Emerging Risks, BCP & DRP



Emerging Risk Presentation at the Karachi - BCI Business Continuity Conference - Dec 2007

  • Emerging Risks, BCP & DRP

    1. Emerging Risks & Business Continuity. Jorge Sebastiao [email_address]
    2. You ready for the challenge?
    3. Threats: Industrial Espionage, Environmental, Natural Disasters, Unexpected (“OOPS” factor), Cyber terrorism, Viruses
    4. Business Risk: Employee & customer privacy, Legislative violations, Financial loss, Intellectual capital, Litigation, Public Image/Trust
    5. The alternative is!
    6. Exercise in Disaster?
       • Marriott Hotel
         • 4:00pm Fire in Building
         • you have 2 min Respond
         • Decision
           • Staff
           • Facilities
           • Data
           • Customers
           • Media (news)
         • What is the plan?
    7. Time is everything
       • 2 minutes before the disaster is a little late to start planning how to respond!
    8. Yellow pages Planning? “When disaster happens, do you open the Yellow Pages and look for help….”
    9. Threats and Risk
    10. The backup tapes are locked in the trunk!
    11. We make wrong Assumptions?
    12. ICT is Complex: Desktop Help Desk LAN Admin DBA Operations Mainframe Security Network Management Chaos Business User Non IT Devices Applications Databases Systems Networks
    13. Complexity = Unavailability: Desktop Help Desk LAN Admin DBA Operations Mainframe Security Network Management 99% 99% 99% 99% 99% 99% 99% 99% Business User Non IT Devices Applications Databases Systems Networks 92% Availability
    14. IT complexity is costly! “THIS YEAR ALONE IT COMPLEXITY WILL COST FIRMS WORLDWIDE SOME $750 BILLION” - Tony Picardi, IDC
    15. Outage impact? Software bug, Virus, Data corruption, Accidental delete, Dropped table, D.o.S. Attack, CPU fault, Disk failure, Array failure, Host Bus Adapter, Network Card, Software, Fire, Power Outage, Terrorism/War, Flooding, Storms, Hurricane. Component Outages, Logical Outages, Site Outages
    16. The Costs & Consequences. HP Business Continuity Services. Revenue: Direct loss. Indirect impact is more severe & unpredictable. Productivity: # employees x hours x hours. Damaged reputation: Customers, competitors, lose face. Financial performance: Revenue recognition, value productivity/employees. $ millions minutes days time $ impact $ billions direct financial/customer reputation financial performance constant increase exponential increase
    17. New and Emerging Threats
    18. 2005-2007 Social Engineering-Risk
       • … 70 percent of those asked said they would reveal their computer passwords for a … Bar of chocolate
       Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1
    19. Oct-Nov 2007
       • Court Filings Estimate Impact on 96 Million Accounts
       • The estimated number of reported credit card numbers that were taken in the TJX breach has doubled from more than 45 million to nearly 100 million accounts being affected, according to VISA.
       • New documents filed in the Federal Court in Boston on October 23 reveal that as many as 96 million consumers may have been affected, including about 29 million MasterCard victims and 65 million VISA victims.
    20. 2005-2007 World wide ATM attacks-1
    21. 2005-2007 World wide ATM attacks-1
    22. Hackers grow UP?
    23. Al Qaeda Hacking?
    24. Oct 2007
       • Storm worm strikes back at security - Researcher says those discovered trying to defeat worm suffer DDoS attacks
         • The Storm worm is fighting back against security researchers that seek to destroy it and has them running scared, Interop New York show attendees heard Tuesday.
         • The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them…
    25. 2006 Information Warfare: Mark Simon Jakob uses knowledge to submit press releases, writes a false & negative press release about technology company Emulex. Stock plummets $2.5 billion before the scam is caught.
    26. 2007 Estonia vs Russia
       • Escalation from Political incident
       • One of Most advanced EU Internet
       • Over 2 Weeks complete shutdown
       • 1st massive external DDOS
       • 2nd massive internal DDOS
       • No eGov – 0%
       • No eBanking - 0%
       • Severe Economic cost
    27. 2005-2006 Blackout Disasters: Rome, New York, London, Bahrain
    28. 2007 New Technologies, New Risks
       • Laptops
       • Mobiles
       • Bluetooth
       • PDA
       • Smart Card
    29. Security = Time: Protection, Detection, Response. SECURITY P > D + R. Anti-virus, VPN, Access Control, Firewall, Intrusion Prevention, Managed Services, CIRT, Patch Mgmt, Vulnerability Testing, Intrusion Detection, CCTV, Log Correlation
    30. 24x7 Monitoring
    31. Integration: Business Security Management, Physical Security Management, ICT Security Management
    32. A 5 ™ - Skilled Process: ASSESS, ARCHITECT, APPLY, ADMINISTER, Awareness. Business Risk Controls Maturity
    33. Infrastructure… Best Practices
    34. Leverage Standards: Business Continuity, Key Performance Indicators, CoBiT, ITIL, ISO20000 (& BS15000), ISO27001, ISO2700x, PAS56, BS25999
    35. Risk Classification
    36. Comprehensive Response: Contingency Planning, Disaster Recovery, Security, Business Continuity, Crisis Communications, Traditional Emergency Management
    37. Response must be exercised
    38. Knowledge fills gaps: SETA = Security + Training + Awareness + Education
    39. Strategy Development. How much to spend? Time, Cost of Strategy, Mitigation, Lost Revenue, Optimum Mitigation Strategy
    40. Solutions must be practical
    41. Leverage Virtualization: Hardware, OS, Applications, Services, Storage, NETWORK, Business Continuity, Clients, Best Practices
    42. Trade Offs: In BCM there are trade-offs: Secure, Fast/Easy, Cheap
    43. Are u ready for emerging Risks?
       • “… Don’t bring a knife to a Gun fight …”
    44. Questions?