
COMP3357 Managing Cyber Risk

Richard Henson University of Worcester May 2018. COMP3357 Managing Cyber Risk. Week 12: Using Risk Assessment for BCP…. Objectives: Use the risk treatment plan to create a useable Business Continuity Plan


Presentation Transcript


  1. Richard Henson University of Worcester May 2018 COMP3357 Managing Cyber Risk

  2. Week 12: Using Risk Assessment for BCP…
  • Objectives:
    • Use the risk treatment plan to create a useable Business Continuity Plan
    • Apply the results of business continuity planning (BCP) to allow a business to contemplate 100% uptime, 24-7!
    • Use RTP/BCP/certification to help a business gain market share

  3. Stages in BCP…
  • Where to start?
  • Internal systems need to be working smoothly
    • for safety & security keep separate from any online operation until this is a reality
  • External systems (e.g. managed website and Internet connection) also need to be working smoothly
    • software failure (system or app)

  4. Transformation Strategy?
  • More efficient to integrate website with internal processing system
    • no digital>analogue and vice versa
  • BUT… one thing at a time…
    • put together a BCP to keep them working smoothly as aligned separate systems
    • back up plans in place for:
      • environmental disasters
      • hardware failure

  5. Align BCP with Information Security Policy
  • Information management should be central to organisation’s strategic plan…
    • therefore part of organisational policy…
    • security of data and BCP part of same policy
  • Large organisations…
    • easier to align via ISO27001 & ISO22301
  • Small organisations…
    • align with simpler standards e.g. PCI-DSS, IASME

  6. Asset Register for BCP
  • Refer to asset register used in risk assessment… (incl. information assets)
  • Risks for BCP purposes may not be the same as risks regarding data loss
    • malicious code introduced by a virus in an email attachment may bring the system down but not cause loss of data
    • a hacker may sneak in and copy data without appreciable difference in system performance
      • could go on for months without being detected (!)

  7. Using the Asset Register
  • Create another column in the asset register stating how a backup for each category H asset can be put in place efficiently
    • make sure a plan is in place to quickly replace that asset if damaged!
    • make sure that plan is put to the test on a regular basis!
      • no good if replacement resources are not working or compatible
    • better to use a scenario in which several assets are compromised
      • design a rehearsal accordingly…
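As an added example (not from the course slides), the extra BCP column from slide 7 on top of the asset register from slide 6, with a check that flags category H assets lacking a replacement plan or a recent rehearsal, and a helper that picks the assets a "several assets compromised" rehearsal should exercise together. The `Asset` fields, the 180-day rehearsal interval and the sample rows are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Asset:
    """One row of the risk-assessment asset register, extended with the BCP
    columns slide 7 asks for. Constructed model, not from the course slides."""
    name: str
    category: str                # risk rating from the assessment: "H", "M" or "L"
    availability_risk: bool      # failure would take the business offline (BCP risk)
    confidentiality_risk: bool   # compromise would leak data (data-loss risk, slide 6)
    backup_plan: str = ""        # the extra column: how a replacement is put in place
    last_rehearsal: Optional[date] = None   # when that replacement plan was last tested

def bcp_gaps(register: List[Asset], today: date,
             max_age_days: int = 180) -> List[Tuple[str, str]]:
    """Flag category H assets whose backup column is empty or whose replacement
    plan has not been rehearsed within max_age_days (assumed interval)."""
    gaps = []
    for a in register:
        if a.category != "H":
            continue
        if not a.backup_plan.strip():
            gaps.append((a.name, "no backup/replacement plan recorded"))
        elif a.last_rehearsal is None:
            gaps.append((a.name, "replacement plan never rehearsed"))
        elif (today - a.last_rehearsal).days > max_age_days:
            gaps.append((a.name, f"last rehearsal older than {max_age_days} days"))
    return gaps

def rehearsal_scenario(register: List[Asset]) -> List[str]:
    """Category H assets that carry an availability risk: the set a single
    'several assets compromised' rehearsal should take down together."""
    return [a.name for a in register if a.category == "H" and a.availability_risk]

# Constructed sample register (names, ratings and dates are invented)
REGISTER = [
    Asset("Order database", "H", True, True,
          "restore nightly snapshot to standby server", date(2017, 10, 1)),
    Asset("Managed web site", "H", True, False,
          "fail over to hosting provider's mirror", date(2018, 4, 20)),
    Asset("Customer mailing list", "H", False, True),
    Asset("Reception PC", "L", False, False),
]

if __name__ == "__main__":
    for name, problem in bcp_gaps(REGISTER, today=date(2018, 5, 1)):
        print(f"{name}: {problem}")
    print("rehearse together:", rehearsal_scenario(REGISTER))
```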

  8. BCP and Trust
  • People generally trust each other
  • BUT other people can exploit their trusting nature
  • This is not a new phenomenon… (!)
    • example…
    • https://www.youtube.com/watch?v=Yjgf-HQKRcE
    • https://www.youtube.com/watch?v=ShE27Hst_NM

  9. Who to Trust?
  • Is everybody potentially an “Honest John” or “Big Bad Wolf”?
    • good for children to be wary of strangers…
    • should adults be equally wary?
  • Many psychology experiments show how effective some techniques can be for making one adult trust another…
  • Terms & Conditions? (who reads them?)

  10. Trust of an Authority
  • One of the most effective tactics with adults…
    • deceiver pretends to be a manager or senior manager
    • employee says a lot more than they should
    • especially effective on the telephone!
  • Organisations need to train employees to be wary of an authoritative voice seeking information!

  11. Trust of a Facebook Friend
  • Anyone can get a Facebook account
    • some will be criminals…
  • People want to befriend people whose views agree with theirs
    • could be genuine, but maybe not!
  • Many tactics for gaining people’s trust online!
    • especially to find out their password!

  12. Passwords
  • 128 ASCII characters available…
  • 8 character password has 8 x 128 = 1024 possibilities (not much!)
    • “brute force” algorithm would be able to guess quite quickly
    • each extra character makes it more difficult… https://howsecureismypassword.net/
  • Better to use a longer password
    • the longer the better!
    • don’t tell anyone what it is!

  13. Social Engineering
  • Confusing term used to indicate being deceived using modern technology:
    • Email message
    • Web page
    • Social media
    • Telephone call
  • Conning & deceiving people… illegal:
    • passwords: Computer Misuse Act (2012)
    • money: The Fraud Act (2006)

  14. Social Engineering Techniques and Fraud
  • People ARE still being conned!
    • techniques increasingly subtle!
    • websites/email messages designed to look plausible, not suspicious
    • telephone callers well practised at being plausible
  • People don’t know what to do if they have been conned…
    • Get in contact immediately with Action Fraud https://actionfraud.police.uk/

  15. Communicating the BCP Plan
  • All employees need to know what to do if a failure occurs:
    • e.g. IT systems failure:
      • IT staff switch to backup
    • If an environmental problem:
      • switch to external backup
  • Assumes that such backups are in place…
    • no backup, no hope!
    • Macron: “There is no Planet B”

  16. Checking everyone knows the BCP Plan…
  • Equivalent of a fire drill!
    • all employees should know the warning signs…
    • and what to do next…
  • Strategy:
    • stage a “mock” attack and see how everyone behaves!
    • have a “wash-down” and learn lessons so better prepared for the real thing!

  17. CIA (a recap…)
  • Confidentiality (secure)
  • Integrity (not hacked)
  • Availability (I want it… now)
  • All ESSENTIAL for online trading (BCP focus on availability)

  18. BCP and Competitors…
  • Good service to customers depends on IT not failing
    • with good BCP, shouldn’t happen…
    • steal a march on competitors (!)
  • Customers don’t think about IT…
    • expect it to work…
    • if it does, & good experience… may well return
    • when things go wrong
      • NOT much loyalty…
      • go to a competitor’s website

  19. BCP and Reputation
  • Business relationships… like all human relationships…
    • can take 25 years to build…
    • and 5 minutes to knock down!
  • Good BCP should ensure that the business doesn’t lose reputation because of failing IT
    • won’t stop hackers altogether (need information assurance)
    • may delay their effects…

  20. ISO27001 and BCP
  • BCP protects availability…
    • confidentiality and integrity of information also essential
  • Confidentiality continuity fundamental to business continuity
    • whole section A17
  • Integrity continuity essential for GDPR
    • whole section A12 (Operational Security)

  21. BCP and Business Success
  • All online businesses must aim for 24-7 trading
    • customers free to choose!
  • 24-7 uptime may depend on business partners… (see context diagram)
    • if so, they should be subject to BCP and BCP rehearsals as well!
    • not funny for competitiveness to be hindered by matters beyond their control… (!)

  22. BCP and Success
  • If it can go wrong, it will!
  • Planning, planning, planning!
  • One lost customer could (via social media) become many…
    • bad news travels fast!
    • need to manage media
    • otherwise reputation may be trashed
