THE IT SECURITY PROFESSIONAL
Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
Business Continuity Testing & Evaluation Scenarios

When it comes to Business Continuity Planning (BCP), nothing makes an IT Security Pro more nervous than testing the plan they just created. Whether you are in the Northwestern US or in Europe, planning for a disaster or business interruption is a core part of the planning process, and the test is where the plan meets reality. Whether you intend to run a functional test or only a table-top exercise, settling on a scenario can be daunting, even uncomfortable to contemplate.

Testing & Evaluation

As part of the evaluation process, the IT Security Pro has to test the BCP to find the gaps and the areas that were missed during planning. This is arguably the most important part of preparing for a disaster: measuring how well the plan performs tells the organization whether it needs additional controls or assets to handle the incident. Test only to the depth needed to validate the plan; a full failover is not required to learn that a call tree is out of date. There are several levels of testing, a few of which are listed here:
Choosing a test scenario matters because it gives the stakeholders and decision makers something concrete to "visualize". This is where some creativity can be applied in deciding how realistic to be. The rule of thumb is to keep the scenario realistic enough that the company can genuinely plan for the events it contains. Some examples might be:
Evaluation
Evaluating how your business did during the test can be difficult, depending on how you set up the overall testing and evaluation strategy. Evaluation can take many forms, but the goal is to give leadership feedback on how well the company will or will not cope with a significant business-impacting event. Some sample metrics are below:
Communications

Communication during a disaster is one of the most important things an organization should settle before testing and evaluation begin. Asking the following questions may help:
Summary

You will not be able to plan for every major disaster that could occur (see zombie apocalypse or asteroid impact), but your BCP should be robust enough to deal with several types of event. Testing and evaluating the plan validates it and shows the business where improvements are needed. One plan will not fit all situations, so flexibility is the name of the game when developing it. The services or products your business provides are one of the main drivers of the plan, but remember that without your employees and staff none of those capabilities can be delivered. The company can always replace equipment or the place where it conducts business; it cannot replace its personnel.
As the investigation continues into the February 5th breach of the computer systems at the Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida, it is becoming clearer that the intrusion was the product of several distinct security failures that together gave the attackers a path in. The damage was small, but it could have been far worse.

Security Failures

While the investigation was still ongoing at the time of this post, the common theme is that the facility was running older equipment under lax security practices. Each weakness compounded the others and helped provide the attacker a path to exploit them. In addition, remote management software could connect to these systems without being blocked. Here is the list of known security failures as of this post:
None of these failures alone caused the compromise; in combination they led to what could have been a serious incident, had an operator not been watching the system and taken corrective action to return it to normal.

What the Attacker Accomplished

The FBI was called in to investigate and found that the sodium hydroxide setpoint in the treatment process had been raised from 100 parts per million to 11,100 parts per million for a few minutes before it was reversed. Sodium hydroxide (lye) is the active ingredient in many drain cleaners; at that concentration the water could have caused serious harm or death to members of the public who drank it.

Corrective Action

The failures identified in this attack should be remediated so that a similar attack does not recur. But the incident demonstrates what IT Security Pros already know: our infrastructure is not keeping pace with evolving technology, which leaves vulnerabilities where there should be hardened controls. Municipalities are notorious for not updating or upgrading systems and software for lack of funds. Corrective measures taken now will address these specific issues, but this is a systemic problem that will only be solved when municipalities and other jurisdictions take security seriously and stop deferring required upgrades. Microsoft, for one, publishes end-of-life dates for its operating systems and applications well in advance. Why did the municipality not heed those notices and transition to supported hardware and software?

Remaining Threat

Given the attention this event is receiving, it seems the corrective actions will be taken as the city deals with the fallout. But the underlying fact remains for all public utilities: crumbling infrastructure and aging management systems that are needed to keep it running. This is a high-visibility event, and the attention will be on the city to see how it handles these issues in the future. These remaining threats will continue to plague our technologically evolving infrastructure as well. As discussed in infrastructure-security-securing-the-grid-of-the-future.html, there are growing threats to the adoption of new technologies, as well as to the already well-established infrastructure, which must be secured by upgrading network hardware, software, and the overall IT security posture.

Security for Infrastructure
Here are some of my recommendations for dealing with these same issues, whether you are a small business or a large municipality. This is commonsense guidance that you can follow:

1. Only use supported hardware/software. Use only systems and applications that are fully supported by the manufacturer, and replace the rest as soon as possible. Waiting to upgrade "later" is one of the most common mistakes organizations make. When a system or application reaches end of life, replace it.

2. Have a patch management program. When hardware and operating systems stop receiving updates, the risk they pose to the organization grows with every newly published vulnerability. Establish a patch management program and apply updates to software and hardware as soon as the patches are released. This limits the window of exposure and ensures that known risks are mitigated in a timely manner.

3. Establish strong security policies and standards. The need for strong policies and standards cannot be overstated. Passwords should be built from the following types of characters:
With these measures in place, account passwords are more complex and harder for an attacker to crack. No password is 100% secure, but there are steps administrators can take to improve account security. (Current NIST guidance in SP 800-63B puts more weight on password length, screening against known-breached passwords and multi-factor authentication than on character-class rules alone; complexity requirements help, but length and MFA help more.)

4. Restrict remote and VPN access to key systems. Do not answer unsolicited inbound connection requests; place these systems behind a firewall or in a DMZ that accepts connections only from a restricted set of source addresses. There may be ways to get past these controls, but they make the attacker's job considerably harder than having nothing in place. This applies with particular force to systems such as a water purification plant or an electric distribution center.

Summary

Nobody was harmed in this attack, and an operator was able to respond quickly to the change in the purification process, but it could have been much worse. Like many other government-owned and -operated assets, our infrastructure is a prime target for those who want to harm our country or our cities. Whatever is eventually learned about the source of the attack, this should be a wake-up call for all governmental organizations and jurisdictions: they can be compromised, and they need to keep their security posture current, just as the private sector does. The worst part of this incident is that all of these security issues should have been addressed long ago. Simply upgrading and patching the systems would have helped deter a potential attack. The simplest measures often make the biggest difference in events like this. We can only hope they engage a well-respected IT Security Pro to help them address these issues in the most effective and expedient manner possible.
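The setpoint change described above, 100 ppm to 11,100 ppm, was caught because an operator happened to be watching the screen. An automated check over the HMI's setpoint audit records would raise the same alarm without relying on luck, and would also flag any change made over a remote session, which is the access path the recommendations above want restricted. The following is an added example and not code from this post or from the plant: the audit-line format, the tag name NaOH_setpoint_ppm and the 50 to 200 ppm bounds are assumptions, and the sample log is constructed apart from the two values reported in the post.

```python
"""Bounds and remote-session check over HMI setpoint audit records.

Added example, not the plant's own tooling. The audit-line format, the
tag name and the safety bounds are assumed for illustration; the 100 ppm
and 11,100 ppm values come from the post above, everything else in the
sample log is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed engineering limits per process tag (ppm). A real plant takes these
# from its process hazard analysis, not from a blog example.
SAFE_BOUNDS: dict[str, tuple[float, float]] = {
    "NaOH_setpoint_ppm": (50.0, 200.0),
}

# Assumed audit-line format:
# <ISO-8601 time> user=<name> via=<local|remote> tag=<name> old=<value> new=<value>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) via=(?P<via>local|remote) "
    r"tag=(?P<tag>\S+) old=(?P<old>-?\d+(?:\.\d+)?) new=(?P<new>-?\d+(?:\.\d+)?)$"
)

# Constructed sample log: a routine local adjustment the day before, the
# out-of-range remote change described in the post, and the operator's
# local correction a few minutes later.
SAMPLE_LOG = """
2021-02-04T09:00:00Z user=operator via=local tag=NaOH_setpoint_ppm old=95 new=100
2021-02-05T13:00:00Z user=operator via=remote tag=NaOH_setpoint_ppm old=100 new=11100
2021-02-05T13:03:00Z user=operator via=local tag=NaOH_setpoint_ppm old=11100 new=100
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    tag: str
    reason: str


def check_line(line: str) -> list[Alert]:
    """Return the alerts raised by one audit record (empty list if benign)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        # Never silently drop a record the monitor cannot read.
        return [Alert("?", "?", f"unparseable audit line: {line.strip()!r}")]
    tag, new = m["tag"], float(m["new"])
    alerts: list[Alert] = []
    if tag in SAFE_BOUNDS:
        lo, hi = SAFE_BOUNDS[tag]
        if not lo <= new <= hi:
            alerts.append(Alert(m["ts"], tag,
                                f"setpoint {new:g} outside safe range [{lo:g}, {hi:g}]"))
        if m["via"] == "remote":
            # Any remote change to a safety-relevant tag is reviewed, in range or not.
            alerts.append(Alert(m["ts"], tag,
                                f"changed over a remote session by {m['user']}"))
    return alerts


def scan(log: str) -> list[Alert]:
    """Run check_line over every non-empty line of an audit log."""
    return [a for line in log.splitlines() if line.strip() for a in check_line(line)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} {alert.tag}: {alert.reason}")
```

Run against the constructed log it reports two alerts, both for the 13:00 remote change: one for the value being outside the assumed safe range and one for the remote session itself; the two local changes stay silent. This is a detective control and belongs in the SIEM alongside the remote-access logs; the preventive control is a hard limit on the setpoint in the PLC or HMI itself, so that a value of 11,100 cannot be accepted in the first place regardless of who enters it or how they connected.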
Reference: abcnews.go.com/US/outdated-computer-system-exploited-florida-water-treatment-plant/story?id=75805550

The use of Artificial Intelligence (AI) in IT Security is shaping up to be transformative: it lets the IT Security Pro focus on the parts of the job that matter most to the business, such as educating end users. While AI adds a source of intelligence in the field, the biggest fear is that it will replace IT Security Professionals and the industry itself. That is not the case; instead there will be a partnership between the human in the loop and the machine in responding to potential threats to the corporate network.

AI vs. Machine Learning

AI is the broad term for systems that act on their inputs in ways that can adapt as those inputs change. Machine Learning (ML) is the subset of AI in which the decision rules are derived from training data rather than written out by hand. Much of what runs inside today's IDS and IPS products is neither: it is rule- and signature-based automation that takes a fixed action, such as dropping matching packets, blocking traffic to a targeted IP address or isolating a server, as soon as a specific set of inputs matches. That automation is fast and predictable, which is why it is the right tool for well-understood attacks. ML-based detection complements it by flagging behavior that matches no known signature, and broader AI tooling takes more time and more inputs into account before deciding whether that behavior is malicious and acting on it. Understanding these differences lets the IT Security Pro choose the right technology for a given situation.

Data Overload

As an IT Security Pro, your day is filled with reviewing logs and data collected from sources all over the network. Whether they are firewall logs or captured network traffic, there is a lot of data to process. This is one reason that applications which correlate these records are a key component of any well-established IT Security Program.
The challenge is sifting through tens of thousands of entries to find what is meaningful. Even with correlation tools, the IT Security Pro can be overwhelmed by the volume of information presented. This is where AI and ML come into their own: they can sort the data, surface actionable information and suggest a course of action based on all the inputs gathered.

Working with AI in IT Security

Given the ever-growing complexity of IT Security, it is important to use every tool available against potential threats to our networks. That means leveraging the strengths of AI and ML to keep pace with the changing attack vectors of the adversaries we defend against. The number of threats the IT Security Pro must handle keeps growing, and having additional support to help determine a course of action is valuable, especially when we must do more with less. Some of these areas may include the following:
These are just some of the issues an IT Security Pro may deal with daily, and that is before mentioning the biggest threat of all: the end user. No matter how well a network is protected, its controls can be bypassed by an employee who will not work within the security guidelines.
Automated Processes for AI & ML

Beyond the areas above, AI and ML can also streamline or automate the repetitive processes that consume the IT Security Pro's attention. These automated processes can be built into an application or delivered as part of a solution:
Summary

While AI and ML continue to advance in capability, the point to remember is that these two supporting technologies exist to ease the load on overworked and understaffed IT Security teams. An electronic eye on the day-to-day operations of the network lets staff concentrate on the issues that genuinely need their attention rather than on the static and background noise. Technology should enable the IT Security Pro to better secure the networks we are responsible for, not take jobs away from human beings.

When developing policies and standards for any company, senior management always asks, "How will we manage all of these policies?" That question should be answered before any compliance project starts, because different standards impose different requirements, and the company may have to change its processes to meet them. Whether the company wants to streamline its processes or keep doing things its own way, it is the IT Security Pro's job to strike a balance.

Compliance Requirements

Compliance has many facets that the IT Security Pro will navigate over the course of a career. Companies of all sizes may choose to pursue a compliance standard, or may be required to by the nature of their business. Whatever the reason, compliance standards specify or recommend certain controls, and that requirement should be communicated clearly to all stakeholders in advance. An IT Security Program is more than a handful of policies touching on security issues; it also means adhering to the standard and maintaining the specific documentation it requires, in the form it prescribes.
Whether it is the Information Security Management System (ISMS) prescribed by ISO 27001:2013, a SOC 2 compliance checklist or NIST's Cybersecurity Framework, each one has specific requirements the business must follow to be "compliant with the standard".

Designated Compliance Structures

One thing all of the above standards have in common is that they require a defined structure for how policies and standards are managed. How the company achieves that is left largely to the business, which may have several options, from a central document repository to some other mechanism; the choice should be made before moving forward with any compliance effort.

Policy Development

IT Security standards are notorious for having multiple areas of focus and what look like several documents covering the same thing. This granularity provides a robust and detailed set of requirements for IT and security staff to follow, and it spells out how each policy is affected when the business implements it. The controls listed in the standard can be turned into a checklist that quickly shows whether a control is in place or missing. Auditors can then determine accurately whether a gap is a major finding or something that lets the business continue the audit while its compliance with the standard is assessed. Several policies or documents may address different aspects of the same requirement.

Common Hurdles
Some common hurdles the IT Security Pro will face when implementing new policies and standards for the business are the following:

• There are too many policies to keep track of.
• Do we really need all these policies?
• Are all these policies and documents required by the standard?
• How detailed do we have to be for an auditor?
• This is too complicated to keep track of.

All of these are common misconceptions about how IT Security policies are managed. Whether the refrain comes from a stakeholder or an employee, the IT Security Pro needs to recognize them as roadblocks that must be overcome if the defined standard is going to be adhered to.

Centralized Management

Keeping IT security policies in one central location allows them to be reviewed and approved on an annual basis (the current best practice under most IT security standards) and managed from one place. IT security continues to evolve with the threat landscape, with changes in technology and with governmental regulatory requirements, and the policies have to keep up.

Summary

There are many benefits to managing IT security policies from one location, from maintaining the policies themselves to keeping them readily accessible for review. In most cases IT Security policies are living documents that must change and be updated in line with current best practices and with changes in the business itself. Additionally, having a designated role that reviews and updates these policies on a regular basis is a requirement of most current IT Security standards. Complying with over a hundred designated controls may seem daunting for a business; keeping the policies that address those controls scattered across multiple areas of the organization is more daunting still, let alone tracking them coherently.
Developing and implementing IT Security policies is an area where an IT Security Pro may spend much of the year, but it is also one of the most rewarding.

With growing unrest in the US, there is concern that it will intensify following the Presidential election in November 2020. While the country continues to deal with riots and protests over race, it is worth remembering that these have largely been localized to particular cities or even neighborhoods. It is important to listen to those protesting and to their concerns, but it cannot be disputed that these actions also alienate a large part of the population. No matter where you are on the political spectrum, civil disturbances can directly affect your business, and not only large or national businesses: local independent companies have been affected just as much as the large chains.

Protests vs. Large-Scale Unrest

The terms protest and large-scale unrest can be confusing. A protest may be short-lived, tied to a single political cause, and last from a few hours to a few days. Large-scale civil unrest is different: it may encompass much of the country, with large numbers of the population taking to the streets to demand to be heard. Critical infrastructure (the power grid, Internet, supply lines, roadways) may also be affected as protesters sabotage or disable it to draw attention to their cause. Killings may also occur regularly as those on each side of the political divide fight for their cause.
Business Continuity Planning

As with any event that could affect your business, it is important to plan for the worst-case civil unrest scenario. As with much of 2020, the unexpected is the one thing you can expect this year. Within the IT Security community we are treading new ground: we had never been through a pandemic, and we are now seven months into one. We do not know what to expect from large-scale civil unrest either.

Plan for Major Interruptions

One thing Business Continuity has taught us is to plan for the events most likely to happen rather than for those that may never happen. With civil unrest, the following should be at the top of your list of impacting events to prepare for:
While no single item on the list may directly affect your business, some combination of them surely will. Other countries have had to cope with similar events, but the US largely has not, and a large share of the world's Internet infrastructure and cloud capacity is hosted in North America, so what happens on this continent can have global ramifications.
Pandemic with Civil Unrest

Most businesses today are worried simply about dealing with the global pandemic. If large-scale civil unrest were to materialize on top of it, there would be far more to worry about; that one event could derail any recovery effort now under way. Businesses should take the lessons learned from the pandemic and apply them to a civil unrest scenario, since many of the responses would be similar. Companies will find ways to deal with outages and interruptions, but when violence reaches individual neighborhoods and communities, they may be affected in very different ways.

Bringing the Fight

Civil unrest can affect a business in ways that other scenarios do not. Personnel may choose to take sides and be injured or killed, and mass arrests during prolonged rioting or protests can remove staff for extended periods. A company may also come under fire for supporting one faction over the other, or be pressured by crowds or the media to take a side (businesses were already being pressed to take public positions on the protest movements of 2020). Employees add a new variable to the equation, because most business continuity planning considers only the company's infrastructure and business operations in its recovery efforts. Losing personnel forces a business to replace them or to work differently than it did before the disturbances broke out. Systems are easy to replace; personnel are not.

Summary

This article may seem to raise unreasonable concerns or needless worry. But think back a few months to how remote a global pandemic seemed, and yet here we are. Plan for the worst in the hope that it never materializes. I would not be doing my job if I looked the other way and ignored the potential for this moment in our country to affect the businesses we work for and with. Planning for a disaster is the same whether it is man-made or natural. It is not too late to act on the concerns raised here. Working through how you would react to a specific scenario sharpens our skills in responding to disasters and makes us more confident in our recovery efforts should they be needed.

Disclaimer

This article is meant as a thought exercise on how businesses would recover if large-scale political unrest were to hit the US. It in no way endorses or condones violence of any type, from any side. It is the author's hope that all registered voters exercise their constitutional right to vote in the upcoming election, and that there is still a middle ground on which both political sides can come together to discuss the issues affecting our country.

Just when you thought things could not get worse than they already are, the area where the business operates is struck by a natural disaster while it is still dealing with the pandemic (COVID-19). IT Security is always looking for what could affect the business, but IT Security Pros cannot plan for everything. The pandemic has stretched resources and stressed staff beyond measure; now imagine adding another significant event on top of it.

Multiple Threats

While IT Security does plan for the unforeseen, dealing with multiple business-impacting events at once is challenging to say the least. Planning for business interruptions and impacting events should be part of every company's Business Continuity Plan (BCP).
A natural disaster may be a one-time event with a short-duration impact on the business's infrastructure; add an ongoing pandemic and the problems multiply. The pandemic has stretched first-responder resources thin, and hospitals and government agencies are struggling with an already overloaded system. The task may seem daunting, but it can be planned for, and a strategy developed to deal with multiple threats at once. Prioritizing the recovery efforts and deciding in advance what recovery will look like are the keys to the planning process.

Pandemic Planning

Many businesses were caught without a pandemic response plan when COVID-19 was declared one; some had plans in place and had thought about how they would respond. Few had planned in detail, and none knew exactly how governments would react to infection rates or how they would try to stop the spread. Over the years some businesses rolled their pandemic response into their BCP, while others kept a standalone policy. Whichever method is used, planning a response to a virus and the way it spreads through the population is nerve-racking, with many variables surrounding the recovery process.

Systematic Recovery Approach

Like any other business-impacting event, recovery requires a systematic approach if it is to proceed in a logical order. The following list will help guide this process:
Returning to Normal

Life during the pandemic is not normal by any definition of the word. But the pandemic will be resolved as we fight it with the means we have. Whether that takes months or years is still unknown, but we will return to "normal", and it is for that time that we keep planning for disaster even now. We all hope to put this period behind us and get back to the way things were, but the longer the pandemic lasts, the less likely that is to happen soon.

Testing the Plan
While testing is one of the hallmarks of an effective BCP, a full test in the current state of things does not make much sense (in my honest opinion). That said, there are specific things that can be done to solidify the plan and to identify potential issues with it:
Each of these areas helps ensure that the overall plan is effective and that, should it be needed, the company will have confidence in the plan and in its ability to recover the business during a disaster.

Summary

While everyone is in the mindset of dealing with a disaster because of the pandemic, it may be a good time to evaluate the other established plans, making sure they are still effective and will hold up if an incident comes. Testing small portions of the overall plans limits potential disruption while still providing a realistic approach to testing and evaluation. Companies are still focused on how the pandemic affects their operations, but being prepared for what is around the next corner will protect the business after the pandemic is over. What you learn now may help save the business, even in these uncertain times.
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership, ready to help your company stay safe and secure.