Jon Seals

Computerworld — A federal court in New Jersey this week affirmed the Federal Trade Commission's contention that it can sue companies on charges related to data breaches, a major victory for the agency.

Judge Esther Salas of the U.S. District Court for the District of New Jersey ruled that the FTC can hold companies responsible for failing to use reasonable security practices.

Wyndham Worldwide Corp. had challenged a 2012 FTC lawsuit in connection with a data breach that exposed hundreds of thousands of credit and debit cards and resulted in more than $10.6 million in fraud losses.

...

http://www.cio.com/article/751343/FTC_Can_Sue_Companies_Hit_with_Data_Breaches_Court_Says

CIO — As government CIOs begin consolidating their agency data centers, they should leave the forklift in park.

That was the message senior officials in the government IT sphere delivered in a panel discussion on how to maximize return on investment through overhauling the sprawling federal data center apparatus — which numbers well into the thousands of facilities.

It's not enough simply to pack up one set of servers and reshelve them in another location. Government IT leaders stress that any data center overhaul cannot simply be an IT-driven initiative that amounts to a check-box exercise. The process should entail a considered engagement with the business lines of the agency, they say.

...

http://www.cio.com/article/751332/Government_CIOs_Face_Data_Center_Consolidation_Challenges

Network World — The Heartbleed Bug, a flaw in OpenSSL that lets attackers eavesdrop on Web, e-mail and some VPN communications that rely on OpenSSL, has sent companies scurrying to patch servers and replace digital encryption certificates, and users to change their passwords. But who's to blame for this flaw in the open-source library, which some say could also affect routers and even mobile devices?

A German software engineer named Robin Seggelmann of Münster, Germany has reportedly accepted responsibility for inserting what experts are calling a mistake of catastrophic proportions into the open-source library OpenSSL, used by millions of websites and servers, leaving them open to theft of data and passwords that many think has already been exploited by cyber-criminals and government intelligence agencies.

"Half a million websites are vulnerable, including my own," wrote security expert Bruce Schneier in his blog, pointing to a tool to test for the Heartbleed Bug vulnerability. He described Heartbleed as a "catastrophic bug" in OpenSSL because it "allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software." It compromises secret keys used to identify service providers and encrypt traffic, he pointed out. "This means anything in memory--SSL private keys, user keys, anything--is vulnerable."

...

http://www.cio.com/article/751342/Who_s_to_Blame_for_Catastrophic_Heartbleed_Bug_

By staff reporter

Security experts consider the Heartbleed bug to be a very serious issue, and one that will require action by most Internet users – not just for businesses – bringing the topic of information security home for web users everywhere.

“It's a pretty significant bug, particularly since it impacts popular open-source web servers such as Apache (the most popular web server) and Nginx,” explains ISACA director of emerging business and technology, Ed Moyle. “One significant area that has been covered less in the industry press is the impact this issue could have outside of the population of vulnerable web servers. Now clearly, the impact to web servers is a big deal. But consider for a moment what else might be impacted by this.”

In other words, he explains, consider the impact on embedded systems and "special purpose" systems (like biomed or ICS). “OpenSSL has a very developer-friendly license, requiring only attribution for it to be linked against, copied/pasted or otherwise incorporated into a derivative software product. It is also free. This makes it compelling for developers to incorporate it into anything they're building that requires SSL functionality: everything from toasters to ICS systems, medical equipment, smoke detectors, remote cameras, consumer-oriented cable routers and wireless access points. It's literally the path of least resistance as a supporting library/toolkit when developing new software that requires SSL.”

...

http://www.cirmagazine.com/cir/Information-security-hits-home-with-Heartbleed.php

You could say that those of us who work in preparedness are a little obsessed with making sure we’ve got our emergency kits stocked and ready, our emergency plans up to date, and our neighbors are ready too.  So we’ve got a few households in Georgia ready for a public health emergency (and a few others around the country – don’t forget about friends and family!), but how do we get the country ready?  How do we get the government and other response organizations prepared?

The answer, just like learning how to ride a bike, is practice. Practice, practice, and more practice. And this past week, CDC participated in a government-wide exercise that tested our preparedness and response capabilities. The National Exercise Program Capstone Exercise (NEPCE) 2014 is a congressionally mandated preparedness exercise to test, assess, and improve the nation’s preparedness and resiliency. CDC’s Office of Public Health Preparedness and Response (PHPR) and the National Center for Environmental Health and the Agency for Toxic Substances and Disease Registry (NCEH/ATSDR) worked together to participate in this event.

NEPCE 2014 was designed to educate and prepare the whole community – from schools to businesses and hospitals to families – to prevent, mitigate against, protect from, respond to, and recover from acts of terrorism and catastrophic incidents. This was the first Capstone Exercise, formerly known as National Level Exercise, incorporated into the newly revised National Exercise Plan (NEP), concluding and building on two years of smaller scale exercises. The NEP includes exercises of all types, designed to engage all levels of government, non-government organizations and private sector organizations.

This exercise culminated over nine months of interagency planning efforts among DHS, HHS and CDC along with our state and local partners. CDC planning officials attended planning meetings in Washington, D.C. to integrate CDC operations into the exercise. Additionally, CDC deployed four public health personnel with the HHS Incident Response Coordination Team to Sacramento, California, during the exercise to simulate coordination activities that CDC would normally provide to the impacted population.

History Repeats Itself for Exercise Purposes

The exercise scenario centered on a 9.2 magnitude earthquake in Alaska that caused catastrophic damage across multiple communities, requiring federal response and recovery assistance.  A similar event happened in Alaska at the same time in 1964.

As it did 50 years ago, the earthquake resulted in several tsunamis with substantial threat and damage to critical infrastructure like buildings, bridges, and roads, along with injuries, deaths, and population displacement across Alaska and Canada. While national officials confronted earthquake and tsunami impacts, disruption in and around Juneau, the capital, resulted in a requirement for government entities to relocate to alternate sites.

RADM Scott Deitchman, M.D. M.P.H., USPHS, Assistant Surgeon General who is the Associate Director for Environmental Health Emergencies in NCEH/ATSDR served as the Incident Manager and lead for the exercise. He remarked, “I appreciated the opportunity the exercise gave us, like the rest of government, to exercise how we would respond to a catastrophic disaster of this magnitude. A real earthquake, like a nuclear detonation, suddenly puts you in a situation where the things we take for granted – communications systems to give messages to the public, transportation systems to send responders to the area, data systems for collecting surveillance data – all are gone. How do we launch a public health response in that setting? In exercises like this, the goal is to “test to fail” – to see where things break down, in a setting where we can learn without failing people in actual need. That gives us the opportunity to strengthen our response systems in anticipation of a real disaster.”

One of CDC’s primary missions is to ensure that we are prepared to assist the nation to respond to, recover from, and alleviate the impacts of public health disasters. Participation in last week’s exercise enhanced our overall ability to support our nation during emergency situations.

During this and other exercises, all aspects of CDC’s response capabilities are tested. Managed out of CDC’s Emergency Operations Center (EOC), this exercise brought together experts in public health preparedness, as well as those with expertise in earthquakes. During a real emergency, CDC would activate the EOC in order to help coordinate the Agency’s response. Although no exercise will truly mimic a real-life emergency, we do everything possible to imagine what could happen – from dealing with power outages to delays in supplies reaching affected areas to incorrect media reports and wild rumors – in order to test how we would respond. After the exercise is over, we work with the other organizations involved and analyze what went well and what could be improved upon next time.

David Maples, Exercise Lead for OPHPR’s Division of Exercise Operations, commented, “The Alaska Shield earthquake exercise provided CDC the primary venue to validate our All-Hazards Plan and its Natural Disaster Annex and Earthquake Appendix.  We engaged our whole of community partners in this exercise at the federal, state and local levels, our tribal partners as well as several non-governmental organizations and private public health partners.  Maintaining these relationships is essential to our ability to get our public health guidance and messaging into the hands of those impacted by an event like this.  In a catastrophic natural disaster similar to the one we just exercised, CDC’s mission is just the beginning. Similar to our real world response to Superstorm Sandy, the recovery phase of an event like this will challenge our public health capabilities for some time.  But that is the goodness of our Public Health Preparedness and Response exercise program; it gives us the opportunity to prepare for no-notice disasters and emergent outbreaks before they occur.”

http://blogs.cdc.gov/publichealthmatters/2014/04/exercise-exercise-exercise/

BALTIMORE—After his Food Safety Summit session on food fraud and economically motivated adulteration, I caught up with Doug Moyer, a pharmaceutical fraud expert and adjunct with Michigan State University’s Food Fraud Initiative. Here are a few of his insights into top challenges for the supply chain, and the biggest risks to be wary of as a consumer.

What are the riskiest foods for fraud?

The most fraudulent are the perennials: olive oil, honey, juices and species swapping in fish. Most people underestimate the amount of olive oil adulteration, but the amount of what is labeled “extra virgin olive oil” that Americans buy is more than Italy could ever produce. I buy certified California olive oil because I’ve sat down with that group and I know that their industry is really concerned about standards and have established a rigorous certification process. I am also really concerned about species swapping in the seafood industry. I love sushi, but I have a lot of concerns eating it, and they are not always about health. I don’t like feeling duped, and a lot of companies now have to contend with that reputation issue after so many studies have found that the odds can be incredibly low that you are eating the fish that you think you ordered—as little as 30% in some sushi restaurants in Los Angeles, for example.

...

http://www.riskmanagementmonitor.com/five-questions-with-a-food-fraud-expert/

By Geary W. Sikich

The post-crisis recovery phase is one of the least addressed in planning, training and simulations. This is an area that, if not properly managed, can cost financially, reputationally and operationally. Guidelines for post-crisis recovery are lacking; and many entities lose focus when it comes to discussing post-crisis recovery operations. It may be that post-crisis recovery is one of the most complicated of the Business Continuity Lifecycle elements and that no two recoveries are going to follow the same pattern. However, the post-crisis recovery process can be segmented into manageable bits that can be undertaken using a project management approach.

The diagram below provides a top level graphic depiction of the typical cycle of event response, management, recovery and resumption of operations. I have added the emergency response and crisis management elements as they intermingle with business continuity. I have simplified the cycle to four major transition points.

...

http://www.continuitycentral.com/feature1168.html

Andrew Waite gives an overview of the Heartbleed vulnerability.

This week has been an interesting and busy one for those on both sides of the information security fence: a critical vulnerability, dubbed Heartbleed, was publicly disclosed in the widely used library OpenSSL, which forms the core of many SSL/HTTPS provisions.

What is it?

Without getting too technical, the Heartbleed flaw allows a malicious and unauthorised third party to access protected data in memory. Exactly which data is exposed is random, but there have been corroborated reports that it can expose clear-text passwords, private SSL keys and other sensitive data, which would negatively impact the security of your systems, users and clients.

How to determine if you’re vulnerable

The vulnerability affects any service utilising OpenSSL version 1.0.1 through to OpenSSL version 1.0.1f. If you (or your in-house sysadmin) can confirm that your SSL implementation isn’t running any of the affected versions, you’re safe from this particular weakness. Unfortunately, OpenSSL is widely used and embedded into many other appliances and application stacks.

Since the public announcement, a number of websites have been released that let you enter your system name or IP address and check it for you. However, what a third party may do with the information once it has determined that your system is vulnerable could be a risk in its own right…
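The version-range check described above, as an added example that is not part of the original article: it parses `openssl version` banners collected from your own hosts and flags those whose version falls in the 1.0.1 through 1.0.1f range the article gives, so the check stays in-house rather than going through a third-party website. The host names and banners in the sample inventory are constructed, and the triage labels (`in-range`, `not-in-range`, `unknown`) are this example's own convention. One practitioner's caveat: some Linux distributions backport security fixes without changing the version banner, so an `in-range` result is a prompt to confirm against the installed package's changelog, not proof of exposure on its own.

```python
import re

# Range the article gives as affected: OpenSSL 1.0.1 through 1.0.1f (inclusive).
# OpenSSL patch releases on a branch are ordered by letter suffix:
# 1.0.1 (no letter) < 1.0.1a < 1.0.1b < ... < 1.0.1f.
AFFECTED_BRANCH = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

# Matches the leading "OpenSSL X.Y.Z[letters]" part of `openssl version` output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> ("1", "0", "1", "e").
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) parsed from an `openssl version`
    banner, or None when the string does not look like an OpenSSL banner."""
    match = _BANNER_RE.search(banner)
    if match is None:
        return None
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix), letter.lower())


def in_affected_range(banner):
    """True when the banner's version lies in 1.0.1 .. 1.0.1f inclusive.

    Returns False for other branches and for non-OpenSSL banners; callers that
    need to tell "not affected" from "could not parse" use classify_banner()."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return False
    major, minor, fix, letter = parsed
    if (major, minor, fix) != AFFECTED_BRANCH:
        return False
    # "" (the unlettered 1.0.1 release) sorts before "a" and "g" sorts after "f",
    # so plain string comparison gives the right order for single-letter suffixes.
    return letter <= LAST_AFFECTED_LETTER


def classify_banner(banner):
    """Triage label for one host's banner (labels are this example's own):
    'in-range', 'not-in-range', or 'unknown' when the banner is not parseable
    and the host needs a manual look."""
    if parse_openssl_version(banner) is None:
        return "unknown"
    return "in-range" if in_affected_range(banner) else "not-in-range"


def triage_inventory(inventory):
    """Map {host: banner} to {host: label} so in-range hosts can be prioritised
    for patching and for certificate and key rotation."""
    return {host: classify_banner(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts; not data from the article).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail-01": "OpenSSL 1.0.1 14 Mar 2012",
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "vpn-01": "OpenSSL 1.0.0l 6 Jan 2014",
    "appliance-01": "GnuTLS 3.2.12",
}

if __name__ == "__main__":
    for host, label in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:13s} {SAMPLE_INVENTORY[host]:30s} {label}")
```

Feed it the banners from each host's `openssl version` output (collected over your normal configuration-management channel) rather than a list of public hostnames; the point is that no external service learns which of your systems are exposed. Hosts labelled `unknown` (a different TLS library, or an appliance that hides its version) still need checking with the vendor, since OpenSSL can be embedded without any visible banner.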

...

http://www.continuitycentral.com/feature1169.html

Tamiflu (the antiviral drug oseltamivir) shortens symptoms of influenza by half a day, but there is no good evidence to support claims that it reduces admissions to hospital or complications of influenza. This is according to the updated Cochrane evidence review, published today (10th April 2014) by The Cochrane Collaboration, the independent, global healthcare research network and The BMJ.

Evidence from treatment trials confirms increased risk of suffering from nausea and vomiting. And when Tamiflu was used in prevention trials there was an increased risk of headaches, psychiatric disturbances, and renal events.

Although when used as a preventative treatment, the drug can reduce the risk of people suffering symptomatic influenza, it is unproven that it can stop people carrying the influenza virus and spreading it to others.

...

http://www.continuitycentral.com/news07168.html

CIO — In 1998, when Paul Rogers started at GE, implementing optimization software at a coal-fired power plant was easier said than done. Management understood and worked with GE to develop the software. Within the plant itself, though, the vast majority of employees didn't know how to use a computer, let alone software, and were very suspicious of the system.

These days, says Rogers, now GE's chief development officer, the tables have turned. Smartphone-toting plant employees know firsthand how technology changes their lives as consumers — and they want to know why the industrial environment isn't like their home environment.

"They want to optimize equipment, and that's a sign that the world is ready," Rogers says. Put another way: "My daughter has radically different experiences about how the world works."

...

http://www.cio.com/article/751015/Industrial_Internet_Can_t_Succeed_Without_Big_Data_and_Cloud_GE_Says