Monday, 18 August 2014

Organisational Resilience - yet another buzz word?

Businesses are usually in operation to make money and to deliver a service or provide a product.  Success requires many traits, and ensuring your business is dynamic, adaptive, efficient and cost-effective is a good starting point.  Who would want a business that is passive, rigid, ineffective and expensive?
The same is true of good management disciplines, recognised international standards and best practice.

So why don’t we evolve these disciplines and change the way in which we deploy them?  Adapt the methods by which we operate to one of ‘Organisational Resilience’: an all-encompassing, comprehensive management discipline that ‘ticks all the right boxes’ and provides success, growth, strength, security and a return on our investment.

Within my industry, there has long been an ongoing discussion and debate regarding the future of Business Continuity and whether or not ‘Organisational Resilience’ is the way forward.  The fact that we are still not getting a concrete answer could be the answer itself.  Yet again I’m hearing the phrase being more commonly discussed, and I thought I would consider my own opinions on the topic and open this up for further discussion.

Is ‘Organisational Resilience’ just another buzzword being bandied around, a way to help ensure professionals in the field are seen as a valuable commodity and retained in employment, or is this the direction we should be focusing on to ensure we can continually drive our business forward and improve the way in which we operate?

Reviewing many online discussions and papers on the subject, I’ve not been able to find a conclusive shared understanding.  The topic seems to divide industry experts into two clear camps: those who believe in change and think that Organisational Resilience is the future of similarly aligned management systems, and those who firmly disagree, believing each discipline is unique in its own right and should remain so.

Each management discipline has an important part to play and requires a range of skills, expertise and experience to implement and manage successfully.  Simply reading a book or passing an exam doesn’t mean you’re qualified.  When I look at many of my well-respected peers in the industry, they’ve earned my respect and that of others because they’ve taken the time to learn about the subject and continually improve their level of understanding.  They’ve applied their knowledge in the field and, most importantly, have practical experience of helping to ensure an organisation has continuity measures in place; can respond to and handle an incident successfully; can assess and take mitigating action against risks; can help to ensure information is secure; and can continually adapt their approach to the changing needs of the business.

However, if we could learn the skills and gain the experience for each management discipline, could we not mould ourselves into something of ‘Superman’ status, able to look after the organisations we work for and within in a new, interesting and more dynamic way?  Or could this become too much of a risk, turning us into a ‘cowboy builder’, a ‘jack of all trades and master of none’?

So what are my thoughts on the subject?  I think we should review and assess the strengths and weaknesses of Organisational Resilience, and consider whether or not we should change the way in which we operate to allow change within these management disciplines.  After all, mainframe computers used to be the size of a house and now you can fit more processing power and storage within a system the size of a postage stamp!  Well, not quite, but I’m sure you can picture the comparison.  Disaster Recovery used to be about large backup tapes, old-fashioned media cartridges used to back up critical data, which would take an age to restore; now we have instant failover capabilities and extremely efficient recovery times.  Therefore, why not consider change for our management disciplines?  After all, change can be positive, but only when it’s done correctly, in the right circumstances and with the right skill sets and knowledge.

I attended a presentation recently about Business Continuity and change; a term I heard and liked was ‘adaptive resiliency’.  I’m not one who likes to use lots of acronyms and confusing terminology; after all, the old adage ‘KISS’ (keep it simple, stupid) is so true.  The focus should be on keeping it simple without losing the importance, quality and value that it brings to business activities.  Organisational Resilience is a strategic approach, a way of thinking, an objective to aim for.  It would combine the ‘doing’ activities of management streams that are already easily standardised, and move Business Continuity from being seen as an overhead or cost to the business to something that can facilitate revenue streams while continuing to protect our business.

Organisational Resilience can exist and should be encouraged, but as with all the management disciplines mentioned earlier, we need a standardised approach for implementing something that is strategically focused.  I would like to be able to deliver something that can truly be seen as a value-add activity, not something that’s seen like insurance, which we don’t like paying for until we actually need it, and then we’re grateful.  I would like to see improved collaboration of skills, utilising the expertise of others around you who have real practical experience of the disciplines, working together towards a single goal, not competing against each other but thinking about and understanding each other’s areas of expertise and combining efforts to build something truly special.  Moving to being more proactive than reactive will help us ensure money is efficiently spent and our organisations become more resilient.  So, is Organisational Resilience just another buzzword?  I don’t think so.  Do you?

