ACL, AI, APs, Artificial Intelligence, Behavior analysis, brand, business, Business Impact Analysis, BYOD, CBT, data leakage, data loss, emergency shut off button, financials, forecasting, future casting, hackers, human, Human security, information security, Innovation, intangibles, IP, logging, malicious, malicious actors, Mobile Communications, mobile devices, NDA, Non-Disclosure Agreements, physical security, PII, reputation, Risk, Risk management, rogue Access Points, rulesets, Security, SLA, social media, strategy, threats, training, vulnerabilities, wi-fi hotspots
[I have this piece in Word doc format if a better copy is desired, it is appx. 19 pages long – having issues with formatting on this site.]
Business & Profit
Standard Definitions – Risk & Risk Management
Areas of Risk
Areas of Focus
People Corporate Data Security Plans
Security Cameras Security Guards Network Security
Social Media Cloud MSSP & ISP
Wi-Fi & Bluetooth connections Mobile – Tablets & Smart Phones (BYOD)
Land lines & Communication Providers Physical Infrastructure
Data Center & Computing Hardware Networking Hardware & WAN
Disaster Recovery (Business Continuity) Personnel/HR
Mitigation of Risk
Reducing & Eliminating Risk
First, this piece is heavily slanted towards Information Security / Cybersecurity / Information Assurance / Information Technology, then with looks at Businesses aother areas discussed briefly throughout. And I do craft the paper towards new: CEOs, Presidents, EVPs, CIOs, CTOs, CSOs, CPOs, and Managers who may want hints in their first weeks.
This particular piece is written from drawing on multiple aspects of my career, from:
- Many years in the IT field and multiple areas within IT, to
- MSc grad degree (Cum Laude) in cyber security, to
- MBA training and degree (Technology Management, Strategy & Innovation), to
- Political Science along with the global aspects of everything, to
- Constant research and lastly, incorporating my
- Intelligence Analyst/Officer training & work to look at other aspects of Risk and Risk Management.
Take this piece lightly if you wish but for those who are concerned with Risk on a daily basis, you know that risk vulnerability is potentially hundreds of millions of dollars down the drain.
This writing is much longer than originally intended due to all the growing areas of concern in technology. Even though the writing is long and somewhat comprehensive, it is not comprehensive enough. Providing basic ideas, thoughts and perspectives in various areas was the purpose of this piece. I’m not committed to writing a book to cover such vastly broad areas.
Read what you wish, copy what you want but please, do not read this paper in one sitting. Read it in chunks, or blocks of reading and please, read with an open mind. There is more than one right answer to most problems – few problems in the world have a single resulting answer, most problems have multiple solutions to gain a desired or successful result.
Determining risk and deciding what areas within an organization falls to a comprehensive engagement with all pertinent individuals in your firm. These people are the stakeholders in the organization. These individuals are:
- CEO, Chairman, President, all the divisional VPs, the Managers and Supervisors
- Even the employees need to have some sort of input because they are the ones who are or might be seeing risks to the firm on a daily basis.
The firm simply cannot rely on only one or two individuals determining what the firms’ risks are, there are too many areas for these few individuals to know or be completely aware of. It has to be an organization-wide effort, primarily from the leadership roles with input from subordinate members in the firm.
Make no mistake about it, Risk Management is not an area that you can simply fob off on a “well, we’ll get to it when we can,” because by then, it’ll be too late.
What is your cost benefit analysis going to tell you before and/or after choosing the least expensive item at hand, for some function, because you wanted to save some revenue up front? Especially when what you chose does not scale well as you grow, or when that item only comes with basic features and you need to purchase additional options – ones that you really needed but you passed on ‘em early on… You took a Risk but you did not think it fully through about what you may need down the road and you did it without additional input from others.
Risk Management is not my current primary area but it is an area of concern for everyone as we all go forward with our daily work. The area of Risk is important enough that I do keep abreast of what risks are out there and what possible mitigations might be necessary. However, I am well aware of, have been exposed to (work or graduate degree) or actually worked in the various fields. Besides, this area of Risk Management is huge – people write books on this topic, for each industry…
Also, this writing does not cross or touch NBCR (Nuclear, Biological, Chemical and Radiological) areas – I am only a lay person in those fields like nearly everyone else. I would only have opinions to offer in those domains.
Business & Profit
All business entities want to make a profit, there is nothing more clear than that, period. Some firms go about it above board and with their customers AND employees in mind. Other firms go about it underhandedly with a massive lack of transparency and minor consideration of their employees, complete with stipulations that the customer comes first – “Period!”
So, which firm do you believe that customers will want to frequent and that potential employees will want to work at this place?
Businesses do need to make a profit, for itself, its shareholders (if any) and the folks who pore in massive amounts of their time hoping they can have a great future at the firm. Yet, all firms have to deal with risk and these firms need to deal with that risk smartly. This is where Risk Management comes to the forefront.
What is it about Risk Management that many do not seem to get?
There is no intended patronizing or putting down of anyone out there that does Risk Management for a living; this piece is not about that. It is also not about pointing at others and saying “Aha, you are incompetent!”
