RCR 026: Business Impact Analysis (Part I) - CISSP Study and Training!

Description:

Shon Gerber from ShonGerber.com reveals to you the steps and the cybersecurity training you need to grow your Information Security career while protecting your business and reduce your company’s cyber risk. Shon utilizes his expansive knowledge while providing superior training from his years of cybersecurity experience.

In this episode, Shon will talk about recent security news: Sensor panic - Why you should be concerned about Privacy; Malware targeting job seekers - LinkedIn phishing scams targeting job seekers; UK's worries about Huawei; Business Impact Analysis - Part I providing cybersecurity guidance for your Business Continuity program.

As always, utilize Shon’s cybersecurity training to help fulfill your Continuing Education credits for your CISSP or other security certification.

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet? LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com - https://reducecyberrisk.com/

Facebook - https://www.facebook.com/CyberRiskRed...

Transcript:

reduce cyber risk podcast for we provide you the training and tools you need for your cybersecurity career hi my name is Shon Gerber and I'm your host of the action-packed informative podcast join me each week and I provide you the information you need to grow your cybersecurity knowledge while taking practical and actionable steps to protect your business from the evil hacker horn all right reduce cyber risk and the reduce cyber risk podcast episode 26 February 25th 2019 got some great stuff going for you today and the great wonderful reduce cyber risk and it's going to be thanks to talk about as they relate to cybersecurity and businesses and with the training aspects you can get a lot of great information from the different malware of the different aspects that are affecting businesses from other podcast Focus primarily on what are things that are detailing with a business and what a security officer within an organization may be worried about my view on it impact analysis part one and these are really really important as you're relating to trying to figure out a business continuity plan and a disaster recovery plan for your company if you're studying for the cissp is also a great piece of information you'll need for the cissp test alright let's roll on alright the first one of our cyber security news is around sensor panic and yeah that's not so good when you're panicking about sensors it most places people would go why are you panicking about a sensor well guess what let me tell you what it came down to is its Singapore Airlines Singapore Airlines flight and was looking at the multimedia display that you typically get Andy's airplanes will the interesting part about it was this individual saw a circular indentation and honestly I'm half asleep when I get on an airplane and I don't pay a lot of attention but I guess if you're bored on a long flight you will look around well this individual looked around and saw this indentation in the backseat and basically than the screen that they're looking at well basically hit the twitterverse and said hey what's this and that blew things up because she's a big deal now should have always been a big deal but it's a big deal and all of these are not the droids you're looking for this is nothing but actually after little while they did come back and say no it was for future quotes enhancements that will be set up in the ability for down the road well I don't blame them in this regard is when you building an airplane airplanes cost gobs of money and when you ordered lots of airplanes that cost gobs of money you kind of want to pack them babies full of features whether they created or not right away or now really make a whole lot of sense or created at this point or whether available for the future it's the future enhancements aspect until they created this with a camera the supposedly does not work and it's not turned on but it is there and it's stationary in the event that they decide to enhance that from what I read in the article was that it was designed for when they do facial facial recognition to allow you accessing to the multimedia capability which is actually kind of scary cuz you know I have all these people going into this looking for facial and so where does that day to go and who gets copies of that so yeah it's kind of scary stuff but that is what they were concerned about was that what's happening with Google right so Google comes into and says what hey they failed to disclose the microphones are on some other Google assistants well the part of it comes into is that instead of future enhancement now there's goes two ways one is it I understand completely you got Alexa at home I've got Alexa in my house if people have Google assistants in their house but bottom line is they have ways that they want the ability to have this thing's all interconnected but in this case it was a situation where they had a microphone that was never meant to be disclosed because they just didn't think it would ever be people would notice it and it really wasn't functionality right now so we decided to keep it a secret but it never really told you about it I guess it was in the documentation around came out that there was a speaker there however the question comes into is so why didn't they. Tell you now I say all this just because privacy such a big deal it is becoming a bigger deal because now we're finally realizing how invasive some of these this technology is I've also believe in this fact for from since the beginning I got into this space is that if people are going to listen to you if you put a microphone in your room they're going to be listening at some point somebody could be listening to what's going on so if you have in your bedroom you may want to ask yourself is that a good thing or bad thing just depends right you're plotting the end of the world well then they microphone in your room now they said the Alexa is a bit concerned but I will also challenge that thought process and say that all of us take our phone wherever we go and in many cases people are taking them put them to the bathrooms right surf the web when they're doing their business so guess what cameras are everywhere microphones are everywhere so you have to decide is that a good thing or bad thing and what part of that are you going to monitor and not worry about well something else to consider is the fact that we we like to think of you know that power will use for good and