Are You At Risk? Ask These Questions:
1. Does your business impact analysis include a risk assessment addressing the following threats: employee sabotage, industrial espionage, hackers, and cyber terrorism?
2. Does your plan include responses to intrusion detection?
3. Does your plan address computer viruses?
4. Does your plan address inadvertently infecting your customers, constituents or business partners?
The cost of a computer outage or fraud-related loss is staggering. For a bank, the cost of a service interruption could be between $60,000 and $250,000 a minute according to USBanker (the average bank computer loss is $1.5 million). For the rest of us, computer fraud is estimated to exceed $3 billion, and Web-based activity could pass 200 billion transactions by 2001. There is no denying the trend for businesses, small and large alike. At one point or another, the Internet and other interrelated computer systems will touch you and your business. Yet many of us may think that without a Web presence we are secure from system attacks or failures. Unfortunately, that is far from the truth: internal employees and modem-line access make you vulnerable.
I often hear the following: 'We are not a likely target, we are not unique, we have no Web presence, how can I be at risk, etc.?' Unfortunately, we are all at some level of risk and should plan accordingly. Government entities, multinational businesses and the hometown shop are all subject to system disasters as are their business partners. If your organization or business partners have critical automated systems, an Internet presence or even a dialup line, you need to think through possible system threats and make a business decision on how you will address them.
Disgruntled employees can also cause untold damage. In fact, most threats to your systems are internal, some innocent and some not. As an employer, you don't often know employees' hobbies or true motivation. When was the last time an employee listed hacking or 'Web defacing' as a hobby?
What Are These Evolving Threats?
Do not be fooled into thinking attacks are just foreign issues or perpetrated only against major corporations. Anyone with the time can find help in attacking your business. Try the following: do a search on any Internet search engine for hacking information. When my ten-year-old did, he got 8.7 million hits. The Internet provided step-by-step instructions on how to hack into Windows NT, Web servers, Unix, etc. These sites included free automated hacking tools such as 'Crack' for Unix and 'L0phtcrack' for Windows NT. If your system is breached, you may not even know it happened; for many attackers, that is the goal. In those cases you may be protecting infected or altered information, including all those backups you so diligently saved offsite.
With an estimated 80% of security violations coming from inside, this should be the driving force behind your planning. The statistics are daunting; the 1998 CSI/FBI computer crime and security survey reported the following:
- 62% reported security breaches
- 90% reported virus infections
- 69% reported laptop theft
- 57% reported their Internet connection as a frequent point of attack
- 30% reported outside intrusions
- 57% reported inside intrusions
- only 31% could quantify their losses, which totaled $123,779,000
Hacking is the new hobby for the bored and over-equipped, and few of us are aware of what hackers can do. Recent government penetration tests with the DOD showed that only 4% of systems detected the intrusion and only 1% responded.
Another key issue to keep in mind when thinking of threats is that scenarios unlikely in the United States could be very likely in other countries. What about your overseas units or business partners? If they are critical to your business, are you aware of what threats they may face?
The new face of threats can also come from very innocent origins. Employees may not intentionally be the cause, but nonetheless they are. For example, W32/explorerZip.worm creates an E-mail that looks like a reply from someone you sent an E-mail to. Once the attached file is opened, it is automatically sent to everyone in your in-box: a very quick and innocent way of infecting friends, fellow employees and customers.
On average, there are 3 to 7 new viruses created each day, so anti-virus software may not be completely effective. Be sure you and your employees are periodically trained in what to look for as part of your disaster mitigation and business continuity planning. The following is a short list of some basic threats that have been seen by entities of all sizes. Ask yourself whether they are in your BIA and business contingency plans, and whether you would know how to detect and recover from them:
- Sophisticated and automated firewall and system probing
- NFS attacks
- Email attacks
- Vendor default user names and passwords
- Spoofing, sniffing, fragmentation and splicing attacks
- Social attacks
- Prefix scanning (scanning phone numbers for companies to find modem lines and thereby bypass some security checks)
- Denial of service (flooding the system)
- Scanning and probing
- Password attack and theft
- Privilege grabbing (exploiting start-up files)
- Hostile code (viruses, trojan horses, backdoors for repeated hacking)
- E-vandalism (Web defacing)
- Data theft
- Fraud, waste and abuse
- Audit trail tampering
- System infrastructure attacks
- Logic and time bombs affecting backup tapes
- Stealth viruses (which hide from detection)
- Laptop theft
In the case of laptop theft, consider that more is at risk than just the replacement cost. Loss of confidential data, time lost recreating it, and passwords and modem numbers stored on laptops could lead to substantial additional direct and indirect costs.
Consider too that writing hacking software is not necessarily illegal! Look into the history of groups such as the 'Cult of the Dead Cow' (CDC); legal protection may not be adequate. One of CDC's upgraded tools, BO2K, was proudly showcased at the July 1999 DefCon hacker conference in Las Vegas, targeted at Microsoft's Office 2000 as a stealth invader for remote access to your computer or network.
What Are The Response Options?
The goal of risk assessment should be prevention and diligence first, but following that, we need to know how to respond quickly and effectively. Speed and flexibility are critical for an effective response. An effective project should, at a minimum, address the following concerns:
What to Protect:
- Project Approval
- Business Processes
- Risk Analysis
- Business Impact Analysis
- Policies & Procedures
How to protect it:
- Cost to protect
- Mitigation
- Security Testing
- BCP development
Response to threats:
- BCP execution
- Security reviews
- Training
1. What to Protect
First understand what is critical and assess the likely risks. Project approval is the first step in determining what to protect. Without the support of senior management, your project could languish and falter. With this support, inform your employees what you are doing and why. Through interviews and discussions with employees, map your business processes and perform a thorough Risk and Business Impact Analysis (BIA). In so doing, be sure that all significant threats, natural or not, are addressed and documented. Include a risk assessment with the following minimum information:
- Frequency of possible occurrence
- Degree of predictability (Forewarning measures, e.g., State Department warnings, hack intrusion devices, etc.)
- Speed of onset
- Impact to:
  - Property, including infrastructure systems
As part of your BIA, you should document your business processes and determine which associated systems, tools and partners are required to perform those functions deemed critical. Many continuity projects fail to completely document risk reduction strategies and the interdependencies of business functions. Prioritization of options and insurance reviews should also be documented within your BIA. (Certain acts of computer system destruction by third parties are treated as acts of vandalism under insurance policy language.)
A thorough BIA will be the cornerstone of your plan and should be well prepared and thought through. In many cases, this will require educating your employees during these discussions about many of the threats addressed earlier in the article. Without their understanding of the threats, you won't be able to properly address the options.
2. How Do I Protect These Processes?
Contingency planning should address both internal and external processes. Are your domestic business partners ready? What about business units, your supply chain or critical customers overseas? What are their threats? Are they different from yours? Do they understand continuity needs? In many cases it may not be appropriate to obtain full plans for these external relationships. However, at a minimum you need to be sure that the risks are addressed and can be responded to by these parties. For example, if your ISP is a critical partner, do you know their plan? Why is that important? Consider the following:
Does your Internet service provider have a reserved facility? Even if your Internet service provider has a recovery facility, what if a disaster requires that you obtain a new IP address that is different from the primary address? The ISP must be notified of your disaster and, in turn, must send instructions out to the DNS servers that a new IP address should be used for your domain name.
However, even if your ISP performs the update, you have no control over when the thousands of other ISPs' DNS servers pick up the change. Or how about all those users whose browsers have cached your old IP? They will get error messages that your site is unavailable when in fact it is available. Don't expect a pleasant response from your constituents, customers or business partners.
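The caching problem described above, modelled as an added Python example (not from the article): the authoritative record carries a time-to-live (TTL, a value the article does not name), and a downstream ISP resolver or browser cache keeps the old answer until that TTL runs out. The names Zone, CachingResolver, failover_timeline and stale_seconds and the sample addresses are constructed for this illustration.

```python
# Toy model of DNS caching during an emergency change of IP address.
# Constructed for illustration; not the code of any real resolver or ISP.

OLD_IP = "192.0.2.10"      # constructed sample addresses (RFC 5737 ranges)
NEW_IP = "198.51.100.20"


class Zone:
    """The authoritative record your ISP changes once you declare a disaster."""
    def __init__(self, ip, ttl):
        self.ip = ip      # address currently published
        self.ttl = ttl    # seconds a cache may keep the answer

    def switch(self, new_ip):
        self.ip = new_ip


class CachingResolver:
    """A third-party ISP resolver or browser cache that honours the TTL."""
    def __init__(self, zone):
        self.zone = zone
        self.cached = None    # (ip, expires_at) or None

    def resolve(self, now):
        if self.cached and now < self.cached[1]:
            return self.cached[0]               # served from cache, stale or not
        ip = self.zone.ip                       # cache miss: ask the zone again
        self.cached = (ip, now + self.zone.ttl)
        return ip


def failover_timeline(ttl, last_refresh, switch_at, probes):
    """Map each probe time (seconds) to the IP a client behind one resolver
    sees, given that the resolver last cached the record at `last_refresh`
    and the zone switched to NEW_IP at `switch_at`."""
    zone = Zone(OLD_IP, ttl)
    resolver = CachingResolver(zone)
    resolver.resolve(last_refresh)              # warm the cache with OLD_IP
    seen = {}
    for t in sorted(probes):
        if t >= switch_at:
            zone.switch(NEW_IP)                 # ISP publishes the new address
        seen[t] = resolver.resolve(t)
    return seen


def stale_seconds(ttl, last_refresh, switch_at):
    """Longest time after the switch that this resolver still hands out OLD_IP;
    the worst case (a refresh just before the switch) is the full TTL."""
    return max(0, last_refresh + ttl - switch_at)
```

The planning lesson is that the stale window is bounded by the record's TTL, so a short TTL has to be set before a switch is needed, not after, to shorten the time customers keep reaching the old address.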
Fortunately, there are many automated tools available to assist in the protection of critical systems and the detection of threats. Real-time decision support systems allow you to perform multi-dimensional analysis, data mining, statistical analysis, and 'What-If' analysis of data. The use of automated Business Continuity software that is flexible and user friendly can also be a critical component in keeping your plans current and viable. Be sure these come with the appropriate product support and that your continuity software includes a BIA and other critical components. Review the cost of these automated tools compared to the goals of your mitigation and security needs.
Internally, the options are often as numerous and confusing as the threats faced. A case in point is intrusion detection systems. Many companies have intrusion detection systems but no documented procedures to respond; one without the other is ineffective. Employees are also often unaware of their role in security and mitigation. Development of and training on security policies and procedures should be upfront and ongoing.
Keep your employees involved as you are developing your continuity plan. Interview employees to determine the tools they may need to perform manual procedures or restore their systems. Document this information and keep it regularly updated.
Following are some standard precautions to consider in protecting critical systems:
- Security policies & procedures
- Awareness training
- Security alert mailing lists
- Audit trails
- Backup data and store securely
- Anti-virus software
- Password changes
- Public domain security tools
- RAID (Redundant Array of Inexpensive Disks)
- Electronic vaulting options and automatic remote copying
- Mirrored systems
3. So how will you respond?
As with protection and detection activities, the possibilities are never ending. Here are some basic steps to consider for these business processes:
- Hot sites, backup sites, mobile war rooms and recovery centers
- Regularly monitor intrusion detection reports and system generated audit logs
- Determine external communication strategies
- Identify alternate vendors and suppliers
- Identify high priority tasks
- Document and test manual operating procedures
- Document who responds
- Identify who to report issues to
- Review the use of computer forensic services
- Develop computer emergency response teams (CERTs)
- Document and respond to attacks
- Use virus protection software
- Know who and what data recovery services are available
- Perform security audits
- Determine 'trigger' points and procedures for activation
If the incident is critical enough, take advantage of computer forensic services. They will help you pinpoint the origin, who attacked, what happened and where it happened; not all of it may be visible to you. Another option is to have a trained and prepared CERT (computer emergency response team) made up of business and technical employees. They should have the authority to:
- Deploy the newest anti-virus software and stay current
- Install firewalls, filters, etc
- Provide training and awareness to other employees
- Take the time to research what is on the forefront
- Network with other companies, CERTs, forums, consultants and business partners to share information
- Attend training and planning seminars
- Implement sections of the continuity plans in an emergency
Finally, don't forget to regularly review and test the plan. Without this, your plan may not be viable or practical. Updating the plan and performing regular employee training will also be a critical part of this process.
The chart will help to summarize and provide a high level overview of the business continuity planning process.
Continuity planners face an ever-changing frontier with many pitfalls. It is nearly impossible for any one person to stay on top of this rapidly changing environment. There is a remarkable amount of complacency regarding continuity planning, especially when it comes to non-natural disasters. Disaster recovery plans provide procedures emphasizing major disasters and recovery but often fail to thoroughly address data loss or corruption. In the meantime, revenue enhancements, cheaper costs and customer relationship potential are fueling increasing Web presence and activity.
Viruses and intrusion threats are ever present from inside and outside your business. Business continuity planning should address much more than high-profile disasters. It should address system failures, data integrity and threat mitigation. Finally, this is not only an IT issue: auditors, risk managers and front-line employees all must be involved in continuity planning. Your Business Continuity Planning Committee should be made up of individuals representing these and other areas of your company.
Keith Baker is a manager with the Integrated Technology Solutions Group of RSM McGladrey, Inc. His expertise is in business continuity planning, business impact analysis, project management and risk analysis. Mr. Baker currently works with both domestic and international clients in the financial, government and manufacturing sectors.