CYBER PREPAREDNESS

THROUGH INFORMATION
SHARING

William F. Pelgrin
Krista Montie

“Without disclosure, there is no truth. Without truth,

there is no accountability.”
- Richard Thieme

The information revolution, as many have coined it, has significantly

changed our lives forever. However, the word “revolution” is badly
chosen: there wasn’t a rebellion, a revolt or an uprising. It wasn’t a
hostile takeover – well at least not for most of us. It was more of a
transformation. If we think back just a decade ago, very few of us
even knew anything about this thing called “the Internet.” The “World
Wide Web” was nothing more than a sci-fi concept to most of us. But
here we are none the less, totally connected to each other through this
technology. This “revolution” occurred over a surprisingly short span
of time and has reached astounding proportions, whose limits are not
yet realized. Who among us could have comprehended the role the
Internet would play in our lives?

This information technology transformation has had a tremendous

impact (both positive and negative) on our culture. Some of the pos-
itive impacts include faster and more efficient ways to communicate,
conduct business and provide services. The negative impacts occur
when information technology is misused and mismanaged. The
impact is not only economic, which is staggering, but also societal.
The free flow of information available via the Internet, coupled with
the perceived anonymity of Internet use, contributes to a loss of a true
sense of what is right and wrong in the digital age. At one end of the
spectrum, we live in a time when some children believe it is not only
fair, but in fact their right, to download copyrighted music and a time
1
when some teenagers believe it is a rite of passage to be a scriptkiddie.
At the other end of the spectrum, we also live in a time when we must
recognize that there may be some individuals who wish to use cyber-
space for malicious purposes. Cyber terror is no longer a hypothetical
premise. We must treat the threats as real.
IF YOU THINK YOU ARE SECURE, THEN YOU ARE NOT SAFE
However, there are those who claim that cyber security advocates are
doomsayers who delight in trying to convince us that “the sky is
falling.” Or they claim that cyber threats are nothing more than fic-
tion dreamed up by security vendors trying to instill fear in consumers
in order to sell more products. The nay-sayers point to the fact that
there hasn’t been a “Digital Pearl Harbor” and therefore cyber
terror/threats must be all hype. But remember, pre-September 11th,
most Americans would have thought the same thing about the possi-
bility of false IDs, box cutters, and airplanes being used as a weapons
of mass destruction.
For most adult Americans, we did not grow up as part of the comput-
er generation; therefore, it is hard to argue with the apparent logic of
the statement that cyber warfare is not real. Especially since for most
of us, it is difficult to understand this new world called “cyber.” Part
of the reason is because a cyber attack is so amorphous that it is dif-
ficult to put our arms—let alone our minds—around the concept. Just
think about it: we don’t know where the cyber attack will come from
– cyber knows no geographic boundary; we don’t know who will
launch the attack – it could come from a twelve year old scriptkiddie
or a terrorist; and we don’t know who or what the target will be—
home users, businesses, or governments.
The frightening thing is that in some cases we can be a victim of an
attack and never know. It used to be that hacker targets were aimed
primarily at big entities, such as large corporations and universities—
those with the large computing power. Breaking into a home user’s
PC didn’t make much sense a decade ago, since the home user’s com-
puter did not have much power, and the few users who were connect-
2 3
ed used slow, dial-up connections. In today’s environment the home
user can and does have the computing power, and high speed connec-
tions, that were once only affordable to the largest of corporations and
universities. The home user is now becoming a target for a hacker.
Compounding this vulnerability of the home user is the fact that,
unfortunately, a high percentage of home users are unprotected by
antivirus software or basic firewalls. Given the broadband connection
analogy, it is as if the lights are on in your home, the door is open, and
no one is there to protect your privacy or valuable possessions.
In addition to the vulnerability of the home user, we also need to focus
attention on the private sector, including those small businesses that
may not have the resources or expertise for enhanced cyber security
programs. Because we are all connected through cyberspace, we are
only as strong as our weakest link. We must ensure that the links are
solid in both the public and private sectors.
While we haven’t yet seen the Digital Pearl Harbor, the opening
salvos have been fired. The recent and constant rash of worms and
viruses, as well as breaches into cyber systems throughout the world,
is sobering evidence that the damage is real, and that the time for talk
is over. It is time to act. Only through true collaboration and coordi-
nation can we be successful in our efforts to achieve readiness and
resilience. Sharing is the key.
Cyber attacks can have the same devastating impact as a more tradi-
tional physical attack and are occurring at an increasing frequency.
Whether cyber incidents are man-made—intentional or inadvertent—