This is just a piece discussing Risk Management for various areas, hopefully in a logical manner so some who do not get it, can get it – at their pace.
There are many great people out there who do a great job, while there are others who are out of their depth and know it but cannot seem to do anything about it.
And then there are still others who are far out of their depth but do not realize it. In this situation, those who work with and/or are above this individual, these folks need to re-think their role in the matter… They should help this individual to improve or to move into another section/division of the firm. It is a great disservice to everyone when the person who needs the help is not getting it. That is just a waste of time and money.
1) Noun – a situation involving exposure to danger OR the possibility of injury or loss
2) Verb – expose (someone or something valued) to danger, harm, or loss
- techniques used to minimize and prevent accidental loss to a business
- identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities
Or, a good item I found from a posting (Microsoft) that you may ‘enjoy.’
“When you manage risk, you strategically minimize the variance between the outcome that you want and the actual outcome.”
As everyone should know, you must create a master list of all Risks for each category/division throughout the organization. Next, you should be prioritizing all these risks in each category/division based on the vulnerability to your organization, the cost to mitigate them and/or time and resources required to reduce or eliminate the highest risks.
Microsoft had a primary list on Technet that I agree with – I saw it in 2014 but do not know when they first wrote it:
Then, within these categories, break them down further as necessary.
Over the years, I have seen two primary risk formulations, along with one variation:
1) Risk = Threat x Vulnerability
2) Risk = Probability x Impact
3) Risk = Threat x Vulnerability x Impact (or Consequence) – but this is not one I would use, it starts getting complicated… more than it already is.
From 1) in the Risk Formulas above:
Your threats are anything and anyone with the resources, the means to carry out their malicious attempt to be a threat such as, do they have the:
a) Money to acquire the technology – I included this because some of the bigger threats “may” need this to build their infrastructure (people, equipment, etc.)
b) Capability – knowledge or expertise
c) Motive – is there one (ie – disgruntled employee)
e) And of course – Time
Your vulnerabilities – anything and anyone in your organization with a weakness:
a) Software is out of date
b) Security is not current – software (no: encryption, authentication or some kind of Behavioral Anomaly Detection) and human (guards and/or employees)
c) Firewall is not efficient or powerful enough for today’s bandwidth, allowing significant packet drops or allows malicious traffic to pass through
d) Motive – is there one (aka – disgruntled employee)
From 2) in the Risk Formulas above:
Your probabilities could be something along the lines of; what is the likelihood of some event occurring, such as:
a) Malicious activities – pilferage of proprietary information or employee gun fire in an office
b) Devastating – brand reputation marred or building is flooded from overflowing river
c) Greed – embezzlement
Your impacts could be:
a) Stolen proprietary information and used by a competitor locally or abroad – loss of revenue
b) Brand is hammered – will your customers continue buying your product or worse, return
c) Expensive outlay of cash – to cover some product liability lawsuit or replacement of office equipment or worse, individuals suing the firm
d) Loss of life or business…
To obtain the Risk results you need, you should use the version most apt for you and your organization. For more details and examples on Risk, Exposure to Risk, Impact and some formulations, see link 1 in Reference.
Whatever version you use, you definitely need to know or work out the issues, in something like the following cause & effect example:
Root Cause(s) Firewall is down
Condition No power
Consequence Either, no ‘Net traffic gets through or all traffic (good and malicious) get in
Aftermath Customers cannot access your company or you ‘may’ become hacked…
having some or all of your data compromised (infected, stolen, altered, etc)
Building a Risk Map as I have seen people do will help in plotting your risks. And if and when you do use something like a Risk Map, have other things at hand like, consequences and thresholds.
No matter what industry you work in, performing Business Impact Analysis on various portions of the organization (databases, public website portal, data center, etc. is another must do as you work out your Risks and Risk Management.
Obtaining Service Level Agreements (SLA) with all of your vendors is a MUST; you have to have these in place. And you must have knowledgeable/informed individuals working with the legal team before signing them. You cannot just leave SLAs to the legal team to work out…
Not to forget, Non-Disclosure Agreements with all employees, partners and vendors – keep these up to date and enforced.
For sure, if you do not work on improving your firms’ Risk Management, the after effects relating to liabilities will be crippling to your firm due to lawsuits, bankruptcy, brand reputation, injurious deaths – all of which could be devastating.
This is an ongoing requirement, you have to constantly evaluate the organizations’ risk and how you manage those risks.
Do you have policies in place at your organization? Do you make sure all employees of the firm, from CEO to mail room clerk have read, understands and signed the various policies?
If you do not or did not act on having “current” policies in play, you need to get on the stick and do this because the time for enforcing the policies have been with us for a very long time and they are ever more critical now in the age of everything being interconnected.
