President Obama identified cybersecurity as “one of the most serious economic and national security challenges we face as a nation.” • USG has Project “Perfect Citizen” to place classified sensors in networks controlling nation’s key critical infrastructures e.g., the electric power grid • 300 million electronic medical records by 2014; sophisticated electricity use sensors in every house • Obvious privacy, civil liberties challenges 13
  • 14. AQ in Iraq hacks UAV feeds Locating adversaries in cyberspace with $29 software is becoming increasingly difficult Members of Al-Qauuam brigade use laptops to hack opposition IT systems in 2006. Al Qaeda Internet recruiting 14
  • 15. The Cyberthreat • Theoretical? It’s already happened • The next war starts not with a bang, but a click 15
  • 16. The Threat Issued Settled • Russia-Estonia (5/2007) • Russia-Georgia (8/2008) • China – GhostNet (5/2009) • Iranian Non-Revolution • China - Google, etc. (12/09) • Eastern Europe – Kneber Botnet (1/2010) – Acquired proprietary data from over 2,500 companies worldwide – Targeted energy, health, technology, financial and government sectors – Likely run by organized cyber criminals in Eastern Europe – Detection rate of less than 10% among antivirus software/shielded from IDS systems 16
  • 17. The Threat Issued Settled • China State Department cables • Wikileaks war • Hacktivism • Stuxnet 17
  • 18. Ripped from the Headlines • Google China • Preceded by GhostNet – Investigation into attacks on the Dalai Lama – Wide ranging network of compromised computers – 1,295 spread across 103 countries – 30% = “High Value Targets” • Min. Foreign Affairs, embassies, news orgs., NATO HQS computer 18
  • 19. Shadows in the Cloud • Deep/broad investigation by same group that originally uncovered GhostNet – Released Early April 2010 • Documented a new and extremely sophisticated “malware ecosystem” that leverages – Multiple redundant cloud computing systems – Social networking platforms (Twitter, Blogspot, etc.) – Free web hosting services to--- • Maintain persistent command and control over machines while operating core servers located in the PRC 19
  • 20. Shadows in the Cloud - Key Findings • New “Ecosystem” – Convergence of crime & national security threats • Democratization of espionage • Theft of classified and sensitive documents • Collateral compromise – Visa applications for US workers in Afghanistan—big OpSec problem • Companies targeted like countries, e.g., Google – Need to act accordingly • Clear links to Chinese hackers, but PRC government? – Wikileaks cable demonstrates USG thinks so • Your network is only as strong as its weakest link 20
  • 21. China Rising, Others Following • April 18, 2010- 15% of all worldwide Internet traffic redirected to networks inside PRC • Victims included: – Secretary of Defense – All four US armed services – United States Senate – Dell, Yahoo, IBM, Microsoft and other private companies 9/7/07 – “Chinese Army Blamed for Pentagon Attack” 21
  • 22. Collateral Damage • Even if not the prime target, operating in a foreign country may expose organizations to risks associated with cyber-wars/hacktivism – MasterCard, Amazon targeted by Wikileaks supporters • High-tech harassment • Instigators of cyber-wars can cloak true source of attack by hiring hackers in other countries, and by zombie-ing privately owned computers 22
  • 23. Our #1 Threat? • Nuclear, bio scarier, possibly worse, but… • Combining factors – Intent – Ease of acquisition (democratization of terror/espionage) – Potential for serious damage and mass fear/uncertainty • Strong case for cyber as #1 threat 23
  • 24. Our #1 Threat? • Examples of viable national security targets – Government systems – Air-traffic control – Financial sector – Telecom – “Smart” energy grid – Other SCADA targets – Healthcare (especially with EMR revolution) 24
  • 25. Keeping Corporate Leaders Up at Night • Damage from security breaches can cause – Fines and penalties – Lawsuits – Reduced shareholder value – Negative publicity – Loss of customer trust • Few companies have the right elements in place 25
  • 26. Real Money • ChoicePoint Data Breach results in $55 million in fines and settlement payments. Largest EVER settlement for FTC • November 2010: AvMed class action suit by 1.2 million health plan members whose unencrypted PII was on two missing laptops 26
  • 27. Top Information Security Threats • Identity theft and espionage directed from China and other countries • Expected major increase in attacks from trusted organizations • Insider attacks • “Massive armies” of persistent botnets • Supply-chain attacks infecting consumer devices • Attacks on mobile phones (esp. iPhones) • Web application security exploits Source: SANS Institute, 2008. 27
  • 28. Other Costs of Information Security Breaches • Loss of customer & shareholder confidence • Potentially increased insurance/bonding costs • Negative public image of corporations that don’t do all that was reasonable • Positive public image for those that do; Do well by doing good Your company can set the standard! 28
  • 29. Why You Should Care… • As a manager/employee: – Accountability – Legal liability – More importantly: Right thing to do – You could lose: • Your competitive advantage • Your sales leads • Your marketing strategies – Embarrassment/reputational damage 29
  • 30. Why You Should Care… • As a person: – If bad guys get access to your electronics, they’ll not stop with company data, they’ll take everything: • Identity theft/use of credit cards, etc. • Personal contact information • Using your contacts, data, to attack friends, relatives, and others • Personal information (books/movies purchased, medical information, etc.) you might well not want “out there” • Massive “black market” of personal/credit information • Particularly risky if you use same passwords/commingle personal with business information 30