or a result of a natural disaster, a cyber impact to our critical infra-
structure can be devastating.
In 2003 alone, there were 137,529 cyber security incidents reported to
Carnegie Mellon CERT Coordination Center. The costs associated
with cyber incidents vary and are often difficult to measure. In the
2003 CSI/FBI Computer Crime and Security Survey, 75 percent of
survey respondents acknowledged financial losses, but only 47per-
cent could quantify the losses. The Computer Economics Institute
estimates that the worldwide financial impact of major virus attacks
alone is $13.5 billion for 2003. Others put that figure even higher.
While the number and financial impact of cyber incidents seem high,
it is really just the tip of the iceberg, as only an estimated 20percent
of all incidents get reported. What about the other 80percent? Why
weren’t they reported?
For the most part it is because we don’t share information. The culture
of cyberspace is such that if you are breached, you don’t tell. There
are fiscal, political, social, and selfish reasons not to tell.
Additionally, for those who have been the victim of a breach, myriad
emotions set in — a sense of being violated, feeling embarrassed, or
feeling guilty that it was somehow “my fault.”
The atmosphere of shameful secrecy that “I’ve been breached, but I
can’t tell anyone” has to give way to an atmosphere of sharing. This
will take a major shift in our culture. But we can’t be thwarted by the
size of our ultimate goal to be better prepared. We must build our
resilience as we go—one step at a time.
IT’S THE STARTS THAT STOP MOST PEOPLE
In order to modify this culture and effectuate true, long-reaching
change, we must build an environment of trust, collaboration and coop-
eration. It is critical that if we are going to be successful in our fight
against cyber warfare, the “white hats” have to coalesce to stay one step
ahead of the “black hats.”
The main reasons to share information are to reduce the risk of an inci-
dent to others and to respond to an incident that is occurring by mitigat-
ing its potential impact. One of the challenges in sharing information is
the need to balance the distribution of information to appropriate trust-
ed parties while at the same time keeping it out of the wrong hands.
Another key challenge is developing a trusted environment where
information flow can occur in a timely and effective manner. But even
if this conducive reporting structure is created, what do you share, to
whom, and when? There is so much information available that if
everything were shared, it would result in extreme overload.
None of us can approach cyber security in a vacuum: we simply can-
4 5
not do this alone. However, the interdependencies that draw us togeth-
er are also the things that push us apart, thereby potentially impeding
our ability to share. Fear of competitive edge, loss of confidence, loss
of market share, and concerns regarding liability are just a few artic-
ulated reasons for not sharing.
There are also legal hurdles to true information sharing. Anti-trust,
indemnification, and freedom of information laws can be problemat-
ic even where you have willing partners who want to share.
There are no clear and easy answers, but we must work collectively
to find the solutions. The worst action we could take is no action at
all. Together we can overcome the barriers. We must act now and
begin meaningful sharing. We don’t have a nanosecond to waste; we
must quickly seek out best practices and solutions and develop a
viable agenda to address the issues.
Cyber security awareness must become ingrained in each of us, and it
must become as second nature as buckling a seatbelt.
WHAT’S THE RUSH? WHY MUST WE BE SO
CONCERNED?
There are five reasons why we should be concerned about the risk
posed by cyber attacks:
•Cyber attacks can originate from anywhere;
•There is a perceived sense of anonymity;
•The technology to launch such cyber attacks is relatively
inexpensive and widely available;
•Sophisticated computer expertise is no longer necessary;
•The rate of infection is increasing exponentially; and
 •The mean time to exploit is decreasing rapidly. Regardless of where the attacks originate, or the motivation of the
originator, we must be on guard for vulnerability and risk both inter-
CYBER ATTACKS CAN ORIGINATE FROM ANYWHERE nally and externally. Internal security requirements must be estab-
lished and enforced, and our interdependencies and connections with
We don’t need to look to other parts of the world to find cyber crimi- external environments must be protected.
nals. Some studies indicate that much of the cyber attack activity orig-
inates from the United States (see figure below for one example). THERE IS A PERCEIVED SENSE OF ANONYMITY
However, the statistics may not be telling the complete story, as it is
often difficult to determine the true source of origin. Cyber incidents know no geographic boundaries. Every second,
someone is probing your network or your computer. The din is so loud
and has been so constant that cyber security experts now filter out this
noise as “expected” and concentrate on more anomalous activity. Will
Figure 1 the bar continually be raised as to what is anomalous or of concern?
Top Ten Attack Sources
Six Months Ending June 2003 While I am not aware of any supporting empirical data, I strongly
believe that because of the perceived anonymity of cyberspace, some
Rank Country Percent of Total individuals involve themselves in malicious cyber activity who would
not otherwise do so.
1 United States 51%

