THE IT SECURITY PROFESSIONAL
Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
With growing unrest in the US, there is growing concern that there will be unrest in the country following the Presidential election in November of 2020. While the country continues to deal with ongoing race riots and protests all over the country, it is important to remember that these may be localized to a particular city or even to the neighborhoods in which the protests are taking place. While it is important to listen to those that are protesting and what their concerns might be, it can’t be disputed that these actions continue to alienate a large part of the population. No matter where you are on the political spectrum, these civil disturbances can directly affect your business. This is not strictly affecting large or national businesses, as we have seen local independent companies affected just as much as the large chain stores.

Protests vs. Large Scale Unrest
When the terms protest and large scale unrest are used, they can be a little confusing. Protests may be short-lived and for one political cause, and may last a few hours to maybe even days. A large-scale civil unrest is different in that it may encompass a large part of the country as a whole, with large numbers of the population taking to the streets to demand that they be heard. Additionally, large governmental infrastructure (power grid, Internet, supply lines, roadways) may also be impacted as protesters sabotage or disable them in order to make more of the population aware of what is going on. Also, killings of individuals may occur on a regular basis as the population on each side of the political divide fights for their cause.

Business Continuity Planning
As with any event that may have the possibility of impacting your business, it will be important to plan for the worst-case scenario when it comes to a civil unrest situation. As with a lot of things in 2020, the unexpected event is one thing you can expect this year.
Within the IT Security community, we are treading on new ground as we have never been through a pandemic, and yet we find ourselves 7 months into one. We don’t know what to expect with a large scale civil unrest.

Plan for Major Interruptions
The one thing Business Continuity has shown us is that we can plan for those events that are most likely to happen instead of those events that may never happen. With civil unrest, the following should be at the top of your list of impacting events to prepare for:
While there is not one area on the list that may directly impact your business, any combination of them surely will. Also, while other countries around the world have had to cope with similar issues or impacting events, it is important to realize that the US has not, and that North America houses the largest majority of the global Internet infrastructure. So what happens on the continent could have global ramifications.
Pandemic with Civil Unrest
The majority of businesses today are worried about just dealing with the global pandemic going on. But if the civil unrest were to materialize, then there will be a lot more to worry about. Just this one event could have the potential of derailing any sort of recovery effort that might be in the works at this time. Businesses should take the “lessons learned” from dealing with the pandemic and use them to potentially deal with a civil unrest scenario, as most of the responses could be similar. Companies will find ways in which to deal with outages or interruptions, but when the violence comes to the individual neighborhoods or communities, then they may be affected in very different ways.

Bringing the Fight
As with all disturbances, civil unrest can cause the business to be impacted in different ways compared to other potential scenarios. Choosing to fight against the opposing party may be part of that, as personnel may be killed or injured. This can also cause issues if there are mass arrests that may happen as part of rioting or protests that go on for a longer than normal period of time. A company may also come under fire for supporting one faction over the other or may be forced to support one group over the other by mass crowds, or even in the media. (This is currently happening with groups like BLM, as they support Marxist and Communist ideologies, and the destruction of the nuclear family). Employees will be new to the equation, as most business continuity planning takes only the company infrastructure or business operations into consideration in its recovery efforts. The loss of personnel will cause businesses to have to replace personnel or work differently than they did prior to the outbreak of the disturbances. Systems are easy to replace, personnel are not.

Summary
This article may seem to be raising unreasonable concerns or un-needed worry.
Just think back a few months to the potential for a global pandemic, and yet here we are. Plan for the worst potential outcomes in the hope that they never materialize. I would not be doing my job if I looked the other way and did not look at the potential that this time in our country could possibly impact the businesses we work for and with. Planning for a disaster is the same whether it is a man-made one or a natural one. It is still not too late to take action and address the various concerns that have been brought up here. Planning on how you would react if given a specific scenario helps to sharpen our skills in responding to disasters and also helps us be more confident in our recovery efforts if they are needed.

Disclaimer
This article is meant to be a thought exercise on how businesses would recover if large-scale political unrest were to hit the US. This article in no way endorses or condones violence of any type (from any side). It is the hope of this author that all registered voters exercise their Constitutional right and vote in the upcoming election and that there may still be a middle ground in which both political sides can get together and discuss the issues affecting our country.
Just when you thought things couldn’t get worse than they already are, the area in which the business operates is struck by a natural disaster while also dealing with the pandemic (COVID-19). While IT Security is always looking for what could possibly impact the business, IT Security Pros can’t plan for everything. While the pandemic has stretched resources and stressed the staff beyond all measure, just imagine adding another significant event on top of it all.

