Business Continuity Planning

The Latest

14 June 2022: Meeting transcription company Otter.ai has enabled two-factor authentication on all its plans, securing all accounts at no additional cost to subscribers. Users enter their password plus a verification code generated by an authenticator app. US and Canada subscribers on the Business and Enterprise plans also have the option of receiving the code via SMS.

Why it’s Important

IBRS recently published an advisory on the risk of exposing critical and confidential information from recorded meetings stored by call recording platforms that lack security controls. Otter.ai’s added security layer is a welcome development in a market where a growing number of transcription platforms have yet to integrate multi-factor authentication, or offer it only on their more expensive plans. One caveat for subscribers choosing between the two delivery options: the authenticator app should be preferred over SMS, which is exposed to SIM-swap and interception attacks. With more software developers entering the call recording industry, these enterprises must take a risk-based approach to adding security features to their Cloud infrastructure, such as encrypting all recordings and limiting users’ ability to share recordings to other platforms or download them to their personal devices.

Who’s impacted

  • End user computing/digital workplace teams
  • Cyber security teams
  • IT teams

What’s Next?

  • Organisations must put in place governance requirements that identify which enterprise meetings can be recorded, stored, shared and transcribed.
  • Enterprises must also review potential vendors’ security layers and only purchase recording solutions that support multi-factor authentication for all users.
  • Organisation-wide training must be delivered to ensure all staff are aware of the risks associated with the use of recording platforms.

Related IBRS Advisory

  1. A Disaster Waiting to Happen – Meeting Recording Solutions
  2. Modern telephony: Considerations
  3. Is it safe to use Zoom?

The Latest

28 October 2021: The US Senate voted unanimously to pass the Secure Equipment Act, which bars Huawei and ZTE from supplying equipment to US enterprises on national security grounds. Once signed by President Joe Biden, the Act prevents the Federal Communications Commission (FCC) from granting equipment authorisations to companies on its ‘Covered Equipment or Services List’. A few days earlier, the Federal Bureau of Investigation (FBI) raided PAX Technology's Jacksonville warehouse following reports that the Chinese manufacturer's point-of-sale (PoS) terminals were allegedly transmitting malware.

Why it’s Important

As a member of Five Eyes (FVEY), the alliance of Australia, Canada, New Zealand, the UK and the US for joint cooperation in signals, military and human intelligence, Australia has previously followed the US in restricting the domestic presence of suspect foreign tech companies on national security grounds.

  • Australia blacklisted Huawei and ZTE in 2018 from selling 5G equipment. The two firms vehemently denied the accusations of espionage over high-speed mobile networks and called the ban discriminatory, noting that they had offered a no-backdoor agreement.
  • In the same year, the Australian Defence Department banned the messaging and payment app WeChat from its networks and mobile devices because it did not meet the department’s standards, though not explicitly because of security and privacy issues.
  • In late October 2021, PoS terminals from PAX were detected sending anomalous network traffic, which has led to formal requests to replace the equipment on security grounds.

The fundamental issue here is supply chain security: the ability of nation-state actors to inject spyware (or other malware) into equipment that is in broad use globally. Even where the security risks have not been validated, the potential remains. It must also be noted that, in the recent past, allies of Australia have engaged in such activities.

With the US shaping the current geopolitics of global telecommunications, sweeping impacts on the global supply chain and reduced competition in the market are likely.

IBRS expects this technology supply spat to expand into areas outside telecommunications, such as industrial control systems and PoS. Any widespread technology that can be used to impact or monitor aspects of a national economy is a likely target.

Who’s impacted

  • Telecommunications procurement

What’s Next?

For organisations considering foreign-manufactured tech products and services, look more closely at the implications of selecting such equipment or platforms. While there is still no public evidence on the credibility of the allegations against specific state actors, senior leaders must weigh the security concerns and decide which risks their organisation is willing to accept when selecting any vendor.

In addition to the security risks, there are reputational risks, and the risks and costs of having to replace key solutions, as is the case with the PAX PoS hardware.

Related IBRS Advisory

  1. Choosing Huawei could be risky - but not why you think
  2. Are you FRUSTRATED with procurement? Why procurement often goes off the rails

The Latest

29 April 2021: Microsoft briefed analysts on its expansion of Azure data centres throughout Asia. By the end of 2021, Microsoft will have multiple availability zones in every market where it has a data centre.

The expansion is driven in part by a need for additional Cloud capacity to meet greenfield growth. Each new availability zone is, in effect, an additional data centre of Cloud services capability.

However, the true focus is on providing existing Azure clients with expanded options for deploying services over multiple zones within a country.  

Microsoft expects to see strong growth in organisations re-architecting solutions that had been deployed to the Cloud through a simple ‘lift and shift’ approach to take advantage of the resilience granted by multiple zones. Of course, there is a corresponding uplift in revenue for Microsoft as more clients take up multiple availability zones.

Why it’s Important

While there is an argument that moving workloads to Cloud services, such as Azure, has the potential to improve service levels and availability, the reality is that Cloud data centres do fail. Both AWS and Microsoft Azure have seen outages in their Sydney, Australia data centres. What history shows is that organisations that had adopted a multiple availability zone architecture tended to see minimal, if any, operational impact when a Cloud data centre went down.

It is clear that a multiple availability zone approach is essential for any mission critical application in the Cloud. However, such applications are often geographically bound by compliance or legislative requirements. By adding additional availability zones within countries throughout the region, Microsoft is removing a barrier for migrating critical applications to the Cloud, as well as driving more revenue from existing clients.

Who’s impacted

  • Cloud architecture teams
  • Cloud cost / procurement teams

What’s Next?

Multiple availability zone architecture should be considered on the basis of future business resilience in the Cloud. It is not the same thing as ‘a hot disaster recovery site’: availability zones sit within a single region, so they protect against the failure of one data centre but not against a region-wide or account-level event, which still needs a separate disaster recovery plan. Multiple availability zones should be viewed as a foundational design consideration for Cloud migrations.

Related IBRS Advisory

  1. VENDORiQ: Amazon Lowers Storage Costs… But at What Cost?
  2. Vendor Lock-in Using Cloud: Golden Handcuffs or Ball and Chain?
  3. Running IT-as-a-Service Part 49: The case for hybrid Cloud migration

The Latest

18 March 2021: Veeam released a report which suggests that 58% of backups fail. After validating these claims, and from the direct experiences of our advisors who have been CIOs or infrastructure managers in previous years, IBRS accepts there is merit in Veeam’s claim.

The real question is, what to do about it, other than buying into Veeam’s sales pitch that its backups give greater reliability?

Why it’s Important

Sophisticated ransomware attacks are on the rise. So much so that IBRS issued a special alert on the increasing risks in late March 2021. Such ransomware attacks specifically target backup repositories. This means creating disconnected, or highly-protected backups is more important than ever. The only guarantee for recovery from ransomware is a combination of well-structured backups, coupled with a well-rehearsed cyber incident response plan. 

However, protecting the backups is only useful if those backups can be recovered. IBRS estimates around 10-12% of backups fail to fully recover, which is measuring a slightly different, but more important situation than touted by Veeam. Even so, this failure rate is still far too high, given heightened risk from financially-motivated ransomware attacks.

Who’s impacted

  • CIO
  • Risk Officers reporting to the board
  • CISO
  • Infrastructure leads

What’s Next?

IBRS has identified that better practice for backup must include regular, unannounced practice runs recovering critical systems from backups. These tests should simulate, as closely as possible, the events that could lead to a recovery situation: critical system failure, malicious insider activity and ransomware. Just as organisations need to rehearse cyber incident responses, they also need to thoroughly test their recovery regime, and a restore is only a pass when the recovered data is verified against what was backed up, not merely when the job reports success.
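One concrete form of the recovery test described above is to record a manifest of file digests at backup time and compare a test restore against it, so that silent failures (missing, truncated or corrupted files) are detected rather than assumed absent. The block below is an added example written for this page, not IBRS's or Veeam's code; the files, the "bad media" restore and the temporary directory layout are constructed for illustration.

```python
"""Added example: manifest-based verification of a test restore, the check a
recovery drill should end with. Not code from IBRS or Veeam."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record every regular file under root with its size and SHA-256 digest.
    The manifest must be stored separately from (and as protected as) the backup."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest and report discrepancies.
    'recoverable' is True only when every expected file is present and intact."""
    report = {"ok": [], "missing": [], "corrupted": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        # Size is a cheap first check; the digest catches same-size corruption.
        if p.stat().st_size != expected["size"] or sha256_of(p) != expected["sha256"]:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    for p in restored.rglob("*"):
        if p.is_file() and p.relative_to(restored).as_posix() not in manifest:
            report["unexpected"].append(p.relative_to(restored).as_posix())
    report["recoverable"] = not report["missing"] and not report["corrupted"]
    return report


def run_drill() -> dict:
    """Constructed scenario: back up three files, then 'restore' a copy in which
    one file is truncated and another is absent, and verify the result."""
    work = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    try:
        src = work / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1,'acme');\n" * 100)
        (src / "config.yaml").write_text("service: billing\nreplicas: 3\n")
        (src / "keys.pem").write_bytes(os.urandom(256))
        manifest = build_manifest(src)

        restored = work / "restored"
        shutil.copytree(src, restored)
        # Simulate partly bad media: a truncated dump and a lost key file.
        (restored / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1,'acme');\n" * 60)
        (restored / "keys.pem").unlink()
        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

The same verify step applies to an application-level restore (for example a database dump restored into a scratch instance and row counts or checksums compared), and the drill is only meaningful when the restore target is isolated from the production backup repository, so that a ransomware rehearsal cannot touch the copy you are relying on.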

Related IBRS Advisory

  1. Maintaining disaster recovery plans
  2. Ransomware: Don’t just defend, plan to recover
  3. Running IT-as-a-Service Part 59: Recovery from ransomware attacks
  4. Ransomware, to pay or not to pay?
  5. ICT disaster recovery plan challenges
  6. Testing your business continuity plan

The Latest

28 March 2021: AWS has a history of periodically lowering the costs of storage. But even with this typical behaviour, its recent announcement of an elastic storage option that shaves 47% off current service prices is impressive. Or is it?

The first thing to realise is that the touted savings are not apples for apples. AWS’s new storage offering is cheaper because it resides in a single-zone, rather than being replicated across multiple zones. In short, the storage has a higher risk of being unavailable, or even being lost by an outright failure. 

Why it’s Important

AWS has not hidden this difference. It makes it clear that the lower cost comes from less redundancy. Yet this architectural nuance may be overlooked when looking at ways to optimise Cloud costs.

One of the major benefits of moving to Platform-as-a-Service offerings is the increased resilience and availability of the architecture. Cloud vendors, including AWS, do suffer periodic failures within zones. Examples include the AWS Sydney outage in early 2020 and the Sydney outage in 2016, which impacted banking and e-commerce services.

But it is important to note that even though some of Australia’s top companies were effectively taken offline by the 2016 outage, others sailed on as if little had happened. The difference lay in how these companies had leveraged the redundancies available within Cloud platforms: those that saw little impact to operations when AWS Sydney went down had built redundancy into all layers of their solutions.

Who’s impacted

  • Cloud architects
  • Cloud cost/contract specialists
  • Applications architects
  • Procurement leads

What’s Next?

The lesson from previous Australian AWS outages is that organisations need to carefully match the level of redundancy they pay for to the downtime risk each specific application can tolerate. This announcement shows that significant savings (in this case 47%) are possible by accepting a greater risk profile. However, while this may be attractive from a pure cost optimisation/procurement perspective, it needs to be tempered with an analysis of the worst case scenario, such as multiple banks being unable to process credit card payments in supermarkets for an extended period.

Related IBRS Advisory

  1. VENDORiQ: AWS second data centre in Australia
  2. Post COVID-19: Four new BCP considerations
  3. Running IT-as-a-Service Part 55: IBRS Infrastructure Maturity Model

The Latest

27 March 2021: Google has announced programs with two US-based insurance companies where clients taking up Google Cloud Platform security capabilities will receive discounts on cyber insurance premiums. 

Why it’s Important

The number of serious cyber incidents is increasing and insurance premiums in the US have tripled over the last two years. Having a cyber incident response plan in place helps mitigate the risks and reduces recovery time from a cyber incident, and it also contributes to lowering the premium for cyber insurance. It is akin to fitting window locks to a house, which lowers insurance premiums in certain circumstances.

Google’s security posture, threat assessment services and incident management services are judged sufficient both to reduce the frequency of security incidents and to lessen their impact. Insurance actuaries see the benefit of such services and have determined that the lower risk and stronger risk mitigation profiles justify savings.

Notwithstanding any special programs brokered between Cloud vendors and insurers, being able to demonstrate both a strong security posture and, importantly, an incident response plan will drive down an organisation's premiums, especially as insurance companies are inserting their own teams into incident response situations. 

Who’s Impacted

  • CIO
  • Development team leads
  • Business analysts

What’s Next?

If not already done, organisations should undertake a cyber risk assessment and implement a cyber incident response plan backed by appropriate cyber insurance. 

Related IBRS Advisory

  1. Improving Your Organisation’s Cyber Resilience
  2. Incident Response Planning: More Than Dealing with Cyber Security Breaches and Outages
  3. How Does Your Organisation Manage Cyber Supply Chain Risk?
  4. Why You Need a Security Operations Centre

The Latest

16 February 2021: Veeam continues to expand its footprint across the hyperscale Cloud vendors with the introduction of Veeam Backup for Google Cloud Platform. This follows its December 2020 announcement of the general availability of AWS v3 Backup and Azure v4 Backup. As a result, Veeam now provides backup and recovery capabilities across, and just as importantly between, the three major hyperscale Cloud vendors.

Why it’s Important

During a briefing with IBRS, Veeam detailed its strong growth in the Asia Pacific region. It also discussed its strategy for providing backup and recovery capabilities over the major hyperscale Cloud services: Azure, AWS and Google. Demand for Cloud backup and recovery is growing as organisations recognise that adopting hybrid Cloud (the most likely future state for many) demands more consistent and consolidated approaches to management, including backup and migration of data between Clouds. VMware is seeing growth in its hybrid Cloud management capabilities as well, and the synergy between Veeam and VMware products is no coincidence.

Who’s Impacted

  • Cloud architects
  • Business continuity teams

What’s Next?

Backing up Cloud resources appears to be a simple process. Taken service by service, this might be true. In reality, however, backup becomes increasingly challenging: as more applications are made up of a myriad of components, the ecosystem of solutions evolves rapidly, and data recovery and restoration become correspondingly more complex. This is further exacerbated by the growing adoption of hybrid Cloud.

Organisations need to explore backup and recovery based on not only current state Cloud architecture, but possible migration between Cloud services and where different integrated applications reside on different Cloud platforms.

Related IBRS Advisory

The Latest

14 December 2020: FireEye announced it had been breached. An extremely comprehensive overview is available from FireEye. This blog post includes timelines, technical recommendations, and IoCs (indicators of compromise). 

FireEye, a company that exists to track and thwart advanced and persistent adversaries, was itself compromised by an advanced and persistent adversary. FireEye was compromised through a product from SolarWinds. 

What now?

There are four main areas worth exploring. 

1) Check your SolarWinds instance(s) 

The FireEye blog post includes instructions for what to look for. Good asset management will be useful in this verification process. One CISO noted they found an unmaintained SolarWinds instance in one of their OT environments. 

A core lesson that many security executives drew from the MobileIron vulnerability (CVE-2020-15505) was that anything an organisation has that is internet facing needs to consistently receive critical patches quickly, even out of cycle. 

This requires not only a process to identify critical patches, but also that the process actually be executed. Citrix, VPNs, staff home routers (see FF no.02), and now MDMs have all been leveraged this year for compromise. Everything is up for grabs, so anything internet facing needs to be aggressively maintained. This relates to patching, but also to asset management.

Further, it's an opportunity to review privilege. Just because a product can do something doesn't mean it should. Does SolarWinds really need to talk to the Internet? A management product that has been backdoored still has to reach its operator, and technical controls like host firewalls with an explicit egress allow-list and properly profiled application allow-listing will significantly frustrate an adversary in this scenario. It’s a great example of where a zero trust architecture would make a big difference.
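The question "does it really need to talk to the Internet?" can be answered from the host's own outbound flow records. The block below is an added example written for this page, not code from FireEye, SolarWinds or IBRS: it compares a management server's outbound flows with an explicit allow-list, summarises anything outside it (repeated, low-volume contact with one external endpoint is the shape of beaconing), and emits the nftables host-firewall rules that would enforce the same allow-list as a default-deny egress policy. The server address, policy, vendor endpoint and log lines are all constructed for illustration and use TEST-NET ranges.

```python
"""Added example: egress allow-list audit for a management host over constructed
flow-log lines, plus the matching host-firewall policy. Not vendor code."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical monitoring server and what it legitimately needs to reach:
# the internal ranges it polls plus one vendor update endpoint over HTTPS.
MGMT_HOST = ipaddress.ip_address("10.20.30.40")
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ALLOWED_ENDPOINTS = {(ipaddress.ip_address("203.0.113.10"), 443)}  # placeholder update host

# Constructed firewall flow log: timestamp src dst dport proto bytes
FLOW_LOG = """\
2020-12-14T02:11:05Z 10.20.30.40 10.1.4.7 161 udp 1820
2020-12-14T02:11:09Z 10.20.30.40 192.168.5.20 22 tcp 9041
2020-12-14T02:12:31Z 10.20.30.40 203.0.113.10 443 tcp 120334
2020-12-14T02:14:02Z 10.20.30.40 198.51.100.77 443 tcp 2210
2020-12-14T02:26:45Z 10.20.30.40 198.51.100.77 443 tcp 2198
2020-12-14T02:30:10Z 10.1.4.7 10.20.30.40 8443 tcp 550
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto, int(nbytes)))
    return flows


def is_allowed(dst, dport: int) -> bool:
    return any(dst in net for net in ALLOWED_NETS) or (dst, dport) in ALLOWED_ENDPOINTS


def egress_violations(flows: list, host=MGMT_HOST) -> list:
    """Outbound flows from host to destinations outside the allow-list.
    Inbound flows to the host are ignored: this audit is about egress only."""
    return [f for f in flows if f.src == host and not is_allowed(f.dst, f.dport)]


def summarise(violations: list) -> dict:
    """Group violations per (dst, port) with count, volume and first/last seen."""
    out = defaultdict(lambda: {"count": 0, "bytes": 0, "first": None, "last": None})
    for f in violations:
        s = out[(str(f.dst), f.dport)]
        s["count"] += 1
        s["bytes"] += f.nbytes
        s["first"] = f.ts if s["first"] is None else min(s["first"], f.ts)
        s["last"] = f.ts if s["last"] is None else max(s["last"], f.ts)
    return dict(out)


def nft_ruleset() -> str:
    """nftables output chain enforcing the allow-list: everything not listed is dropped."""
    lines = ["table inet egress {", "  chain output {",
             "    type filter hook output priority 0; policy drop;",
             "    oif lo accept",
             "    ct state established,related accept"]
    for net in ALLOWED_NETS:
        lines.append(f"    ip daddr {net} accept")
    for ip, port in sorted(ALLOWED_ENDPOINTS):
        lines.append(f"    ip daddr {ip} tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    bad = egress_violations(parse_flows(FLOW_LOG))
    for (dst, port), s in summarise(bad).items():
        print(f"unexpected egress to {dst}:{port} x{s['count']} "
              f"({s['bytes']} bytes) {s['first']}..{s['last']}")
    print(nft_ruleset())
```

The generated ruleset allows replies to inbound connections and DNS only to resolvers inside the allowed internal ranges; if the product needs a vendor endpoint that is only known by hostname, resolve it through a proxy that enforces the allow-list by name rather than opening port 443 to the world.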

2) Organised crime 

The ACSC has noted that once a vulnerability is disclosed, threat actors can develop an exploit within 48 hours. We've seen this timeline achieved this year, with both F5 and MobileIron vulnerabilities. Now that the advanced and persistent actor has been ejected from FireEye (and hopefully from SolarWinds) it could be a matter of time before organised crime tries to exploit unpatched SolarWinds instances. 

FireEye will recover, and have an even better story to tell. At this early stage it seems that FireEye was the last target compromised by this adversary, and probably compromised for the shortest duration before the adversary was detected and ejected. It sounds like FireEye was targeted as a source for further intel on government agencies.  

I've got no evidence for this, but I wouldn't be surprised if FireEye was the last, trophy, "let's see if we can do this" target. 

3) Supply chain

The critical point about FireEye being breached is that it bears out what industry has been saying for years: "it's not if, it's when". What matters after bang (or 'right of bang') is how the organisation responds, and FireEye is giving a master class in how to respond. But FireEye is only able to do this on the back of years of refining its art.

However, going left of bang will encourage technology and security executives to look at their supply chain. What other products have access to systems, data and privileges that would be a nightmare if you did not have sole occupancy?

What other software has pervasive access like SolarWinds? What protocols are my service providers following when they use tools like SolarWinds on my environment? We cannot boil the ocean but, as Kevin Mandia said at a CISO Lens gathering in 2016, "protect most what matters most". 

4) Cyber insurance

I've not heard anyone talking about cyber insurance regarding this whole hostile campaign. It seems inevitable that public attribution will end up pointing to a particular nation. If this is the case, many insurers will likely point to exclusion clauses (for acts of war or nation-state activity) that relieve them of liability for the resulting costs.

If you have cyber insurance, it may be worth getting a position from your insurer on whether you would have been able to make a claim against your policy if your organisation had been compromised.

The Latest

8 Dec 2020: Veeam announced the general availability of AWS v3 Backup. This is timely, given the continuing growth of multi-faceted Cloud applications built on AWS that need backup and disaster recovery solutions.

Veeam offers automated backup and disaster recovery solutions that provide additional protection and management capabilities for Amazon EC2 and Amazon RDS. There are two options to consider:

  • Veeam Backup for AWS - protects data housed on AWS using its standalone AWS backup and recovery solution.
  • Veeam Backup & Replication™ - safeguards and consolidates AWS backup and recovery with another Cloud, virtual or physical, across different Cloud platforms with unlimited data portability. 

Why it’s Important

Cloud backups are no longer optional. Staying competitive now requires additional redundancy and security, ensuring that important data is available and retrievable if and when disasters strike.

Backing up Cloud resources appears to be a simple process. Taken service by service, this might be true. In reality, however, backup becomes increasingly challenging: as more applications are made up of a myriad of components, the ecosystem of solutions evolves rapidly, and data recovery and restoration become correspondingly more complex.

Who’s Impacted

  • Cloud architects
  • Business continuity teams

What’s Next?

Tech management should explore which Cloud services, both IaaS and SaaS, need to be backed up, establish strategies, and choose the appropriate interplay between these services. Where Cloud usage is growing, or growth is forecast, evaluate how the services can be backed up reliably. This depends on knowing beforehand which components matter and how they would be reconstructed into a recovered state if needed.

Related IBRS Advisory

IBRS advisor Dr Wissam Raffoul, who specialises in transforming IT groups into service organisations, said legacy tech stacks had a lot of 'single points of failure' which could bring whole systems to their knees.


Conclusion: COVID-19 has already had severe global impacts, even though the total impact is yet to be fully dimensioned. Further restrictions are foreseen in Australia. Its implications will be long term: it will disrupt the way we conduct business in future and the way we interact socially, and a ‘new normal’ will emerge. No business will be immune, and during this dislocation both challenges and opportunities will arise.

At IBRS we believe that it is critical to take the long view on how the crisis will evolve and be prepared for the waves of change which will follow.
