Comments on Business Continuity

I was recently asked to speak to a group of local businesses on the topic of Business Continuity and thought I might share some of my observations and thoughts. The first is that of how many people, security professionals included, share misconceptions about the fundamentals of Business Continuity usually confusing them with Disaster Recovery or something else.

Business Continuity can be defined as the ability of an organization to maintain its operations and services in the face of a disruptive event (Ciampa, 2009). He goes on to discuss the breadth and depth of these kinds of disruptions including power outages and Hurricanes (Ciampa, 2009). Anything that disrupts the day to day operations of a company can be classified as a business continuity issue.

Some of the misconceptions that company CXO’s as well as some Security Professionals hold are that Business Continuity means keeping offsite backups in th event a critical server fails. While vital and certainly disruptive these are in fact issues fall more under the heading of disaster recovery.

Business Continuity is and does mean being prepared for things like the following:

  1. Disgruntled employees (either still employed or recently discharged) and the havoc they can wreak on a worksite. This is particularly true if that employee worked in IT and had access to critical data or applications.
  2. Natural disasters such as fires, tornado’s, floods, and even simple things such as a roof leak. Any or all of these can have a dramatic effect on business operations if no plan has been prepared. You’d be surprised how many companies have NO plan for dealing with natural disasters such as who to call phone lists, employee rosters to be able to provide law enforcement in the event they are needed for victim location, etc.
  3. Providing some sort of appropriate plan for redundancy. One common example would be if you lost internet connectivity because of a cut service line do you have a backup plan in place to keep business running. If a fire were to damage but not destroy your facility do you have somewhere you could relocate to temporarily so that you could keep the business running? Do you have spare hardware for those times when some critical piece of gear fails? During the Katrina disaster in Louisiana the state was able to recover almost all of their servers and workstations but the keyboard and mice were destroyed. And there was no place to obtain new hardware so their perfectly good machines were useless.
  4. Have you identified your vulnerable spots? Have you reviewed your insurance coverage lately to see if you have adequate coverage? We all like to put off things like this until forced to do so but some assets depreciate over time while others become more valuable. It’s a good idea to review your coverage annually. Do you have a succession plan in place in the event something happens to yourself or other key employees?
  5. Are you educating your employees on good security procedures? Do you have monthly, quarterly, or annual meetings to go over company security policies? Are your security policies well defined?
  6. Are you keeping an eye on any companies with whom you outsource? Is their staff trustworthy? Do they do background checks? Can they provide you with documentation? Are they adequately insured? Can they provide you with proof?
  7. Do you have an incident response plan? Is anyone trained and do you test it regularly? Do you know who to call and what to do in the event of an incident? Do you even understand what an “incident” might consist of? Do you have it defined?
  8. Do you have a trusted outside third party advisor that you can turn to before a crisis?
  9. Are you aware of reporting requirements for your specific industry if any exist? Data breaches can bring huge liability to the table and you need to know what the local state and Federal laws are governing such breeches.
  10. Where, when, and how are you using encryption. You should be using whole disk encryption on ANY mobile platform in order to protect what you DON’T know is on your hard drive. But more importantly do you have a way to recover as well as report and deal with stolen or lost mobile devices. A high percentage of breached data comes from lost or stolen laptops and the vast majority of those are either left in a car or cab. Not having those assets secured could cause your company devastating consequences.

The point in all this that I want to make is that Business Continuity planning is like shopping for life insurance. No one wants to do it but we all know we should. My advice is, find a trusted security professional party with whom you can work and at least get the dialogue going on the subject. Business disruption is just like death and taxes. It’s not an if scenario but when. So plan for it and you may just save your company and everything you have worked so hard to obtain.

If you have further questions or would like to schedule a free assessment you can contact me at btohara@outlook.com . Until next time…

Stay Secure!

The Nature of an Incident Response

or
What to Do When You Don’t Know What To Do

A customer of mine once said “I don’t know what I don’t know” and if I don’t know then how could I know what questions to ask (regarding security). This second in the series of Blogs addresses one of those “I don’t know” issues; that of a computer or network based (forensic) incident and what to do when a business owner thinks one has occurred.

