Frequently asked questions

Business resilience and continuity

What is a Business Continuity Plan?
A Business Continuity Plan (BCP) is a primary set of instructions of what to do, and when to do it, when declaring an incident. It should contain important named contacts, both internal and external, including telephone numbers, email addresses and job functions. It should also set out clear roles, responsibilities and a list of a series of actions which will ensure that key business activities continue in the most difficult circumstances. There should be paper copies available which are stored in more than one location, together with any emergency supplies such as torches, spare cash, building diagrams and local maps. The BCP is prepared after reviewing the company strategy relating to crises and disasters and after carrying out a risk assessment.

How does a business continuity plan differ from a disaster recovery plan?
A disaster recovery plan traditionally refers to IT recovery of data and related operational aspects, while a business continuity plan details all of the important activities need to keep the business running. It should include processes to keep disruption to customers, suppliers and employees, to a minimum and show how to bring the business back to full operation within a given timescale. Depending on how complex your BCP is, it may also contain disaster recovery and business resilience information.

What type of incidents are usually covered in business continuity management (BCM)?
An incident or crisis can threaten the survival of a business at any time. The most likely incidents to plan for include:
severe weather and transport disruption | theft and vandalism | fire or flood | loss of utilities, including heat, light and power
IT system failure | restricted access to premises | long term sickness and pandemics affecting staff

How long will it take to create a business continuity plan?
This would normally depend on the size of your business or company and its complexity. A typical plan for an SME normally takes three to five days. The smaller the size of your business generally the less time it will take to create. Camtek CSI can either carry out this work for you or provide external or in-house training workshops to give you the techniques to carry this out for yourself.

How much will it cost to create a BCP?
The cost will be relatively small compared with the cost of recovering from an unpleasant crisis. The price of not planning could be a lot higher than many companies anticipate. A typical cost would be in the region of £2,500 - £5,000 for an external consultant to prepare a plan after carrying out a risk assessment. A recent Chartered Management Institute survey put the average cost of recovering from a major crisis (weather disruption due to heavy snow fall in 2013) at more than £50,000.

Is my business too small to invest in a BCP?
No, even a sole trader is advised to have systems in place to be able to recover his livelihood, in case of theft, fire, flood, IT and utility failures. Any incident, no matter how small, is capable of impacting your business profitability. If you are involved with tendering for contracts with local or central government or similiar institutions they normally require you to have a BCP as you will be in their supply chain which will in turn affect their recovery. You may also need one if you are a business that has to be compliant by legislation e.g. financial, legal and accountancy services.

But I don't think I can afford to engage someone to create a plan for me?
You should have a BCP to show that you are protecting your stakeholders, customers and suppliers against your business having to close. If you business requires statutory compliance, you may legally need one, and if you are a charity that looks after children or provides elderly care, then you owe it to your carers and end users to ensure your business can resume as soon as possible. If you are a first responder then you are required to have a BCP under the Civil Contingencies Act (2004). The Companies Act (2006) requires all company directors to exercise reasonable care, skill and due-diligence in managing their company. If you wish to prepare a plan you should seek advice as to the minimum items you should cover in such a plan. Important areas to consider include recovery of IT, facilities and utilities as well as the need for a temporary workplace for your key staff.

A copy of this is available in pdf form
from this link.


Malware definitions

Personal computers, Macs, smart phones and tablets, running various operating systems are all vulnerable to a variety of malicious software programmes often known as malware. This is the reason your computer should be protected with the latest software patches, operating system updates and have anti-virus software which is up-to-date and not time expired. Malware examples are:
                                   •   Viruses
                                   •   Macro viruses embedded in software such as Microsoft Word and Excel | Boot sector viruses | Scripted viruses - including batch files, windows
                                       shell modifications, Java and others
                                   •  Key-loggers
                                   •  Malware that is designed to steel passwords
                                   •  Trojans
                                   •  Worms
                                   •  Backdoor Trojans
                                   •  Spyware and Adware

Computer viruses - are types of malicious code that can replicate themselves and spread from file to file, computer to computer, over networks, from USB drives and other flash drives such as the one you may have in your digital camera. The longer the virus remains the more damage it can do and it will continue to spread and infect anything connected to it. These types of viruses can infect your email programme and contacts list and send information to contacts in your list and send emails that replicate the virus and send it into the wild.

A worm is a malicious programme that replicates itself but does not infect other files. Once installed it finds ways of spreading to other computers. A worm exists as a separate entity while a virus adds code to an existing file.

A Trojan ( as in Trojan Horse from Greek mythology), is a programme that pretends it's a legitimate piece of software - but when launched will perform a harmful action. They do not spread by themselves but are installed secretly and deliver a malicious payload without the users knowledge. Criminals use many forms of Trojan to perform specific functions such as: backdoor Trojans including key-loggers, Trojan spies, password stealing Trojans and Trojan proxies - that convert your computer into a spam generating device.

