Contingency Planning

(1)

22

22 --23 September, 2010, Hotel La Plaza, Brussels, Belgium23 September, 2010, Hotel La Plaza, Brussels, Belgium

Contingency Planning

Peter Sommer

London School of Economics, Open University London School of Economics, Open University

p

petereter@@pmsommerpmsommer.com.com p.m.

(2)

Assumptions

•

• Your detective and preventative measures have Your detective and preventative measures have failed

failed -- the cyber event has started and you need the cyber event has started and you need to mitigate and recover

to mitigate and recover

•

• Why?Why?

Î

Î Zero day exploitsZero day exploits

Î

Î Your system is being overloaded because of problems Your system is being overloaded because of problems

elsewhere

Î

Î You are under attack, but can’t retaliate because you You are under attack, but can’t retaliate because you

lack sufficient attribution of the source

A Contingency Plan may be your A Contingency Plan may be your best defence against Cyber Attack best defence against Cyber Attack

(3)

Experience of Contingency Planning

•

• Knowledge and experience exists in the Knowledge and experience exists in the commercial sector

commercial sector

Î

Î SubSub--industry of specialist standindustry of specialist stand--by facilitiesby facilities

Î

Î Skills in detailed planning and testingSkills in detailed planning and testing

•

• Some Governments have significant Civil Some Governments have significant Civil Contingencies experience

Contingencies experience

Î

Î Bombs, Floods, Escape of Noxious substances, Bombs, Floods, Escape of Noxious substances,

Pandemics, Industrial Unrest, Earthquakes, etc

•

(4)

Basics of Disaster Recovery

The chances of being hit have almost

nothing to do with the chances of

successful recovery

You need to understand what recovery

looks like

(5)

Disaster Recovery

The chances of being hit:

•

• Logical / Cyber attack

Logical / Cyber attack

•

• Bomb, kinetic attack

Bomb, kinetic attack

•

• Fire

Fire

•

• Flood

Flood

•

• Electrical outage

Electrical outage

•

• Computer failure

Computer failure

–

hardware, softwarehardware, software

•

• Telecoms failure

Telecoms failure

¾

(6)

Disaster Recovery

The chances of successful recovery

(commercial businesses)

:

•

• Cash flow / overheads / indebtedness

Cash flow / overheads / indebtedness

•

• Business organisation

Business organisation

•

• Perishability

Perishability

of products / services

•

• Single site / multiple site

Single site / multiple site

•

• Computer dependency

Computer dependency

¾

(7)

Disaster Recovery

The chances of successful recovery (central

government service )

:

•

• Single site / multiple site

Single site / multiple site

•

• Possibility of transfer of operations

Possibility of transfer of operations

•

• Computer dependency

Computer dependency

•

• Internal organisation

Internal organisation

–– especially speed of responseespecially speed of response

•

• Status of any outsourcing contract

Status of any outsourcing contract

•

• Quality of political leadership

Quality of political leadership

¾

(8)

Business Continuity Planning

Most BCP is carried out in two stages:

•

• vulnerability assessment

vulnerability assessment

Î

part of risk management process

•

• recovery plan

recovery plan

Î

deciding what you actually will have to

do

(9)

Shape of Disaster

Money

(10)

Shape of Disaster

Money

Time

(11)

Shape of Disaster

Profits

(12)

Shape of Disaster

Profits Time Actual Trend Recovery Scenario

(13)

Shape of Disaster

Profits

Trend

The backlog trap …..

If your business stops unexpectedly,

you must cope both with the downtime

and the additional queries generated by

(14)

Shape of Disaster

Profits Time Insurer’s Assessments.. Inception Risk Spread Risk Recovery factors

(15)

Shape of Disaster

Profits

Time

Contribution of Contingency Plan..

(16)

What You Need to Know

•

• Spread Risk

Spread Risk

Î

How might an initial event propagate

and cascade?

•

• Recovery Factors?

Recovery Factors?

Î

What is already available?

Î

What do you need to acquire / prepare

for?

(17)

Spread Risk

•

• Propagation and Cascade

Propagation and Cascade

•

• Historically cyber

Historically cyber

-

events have not lasted

very long:

Î

Î Signatures of attacks, responses to zeroSignatures of attacks, responses to zero--day day

vulnerabilities often found within a few days

vulnerabilities often found within a few days Î

Î The longer a The longer a botnet botnet exists, the greater the exists, the greater the

chance the controller will be identified

•

• But each potential threat needs to be

But each potential threat needs to be

tested out for local circumstances

(18)

Spread Risk:

Propagation and Cascade

At the level of the nation state, you also

need to think about:

•

• Impact on CII services

Impact on CII services

•

• Impact on very vulnerable people

Impact on very vulnerable people

•

• Impact on efficiency of emergency

Impact on efficiency of emergency

services

•

• Impact on politics / public confidence

Impact on politics / public confidence

•

(19)

Recovery Factors

•

• You can’t bring back a 100% service

You can’t bring back a 100% service

immediately

immediately –

–

so what should you

prioritise?