Next are several policies a firm could start from and build upon for all employees to follow while they work on or through the corporate network (PCs, laptops, bandwidth, servers, wireless AP (WAP) & rogue hotspots, VPN):
User Acceptance Policy
– Users understand that they may be monitored at any time while on the corporate network –
User Activity Monitoring
– Users understand that they may be monitored at any time while on the corporate network
– The organization actually does periodic and/or ongoing monitoring of the corporate network for individuals abusing the network, whether it is for online shopping, downloading of who knows what, transferring proprietary/confidential company material out of the firm, watching illicit content on illicit websites
– Acceptable behavior while using the firm’s network and visiting websites – prohibited websites
Corporate Network Usage
– Email, File sharing, Hours of use, Computers allowed to work from, Passwords etc.
Areas of Risk
There of multiple areas associated with risk to deal with, such as:
– Humans – employees (unintended and intentional) and criminals (corporate spies)
– Natural – disasters (sink holes, tornadoes, flooding, fires)
– Accidents – power pole falling on building
– Failure – computers fail, building / structural failure (ceiling collapse)
– Breaches – computer crimes (privacy and/or IP stolen), physical (unauthorized people accessing areas of buildings)
– Lapses – falling asleep on the job (security guards, employees performing critical jobs)
– Financial – operating expenses outstripping corporate revenue unchecked, for months – embezzlement – super-complex (and quasi-legal) derivatives – trading companies with no track record – etc…
And on top of the above, the short list that it is, there is more to this – it depends on what industry you work in:
– Energy – Oil
– Forestry – Investment / Banking
– Medical information – Hospitals (any & all areas)
– Aerospace – Airplane manufacturers
– Pharmaceuticals – Etc…
In piling it on, the Risk Management experience levels of the people in whatever industry you are in also matters. There should be a balance of senior experience with lack of experience, you all know that. But it also matters how diverse the individuals are, the folks keeping an eye on risk management. It matters because individuals with high levels of Cognitive Diversity bring in other areas of knowledge, expertise and ways of looking at things than those who have very little in the way of Cognitive Diversity.
Cognitive Diversity is just a fancy term for people who have broader breadths of experience and/or knowledge of the world around them. These people could be individuals who have:
- Traveled to various parts of their country or the world and understand other cultures or are simply more sensitive to the mannerisms and affectations of others due to the regionalization of where ‘others’ are born, raised, live and work
- Worked in different jobs that use different skills
- Worked in different jobs that range from time critical to pressure cookers to heavy customer service
Basically it boils down to people who have complementary work and/or interpersonal skills, enabling them to work better with others, raising the bar on successful outcomes – greater productivity, more creativity, better innovation and on and on. Diversity is a game changer.
However, the catch here is that the ‘other’ people at the firm, who are less cognitively diverse, need to have an open and receptive mind to listen to new ideas, to new people. If there is a stone wall mentality and the people at the top of the firm do nothing to change that, well, there will be no new successes…
I brought up this topic because cognitive diversity is critical to overall success or failure and that it is not just applicable here in the primary topic of Risk Management. Cognitive diversity, along with both, Divergent and Convergent thinking, will gain your firm better overall results. Listen to the members of your team, of the employees in the firm – whether junior or senior – many of them can and will come up with great solutions, if you have an open mind to listen to others who may not have the degrees you hold or earn the salary you make…
Areas of Focus
So, what do you focus on, what do you prioritize? According to one of my security certifications, people should be the first thing you put on any list. Humans, in any endeavor are the reason why we are successful. And with a slight reference to the hanging sword situation with Damocles illustrates, there is another side to that. Humans, in any endeavor are also the reason why things fail, sometimes catastrophically…
What items or areas do you identify as the more critical? Which assets do you identify as being a show stopper – in that you cannot serve your customers in a timely manner? Which employees are most essential in times of crises?
Then, what aspects of risk management is your firm good at, weakest at? Either way, whatever you are not good at – that is where you should focus more on improving how you mitigate (reduce and/or eliminate) your risk.
I listed people first because, well, things happen to people and/or are caused by people, either in well intended manners, unintentionally or by evil malicious minded individuals.
How do you engage and deal with employees of the firm, at all levels? For their safety – from outside influences or even internal, ahhh, hostile environment issues that could be a problem, that crop up (again – disgruntled employees)?
What about erratic behavior that shows up in some member of the firm and it grows in its bizarreness over time – does anyone (on staff nurse, doctor or Personnel/HR) track anything like that?
What about their online activities during working hours as they use corporate resources to do illegal activities – do you have some kind of monitoring in place in an attempt to get ahead of the curve in case things go south?
Does your firm employ background checks and are they deep or rigorous enough for all employees?
Then there is the matter of corporate data, it is second to people but it really should be a very, very close second – this is the firm’s money….
How do you protect your most prized data (proprietary, customer and/or PII)? Next Generation firewalls? What about smarter routers? Advanced AI systems to help guard against intruders hacking in and altering, deleting or stealing that data?
Can your public facing web server allow hackers and spies to get into the closed corporate network and data?
Do you use encryption for your data at rest on the various servers? What about during transit from endpoint to endpoint?
Do your employees use some form of tokens to unlock the data they need, to get away from multiple passwords and to avoid unauthorized people accessing data they do not need or have permission to access (as in system administrators like Edward Snowden)?