Claire Phipps, MBCI

Monday, 4 August 2014

Can you ever look at USB sticks the same?

For years now many of us have benefited from the convenience of moving data easily between many systems and networks thanks to cheap and plentiful USB sticks, thumb drives and removable disks.  The array of USB devices has made floppy disks and CDs/DVDs almost redundant.  Until recently many of us gave little thought to sharing sticks with anyone, passing them around with little to no concern.  Not so long ago we would move data using floppy disks, 1.44MB at a time (if you were lucky); we moved on to Zip disks with a heady 100MB available, and when CDs and CD writers became cheaper we relished the delights of being able to move 650-700MB at a time on a single disk.  DVDs moved the bar up to 4.7GB, and even that paled into insignificance compared against USB thumb drives: 8GB, 16GB, 32GB, 64GB and beyond.  They were given away in varying sizes, cheap 256MB sticks still litter the backs of people’s drawers, and I’ll bet many marketing departments still covet their stock of branded sticks.  The convenience of the USB format has made PS/2 keyboard and mouse ports obsolete on most if not all recent computers.  USB is the port of choice for most peripherals, and that convenience and usability has a dark, fairly unexplored side that may make you reconsider how you use and share USB sticks and devices going forward.
The threat from USB sticks used to be limited to autorun malware that ran as soon as the stick was inserted into a vulnerable machine; many penetration testers have used this as an infection technique because it needed little to no user interaction.  Autorun for removable media has since been disabled by default on modern operating systems and anti-virus can detect that malware, but the new and emerging threat is potentially much worse and a bigger long-term threat.
At Black Hat 2014 two security researchers, Karsten Nohl and Jakob Lell, will present “BadUSB - On Accessories that Turn Evil”, research describing a new form of malware that resides in the USB device’s firmware, hidden from anti-virus scanners, that is capable of compromising the host and of spreading to other USB devices.
The new threat lies in the USB devices themselves.  Every USB stick contains a small controller chip that sits between the host and the flash memory: it handles the USB protocol, manages wear levelling and maps out blocks that have gone bad, so the flash behind it is somewhat larger than the advertised capacity and is never exposed directly to the host.  That controller runs firmware, and on many devices the firmware can be rewritten.  This is where the new threat resides: a reprogrammed controller can tell the host it is something other than a storage device, for example a keyboard, so that it can inject keystrokes, or a network adapter, so that it can redirect traffic and steal data; it can deliver malware from storage the host cannot see; and, the researchers argue, an infected host could in turn reflash other USB devices plugged into it.  Anti-virus software scans the files on the stick’s filesystem, not the controller’s firmware, so it has no way to check for this kind of compromise; a malicious device could remain dormant and kick into life without anyone being aware.
We cannot continue using USB sticks and devices across multiple machines without first giving thought to the threat and the risk: has the stick been compromised?  Where has it been and who has used it?  We will need to treat sticks and USB peripherals with more care, no longer accepting them from strangers, and more importantly we will need to identify new ways of securely disposing of old USB devices.  Their size and convenience have until now made them almost indispensable for storing and sharing information, so disposal needs to be a consideration.  How many companies have already suffered data loss from removable media?  Even when using caution we cannot guarantee data has been deleted from USB sticks; they need to be treated with much more concern, as the data they once held may be retrievable using simple tools and techniques.
As end users we need to protect our own USB sticks and devices, think about the ‘what if’ scenario and not be so willing to share them with all and sundry.  Data-less USB cables exist and are a good investment if, like many smartphone owners, you need to charge your phone from machines you do not control.  Do you want your smartphone and its stored data (photos, emails, contacts) stolen or damaged by the machines you plug it into?
In the meantime you can buy data-disabled USB cables to charge your smartphone without sharing data (intentionally or otherwise), as well as “USB condoms”, small adapters that create a similar data gap in an ordinary cable.
How long will it be before office shredders have a slot for USB sticks?  How do you dispose of your USB sticks when they become too small, too slow or broken?  What data breaches are around the corner from BadUSB?
I would recommend that old USB sticks are smashed with a hammer (outside, whilst wearing safety glasses) to ensure data cannot be retrieved; invest in a charge-only cable for your smartphone in less trustworthy environments; and be aware of the risk when the smiling stranger offers you their USB stick next time.
Jamie Duxbury, Senior Security Specialist