Critical Infrastructure Protection

Essential infrastructures produce vital benefits and services, upon which various sectors of our society depend. Our professional and experienced groups comprehend the risks to these infrastructures arising from natural and man-made calamities. While the Department of Homeland Security has identified 18 critical infrastructures resources that must be safeguarded, most of these assets are owned by the private sector.

It is critical that you have a security expert to assess your risk and create risk-reduction measures for your company. Your clients rely on this important infrastructure; therefore, it is necessary to undertake procedures to avert and properly adapt to any hazard that may adversely impact your vital resources.

According to your expectations from our company, we will undertake some or all of the steps below in order to safeguard your crucial infrastructure.

·  Evaluation: Determine the risk connected with the vital infrastructure and what is extremely significant to attaining goals and final success.

·  Analysis: Pinpoint the weaknesses, as well as their interconnection with internal or external vital resources.

·  Pre-Mitigation: Execute preventive steps and measures to reduce direct risks. This process may include physical and cyber-based expertise and resources-strengthening before an incident transpires.

·  Mitigation: Offer complete and lasting solutions to mitigate and/or remove the identified threats.

·  Implementation: Assure that the reduction strategy is being undertaken in a way that is conducive to security requirements and guidelines.

·  Incident Response: Create programs and measures to remove additional threats or the cause of an existing problem.

Winter weather has taken its toll on both sides the US and Canadian border.  One utility that has taken it in the chops from all the ice and snow has been electric companies that provide services to businesses and individuals.  Now this wasn't the only time that there have been electrical outages due to severe weather.  Power outages have become rather routine when severe weather hits.  The question is, "How much mitigation do you want to invest in to reduce the impact of outages?"

The above is the theme from a Toronto Glob editorial, see the ice storm: Why you want the lights to go out, sometimes in the piece they call attention to the fact that you can't mitigate every risk.  The costs to do so would be too high.  Thus, the focus on risk management: Dyman & Associates Risk Management Projects: Cyber Security

"What is risk? You can look here; it is the odds of suffering a loss in the future. It is a cost. And what about the reduction or elimination of that risk? Also a cost. In deciding whether to pay the price, utilities – and all of us – end up having to weigh three factors: the size of the possible damage, the likelihood of its occurrence, and the price of mitigation."

Risk management will become a greater part of the discussion as we move forward and the warming climate starts to impact our communities in varying ways.  This will be a good discussion for communities to have.  One way to reduce risk is to disperse it in the entire community (whole community).  If individuals are better prepared than the costs for organizations can be lessened, and costs of single entity preparedness reduced. Check out the post right here…

In late May, online security firm Trusteer, an IBM company, raised alarms about a new online banking Trojan it calls Zberp. According to Trusteer, more than 450 global banking institutions in the U.S., the United Kingdom and Australia have been targeted by this malware strain, which combines features from Zeus and Carberp, two well-documented banking Trojans.

Just days earlier, global cyber-intelligence firm IntelCrawler warned of new point-of-sale malware known as Nemanja, which had reportedly infected retailers in nearly 40 countries.

And news about recent evolutions in the mobile malware strain known as Svpeng also has caused concern. In May, Svpeng was found to have evolved from merely a banking Trojan to a malware strain equipped with a dual ransomware feature (see New Ransomware Targets Mobile).

But with so many alerts about new and emerging malware strains and attacks, how should banking institutions respond? It's a growing challenge for information and security risk officers because one of the keys to mitigating cyber-risks is differentiating new threats from older ones.

What's Real?

While banking institutions have to take all emerging threats seriously, they should take most alerts issued by security vendors in stride, says financial fraud expert Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovations.

"It's mostly hype," he says. "Every time a new threat shows up in the media, this is the first filter I run. More often than not, there's a vendor or two behind all the excitement."

The influx of warnings from security firms about new malware strains has bred unnecessary concern for some banking institutions, says Andreas Baumhof, chief technology officer at malware research firm ThreatMetrix. In most cases, existing detection systems will raise flags, even when new variants of malware are detected on a network or believed to have infected an end-user's device, he says.

Pointing to the most recent announcement about Zberp, Baumhof says banks and credit unions should not rush out to invest in new detection and defensive technologies.

"There is nothing new for this Trojan," he says. Most banks' and credit unions' existing online defenses are equipped to detect Zberp and other Zeus variants, he contends.

Advice for Banking Institutions

Analysts recommend banking institutions maintain ongoing dialogues with their core service providers and vendors about the latest threats, and ensure they adequately vet new providers and vendors before signing on for service.

Among their other top recommendations:

Understand how existing detection and threat-mitigation solutions are equipped to defend the network. "There is no 100 percent solution, but banks need to understand their exposure and current capabilities before they rush to react," to alerts about new attacks, says Al Pascual, who heads up the fraud and security practice for consultancy Javelin Strategy & Research.

Put the onus on service providers and security vendors to send out notifications of possible risks, says Shirley Inscoe, a financial fraud expert and analyst for consultancy Aite.

Always get second and third opinions before revamping a system or solution. "Always get multiple bids, research the suppliers with independent parties, such as industry analysts and vendor-neutral consultants, and check with peers," Ontrack's Wills says.

Ensure the IT and security teams have strategies in place for comprehensive risk assessments. "Refresh it [the risk assessment] at least once or twice a year to keep it current - the more often, the better," Wills says. "That way, you can make sure that any solution you buy makes sense in the context of your own company's unique threat and vulnerability landscape, and not some generic landscape. It's quite easy to buy security products that you don't really need."