A key-logger is a programme that is installed maliciously onto your computer and can record what key strokes you type and can obtain passwords and other confidential data. They can through the use of a backdoor Trojan send this information to a remote site. These may be contained within emails often purporting to be from banks and credit card companies.

What is spyware?
This is a piece of software designed to collect data and send it to a third party without your knowledge or permission, quite often it will incorporate a key-logger, harvest your email addresses and track your internet use. It can also use up processor power and slow your computer down. Sometimes it is malicious other times it's a piece of software incorporated into a legitimate programme to gather information about how you use the product.

What is adware?
These programmes, which may be incorporated into software, either stand-alone or part of a 'toolbar', will launch adverts such as pop-up banners and redirect you to promotional websites. Often they are downloaded with free software - shareware and they may be installed on to your computer without your knowledge. They can be associated with Trojans and browser hijackers. You are susceptable if you do not have the latest software updates and if your internet browser is out of date. Do not allow programmes to install their own custom tool bars - always use the custom install option if available, when installing the software, rather than the default install option.

What is a rootkit?
This is malicious code that installs itself stealthily and cannot normally be seen. They are often used to hide Trojan activity. Most people log on to their computers using 'administration rights' which helps rootkits to install.

What is a 'drive-by exploit'?
This is when you visit a website that has been infected by malicious code, you just need to visit the site and take no other action in order for your computer to become infected. Cyber-criminals inject their own malicious code into unsuspecting web sites because their servers are not protected sufficiently.

What is a botnet?
This is a network of computers controlled by cyber-criminals using Trojans to infect your computer to set up a network. This will slow your computer down and allow your computer down and allow your computer to be used in a wider network. Check your router internet lights are not flashing when you are not using your network.

What is a DoS attack?
This is a denial-of-service attack. These will bring web sites down, hinder or stop their functioning because the server is bombarded with many requests in a short space of time. There are many ways of doing this, and also can be caused by a distributed denial-of-service attack which use multiple networked computers.

What is an exploit?
Defined as 'using something to one's own advantage', is a piece of software code or sequence of commands that takes advantage of vulnerability in order to cause unintended or unexpected behaviour. Such behaviour often includes trying to take control of a computer system or allowing privileged escalation.

A copy of this is available in pdf form
from this link.

Digital forensics

If I suspect something about a company computer, that it may have been misused, how do I examine it for evidence?
Firstly, get management permission to proceed, then if the device is turned off - not just hibernating or in sleep mode, then pull the power cord out, then any other connection. Bag it up if it is a laptop or wrap it up if it is a desktop and place a seal over any securing tape with the date, your name and signature on it. Lock it away in a secure place until you can consult someone with the necessary skills to advise you on how to proceed.

If the device is switched on then seek professional advice, switching it off will remove any suspect evidence that may be in memory or cache memory - dealing with a computer that is still switched on and connected to a network requires specialist help. However, you need to take a view, if company secrets are being uploaded to a third party as a fraud, you may need to disconnect it from your network - but you need to seek advice, or risk an uncertain outcome. If you need to switch the computer off, do not go through the normal shutdown proceedure but unplug it from the back - pull the lead out. Do not touch the keyboard or mouse or remove any devices connected to it. If the suspect computer is already off - do not turn it on.

Can I take a quick look to see if I can find any damming evidence?
No, do not touch it. Do not allow any internal IT staff to conduct a preliminary investigation. By accessing it you change what is happening on the PC and will damage any chances of a successful outcome if recourse to legal action is necessary.

Do you need to secure all of the equipment associated with a suspect user?
Provided the computer is switched off and disconnected, if possible any peripherial assets such as external hard drives, USB sticks, CD's and secure any backup server data. If the suspect has a company laptop, smart phone or tablet, seize that as well. You need management clearance to do this preferably at senior manager/director level.

How do I secure the (crime) scene?
Make sure you secure the crime scent and take full notes on what actions you take, inform your management chain. If you have a forensic readiness plan in force then invoke it. If a suspect has been caught-in-the-act of doing something to the company computers then you should ensure they returns any company equipment such as a laptop or mobile phone. Start an incident log to contain all actions giving name, date and time. These must be contemporaneous and if you make any mistake strike them through, do not attempt to rub any notes out or use any correcting fluid.

If we call you in, what will you do?
We will collect all the evidence and transfer it to our laboratory, examine and log the material carefully. One of the things we will do is to safely remove the hard drive and make a forensic image of the drive using write blocking techniques to ensure that the original data is not altered or changed in any way. We will use a forensic copy to analyse the information contained on the original hard drive.

These are generic answers to the most common questions that we get, they should not under any circumstances be considered advice.

A copy of this is available in pdf form
from this link.