Does your firm employ two-person authentication to access, transfer and/or alter the company’s most prized and sensitive data? Can your firm easily track who is accessing data when they are not authorized to do so? Do you use a very good data mining software tool with great dashboard capabilities? Some of this depends on the size of the organization and the industry you are in.
Do you have Incident Plans in place? Are they updated? Do you test them for viability?
What kinds of Incident Plans you ask? Well, there are several you definitely need to concentrate on, you need Incident Plans for:
- Computer network breaches – disgruntled employees, hackers and criminal activitiesDisaster Recovery – more below
- PII & IP theft is scary with devastating results – you need a plan, working in conjunction with other divisions of the firm
- Disaster Recovery – more below
Bottom line, if you do not have up to date Incident Plans, you need to get on it now. You cannot afford to wait until an incident occurs to make up a plan on the spot. These plans are comprehensive and can be intense and require ‘excellent’ collaboration with many diverse parts of the organization.
Besides having cameras throughout your locations – in key hallways, entrances/exits and critical areas, do you have dummy cameras that look active? You need these to assist in your effort of thwarting potential incidents. It will also save money, in not spending it to have active cameras (and cabling and display monitors and power) in every location…. If you use wireless communications for your cameras, do you have a redundant cabling system in place?
Are you having your guards roaming around on fixed schedules or randomized outings? Do you enough guards or is there only have one guard per shift and that one cannot leave the desk?
Could the guards be better trained? Are the guards hired outside of the organization or are they in-house? If they are hired outsiders, are you paying at the bottom of the scale gaining the lowest bidder? I’m pretty sure you, the reader, know how things can go with the lowest bid approach.
Does the organization, depending on the size of the firm and the industry, test for physical breaches and intruders?
What about your computer/communication networks, do you have adequate protections in place? As we see, antivirus packages by themselves are no longer viable in today’s world of more busy and aggressive hackers. Do you supplement the AV with rootkit software? What about anomalous behavior activity?
What about end to end encryption, all the way up to the application layer and not just at the transport layers?
Are you working on your application security for your various databases (personnel, medical, financial, investment and customer)? What about allowing different data through the network – are you doing blacklisting (blocking specific websites and content), which is more arduous or are you using whitelisting techniques, only allowing the more manageable number of websites and content?
You cannot risk your network due to overloaded and underpowered routers and firewalls – these are valuable commodities to the health of the organization. Your firewalls, are they bloated with thousands of complex rulesets and overloading the processor(s) running that firewall? Are you explicitly denying way too many items before you explicitly permit items to enter? Is it at that Next Generation stage? Same thing for the ACL in your routers – are there too many permissions/denials choking the processor(s)?
And we cannot neglect the SEIM, do you have one and is it also at that NG stage? Is it a barebones box or is it advanced enough to handle large log files, while doing the best incident correlation possible to track and pinpoint what is actually malicious and not an innocent flow of traffic that just looks suspicious…?
What about the use of passwords in the corporation, are you storing those passwords in clear text, which is an outdated method or are you storing them encrypted, along with salted values?
Are you protecting yourself against malicious use of USB drives, you had better be. Now, USB threats are so much more threatening. For instance, the latest USB iteration, v3.0, allows for massively faster download speeds, for stealing data as well as uploading any kind of malware… Transfer rates from 30 MB/s up to 240 MB/s (depending on vendor) and read speeds from 80 MB/s to 240 MB/s…
Well, now we come to a tricky area. Are you trying to mother hen your employees’ when it comes to social media sites? Or are you providing them simple guidance on what kind of content they are allowed to put on their sites, so they do not publish sensitive or proprietary information there?
Hopefully, you the corporation are not snooping on your employees’ websites… While you should be concerned about the employees putting your firm and your firms’ data at risk, this is an area you should be working closely with your Legal, Personnel, Privacy and Public Affairs divisions with to ensure everything is done above board, legally so as to not infringe on anyone’s rights. And that all employees know for a fact about what they legally cannot post on Social Media sites.
The cloud… More and more firms are going to the cloud, all I can really say is – make sure you have a significantly comprehensive SLA in place with the cloud vendor as well as your telco.
Do you have an SLA strong enough to stand up in court? Is that SLA going to cover what you need covered?
At the site(s) where your server(s)/data are collocated with other firms’ data, can the cloud vendor ensure and prove to you that your data will have no venue to comingle with say, maybe a competitors’ data that happens to be on the same rack?
What about the security aspects of this cloud vendor, are the people who work there able to access your firms’ data?
How good is the authentication process for someone to physically access the racks where your content is located? What about someone accessing the data remotely?
The risks and risk management does not stop here but goes on.
Are you happy with the service you get with your MSSP? Can the MSSP handle DDoS and other malware attacks? Can that ISP manage attacks further downstream so you do not get hit preventing customers (and employees) from accessing the network? Can the MSSP aid in incident response and computer forensic efforts? Can they keep all of the necessary updated to best practice level, for the software, firmware and hardware?
Are you happy with the service you get with your ISP? How about the bandwidth allocation used for your firm? What about during DDoS attacks, can your ISP throttle the attacks further downstream so you do not get hit preventing customers (and employees) from accessing the network?