not evil and when I come down to the United States is where I live and being former military I would say well you know what the US government's got my best interest at heart they have their own interests at heart and this comes down to the fact of every country out there as got their own interests at heart the purpose is to protect their citizens in most cases and the other is to protect their own interests and that's the other side of the house so understand that if you are getting sucked up by somebody somewhere whether you're in the United States with a green China Venezuela Venezuela may not have a whole lot right now but they may future countries are out looking out for their own bed so privacy needs to be a concern well recently was a situation with the Facebook privacy issues which were all well aware of the Russian hacking Panda Chinese Espionage as well yield version 2 all these things are well known and I guess what the Russians did try to hack probably the election and they probably tried multiple elections since the beginning that they've been able to hack they're trying to take advantage of whatever they can save the Chinese government they all are trying to take advantage of whatever they can around the globe but we have to be concerned about about privacy so therefore you need to be understand as you're going into all of this stuff one of their you're dealing with Facebook whether you're dealing with your phone whether you're dealing with the Google Assistant Alexa you name it everywhere there are microphones now and now that we get into 5G and wants five G's in place there's going to be a sensor on every Tower everywhere these are not like these are all basically millimeter wave antennas and they're designed to have very short distances to give you high bandwidth capabilities so outside of the environmental effects that that may cause you to put that aside the bottom line is that there's going to be at cameras and microphones everywhere watching everything you do just like right now as I'm recording this podcast has a camera look at me straight in the eye everyone is listening but you need to keep that in the back of your mind and always be cognizant of it and the next news we have a malware campaign targeting job Seekers this is primo awesome I said it not from a standpoint of it people are getting targeted in the fact that if you are a social engineering person that thinks like a bad guy and maybe potentially is a bad guy or gal this is a great way for you to Target people now if you are a security professional and you are trying to protect your individuals this is a great opportunity for you to talk to your people about what they need to put on LinkedIn now I'm on LinkedIn that's not bad if you check me out Shon Gerber find me on LinkedIn now the question comes around that though is if you reach out saying hey I'm interested in getting partner with you and I don't know you from Adam probably highly likely that I will reject that conversation why cuz either hi you're probably trying to scam me or your vendor trying to sell me something... just saying the fact that you got to be very wary of Who You soliciting information for you in this case here they're using LinkedIn as a direct messaging tool to contact individuals building a rapport with the individual with the goal that they will then visual trying to hack into your information I have a follow-up they have fake websites they have emails you name it all the stuff is in place I'm going to go back to the time back of the rollback time back time back machine that doesn't make a lot of sense but see my third grade education is coming out and in a previous life my name is Jessica yes and I used a lot of social media platforms to take advantage of Airmen not in that kind of way but in a way that I would dry social engineering and then that would get them to disclose all kinds of interesting things the point of that was was that it's it's a topic that's been around forever and the interesting part around Facebook and and all these social medias I'm not targeting one of these as bad or good you have to be a buyer beware you have to be aware that there are people on the internet that may not be who exactly they say they are the commercial where the guy that is a picture does not look like the person that there's that young lady sitting with that's a perfect example of that she got to be very careful if you are using LinkedIn and you're looking for jobs guess what you're hungry you're looking for opportunities so if you're looking for opportunities what's going to happen is that you bring to be more susceptible potentially for a social engineering fish so again you need to think about that and teach your employees what to look out for again if they're going to have their stuff out there do you need to tell them to be careful of who soliciting information on them and if they need to do their research if there's somebody that ask for a job LinkedIn profiles you need to provide the information for they provide basic what ended up happening was they would send them delicious on different topic they would send a malicious email with a malware payload so this payload will be set up so that would end up happening is is they would go and they would Target them to click on the link a pelo would drop and then they would end up owning that machine again these are very sophisticated the original ones weren't so super sophisticated than the fact they have lots of information on the individual so they could beat make the spear phishing attempt much more palatable and look much better but his bottom line is is that they liked it was about now they've been moving beyond that though it from a basic fishing to a more sophisticated remote access tool called a rat and these rats are allowing people to once you click on the link payload is just is installed and therefore now they own the machine that you're working on that this is again targeting 101 social engineering I like to call the psychological operations with military does people to think what may or may not actually be true so against moving beyond the basic fishing to a more sophisticated make sure again that you teach your employees and you teach the people that work with you what to look out for these type of scams alright the next topic UK officials are worried about huawei's presents All rights if you're not familiar with Hue what's going on with them they are Chinese company and they have been in the news lately for having some Espionage Act aspects