1.
Sean Wrote:
The first and most
critical success factor is effective commitment and support from top
management. The cybersecurity portion of a business continuity plan cannot hope
to be successful without leadership buy-in. Because C-Suite members shoulder
the ultimate responsibility for the business, the planning and strategy must
involve concurrence from company leadership. They must be made to understand
the threats to the business, how the threats manifest into risk, and how those
risks impact the business process (Hour, 2012).
Another reason for top
level buy-in is that management will be releasing company resources, to include
funding and time, to the creation of the BCP. As strategic planning occurs,
stakeholders and other critical designees should participate in relevant policy
creation. If a BCP that includes cybersecurity is not relevant or in line with
company/management goals, it will not succeed. A Business Impact Analysis (BIA)
will assist in providing that focus by identifying key business processes and
how their diminished performance affects the bottom line. Additionally, legal
and regulatory concerns should be considered during the BIA process (UMUC,
2014).
There’s a great quote
attributed to Mike Tyson- “Everyone has a plan until they’re punched in the
face”- and it describes crisis management. If all of the safety measures put in
place to prevent an intrusion have failed, crisis management will drive you to
focus on the recovery and resilience of critical business functions (NIST.gov,
2014). In December of 2013, Target and other retailers received a punch in the
face when it was reported over 70 million customers had their debit and credit
card data stolen by hackers (). Effective strategic communication in Target’s
crisis management approach played a critical role in the overall recovery
effort. Although the media outlets picked up and ran with this story, the only
thing that seems to matter to the American consumer is that it doesn’t happen
again. Judging by their stock price and continuing sales numbers, this was
nothing more than a bump in the road for Target.
2.
Larry wrote:
It
is first important to understand that the Business Continuity Plan (BCP) is
different from the Disaster Recovery Plan (DRP) as the reason for the BCP is to
know how to handle a temporary outage of the company’s network and/or business
resources. These temporary outages can be the result of power outage, network
outage due to a fiber cut or other incident or a major equipment failure
resulting in loss of data. (SANS Institute,
2002) The DRP is in preparation of a major disaster in which the
facilities are rendered inoperable or completely destroyed. This can occur from
hurricanes, tornados or fires resulting in total loss of company assets. It
will be part of the BCP being developed to decide when the BCP should be
conducted versus when the DRP will be required.
There are several important steps
that should be included when creating a Business Continuity Plan (BCP). First
and foremost is that upper management needs to be involved from the very
beginning and fully support the plan. No plan can be successful without
management support. Once this has been established, there needs to be a
Business Impact Analysis (BIA) conducted. The purpose of a BIA is to identify all
of the assets of the company and assign a value to it. This value will take
into consideration the type and dollar value of the equipment, the dollar value of
the data and information that is stored within those systems, what it would
take to restore those systems and the resources that will be needed. The BIA
process will be an essential part of the overall BCP.
Developing an overall strategy on
how to develop the BCP should be outlined in the following phases: Project
Initiation, Business Analysis (including the BIA), BCP Design, Creating the
BCP, testing of the BCP and then keeping the BCP updated for any changes. (Tipton, 2010) These phases will help the BCP
team analyze their environment and determine what the areas are that need the
most attention. This BCP will also better prepare the company to deal with
whatever incident arises and the steps to bring their company back online. The
BCP is a living document that has to be tested and maintained regularly. It
will be up to the BCP team to determine frequency for the review of the BCP and
how to make sure that all employees are aware of the plan and trained to respond to
the BCP.
3.
Larry Wrote:
A flooding attack can be a very
damaging and relatively easy type of attack as it can render a network,
business or even a government infrastructure unavailable. It has been mentioned several times in this
class regarding the cyber-attacks initiated at the start of the
Russian-Georgian War in 2008. Before the traditional war began, a massive
denial-of-service (DoS) attack was launched towards the internal servers of the
Georgian government. This DoS attack specifically targeted the web, financial
and government operated servers making them unavailable to everyone including
the government. The web servers were then remotely accessed where the official
government websites were defaced depicting the Georgian leader in an
unflattering way. As the result of the cyber-attack, the overall war itself was
not as big of a fight as a traditional war. What made this war so much
different and historical is the fact that cyber technologies were utilized
before any ground, air or sea attack was launched. (Hollis, 2011) This type of attack shows the devastation that can
be done with a small group of computers and actors to conduct this type of attack.
Attacks towards control systems are
another type of attack that can produce a great amount of damage depending on
the targets. Critical Infrastructures (CI) have been under constant attacks
from outside entities trying to shut down or control these systems. This type
of attack can be extremely detrimental and damaging to these control systems.
There was another well-known documented incident that involved this type of
internal attack. The incident was launched against a control system within the
Iranian Nuclear Program. As a result, this attack ended up shutting down their
entire nuclear facility setting them back years in nuclear development. It was
called the Stuxnet worm and was designed to infiltrate and seek out a
particular type of hardware that was using a vulnerable piece of software. As a
result of the worm’s action, it ended up causing the Iranian nuclear
engineers to shut down their centrifuges within the nuclear facility. (Kerr, Rollins, & Theohary, 2010) Using this type
of attack can easily affect many other types of critical infrastructure systems
that may be in the same older state operation.
Utilizing the key-logger attack can
also be a great way to gather vital information for either future attacks or
some sort of ransom. Key-loggers will be installed usually using a Trojan malware
as its deploying method. These key-loggers are designed to record every
keystroke of the end user’s computer and send it back to the attackers’ collection
point. The information that can be gathered is information like credit card
numbers, social security numbers, driver’s license info along with username and
passwords. Key-loggers can also be useful gathering information from within a
company’s network. Usernames and passwords can be recorded and used to gain internal
access using escalated privileges. This would give the attacker the “keys to the
kingdom” so to speak.
4.
Sean Wrote:
There are a few initiatives on the
books that appear to be working towards a comprehensive strategy. The
Comprehensive National Cybersecurity Initiative (CNCI), established by
President Bush in 2008, has been reinforced by President Obama and suggests twelve
ideas that aim to build the coordination and cooperation required to address
cyber-attacks. The CNCI involves the selection of an Executive Branch
Cybersecurity Coordinator (CSC) who will have immediate access to the
president. The CSC is also charged to work closely with key players in
cybersecurity including all levels of government and the private sector,
ensuring an organized response to incidents along with finding relevant
cybersecurity technology (Whitehouse.gov, 2009).
Initiative details include a single, managed Federal
Enterprise network protected by trusted internet connections, intrusion
detection sensors and intrusion prevention sensors. The document goes on to
announce initiatives in cybersecurity research and development efforts, the connecting
of cyber ops centers, expanding cyber education, securing supply chains, and
expanding the Federal role of securing critical infrastructure domains
(Whitehouse.gov, 2009).
In the political realm, no proposal is without its
detractors and the CNCI is no different. The federally chartered Information
Security and Privacy Advisory Board (ISPAB) is concerned with a lack of
transparency and would like to see a release of key documentation regarding
personal cyber privacy (Sentor, 2010). There are also questions regarding the
legality of responding to cyber-attacks and the appropriate roles of executive
and legislative branches in addressing cybersecurity. And finally, there are
grumblings about the sharing of intelligence between the government and the private
sector especially since the majority of threat information collected is
classified.