Multiple Threats
While IT Security has the ability to plan for the unforeseeable, being able to deal with multiple business impacting events at the same time can be challenging, to say the least. Planning for business interruptions or impacting events should be a part of every company’s Business Continuity Plan (BCP). A natural disaster may be a one-time impacting event and may have a short-duration impact on the infrastructure of the business, but add the ongoing pandemic on top of that, and now you have even more issues. The pandemic has stretched first-responder resources thin, and hospitals and governmental agencies are struggling to deal with an already overloaded system. While the task may seem daunting, it can be planned for, and a strategy can be developed in order to deal with multiple threats at the same time. Prioritizing the recovery efforts and planning what a recovery will look like will be key to your planning process.

Pandemic Planning
While a lot of businesses were caught with no pandemic response plan prior to COVID-19 becoming one, some actually had plans in place and had thought about how they would respond to one if it was ever declared. Companies have not been planning for a pandemic, nor did they exactly know how the government would react to the infection rates and how it planned on stopping its spread. Some businesses over the years have rolled their pandemic response plan into their BCP, while others had a standalone policy.
Regardless of the method, planning for the response to a virus and how it infects the population can be nerve-racking, and it is difficult to deal with all of the variables that seem to surround the recovery process.

Systematic Recovery Approach
Just like any other business impacting event, it takes a systematic approach to the recovery effort in order to recover in a logical manner. The following list will help guide this process:
Returning to Normal
Life during the pandemic is not normal by any definition of that word. But the pandemic will be resolved as we fight it with the various means that we have. Whether this is in the next few months or over the next few years is still an unknown for the world. But we will return to “normal”, and it is for that time that we continue to plan for disaster even during the pandemic. We all hope that we can put this time behind us and get back to the way things were before. But the longer this pandemic goes on, the more likely it is that this will not happen anytime soon.

Testing the Plan
While testing is one of the hallmarks of having an effective BCP, doing this during the recent state of things doesn’t make a lot of sense (in my honest opinion). That being said, there are specific things that can be done to help to solidify the plan and to identify any potential issues with the plan:
All of these different areas help to ensure that the overall plan is effective and that, in case it is needed, the company will have confidence in the plan and its ability to recover the business during a disaster.

Summary
While everyone is in the mindset of dealing with a disaster due to the pandemic, it may be a great time to evaluate the other established plans, making sure that they are still effective and that they will hold up to a potential incident if the time were to come. Testing small portions of the overall plans helps to limit a potential disruption while still providing a realistic approach to the testing and evaluation process. Companies are continuing to focus on how the pandemic is impacting their business operations, but being prepared for what may be around the next corner will help to protect the business after the pandemic is over. What you learn now may help save the business, even during these uncertain times.

As I write this article today, I’m sitting in my home office coughing and having some difficulty breathing. Being right in the middle of a potential pandemic hot-zone in Washington State can help bring things into focus when it comes to planning for the worst-case scenario of an incident impacting your business. Taking the right course of action in a timely manner can help to protect the business, but most importantly, the community at large as well.

Epidemic Tracking
Right now, we are concerned with COVID-19 (Coronavirus) and the potential impact it may have on the population, since it was an unknown virus to the human population just a few months ago. When this virus emerged, I started to keep track of the numbers that we were seeing and how it was spreading. As part of my IT Security role, I have a responsibility for Business Continuity Management within the company.
Therefore, I keep an eye out on these sorts of things, as they have the potential to turn quickly if we are not looking. I believe that this is what happened here, and I believe that China for the most part has not provided accurate information to the world at large. No matter what the epidemic is, planning to take action as a business or other organization should be the prudent move here. Planning for what the company may do if faced with a certain situation allows for calm and calculated planning to occur instead of being reactive to what is going on around them. Any decisions that the business makes will have an impact on the company, and ultimately on the work force that you employ as well.

Epidemic Impact
No matter how you plan, the decisions you make or plan for will always change. Flexibility is the name of the game here. Have several different levels or ways to address an issue as it arises, and plan on meeting those changes as they occur rather than being reactive to them. Being cautious and taking an aggressive approach at the onset may help prevent more of an outbreak than waiting on what the state, national, or global authorities may suggest. We are seeing this play out in Seattle and in King County, Washington, as the local authorities have suggested that employees work remotely if they can for a length of time in order to prevent a further spread of the virus. Businesses in the county will have to determine how they plan to address this issue. Will they take the steps that have been requested by the local government, or will they side with their own best interests in order to preserve their business? The impact of an epidemic is not just a personal one, but also a monetary one for the company that has to make those choices. This is one of the crucial aspects of the planning process that seems to be left out by most businesses: pandemic insurance or emergency funding in case it is needed.
While organizations will focus on business operations for emergency funding, pandemic funding or planning for the potential impact of it should also be taken into consideration.

