|
Risky Thinking - June 2011 |
| Should You Include Zombies in Your BCP? |
|
There's been quite a lot of publicity given to emergency planning recently
as a result of a CDC blog entry
on how to prepare for the Zombie apocalypse. Undoubtedly more people are
aware of emergency planning than before, so should you include a Zombie
apocalypse in your business continuity plan?
A problem for all planners is to get people to read their plans.
Let's face it, there's only so much interest that can be generated
by the prospect of a backhoe cutting through your electricity cables,
or of a burst pipe flooding the server room. Given that similar
preparation and responses are required whatever the cause of
an incident, wouldn't our plans be more fun to read if we could
deal with some fictional risks at the same time as the real ones?
After all, it seems to have worked for the CDC. A blog entry
on preparing for the zombie apocalypse went viral and gained emergency
planning worldwide publicity. Presumably some of the people who read
the blog entry became more prepared for an emergency as a result.
If an amusing fictional risk was included, wouldn't more people read
the plan?
The answer, of course, is yes. But including fictional risks in the
plan isn't a good idea, for a number of reasons:
- You need to cost justify your plan. While the actions taken
to prepare for and respond to your building being flattened by an
alien spaceship may be identical to those required for a more
prosaic fire, hurricane or tornado, the probabilities of the latter
happening (and thus the amount your organization should be prepared
to spend to mitigate the risk) are significantly different.
- Most people will remember the interesting stuff, and
forget the rest. Did you read the CDC blog entry? What
advice did it contain on emergency planning? If you're like
most people, you will remember the zombies (and the controversy they
caused) and little else. So despite the publicity, did the CDC blog
entry actually work in promoting emergency planning?
- A CDC blog entry and a Business Continuity Plan aren't comparable.
If the CDC had been including a zombie apocalypse in their real world
plans for dealing with pandemics, we would all be questioning what
they were doing. There's a big difference between a light hearted
blog entry and a serious plan.
- You need the reputation of the CDC for this to work.
If the blog entry had been produced by a lesser organization, who
would have noticed? Indeed, the humor might have been taken seriously,
leading to the organization being lumped together with end-of-the-world
predictors and conspiracy theorists. The people reading your plan
don't necessarily hold you in as great esteem as the CDC, and there
is a serious risk of the joke falling flat as a result.
So although our business continuity plans may be suitable for
keeping our company going during the future zombie apocalypse,
it's not a good idea to tell anyone about it. Let's just
keep it a secret between ourselves so that when those flesh
eating zombies stagger into view, we are ready for them. |
| News of the World: 2011 - Year of the Hacker |
|
2011 seems to be turning into a year when security breaches become
everyday events. There has never been a better time to encourage
everyone to (a) use non-trivial passwords, (b) not use the same password
on different accounts, (c) read every email with skepticism about its
authenticity.
Trapster exposed 10 million email addresses and passwords:
http://www.theregister.co.uk/2011/01/21/trapster_website_hack/
Lush UK exposed its users' credit card details:
http://www.theregister.co.uk/2011/01/21/lush_cosmetics_hack_attack/
Early in the year, security company HBGary Federal had its entire
email archive published. The inside story of that hack is here:
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/
The Canadian government had the computers in at least three major
ministries hacked. Departments were temporarily disconnected from
the internet as a result:
http://www.cbc.ca/news/politics/story/2011/02/16/pol-weston-hacking.html
Despite government denials at the time, it appears that
secret data was stolen:
http://www.cbc.ca/news/canada/ottawa/story/2011/06/02/pol-cyber-attacks.html
Sony had its PlayStation Network breached and revealed data on more
than 100 million customers:
http://www.theregister.co.uk/2011/05/24/sony_playstation_breach_costs/
This took the network down for over a month. This was followed by
SonyBMG in Greece:
http://www.theregister.co.uk/2011/05/23/sony_bmg_greece_hacked/
Then Sony's movie division in the US revealed data on another 50,000 users:
http://www.theregister.co.uk/2011/06/03/sony_pictures_hacked/
Not to be outdone, SSL certificate authority Comodo had problems with
its resellers being hacked, allowing the issue of "genuine" security
certificates for Skype, Yahoo, Windows Live, and Google:
http://www.theregister.co.uk/2011/03/23/gmail_microsoft_web_credential_forgeries/
http://www.theregister.co.uk/2011/03/30/comodo_gate_latest/
Then we learned that RSA Security, manufacturer of the SecurID two-factor
authentication system, had suffered an APT or "Advanced Persistent Threat" - security
parlance for a long-term, targeted penetration:
http://www.pcworld.com/businesscenter/article/222555/rsa_securid_hack_shows_danger_of_apts.html
RSA statement:
http://www.rsa.com/node.aspx?id=3872
People still use poor passwords on websites. Troy Hunt's excellent analysis of
the passwords used on some of Sony's websites can be found below, although we
should note that there is probably a difference between the password somebody
might choose on their bank website and the password they did choose on
SonyPictures.com. But note in particular the statistic that 67% of people
re-used their passwords between the Gawker and Sony websites:
http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
These are only the well-known incidents, and the year is only half way through!
Remember: a password is only as secure as the weakest site it is used on.
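The Gawker/Sony comparison above is easy to reproduce on any pair of breach dumps. The following is an added example, not code from the newsletter or from Troy Hunt's analysis: it joins two constructed dumps on normalized email address and measures how many overlapping accounts used the same password on both sites. All accounts are invented. Dump A is modelled as plaintext credentials; dump B is modelled as salted SHA-256 records under a hypothetical storage scheme, so reuse is tested by hashing the known plaintext from A under B's salt rather than comparing hashes directly.

```python
"""Cross-breach password reuse measurement (added example; data and scheme are invented)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample data: invented accounts, not records from any real breach.
# Dump A is modelled as plaintext (email, password) pairs.
DUMP_A: List[Tuple[str, str]] = [
    ("alice@example.com", "Summer2011!"),
    ("Bob@Example.com", "bob123"),          # mixed-case email, normalized below
    ("carol@example.net", "correct horse battery"),
    ("dave@example.org", "letmein"),
    ("erin@example.com", "Tr0ub4dor&3"),    # only in dump A
    ("frank@example.com", "frank1985"),     # only in dump A
]


def hash_password(password: str, salt: bytes) -> str:
    """Hypothetical storage scheme for site B: hex(sha256(salt || password))."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def _make_dump_b() -> List[Tuple[str, str, str]]:
    """Build dump B as (email, salt_hex, hash_hex) records from invented plaintext.

    A real dump would contain only the salted hashes; the plaintext is kept here
    so the sample is reproducible.
    """
    plain = [
        ("alice@example.com", "Summer2011!", b"\x01" * 8),       # reused
        ("bob@example.com", "bob123", b"\x02" * 8),              # reused
        ("carol@example.net", "Different-Pass-9", b"\x03" * 8),  # not reused
        ("dave@example.org", "letmein", b"\x04" * 8),            # reused
        ("grace@example.com", "grace!2011", b"\x05" * 8),        # only in dump B
    ]
    return [(email, salt.hex(), hash_password(pw, salt)) for email, pw, salt in plain]


DUMP_B: List[Tuple[str, str, str]] = _make_dump_b()


def normalize_email(addr: str) -> str:
    """Join key: trim whitespace and lower-case so 'Bob@Example.com' matches 'bob@example.com'."""
    return addr.strip().lower()


def reuse_report(dump_a: List[Tuple[str, str]],
                 dump_b: List[Tuple[str, str, str]]) -> Dict[str, object]:
    """Count overlapping accounts and those whose dump-A password verifies against dump B.

    The reuse rate is reported over the overlap only: accounts present in just
    one dump say nothing about reuse and are excluded from the denominator.
    """
    by_email_b = {normalize_email(e): (bytes.fromhex(salt), h) for e, salt, h in dump_b}
    overlap = 0
    reused: List[str] = []
    for email, password in dump_a:
        key = normalize_email(email)
        if key not in by_email_b:
            continue
        overlap += 1
        salt, stored = by_email_b[key]
        # Hash the known plaintext under site B's scheme and salt, then compare.
        if hmac.compare_digest(hash_password(password, salt), stored):
            reused.append(key)
    rate = len(reused) / overlap if overlap else 0.0
    return {
        "accounts_a": len(dump_a),
        "accounts_b": len(dump_b),
        "overlap": overlap,
        "reused": sorted(reused),
        "reuse_rate": rate,
    }


if __name__ == "__main__":
    report = reuse_report(DUMP_A, DUMP_B)
    print(f"{report['overlap']} accounts appear in both dumps; "
          f"{len(report['reused'])} reused the same password "
          f"({report['reuse_rate']:.0%}).")
```

Two details matter when reading such a figure: the denominator is the set of accounts found in both dumps, not either site's whole user base, and when one dump is hashed the comparison only works by re-hashing the known plaintext under the other site's scheme, so differences in hashing or salting across sites do not hide reuse.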
|
| Book Review: Beautiful Security |
|
It's unusual to find a book filled with thoughtful essays on security. Too many security books are concerned with the latest vulnerabilities (which are generally old news by the time the book is published) or contain bland statements on security policy or ad hoc security measures.
This book is refreshingly different. It contains essays looking at many of the key concerns of security professionals today, written by acknowledged experts in the various areas. It stays in the middle ground of the general and applicable, avoiding the extremes of technological obscurity or feel-good generalities. Essay topics include the psychological traps on which social engineering is based; the practical use of security metrics to identify and fix internal security weaknesses; the cybercrime economy; click fraud and the problems with internet advertising (read this if you pay for clicks!); security by design; and many more. I found particularly interesting Phil Zimmermann's essay on the PGP web of trust, which discusses many of the practical issues in establishing public key infrastructures.
Even though security is my interest, rather than my career, I found lots of valuable ideas in it. The link below will try to redirect you to the appropriate Amazon website where you can find further information, read excerpts, etc.
Royalties from the book go to the Internet Engineering Task Force (IETF).
|
| Administrivia |
|
RISKY THINKING is a free newsletter providing essays, analysis, insights, and
oddities related to Business Continuity, Disaster Recovery, and Risk Management.
You can subscribe on the web at
http://www.RiskyThinking.com/newsletter.
Please feel free to forward RISKY THINKING to colleagues or friends who will
find it valuable. You may reprint this newsletter providing it is reprinted in
its entirety.
Copyright Michael Z. Bell / Albion Research Ltd. 2011
|