around their company I have can't say was right or wrong don't know the intelligence all I know is that the US government has banned way products from within the US I also have a situation out for the Chinese company around stolen IP that was stolen from T-Mobile so those are some key things that the US government's not real keen on way now they are Chinese company that has I don't know I'm definitely not I got the Chinese children but I am not Chinese by any stretch of the imagination and so one thing I do know is that the Chinese government typically will like to partner with companies within China and if you are a Chinese run company then that's even better for them and they all work together they work for the betterment of their of the party of the society so it a company that is in Hawaii name has the ability to partner with Chinese government well their allegations are that they are basically eavesdropping for the Chinese government fantastic said I can't answer what that's right or wrong don't know the UK is struggling with a decision on what they're going to do their new 5G rollout that they're planning on doing within you the United Kingdom and so therefore a lot of the receivers are coming from way why they're coming tonight, and the challenges that do they Implement those within their organization and like I said 5G to censor basically on every street corner if that's the case they now have basically put sensors everywhere and if there's a feed going back to the Chinese government you now have put sensors all over your country feeding for the Chinese government what a great way to get intelligence if you are a warring Countrywide to take over global domination not saying that they're doing that taffy from it it's pretty amazing so that's one of the things that is the UK government is trying to understand is is that a good thing or is that a bad thing I don't know it'll be interesting to see where it goes for the United Kingdom but I know for me to ask US government has not worked out so well for way however I will say this the Chinese government probably cuz one of the bigger is a big bushes that we're seeing that the Chinese government is moving into is the third and second world which basically means some of the more little areas that have opportunities for improvement Africa's is got a lot of Chinese influence as well as other Asian countries so guess what China will just end up taking over the rest of the globe with all of their technology while the US says we will not do it that's good that's bad I'm all for us go us red white and blue if you're not from the US you may go whatever color you're countries from however the key point of it is is that's what the UK's worried about at this point so if your professional you may want to consider what you put within your organization if you are dealing with stuff that is really pretty benign maybe it's not a big deal if you're dealing with stuff that is more along the lines of maybe High intellectual property and something that's concerned you may want to think twice about using that product but I will also caution you the fact that most everything comes from all over the globe its source everywhere so unless unless you have a Foundry and you are stunning from your supply chain aspects and you control it from beginning to end you're going to struggle with this spot because you got to ask the question is who else is code is in there so just something to consider as you are trying to protect your organization in your company computerworld that's one of the part that I came back with sensor Panic dark reading and then there is about campaign targeting job Seekers and then SC magazine is getting into basically security news and government all these lights will be on my website at reduce cyber risk and before you run with the training I was going to put a plug in there for reduce Everest make sure you check it out we got some great free stuff for you just got to sign up with me on my email list and I have a job of information that movie pass it on to you as well so check meowt reduce cyber-risk you going to check that on YouTube at Shon Gerber Shon yes I know it's Unique Gerber baby food or toilet all right moving on your training is the cissp supplement training that I put out there again not just for Security Professionals this is our for Security Professionals that can business owners can take advantage of this training as well to help protect your business but if your small or medium-sized business and you can't afford a security professional this a great place to start business impact analysis part one okay in this training will be getting into a business impact analysis or known as a Bia this is part 1 of a two-part series and we're going to focus on this aspect of this how you deal with business continuity planning and it also rolls into come Disaster Recovery as well but a business impact analysis as it relates to cyber operations now we're first going to get into what is business continuity and a part of my cissp training that is available at you will see a the ability for you to get into some level of business continuity and is you're talking to is run try to understand cybersecurity and the different ways that you can protect your business you can protect your company or you can learn the cissp there's some key things that you need to keep in mind one of those his eye is a business continuity plan identify the need and this is what it comes down to is what do you need to do to keep your business operational in the event of a disaster or something else that may happen to it so if you have a disaster that occurs can you order the processes that are going to need to be in place to ensure that it stays operational and some people made it all you know what is a tornado rolls through their town and takes out their business they their business continuity plan as they operate out of her house it could be where do you know what they did take a. And then they come back up but there needs to be a plan of how you going to maintain your operations and at least continue to consider this is what are you going to do how you going to handle that and what should you put in place from a plant standpoint just need to understand is there any requirements from a regulatory or regular need or potentially even a business need that you cannot have any data loss or if the data loss that occurs during the incident is very small and easy to manage if that's the case then that that will help you with understanding your business