•

• What is already available that can be

What is already available that can be

deployed?

Î

Î BackBack--up dataup data

•

• What do you need to acquire / prepare

What do you need to acquire / prepare

for?

Î

Î Management structureManagement structure

Î

Î A PlanA Plan

Î

Î Recovery SitesRecovery Sites

Î

(20)

Business Continuity Planning

In order to save an organisation from

extinction after a disaster...

•

• We need to know how it operates

We need to know how it operates

Î

what are its essential functions?

•

• operationaloperational

•

• managerialmanagerial

Î

(commercial) where does its income

come from?

Î

(21)

Business Continuity Planning

This is essentially a business and/or social

science type analysis

•

• (Commercial):

(Commercial):

immediate revenue generation immediate revenue generation and confidence building with customers, trading and confidence building with customers, trading partners, staff, bankers, etc usually a priority over partners, staff, bankers, etc usually a priority over R&D and marketing

R&D and marketing

•

• (Nation State)

(Nation State)

Impact on very vulnerable Impact on very vulnerable people; impact on efficiency of emergency people; impact on efficiency of emergency

services; impact on politics / public confidence services; impact on politics / public confidence

(22)

Business Continuity Planning

•

• We need a plan:

We need a plan:

Î

to identify priorities based on business

need

Î

a dedicated team, distinct from the main

management team

Î

detailed recovery procedures against

likely disaster scenarios

Companies recover from disasters in

complex, unexpected ways ...

(23)

Business Continuity Planning

The chances of successful recovery:

•

• the backlog trap

the backlog trap

•

• the return to normal from a “system

the return to normal from a “system

down” takes 5 x the downtime period

--

if you are able to increase the

effective workflow rate by 25%

immediately

During recovery you must both recover and carry on normal activity – and deal with enquiries about “lost”

(24)

Business Continuity Planning

(Commercial) The chances of successful

recovery:

•

• the longer recovery takes the greater the

the longer recovery takes the greater the

chance of failure because of:

Î

Î loss of staff motivationloss of staff motivation

Î

Î customer defectioncustomer defection

Î

Î pressures on credit positionpressures on credit position •

• difficulty in getting credit from suppliersdifficulty in getting credit from suppliers

•

• difficulty in collecting debtsdifficulty in collecting debts

•

(25)

Business Continuity Planning

(National State) The chances of

successful recovery:

•

• the longer recovery takes the greater

the longer recovery takes the greater

the chance of failure because of:

Î

Loss of public confidence

Î

(26)

Business Continuity Planning

•

• Total instant recovery implies a fully

Total instant recovery implies a fully

duplicated set of computer and network

resources

–

plus instant mirroring

•

• Most people settle for less than that

Most people settle for less than that

–

you

have to decide how much less is

“acceptable”

•

• You can give different priorities to

You can give different priorities to

different parts of your organisation

(27)

Shape of Disaster

Profits

Time

Contribution of Contingency Plan..

(28)

Shape of Recovery

90% 90% Within 3 months Within 3 months 50% 50% Within 7 days Within 7 days 25% 25% Within 24 hrs Within 24 hrs 10% 10% Within 2 hrs Within 2 hrs

Levels of

Functionality

by time

What you can achieve What you can achieve

is a function of how is a function of how much you spend, how much you spend, how wisely you spend, and wisely you spend, and the quality of your plan the quality of your plan

(29)

Managing the Recovery

•

• Dedicated team reporting to top

Dedicated team reporting to top

management (top management need to

concentrate on welfare of organisation as

a whole, not the detail of recovery)

•

• IT, telecoms

IT, telecoms

•

• buildings facilities

buildings facilities

•

• human resources

human resources

•

• legal

legal

•

(30)

Business Continuity Planning

Detailed recovery procedures against likely

disaster scenarios

•

• buildings

buildings

•

• equipment

equipment

Î Î officeoffice Î Î computerscomputers Î Î telecomstelecoms Î Î machinerymachinery

•

• people

people

(31)

Disaster Recovery Facilities:

what the market can offer

•

• Computer Resources

Computer Resources

•

• Network Resources

Network Resources

•

• Resilient Web

Resilient Web

-

servers

•

(32)

Computer Disaster Facilities

•

• Instant RestartInstant Restart

Î

Î Fully duplicated systems Fully duplicated systems –– very high costsvery high costs •