"The suggestion is to have at least 3 months of operating capital on hand in case of a pandemic." - Erich Barlow

Developing a Plan
The first course of action should be to establish and develop a Pandemic Response Plan that will be implemented in case a pandemic or epidemic is declared. This plan should have the following areas:
Plan Testing
One of the core issues that plans sometimes have is that they aren’t tested as often as they should be. This will lead to plans that are outdated or inaccurate, with personnel not knowing their particular role in the plan when it is activated. It is recommended that at least once a year a tabletop test be performed in order to validate the planning process. Testing your plan is one of the best ways of making sure that it will be there when it is needed in case a pandemic hits where you are located.

Summary
While there are a lot of different areas that need to be addressed when planning for a potential pandemic, the time that is taken in planning for it will pay off if it ever has to be implemented. This is what we are seeing play out right now with those organizations in Washington State that have not planned for such an event. While most businesses will have plans for fire, flood, or even an earthquake, Pandemic Response Planning is one of those areas that are not really planned for. Taking the proper steps in developing a robust response plan before you need it will go a long way in helping the company recover from a potential outbreak. Whether it is suggesting working remotely or limiting social interaction within large groups, it is important to address these issues ahead of time.

Reader’s note: Due to the rapidly changing situation and the impact that the current epidemic is having on the community in which I live, I plan to update this article through the next few weeks as we deal with this outbreak and how we are going to react to it.

Working from Home During the COVID-19 Pandemic – Blog Update May 23rd, 2020
After two months of working from home (and changing jobs in the process), it has been a huge change for me and those that I work with. While I saw most of my friends be laid off or fired due to the impact of the virus, a large majority have been able to keep working.
Essential Workers
A lot of jobs were declared “essential”, and we saw that they were able to keep working (although with some modifications) and were still able to earn a paycheck. While the government was able to determine who was essential and who was not, this designation was not applied equally across the board, and those folks that we all depend on every day lost their jobs because the government decided that they posed a risk to our health.

Pandemic Mental Health
Like most of the people that I work with, I have been impacted on a personal level by the restrictions that have been imposed on me “for my health”, but it is my belief that our mental health has been impacted in ways that we don’t fully understand. Whether it is our kids that we are now all homeschooling or those of us who are social beings, we have had to change the way that we function in the world around us. Being able to go to the gym for a good workout and helping to relieve stress has been off the table of things I have been able to do (and I have seen some weight come back) for the last two months now. Additionally, being able to practice my faith has been prevented as well, which, like for a lot of people, was a great source of comfort before the outbreak, and it still is, but the practice of it has had to change.

Technology Work Changed Forever
While there are a lot of issues that we all have had to endure over the last couple of months, there are some bright spots. One of them is that working from home, or at least the ability to do so, has become the norm and not the rarity that it once was. While there have been some difficulties in the adjustment to it, I think that it will become the way business is done in the future, even after being able to return to the office. More and more people are seeing the benefit of working remotely (not to mention the savings we get from not being in rush hour traffic). While a lot of companies were not sure about how they could make working remotely work, they were able to figure it out. Now, with that infrastructure in place and working efficiently, why dismantle it when the pandemic is declared over? I think that we are going to see more businesses adopt the model and keep on working this way, or at least have it as a full option for workers if they choose to do so.

Security at Home
One of the biggest issues that companies have had with going to the work from home model of business is how to enforce security on personnel when they are not in an office. Businesses have quickly learned that the use of encryption for communications and network connections is an important aspect of those security measures. Additionally, making sure that employees are adhering to IT Security best practices has also been an important issue that has been addressed. Providing IT Security information to the end user has been a focus of the IT Security teams around the globe that are supporting the work from home business model.

Additional Updates
While I live in the Pacific Northwest, the Governors here are continuing to restrict business operations and the abilities of the people to go about their normal lives. The area where I live will be under these restrictions until at least the end of summer, if not later.
So, I will be posting updates as we continue to deal with the pandemic in hopes of preventing its spread. Also, updates on what are considered best practices during this unprecedented outbreak will be posted to this blog.

What seems to be all the buzz these days is the deployment of critical infrastructure or Software-as-a-Service (SaaS) applications into a cloud environment in order to provide additional security. While most businesses are looking for the benefits that this offers to them and their customers, an area of concern is the alignment with their business operations and whether that security meets their specific needs or requirements.

