Business nightmare scenarios detailed a week since #WannaCry

Speaking on the theme ‘The threats that should be keeping you awake at night’ at the FourSys SecureTour in London, independent computer security researcher Graham Cluley described the three main areas of concern for businesses in 2017.

Claiming that it is not about giving the audience nightmares, and not about nation-state hackers who “target private firms”, Cluley said that the three main problems were: ransomware, insider threat and business email compromise.

Focusing on last weekend’s WannaCry ransomware outbreak, Cluley said that this was ransomware “on a scale never seen before”, and “it hit so hard it took some hours before people came up with a logo!”

He added: “WannaCry did traditional things with Bitcoin, so what made it so different? It was not traditional ransomware; it was distributed by a worm-like feature, exploited a vulnerability in a Microsoft Windows component and exploited the SMB protocol to spread very rapidly indeed.”

He went on to say that ransomware has “truly been a threat over the last few years”, highlighting other instances of the NHS being hit, as well as San Francisco’s public transit system, and noted that it is also hitting mobile devices.


Turning to business email compromise, Cluley described how an attacker poses as the CFO and typically targets a junior member of staff; instead of sending malware, they simply send an email that tries to trick the person into transferring money.

“People do this and as soon as they click on the send button, it is too late”, he said. Highlighting cases affecting major companies, Cluley said that this is effectively good social engineering.
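The business email compromise pattern Cluley describes leaves traces in the message itself before anyone clicks send. The following is an added example, not code from Cluley’s talk or the Infosecurity article: a small set of header and body heuristics that flag an executive-impersonation message. The corporate domain, the executive directory and both sample messages are assumed for illustration.

```python
"""Added example (not from the article): heuristics for the business email
compromise pattern where an attacker poses as an executive to pressure staff
into sending money. Domain, directory and sample messages are assumed."""
import difflib
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                    # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed directory: display name -> real address
PRESSURE_TERMS = ("wire transfer", "urgent", "confidential", "before close of business")


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain: str, legit: str, threshold: float = 0.8) -> bool:
    """True for a domain that is close to, but not exactly, the legitimate one
    (e.g. a digit 1 standing in for the letter l)."""
    if not domain or domain == legit:
        return False
    return difflib.SequenceMatcher(None, domain, legit).ratio() >= threshold


def _body_text(msg) -> str:
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def bec_indicators(raw_message: str) -> list:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    known = EXECUTIVES.get(display_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append("display name matches an executive but address does not")
    if is_lookalike(from_domain, CORPORATE_DOMAIN):
        findings.append(f"lookalike sender domain {from_domain!r}")

    # A Reply-To pointing elsewhere is how the attacker keeps the conversation
    # even when the visible From address is spoofed.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain")

    text = _body_text(msg).lower()
    hits = [t for t in PRESSURE_TERMS if t in text]
    if hits:
        findings.append("payment-pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SUSPECT = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jd.private@mail.invalid>
To: junior.clerk@example.com
Subject: Quick favour
Content-Type: text/plain; charset=utf-8

I'm in a meeting and need an urgent wire transfer processed today. Keep this confidential.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: junior.clerk@example.com
Subject: Lunch
Content-Type: text/plain; charset=utf-8

Are you free at 12:30?
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, bec_indicators(raw))
```

None of these checks proves fraud on its own; they are cheap triage signals that belong in front of the one control that actually stops the transfer, a second person confirming the request out of band. The lookalike check is deliberately simple (a similarity ratio); a production filter would also use the organisation’s own list of registered lookalike domains and the results of SPF and DMARC evaluation on the sending domain.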

Source: Info Security


BCM Jobs – May Update

Please share this with colleagues who may be qualified for any of these job openings. Thanks for your interest and your help.

BC Management, a global leader in recruiting and placing continuity, resiliency, crisis management and risk management professionals, is assisting multiple clients with their personnel needs.

Seeking candidates for the following jobs:

Seeking candidates with 2 – 7 years BCM expertise.

All candidates should have a Bachelor’s degree or equivalent experience. Industry certification is highly preferred (ABCP, FBCI, CBCP). Minimum 4-6 years direct experience with conducting Business Impact Analysis (BIA), building Business Continuity and/or Disaster Recovery plans, and facilitating departmental and enterprise risk evaluation activities is required. ***All candidates will be required to pass an extensive background check. This position may require ability to have or obtain a security clearance(s).

Candidates must have 10+ years IT disaster recovery tech expertise.

Candidates must have 3+ years BCM expertise.

Candidates must have 2+ years BC/DR expertise. This position is more focused in IT/DR planning working on the corporate governance team.

Only candidates with previous 3rd party consulting expertise with a dedicated advisory practice (Deloitte & Touche, Ernst & Young, HP, IBM, KPMG, PricewaterhouseCoopers, etc) will be considered.

Only candidates with dedicated business development expertise in BC/DR consulting and/or BC/DR SaaS solutions will be considered.

  • Managing Consultant – Information Security – FTE, Permanent – Cleveland, OH or Large Metro City locations

Only candidates with previous 3rd party consulting expertise with a dedicated advisory practice (Deloitte & Touche, Ernst & Young, HP, IBM, KPMG, PricewaterhouseCoopers, etc) will be considered.

Candidates must have proven hands on dedicated expertise managing a global crisis management program within a large corporate environment.

Candidates must have exceptional business development expertise coupled with knowledge of the business continuity profession.

BC Management – Serving Business Continuity Professionals Worldwide over 16 Years!

Ransomware cyber-attack threat escalating – Europol

Friday’s cyber-attack has affected more than 200,000 victims in 150 countries, Europol chief Rob Wainwright says.

He told the BBC the act was “unprecedented in its scale”. The ransomware encrypted users’ files and demanded payment; Russia and the UK were among the worst-hit countries.

Experts say another attack could be imminent and have warned people to ensure their security is up to date.

Mr Wainwright said that the ransomware was combined with a worm application – a program that replicates itself in order to spread to other computers. This, he said, was allowing the “infection of one computer to quickly spread across the networks”.

‘Patch before Monday’

Although a temporary fix earlier slowed the infection rate, the attackers had now released a new version of the ransomware, he said.

What occurred was an “indiscriminate attack across the world on multiple industries and services”, Mr Wainwright said, including Germany’s rail network Deutsche Bahn, Spanish telecommunications operator Telefonica, US logistics giant FedEx and Russia’s interior ministry.

However, he said that so far “remarkably” few payments had been made by victims of the attack. BBC analysis of three accounts linked with the global attack suggests the hackers have been paid the equivalent of £22,080.

The malware exploits a vulnerability in Microsoft Windows’ SMB file-sharing software that, experts have said, was first identified by the US National Security Agency.

Microsoft released security updates last month to address the vulnerability.


The UK security researcher known as “MalwareTech“, who helped to limit the ransomware attack, predicted “another one coming… quite likely on Monday”. MalwareTech, who wants to remain anonymous, was hailed as an “accidental hero” after registering a domain name to track the spread of the virus, which actually ended up halting it.

Source: BBC


Pirates stole the new ‘Pirates of the Caribbean’ movie and are holding it for ransom

Have real-life pirates taken aim at Disney’s pirates?

Walt Disney CEO Bob Iger revealed Monday that hackers claiming to have access to a Disney movie threatened to release it unless the studio paid a ransom. Iger didn’t disclose the name of the film, but said Disney is refusing to pay. The studio is working with federal investigators.

The hackers demanded that Disney pay a huge sum of money in Bitcoin. They threatened to release parts of the film online in increments, first five minutes at a time and then in 20-minute chunks, until the full film is published or their monetary demands are met.

Deadline reported the stolen film is Pirates of the Caribbean: Dead Men Tell No Tales, the fifth installment in the franchise fronted by Johnny Depp. The film is slated to open May 26. Another prominent Disney film set for release in the near future is Cars 3, which is due to hit theaters June 16.

Rumors circulated online last week that a work print of Star Wars: The Last Jedi had been pirated and was being held for ransom, but days later online chatter dismissed that rumor as a hoax. The studio had no comment.

While movie piracy has long been a scourge, ransoms appear to be a new twist.

The ransom demand of Disney comes only weeks after a hacker uploaded 10 episodes of the upcoming season of Orange Is the New Black to The Pirate Bay after Netflix refused to pay an undisclosed amount. The episodes were posted on Pirate Bay six weeks ahead of the series’ official June 9 launch.

Source: The Hollywood Reporter


This has to be one of the most secure security codes!

Do you need to find a code no one could break into? Ask Commander Data for help!

For more, see our special collection for BCAW2017 at https://resiliencepost.com/category/continuity/bcaw2017/

Which locks your phone best: Pins, Patterns or Passwords?

The popular pattern lock system used to secure millions of Android phones could be cracked within just five attempts – and more complicated patterns are the easiest to crack.

With hacking methods getting more advanced all the time, which phone lock should you be using: pin, pattern, password, or print?

Global cyber-attack: Security blogger halts ransomware ‘by accident’

A UK security researcher has explained to the BBC how he “accidentally” halted the spread of the malicious ransomware that has affected hundreds of organisations, including the UK’s NHS.

The 22-year-old man, known by the pseudonym MalwareTech, had taken a week off work, but decided to investigate the ransomware after hearing about the global cyber-attack.

He managed to bring the spread to a halt when he found what appeared to be a “kill switch” in the rogue software’s code.

“It was actually partly accidental,” he told the BBC, after spending the night investigating.

Although his discovery did not repair the damage done by the ransomware, it did stop it spreading to new computers, and he has been hailed an “accidental hero”.

“The attention has been slightly overwhelming. The boss gave me another week off to make up for this train-wreck of a vacation.”

Owning the web address let MalwareTech monitor where infections were happening.

What exactly did he discover?

The researcher first noticed that the malware was trying to contact a specific web address every time it infected a new computer. But the web address it was trying to contact – a long jumble of letters – had not been registered.


MalwareTech decided to register it, and bought it for $10.69 (£8). Owning it would let him see where computers were accessing it from, and give him an idea of how widespread the ransomware was.

By doing so, he unexpectedly triggered the part of the ransomware’s code that told it to stop spreading: the malware checked whether that address could be reached before continuing, and halted when it could.
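The kill switch described above, together with the monitoring it enabled, can be shown as an added example. This is not the malware’s code nor MalwareTech’s tooling; it models the check with the network call injected so it runs offline, and counts which sources hit the registered domain, which is how owning the address revealed where infections were happening. The domain name and the log lines are constructed placeholders, not the real ones.

```python
"""Added example (not the malware's code nor MalwareTech's tooling): a model of
the kill-switch check and of the sinkhole-side view once the domain is owned.
Domain name and log lines are constructed placeholders."""
import re
from collections import Counter
from typing import Callable

# Hypothetical placeholder; the real unregistered domain is not reproduced here.
KILL_SWITCH_DOMAIN = "abcdefghijklmnopqrstuvwxyz0123456789.invalid"


def kill_switch_fires(domain: str, connect: Callable[[str], None]) -> bool:
    """The check as described: attempt a connection to `domain`.

    Success -> the malware exits quietly (the switch fires).
    Failure -> the malware proceeds, which was the case everywhere while the
               domain was unregistered.
    """
    try:
        connect(domain)
    except OSError:
        return False
    return True


def worm_proceeds(domain: str, connect: Callable[[str], None]) -> bool:
    return not kill_switch_fires(domain, connect)


# Three environments, modelled as the behaviour of the injected connect():
def before_registration(domain: str) -> None:
    raise OSError("NXDOMAIN: " + domain)          # nobody owns the name yet


def after_registration(domain: str) -> None:
    return None                                    # sinkhole answers; connect succeeds


def proxy_only_network(domain: str) -> None:
    # Direct outbound is blocked and the check is made without proxy settings,
    # so the sinkhole is unreachable even though the domain now resolves.
    raise OSError("no direct route to host")


# Sinkhole view: constructed access-log lines, "<timestamp> <client> <host>".
SINKHOLE_LOG = """\
2017-05-12T15:02:11Z 203.0.113.10 abcdefghijklmnopqrstuvwxyz0123456789.invalid
2017-05-12T15:02:13Z 198.51.100.7 abcdefghijklmnopqrstuvwxyz0123456789.invalid
2017-05-12T15:02:15Z 203.0.113.10 abcdefghijklmnopqrstuvwxyz0123456789.invalid
2017-05-12T15:02:20Z 192.0.2.44 www.example.org
"""
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def hits_per_source(log_text: str, domain: str) -> Counter:
    """Count, per client address, requests for the kill-switch host.

    Each hit is a machine that ran the sample and got as far as the check;
    from the sinkhole this is an infection map, not a list of encrypted hosts.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3).lower().rstrip(".") == domain.lower():
            counts[m.group(2)] += 1
    return counts


if __name__ == "__main__":
    for name, env in (("before registration", before_registration),
                      ("after registration", after_registration),
                      ("proxy-only network", proxy_only_network)):
        print(f"{name:20s} worm proceeds: {worm_proceeds(KILL_SWITCH_DOMAIN, env)}")
    print(hits_per_source(SINKHOLE_LOG, KILL_SWITCH_DOMAIN))
```

The third environment is the caveat a defender needs: a check like this, made without proxy settings, fails on any network with no direct egress, so machines there keep running even after the domain is registered. The converse also holds: any middlebox that answers for every hostname makes the switch fire, which is why a sandbox that fakes DNS can make such a sample look inert.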

Source: BBC


Business Continuity Awareness Week 2017: it’s here!

2 out of 3 organizations have experienced at least one cyber security incident during the last year.

Cyber attacks and data breaches have proven to be two of the greatest concerns for business continuity professionals for several years running. The latest research from the Business Continuity Institute has shown that:

  • 88% of BC professionals have expressed concern about the prospect of these threats materialising
  • In the last year, 66% of organizations have reported at least 1 cyber security incident
  • 15% of organizations have experienced at least 10 cyber security incidents in the previous year.

Looking at the trends that have evolved out of this research, it is no surprise that cyber security was selected as the theme for 2017’s Business Continuity Awareness Week. As the world becomes more digitally-led we must address the new threats the virtual world presents.

Some may even ask if Business Continuity and Information Security are converging!

How to get involved in BCAW 2017

Just as we need to protect our organizations from disruptions that occur in the physical world, so it is important that we also have plans in place to deal with disruptions in the virtual world.

BCAW COLLECTION
Browse and share our collection of Information Security and Business Continuity publications

Ways to get involved in BCAW 2017:

  • Download the free poster series below and display them around the office and on social media to raise awareness.
  • Follow #BCAW2017 to join in the conversation on Twitter and @resiliencepost for leading thought pieces and interesting videos throughout the week.
  • Browse and share the collection of Information Security and Business Continuity publications we have assembled for you!
  • Discover how an ISO 27032 Lead Cybersecurity Manager certification can make your life a lot easier!

So what will you do to raise awareness of business continuity and the importance of cyber security? Please, share your original ideas in the comment section below!

Time for a Checkup… Business Continuity Training

There is general agreement that training is an essential element of a Business Continuity Program. An ongoing cycle of training, exercises, and tests is critical to maintaining and continually improving organizational business continuity capability. And, as with all other components of your Program, periodic reviews and updates of your training are necessary.

Start by asking some questions.

Q. Do all employees know what programs are in place and at a minimum, the purpose of each?

Any plan, any procedure will be of limited value if employees do not know it exists, its purpose, and what it means for them. Perception is reality, and the perception of employees who are not aware of the BC Program is that it does not exist. For them that is their reality.

Q. Does your training program include the appropriate training for all levels of the organization?

Start with the basics at new employee orientation; include annual refreshers. Every employee should be aware of the mutual expectations – what they are to do, what the organization will do. For some, the plan states that they are to wait to hear from their supervisor with instructions for when and where to report.

While it sounds simple, employees who do not know this is the case may show up at their normal workplace, possibly creating confusion and unnecessary work.

Q. Do you include a review of the organization’s continuity-related policies?

For example, if policy dictates that employees are not to make statements to the media, make sure they know that is the case and provide the name and contact information of the person(s) to whom media representatives are to be referred.

Q. Does training for BC team members – primary and alternates – go well beyond handing someone a plan document or checklist and assuming they understand and can carry out the assigned duties?

Not only must they know what to do, in addition, they should have an in-depth understanding of how their actions fit in the overall picture. This awareness has been shown to be the largest factor contributing to compliance with established continuity-related policies and preparedness activities prior to an event and to following established procedures when a disruption occurs.

Q. Is there a big picture approach to the training… an annual schedule of orientation and refresher sessions, training, exercises, and tests?

This all-inclusive approach gets BC training opportunities on everyone’s calendar well ahead of scheduled dates, helping to ensure the availability of people and training facilities. Establish a curriculum outline for each training component… training goal, information to be covered, to whom it is directed, training duration, how often it will be conducted, and outside resources required. Poll BC teams to learn what additional training would be helpful.

Consider using expert external trainers who bring new insights and experience or who can provide specialized training for employees seeking advanced training or professional certifications.

Q. Is consideration given to how adults learn?

Research on adult learning (e.g., Malcolm Knowles’s work on “andragogy”) has shown that there are some characteristics that are typical of most adult learners. Here are five to consider.

  1. While adults can learn from reading, listening to lectures, and watching, they learn more from interactive learning that allows them to be involved. Exercises, group discussions, and activities lead to improved learning.
  2. They want to know how the training will help them. Can they apply what they learn in real life? Does the training help them advance their career? When employees see the value the training has for them, they are more motivated and committed to the training.
  3. Actual life experiences of trainers and trainees are a meaningful resource. Both bring knowledge into the room and make the training collaborative. Beyond formal training content, information that is current and relevant keeps the topic fresh, up-to-date, and relatable.
  4. While managing disasters is serious business, training need not always be grim. Used appropriately, humor is an excellent teaching tool.
  5. Avoid overusing jargon and acronyms (e.g., BCP, BIA, RTO) that may seem like a foreign language for those new to business continuity. Define special terminology; provide a glossary.

Q. Does your business continuity program include the appropriate level of training for all employees… from the mail room to the executive offices?

A well-designed training program helps ensure that everyone is aware of the part they play. The result is greater program maturity, a better prepared organization, and a stronger line of defense against future disasters.


Betty A Kildow

ABOUT THE AUTHOR – Betty A. Kildow has been a business continuity management consultant for more than 20 years. She is an ISO 22301 Master, an ISO 28000 Lead Implementer and Lead Auditor, and a member of the ContinuityLink Training Team.

Don’t think your company’s information is worth stealing? Think again

Last year Goldcorp, a Canadian mining company with approximately 15,000 employees, suddenly became aware that its internal network had been compromised. The perpetrators had successfully obtained 15 gigabytes of corporate data including tax returns, personal information, financial and operational data, and even copies of expired passports belonging to some of the directors.

Part of this data had been publicly leaked online in an apparent attempt at extortion. The RCMP were contacted and are investigating. Goldcorp reacted quickly with its own security team; however, by then much of its corporate laundry had already been hung out for all to see.

Less than a year earlier, Detour Gold Corp. had the displeasure of a similar experience. Accessing and exposing business data is a profitable endeavour and, according to the Global Risk Institute, one that has grown 38% since 2014, impacting $1 trillion. With attention focused on the heightened risks and sensational consequences of attacks by international criminals and state-sponsored agents, businesses often overlook the risk that exists in their own backyard. Understanding security and risk means looking at the entire organization.


When good employees go bad

Consider that the many technologies designed to keep external intruders out also let authorized users operate daily on nothing more than trust that they will do the right thing. This intersection of individual staff access, working business data and business technology can become a risk as potent as any shadowy hacker far away. It is important to identify these risks too, and to take precautions that anticipate what may happen when good employees go bad. Business technology can be used to increase productivity, but it can also be used to wipe tracks clean. Internal process and technical controls can likewise serve to rapidly identify when data exfiltration is occurring.
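One technical control of the kind the paragraph above refers to, as an added example that is not from the Business in Vancouver article: flagging a user whose outbound volume departs sharply from that user’s own history, or who starts sending to a destination never seen before. The log format, the users and the volumes are constructed for illustration; real input would come from a proxy, firewall or cloud-storage audit log.

```python
"""Added example (not from the article): a per-user egress baseline that flags
sudden volume spikes and first-seen destinations. Log format and data are
constructed for illustration."""
import re
from collections import defaultdict
from statistics import mean

# Constructed egress records: "<date> user=<id> dst=<ip> bytes=<n>"
EGRESS_LOG = """\
2017-05-08 user=alice dst=203.0.113.5 bytes=52000000
2017-05-09 user=alice dst=203.0.113.5 bytes=48000000
2017-05-10 user=alice dst=203.0.113.5 bytes=55000000
2017-05-11 user=alice dst=203.0.113.5 bytes=50000000
2017-05-12 user=alice dst=198.51.100.9 bytes=15000000000
2017-05-08 user=bob dst=203.0.113.5 bytes=20000000
2017-05-09 user=bob dst=203.0.113.5 bytes=22000000
2017-05-10 user=bob dst=203.0.113.5 bytes=19000000
2017-05-11 user=bob dst=203.0.113.5 bytes=21000000
2017-05-12 user=bob dst=203.0.113.5 bytes=23000000
"""
RECORD_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) user=(\S+) dst=(\S+) bytes=(\d+)$")


def parse_records(log_text: str) -> list:
    """Return (date, user, dst, bytes) tuples; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            date, user, dst, nbytes = m.groups()
            records.append((date, user, dst, int(nbytes)))
    return records


def flag_exfiltration(log_text: str, ratio: float = 5.0,
                      absolute_bytes: int = 1_000_000_000) -> dict:
    """Return {user: (latest_date, [reasons])} for users worth a look.

    A volume alert requires both `ratio` times the user's own mean on earlier
    days and an absolute floor, so a quiet user's first modest upload does not
    page anyone; a destination alert fires on any host not seen on earlier days.
    """
    totals = defaultdict(lambda: defaultdict(int))   # user -> date -> bytes
    dsts = defaultdict(lambda: defaultdict(set))     # user -> date -> hosts
    for date, user, dst, nbytes in parse_records(log_text):
        totals[user][date] += nbytes
        dsts[user][date].add(dst)

    alerts = {}
    for user, by_date in totals.items():
        dates = sorted(by_date)
        if len(dates) < 2:
            continue                                  # no history to compare against
        today, history = dates[-1], dates[:-1]
        baseline = mean(by_date[d] for d in history)
        volume = by_date[today]
        earlier_hosts = set().union(*(dsts[user][d] for d in history))
        new_hosts = dsts[user][today] - earlier_hosts

        reasons = []
        if volume > ratio * baseline and volume > absolute_bytes:
            reasons.append(f"{volume} bytes out vs baseline {baseline:.0f}")
        if new_hosts:
            reasons.append("new destination(s): " + ", ".join(sorted(new_hosts)))
        if reasons:
            alerts[user] = (today, reasons)
    return alerts


if __name__ == "__main__":
    for user, (date, reasons) in flag_exfiltration(EGRESS_LOG).items():
        print(user, date, "; ".join(reasons))
```

The baseline is each user’s own history rather than a fleet-wide figure, because a developer pushing build artifacts and a clerk sending invoices have legitimately different norms. The control is deliberately cheap to run daily; its value is that it fires while the copy is still in progress, which is the window the paragraph above is about.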

Mitigate your business’ security risks

Maintaining an organizational security posture that includes people, processes and technology is key to making sure your organization is at reduced risk of having a really bad day. Every organization should seriously consider preparing an enterprise-wide security plan that establishes structure, policy, training, incident response and regular reviews. Knowing just where to start can seem daunting, but, like any other IT-related process, security can follow a lifecycle model.

The Security Lifecycle is an ongoing process of defining, refining, verifying and prioritizing security policy. The lifecycle defines practices, controls and tasks that aim to secure business data and ensure business continuity. The beginning of this process starts with the definition of security policies, which should generally include both high-level and detailed information, depending on the size and complexity of the organization. The method of policy development can vary, but should involve identifying some important known risks and key information assets to protect as part of the first pass through the lifecycle. For each risk or security priority, there should be a defined set of security controls mapped.

Source: Business Vancouver


Business recovery should be simple enough to teach an 8-year-old

The future entrepreneurs and leaders are communicating and engaging with the world, using the technology of today. Children are smart and can learn new things very quickly.

Today’s technology is so amazing that we have instant access to information to entertain and educate ourselves; it’s in the palm of our hands.

We depend on businesses and industries to help us live. We also use them to help develop our life and family ambitions. Our livelihoods are intrinsically linked to work and the work life balance is key to all of us.

The subjects of business resilience, business recovery, disaster recovery, business continuity management (BCM) and organizational resilience (OR), often treated as a dark art, are full of complexities. Sometimes they need to be, because businesses can be complicated.

But these subjects are not the easiest to explain to an adult let alone convince the future generations that resilience is needed to protect our livelihoods. The subjects are somewhat shrouded in negativity rather than positivity. That had to change and it has.

If the future generations can understand and recognise the value of resilience in life and in business, then there is a greater opportunity it will happen and be achieved in the future.

If the next generations can develop resilience and recovery more simply than before, then so can the business leaders of today. 100% optimism.

Do you share Paul’s optimism? Do you agree with this post? Please share your thoughts in the comment section below.



ABOUT THE AUTHOR – An international business resilience leader, Paul Kudray is a Fellow of the EPC and a Fellow of the Institute of Civil Protection and Emergency Management (FICPEM). He is a Lead Auditor for ISO 22301. In 2014 he founded his own consultancy, and he is an excellent, forward-thinking resilience innovator and blogger. paul@kudrayconsulting.com

If you have ‘nothing to hide’, here’s where to send your passwords!

If you believe that you have “nothing to hide” from the prying eyes of the NSA, you shouldn’t mind letting a stranger rifle through your bank statements, emails, and photos — right?

Nearly every week, I hear someone shrug off privacy issues with a claim that they’re not worried because they have “nothing to hide” from the government.

Let’s put a cork in it, once and for all.

Journalist Glenn Greenwald, love him or hate him, offered attendees at his October TED talk a bulletproof argument (as far as I can tell) against the “nothing to hide” argument.

He said:

“Over the last 16 months, as I’ve debated this issue around the world, every single time somebody has said to me, ‘I don’t really worry about invasions of privacy because I don’t have anything to hide,’ I always say the same thing to them.

I get out a pen. I write down my email address. I say, ‘Here’s my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you’re doing online, read what I want to read and publish whatever I find interesting. After all, if you’re not a bad person, if you’re doing nothing wrong, you should have nothing to hide.’

Not a single person has taken me up on that offer. I check that email account religiously all the time. It’s a very desolate place.”

Throwing out the poor excuse that you have “nothing to hide” just doesn’t work. It never has, and it never will. It’s lazy, naive, and borderline idiotic. Everyone has something to hide.

Even if it’s just your password.

Do you remember that time you had that sexy webcam session with your then-partner? So does the NSA. How about that drunken email you sent to your work colleague, which you apologized for and was swept under the rug, and was forgotten about the next day? The NSA remembers. What about that phone call you made last year, which you don’t remember the full details of, but you told that person something about work you really shouldn’t have? It’s fine because the NSA does.

Every search you make on Google, Facebook or Bing can be, and is being, used to build up a profile on you. That’s not a secret; it’s their business model. They sell it to advertisers for clicks, and they generate money based on your information.

Everyone has something they are embarrassed, ashamed, or frightened of. Everyone has secrets.

And even if you think you are entirely immune from government surveillance because the Fourth Amendment, which restricts unwarranted searches and seizures, protects you?

You may not believe you’ve broken any laws, but with a vast profile in your name residing on a server somewhere, how can you possibly know? Could you unknowingly be connected with a person linked to crime, and be subject to searches without your knowledge?

And if you really, truly, whole-heartedly believe that you don’t have anything to hide? You clearly won’t mind someone rifling through your emails, your photos, your documents, your bank statements, and even your household trash — not to mention your usernames and passwords.

Source: ZDnet