• Hot restartHot restart

Î

Î (A few hours): Stand(A few hours): Stand--by systems, updated by systems, updated

configuration information plus up

configuration information plus up--toto--date backdate back--up, plus up, plus technical support

technical support •

• Warm restartWarm restart

Î

Î (24(24--48 hours) Stand48 hours) Stand--by systems, may require specific by systems, may require specific

configuration information plus up

configuration information plus up--toto--date backdate back--upup

•

• Cold restart Cold restart

Î

Î (48 + hours) Stand(48 + hours) Stand--by system of agreed specification, by system of agreed specification,

but no pre

(33)

Computer Disaster Facilities

•

• Hot restart

Hot restart

•

• Warm restart

Warm restart

•

• Cold restart

Cold restart

These are based on the nation of facilities shared

between a number of clients and in the hope that

only one at a time will need them:

Î

Î Ratio of facilities to potential usersRatio of facilities to potential users

Î

Î How does this fit in with your disaster scenario?How does this fit in with your disaster scenario?

If your system is very large or unusual you

may not be able to get commercial standby facilities

(34)

Network Recovery Facilities

•

• Dual Source / Routing supplyDual Source / Routing supply

•

• Your own infrastructure facilities: switches, Your own infrastructure facilities: switches, modems, telecommunications hubs etc: you modems, telecommunications hubs etc: you

need to have documents for potential emergency need to have documents for potential emergency configurations

configurations –– plans to operate from alternate plans to operate from alternate premises

premises

•

• Unless the network supplier is also hit by a Unless the network supplier is also hit by a catastrophe, purchasing additional capacity catastrophe, purchasing additional capacity should be relatively easy

should be relatively easy

•

• If you are a very large customer you may need to If you are a very large customer you may need to make enquiries about “upstream” facilities

(35)

Resilient Web

-

Servers

•

• Problems:

Problems:

Î

Î Likely attack is via Likely attack is via DDoS DDoS / / Botnets Botnets or poisoned or poisoned

addressing/routeing

addressing/routeing Î

Î If you change the IP address of If you change the IP address of uyour uyour webweb-

-server, customers will not be able to find it.

server, customers will not be able to find it.

(Or when they do, so will the attackers)

•

• Solutions:

Solutions:

Î

Î distributed computing platform for global distributed computing platform for global

Internet

Internet content and application deliverycontent and application delivery

Î

(36)

Particular Problems for Nation States

•

• Reliance on Out

Reliance on Out

-

sourcing

Î

Î Failure of Government ServiceFailure of Government Service

Î

Î Overload of Government Information facility Overload of Government Information facility

during a disaster

during a disaster Î

Î What does contract say? What compensation What does contract say? What compensation

for loss of service?

for loss of service? Î

Î If outIf out--sourcer sourcer fails, can government tale over?fails, can government tale over?

•

• Contractual issuesContractual issues

•

(37)

Particular Problems for Nation States

•

• How to manage?How to manage?

•

• Legal bases / authorityLegal bases / authority

•

• Is this a job for the military or civilian parts of Is this a job for the military or civilian parts of government?

government?

•

• How, and how far, is political control exercised?How, and how far, is political control exercised?

Î

Î Political, democratic accountabilityPolitical, democratic accountability

•

(38)

Particular Problems for Nation States

•

• Public Private Partnerships

Public Private Partnerships

Î

Î Much of the CII / CNI is in private ownership Much of the CII / CNI is in private ownership

but provides services the public rely on

but provides services the public rely on Î

Î How far can a Government require a CII/CNI How far can a Government require a CII/CNI

business to plan to serve a broad public safety

agenda

agenda –– as opposed to protecting as opposed to protecting revenue/profit?

revenue/profit? Î

(39)

International Contingency Plans

•

• Most “international” work relates to law

Most “international” work relates to law

enforcement

–

CoE Cybercrime

Treaty

•

• Almost nothing is being done on

Almost nothing is being done on

international contingency plans

–

any

required action would be completely ad

hoc

Î

Î Many countries have yet to determine their Many countries have yet to determine their

own

own cybersecurity cybersecurity and cyber contingency plan and cyber contingency plan strategies

(40)

Finally

•

• Contingency Plans are essential becauseContingency Plans are essential because

Î

Î some attacks will succeedsome attacks will succeed

Î

Î You will not know who is attacking and you You will not know who is attacking and you

cannot therefore deter by threat of retaliation

•

• The chances of successful recovery have no The chances of successful recovery have no connection with your vulnerability to being hit connection with your vulnerability to being hit

•

• You need to understand the spread risk –You need to understand the spread risk – the the extent to which an initial event may propagate extent to which an initial event may propagate

•

• You need to prioritise what you want to recover You need to prioritise what you want to recover and at what speed

and at what speed

•

• You need a great deal of pre-You need a great deal of pre-planningplanning

•

(41)

22

22 --23 September, 2010, Hotel La Plaza, Brussels, Belgium23 September, 2010, Hotel La Plaza, Brussels, Belgium