2 China 5% THE TECHNOLOGY REQUIRED TO LAUNCH ATTACKS IS RELATIVELY

INEXPENSIVE AND WIDELY AVAILABLE
3 Germany 5%
The tools required by hackers are readily available. A quick tour
4 South Korea 4% through the Internet reveals a plethora of hacker “starter kits” which
provide the resources needed to do damage.
5 Canada 4%

6 France 3% SOPHISTICATED COMPUTER EXPERTISE IS NO LONGER NECESSARY

7 Great Britain 2% Not only can hackers readily find the tools they need, as noted above,
but those tools are becoming increasingly easy to use. Thus, the level
8 Netherlands 2%
of sophistication of an attack that a hacker can achieve is increasing
9 Japan 2% greatly, while the knowledge required to launch these attacks is
decreasing. It’s so easy that even I could do it.
10 Italy 2%

In addition to the recognition that cyber events can originate from

anywhere, including inside our borders, one must also be as con-
cerned about the fact that malicious cyber attacks can occur from
inside an organization.

6 7

THE RATE OF INFECTION IS INCREASING EXPONENTIALLY
We have seen a rapid progression in the rate of worm and virus infec-
tions. In 2001, Code Red infected more than 350,000 devices in less
than fourteen hours, spanning the globe. Two years later, in January
2003, Slammer dwarfed Code Red’s rate exponentially by infecting
90percent of all vulnerable servers worldwide within ten minutes.1 In
August 2003, SoBIG.F became the fastest spreading worm, and held
this title until January 2004, when MyDoom claimed the title.
The threats—and the resulting damage—are real:
•Code Red (July 2001): Infected 359,000 devices in less
than 14 hours. It spread at a rate of 2,000 devices a minute
at its peak.2 It is estimated the worldwide cost of Code
Red was $2.62 billion.3
•NIMDA (September 2001): Infected more than 2.2 mil-
lion servers and PCs in a 24 hour period.4
8 9
•Klez (April 2002): Surfaced and was still a major threat
a year later, representing 34.3percent of all attacks world-
wide.5
•Slammer (January 2003): Affected servers running
Microsoft software that had not been updated with a patch
- issued months prior - to fix the vulnerability. Slammer
took down ATM machines for a major bank, disrupted 911
emergency services in Seattle, shut down certain systems
within Houston International Airport, hindered the opera-
tions of hundreds of thousands of computers and slowed
Internet traffic. Slammer peaked in just three minutes, at
which point it was scanning 55 million targets per second.6
•SoBig.F (August 2003): Accounted for one out of every
17 e-mail messages,7 and infected 200 million email mes-
sages across the Internet during its first week of activity.8
• MyDoom (January 2004): Accounted for approximately
one in every 12 messages.9 Approximately 20 to 30per-
cent of all worldwide emails were infected with
MyDoom10, and estimates indicate it is the most expensive
computer virus ever.11
At this rate of propagation, it becomes an ever-increasing challenge to
take evasive actions before you get hit with an infection. This situation
cries out for all of us to deploy intrusion prevention in addition to
intrusion detection.
THE MEAN TIME TO EXPLOIT IS DECREASING RAPIDLY
Not only are worms and viruses spreading at an alarming rate, the
mean time to exploit is decreasing. By the time the software patch is
released, some hacker has developed a program to take advantage of
the vulnerability. Again, as with the increased rate of propagation, the
decrease in mean time exacerbates our ability to take defensive maneu-
vers to patch or block the attack.
Mean Time to Exploit is Decreasing

