Our mission is to safeguard people, protect property, minimize business interruption, and protect reputations.

Our vision is to thoroughly understand each client’s business and become a long-term trusted adviser.

https://preparednessllc.com
info@preparednessllc.com

781.784.0672

Monday, December 31, 2018

Happy New Year

The New Year, A Time of Reflection and Anticipation


The early Roman calendar was created in the 8th century B.C. by Romulus, founder of Rome, consisting of 10 months and 304 days. Each New Year began at the vernal equinox as was tradition. 

Later, King Numa Pompilius added the months of Januarius and Februarius. Over the years the calendar fell out of sync with the sun.

In 46 BC, emperor Julius Caesar consulted with prominent astronomers and mathematicians to solve this problem. The Julian calendar, which closely resembles the more modern Gregorian calendar used today, was introduced.

Caesar instituted January 1st as the start of the New Year, honoring the month's namesake: Janus, the Roman God of beginnings and endings. The fitting significance of Janus' two faces allowed him to look back into the past and forward into the future.
_________________________________________

Looking back, here are events that occurred in 2018 causing widespread and significant impact:
  • Hurricanes Florence and Michael
  • Over-pressurized gas lines in Massachusetts that caused explosions, more than 60 fires, and months-long service interruption to 8,000 customers including many businesses
  • Data breaches of Facebook, Marriott/Starwood, and many others
  • Historic wildland fires in California
  • Reputations tarnished by product liability suits (Bayer/Monsanto) and privacy concerns (Facebook and others)
  • Geopolitical events including trade wars affecting the global supply chain and disinformation campaigns inciting the public discourse


Events thought to be "unexpected" are now clearly foreseeable. Preparing for events that threaten life, property (real, digital, and intellectual), business operations, reputations, and relationships with stakeholders is a New Year's resolution for every organization.

We continue to monitor events as they unfold and work towards building better international standards and practices for preparedness and resilience. 

Our goal has always been to help others understand the hazard, operational, and reputational risks that surround them and to implement plans and strategies.

We wish you all the best in 2019.





Thursday, December 27, 2018

Tips to Enhance Survival During an Active Shooter Incident


"Active Shooter" actor from a full-scale exercise
(photo by Preparedness, LLC)
Lieutenant Colonel (ret.) Mike Wood’s article “What cops need to tell their families about active shooters,” (PoliceOne.com) should be read by everyone venturing out into public.
  • Maintain situational awareness
  • Know where the exits are
  • Get off the floor
  • Don’t volunteer to be deaf and blind
  • Limit alcohol consumption in public
  • Have a plan
  • Be careful with your communication devices
  • Know how to act when the police arrive
  • Learn first aid basics
  • Be prepared

Personal preparedness is essential. When a hostile event unfolds, no one is going to direct you to exits, concealment, or cover. It’s up to you.

Organizations have a lot of work to do, too. Human resource practices, effective physical and operational security, threat detection, warning and communication systems, and many more elements of a preparedness program should be implemented. Read the Preparedness Bulletin “Acts of Violence” for detailed guidance.

Wednesday, November 28, 2018

Resilience


November is National Critical Infrastructure Security and Resilience Month. Critical infrastructure is the physical and cyber systems and assets that are so vital that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.

There are 16 critical infrastructure sectors including commercial facilities, manufacturing, financial services, food and agriculture, healthcare, information technology, transportation, communications, energy, emergency services, and more. Every organization depends on critical infrastructure and many are a part of, or support, the critical infrastructure sectors.

What is resilience?

You hear the word resilience more and more—often after a major disaster or utility outage. Merriam-Webster defines resilience as the “ability to recover from or adjust easily to misfortune or change.” Resilience is not a finish line, rather it is a continuous process that engages safety, security, human resources, operations, engineering, supply chain, IT, risk management, and others. It begins with identifying assets that are critical to the success of the organization—people, operations, facilities, supporting infrastructure and technologies, machinery and equipment, supply chain, and more. Resilience should also encompass reputation and relationships with stakeholders.

Resilience is a continuous process to gain and maintain a current understanding of:
  • threats, hazards, and perils that could impact life and physical, digital, intellectual, operational, and reputational assets,
  • operational criticalities (production or service delivery priorities),
  • vulnerabilities of assets and resources (weaknesses) that would make them more susceptible to damage or loss, and
  • potential impacts to life, property, operations, the environment, and the organization’s reputation and relationships with stakeholders.
Resilience also includes the development of strategies to manage risk and capabilities to promptly respond to and recover from whatever has happened.

What does it take to achieve resilience?