  • 31. Legal Liability by Sector (Some Examples) • Banking/Finance – Gramm-Leach-Bliley • Healthcare – HIPAA – Expanded in 2009 – National breach disclosure requirement – Massive fines • Government – FISMA/NIST for Federal $$ • Education – FERPA • ALL – 46 State Laws, Bills in Congress, International 31
  • 32. Officer/Director Liability • Sarbanes-Oxley – Publicly Traded Companies: – Requires senior management to perform annual assessment of internal controls over financial reporting – Indirectly requires management to certify data accuracy – Regulators believe securing data necessary to ensure accuracy and reliability 32
  • 33. It’s Not If, It’s When 33
  • 34. Why Plan? • Responsibility to employees, customers, investors • Planning compels new understanding of crucial business processes • Enables business survival, reduces degradation in event of disaster • Competitive advantage/marketing angle • Reduces “failure of imagination” 34
  • 35. Planning Fundamentals 1. Risk/business impact analysis 2. Communication 3. Transportation 4. Coordination 5. Redundancy 6. KISS 7. Chains of command 8. Imagination - Failure thereof 35
  • 36. More Planning Fundamentals • To start, you have to start • Scope – Lessons from Goldilocks • Seats at the table • Baselining and imagining • Disaster recovery vs. business continuity • All hazards approach • Biggest bang for the buck 36
  • 37. No Battle Plan Survives the First Shot • Communications is Key • Empower Improvisation • Recrimination Control • Multiple Contingencies • Checklists and SOPs • Failsafes 37
  • 38. Communications • Do you have a list of IDs, passwords, important files, etc. printed out/electronic and in a safe place off-site? • What do you do with mail/customer orders? • Set up call forwarding to a back up location • Consider alternate & redundant routing of communications • Dial-up may not be the most sophisticated technology but if the Internet is down you can still connect point-to-point with dial-up 38
  • 39. Information Sharing & Analysis Centers • Communications • Energy • Financial Services • Information Technology • Emergency Management & Response • Surface Transportation • Supply Chain www.isaccouncil.org/sites/index.php 39
  • 40. Disaster Planning Spectrum Business Process Mapping Threat/Risk Assessment Create DR plan Acquire assets Train DR plan Test & exercise Plan Regularly Continuously Reassess And Refine 40
  • 42. Key Information Security Planning Principles • The worst thing is not to start • 2nd worst thing: Start in the middle • Data Classification Process • Strategic Security Plan • Attorney-client privilege • Advice of Counsel defense 42
  • 43. Don’ts • Start with a penetration test • Focus only on the technical • Focus only on the IT department • Move forward without Attorney-Client privilege in place 43
  • 44. Private Sector Preparedness • Private sector preparedness for crises is essential to the nation’s well being • Large businesses, often with far-reaching interests, see themselves as more at risk from terrorist plots • Many small/medium-businesses, even though they can be crippled by a crisis, have done little 44
  • 45. Private Sector Preparedness • Insurance brokers and companies should consider business preparedness in their risk evaluation process • We need to promote greater understanding that corporate resilience and preparedness are competitive advantages for companies • Investors should be aware of a company’s preparedness status to guide their investment decisions 45
  • 46. Private Sector Preparedness • Fed legislation empowers DHS to establish a voluntary accreditation and certification program • Key: Integrate insurance, legal, rating agency communities into certification program to encourage them to reward certified businesses 46
  • 47. Don’t be Overwhelmed by Fear, Manage Risk • Before 9/11, most of us were unaware of these threats • The reality is they are with us to stay • Our message is not to be afraid but to know that bad things can happen in today’s world and to take steps to be prepared to manage risk and deal with a disaster if and when it happens • It only makes good business sense; the business that does this planning is one that will emerge from whatever happens, taking care of its customers and employees and moving forward. • It makes every bit of sense to think through scenarios in advance 47
  • 48. Don’t Try This at Home • Areas Discussed Today Are Extremely Complex • Only Constant in this Area is Change • Warning: This presentation is not legal advice, and should not be relied upon Bryan Cunningham Michael Hurley (303) 743-0003 mihurley@hotmail.com bc@morgancunningham.net 48
  • 49. Telecommunications Continuity • DHS Considers Telecommunications to be a Critical Part of Infrastructure – Employee Safety (911 and family) – Encourage Family Pre-planning Ready.gov – Operations/Staffing needs • Telecommunications Systems are an Important Component of Business Continuity Planning - Travel/meetings curtailed - Access to Data, PBX/voice communications, call center operations, access to networks 49
  • 50. Telecommunications Continuity • Videoconferencing and Audio conferencing are cost/effective alternatives • Electronic Data Transfer • Web based presentations • Accessible, Effective Data Back-Up • Reliability of Telecommunications is a key to Business Continuity 50
  • 51. Telecommunications Continuity • Reliability Considerations: – Will your system work during a power outage? Landlines typically have both battery and generator backup. – Cell Towers may become overloaded. – Redundancy in the network. – Call Transfer capabilities – inbound call center operations • Automated Emergency Notifications • Automated Attendant Systems (e.g. Voicemail) • Safety and Security are the highest priorities! 51
  • 52. Today’s Speakers Michael Hurley Bryan Cunningham Lynne Monaco Jeff Passolt, Host 52
  • 53. 53