
Emerging Risks, BCP & DRP

Emerging Risk Presentation at the Karachi - BCI Business Continuity Conference - Dec 2007

  1. Emerging Risks & Business Continuity. Jorge Sebastiao, [email_address]
  2. Are you ready for the challenge?
  3. Threats: industrial espionage; environmental; natural disasters; the unexpected (the “OOPS” factor); cyber terrorism; viruses.
  4. Business risks: employee and customer privacy; legislative violations; financial loss; intellectual capital; litigation; public image and trust.
  5. The alternative is!
  6. Exercise in disaster?
     - Marriott Hotel
       - 4:00 pm: fire in the building
       - You have 2 minutes to respond
       - Decisions to make: staff, facilities, data, customers, media (news)
       - What is the plan?
  7. Time is everything: 2 minutes before the disaster is a little late to start planning how to respond!
  8. Yellow Pages planning? “When disaster happens, do you open the Yellow Pages and look for help…”
  9. Threats and risk
  10. The backup tapes are locked in the trunk!
  11. Do we make wrong assumptions?
  12. ICT is complex: eight support roles (Desktop, Help Desk, LAN Admin, DBA, Operations, Mainframe, Security, Network Management) spread across six layers (business user, non-IT devices, applications, databases, systems, networks), and the result is chaos.
  13. Complexity = unavailability: if each of those eight roles delivers 99% availability, the business user, who depends on all of them at once, sees them in series and gets only about 92% availability (0.99^8 ≈ 0.923).
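The arithmetic behind the "Complexity = Unavailability" slide, as an added example that is not code from the original deck: the eight 99% layers come from the slide; the duplicated-layer figures, the assumption of independent failures and the annual downtime conversion are mine for illustration. It also goes one step beyond the slide by showing what redundancy at each layer does to the chain.

```python
"""Availability of a dependency chain and the effect of redundancy.

Added example for the "Complexity = Unavailability" slide; not code from the
original deck.  The eight layers at 99% come from the slide; the redundancy
figures in chain_with_redundancy() are assumptions for illustration.
"""
from typing import Iterable

HOURS_PER_YEAR = 24 * 365

# Layers from the slide, each assumed to deliver 99% availability.
SLIDE_LAYERS = {
    "Desktop": 0.99,
    "Help Desk": 0.99,
    "LAN Admin": 0.99,
    "DBA": 0.99,
    "Operations": 0.99,
    "Mainframe": 0.99,
    "Security": 0.99,
    "Network Management": 0.99,
}


def _check(a: float) -> float:
    if not 0.0 <= a <= 1.0:
        raise ValueError(f"availability must be in [0, 1], got {a}")
    return a


def series_availability(parts: Iterable[float]) -> float:
    """Every part must be up for the service to be up, so the
    availabilities multiply; the result is below the weakest part."""
    result = 1.0
    for a in parts:
        result *= _check(a)
    return result


def parallel_availability(parts: Iterable[float]) -> float:
    """Redundant parts: the service is down only when all of them are down
    (assumes independent failures, i.e. no common-mode outage)."""
    unavailable = 1.0
    for a in parts:
        unavailable *= 1.0 - _check(a)
    return 1.0 - unavailable


def downtime_hours_per_year(availability: float) -> float:
    """Convert an availability fraction to expected hours down per year."""
    return (1.0 - _check(availability)) * HOURS_PER_YEAR


def slide_chain() -> float:
    """The slide's eight 99% layers in series: about 0.9227, i.e. ~92%."""
    return series_availability(SLIDE_LAYERS.values())


def chain_with_redundancy(copies: int = 2) -> float:
    """Same chain, but each layer deployed `copies` times in parallel
    (assumption for illustration: the copies fail independently)."""
    redundant = [parallel_availability([a] * copies) for a in SLIDE_LAYERS.values()]
    return series_availability(redundant)


if __name__ == "__main__":
    base = slide_chain()
    print(f"serial chain of 8 x 99%: {base:.4f} "
          f"({downtime_hours_per_year(base):.0f} h/year down)")
    red = chain_with_redundancy(2)
    print(f"each layer duplicated:   {red:.4f} "
          f"({downtime_hours_per_year(red):.1f} h/year down)")
```

Eight 99% layers in series come out at roughly 677 hours of downtime a year; duplicating each layer (under the independence assumption) brings the chain to about 99.92%, which is why the later slides push virtualization and redundancy rather than trying to make every single layer perfect.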
  14. IT complexity is costly! “This year alone IT complexity will cost firms worldwide some $750 billion.” (Tony Picardi, IDC)
  15. Outage impact?
     - Logical outages: software bug, virus, data corruption, accidental delete, dropped table, DoS attack
     - Component outages: CPU fault, disk failure, array failure, host bus adapter, network card, software
     - Site outages: fire, power outage, terrorism/war, flooding, storms, hurricane
  16. The costs & consequences (chart from HP Business Continuity Services: $ impact, from millions to billions, against time, from minutes to days)
     - Revenue: direct loss; the indirect impact is more severe and unpredictable
     - Productivity: number of employees × hours lost
     - Damaged reputation: customers, competitors, losing face
     - Financial performance: revenue recognition, valuation, productivity per employee
     - Direct financial and customer impact grows at a constant rate over time; reputation and financial-performance impact grows exponentially
  17. New and emerging threats
  18. 2005-2007 Social engineering risk: “…70 percent of those asked said they would reveal their computer passwords for a…” bar of chocolate. (Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1)
  19. Oct-Nov 2007
     - Court filings estimate impact on 96 million accounts
     - The estimated number of reported credit card numbers taken in the TJX breach has doubled from more than 45 million to nearly 100 million accounts affected, according to VISA.
     - New documents filed in the Federal Court in Boston on October 23 reveal that as many as 96 million consumers may have been affected, including about 29 million MasterCard victims and 65 million VISA victims.
  20. 2005-2007 Worldwide ATM attacks-1
  21. 2005-2007 Worldwide ATM attacks-1
  22. Hackers grow up?
  23. Al Qaeda hacking?
  24. Oct 2007
     - Storm worm strikes back at security: researcher says those discovered trying to defeat the worm suffer DDoS attacks
       - The Storm worm is fighting back against security researchers that seek to destroy it and has them running scared, Interop New York show attendees heard Tuesday.
       - The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them…
  25. 2000 Information warfare: Mark Simeon Jakob used his knowledge of how press releases are submitted to wire services to plant a false, negative press release about the technology company Emulex. The stock plummeted, wiping out about $2.5 billion in market value, before the scam was caught.
  26. 2007 Estonia vs Russia
     - Escalation from a political incident
     - One of the most advanced Internet infrastructures in the EU
     - Over 2 weeks of complete shutdown
     - First a massive external DDoS, then a massive internal DDoS
     - No eGov (0%), no eBanking (0%)
     - Severe economic cost
  27. 2005-2006 Blackout disasters: Rome, New York, London, Bahrain
  28. 2007 New technologies, new risks: laptops, mobiles, Bluetooth, PDAs, smart cards
  29. Security = time. Security holds only while protection outlasts detection plus response: P > D + R.
     - Protection (P): anti-virus, VPN, access control, firewall, intrusion prevention
     - Detection (D): intrusion detection, CCTV, log correlation, vulnerability testing
     - Response (R): managed services, CIRT, patch management
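The P > D + R rule from the "Security = Time" slide, worked through as an added example that is not code from the original deck. The scenarios, their durations and the SIEM-style log lines are constructed for illustration; the point is that D is something you can measure from your own logs (first hostile event to first alert), and that once R is fixed by your on-call process, P minus R is the detection budget your correlation rules have to meet.

```python
"""Time-based security: controls hold only while P > D + R.

Added example for the "Security = Time" slide; not code from the original
deck.  The scenarios, durations and log lines are constructed for
illustration, not measurements from any real environment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

ZERO = timedelta(0)


@dataclass(frozen=True)
class Scenario:
    name: str
    protection: timedelta  # P: how long the protective controls hold
    detection: timedelta   # D: first hostile action -> alert raised
    response: timedelta    # R: alert raised -> attacker contained


def exposure(s: Scenario) -> timedelta:
    """Time the attacker works unopposed: D + R - P, floored at zero."""
    return max(s.detection + s.response - s.protection, ZERO)


def is_secure(s: Scenario) -> bool:
    """The slide's condition: protection must outlast detection plus response."""
    return s.protection > s.detection + s.response


def detection_budget(protection: timedelta, response: timedelta) -> timedelta:
    """Largest detection latency that still keeps P > D + R for a fixed R."""
    return max(protection - response, ZERO)


# Constructed SIEM lines, "<ISO timestamp> <kind>=<value> ...".  Detection
# latency is the gap between the first hostile event and the first alert.
SAMPLE_LOG = """\
2007-12-03T10:00:00 event=ssh_auth_failure src=10.0.0.5 user=root
2007-12-03T10:00:07 event=ssh_auth_failure src=10.0.0.5 user=root
2007-12-03T10:31:00 event=ssh_auth_failure src=10.0.0.5 user=admin
2007-12-03T10:42:00 alert=bruteforce_ssh src=10.0.0.5 rule=correlation-17
"""


def _ts(line: str) -> datetime:
    return datetime.fromisoformat(line.split(" ", 1)[0])


def detection_latency(log_lines: Iterable[str]) -> Optional[timedelta]:
    """D as measured from logs: first event=... line to first alert=... line.
    Returns None if no alert was ever raised (D is effectively unbounded)."""
    first_event: Optional[datetime] = None
    for line in log_lines:
        if not line.strip():
            continue
        key = line.split(" ", 2)[1].split("=", 1)[0]
        if key == "event" and first_event is None:
            first_event = _ts(line)
        elif key == "alert":
            return (_ts(line) - first_event) if first_event else ZERO
    return None


# Assumed scenarios (every number is illustrative):
SCENARIOS: List[Scenario] = [
    # Account lockout buys about an hour (P); log correlation alerts after the
    # 42 minutes measured above (D); the on-call analyst blocks the source in
    # 30 minutes (R).  1h < 1h12m, so the attacker has a 12-minute free window.
    Scenario("SSH brute force, lockout + log correlation",
             protection=timedelta(hours=1),
             detection=timedelta(minutes=42),
             response=timedelta(minutes=30)),
    # Same attack with an inline intrusion-prevention rule: D and R shrink to
    # seconds, so the one-hour P comfortably exceeds D + R.
    Scenario("SSH brute force, IPS auto-block",
             protection=timedelta(hours=1),
             detection=timedelta(seconds=30),
             response=timedelta(seconds=5)),
]


def evaluate(scenarios: Iterable[Scenario] = SCENARIOS) -> Dict[str, Tuple[bool, timedelta]]:
    """Map each scenario name to (secure?, unopposed window)."""
    return {s.name: (is_secure(s), exposure(s)) for s in scenarios}


if __name__ == "__main__":
    print("measured D from sample log:", detection_latency(SAMPLE_LOG.splitlines()))
    for name, (ok, gap) in evaluate().items():
        print(f"{'SECURE ' if ok else 'EXPOSED'} {name}: unopposed window {gap}")
```

The slide's control lists map straight onto the three terms: the protection column buys P, the detection column shrinks D, the response column (CIRT, managed services, patching) shrinks R. Spending on protection alone without measuring D and R tells you nothing about whether the inequality actually holds.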
  30. 24x7 monitoring
  31. Integration: business security management, physical security management, ICT security management
  32. A5™ skilled process: Assess, Architect, Apply, Administer, Awareness. Business risk → controls → maturity.
  33. Infrastructure… best practices
  34. Leverage standards: business continuity key performance indicators; CoBiT; ITIL; ISO 20000 (& BS 15000); ISO 27001 and the ISO 2700x family; PAS 56; BS 25999
  35. Risk classification
  36. Comprehensive response: contingency planning, disaster recovery, security, business continuity, crisis communications, traditional emergency management
  37. Response must be exercised
  38. Knowledge fills gaps: SETA = Security + Education + Training + Awareness
  39. Strategy development: how much to spend? (chart: cost against time) The cost of the mitigation strategy falls as the tolerated recovery time grows, while lost revenue rises with it; the optimum mitigation strategy sits where the sum of the two is lowest.
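The "how much to spend" chart, worked as an added example that is not code from the original deck: a menu of recovery strategies, each with an assumed yearly price and the recovery time it buys, is scored as mitigation cost plus expected outage loss, and the cheapest total is the slide's optimum. The strategies, prices, RTOs, loss rates and outage frequencies are all assumptions for illustration; the closed-form variant at the end assumes the smooth cost curves a/RTO and r×RTO, which the slide only sketches.

```python
"""How much to spend on mitigation: choose the recovery strategy that
minimises mitigation cost plus outage losses.

Added example for the "Strategy development: how much to spend?" slide; not
code from the original deck.  Strategies, prices, RTOs, loss rates and outage
frequencies are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable
import math


@dataclass(frozen=True)
class Strategy:
    name: str
    annual_cost: float  # what the mitigation costs per year (assumed)
    rto_hours: float    # recovery time it buys per incident (assumed)


# Assumed menu of strategies, cheapest and slowest first.
STRATEGIES = [
    Strategy("offsite tape, rebuild on demand", 20_000, 72.0),
    Strategy("warm site, nightly replication", 150_000, 8.0),
    Strategy("hot site, synchronous replication", 600_000, 1.0),
    Strategy("active/active across two sites", 2_000_000, 0.1),
]


def outage_loss(rto_hours: float, loss_per_hour: float, outages_per_year: float) -> float:
    """Lost revenue per year = hours down per incident x loss per hour x incidents."""
    return rto_hours * loss_per_hour * outages_per_year


def total_cost(s: Strategy, loss_per_hour: float, outages_per_year: float = 1.0) -> float:
    """The chart's two curves added together for one strategy."""
    return s.annual_cost + outage_loss(s.rto_hours, loss_per_hour, outages_per_year)


def optimum(loss_per_hour: float, outages_per_year: float = 1.0,
            strategies: Iterable[Strategy] = STRATEGIES) -> Strategy:
    """The slide's optimum mitigation strategy: minimum of cost + lost revenue."""
    return min(strategies, key=lambda s: total_cost(s, loss_per_hour, outages_per_year))


def continuous_optimum_rto(mitigation_constant: float, loss_per_hour: float) -> float:
    """Smooth version of the same chart (assumed curves): if mitigation cost
    falls as a/RTO and loss rises as r*RTO, total a/t + r*t is minimised at
    t = sqrt(a/r)."""
    if mitigation_constant <= 0 or loss_per_hour <= 0:
        raise ValueError("both parameters must be positive")
    return math.sqrt(mitigation_constant / loss_per_hour)


if __name__ == "__main__":
    for rate in (50_000, 200_000):
        best = optimum(rate)
        print(f"loss {rate:>8,}/h -> {best.name} "
              f"(total {total_cost(best, rate):,.0f}/yr)")
    print("continuous model, a=600k, r=50k/h -> RTO hours",
          round(continuous_optimum_rto(600_000, 50_000), 2))
```

With these assumed numbers a business losing $50,000 per outage hour is best served by the warm site; raise the loss rate to $200,000 per hour, or the expected outage count to three a year, and the hot site wins even though it costs four times as much. The same exercise with real figures from the business impact analysis is what turns the chart on the slide into a defensible budget.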
  40. Solutions must be practical
  41. Leverage virtualization (best practices for business continuity): hardware, OS, applications, services, storage, network, clients
  42. Trade-offs: in BCM there are trade-offs between secure, fast/easy and cheap.
  43. Are you ready for emerging risks? “…Don’t bring a knife to a gun fight…”
  44. Questions?