Since the risk environment is not static, continuous gathering of information and the development of actionable intelligence about credible threats, foreseeable hazards, and potential impacts to critical assets is essential. THIRA (threat and hazard identification and risk assessment) and BIA (business impact analysis) are the processes that engage internal and external experts to identify hazards, their probabilities of occurrence, and assets at risk; to evaluate the adequacy of prevention and mitigation capabilities; and to develop strategies for risk management.

Strategies for loss prevention, deterrence, and hazard mitigation should begin even before a building is built. By selecting a geographic site that has limited exposure to natural hazards and crime and one with reliable infrastructure and public safety services, the need and costs for building design, construction, redundant utilities, and on-site response capabilities may be reduced. Design and construction that is compliant with building codes and standards and industry best practices also can enhance resiliency. Periodic inspection, testing, and maintenance of protection systems and equipment are essential to ensure reliability.

Ongoing programs to manage risk are essential. Internal professionals including human resources manage employee risks through pre-employment screening, onboarding processes, threat assessment, critical employee backups, training, employee communications, and wellness programs.

Environmental, health and safety (EH&S) professionals partnering with human resources, operations, engineering, and others play an instrumental role with job hazard analysis, process safety, fire prevention, accident prevention, and environmental protection.
Security professionals and facilities management staff implement CPTED (crime prevention through environmental design) practices, surveillance and detection technologies, and operational security practices to deter, detect, and respond to potential threats. Communication and coordination with law enforcement is needed to promptly learn about developing threats and to increase security commensurate with the threat level.

EH&S professionals along with security, facilities, human resources and other staff must work together to develop and implement emergency response capabilities to safeguard employees, protect facilities, and prevent environmental contamination from the threats and hazards identified during the risk assessment.

Information Technology must manage the technology environment balancing access, efficiency, reliability, information security, and costs. Connectivity between internet service providers, worksites, networks, servers, and users must be reliable and have sufficient bandwidth to meet business needs. Digital information must be protected and promptly recoverable along with user applications to minimize production and service delays and unacceptable customer impacts. Information security laws require compliance. Conformity to standards and best practices for the protection of data centers and supporting infrastructure reduces exposure to loss and interruption. IT disaster recovery plans must be developed and tested to validate the ability to meet recovery time objectives.

Production managers and engineers must identify vulnerabilities in production methods, machinery and equipment, supporting infrastructure and technologies and develop strategies to overcome loss scenarios. Supply chain managers must continually assess the ability of suppliers to meet demand and logistics capabilities to deliver supplies where and when needed. Strategies for loss or damage to equipment, unavailability of essential personnel, and supply chain interruption must be developed.

Operations personnel, together with managers, supervisors, and others within the organization who possess institutional knowledge of operations and resources, must complete the business impact analysis and develop business continuity strategies and documented plans for use when critical processes are interrupted or required resources are unavailable.

Role of Leadership

Resilience is elusive because of the broad spectrum of hazard, operational, financial, and strategic risks. It can be fleeting because of the short duration of institutional memory and human nature that “it can’t happen to us” or “it will never happen again.” A concerted, ongoing effort is required to understand and manage risk. Ultimately, senior management must embrace resilience as a core value of the organization and strive to embed risk management within its culture.

Reaching a threshold of “resilience” means that the organization has a clear understanding of risk and has implemented controls to manage operational, financial, and reputational risk to an acceptable level. Compliance with laws and regulations is the minimum. Meeting customer requirements is essential. Protecting the business, its employees and facilities by implementing and maintaining a mature preparedness program is no longer a luxury. There is no finish line.



Tuesday, November 27, 2018

From the National Cyber Awareness System: Major Online Ad Fraud Operation

https://www.us-cert.gov/ncas/alerts/TA18-331A



Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses.

Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Solution

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:
  • Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
  • Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
  • Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
  • Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
  • Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.


Monday, November 19, 2018

Practical Tips for Continuity Planning

Don Schmidt presented “Practical Tips for Continuity Planning: From Impact Analysis to Executable Strategies and Plans” to the Safe+Ready Institute’s 2018 Virtual Summit.


Tips (and lessons learned) from decades of business continuity planning were shared including:
  • Importance of management support and identifying who needs to be involved in the planning process
  • Planning Scope, Assumptions, Limitations, and Scenarios
  • Tools & Techniques for Business Impact Analysis (BIA)
  • Risk Assessment: It’s not just for emergency planning
  • Continuity Strategies: Focus on Priorities
  • Resources, Resources, Resources
  • Continuity Plan: Putting it all together
  • Incident Management: Concept of Operations
  • Training, Testing & Exercises
  • Program Development Resources

The presentation can be viewed here, and the recorded webinar can be viewed on the Safe+Ready Institute’s website here. While you’re visiting the Preparedness, LLC website, be sure to check out the program development resources and Preparedness Bulletins.