Chart courtesy of P. Elias
We cannot rely on the fact that these exploits will never occur concur-
rently. Don’t forget about that one tough week in August 2003. In that
week we were hit with Lovsan,W32/MSBlaster, SoBig.F and
Welchia/ Nachi. No matter how bad that week was, we were all for-
tunate that these worms did not carry a malicious payload.
How long before we see multiple malicious attacks? Will they coin-
cide with physical attacks? Will they attempt to thwart our response
to a physical attack?
WHAT CAN WE DO TO CONTINUE TO IMPROVE
OUR PREPAREDNESS?
We are still, for the most part, in a responsive, fire-fighting mode,
reacting to problems as they occur. Clearly, the time to react is
decreasing. We need to focus resources on becoming more proactive.
This can be accomplished by the following:
•Creating stronger relationships between and among the
10
public and private sectors to facilitate true information
sharing;
•Expanding security awareness to wider audiences
including home users;
•Employing more preventative methodologies and auto-
mated technologies such as patch management tools;
•Building language into vendor contracts to enforce good
security practices;
•Expanding the use of intrusion detection and intrusion
prevention technologies;
•Employing stronger, enforceable security policies and
procedures;
•Fostering stronger relationships with software vendors to
facilitate timely notification; and
•Requiring greater responsibility of vendors to fix vulner-
abilities before they can be exploited.
The remainder of this paper will address the first bullet which, in my
opinion, is one of the most essential if we are going to be as prepared
and resilient as we collectively can be.
STRONG COLLABORATION WITH THE PRIVATE SECTOR
Because an overwhelming majority—more than 80percent—of criti-
cal infrastructure is owned or controlled by the private sector, trying
to address cyber security and critical infrastructure readiness without
including the private sector would leave us vulnerable to potential
disastrous consequences.
In New York State, our Public/Private Sector Cyber Security
Workgroup includes representatives from critical State agencies and
11
private sector companies. We have identified high-level executives
and commissioners to represent critical industry sectors, including
chemical, education/awareness, financial/economic, food, health,
public safety, telecommunications, and utilities. Additional critical
industry sectors will be included in the Workgroup as it moves for-
ward. The Workgroup is examining the current state of cyber readi-
ness throughout the entities within each sector, working to identify
and assess vulnerabilities and identify mitigation strategies. The
Workgroup meets in person quarterly and monthly via conference
call with each sector.
The Workgroup has published two reports: Cyber Security:
Protecting New York State’s Critical Infrastructure, which details
the on-going efforts in New York State to address cyber security
readiness and response, in both the public and the private sectors;
and the Best Practice Guidelines for Cyber Security Awareness
which includes a number of useful tips and practical advice, along
with links to additional information for all New Yorkers on how to
become more “cyber security aware.”
One of the next phases of the Workgroup is expanding participation
within each of the sectors to include more entities within the sector.
I invited the major stakeholders within the industry sectors to meet
with me, along with the Director of our State’s Office of Public
Security and the Workgroup Sector chairs. The goal was to discuss
the efforts of the Workgroup, identify areas for collaboration, and
engage these major stakeholders as we collectively move forward in
securing our cyber assets.
During 2003, this next level of outreach was conducted with the
Education, Financial and Telecommunications Sectors. Each of
these meetings was extremely successful. Initially, and not surpris-
ingly, some of the entities expressed concern as to how the informa-
tion they shared with the Workgroup would be handled. We engaged
in honest and straightforward dialogue with the entities, and allayed
their fears. All of the entities with whom we met expressed support
for the work we are doing in New York State through the
Workgroup, and were eager to participate in our efforts. All of the
entities we met with agreed to become involved in the Workgroup
12
and are now on the monthly sector conference calls. In addition,
these entities receive all of the cyber advisories that are distributed.
These entities will work closely with the established sector chairs
and my Office to more fully engage those critical entities to share
information and build important communication relationships. This
mutual information sharing arrangement will prove to be an invalu-
able factor in helping to ensure the readiness and resilience of New
York State’s critical infrastructure assets—both public and private.
The participation in this Workgroup has been tremendous, and the
information sharing relationship with the private sector serves to
better prepare and protect New York State.
An excellent example of information sharing between the public and
private sectors can be seen in the Telecommunications and Utilities
Sector. When a cyber advisory gets distributed to the NYS
Public/Private Sector Workgroup from the my Office, that informa-
tion gets distributed to the Utility Sector through its Sector chairs,