continuity plan as well so the amount of loss of data is a very cute pet points and we talked about the amount of data also the time in which it was lost are there be a couple points that we'll talk about with RTO and RPO which is recovery time objective and Recovery Point objective each of those have a play-in how we understand business continuity planning also that you deal with a fully audible Trail so is it something that you need to audit now is there some regulatory requirements at force you to do this or just the fact of good business sense you want to be able to audit this capability so that's another part of looking at the need for around business, annuity Geographic BC plans are based on external factors you may have a situation where your business so you have an earthquake zone and you need to have some level of understanding about what would happen and how would you deal with an earthquake if it was in your in your environment also there are regulatory requirements that may force you to do this it may be saying that the regular regulations say because you live on a fault line you have to have a strong business continuity plan in place because let's just say you're a financial institution or you deal with regulatory requirements form of those are key aspects that you may have to work through another thing to think about from an external factors as your building at your business continuity plan is bandwidth do you have solid van within your environment are or in your location that in the event that your business goes away can you get a circuit stood up so that you can go out and start working right away those are things you may have to negotiate as you're going through your Disaster Recovery planning but you need to understand do you have the capability to even do operate from home one thing to consider is if they like in the case of a disaster say you're in a town and a earthquake hits and it takes out half the town well one electricity going to be a challenge so if electricity is going to be a challenge earthquake takes it out and you have electricity do you have is their capability of their the circuit isn't disrupted during that earthquake so all of those pieces you need to consider as you're doing business continuity planning so what's the purpose of a business continuity while purpose of business continuity is the overarching plan around your execution of a business continuity plan which is how you want to keep your business operational then you have to have a PCP a business continuity plan in place and it is a part of how you do your Disaster Recovery how you recover your organization in the event of a disaster also provides a cost-effective approach to operating and how is does is it basically allows you to do decide if you want to purchase equipment have it ready ready to go like in hot spare or it's already running it's already operational it's just actually waiting for somebody to go to it or do you just have a plan in place that goes you know what I'm going to buy this equipment off the shelf at the time of the disaster to operate because I know what my tolerance is our for my business so it also helps you understand what are your available how do you want to manage the solutions and then assigns responsibilities to the individual so having at the end of the day you have all these great things in place but if you don't have responsibilities from the individual who has responsibility for what it makes it very very hard to have a good plan in place and also allows you to set up a place or a way to educate your employees on what they need to do what is their part in this whole aspect listings that you can help you with this business continuity planning there's ffiec organization with the United States that government there's ISO IEC 27031 those are standards that are set up specifically around this aspect in the UK British standards 2599 Nine-Nine 6 these are actually standards that are said about organizations in by the government to allow to set up a standard around business continuity in business management and a lot of times they build these into the financial institutions I just because the simple fact of the matter is as they people's money and they want they have the ability for there needs to be a plan a place that if if a disaster occurs in have to do some level of business continuity planning or to maintain the business that they thought through these things and that there's been some level of due diligence around understanding what a business needs to do to make sure that they're operational in the event of a disaster now you're dealing with another part is is analyzing so is your dealing with we talk about the purpose now or something to do with ice business continuity is going to analyze and this is a complete analysis of the business impact so who talked with business as the business continuity is the beginning in the plan will you be doing a business impact analysis of specific systems that you deem are high-risk and you complete this analysis of the business impact of the affected unit or system so if you have a system or unit that is has is critical to your organization and you know that it needs to be addressed what'll happen if you complete a Bia what is the overall impact to your I'm it could be less an Erp system which is your employee kind of Records thing I could be a financial software application that for your business has to be up and operational for this all to work these things need to be in place risk-based approach to the specific problem so rather than trying to fix everything and every potential issue you may have with every application or every system it's a risk-based approach on these specific systems to help you determine do I need to do it or do I not need to do it as an example of just say you have a time card system well that time card system may not be a critical system or application in the event of a disaster it may be a situation where you go you know what I don't really care about that so I'm not going to worry about it you may do a Bia on it and say you know what it's the recovery time objective it's not a big deal so those are things you need to consider as you're doing a Bia he also need to have key stakeholders involved who's going to be involved in who are the main people that will be involved with it and this is how the Bao help it'll help determine who are the owners business the line with a path for is the business for moving forward with a pad that they understand what a business continuity