Thursday, November 1, 2018

Suspicious Packages


Over the past week, U.S. politicians, high profile individuals, and CNN were targeted with suspicious packages/letters at their homes or places of business. These packages, each appearing to contain a bomb, were a coordinated attempt to spread fear, injure the intended recipients, and cause destruction. Since the days of the "Unabomber" in 1978 and the anthrax-containing letters sent to members of Congress in 2001, the potential dangers of threats perpetrated by mail have been realized.

What is a suspicious item? 

A suspicious item is any article (e.g., package, envelope, bag, vehicle, etc.) that is reasonably believed to contain explosives, an improvised explosive device (IED), or other hazardous material that requires a bomb technician and/or specialized equipment to further evaluate it. Examples that could indicate a bomb include unexplainable wires or electronics, other visible bomb-like components and unusual sounds, vapors, mists or odors.

Anything that is Hidden, Obviously suspicious, and not Typical (HOT) should be deemed suspicious. In addition, potential indicators for a bomb are threats, placement, and proximity of the item to people and valuable assets.

The term Improvised Explosive Device (IED) has long been associated with war, but easy access to instructions and ingredients has resulted in numerous incidents involving the use of IEDs in the United States. IED attacks remain the primary tactic for terrorists seeking a relatively uncomplicated, inexpensive means for inflicting mass casualties and maximum damage. A series of bombings in Seaside Park, NJ and New York City in September, 2016 targeted a charity race and a Manhattan neighborhood. Unexploded devices including a pressure cooker were found at both the New Jersey and New York City bombing sites.

Differentiating Between Unattended and Suspicious

Not all unattended items are suspicious. An unattended item is an item of unknown origin and content where there are no obvious signs of being suspicious.  If not suspicious, there is no need for facility search or evacuation.
Evaluate the item using the U.S. Postal Service "Suspicious Mail" poster (below) to determine if it meets "suspicious" criteria. Consider the placement of the package and its proximity to people and valuable assets and the current threat environment. Consider the following factors:
  • Was any suspicious activity reported when the package was left or discovered?
  • Have any threats to the receiving organization or similar organizations been reported?
  • Is the unattended package or bag consistent with those normally expected to be found in the building?
  • Does the unattended package or bag have any external indicators consistent with a suspicious package?
If the package is not considered an immediate threat to health or safety, record the name and address of the addressee and sender; post office codes, stamps, and cancellation date; and any other markings or labels. Contact the addressee to determine if the package was expected.


Figure 1. Suspicious Mail Poster 84 (U.S. Postal Service)

Emergency Response to Suspicious Packages

If a package is deemed "suspicious," the following action should be taken:
  • Notify security that a suspicious package has been detected. Alert everyone in adjacent areas that a suspicious letter or package has been found and direct them to clear the area. 
  • If the suspicious item is believed to be a bomb, evacuate the building. 
  • Anyone in contact with any powder or substance believed to have been released from the package should seek decontamination immediately and should segregate from others not exposed. Shut down the building's ventilation system if shutdown can be done safely.
If the package is not deemed an immediate threat to health or safety, document the reasons for identifying the package as suspicious. Without making direct contact with the suspicious item, record all available information from all sides, including the name and address of the addressee and sender; post office codes, stamps, and cancellation date; any other markings or labels found on the item; and any other peculiarities (stains, tears, tape, flaps not glued). If possible, photograph the item from all sides without moving it. Contact the addressee to determine if the package was expected.

If the package cannot be verified as legitimate within a reasonable period, notify police.


Emergency operations plans should include instructions for employees as well as those responsible for managing emergencies. Procedures should be clear and concise and align with your organization's incident management system. Figure 2 is an example from Preparedness, LLC's flowchart-based emergency operations plans. Flowcharts, hazard precautions, and defined roles and responsibilities are compiled in hard-copy and digital format with hyperlinks for quick navigation to all related guidance.


Figure 2. Emergency procedures flowchart from Preparedness, LLC's emergency operations plan.



Wednesday, September 26, 2018

National Preparedness Month

 

September is National Preparedness Month

National Preparedness Month serves as an annual reminder to review your organization's preparedness program: loss prevention and hazard mitigation, emergency preparedness, business continuity, information technology disaster recovery, and crisis management including crisis communication.

 

Ten Critical Preparedness Program Elements

 

1. Program Management: Senior management commitment, direction and support are critical for any program. Management must have a clear understanding of risk, identify/confirm preparedness priorities, ensure that adequate and capable resources are available, and ensure the program can be executed on a moment's notice. Those vested with the authority for all aspects of the program must also have the knowledge, skills and abilities to undertake this task.