representing the NYS Public Service Commission (PSC), the New
York Power Authority, the New York Independent System Operator,
and Consolidated Edison. The PSC also forwards the cyber advi-
sories out to sixteen major electric, gas and electric generation enti-
ties. Some of the utilities are now asking to be placed directly on the
Public/Private Sector Advisory Distribution list because of the
tremendous value-add of getting the advisories in a timely manner.
The information gets distributed to the major telecommunications
entities, including Verizon, AT&T, Frontier and MCI.
Let’s take a closer look at how this public/private relationship with-
in New York’s Telecommunications and Utilities Sectors is working
toward the goals of enhanced cyber security preparedness.
In August 2002, the New York State Public Service Commission
(PSC) ordered major telecommunications providers and utilities that
PSC regulates to conduct third party vulnerability and risk assess-
ments. Each provider retained a consultant to assess the state of its
physical and cyber security, and the ability to prevent or respond to
acts of terrorism. Subsequently, the PSC retained a security consult-
13
ing firm to review each assessment and to ascertain whether or not the
reports were thorough and covered the scope of work determined in
the Order. In August 2003, a final overall report was issued to reca-
pitulate the state of cyber readiness of the regulated telecommunica-
tions and utility providers. Later in August 2003, the PSC directed the
same major telecommunications and utility companies to prepare
security management action plans detailing how the recommenda-
tions of the final report would be effectuated.
The Department of Public Service Office of Utility Security, estab-
lished in mid 2003 by the Public Service Commission, has been
tasked to review the security reports and following action plans, and
to verify that each provider is following the recommendations made
for improvement in cyber aspects of readiness, as well as adhering to
industry best practices for security, or is formulating definitive plans
to do so.
The Office of Utility Security will act as a liaison to the telecommu-
nications providers and utilities, maintaining continuous outreach to
assist in addressing the ever-increasing demands of security readi-
ness. Beyond its responsibility to enhance security through its regu-
latory oversight responsibility, the Office will undertake a broadly
proactive role in strengthening security. Through close coordination
and partnership with federal and other state security and public safe-
ty agencies, the Department of Public Service Office of Utility
Security is providing a uniquely focused perspective on the informa-
tion sharing needs required by the current threat situations.
Interacting on a daily basis with security personnel at the State’s ener-
gy and communications utilities, the staff of the Office of Utility
Security is working toward implementation and maintenance of the
highest practicable security standards and practices.
This task will be realized by providing a balance of education, threat
awareness briefings, advocacy, technical guidance, as well as tradi-
tional monitoring and inspection.
2003 brought a major event that has further prompted the scrutiny of
cyber security in New York’s energy infrastructure – the blackout in
14
August. On August 20, 2003, the PSC initiated a formal inquiry into
the circumstances surrounding the electrical blackout of August 14.
In the course of this inquiry the Office of Utility Security has been
reviewing actions and policies at the utilities to determine the extent
to which information systems failures may have played a role in exac-
erbating the spread of the blackout in New York, or added delay to the
recovery from it.
Out of this inquiry we will acquire a better understanding of the ade-
quacy of cyber security systems that could prove useful in preventing
or thwarting an attempted malicious act against the power grid. The
realization of the need for the expanded focus on cyber security in the
energy and telecommunications industries is evident. The northeast
electric blackout served to underscore what we already understand –
that our energy generation and transmission grid is increasingly
dependent on reliable cyber systems, and that our telecom networks
are at the heart of the accelerating interdependency of all our critical
infrastructures. In 2004, some telecommunications providers have
expressed interest in sharing best practices in cyber security with
providers across industry lines, specifically with the energy providers.
All companies are making stronger efforts in enhancing their security
posture by including more vigorous employee awareness programs,
understanding that the first line of defense is circumspect and atten-
tive personnel.
STRONG COLLABORATION WITH OTHER STATES
Another key initiative underway in New York State is the coordina-
tion of a Multi-State Information Sharing and Analysis Center (MS-
ISAC). The MS-ISAC currently includes participation from forty-
nine states and the District of Columbia. Because cyber incidents
know no geographic boundaries, the MS-ISAC is critical to fostering
communication and information sharing among all states regarding
cyber and critical infrastructure readiness and response efforts. By
being aware of what is occurring outside New York State which may