After spending many years in, around, and working with computers, the rules governing what to do when something or someone goes wrong (an incident) have changed numerous times. In the early days we were taught that when a computer system was suspected of having been tampered with or containing damaging information there was only one option; pull the plug and call the local authorities. What to do after that depended on how much money you had and whether or not law enforcement was involved. Once the box was disconnected from power the authorities were contacted and events unfolded. Computer forensics was in its infancy and specialists were few and far between or employed only by top government agencies such as the FBI, NSA, etc. The small business owner really had nowhere to turn for help. And by the time they usually figured what to do or who to turn to any evidence was damaged to the point of being useless in a court of law.

In the late 90’s we started practicing leaving power applied to the systems but disconnecting them from the network; the idea being that once disconnected from the network any malicious behavior would be halted and the system could be analyzed by the local admin or simply gracefully shutdown. However, computer forensics while having begun to advance was still outside the reach of most small businesses leaving them still on their own. Security itself only started becoming a more important with the disruption caused by some of the worms and DOS outages of the time (Melissa, Slammer, Code Red, etc.).

In the last decade things have gone from bad to worse with regard to the dangers faced daily on the internet. We are no longer worried so much about outages caused by things like Melissa or Code Red but by malicious C2C (crime to crime) vendors who steal our identities and trade them openly over the internet like discounted Amazon.com books. Root Kits, once the exclusive purview of Unix distros are now a constant threat for any desktop or NOS. More and more sophisticated malware is being released with the ability to hide in memory, stay hidden on the hard drive, and disappear when the machine is either powered off or simply disconnected from the network.

As a result of the changing nature of these threats we have developed yet another set of standards for handling “incidents”; those nefarious things that leave us all searching for answers when they occur. The business of incidents has started to mature so that we are not so helpless when responding to events as they unfold. We have more tools at our disposal. The big question is will we utilize them effectively? What follows are some generally accepted industry standards and guidelines and are designed only in part to help you put together an incident response policy of your own. It is neither authoritative nor complete. It is intended to get you thinking about what you would do if there were an “incident” in your company and whether you are prepared to your satisfaction.

  1. The site MUST be secured! This means that any suspect device(s) must be confined and contained such that nothing can be touched or contaminated until a decision is made as to how to proceed. This would mean things like securing not only the device(s) but the room(s) in which they reside complete with uninterrupted guard of some kind. Any person or employee suspected should be sequestered only with permission and based on your HR policy regarding suspicious employee behavior, or by law enforcement. You or your company own the computer equipment, software, etc. but not the employee.
  2. The device or devices in question as well as the surrounding area should not be touched in anyway. This means don’t even touch the keyboard to log off a user. Anything you do could taint what could later be considered a crime scene.
  3. Contact legal counsel immediately. This is where most business owners go wrong. They usually think that the first thing they should do is to contact the authorities. Since you are not trained in law or law enforcement you should not jump to conclusions until you touch base with someone with more training in the area. And since your lawyer is your legal consultant they should be your first point of contact.
    1. Once counsel has been informed they will usually agree that it is time to call in a forensic specialist. Computer and network forensics is a VERY specialized field and requires very specific training and experience. Look for certifications such as CSA, CISSP, etc. Make sure the individual has experience working with local law enforcement. Be sure and check their credentials and recommendations.
  4. If legal counsel feels it is necessary then contact local law enforcement. They will need all the information you can give them so be sure to document who, what, where, when, etc. in detail. This will make everyone’s work much easier in the long run.
  5. You should already have in place an “internet and computer usage” policy in place and should be able to produce it. If you do not have one get one in place right away. If you have one, it should be reviewed with your HR and legal counsel at least once a year.

These are some of the reasons I stress to both small and large businesses to be sure they have a solid usage policy in place and review it annually for necessary changes based on the industry to which you belong. Health Care will have different needs than manufacturing and/or financials. So be sure you are meeting all of your regulatory requirements. But most importantly find a trusted reliable security resource you can call on BEFORE an incident occurs. Let them review your policies and consider doing a security audit just as you would for accounting.