Can the ISP dynamically allocate more bandwidth for your site – that is, if that is what you have agreed to in the contract?
Wi-Fi & Bluetooth connections
Bluetooth, even though it is out there, it does not yet seem to be as great a concern as USB v3 (or the older USB 2.0 standard) or Wi-Fi. It is nevertheless, still a massive concern for you to lock down.
Wi-Fi, well, you must continually crack down on rogue Wi-Fi activity throughout the organization. You have to do constant scanning for rogue Wi-Fi hotspots and unauthorized connections. Are you currently scanning for these WAPs? If you aren’t, then you likely have a backdoor into your network for malware…
Mobile – Tablets & Smart Phones (BYOD)
By now, everyone in the U.S. should have heard at least some small nugget of info regarding Mobile devices and BYOD, correct? If not, you could be deaf and blind to what is going on in the corporate and public spaces concerning mobility.
The risks emanating from mobile devices and the people using them is significant. Are you working on the following?
- Engaging your employees (all of them, top to bottom) with reference to policy compliance and enforcement?
- Are you using MDM (mobile device management) software to manage and secure those mobile devices you do allow, such as by allowing specific brands and models as well as using containerization techniques – splitting off the corporate data into its own area on the device, keeping it separate from the user’s personal data – in order to wipe that container should the device be lost or stolen
- What MAM (mobile application management) software so you can manage and control certain applications on the user’s device?
- Who wrote the apps on the mobile devices your employees are using? Are the apps from reputable sources in the industry, can you trust them not to be surreptitiously stealing your employees’ PII, or your firms’ data, GPS location of certain employees, etc…?
- Do your mobile devices use HTTPS for all communications or is it the unsecure HTTP connectivity only?
- Are you performing periodic scanning throughout all of the firm’s properties for those rogue Wi-Fi hotspots, rogue APs? APs that so many people believe they have a right to put up. But the risk could be disastrous in that your firm’s proprietary and expensively obtained R & D data goes skimming over the ether and out the door, unseen…
Land lines & Communication Providers
Does your firm use one or multiple carriers for your voice and data communications? Does your firm use redundant communication links (if the firm can afford it) into the building? Does the organization have SLAs in play for that magic five 9s (99.999%) uptime?
Let’s talk about the firm’s physical presence, do you have fire drill plans – plans that are checked periodically to ensure people actually know what to do and where to go? Are there area, floor and building ‘fire marshals’ to ensure everyone is accounted for?
Do you have trained staff, facilities and Personnel/HR for example, in preparation of various ‘events’ such as office/domestic situations, which could escalate and get out of hand?
What about water contamination? What about power outage? What about a norovirus outbreak in part of the building as continually occurring on cruise ships?
Then there are the bogus bomb/terrorist threats – can you handle those when you never know if they are for real?
What about those magnetic door locks you have at critical locations (offices, storage facility, sensitive materials, etc.), do you have redundant backup power or some kind of backup physical mechanism if power is lost? Is that backup actually checked to see if it is working?
What about the power itself that your firm requires on a daily basis? Do you have contingencies on hand to deal with when your supplier loses a transformer and/or a sub-station? What if your building’s main fuse box fuses itself (as I’ve seen firsthand) and you lose your primary power AND alternate power…? Do you have a backup generator, with enough fuel (fossil or renewable) to supply you with enough power to handle at least the basic functions of your building – enough to do a clean shutdown of everything at least?
Data Center & Computing Hardware
What about your data center, is it up to snuff for multiple areas? How about the gas to stop and contain fires? Are you using the older banned Halon gas or a newer Halon replacement gas like FM200 or some other halocarbon clean agent gas? In either case, do periodically check the state of that gas?
If you are still using Halon, as an existing system since the ban, is your organization considering replacing it yet?
Then there the matter of water for your water chiller if you’re using that – do you have enough to last during emergencies or at least until a clean shut down is completed?
What about fuel for your emergency generators during power outages? Is there enough stored and easily accessible?
Then there is the matter of emergency shut off buttons – do you have them in easily identified locations? Are they easily accessible in moments of panic and possible sheer terror? Are the individuals who work in the area knowledgeable and trained on what to do in those times when they may need to push that big red button…?
Next, what about Configuration management and Patch management software, do you have these two highly critical components of software installed to minimize the risk of multiple personnel installing software and updates? The risk AND time saved by having these software packages should be no-brainers to all management in all organizations.
Networking Hardware & WAN
What about your networking gear – your LAN and WAN? Do you use WAN optimization to handle the periodic increased load from consumers so you do not run the risk of losing those customers due to overburdened network constraints?
Your routers, are they capable of high gigabit throughput with very, very minimal packet drops? At this time, there are router competitors out there putting finishing touches on backhaul 400 Gb/s core routers. 100 Gp/s routers are already here, is your network up to the challenge of handling even more data throughput at the risk of losing customers?
Disaster Recovery (Business Continuity)
What do you do in power outage situations? In events of potential or actual flooding? Fires?
Do you have plans in place, tested plans, for eventualities when you need them? Has your firm considered any and/or all of the following options?