potentially impact the State, we will be better prepared.
The MS-ISAC members meet monthly via teleconference to discuss
security issues and share information from a cyber perspective. The
15
MS-ISAC is working toward the adoption of a common cyber alert
level protocol and incident reporting process. The Multi-State ISAC
has conducted five incident reporting exercises, two of which includ-
ed reporting the impact of the Blaster and MyDoom.
New York State, in its coordination of the Multi-State ISAC, is work-
ing to develop strong relationships with the private sector on a nation-
al level. For example, we’ve developed a collaborative relationship
with Microsoft to facilitate better information sharing between
Microsoft and the State of New York. Microsoft readily agreed to our
invitation to participate in the August 2003 Multi-State ISAC confer-
ence call to discuss the recent Microsoft vulnerabilities occurring at
the time and hear concerns from the States. The White House and
Department of Homeland Security, along with approximately 40
states, participated in this call.
Microsoft has invited the Multi-State ISAC to participate in its
monthly teleconference calls. These calls are held after security bul-
letins are released and are designed to give experts access to
Microsoft developers who understand the vulnerability and the patch.
This represents a tremendous step forward in helping the States better
prepare against future cyber attacks.
Through the MS-ISAC, we are also reaching out to build relationships
with the private ISACs. In 2003, an introductory letter was forward-
ed to the chairs of the major national ISACs on behalf of the MS-
ISAC members, to inform them of the MS-ISAC’s existence and
objectives, and to request that the private ISACs consider developing
a relationship with the MS-ISAC.
As the majority of critical infrastructure assets are maintained in the
private sector, the benefit to each of the states in this information shar-
ing arrangement is clear. The benefit to the private ISACs is that the
Multi-State ISAC can serve as a coordinated point of contact with
them, and the entities within it, in dealing with the states. One of our
goals is to share information — with the Multi-State ISAC providing
information, as appropriate, to the private ISACs, and vice versa.
The response from the ISACs has been tremendous. In January 2004,
16
the MS-ISAC joined the National ISAC Council as a non-voting
member (liaison). Additionally, we currently send communications,
alerts, advisories and informational bulletins to several of the largest
national private ISACs, including: Telecom ISAC, Chemical ISAC,
Electric ISAC, Emergency Fire Services ISAC, IT ISAC, Surface and
Water Transportation ISAC, Water ISAC and Financial Services
ISAC.
New York State, through the Multi-State ISAC, is working collabora-
tively with the federal government in advancing the National Strategy
to Secure Cyberspace. The Department of Homeland Security supports
the MS-ISAC and participates on the monthly conference calls as well.
The MS-ISAC was recently recognized by the Department of
Homeland Security for its proactive role in bringing the states together.
CONCLUSION
It is clear that the Information Age is upon us and this new Age ush-
ers in a new era of connectivity and interdependence. This connectiv-
ity allows us to communicate in many positive ways, but also creates
a new era of challenges. In order to protect ourselves and our critical
assets, we must be aware of—and understand—the vulnerabilities and
risks, and how to protect, detect, respond and recover.
Each individual is responsible for taking security seriously. Each
individual must be totally committed and involved and set the exam-
ple in the fight against cyber threats.
Each vendor is responsible for providing more secure products, better
methodology to upgrade, and more timely notification to consumers
of vulnerabilities.
All users are responsible for understanding and employing sound
security practices. Training for each of the above-mentioned groups is
critical in order to ensure success. These practices must become part
of our culture, and ingrained in each of us
17
Strong relationships between the public and private sectors must be ENDNOTES
fostered.

We live in a digital age where we all interconnected, all mutually 1 CAIDA-the Cooperative Association for Internet Data Analysis
dependent and thus suffer the consequences of the failures of our
2 CAIDA-the Cooperative Association for Internet Data Analysis
weakest link.
3 BitDefender.com
Two key principles that we must employ in our fight against cyber 4 Computer Economics
attacks are vigilance and resilience.
5 Central Command, Inc.
Vigilance – The need for security is constant—we can never be 100 6 CAIDA-the Cooperative Association for Internet Data Analysis
percent secure. Good security is never one layer deep, rather it is 7 CNET News
multiple layers. For example, a firewall is one layer; not just good,
but strong passwords is another layer. Cyber security is a journey, not 8 The Register
a destination and the job is never finished. 9 CNET News
10 Internet Week.com
Resilience – The point is not whether you’ll be the victim of a cyber
incident, but how well you respond if you are a victim. 11 TechWeb News

While change is difficult and changing a culture is daunting we must

take the first steps. And we must remember that security is everyone’s
responsibility. You are never done.

18 19