Tech Defenders, Inc. has been specializing in security for over 10 years and is the area’s leading security specialists. Whether it is computer, network, or physical security we can provide you with cost effective solutions that will prepare you for unforeseen events that can disrupt business.

For a free incident response policy consultation or a complete audit of your security systems I can be reached at btohara@outlook.com . Until next time…

Stay Secure!

Wireless Woes

While traveling through several Midwest airports recently I was presented with the usual onslaught of numerous “FREE” public wireless access services. From Airport terminals to coffee shops in the center of the city, everyone wants to give away free wireless access. And I say Bully! The problem I have with all this ubiquitous access is that as security professionals we typically cringe at the thought of connecting to an “unknown” or “untrusted” wireless source and then surfing the web, checking email, or any of another dozen things we do each day in order to do our jobs, stay in touch with friends and family, or just download really cool music. We are terrified of connecting without encryption and should be.

As all these “Hot Spots” begin showing up on my machine, it occurred to me. Why don’t business owners that give away free internet access setup good encryption and make the key public. As we are trained in the secret trade of security we are taught that keys must always be kept secret and never revealed publicly in order to insure privacy. Well, “public” Wi-Fi is just that; PUBLIC. It is meant to be used freely by anyone who can gain a signal strong enough to connect. The owners typically care not what you do or where you go (although some do apply restrictions with web filtering, etc.). And unfortunately users do just that. Poor Jack down the street logs into his bank account not knowing that the kid in the parking lot is sniffing his passwords while he sips his morning cappuccino. Sara logs into her email and the same thing happens.

What about systems that use “portals” for authentication? Most of them do just that; authenticate, not encrypt. They are used for “pay” services and use your username and password to ensure that you are, or have been billed properly. They rarely make any attempt at securing your transmissions. But couldn’t we use these pages for advertisements and reminders about security? Perhaps adds for the morning special on Blueberry muffins at the local coffee shop or who will be playing at open mike night on Thursday; all ways to drive more business.

And why don’t we use encryption in “FREE” public access wireless? Mostly due to ignorance. Most business operations either don’t realize or don’t care about the security problems associated with transmitting in the clear or are simply too lazy to do anything about it. But what would it hurt? Most new OSs prompt for a key when connecting to a new network and once you have exchanged keys everything from that point on is encrypted. All the other dangers of public Wi-Fi still exist but the single most dangerous could be eliminated with as single flip of the switch on the interface of the AP or system being used.

So next time you are at your favorite coffee shop ask the owners if they even know how to enable security on their Wi-Fi, and if so, to do it. At least you can surf the web with a little more sense of security than before.

That’s enough ranting for one week.  Stay tuned for next week’s on the subject of Anonymous FTP.   Until then…

Stay Secure!

Reflections on 2009

WOW! What a year. We elected our first African-American President, suffered the world’s worst financial crisis since the Great Depression, still have fighting troops in multiple countries, and the Yankees won the series. I feel like I need to stop and take a huge dose of something.

This has been, hands down, the toughest year in my 30 years in business.  Not just because budgets were tight, but because of the upheaval caused by the financial crisis,  businesses folding, people losing their homes after years in their jobs and in our area in particular, the collapse of the auto industry.  At times it felt like it was all too much to take.

But this is the New Year.  A time for reflection, a time for renewal, a time for new beginnings. This is the time of year when we all make those crazy resolutions that we consistently make each and every year.  It is time for a fresh start. I think it is this newness that makes us feel like we can do anything we want.

So it is with this childlike renewal that I make my New Years resolution to work harder in the coming year to be the best I can be and make Tech Defenders the best it can be.  I will try to find ways to make my customers happier, more productive, and safer. I will try to be a better listener so that I can more clearly understand the challenges you face.  I will work harder to find solutions to your problems, not my needs.  And I will try to do it with enthusiasm and fervor.

I want to wish everyone, but especially our loyal customers, a Safe and Happy New Year and all the best for 2010.  As always I look forward to hearing from each and every one of you.  Until then…

Stay Secure!