There are a number of plans out there on the ‘Net where you gain all of the info you could ever want; here is at least a teaser for some consideration.
a) Cold (recovery) sites – this is for those situations when you deem it necessary and a cost effective measure to occupy a contingency site to install your own, or leased, computer equipment and furniture. Telecommunication links and power are already at the facility per any agreement signed with that facility owner.
b) Warm (preventive) sites – for those situations where you pre-install your own, or leased computer equipment and furniture. Pre-configured telecommunication links and power are already at the facility per any agreement signed with that facility owner – you just arrive and load the necessary software to start the recovery process for that temporary situation.
c) Hot (proactive) sites – where you can hit the ground running to recover when your primary data center/network takes a hit and is down – all the necessary equipment is on-site and on-line and the software is already up and running due to the continuous backups to the hot site.
How often are you going to be using a disaster recovery locations (sites coming up), which is more effective in getting your crucial operations going again? Which is going to be more cost effective to the bottom line, keeping in mind that sometimes paying more up front will pay much more in dividends later?
Do you have redundant backups or rely solely on one set of backups that you rotate? Do you perform periodic checks on the backups for accuracy and integrity? Then too, how often do you back up – nightly, weekly? Real time? Do you back up to tape or DVDs/CDs and then ship them off on a schedule or is your backups completed via fiber-optic link (hopefully) to an off-site?
What about this division, do you have measures in place to prevent PII theft or abuse of position? Is there any kind of auditing to overcome the inherent risks here of which I mention two of them above?
The same thing goes for this division; do you have measures in place to prevent PII theft, abuse of position or embezzlement? I hope you do have auditing, rigid and comprehensive auditing, turned on to watch for anomalous behavior/activity in the financial/accounting division?
While liabilities are listed last here, it is not meant to be the least of your organizations’ concerns. Do you have your many, many liabilities covered and accounted for; are you missing any or glossing over the importance of them? And yes, liabilities do cover a huge range – from:
– Workers who slip on the icy sidewalk because there was no scheduled items to salt/shovel the sidewalks
– Not cleaning the ventilation air ducts on a schedule so employees do not breathe in Legionnaire’s disease or some other communicable airborne germs
– Covering the payroll to ensure employees are not forced to miss a paycheck because of the firm’s lapse in funding
– Not having an on-staff doctor and/or nurse to handle some of life’s little miseries to serious calamities
– Training, good high quality training, whether it is an on-site or off-site class, HIGH quality CBT courses where your employees can gain real useful knowledge and skills and remain with the firm longer than the liability of your better, more productive staff leaving for other firms who do offer something along those lines
– Having clear and enforced anti-discrimination (gender, race, age and religion), harassment, anti-drug and work place violence policies along with actual mechanisms in place to mitigate any possible future liabilities
– Ergonomic furniture and work spaces to prevent sporadic outbreaks of carpal tunnel syndrome
– How about full spectrum lighting to energize your employees, rather than the dull, energy sapping fluorescent overhead lighting – the kind that leaves one drained by the end of the day
– And even the recognition (financially – cash, dinners, amusement park tickets, etc.) of outstanding employees – this alone can pay off in intangible dividends to the organization
You know this list goes on and on and on but you get the gist of including this section.
Espionage – Corporate and Nation state actors
Do you have an experienced enough counterintelligence staff to handle threats that could show up in your most sensitive activities? Can you counteract those threats? What about painting those offices (see reference 2 below), which contain proprietary information and conversations, to block Wi-Fi and other radiated signals (laser/infrared/etc.)? What about coating the windows with similar tech or else pipe white noise in-between the double paned glass…
Implantable Contact Lens (reference 3 below) – in use outside of the U.S. since 1996 and within the U.S. (for myopia) since 2004/5 – imagine, some criminals implanting a miniaturized computer chip on a lenses and a crooked ophthalmologist implants it…
As it is, there is already work taking place on putting computer chips on regular contact lenses – U. Washington (Seattle) for one (reference 4) or at MIT (reference 5).
– How does one protect against this type of technology? There are massive implications of malicious use with these…
Google Glass and the like – same issues as with ICL/IOL, just more obvious until Google Glass looks exactly like regular glasses – how are you going to know if the wearer is recording everything taking place…?
Advanced hearing aids by Soundhawk (or recording devices) – how about people eavesdropping on sensitive or classified conversations wearing these hearing aids? If regular listeners outside of a conference room can hear muffled sounds, imagine using hearing aids that boost what you hear – not the kind of cheap devices you see on “As seen on TV…” (reference 6) Also, these hearing aids are adjustable enough to drop out the extraneous noise, allowing only what the wearer wants to focus on, via BlueTooth.
Enhanced Wi-Fi capabilities – advances continue to occur in Wi-Fi, things are not going to stop at 802.11 a/b/g/n – the capabilities will increase in range and data speeds – we already see increasing use of microcells and femtocells by wireless providers (AT&T & even Cisco) to offload some of the burden and congestion from the monstrous large cell towers. Micro and Femtocells are hand sized cubes that can be placed anywhere to boost wireless signals – in the home or at a bus stop or on the side of a building or throughout a conference hall.