plan is for do they understand how to deal with it those are all aspects of business continuity and then funding necessary to complete and continued is the funding their necessary to complete this and move it forward do you have the money available on the people of the state key stakeholders involved all of those pieces are key aspects around setting up your business continuity and analyzing what you need to do for it now you're next aspect is prioritizing how are you going to prioritize all of this what you comes back to the business with waste of the highest need where is the highest need in your organization that needs to be a this needs to be addressed so if your cyber security professional you need to understand that not everything needs to be protected so that you need to chat with the business and this is where that relationship comes into play where you visit with key stakeholders to understand what is their biggest need you also may need to bring in contractors to support the implementation of any product or service you put in place so that you saved something is extremely important let's just say for example it is your your Erp or your your HR System EHR system is critical you need to have it in place in the event of a disaster I wanted available because I'm an HR company that's how I do business well if you know that you have to have that and you know that you will need some level of whether it's documentation with her say application if you don't have the resources internally to do that you may have to call a third party or contractor to help you with that that's that's a contractor support the service solutions that provide TurnKey products you may want to have a solution that is just turn key right now your HR System may be something that is a total built pre-built application that you guys have all view developed in-house it's all ready to go or it's something that you just did on your own however in the event of a disaster that's application will not be available you have no way of transferring it so you may want a turnkey solution that is in place the moment that something bad happens you can just turn it on that that maybe that maybe a bad example I don't know what did you need something to decide do you want a predefined or pre-built application or do you want something that you can just turn on if it's prebuilt or if it's an older application maybe that you customize they may not work well with new operating system so it's something you may have to consider their on-premise vs off-premise Solutions do you want it in your in a data center where you physically control it or are you willing to let a software-as-a-service a solution be available for you so those are different aspects you need to consider when it comes to prioritizing your overall plan testing you look at tabletop testing other small groups that are affected on specific aspects of the BCP so now this is when we get into your overall setting up the test and how you're going to go down this path you need to consider what are tabletop exercises see-through and its focus specifically on aspects of the BCP of your business continuity plan are there medium-sized exercises which are there several departments are teens or disciplines on multiple BCP items this is where you have a larger group you're bringing them instead of having one system which should be a small tabletop now you have multiple systems that are part of the overall business continuity plan that you may have to bring on so instead of having just your HR System you not have your payroll system you also have your SharePoint systems that are set up where all your data is stored I'm all these pieces may be in place and you may have to return all those on so now you have multiple systems involve multiple key stakeholders incise exercise when you have your complex exercises all the aspects of a medium but now it's no notice or a full swap over to like say friends since you have your operating out of this HR System right now but in the event that there's a disaster you want to do some planning you're going to maybe swap over every 6 months to this new system I've seen that happened as well or they will have the system in place they utilize this one for 6 months then they turn around a flopping over and then utilize another system for 6 months testing that are available until you just need to ask yourself is that where you're at now to get to that point you really got to have some good sensibility what you're trying to accomplish because and you've built up this I would not go there from Zero to Hero you'll probably be looking for a new job because people that it caused a lot of disruption and you have to have some stakeholders involved in your decision-making get a summary of our business continuity of this includes recovery is what you need to consider is that it's a recovery resumption and maintenance of all the different aspects when you're considering a business continuity plan it's not just a technology so you may have the best technology in the world to allow you to have a plan however if it's not in place or if it's not a solution that is just focus on specific on technology and not the processes behind it you will have you'll have issues you'll start on it is also is it the Enterprise or the individual it really depends so do you want to have a business continuity plan at set up specifically on individual needs or is it for your entire Enterprise the Enterprise really will your want to go long term but that may be a bridge too far initially you may have to focus on just individual plans for individual HR System versus the entire Enterprise or an individual application that is specific for a small group of people versus something that affects the entire Enterprise regular updates must be incorporated as the business changes so has these changes you need to go in and make modifications and changes to it document it's not something that you just stick can you call it up when the time comes for a short. Of time after you created it but in reality 6 months to a year and get pretty stale pretty quick so those are things need to consider around your business continuity planning I'll BC planning also include ongoing or cyclical approaches with your business impact analysis which went over and talked about how your Bia tourist monitoring / testing so this is your business continuity overview I'll just kind of goes into where we going to come from this kind of Duty standpoint now we're going to roll into what is a business impact