Cloud Security
Companies and organizations are looking for the following when it comes to the migration of their infrastructure to the cloud:
Centralized Security
Cloud security is all about control. If you are able to control access requirements and resources from one online portal, the company will save on having to deploy specialized personnel to a data center. This is how services such as AWS (Amazon Web Services) are accessed and managed. The centralization of the security means that the IT Security Pro will have more time to devote to other areas of the infrastructure, like perimeter defenses or vulnerability scanning.

Reduction in Costs
One of the biggest reasons, if not the sole reason, that an organization will choose to deploy infrastructure or applications to the cloud is the cost savings they get from using the resources that are available within that environment. Whether it is the bandwidth, server resources, or just the overall cost savings from not having to pay for a capital expenditure, businesses continue to move to the cloud in order to gain a financial benefit from the move. This can be a significant amount, so how security will be used within that environment should be thought through and understood before anything moves to the cloud.

Reduced Administration
The reduction in costs that a company might see from moving to a more cloud-centric environment is directly associated with the reduction in the administrative costs. With streamlined services and online portals to access all of the resources in the cloud infrastructure, companies may employ fewer admins than they would if they had to create the environment on their own. Also, the people who do fill these admin roles are going to be crucial to the deployment and maintenance of the cloud environment after the deployment.

Reliability of Services
When we look at cloud services, one of the most significant aspects that we take into consideration is the reliability of the services that are offered (up-time percentage is a BIG one here). Additionally, looking at the redundancy of various services such as:
Summary
While there are a lot of reasons to move to the cloud, a business should determine how it will address security and what sort of benefits it is looking for from this critical realignment of its network architecture. Whether it happens to be overall cost savings or the enhanced capabilities that the cloud offers, IT Security and how it will be addressed needs to be a part of the discussion. Once the critical assets are migrated is the wrong time to try to figure out how your security posture will be affected by such a move.

When it comes to backing up our servers and systems, a lot of IT Departments are not doing all they should to protect the business or the organization as a whole. The business may be dealing with the sheer volume of data that needs to be backed up, or with a lack of resources (both human and material). All of these issues complicate the fact that protecting the company in case of a disaster means that you have a backup for all of your critical information.

Basic Guidelines
One of the most basic guidelines that help with business continuity preparation is that the business is backing up critical data on a periodic basis. What ends up happening is that there is a knowledge gap or a technology gap. This means that the IT Team does not have the skills to effectively back up critical systems and data. The second area is that the team is lacking the resources to do the backups effectively. Data should be backed up based on the following criteria:
Business Continuity Application
Having a recent backup or restore point for systems will enable the business to recover to its previous state faster than without one. This is why it is always encouraged to test these backup and restore points on a periodic basis in order to make sure that they work as designed. If a process is not tested, it can be prone to failure or, in the worst-case scenario, not work at all. Because backups matter so much, some of those processes are automatically set up or configured within the various systems. The issue is that these automated processes run into hiccups and may not function well, if at all. It is best to test them regularly and not be solely dependent on them in the case of an emergency, such as a disaster. When disaster strikes your business, you want to make sure that all of the processes that you have developed for dealing with the situation work as planned.

Technical Gap
As most IT Departments can attest, having a technical gap is one of the hardest areas to overcome. This means that the team will have to take time and learn new skills or a group of skills. However, due to the importance of the team to the rest of the organization, this may not be as feasible as it needs to be. The additional issue is that technologies are always changing, and it seems every year there are new applications that are better than what you purchased last year, so the team has to learn a completely new technology.

Misconfiguration of Applications
The biggest issue that an organization will face is a misconfiguration of the backup solution in the initial deployment across the enterprise. Unfortunately, this is not usually known for a length of time, because everything works as it should (for the time being) until someone is appointed that may have better skills or a better understanding of the technology. Additionally, it may be found during a time when everything breaks (and it happens at the worst possible time too) and everything needs to be fixed. This is why it is important to test the process and the applications that will be used in the overall business continuity process. It is better to find out that there is an issue when the business is not stressed than during the time of a disaster. Being in control will allow the company to address the issues that are found during the testing process and make the needed changes ahead of needing them.