BYOD – Bring Your Own Device – I added this here even though it is a current threat, it will also continue to be a potential threat as capabilities increase. Do you allow employees to bring in their own portable devices, whether they are smart phones, thumb drives, portable external storage drives, their own mouse and keyboards (which could both have logging and storage capabilities unbeknownst to you…)
With BYOD and encryption requirements as well as employees (universally) disdain for slow computers, you need to have to more powerful computers to handle the extra processing requirements – at the desktop and on the backend servers/mainframes. No one wants to have to constantly wait for their devices to respond every time they want to access encrypted data or for a computing device to wake up from sleep and decrypt whatever data is required for the device to be useable.
Companies have to innovate in the equipment they purchase and use. And yes, there will be upfront costs to move to a better computing platform – but in the long run, it will pay for itself as users find themselves more productive and not having to wait multiple times per day. Getting more advanced devices in play will offset the costs, giving you a Return On Investment on your bottom line.
All supply chains producing software, hardware, mechanical parts, infrastructure elements (cement, PVC piping, copper wiring, etc.) and electronic components are a current and potential threat. Can you vet and vouch your entire supply chain, from end to end?
What about the middle men (no offense ladies), can you trust them not to undercut or provide you with inferior material down the road once they gain your initial trust?
Mitigation of Risk
Reducing & Eliminating Risk
Businesses can use multiple methods to mitigate the risks that might crop up. There are several vectors that can be used, alone on in any combinatorial strategy that works for your firm for unforeseen, unknown events that could come knocking on your door.
- Risk assumption
- Risk avoidance
- Risk retention
- Risk transfer
I hope you assume the inherent risks as much as feasible and lock down the various vulnerabilities.
Humans cannot keep up with the massively large complex varieties of technology, there is just too much and no one can focus on all of those areas continuously. There will be slips between the cracks if not a full and complete dike breakdown.
Following are multiple areas of protections you should have in place, such as:
AV suites – we still need AV suites to protect against known and/or recognizable malware signatures
Data Leakage Prevention/Protection or Data Loss Protection/Prevention – do you watermark your more sensitive documents and data in order to prevent that content leaving the network at will
FDE – Full Disk Encryption (also folder and file encryption) for data at rest ‘and’ in transit
HIDS – Host IDS (for the PC or Server)
IDS – Intrusion Detection System
IPS – Intrusion Protection System (IPS are picking up where the older IDS leaves off)
NIDS – Network IDS (for placement around the computer network – at the perimeter and even within the perimeter)
SEIM – Security Event and Information Monitor (some title it as SIEM but it is the same thing)
Tokens & Smartcards – we need to get rid of passwords and move to better system access technologies. Some companies do it but many do not. The use of tokens and smartcards allow for better security and will prevent most, if not all breaches by unauthorized individuals and allow for better auditing of who is logging in and from where. Are you working on some kind of biometric system usage – retina, iris, hand?
USB devices – either block via corporate ad computer policies or explicitly allow for specific computing devices for specific users – USB ports should no longer be allowed carte blanche use – and the same goes for CD & DVD usage – your firm needs to ensure only employees who actually have a need for USB, DVD & CD use can use it and that other employees who attempt to use the same computing device is locked out of using those functionalities
VPNs – in conjunction with tokens will minimize unauthorized access
Vulnerability (and Threat) Assessments – unfortunately now, VAs need to be done periodically to ensure your firms’ network and applications are at their strongest level of protection. If you do not have in-house staff trained and/or experienced enough to perform thorough VA testing, you will need to hire a reputable firm to do so. After your staff is up speed, then they can do this more frequently. It has to be done. Your firm needs to invest in the software and/or hardware necessary to do more than just a perfunctory job in this endeavor.
The same goes for Threat Assessments, you have to account for as many threat vectors as you can brainstorm…
I hate to include this but humans being what they are… Do you use some kind of behavioral analysis from time to time on the firm’s employees…? After you have made it abundantly clear to all employees (new and old) that there will be the possibility of this process being used.
Sometimes, humans do things they should not do, due to problems outside of work – financial, medically, mentally, emotional. Sad to say, people go through some of these problems and bring their troubled minds to work and will, unintentionally or intentionally, do something that is prohibited.
Does your firm have some kind of outreach programs in place to help these individuals…? This can head off employees who become weak and get them off the path of becoming disgruntled employees. It will save your firm money, in intangible costs, because it will help prevent your firm’s reputation being tarnished. It will help your firm in not seeing your most private data strewn across the headlines of your local or national news outlets (social media, newspapers, TV, radio). Or, what about preventing future financial investment catastrophes – say, someone in the firm does some kind of financial shenanigans and future investors become leery of your firm…
No one is an expert in everything, not anymore. There are simply too many concentrations of knowledge in various areas of professional life, especially if it is technically related. You must draw on as much aid as you can from within the organization and the various communities related to mitigating Risk.