 

2. Risk Assessment:  Understanding hazard, operational, and reputation risk is essential to plan loss prevention, hazard mitigation, response and recovery efforts. A comprehensive risk assessment should identify hazards, their potential magnitudes, assets at risk and their vulnerabilities, and potential impacts on people, property, business operations, the environment, and your reputation and relationships.  Comprehensive guidance is provided in our Preparedness Bulletin: Risk Assessment.

 

3. Business Impact Analysis: Prioritizing business processes by revenue, profit, or importance to the organization's mission helps define the scope of business continuity planning. Costs and impacts on customers, along with identification of the people, facilities, systems, equipment, technologies, information, and supply chain required to execute priority processes, define the requirements for continuity strategies. Guidance is offered in our Preparedness Bulletins Business Impact Analysis as well as Supply Chain Risk.

 

4. Resource Needs Assessment: AEDs, emergency generators, alerting, warning and communications systems are examples of resources. People are your most important resource. Information gleaned from the risk assessment and business impact analysis, regulations, and decisions about the level of response and recovery time for priority operations should help define resource needs. Without adequate resources, response and recovery efforts will be delayed or may fail.


5. Prevention & Mitigation: A fire that is quickly detected and suppressed by automatic systems should not jeopardize life safety and should minimize business interruption. Multiple, protected connections to internet service providers that enter the property and building from opposite directions can provide high availability of connectivity to applications and data in the cloud. 

 

Prevention and mitigation begin with land use planning, building and process design and protection, and validation of proper installation. Safety, including physical, operational, and information security, and environmental protection programs are essential. Ongoing inspections, testing, maintenance, and training of these systems are critical to maintain up-time and minimize failure and downtime. 


6. Emergency Preparedness: Emergency preparedness requirements vary based on location, type and size of building, hazards within or on-site, and many other factors and variables. Different threats or hazards require different capabilities. Protective actions for life safety (e.g., evacuation, sheltering, lockdown, and "run, hide, fight") vary based on the nature and location of the threat or hazard. Determining whether it is necessary to organize and train teams for medical response, firefighting, and hazardous materials response depends on regulations, severity of the threat or hazard, and the availability, capability and response time of assistance. Read Preparedness Bulletin: Protective Actions for Life Safety.


7. Business Continuity: Does your business continuity plan prioritize the recovery of your business processes? Are the resources required for executing continuity strategies available when needed, and will they support the strategy to the extent needed? Does the plan define strategies for prompt reporting of an incident, alerting of team members, declaring a "disaster," and executing the plan at any time, day or night? Are there manual workarounds to be employed when technology fails? Guidance on these issues is provided in Preparedness Bulletin: Business Impact Analysis.


8. Information Technology Disaster Recovery Planning: Is all vital information backed up? Are employees complying with your information security policy? IT disaster recovery planning begins with ensuring all vital records are backed up and restorable in the event the facility is destroyed. Vulnerabilities and potential failures of computing and information backup strategies should be assessed. Physical protection and security of server rooms, equipment, and information is essential. Protection of infrastructure supporting server rooms including power, connectivity, and climate control should be commensurate with the importance of the technology to the organization's mission. 


9. Crisis Management and Crisis Communications: A crisis is a low frequency, high impact situation with many potential causes: a physical incident at a site, allegation, employment practices, product or service issue, criminal activity, information security breach, geopolitical events, or litigation. A crisis has the potential to cause very significant impacts on the corporation, its security, financial standing, reputation, and relationships with stakeholders. Are processes in place to identify and report issues that surface as well as events that occur? What are the potential issues and what are the current and potential impacts on stakeholders? Who constitutes the crisis management team? How will the crisis be managed, including the execution of communications strategies?


10. Testing, Training & Exercises: If a major incident were to occur, would employees know how to protect their own safety? Would team members be able to carry out their assigned responsibilities? Would the resources and procedures for continuity and recovery work? Testing of continuity and recovery strategies for IT and business processes as well as testing of any physical resource (e.g., a generator) is essential to ensure reliability in time of need. Basic training for all employees to protect their safety and security as well as protect the organization and its physical, digital, and intellectual property is essential today. Every team member needs training so they can execute their job on the emergency, continuity, or crisis management team. Exercises are needed to evaluate plans and capabilities, and familiarize those responsible for executing the plan.

 

Help make your organization more resilient: conduct a self-assessment of your preparedness program using our Comprehensive Self-Assessment Checklist.

This checklist is based on NFPA 1600, our National Preparedness Standard, and references important regulations.

 

 

Be sure to check out the hundreds of curated links to preparedness resources provided on our Resources Page.