1. Sean Wrote:
The first and most critical success factor is effective
commitment and support from top management. The
cybersecurity portion of a business continuity plan cannot hope
to be successful without leadership buy-in. Because C-Suite
members shoulder the ultimate responsibility for the business,
the planning and strategy must involve concurrence from
company leadership. They must be made to understand the
threats to the business, how the threats manifest into risk, and
how those risks impact the business process (Hour, 2012).
Another reason for top level buy-in is that management will be
releasing company resources, to include funding and time, to
the creation of the BCP. As strategic planning occurs,
stakeholders and other critical designees should participate in
relevant policy creation. If a BCP that includes cybersecurity is
not relevant or in line with company/management goals, it will
not succeed. A Business Impact Analysis (BIA) will assist in
providing that focus by identifying key business processes and
how their diminished performance affects the bottom line.
Additionally, legal and regulatory concerns should be
considered during the BIA process (UMUC, 2014).
There’s a great quote attributed to Mike Tyson- “Everyone has a
plan until they’re punched in the face”- and it describes crisis
management. If all of the safety measures put in place to
prevent an intrusion have failed, crisis management will drive
you to focus on the recovery and resilience of critical business
functions (NIST.gov, 2014). In December of 2013, Target and
other retailers received a punch in the face when it was reported
over 70 million customers had their debit and credit card data
stolen by hackers (). Effective strategic communication in
Target’s crisis management approach played a critical role in
the overall recovery effort. Although the media outlets picked
up and ran with this story, the only thing that seems to matter to
the American consumer is that it doesn’t happen again. Judging
by their stock price and continuing sales numbers, this was
nothing more than a bump in the road for Target.
2. Larry wrote:
It is first important to understand that the Business
Continuity Plan (BCP) is different from the Disaster Recovery
Plan (DRP) as the reason for the BCP is to know how to handle
a temporary outage of the company’s network and/or business
resources. These temporary outages can be the result of power
outage, network outage due to a fiber cut or other incident or a
major equipment failure resulting in loss of data. (SANS
Institute, 2002) The DRP is in preparation of a major disaster in
which the facilities are rendered inoperable or completely
destroyed. This can occur from hurricanes, tornados or fires
resulting in total loss of company assets. It will be part of the
BCP being developed to decide when the BCP should be
conducted versus when the DRP will be required.
There are several important steps that should be included when
creating a Business Continuity Plan (BCP). First and foremost
is that upper management needs to be involved from the very
beginning and fully support the plan. No plan can be successful
without management support. Once this has been established,
there needs to be a Business Impact Analysis (BIA) conducted.
The purpose of a BIA is to identify all of the assets of the
company and assign a value to it. This value will take into
consideration the type and dollar of the equipment, the dollar
value of the data and information that is stored within those
systems, what it would take to restore those systems and the
resources that will be needed. The BIA process will be an
essential part of the overall BCP.
Developing an overall strategy on how to develop the BCP
should be outlined in the following phases: Project Initiation,
Business Analysis (including the BIA), BCP Design, Creating
the BCP, testing of the BCP and then keeping the BCP updated
for any changes. (Tipton, 2010) These phases will help the BCP
team analyze their environment and determine what the areas
are that need the most attention. This BCP will also better
prepare the company to deal with whatever incident arises and
the steps to bring their company back online. The BCP is a
living document that has to be tested and maintained regularly.
It will be up to the BCP team to determine frequency for the
review of the BCP and how to make sure that all employees are
aware of the plan and trained to respond to the BCP.
3. Larry Wrote:
A flooding attack can be a very damaging and relatively easy
type of attack as it can render a network, business or even a
government infrastructure unavailable. It has been mentioned
several times in this class regarding the cyber-attacks initiated
at the start of the Russian-Georgian War in 2008. Before the
traditional war began, a massive denial-of-service (DoS) attack
was launched towards the internal servers of the Georgian
government. This DoS attack specifically targeted the web,
financial and government operated servers making them
unavailable to everyone including the government. The web
servers were then remotely accessed where the official
government websites were defaced depicting the Georgian
leader in an unflattering way. As the result of the cyber-attack,
the overall war itself was not as big of a fight as a traditional
war. What made this war so much different and historical is the
fact that cyber technologies were utilized before any ground, air
or sea attack was launched. (Hollis, 2011) This type of attack
shows the devastation that can be done with a small group of
computers and actors to conduct this type of attack.
Attacks towards control systems are another type of attack that
can produce a great amount of damage depending on the targets.
Critical Infrastructures (CI) have been under constant attacks
from outside entities trying to shut down or control these
systems. This type of attack can be extremely detrimental and
damaging to these control systems. There was another well-
known documented incident that involved this type of internal
attack. The incident was launched against a control system
within the Iranian Nuclear Program. As a result, this attack
ended up shutting down their entire nuclear facility setting them
back years in nuclear development. It was called the Stuxnet
worm and was designed to infiltrate and seek out a particular
type of hardware that was using a vulnerable piece of software.
As a result of the worm’s action, it ended up causing the Iranian
nuclear engineers to shut down their centrifuges within the
nuclear facility. (Kerr, Rollins, & Theohary, 2010) Using this
type of attack can easily affect many other types of critical
infrastructure systems that may be in the same older state
operation.
Utilizing the key-logger attack can also be a great way to gather
vital information for either future attacks or some sort of ransom.
Key-loggers will be installed usually using a Trojan malware as
its deploying method. These key-loggers are designed to record
every keystroke of the end user’s computer and send it back to
the attackers’ collection point. The information that can be
gathered is information like credit card numbers, social security
numbers, driver’s license info along with username and
passwords. Key-loggers can also be useful gathering
information from within a company’s network. Usernames and
passwords can be recorded and used to gain internal access
using escalated privileges. This would give the attacker the “keys
to the kingdom” so to speak.
4. Sean Wrote:
There are a few initiatives on the books that appear to be
working towards a comprehensive strategy. The Comprehensive
National Cybersecurity Initiative (CNCI), established by
President Bush in 2008, has been reinforced by President
Obama and suggests twelve ideas that aim to build the
coordination and cooperation required to address cyber-attacks.
The CNCI involves the selection of an Executive Branch
Cybersecurity Coordinator (CSC) who will have immediate
access to the president. The CSC is also charged to work closely
with key players in cybersecurity including all levels of
government and the private sector, ensuring an organized
response to incidents along with finding relevant cybersecurity
technology (Whitehouse.gov, 2009).
Initiative details include a single, managed Federal Enterprise
network protected by trusted internet connections, intrusion
detection sensors and intrusion prevention sensors. The
document goes on to announce initiatives in cybersecurity
research and development efforts, the connecting of cyber ops
centers, expanding cyber education, securing supply chains, and
expanding the Federal role of securing critical infrastructure
domains (Whitehouse.gov, 2009).
In the political realm, no proposal is without its detractors and
the CNCI is no different. The federally chartered Information
Security and Privacy Advisory Board (ISPAB) is concerned
with a lack of transparency and would like to see a release of
key documentation regarding personal cyber privacy (Sentor,
2010). There are also questions regarding the legality of
responding to cyber-attacks and the appropriate roles of
executive and legislative branches in addressing cybersecurity.
And finally, there are grumblings about the sharing of
intelligence between the government and the private sector
especially since the majority of threat information collected is
classified