I come back to this again, firms most likely need to start implementing advanced systems such as Artificial Intelligence (or Expert Systems) to assist with analyzing potential breaches and vulnerabilities that could occur in the organization. The amount of data continues to grow at staggering rates, Petabytes, Exabytes and on to Zettabytes (reference 7). And no one on this planet that I am aware of at any rate, can sift, sort and analyze this exponentially growing amount of data – unassisted.
You are going to need something like a Predictive Analysis or Visual Analysis software tool with a very good Dashboard that will allow you to drill down with as much granularity as you need and with as many options as possible to drill down with.
Anyone involved with Risk Management should be using, and have training in, critical thinking, you need it. You need it to perform practical and analytical processes. As well, you need creative thinking to go along with that to think outside of the bubble (aka ‘thinking outside the box’). I use the term ‘bubble’ because it is a temporary state before it bursts and disappears. Nothing in life is permanent, except death but that is ‘nother story for someone else to write about.
If you are not doing critical and creative thinking, you should. Why? Because you have to be critical about all the decisions you have to make but you also may have to resort to creative thinking to gain a newer, or possibly better, perspective on a problem’s solution.
Remember, there is almost always more than one solution to a problem, or a ‘challenge’ as some like to state. There are many areas of gray in the solutions you choose because it all depends on your specific situation. Sometimes, you are lucky and do have exact black and white answers.
1 – http://technet.microsoft.com/en-us/library/cc535373.aspx – Step 2 – Analyzing and Prioritizing Risks
2 – www.pcworld.com/article/158288/paint_secures_wifi.html – Block Wi-Fi Intruders with a Secure Paint Job, Jowitt, Tom, Jan 24, 2009
3 – Visian lens http://visianinfo.com/ & Verisyse lens www.urmc.rochester.edu/eye-institute/lasik/procedures/verisyse.cfm – ICL vs IOL (implantable contact lenses / intraocular lenses)
7 – What is a Yottabyte www.geekgirlcamp.com/?attachment_id=2542
Definitions (many reading these will already know them, for others, they are basic primers)
AES – Advanced Encryption Standard – three levels, AES 128, 192 & 256
AI – Artificial Intelligence
AP – Access Point – wireless connection to and through the firm to other computing devices and connections
AV – Anti-Virus suites
Devices – Smart phones, Tablets, Laptops, PDAs (if any are still around), etc.
DLP – these three letters are defined in several ways: Data Leakage Prevention, Data Leakage Protection or Data Loss Protection/Prevention
FDE – Full Disk Encryption (also folder and file encryption)
HIDS – Host IDS (for the PC or Server)
Hotspots – basically points or areas where a person can wirelessly access computing resources (ie – the Internet)
IDS – Intrusion Detection System
IP – Intellectual Property – proprietary / confidential information (secret competitive data)
IPS – Intrusion Protection System (IPS are picking up where the older IDS leaves off)
ISP – Internet Service Provider, basically the cable or fiber-optic company your ‘Net traffic travels over
Malware – Malicious software designed to cause damage or theft of information/monetary gains
MSSP – Manage Security Services Provider, the firm, if you have a contract with them that handles your firewalls, routers, switches and also helps to prevent malware attacks (or recover)
NIDS – Network IDS (for placement around the computer network – at the perimeter and even within the perimeter)
PII – Personally Identifiable Information – medical, financial and other personal info
Risk assumption – knowingly accepting a risk that could be potentially risky, expensive or dangerous if the right outcome does not occur
Risk avoidance – take action(s) to remove a hazard, perform alternative activities, or end a specific risky exposure
Risk retention – (I had to go look this one up again – very similar to Risk Assumption) assumption of certain risks as opposed to paying another party to assume the risks. For example, a corporation may decide to pay the health expenses of its employees rather than purchase a health insurance plan. Similarly, an individual with an older vehicle may decide to retain the risk of damage to the vehicle and forgo collision and comprehensive insurance
Risk transfer – a risk that is insurable and can be shifted to another party by means of a) an insurance policy or b) using a non-insurance method such as using a warranty
SEIM – Security Event and Information Monitor (some title it as SIEM but it is the same thing)
Threats – Who might attack against what assets, using what resources, with what goal in mind, when/where/why, and with what probability? There might also be included some general aspect of the nature of the attack (e.g., car bombing, theft of equipment, etc.), but not details about the attack or the security measures that must be defeated and the Vulnerabilities to be exploited
USB devices – Universal Serial Bus devices, anything used to store data – thumb drive, flash drive, pen drive (literally an ink pen drive), a watch (yes, a watch with a built in USB port connection), mugs with a USB port, even eye glasses… and do not forget those external portable hard drives (now available with wifi connectivity) – as of the 2013 Consumer Electronic Show (CES) USB drives could hold up to 512 GB, while later in Q1 2013 (Kingston stated) 1 TB USB drives will be available – elsewhere there is talk of 2 TB USB flash drives (not external hard drives) in the works…
VPN – Virtual Private Network used for more secure remote connectivity
Vulnerability – a specific weakness in security (or a lack of security measures) that typically could be exploited by multiple adversaries having a range of motivations and interest in a lot of different assets