A New Era in Cybersecurity and Cyberattacks is here – Time For Action – EndZero™

Time for Action EndZero™


A little over a month ago I had a conversation about the current state of Cybersecurity with Christopher Murphy. Actually, it was more about the complete lack of Cybersecurity and how everyone basically communicates and sends sensitive information in the open.

We both agreed that sooner or later we wouldn’t be dealing with ransomware anymore, but something much, much worse. What could be worse than ransomware? Especially when the threshold for major businesses has reached $1 Million U.S. Dollars in Bitcoin. I’m glad you asked.

Imagine if you will, an attack that hits you with absolutely no hope of recovery. Wipes out ALL your data and essentially turns your servers, desktops, laptops, even tablets, and phones into bricks. There is nothing on it. No Data to recover, the OS is dead, you can’t even boot up. All your devices are now very expensive paperweights.

Well, we may have to wait no longer. It seems Tuesday’s attack was something just like that. Let’s face it – Cyber-Warfare is here folks, and the players aren’t just Nation States – but All of us.

We at Continuity Co. LLC are working on a new cybersecurity program we are calling EndZero™, which takes advanced threat protection to a new level. It uses a hybrid of machine intelligence and human intelligence, as well as other advanced proprietary methodology, to prepare for, mitigate, and PREVENT attacks on our clients.

We are so confident in our process that if you get hit with ransomware and we can’t restore you to a pre-attack state, we will pay the ransom, up to $1,000,000.00 U.S. Dollars. Terms and conditions will apply – basically, following our guidance.

What other company is offering this as part of their protection service? Go ahead, ask your provider. We’ll wait for you.

Remember it’s not just your security, it’s national security, and it’s WAR!

We will be posting a link to the EndZero™ Launch page soon. We will be accepting a limited number of Trial Users and Clients.

Are You Ready to Pay $1 Million Dollars to Recover Your Data?

1 Million of Dollars Paid In Ransomware Attack


Recently the South Korean web hosting company Nayana paid just over $1 Million U.S. worth of Bitcoin to settle a ransom demand and gain access to encrypted data. The original demand was for $4.4 Million worth of Bitcoin.

Interestingly, the variant that hit the South Korean hosting company known as Erebus was originally designed to infect Windows Operating Systems, but someone modified it to infect and work on Linux Servers.

While the servers of Nayana appear to have been unpatched, since a well-known vulnerability was exploited, this is definitely a warning to any sizable business that ransomware will be a major threat. I also believe this successful windfall of a cash payment will increase the threat matrix exponentially.

While the threats against municipalities, hospitals, and schools will likely continue to climb because they are easy targets, we will now once again see the threat increase among financial, tech, and other major companies.

It’s time to take major steps to prevent becoming a victim of these attacks, especially if you are in a sector mentioned above.

Here are some steps to take immediately:

  • Update and patch your systems.
  • Back up all CRITICAL data.
  • Complete a Risk Assessment/Cyber Threat Analysis.
  • Put security policies, controls, and protocols in place.
  • Increase your cybersecurity posture.
  • Educate employees on cybersecurity.
  • Run an exercise on what you will do when breached or hit with ransomware.

While the above is not meant to be a complete cybersecurity implementation, it is a good starting point. You may also want to initiate a scan to determine if you are already impacted and do not know it yet.

If you need additional help – feel free to contact me.

Don’t be the next company to pay $1 Million Dollars.


Will Medjacking Become the Next Wave in Healthcare Ransom Demands?


Your healthcare facility is under attack. This time the threat isn’t to your network or even your internal systems. This time the attack is focused on Medical Devices and the threat to patient care and your reputation could be life-threatening. Will Medjacking become the next wave in healthcare ransom demands?

Medjacking is the hacking of medical devices with the intent to harm or even kill the patient. At least that was the old intent and definition. How long will it be before we see this become the new form of ransomware? Only time will tell.

In the past, the fear was that these types of hacks would be used to target specific and high profile individuals. In this current environment attacks on healthcare facilities and specific hospitals are up and the demands for ransom are as well. I fully believe that targeting of devices and holding your patients for ransom may well be next in line.

It is a dark thought, but I do believe this is where things are progressing. So, what are you doing to stop these and other cyber threats at your facility?

Here Are Some Tips:

  • Establish a Cybersecurity task force and attach it to your Board of Directors if you have not already done so.
  • Question and work with your medical device vendors about flaws, security concerns and what to do if a device is breached.
  • Set up an in-house lab where medical devices will be tested and scrutinized internally.
  • Establish protocols to prevent unnecessary placement of devices onto the network, WiFi, or other unneeded communications.
  • Establish protocols to keep medical devices from communicating needlessly with other devices.
  • Turn off all needless wireless communications with implanted or other devices.

The above list is not meant to be exhaustive or to be the only steps put into place, but just a starting point. Have your internal cybersecurity task force look for additional security flaws and establish additional protocols as needed.


Risks and Impacts of Rapid Technology Implementation


Over the last few months, I have pondered the risks and impacts of moving too fast to implement new and bleeding-edge technologies. While many of these technologies make our lives better, make no mistake, I believe we are moving too fast.

Looking back to just over 27 years ago computers were not in nearly every household, there were no smartphones, there weren’t really even mass users of cellphones – also known as bricks back then, and for good reason. Most people did not carry a camera with them everywhere they went either.

Fast-forward to today. These technologies and more exist, and they are everywhere. We are also seeing the emergence of driverless vehicles (cars, trucks and even aircraft), robotic food servers, smart devices making up the Internet of Things (IoT), and much, much more.

What worries me is not the technology itself. It is the unchecked, ubiquitous implementation and the level of security that is being implemented with the use of the devices. Or, as I should say, the lack thereof.

According to Gartner, 6.4 Billion connected “things” will be in use in 2016, and up to 50 Billion are forecast by 2020, though others cite a number closer to 30.7 Billion. Many of those counts leave off things like smartphones, tablets, and computers. The number of connected and interconnected devices is staggering. In addition, because anyone can purchase their own micro-controllers and set a device up through WiFi, Ethernet, or even cellular networks, it is hard to maintain an accurate count of all the devices.

We’ve already seen small-scale attacks and malware infections of these devices, and some have been used to launch DDoS attacks as well. Corporate cybersecurity initiatives are failing in a big way, and now there is just more to protect. Just imagine when your fridge, TV, and car fail to work until you pay a ransom, or are used to launch devastating attacks against your own corporate network from your home network.

But it is not just IoT devices to worry about. At a time when unemployment is a major issue for most countries around the globe, and those who have jobs are demanding more for their employment, the trend is quickly moving to automation.

We see automated delivery trucks already in service. As I mentioned before, the driverless cars and cabs are expanding. Self-checkout at the grocery store, restaurant based kiosks, fast-food automation, drone-based deliveries. And it doesn’t end there. Artificial Intelligence is also making a huge surge.

My prediction is that unemployment will increase and the adoption of automated systems will grow at a rapid pace. What our future will hold is uncertain. Some will retrain to service these devices, while the future for others will remain uncertain.

I was recently at a marketing seminar and heard much the same there with the same worries. That can’t be good if others are seeing it too.


Hacking the Election


Can an election be hacked? The short answer: yes. I’d like to say it is more difficult than some suggest, but more and more reports point to it occurring.

Over the last several weeks we have watched security experts on both sides of this issue comment about the potential of electronic voting machines to be hacked. But the most interesting and telling thing in all of this is how the Department of Homeland Security wants to take control of the elections.

The most compelling arguments on both sides show how difficult it would be to pull off a successful hack. Why? For one, each State utilizes its own systems and methods. Election machines are usually off-line, locked in a secured room, and have security cameras on them.

In another case, some security professionals have proven that elections and voting machines are vulnerable and can be hacked in just 7 minutes. With that said, it has been reported that hackers have already targeted election systems in 20 States.

My take on this is that yes, voting machines can be hacked, and new additional controls need to be implemented in securing both the machines and the electoral process. Though having DHS take control over that process eliminates current controls and adds another scary factor.

As we have seen in the past it is possible to rig or even hack elections. In 1968 a major glitch or error occurred giving Dick Gregory millions of votes. While an investigation failed to find any issues the blame was placed on programming. There is or was no REAL explanation of what happened. In fact, that election was so close – it may have just been a successful hack of the election for all we really know. Though that is speculation on my part.

In recent years we have seen the voting of cartoon characters, the deceased, and now illegals. We have also seen more votes cast than exist in the precinct population.

As I mentioned before, there are sudden calls to have the entire election process controlled by the DHS. So who is trying to control the election?

What if it is people within our own Government or other actors within our Country that want to hack the election? Putting all the machines and the entire election process under DHS makes it easier, if you ask me. Perhaps it is already being done.


You Don’t Have a Continuity or Contingency Plan? What’s Your Excuse?

Sometimes I feel like an Underdog more than The ProtectEr™ and Superhero some people tell me I am to them.

I get to hear a lot of excuses why businesses don’t implement full business continuity programs. When I say full programs, I am talking about BCM programs that cover the business in wide areas, such as supply chain events, reputational issues, good data backups, and workforce solutions.

Some of the excuses I have heard go like this:

  • I don’t have to worry because my data is in the cloud.
  • Our cloud provider takes care of everything.
  • We outsource, so we don’t worry about the manufacturing of our products, or our supply chain.
  • We’ll just set up a tent in the parking lot.
  • That kind of thing just doesn’t happen around here.
  • Our IT vendor will get us up and running again in no time.

Do any of these sound like you or your company? Those are real statements I have had come from past and prospective clients alike. The reality is that if you have a business, especially one that you are passionate about and that provides the income you need to live on (which is most of us), then yes, you need to worry about that. Let’s examine each one on a case-by-case basis.

I don’t have to worry because my data is in the cloud. First, it’s great you have your data in the cloud. That is an excellent first step to protecting your data. But, what if you lose your internet connection or telecommunications goes down? Do you have alternate means of communications? One of the things I always say is this – “You can have the best data backup plan in the world, but if you or your team and clients can’t access it, it doesn’t do you any good.”

Our cloud provider takes care of everything. Here is another one that we hear often. But after we do a little digging or talk to our clients more, it turns out that data backups are not what the cloud provider is doing.

In both of these cases, we recommend a cost-effective hybrid solution that stores data backups at the main site and in the cloud. This way the client is protected from communications disruptions as well as site-specific disruptions.

We outsource, so we don’t worry about the manufacturing of our products, or our supply chain. You may not be the originator of the finished product, but if your company or brand name is on the product, you need to worry about the final delivery, quality, safety, and reputation of the product. Any impact to these areas will be immediately felt by your company and its stakeholders. To think otherwise is to do yourself a disservice, and you will likely be impacted sooner rather than later.

We’ll just set up a tent in the parking lot. Ok. Sounds good. Where are you going to get power? Are your employees willing to work 8 hours in a tent? In the rain? In the Snow? In the heat? How long are you planning on doing this for? Two or three days? A week? A Month or more? Where are you going to get a tent that size? Where will everyone park if it’s in the parking lot? What about bathrooms? Did you really think this through?

Now, I am not saying you can’t use a tent effectively. I am just asking: a) did you really give this a lot of thought, and b) you do know there are better, more cost-effective solutions, right?

That kind of thing just doesn’t happen around here. It never does, until it happens to you. Floods, fires, earthquakes, crime scenes, break-ins, vandalism: it happens every day to someone. Better to be prepared than not. Let me give you some examples that have happened to real businesses.

  1. A car hit a fire hydrant outside of a building owned by an antique book dealer. Damage to 1,500 antique books, repairs, and restoration costs totaled $300,000.00.
  2. Vandals cut fiber optic cables. Complete loss of ALL communications to an entire region, including 911 services.
  3. Bad database upgrade. Transaction processing on the database idled for seven days, resulting in the loss of two major clients.
  4. A normal systems upgrade resulted in orders being unable to be taken or products shipped for four days.
  5. A vendor/supplier had a fire in a trash can inside of a clean room. It resulted in a Q2 operating loss of $200 Million.
  6. Power outage. A trader lost $70,000.00 by not being able to move out of a trade after the outage occurred.

Bottom line. Anything can happen to anybody at any time. Be Prepared.

Our IT vendor will get us up and running again in no time. I hope that is the case. Recently I worked with someone that said this exact thing. When we questioned the vendor – the response we got which the client was copied on went something like this: “This is not one of our biggest or best clients, and they do not produce a lot of revenue for us. If they are still one of our clients when something happens, we will get to them when we get to them.”

Not exactly the kind of thing you want to hear from your IT vendor, is it? But if you don’t get down to brass tacks and just assume they will take care of you without asking the right questions, this may be just the kind of response you get.

Now, I don’t run your business, and whether or not you implement a good, solid business continuity program is up to you. In the end, though, you’ll wish you had. And either way, you’ll pay in the end.

FEMA To Deny Disaster Relief Funding To States Without Climate Change Preparedness


Photo by: Daniel Lobo

FEMA recently took the unprecedented step of announcing that States (Governors) that deny climate change, and have not taken steps to incorporate climate change into their disaster planning, may be denied federal disaster funds after a disaster declaration. I say this all the time, and though it is not reality, it should be: disaster preparedness and FEMA should not be involved in politics. All this does is hurt people, endanger lives and livelihoods, and render FEMA incapable of optimal performance.

While climate change does exist, and we have seen evidence of climate change throughout earth’s history, the framers of the so-called climate change debate (which they say is over) lump climate change and anthropogenic (man-made) climate change together as one and the same. They are not.

In fact, there is overwhelming evidence that the supporters of climate change have changed and manipulated data to support their arguments. Recently in Davos (2015), the head UN Climate Chief Christiana Figueres admitted that this movement is a hoax and nothing more than something to change the world’s economic model (the destruction of capitalism).

Here is a direct quote from her Davos Statement:

“This is the first time in the history of mankind that we are setting ourselves the task of intentionally, within a defined period of time, to change the economic development model that has been reigning for at least 150 years, since the Industrial Revolution, this is probably the most difficult task we have ever given ourselves, which is to intentionally transform the economic development model for the first time in human history.”

We often hear about the “98% (some say 96%, 97%, or even 99%) of climate scientists who agree” on climate change, though we are never shown any evidence. And just who is a climate scientist anyway?

Interestingly enough, there are 31,000-plus (and growing) scientists who have signed an actual petition that rejects global warming (climate change).

Regardless of how you feel about this topic or which way you lean, FEMA has no business getting involved in political action.


Largest Asteroid Impact Ever Recorded Recently Discovered In Australia


Photo: Meteor Crater by: Sean McMenemy on Flickr

While this has little to do with business continuity, the recent discovery of the largest asteroid impact to hit Earth does have significance. It represents what are known as Extinction Level Events, or ELEs. There have been approximately 25 ELEs throughout Earth’s history.

I’ve always had a fascination with ELEs, but this find is interesting in that it has yet to be matched to an ELE, and scientists are still debating an accurate date. The current estimate is about 300 Million years old.


Risk Assessment or Business Impact Analysis, Which Comes First?

This is a topic of great debate, and is the chicken-or-the-egg question for contingency planners everywhere. Recently, I was asked to share an infographic that placed the Business Impact Analysis before the Risk Assessment. While there is nothing wrong with the graphic (you can see it here: Disaster Recovery infographic by Singlehop), I am in some disagreement with the placement.

Interestingly enough, I just had a conversation on this very topic with a colleague, whom I respect, who works for another large company that provides business continuity and disaster recovery services.

With the creation of ISO 22301, which does not specifically address the order but does mention BIAs first, many businesses are now conducting the BIA first. Here is my personal and professional opinion on why this is both wrong and a mistake.

Whenever I work with a business, and we are conducting an analysis on their risks and associated impacts, we always do the risk analysis/risk assessment first. I have a great many reasons for doing it in this way, but let me share just a snippet of why we do it this way.

First, let’s look at the Risk Assessment. The Risk Assessment looks at a given hazard. It measures both the potential likelihood of the hazard occurring and the potential impact it may have on the business. This provides you with a system of measurement for how great the risk to your business from the hazard will be.

I just want to mention here that there are many methods of scoring to arrive at a final hazard score. For instance, the National Fire Protection Association (NFPA) 1600 utilizes a scoring method of High (H), Medium (M), or Low (L) for probability of occurrence and the same H, M, L for impact. This provides a score such as ML, which would be equal to Medium probability of occurrence with a Low impact.

I use a slightly modified version of the NFPA 1600 model that I developed over the years, but it is generally the same idea. Once we look at all the potential known hazards we take the top 10, top 5, and top 3 hazards respectively to know which hazards are the biggest known threats to the business.

This process allows us to have a high-level overview of what the greatest risks are to the business, and what the potential impact will be.
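To make the H/M/L scoring and the top 10 / top 5 / top 3 cut concrete, here is an added Python example. It is not the author's modified NFPA 1600 model and not code from this page. It assumes numeric weights of H=3, M=2, L=1 and ranks hazards by probability weight times impact weight; that weighting is an assumption, since the NFPA 1600 scheme described above only yields a two-letter code such as ML. The hazard register is constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable

# Assumed numeric weights for the H/M/L levels (not part of the NFPA 1600
# scheme described above, which only yields a two-letter code such as "ML").
LEVELS = {"H": 3, "M": 2, "L": 1}


@dataclass(frozen=True)
class Hazard:
    name: str
    probability: str  # "H", "M" or "L": likelihood of the hazard occurring
    impact: str       # "H", "M" or "L": potential impact on the business


def validate(h: Hazard) -> None:
    """Reject anything but the three recognised levels so a typo cannot skew the ranking."""
    for level in (h.probability, h.impact):
        if level not in LEVELS:
            raise ValueError(f"{h.name}: unknown level {level!r}; use H, M or L")


def hazard_code(h: Hazard) -> str:
    """Two-letter NFPA 1600-style code, e.g. 'ML' = Medium probability, Low impact."""
    validate(h)
    return h.probability + h.impact


def hazard_score(h: Hazard) -> int:
    """Assumed numeric rank: probability weight times impact weight (1..9)."""
    validate(h)
    return LEVELS[h.probability] * LEVELS[h.impact]


def rank_hazards(hazards: Iterable[Hazard]) -> list[Hazard]:
    """Highest score first; ties broken by impact (a high-impact hazard ranks
    above an equally scored high-probability one), then by name for stability."""
    return sorted(hazards, key=lambda h: (-hazard_score(h), -LEVELS[h.impact], h.name))


def top_n(hazards: Iterable[Hazard], n: int) -> list[str]:
    """Names of the top-n hazards: the 'top 10, top 5, top 3' cut described above."""
    return [h.name for h in rank_hazards(hazards)[:n]]


def register_report(hazards: Iterable[Hazard]) -> list[tuple[str, str, int]]:
    """(name, code, score) for each hazard in ranked order."""
    return [(h.name, hazard_code(h), hazard_score(h)) for h in rank_hazards(hazards)]


# Constructed sample register, loosely modelled on incidents this blog mentions.
SAMPLE_REGISTER = [
    Hazard("Ransomware", "H", "H"),
    Hazard("Power outage", "M", "M"),
    Hazard("Fiber cut", "L", "H"),
    Hazard("Flood", "L", "M"),
    Hazard("Bad database upgrade", "M", "H"),
    Hazard("Trash can fire", "L", "L"),
    Hazard("Vendor fire", "L", "H"),
]

if __name__ == "__main__":
    for name, code, score in register_report(SAMPLE_REGISTER):
        print(f"{score}  {code}  {name}")
    print("Top 3:", top_n(SAMPLE_REGISTER, 3))
```

Because the register is small and the scoring is cheap, re-running it monthly or quarterly, as the post recommends for the Risk Assessment, costs nothing; the ranked output is what feeds the scenario for the later Business Impact Analysis.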

Once we arrive here, it is time to take a deep dive into the impact the top threats will have on your business. It also provides us a potential outline of events that are likely to cause major disruptions to the business. This provides us with a scenario to use for context during the Business Impact Analysis.

During the deep dive into the Business Impact Analysis you will look at each individual process; the individuals and applications that support each process; the interdependencies between departments and that each process has upon the others; the financial impact to the business if the process is disrupted; and the additional financial impact of fines, penalties, SLAs, and contractual agreements. Does this process need to be recovered immediately? Can it wait? Should it be on hold indefinitely until operations return to normal? What are the recovery costs associated with each process?

The Business Impact Analysis gets into such fine details of each business process and business unit that it can itself become a disruption. This is why they are done only every couple of years, two years being the norm, though some companies may do them only every five years.

The Risk Assessment, being such a high-level overview, can be done monthly, quarterly, or even yearly, with little to no disruption to the business’s normal operations. It also provides an excellent way of tracking emerging and future threats to the business.

I hope with this you can see where I am coming from, and why a risk assessment should be done both first, and more frequently. Also, as a big proponent of the NFPA 1600 standard, if you have the book, Implementing NFPA 1600 National Preparedness Standard, turning to page 12, and page 19 respectively provides an ordered list where the Risk Assessment comes before the Business Impact Analysis.

NFPA 1600 Section 5.3 on Risk Assessments also provides an ordered list of steps: identify hazards, assess the vulnerability, analyze the potential impact, and lastly conduct a Business Impact Analysis to determine business continuity and recovery strategies.


The True Cost of Downtime and Release of the Cost of Downtime Calculator

Cost of Downtime Calculator


One of the most common measurements of downtime comes from lost revenue, and many organizations stop looking at the costs of downtime there. Lost revenue can be significant, but it is not the only cost to your organization from downtime or other business disruptions. Some of the other costs that result from downtime are obvious, such as the cost of the recovery, employee wages, and even consulting fees, while other costs can be hidden or not so obvious, such as lost productivity and lost clients. To track these I recently developed the Cost of Downtime Calculator.

In addition to these costs, there are also potential fines, legal fees, and fees based on SLAs or contractual agreements that will be paid by or penalize the business. Calculating and tracking all of these costs can be cumbersome.

I have studied several methods for calculating losses based on disruptions and downtime. Unfortunately, I have also found many of them to be lacking. Sometimes they leave out lost productivity; sometimes they miss several things.

After studying these for a while, I developed my own Cost of Downtime Calculator that does not leave out any of these things. I’ve also included an area in the formula for other unforeseen costs, which is the final piece of the puzzle. In addition, I have added an enterprise version of this formula that allows for minimum and maximum losses based on variables. This version is also more highly detailed than the basic version.
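As an added illustration, here is a Python model that carries the cost categories listed above through a minimum/maximum calculation in the spirit of the enterprise version. It is not the author's formula (whose exact terms the post does not give) and not the app's code. The way each category is derived (lost revenue as revenue per hour times outage hours, lost productivity as payroll per hour times idle fraction times outage hours, the remaining categories as entered ranges) and every dollar figure are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A minimum/maximum estimate; basic (point) estimates use low == high."""
    low: float
    high: float

    def __post_init__(self) -> None:
        if self.low > self.high:
            raise ValueError(f"low {self.low} exceeds high {self.high}")

    def __add__(self, other: "Range") -> "Range":
        return Range(self.low + other.low, self.high + other.high)

    def times(self, other: "Range") -> "Range":
        # Costs and durations are non-negative, so low*low and high*high bound the product.
        if self.low < 0 or other.low < 0:
            raise ValueError("ranges must be non-negative")
        return Range(self.low * other.low, self.high * other.high)

    @staticmethod
    def exact(value: float) -> "Range":
        return Range(value, value)


@dataclass(frozen=True)
class DowntimeInputs:
    outage_hours: Range          # how long the disruption lasts
    revenue_per_hour: float      # normal revenue rate while running
    payroll_per_hour: float      # wages paid to staff whether or not they can work
    idle_fraction: Range         # share of staff unable to work during the outage (0..1)
    recovery_cost: Range         # restoring systems, hardware, data
    extra_wages: Range           # overtime paid for the recovery effort
    consulting_fees: Range
    lost_clients: Range          # value of clients who leave because of the outage
    fines_and_penalties: Range   # regulatory fines plus SLA / contract penalties
    legal_fees: Range
    other_unforeseen: Range      # the catch-all "final piece of the puzzle"


def cost_breakdown(i: DowntimeInputs) -> dict[str, Range]:
    """Each cost category as a Range, derived as described in the lead-in (assumed model)."""
    hours = i.outage_hours
    return {
        "lost_revenue": hours.times(Range.exact(i.revenue_per_hour)),
        "lost_productivity": hours.times(Range.exact(i.payroll_per_hour)).times(i.idle_fraction),
        "recovery_cost": i.recovery_cost,
        "extra_wages": i.extra_wages,
        "consulting_fees": i.consulting_fees,
        "lost_clients": i.lost_clients,
        "fines_and_penalties": i.fines_and_penalties,
        "legal_fees": i.legal_fees,
        "other_unforeseen": i.other_unforeseen,
    }


def total_cost(i: DowntimeInputs) -> Range:
    """Minimum and maximum total loss: the sum of the per-category ranges."""
    total = Range(0.0, 0.0)
    for part in cost_breakdown(i).values():
        total = total + part
    return total


# Constructed sample: a 4-to-12 hour outage at a small firm (all figures invented).
SAMPLE = DowntimeInputs(
    outage_hours=Range(4, 12),
    revenue_per_hour=5_000,
    payroll_per_hour=2_000,
    idle_fraction=Range(0.5, 0.8),
    recovery_cost=Range(3_000, 8_000),
    extra_wages=Range(1_000, 4_000),
    consulting_fees=Range(0, 5_000),
    lost_clients=Range(0, 20_000),
    fines_and_penalties=Range(0, 10_000),
    legal_fees=Range(0, 2_500),
    other_unforeseen=Range(0, 5_000),
)

if __name__ == "__main__":
    for name, r in cost_breakdown(SAMPLE).items():
        print(f"{name:20s} ${r.low:>10,.0f}  to  ${r.high:>10,.0f}")
    t = total_cost(SAMPLE)
    print(f"{'TOTAL':20s} ${t.low:>10,.0f}  to  ${t.high:>10,.0f}")
```

The point the post makes shows up directly in the sample output: lost revenue alone is only a fraction of the worst-case total once lost productivity, lost clients, penalties and the unforeseen bucket are included, which is exactly what the revenue-only measurements leave out.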

After playing around with the formula and testing it for accuracy, I developed an app called the Cost of Downtime Calculator (the enterprise version will be released later this month). It is currently available on iTunes for iPhone, iPad, and iPod Touch. Android versions will be available soon as well.

The best part is the basic Cost of Downtime Calculator App is available for FREE.