Risk Assessment Prioritization
The use of a Risk Assessment (RA) in the process of prioritizing what services or data need to be backed up is important to how the company will recover from a disaster. Understanding the potential risk will direct the resources that have been allocated for the recovery efforts. While doing an RA will provide a good overview, understanding the impact of certain data backup requirements is going to provide a road-map for how that will be accomplished. Understanding the risk to the business will also help to identify certain data types or applications that may need to be addressed during the initial deployment and configuration process. Identifying potential issues with how the applications were configured will be important at this step as well. Most companies will be able to configure their backup application or settings in a reasonable manner, but it is something that will need some technical expertise in order to accomplish.
Backup & Recovery
After the business has determined what type of data or what specific systems need to be backed up, it will be important to test the processes and systems that have been put into place. This is the most important step that the company can take in its recovery efforts. Testing takes a leap of faith, both in the individuals that have configured it and in the systems that will be used to do it. Some companies will shy away from this step due to the potential impact on their customers or the services they provide. The recovery process should be as smooth as the plan that has been developed for the process. If it is not, then the plan and process should be reworked so that it is. At this point, automation will be important to implement within the overall process. Having automated detection or switch-over in case a failure is detected will allow the company to quickly respond to an outage or some other incident.

Recovery Effort
After the business-affecting incident has passed, the company starts to recover from the impact of the incident on the business. The most important thing will be to recover the business operations as soon as possible with minimal impact to the customers or clients of the business. This is where the RA that was done earlier in the development process for the business continuity planning efforts will pay off. The prioritization list will state which systems and applications should be recovered and in which order.

Summary
After all is said and done, recovery of business applications and data should be a smooth process (that is, if it was tested), which will help recover the business to a point prior to the incident impacting the business. Business Continuity Management comes down to planning and testing. Failure to effectively address either area will lead to a difficult, if not impossible, process for the company when it comes to disaster recovery.
The backup and restore process for your business should be tested regularly and should provide a robust response to a potential disaster scenario. The practice and planning that should happen will give the management team, as well as the customers and the clients, confidence in the overall solution. If the solution is an unknown, then there ends up being a lot of questions about its effectiveness. This is why the recovery and backup process is the cornerstone of your business continuity planning process.

When most security professionals think of Business Continuity Planning (BCP), they think about how to back up systems or about creating a hot site in which to work and back up data in case of a disaster. While all of these are crucial components of creating a successful recovery plan, it is important to remember that most businesses currently employ some sort of cloud services technology in their day-to-day business operations. Why not use that already created infrastructure for business continuity?

Cloud Infrastructure
When planning to create this type of plan, it is important to understand your infrastructure and how it is currently being utilized. The second critical component is to understand the criticality of the various systems and processes. The reason for this is that they will be your drivers for which systems or services get top priority in your planning process. You have a Business Impact Analysis (BIA), right? Securing the cloud infrastructure that you already have will be an important first step. Some cloud service providers already do this for you automatically, but others may not do so. Therefore, it is important that you back up all of your critical cloud systems and processes first.

Backup & Storage
When using the cloud for your business continuity planning, it is important to remember that you want to use the capabilities of the service to your advantage.
Using the various physical locations in which you are able to have data stored will help to provide geographic diversity in where your data is physically stored. This data in some cases can also be mirrored from one location to another, giving you additional redundancy if it is needed.

Flexibility
One of the key benefits of using the cloud for business continuity management is its ability to be flexible with the amount of data that is stored. This information can grow and be moved around as needed within the cloud infrastructure as well. Additionally, long-term cold storage can also be used for data that may not be accessed on a regular basis. This provides a depth of continuity that would cost more to create within your company than to use what you already have access to.

Automated Processes
An important factor that companies will look at is whether they can automate the process for data backup. While in most instances this is a manual process (meaning hands-on work by the staff employed to carry out the specific tasks), in most instances when using the cloud infrastructure you are able to automate the following areas:
Recovery Time Objectives
One key aspect that any business will have to take into consideration when looking at continuity planning is how long it will take to recover the data in case of an incident. Whether this is driven by service level agreements or by customers, it can be a critical data point to achieve. Meeting these objectives will be challenging, but using the cloud to achieve them is easier due to how the infrastructure is created and deployed. Requesting and downloading data from your backup storage site may take a few hours with the cloud service provider, but because it is already a part of the infrastructure, it will be easier than working with an outside service provider and requesting data tapes from a secured location some hundreds of miles away from your recovery site. When time is of the essence, getting the information you need in a timely manner is the name of the game.

Summary
While most business continuity planning involves thinking outside the box, it is important to remember all of the resources that you have at your disposal for the planning process. Thinking of new ways to use current or existing technologies will enable the business to have a cost-effective solution without having to sacrifice more capital. Being able to use the cloud to store your data and as a recovery repository in case of a business impacting event will save you both time and effort in the end.
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.