30 August 2015

CAG 20: Red Team Exercises...

The Consensus Audit Guidelines (CAG) have been public for years and the 20 controls are vital to our enterprise business resilience. One stands out, however, because it is not automated and requires a specific, advance Operational Risk Management (ORM) strategy. CAG: Critical Control 20: Red Team Exercises:
Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they burrow deep and expand the number of systems over which they have control. Most organizations do not exercise their defenses, so they are uncertain about their capabilities and unprepared for identifying and responding to attack.
This control goes beyond traditional penetration testing, which typically has the goal of identifying vulnerabilities and showing their business risks. Red Team Exercises are exercises in the traditional sense of military exercises, where the three goals are improved readiness of the organization, better training for defensive practitioners, as well as inspection of current performance levels. Independent red teams can provide valuable objectivity regarding both the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place, and even those planned for future implementation.
We would like to emphasize the importance of executing this strategy beyond the IT and Information Systems within the organization. In any significant business disruption or "incident", whether it be the breach and theft of a database full of "Personal Identity Information" (PII) or the breach of a rear window of a corporate executive's residence to initiate a kidnapping plot, the goal remains the same:
"Attackers use tools to exploit a vulnerability; to create an action on a target, that produces an unauthorized result to obtain their objective."
Think about it for a minute. Whether it be the online digital world or the offline physical environment your organization is operating in today, someone is probing and testing your vulnerabilities. The only possible way for you to discover them before your adversary does is to continuously attack your own business and its assets. And, possibly most importantly, it must be done on a clandestine basis:
clandestine from L. clandestinus "secret, hidden," from clam "secretly," from base of celare "to hide"
What value can be gained from exercises or testing that is conducted with advance warning to your staff or team? Very little. To execute the "Red Cell" approach, to effectively improve and increase the resilience of your organization, the strategy execution must remain secret. Yes, of course there will be people placed throughout the organization, in key areas, who know that the exercise or attack on the organization is a planned exercise. However, that is only for safety and liability purposes, along with the potential injection of simulations that increase the effectiveness of the vulnerability testing.

The CAG has 20 controls that are focused on Cyber Defense, and many of these will require manual intervention, planning and effective oversight. Automated tools can only go so far in addressing the real goal of understanding human behavior during and after a "Real Incident" actually unfolds. In the context of using a Red Team exercise, you must include the use of Gavin De Becker's "Elements of Prediction" with your employees and stakeholders:
1. Measurability - How measurable is the outcome you seek to predict?
2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?
3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?
4. Context - Is the context of the situation clear to the person making the prediction?
5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?
6. Experience - Does the person making the prediction have experience with the specific topic involved?
7. Comparable Events - Can you study or consider outcomes that are comparable, though not necessarily identical, to the one being predicted?
8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?
9. Investment - To what degree is the person making the prediction invested in the outcome?
10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?
11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?
This is how and where you extend your physical controls to the actual people, who will make the difference before and during a critical incident in your enterprise.  Revisit the Consensus Audit Guidelines (CAG) for your enterprise.  It just might help you find that one place where the continuity of the business is at risk after a significant disruption or the one threat that still is hiding in the shadows.

23 August 2015

Legal Risk: The Insider Threat from Outside Counsel...

What will the "New Normal" be for the United States in the era of increased scrutiny on privacy law, civil liberties and the continuous quest for the security of the Homeland?  Operational Risk Management (ORM) professionals are ever more focused on "Information Operations" and counterintelligence functions while simultaneously working side-by-side, with their own General Counsel.  The laws in each state are changing and being updated as the Federal legislation stalemate continues:
Connecticut Updates its Data Security Laws, Imposing Stringent New Requirements By Ellen Moskowitz on July 15th, 2015 Posted in Legislation

On June 30, 2015, the Governor of Connecticut signed into law S.B. 949, “An Act Improving Data Security and Agency Effectiveness.”[1] The new law updates Connecticut’s data security laws, including by adding a 90-day hard deadline for data breach reporting, requiring companies in some cases to offer data breach victims a year of free identity theft prevention services, imposing new and specific data security program requirements on health insurance companies and other entities subject to Insurance Department regulation, and requiring state agencies to impose certain detailed security requirements on state contractors that maintain personal information. With a near constant stream of data breaches affecting entities from health insurers to retail giants to the government, the law responds to growing fears of data security.

Under the new law, beginning October 1, 2015, a data breach will require any person or entity conducting business in Connecticut to give notice “without unreasonable delay,” but now no later than 90 days after discovery of the breach, to state residents whose personal information was breached or reasonably believed to have been breached. The Connecticut Attorney General stated in a press release that 90 days is an “outside limit” that does not diminish his discretion to take action against entities who “unduly delay” notification.[2] Importantly, the law also requires the provision of at least twelve months of free identity theft prevention and mitigation services, but only in cases where Social Security numbers are breached or reasonably believed to have been breached.
If you happen to be concerned about the "Insider Threat" within your enterprise, then you realize the importance of creating the foundations for a sound legal framework: one that addresses the rules that must be followed and the protocols for building trust with key corporate partners.  This includes the outside counsel that your enterprise engages with on an annual basis.

So what legal duty of care do your retained outside counsel have to secure your information?  What do they have in the environments that they operate in that may cause additional legal risks for your enterprise?  Do they understand the difference between information security and confidentiality?

First-tier supply chain partners such as outside counsel are no different than the cloud provider or the HVAC contractor that may have access to the corporate network.  So what is the root cause of substantial intellectual property theft and industrial espionage targeting law firms?  Failing to understand the vast landscape of "Operational Risk."  This includes negligent conduct and intentional misconduct.  So what can you do now to improve the outcomes of managing the legal risks of "Outside Counsel"?

Start a Dialogue:  Request a commitment to review the privacy vs. security environment of the key retained firms who provide the outside legal work for the enterprise.  Provide a case example of your corporate information security structure and priorities.

Ask Questions:  The whole spectrum of information security deserves a deep dive in the dialogue on managing digital information, making effective "Trust Decisions" and addressing eDiscovery and Records Management questions.

Team Together:  What if you worked with your outside firm to create a solution that included a collaborative design, prioritized execution, insisted upon cooperative feedback and ensured continuous improvement?  Get your legal teams to train together with your CISO and CIO security teams.

Revise the Engagement Letter:  The contracting language must include the nuances of information security, privacy controls and an informative strategic plan for the inevitable point in time when there is a data breach at your outside counsel.  More here:
As Willie Sutton supposedly said, he robbed banks “because that’s where the money is.”  That also explains why law firms and lawyers are increasingly the targets of cyber-intrusion, particularly phishing scams.  Apparently, phishing in legal waters can yield a full net of stolen information.

“Most likely” to take the bait
Verizon’s 2015 Data Breach Investigations Report has found that a company’s legal department is among the ones that are “far more likely to actually open [a phishing] e-mail than all other departments.”

In case you’ve been living under a rock, “phishing” is the attempt to obtain sensitive information fraudulently by means of a deceptive electronic communication that appears to come from a trustworthy source.  (Some link the term to the indie rock group Phish, but according to Computerworld magazine, the term was coined around 1996, with the obvious analogy to the sport of angling using a lure.  Under that view, the “ph” is a nod to an old form of telephone hacking known as “phone phreaking.”)

Shockingly, Verizon found that 23 percent of recipients open phishing messages, and 11 percent click on the fatal attachments.

16 August 2015

Decision Advantage: Operational Risk Strategic Vision...

When the Board of Directors asks for a report on the Operational Risk Strategic Vision for the enterprise, will you have it ready?  The execution of strategy with the discipline of Operational Risk Management (ORM) requires a look "Over-the-Horizon" (OTH).  Why?

You have to realize the pace at which technologies are advancing.  You have to realize how your competitors are creating a decision advantage.  How will you apply the use of new data science, advanced hardware and software capabilities to augment your Human Capital, or to replace Human Cognition?  So what are some of the categories that you should be researching, testing and implementing?  New strategic systems to secure, protect and improve the situational awareness or resilience of your organization?

Many of the areas you will need to address have to do with enhanced processing and management of data from disparate places:
  • Coping with Scale - Advanced Analytics
  • Very Large Dataset - 4D Visualization
  • Data Standards and Governance - Sensor Priority Processing, Optimized Data Movement
Bringing tools to the data, data trust and provenance tracking are a subset of governance.  Machine translation and wire-speed language recognition are subsets of a multilingual textual data processing platform.

So what?  Why is all of this innovation required in the modern Operational Risk domain, and why is it so important?  The simple answer is international competition from your adversaries.  Dynamic, smart metadata, metadata relationships and data that finds the analyst are challenging areas today.  Natural language processing techniques and wire-speed data tagging are vital.

"Data Mining will bring us "Cyber Situational Awareness", "Human-Assisted Machine Learning" and "Pattern of Life modeling".  Decision and intelligence advantage is the key to many of these strategic initiatives."

Again, from a business perspective, so what?  If your organization is in the Information Technology Sector, then of course you understand that the competition is tough and your new advanced VM and/or shiny systems "Box" does need to stand out, with its unique features and differentiators in the marketplace.  It must have some value proposition to the customers that few or no one else can provide at the moment.  Otherwise, why would you spend the money on educating the market, writing a check to Gartner, advertising, sales and business development?  Right?

The Board of Directors today might just understand the concept of "Decision Advantage."  What if you went to the next meeting of the outside directors and provided a narrative and presentation on "Decision Advantage"?  You want them to authorize the substantial budget for your own Operational Risk R&D.  You are asking them to invest in the future risk mitigation of the enterprise, which they have a fiduciary responsibility to safeguard for the shareholders.

You see, you are way behind the international competition.  When you view this visual of the current state of play going on this hour, this minute and this second, you really don't have the time to waste on authorizing more resources to address many of the areas previously discussed here.  The future of your enterprise and the livelihood of your country is at stake.

The Research & Development (R&D) budgets for Operational Risk Strategy execution are tremendous.  Add it all up.  The question is, how effective is it for the enterprise to spend risk management and mitigation funds in each individual department of IT, HR, Marketing, Sales, Finance and Facilities, without a complete understanding and vision of how the spectrum of risks, threats and mitigations are all interconnected, and of what tools, processes or technology are actually interdependent?

When something such as Enterprise Risk Management or even National Security is so mutually dependent, you have to ask the Board of Directors to pause and to require the Operational Risk Strategic Vision.  Once completed, you will see what new technologies to invest in for your total budget of Research & Development funds, and where to spend it.

Perhaps the most important reason for this vision is also to ensure your "Intelligence Advantage"...

09 August 2015

Leadership: Adaptive Risk for an Uncertain Future...

As the political season in the U.S. starts earlier and earlier each four-year cycle, the question from the rest of the world remains consistent.  Will America lead the Cyber cold war in the next four years?  Operational Risk Management (ORM) is a necessary and vital component of any mission or project, from the Situation Room, inside your company, on the flight deck or on the front lines of conflict-torn regions of the Sahel.

Transnational Organized Crime (TOC) and their proxies are constantly waging new malware campaigns on our global economic and intellectual property ecosystems, utilizing sophisticated new toolkits.  There are three key attributes to modern-day "Threat Intelligence", and Eric Olson from Cyveillance explains:

1. Relevance – The information must relate to, or at least potentially relate to, your enterprise, industry, networks, and/or objectives

2. Actionable – It must be specific enough to prompt some response, change, action or decision, or to dictate an explicit and informed decision not to act

3. Value – Even if relevant and actionable, if the data (and the action) does not contribute to any useful business outcome, there is no value

When threat activity, known actors, historical tactics, or attack information can be combined with vulnerabilities, activity data, or other particulars present in your network and environment, then the information becomes relevant, actionable intelligence.

As a leader in the private sector, the waves of globalization and regulatory mandates keep you striving for the entrepreneurial spirit, yet constantly constrained by new rule-sets and compliance initiatives.  Mitigating risks to the enterprise requires leadership that can span the visions of an environment with creativity and, simultaneously, the spirit of autonomy.  Modern-day risk management is not only a leadership challenge; it is also a cultural challenge.  How do I get my people to think like a true entrepreneur and simultaneously provide them with the skills and knowledge they will need to survive in a hostile environment?
  • First off, you have no doubt heard somewhere along the way that High Performing Teams are the way to accomplish new fixes to software code or even to ensure the last mile of due diligence to get the leveraged buy-out to become a reality.  These High Performing Teams must be diverse, and they need to have the time to cross-train each other in the specific skill sets necessary to fulfill the desired outcomes.  If one person comes down with the flu or worse, you may be the one who has to fill in and pick up the slack.
  • Second, the cultural mindset shift must take place to become continuously adaptive.  Being adaptive means that you have to be able to incorporate both readiness and resilience in the same effort.  Making decisions that are rapid, without time for formal planning, is foreign to some on the team.  You have got to get everyone to be as adaptive as the designated leader, because they will not always be there to tell you or show you what to do next.
  • Finally, leadership decisions on the floor of the exchange, in the EOC or sitting across the table from your newest prospective client mean that you have got to practice.  This capability calls for you to continuously train, experience the emotions and see the results of your actions.  Good and bad.  These skills are perishable and require a tremendous investment in time and resources to make sure that the risks of failure are mitigated almost to zero.
What are you willing and able to do, to lead America in 2015 and beyond?  Think service before self-interest and you will be leading beyond the risks of an uncertain future for yourself and our country.

02 August 2015

Trusting Women: The Future of Irregular Warfare...

The economic engine of successful countries and of the single-family household is typically the result of a dedicated and conscientious woman.  If your organization is planning to be more resilient and capable of continued growth, then make sure you have women in the most strategic Operational Risk Management (ORM) roles possible.

You may already understand why, and there is continuing evidence that men are just not the ideal person to be in certain positions of decision-making and other skilled business professions of the future.  The stories and the examples flow from the most clandestine and remote regions of Africa to the valley associated with Silicon.

Women are now breaking through new barriers in all types of roles and in places where traditionally they have been forbidden.  Here is just one example of a trend that will grow rapidly, from Dan Lamothe at the Washington Post:
Only the swamps of Florida stand between two female soldiers becoming the first women to ever graduate from the Army’s famously difficult Ranger School.  The women have completed the school’s Mountain Phase, and will move on to the third and final phase of training, Army officials said Friday.

The women are attending for the first time as part of an ongoing assessment by the military about how it should better integrate women into combat roles in the military. It follows a 2013 decision by Pentagon leaders to open all jobs in the military to women by 2016.
When you really think about the future roles of the new 21st Century Army and the trends of our asymmetric threats, are not women our best strategic weapon?  Irregular warfare will be dominating most days of our human conflicts into the future, and women are well equipped to be the leaders of this trend.

Yes, there is evidence that earning the "Ranger Tab" requires physical stamina.  Simultaneously, the elite Army course requires superior problem-solving skills and adaptive intuition involving teamwork, where women excel.  Now you are starting to see why it is vital to have women on any high-performance team, whether in the Hindu Kush or on the Internet front lines of "Achieving Digital Trust" with the next generation of our youngest knowledge workers.
Irregular warfare is warfare in which one or more combatants are irregular military rather than regular forces. Guerrilla warfare is a form of irregular warfare, and so is asymmetric warfare.  Irregular warfare favors indirect and asymmetric warfare approaches, though it may employ the full range of military and other capabilities, in order to erode the adversary’s power, influence, and will. It is inherently a protracted struggle that will test the resolve of a state and its strategic partners.[1][2][3][4][5] Concepts associated with irregular warfare are older than the term itself.[6][7]
As future conflicts evolve into our pervasive digital domains and require the collection and analysis of relevant information on the front lines, women are the strategic choice.  History tells us clearly that this is the case.  It is this kind of intellect and patience for building and sustaining relationships that so many policy makers have recognized, across both public and private sector operations.

So who is just one good example?  Our future strategy must include the development of armies of women with the skills and talents of leaders like Sheryl Sandberg:
Sheryl Kara Sandberg (/ˈsændbərɡ/; born August 28, 1969)[3] is an American technology executive, activist, and author. She is the Chief Operating Officer of Facebook. In June 2012, she was elected to the board of directors by the existing board members,[4] becoming the first woman to serve on Facebook's board. Before she joined Facebook as its COO, Sandberg was Vice President of Global Online Sales and Operations at Google and was involved in launching Google's philanthropic arm Google.org. Before Google, Sandberg served as chief of staff for the United States Secretary of the Treasury.
You see, the Fortune 500 is now starting to wake up to the reality of the current state of corporate "Irregular Warfare".  The ability to erode the competition's power, influence and will is just the beginning of the conversation in creating reliable and growing shareholder value.  When you really start to evaluate the entire success of the Silicon Valley ecosystem, or even the future economic engines of unknown villages across our globe, you begin to realize how it is driven and continuously improved by the skills and superiority of women.

So what is just one good example?  Our future strategy must include the development of armies of women with the strategic foresight of Opportunity International:
Opportunity International Trust Groups help entrepreneurs break free from the limitations of poverty by promoting solidarity and maintaining accountability.  Trust Groups consist of 10-30 entrepreneurs, mostly women, who meet once a week to share personal and business advice, receive financial training, and vote on loan-related topics.  Trust Groups build a safety net by guaranteeing each other’s loans -- if one member defaults on a weekly payment, everyone else must cover the costs.  This method has led to a loan repayment rate of 98%.
Vicki Escarra joined Opportunity International in 2012 as US CEO. Previously she has led several major initiatives to create a long-term strategic plan, rebrand the organization, streamline operations and increase global fundraising by 30 percent in 2013 to expand the organization’s work around the world. Before joining Opportunity International, Escarra spent six years as president and chief executive officer of Feeding America, the nation’s largest domestic hunger relief organization. Prior to Feeding America, Escarra spent nearly 30 years at Delta Air Lines Inc., where she rose to chief marketing officer. As one of the highest-ranking women in the aviation industry at the time, she oversaw $15 billion in revenue and led a workforce of 52,000.
When you hear a woman like Vicki, Sheryl (or Cheryl) talk about providing our organizations, large and small, with the training, education and the "Trust Decisions" to create and sustain growth, you can only imagine what is really possible.  If you have ever had the lucky chance to work with a woman like these three for months or decades, you understand the multitude of advantages.  You understand the reasons why having women on every high-performance team is imperative.  You can see their outstanding results.

25 July 2015

C²: Continuous Continuity in the Enterprise...

Many enterprises today understand the myriad of potential threats to their people, processes, systems and structures. They stand to be better equipped for sustained continuity.  Business Crisis and Continuity Management (BCCM) is a dynamic change management initiative that requires dedicated resources, funding and auditing.

Certainly the largest organizations realize that the risks are taking on different forms than the standard fire, flood, earthquake and hurricane/twister scenarios. These large catastrophic external loss events have been insured against, and the premiums are substantial. What is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.
The sources of significant loss events are changing as we speak. Here are a few that should not be overlooked in your Operational Risk Management (ORM) Programs:

  • Public perception
  • Unethical dealings
  • Regulatory or civil action
  • Failure to respond to market changes
  • Failure to control industrial espionage
  • Failure to take account of widespread disease or illness among the workforce
  • Fraud
  • Exploitation of the 3rd party suppliers
  • Failure to establish a positive culture
  • Failure in post-employment process to quarantine information assets upon termination of employees
Frankly, corporate directors have their hands full helping executives manage risk and continuity on behalf of the shareholders. The risk management process will someday have as big an impact on the enterprise as other key functions, because shareholders will be asking more questions about the changing landscape of managing risk for corporate governance.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C², or “Continuous Continuity”. A one-time threat or risk assessment, or even an annual look at what has changed across the enterprise, is opening the door to a Board of Directors' worst nightmare. These nightmares are “Loss Events” that could have been prevented or mitigated altogether.

Most of the best practices talk about a BCCM plan that will be periodically updated. Periodic is not continuous. Change is the key factor here. What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as Accounts Receivable. The BCCM will become a core process of the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise. As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C², or “Continuous Continuity”.

So what? Boards of Directors have the responsibility to ensure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise. It’s the shareholders' duty to scrutinize which organizations are most adept at “Continuous Continuity” before they invest in their future.

19 July 2015

New Horizons: Commitment to the Long War...

What new technology invention or planetary event will change our way of life forever?  As the sun rises over the water, or the high-rise buildings, or the dew-filled rolling meadows, one can only wonder.  The "New Horizons" probe streaked past Pluto this week, nine years after its launch and 3 billion miles from Earth.  What other possible achievement is mankind capable of obtaining that provides new knowledge and insight about our origins and our future?

Operational Risk Management (ORM) has been at the core of the New Horizons mission from its genesis, and will be until the day the space probe stops sending us more information.  Over these past nine years, the observation and collection of data across our solar system has provided answers to so many questions as we continue our quest for discovery.

Think about that timeline for a minute.  What has your organization accomplished that requires that kind of commitment to ongoing exploration and data analysis?  How would you keep people focused on continuous learning and problem solving, to gain new understanding and perhaps more empathy in your company?  Patience is often hard to find when the boss is asking you what you have produced since yesterday.

There are tremendous challenges to keeping the mission focus in mind, even for nine years and beyond.  Maybe that is why there are term limits on some roles in public office and, as a result, elections are necessary every two or four years.  Term limits put priorities in perspective and clarify what should be accomplished first and foremost.

What if you knew when you were going to die?  You knew exactly what would happen when your life ends.  It is written.  How would your thinking change about what is important and what needs to be accomplished tomorrow?

How would you change your way of living and the vision to accomplish the promise of the future, if you did believe the stories of how it would all turn out?  Would you change the way you live your life, while you had the confidence that you would reach that promised place?  What if you had been taught this by trusted colleagues, read about it in sacred books or on the Internet, and were assured that it was attainable?  If you would only believe:
Chattanooga, Tennessee (CNN)  A day after gunman Mohammad Youssuf Abdulazeez ended the lives of four Marines and wounded three other people, hundreds in Chattanooga gathered in prayer to mourn their deaths.

There were Christians. There were Muslims. A cross-section of the Tennessee community packed Olivet Baptist Church for the Friday night vigil.

Authorities are trying to figure out why Abdulazeez -- an accomplished student, well-liked peer, mixed martial arts fighter and devout Muslim -- went on the killing spree.

U.S. Attorney Bill Killian said the shootings are being investigated as an "act of domestic terrorism," but he noted the incident has not yet been classified as terrorism.

Reinhold said there is nothing to connect the attacker to ISIS or other international terror groups. Abdulazeez was not on any U.S. databases of suspected terrorists.

He was not known to have been in trouble with the law except for a DUI arrest in April. He apparently was not active on social media -- one of the common ways police investigate terrorism.
One's mind has to flash back to the Boston Marathon bombing and the aftermath of that act of domestic terrorism in the United States.  Was this act of jihad against U.S. citizens the "promise to the future" painted by people these terrorists trusted and respected?  Was this horrific act in Chattanooga against our military just another blueprint for what our future holds for homegrown violent extremism (HVE) in America?  More on this from the New York Times:
Officials said there was no indication so far of any links to terrorist groups, leaving them to wonder how a young man with no known history of violence or radicalism turned up Thursday with several weapons, spraying bullets at Americans in uniform. Some “lone wolf” attacks have been carried out by people who had no direct contact with extremist groups, but they were influenced by messages online, like those from the Islamic State urging Muslims to take up arms and attack American military sites.

“This attack raises several questions about whether he was directed by someone or whether there’s enough propaganda out there to motivate him to do this,” said a senior American intelligence official, who spoke on the condition of anonymity because the investigation was still underway.
The Charlie Hebdo attack in Paris was again a location with meaning to the terrorist act itself, carried out by two brothers inspired by Al-Qaeda in the Arabian Peninsula (AQAP).  It was a target put on a list by people who have a long-term focus and are able to accomplish their goals, even without a nation state's resources.  The priority for any nation is to keep a long-term view on what domestic terrorism and homegrown violent extremism really mean for a local community, in any country.

What is one of the most rewarding ways to connect with the local First Responder community in your U.S. county?  Look no further than your Community Emergency Response Team (CERT) and also your nearest InfraGard chapter.  As a new "Citizen Soldier" you will need to learn new skills.  You also have to keep yourself aware of the latest natural or asymmetric threats to your particular community, whether it is a geographical city or a virtual domain in cyberspace.  You can make a difference.

"Compassion will cure more sins than condemnation”

-Henry Ward Beecher-

It means a renewed commitment to building more resilience into your community.  From the bottom up, at every family household and small business in the town, city or Metroplex.  Operational Risk Management (ORM) doesn't end when you leave your role at the workplace in the warehouse, the cubicle or the executive office of the CSO, CISO or Chief Risk Officer.

Do you remember how you felt on September 12, 2001?  That uncertainty and the feeling you had, about the welfare of your closest loved ones or neighbors.  This was the catalyst for a 14+ year battle.  Just as the "New Horizons" hurtles millions of miles past Pluto, this commitment to the "Long War" is not over, and probably never will be.

12 July 2015

Data Rupture: The Risk of Over-Classification...

As a result of the latest "data rupture" at the U.S. Office of Personnel Management (OPM), there are several Operational Risk factors to consider.  The issues that most people are focused on dwell on a lack of proper information security controls or antiquated technologies that have not kept up with the speed of the modern day asymmetric threat.

However, this is not the primary problem that needs to be resolved.  The problem definition has been discussed in the wings of government for many years.  The root of the discussion is really a personnel hiring process combined with a human resource function.  The next level of the debate has to do with the classification of information: the process by which certain types and kinds of information are classified at different levels of sensitivity.

In terms of the private sector vetting of an employee for employment vs. the government employee (contractor), it is very similar for non-executive personnel at the "Secret" level of classification.  You could leap to the analogy that once you move to an executive level in the private sector, you may be vetted more thoroughly, including more extensive looks into references, interviews with others and a deep dive into financial affairs.  This is more in line with the "Top Secret" level clearance in the government.

Call it a “data rupture”: Hack hitting OPM affects 21.5 million
Highly personal data from background clearances are a data bonanza to spies.

by Dan Goodin - Jul 9, 2015 6:10pm EDT

Last year's massive hack of the US Office of Personnel Management's security clearance system affected 21.5 million people, including 1.8 million people who didn't apply for a background investigation, officials said Thursday, making it official the breach was the worst in US government history.

The new figure includes most, if not all, of the 4.2 million people the agency previously said were exposed in a separate breach of personnel files. The much larger number resulted from the hack in June or July of last year on the system used to conduct background checks on contractors and other private sector employees, as well as federal workers. Some 1.1 million of the stolen records included applicants' fingerprints. Background checks for people applying with the Central Intelligence Agency weren't affected because that agency conducts its own security clearance investigations.
The tagging of information at the point of creation, inside the walls of the private enterprise or government, is the key problem set.  Deciding who needs this information, and why they need it to do their job, is the secondary factor.  We all need information to do our assigned jobs and tasks.  When information is tagged as "For Official Use Only", "Confidential", "Secret" or "Top Secret" in the government, there is a reason.  The classification system:
The United States government classification system is established under Executive Order 13526, the latest in a long series of executive orders on the topic.[1] Issued by President Barack Obama in 2009, Executive Order 13526 replaced earlier executive orders on the topic and modified the regulations codified to 32 C.F.R. 2001. It lays out the system of classification, declassification, and handling of national security information generated by the U.S. government and its employees and contractors, as well as information received from other governments.[2]
The desired degree of secrecy about such information is known as its sensitivity. Sensitivity is based upon a calculation of the damage to national security that the release of the information would cause. The United States has three levels of classification: Confidential, Secret, and Top Secret. Each level of classification indicates an increasing degree of sensitivity. Thus, if one holds a Top Secret security clearance, one is allowed to handle information up to the level of Top Secret, including Secret and Confidential information. If one holds a Secret clearance, one may not then handle Top Secret information, but may handle Secret and Confidential classified information.
When you work as an employee of a private company, there is a documented personnel hiring process.  The early part of the process in some cases is outsourced to recruiting agencies, just as the government uses contractors to process many of its background investigations.  In both cases, the reason is evident.  Does this person being considered for employment pose a risk to the enterprise?

The purpose of the discussion now is to look at the information: the tagging of information at its origin, whether in the private sector or government.  Who decides what sensitivity to put on the document, picture, video, spreadsheet, text, audio or other data element?  How do you keep the information viewable, readable or audible only to people with the correct level of security clearance (access controls)?  Certainly the salary levels of all employees inside a private sector company are sensitive, and only certain people have the authority and need to see this information.  The assurance of information is critical: Confidentiality, Integrity and Availability.  It is no different in the government.  So what is the common thread?
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).[1]
The failure at OPM is complex and no different than the complexity of the data breach failure at Target Corporation.  Both incidents were and are the basis for case studies in Information Security classes at the academic level.  Each has idiosyncrasies, in terms of the actual data breach methodologies and the tools used by adversaries.  So what?

One has to question the need for so many people to have "Top Secret" security clearances in the government.  When you look at the numbers it is staggering.  It almost seems that the process for hiring good people in the government made it a requirement, that someone have the ability to obtain a "Top Secret" clearance.  Even though the likelihood that this person would ever be exposed to or asked to review "Top Secret" information was low.  The failure is that so many people were required to obtain Top Secret clearances, when it was not really a factor for the job they were doing or would ever do.

Now that the "Chinese hackers" (the so called suspects) have our SSN, DOB, previous addresses, (same for family members), financial and other references in their database, time will only tell what individuals will be targeted and for what.  So for those "Chinese hackers," here is a news flash:

"NOT ALL THE PEOPLE WITH GOVERNMENT TOP SECRET CLEARANCES HAVE REVIEWED TOP SECRET INFORMATION"

This is why much of the hiring and background process that is part of the human resources systems is out of sync with the information classification process and with what someone needs to do their particular tasks in the enterprise.  The level of security clearance has unfortunately become a badge of acceptance and of perceived importance.  Just look at the number of LinkedIn profiles today where someone openly declares their "particular level of security clearance" with the government.  Why do people do this?
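To make the point concrete, here is an added example (not code from the original post or from any government system) of what tagging at origin and a need-to-know check look like in code. It assumes the three-level scheme quoted above plus an UNCLASSIFIED floor; the compartment tag "PROJECT-X", the subjects, the documents and the access log are all constructed for illustration. The second function audits an access log to find subjects whose clearance exceeds anything they actually read, which is the "news flash" above in measurable form.

```python
"""Tagging information at origin and checking access: an added example.

Assumptions (not from the page): the need-to-know tag "PROJECT-X", the
subject names and the documents below are constructed for illustration.
"""
from dataclasses import dataclass

# Ordered least to most sensitive; position in the tuple is the dominance order.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")


@dataclass(frozen=True)
class Label:
    """Sensitivity tag fixed on an object at the point of creation."""
    level: str
    need_to_know: frozenset = frozenset()  # hypothetical compartment tags


@dataclass(frozen=True)
class Subject:
    """A person with a clearance level and the need-to-know tags granted to them."""
    name: str
    clearance: str
    need_to_know: frozenset = frozenset()


def rank(level: str) -> int:
    """Numeric sensitivity; rejects levels the classification system does not define."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level!r}")
    return LEVELS.index(level)


def dominates(clearance: str, level: str) -> bool:
    """Read-down rule: a clearance covers its own level and every lower one."""
    return rank(clearance) >= rank(level)


def may_read(subject: Subject, label: Label) -> bool:
    """Clearance alone is not enough: the subject must also hold every
    need-to-know tag the object carries (access control on the tag, not the badge)."""
    return dominates(subject.clearance, label.level) and label.need_to_know <= subject.need_to_know


def over_cleared(subjects, access_log):
    """Subjects whose clearance is higher than anything they actually read.

    access_log is a list of (subject name, Label) pairs for successful reads.
    A subject with no reads at all is treated as having read only UNCLASSIFIED.
    Returns sorted (name, clearance, highest level read) tuples.
    """
    highest = {}
    for name, label in access_log:
        if name not in highest or rank(label.level) > rank(highest[name]):
            highest[name] = label.level
    result = []
    for s in subjects:
        used = highest.get(s.name, "UNCLASSIFIED")
        if rank(s.clearance) > rank(used):
            result.append((s.name, s.clearance, used))
    return sorted(result)


# Constructed demonstration data (not real people or documents).
ALICE = Subject("alice", "TOP SECRET", frozenset({"PROJECT-X"}))
BOB = Subject("bob", "TOP SECRET")
CAROL = Subject("carol", "SECRET", frozenset({"PROJECT-X"}))
PROJECT_PLAN = Label("TOP SECRET", frozenset({"PROJECT-X"}))
BUDGET = Label("SECRET")
MEMO = Label("CONFIDENTIAL")


def demo():
    """Run the checks on the constructed data and report who is over-cleared."""
    decisions = {
        ("alice", "project_plan"): may_read(ALICE, PROJECT_PLAN),  # True: level and tag
        ("bob", "project_plan"): may_read(BOB, PROJECT_PLAN),      # False: lacks the tag
        ("carol", "project_plan"): may_read(CAROL, PROJECT_PLAN),  # False: lacks the level
        ("carol", "budget"): may_read(CAROL, BUDGET),              # True: SECRET reads SECRET
    }
    log = [("alice", PROJECT_PLAN), ("bob", BUDGET), ("carol", MEMO)]
    return decisions, over_cleared([ALICE, BOB, CAROL], log)


if __name__ == "__main__":
    decisions, audit = demo()
    for request, allowed in decisions.items():
        print(request, allowed)
    print(audit)
```

Bob holds a Top Secret clearance but never reads above Secret, so the audit lists him; that gap between clearance held and level used is the over-classification signal the post is describing.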

What is part of the solution to the defined problem set?

1.  Thoroughly address the defined problem of over-classification.

2.  Depends on the success of solving #1.

Operational Risk Management (ORM) is about the risk of loss resulting from inadequate or failed processes, people and systems or from external events.


04 July 2015

July 4: Framework for Liberty...

On this July 4, we can reflect.  In 1776, a courageous man named Thomas Jefferson would never know how the United States would endure.  239 years later, the United States of America is a historical example that the entire world studies.  This Republic, has certainly changed since the design was created by the "Founding Fathers".

As this Independence Day unfolds across America, our Operational Risk Management (ORM) professionals are on watch.  They are celebrating in spirit and yet also worried, behind the facade of all the weekend's festivities.  Why are so many across the globe in fear of the United States?  What are their motivations for attacking our people and systems; what are they afraid of?

The fabric and infrastructure of our country are more diverse than ever.  The rule of law that governs all citizens is still capable of change, through a documented and proven process.  Change is attainable and civility is alive and well.  The power base of government is held in check by systems designed to give the people a voice.  The United States is a complex invention, and the papers written and agreed upon by Jefferson, Madison, Adams, Franklin and 56 delegates still remain true to the mission.

When you think about the entire design of the system today in your hometown USA parade, look around.  What do you see and hear?  People of all religions and ethnic backgrounds expressing their ability to assemble and show their signs of affiliation.  Playing their own favorite music.  Celebrating their particular favorite American freedom.  Some by the original nation's design and others by the Supreme Court of the United States.

Surrounding all of the expression of these freedoms are those who are on 24/7 watch.  These First Responders are waiting for your call.  Some in uniform and others in the shadows.  Perhaps it is your Mother or Father with Atrial Fibrillation, who may need an EMT at a moment's notice.  Perhaps it is a need for assistance when an armed bandit robs your retail establishment.  Perhaps it is your tip or information that intervenes with those evil-minded people who would attack our churches, public events or even the growing digital infrastructure.

You see, this ecosystem of people operating across America, in pursuit of their own dreams and their daily needs is what many across the world are unable to experience.  Many do not truly understand it, until they have had the chance to experience its feeling for real; to comprehend the emotions of people who are expressing their rights and their liberty.  The United States of America and other nations who are blueprints for democracy, know the vision and understand why it is worth defending at all costs.
 "We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness."

27 June 2015

CRO: The Modern Day CISO...

In light of the new clairvoyance in many Board Rooms authorizing management to hire a dedicated CISO, Operational Risk Management (ORM) professionals have to smile.  Some are even laughing out loud.  Why?

The Boards of Directors in organizations around the globe are finally waking up to the digital battlefield that has been fought in the information technology trenches since the late 1990s.  Only a very few saw the threat horizon for "Botnet" enabled cyber malware and the sophisticated and complex information operations of nation states.  Those organizations that have had a Chief Information Security Officer (CISO) participating in Senior Management for more than a decade are rare.

So what are the attributes of the ideal CISO?  If the Board of Directors is going to find the best person for the role in their organization, they must have a baseline of requirements for the search.  What do they need to know and what do they need to understand about Information Security?  What is the ratio of skills and knowledge that is balanced between technical, business and operational domains? How do you judge the potential CISO's ability to grasp the vast interdependencies in the enterprise with other business processes?

The modern day CISO has certainly evolved since the early 2000s.  The first generation CISOs were hired long before the evolution of the latest NIST Framework, Personally Identifiable Information (PII) definitions and data breach notification requirements mandated by state and federal agencies.  Now the modern day CISO has all of this as a baseline, yet so much more.  The CISO today needs to really understand Operational Risk Management (ORM), more than ever.

You see, the Board of Directors really needs to understand that the CISO domain within the enterprise, does not manage risk or mitigate risk to information assets alone.  Here are just a few of the categories the modern day CISO must have mastered:
  1. Security policy - management direction
  2. Organization of information security - governance of information security
  3. Asset management - inventory and classification of information assets
  4. Human resources security - security aspects for employees joining, moving and leaving an organization
  5. Physical and environmental security - protection of the computer facilities
  6. Communications and operations management - management of technical security controls in systems and networks
  7. Access control - restriction of access rights to networks, systems, applications, functions and data
  8. Information systems acquisition, development and maintenance - building security into applications
  9. Information security incident management - anticipating and responding appropriately to information security breaches
  10. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
  11. Compliance - ensuring conformance with information security policies, standards, laws and regulations
Operational Risk Management (ORM) touches each of these 11 categories and more.  The CISO who understands the interdependencies of these categories and how they intersect with the other senior managers in the enterprise is a key factor.  How do you Plan-Do-Check-Act (P-D-C-A) with the VP of Human Resources?  How do you design an "Acceptable Use Policy" and adapt consumer privacy policies with your General Counsel and the legal staff?  How do you coordinate with the Chief Financial Officer (CFO) or the Chief Security Officer (CSO), who is likely to have been on staff for far longer than most of the others?

The modern day CISO, equipped with a substantial understanding and comprehension of Operational Risk Management (ORM), will be able to interface easily with the other senior managers.  They will be able to do this because they have a substantial grasp of enterprise business operations.  They know how to run a business and they know how business is run. They know how to mitigate the risk of loss events within and to the business.  The CISO of the modern day enterprise has the ability to discuss with confidence, the risks associated within every other domain within the enterprise architecture. Why?

It is because the title of the position includes the word, "Information."  Yet maybe the title should not include the word "Security," as this could diminish the roles of risk management.  Risk mitigation. Risk avoidance.  In reality, the CISO should just now become, the "Chief Risk Officer" (CRO).

Information is a given.  It is the lifeblood of the organization.  Each front line manager or director knows they are responsible for the security of their proprietary or sensitive information.  Yet do they understand the "Why" of a holistic approach to mitigating systemic risks within the entire enterprise? Do they truly understand the necessity for a robust counterintelligence program within their global organization?  Do they even realize that their trade secrets and vital research and development formulas are being sold to the highest bidders, in an electronic marketplace designed for transnational organized crime (TOC)?  Do they know how this ecosystem works and why their organization may be the target?

What about the risks to organizational personnel who travel to places on the globe where OSAC has issued travel warnings or security messages to U.S. citizens?  Does the CISO realize the focus of international business operations and the interdependent 3rd party supply chain?

The CISO shall now become the CRO.  The CRO shall be the master of Operational Risk Management (ORM).  Information Security is a given for the future state.  The Board of Directors shall be asking the Executive Recruiters to change the overall requirements for their next addition to senior management, if they haven't already.

21 June 2015

IP Theft: The Erosion of Homeland Security...

"Above all, watch with glittering eyes the whole world around you, because the greatest secrets are always hidden in the most unlikely places. Those who don’t believe in magic will never find it." —Roald Dahl
What is the latest headline to get your attention these past few weeks?  As an Operational Risk Management (ORM) professional you have to be amazed and in shock from several of the global loss incidents.  Was it from the Financial, Technology, Energy or Government sector, or just a tragic crime or terrorist event with significant loss of life somewhere?

The people, processes, systems and external events that make up your particular Operational Risk ecosystem are dynamic.  The threats are evolving both in the physical world and even more so in our data hungry processor driven virtual workplace.  You probably can't remember the last time your organization required you to operate the whole day without the use of computer systems; to operate the business in a manual mode over a Saturday in an orchestrated and scenario-driven Business Continuity exercise.

If you can't remember, then as a corporate leader or head of a Board of Directors audit committee you are in denial.  The attitude that your organization will never have a data breach or become the victim of a natural disaster such as an earthquake, flood or hurricane is naive.  What about the rogue "Insider" who has perpetrated an act of industrial espionage or a long term fraud scheme?  The continued theft of U.S. Intellectual Property has been well documented since 2013:

Key Findings
The Impact of International IP Theft on the American Economy
Hundreds of billions of dollars per year.

The annual losses are likely to be comparable to the current annual level of U.S. exports to Asia—over $300 billion. The exact figure is unknowable, but private and governmental studies tend to understate the impacts due to inadequacies in data or scope. The members of the Commission agree with the assessment by the Commander of the United States Cyber Command and Director of the National Security Agency, General Keith Alexander, that the ongoing theft of IP is “the greatest transfer of wealth in history.”
When you really sit down and think about the risk to the Homeland Security of the United States today, this has to be at the top of the list.  The reason is that the "IP Theft" threat is not like ICBMs coming over the horizon suddenly.  This metastasized problem set is eating away at our economic security and our U.S. national security simultaneously.
"While IP theft is not new to the planet, today’s scale of economic impacts—with national security ramifications, international dimensions, significant foreign-state involvement, and inadequacy of legal and policy remedies and deterrents—makes for an unprecedented set of circumstances."  
- CHAPTER 1: THE NATURE OF THE PROBLEM, The Commission on the Theft of American Intellectual Property

What are the solutions?  The answer is plural because there is no single way to address the magnitude and the severity of the threat.  The security of the U.S. Homeland begins with intelligence.  The degree to which the intelligence gathered, analyzed and shared is capable of being absent of bias is a start.

Homeland Security Intelligence (HSI) is quickly evolving beyond the group think of a catastrophic physical terrorist event.  The focus now is on counterintelligence as much as on counterterrorism, and on all of the interdependent connections to the rest of the world.  As your organization begins its next strategic planning cycle or engages in the thought of a continuity of operations exercise, you should think wider and deeper.  The survival of your business and organization is dependent upon your internal counterintelligence mechanism.

As one example, take a minute to better understand the diversity of languages being spoken within your organization.  Who are the people within the enterprise who have the fluent ability to speak and to translate English to some other foreign language?  How does your enterprise engage in international business with other countries?  The degree to which you have multiple languages being translated, or utilized for business transactions and necessary for daily operations, is both a risk and an opportunity.

The secrets inside your organization are knowable.  The ability to hedge the Operational Risks to Intellectual Property within your enterprise is greater than you may realize.  The interdependency with U.S. Homeland Security is evident.

13 June 2015

4D: A Risk Strategy for Business Survival...

Executive Summary

Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits. Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities. They create an action on a target that produces an unauthorized result. They do this to obtain their objective.

Here are four key lessons to create a "4D" risk strategy in your enterprise.

Lesson 1 – Deter

The Mission

Deter the attacker from launching a salvo of new threats to compromise your organization's assets. You first have to understand the value of your corporate assets to determine which are the most valuable in the eyes of your adversary. You must make it increasingly more difficult for these valuable assets to be attacked, or you will find yourself under the constant eye of those who wish to create a significant business disruption.

These attackers are individuals who take on these quests or objectives for several key reasons. They include financial gain, political gain, damage or the simple challenge, status or thrill. It’s your job to create deterrence for each one of these objectives.

The Take Away

In order to effectively deter potential risks to your corporate assets, first you have to understand what they are and how valuable they are in the eyes of each kind of attacker. The more valuable the target, the more deterrence it requires.

Lesson 2 – Detect

The Mission

Detect the use of tools by the attackers. These tools are what they use to assess the vulnerabilities within and throughout the organization. These tools include surveillance, physical attack, information exchange, user commands, scripts or programs, autonomous agents, toolkits, distributed tools or data taps. Some are high tech and most are the craft of social engineers.

The attackers are using a combination of these tools and tactics to exploit corporate vulnerabilities in:
  • Design
  • Implementation
  • Configuration

The Take Away

Just about any significant business disruption can be traced back to the fact that the attacker was able to effectively exploit the organization's defenses using a systematic method and the correct tools. Detection of threats begins by detecting the use of tools. Whether it's the surveillance of an individual or of a facility. Whether it's the design of the building or the software code for the E-Commerce system. Whether it's the implementation of security cameras or the firewall. Whether it's the configuration of the controls for access to the vault or to the ERP system. You have to continuously detect the use of the attackers' tools and their methods to exploit your vulnerabilities.

Lesson 3 – Defend

The Mission

Defend the target from any actions by the attackers' tools. Targets may include a person, facility, account, process, data, component, computer, Intranet network or Internet. Actions against the target are intended to produce the unauthorized result. Some action categories are labeled:

  • Probe
  • Scan
  • Flood
  • Authenticate
  • Bypass
  • Spoof
  • Read
  • Copy
  • Steal
  • Modify
  • Delete

The Take Away

In order to understand how to defend your corporate assets, you have to attack them yourself using a continuous combination of tools and tests. Only then will you find out where your single point of failure lies and where the attacker is going to successfully exploit a vulnerability you didn't know existed.

Lesson 4 – Document

The Mission

Document the normal so you know when and where there is an unauthorized result. In order for the attacker to obtain their objective, the target must produce this unauthorized result. These might include:
  • Increased Access
  • Disclosure of Information
  • Corruption of Information
  • Denial of Service
  • Theft of Resources

In order to understand that an attack is actually occurring, normal results have to be documented and a historical trend has to be established. What is normal? How do you know what normal looks and feels like? You document, store, record and analyze what normal is. If you have done this for long enough and across the potential targets the attacker is trying to exploit, then you will know the second an unauthorized result takes place.

The Take Away

Documenting the behavior of people, processes, systems and external events is a vital component of a complete strategy for risk mitigation. Understanding what normal "is" begins with effective documentation and analysis. Many organizations begin to document long after it is too late, or as a result of a significant business disruption. Documentation remains a challenge for many, and a task that attackers know is likely to be left undone or behind schedule.
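The "document the normal" lesson above, together with the action categories under Lesson 3 (probe, scan, flood) and the unauthorized results under Lesson 4 (increased access, denial of service), is easiest to see with a small baseline-and-compare routine. The following is an added example, not code from the original post: it records several days of constructed access events per actor, then scores a new day against that record. The actor names, target names and event counts are all hypothetical, and the thresholds (three times the largest daily target set, mean plus three standard deviations) are illustrative choices, not figures from the post.

```python
"""Document the normal, then flag deviations: an added detection example.

All events below are constructed sample data (not real logs); the actor and
target names are hypothetical. An event is (day, actor, action, target).
"""
from collections import defaultdict
from statistics import mean, pstdev


def constructed_baseline():
    """Five 'normal' business days of activity, with a little day-to-day variation."""
    events = []
    for day in range(1, 6):
        events += [(day, "alice", "read", "crm-db")] * (20 + day)
        events += [(day, "alice", "modify", "crm-db")] * 5
        events += [(day, "bob", "read", "web-app")] * 30
        events += [(day, "bob", "authenticate", "vpn")] * 2
        events += [(day, "carol", "read", "wiki")] * 10
    return events


def build_baseline(events):
    """Per actor: (action, target) pairs ever seen, daily count statistics,
    and the most distinct targets touched on any single day."""
    pairs = defaultdict(set)
    daily_counts = defaultdict(lambda: defaultdict(int))
    daily_targets = defaultdict(lambda: defaultdict(set))
    for day, actor, action, target in events:
        pairs[actor].add((action, target))
        daily_counts[actor][day] += 1
        daily_targets[actor][day].add(target)
    baseline = {}
    for actor, seen in pairs.items():
        counts = list(daily_counts[actor].values())
        baseline[actor] = {
            "pairs": seen,
            "mean": mean(counts),
            "std": pstdev(counts),
            "max_targets": max(len(t) for t in daily_targets[actor].values()),
        }
    return baseline


def detect(baseline, window, k=3.0):
    """Compare one day's events with the documented normal.

    Alert kinds map to the results above: 'new-behaviour' (an action/target
    pair never seen before, e.g. increased access), 'scan-like' (far more
    distinct targets than on any baseline day), 'flood-like' (volume beyond
    mean + k*std, i.e. a denial-of-service signal) and 'unknown-actor'.
    """
    alerts = []
    by_actor = defaultdict(list)
    for ev in window:
        by_actor[ev[1]].append(ev)
    for actor, evs in by_actor.items():
        b = baseline.get(actor)
        if b is None:
            alerts.append({"actor": actor, "kind": "unknown-actor", "detail": len(evs)})
            continue
        for action, target in sorted({(a, t) for _, _, a, t in evs} - b["pairs"]):
            alerts.append({"actor": actor, "kind": "new-behaviour", "detail": f"{action} {target}"})
        targets = {t for _, _, _, t in evs}
        if len(targets) > 3 * b["max_targets"]:
            alerts.append({"actor": actor, "kind": "scan-like", "detail": len(targets)})
        # A floor of 1 on the deviation keeps a perfectly flat baseline from alerting on +1.
        if len(evs) > b["mean"] + k * max(b["std"], 1.0):
            alerts.append({"actor": actor, "kind": "flood-like", "detail": len(evs)})
    return alerts


def constructed_window():
    """Day 6: alice gains admin rights, bob's volume doubles, carol touches
    hosts she never used before, and an actor with no baseline appears."""
    day = 6
    window = [(day, "alice", "read", "crm-db")] * 22
    window += [(day, "alice", "modify", "crm-db")] * 5
    window += [(day, "alice", "grant-admin", "crm-db")]
    window += [(day, "bob", "read", "web-app")] * 60
    window += [(day, "bob", "authenticate", "vpn")] * 2
    window += [(day, "carol", "read", "wiki")] * 5
    window += [(day, "carol", "read", f"host-{n}") for n in range(1, 8)]
    window += [(day, "mallory", "read", f"host-{n}") for n in range(1, 5)]
    return window


def run():
    """Build the baseline and return the alerts for the constructed window."""
    return detect(build_baseline(constructed_baseline()), constructed_window())


if __name__ == "__main__":
    for alert in run():
        print(alert)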

Conclusion

A "4D" Risk Strategy for Business Survival is only effective if it is operating on a continuous basis. You must create the culture and the due diligence to see that it becomes part of the fabric of the organization internally and with outsourced partners or suppliers. Only then will the attacker realize that this combination to deter, detect, defend and document is alive and growing in your enterprise. This is when attackers become discouraged, afraid, uncertain and ultimately ready for a new and less formidable adversary.

"Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result, to obtain their objective. These "4D" lessons should put you on the way to creating a more survivable business."

07 June 2015

Startup Risk: Design of ORM Architecture...

How wonderful it would be to be able to redesign our current work culture and the systems that support it.  Only those new startup companies with the two co-founders sitting around the kitchen table have that real luxury.  When should the Operational Risk Management (ORM) framework for this new business entity be developed and staged for implementation?

All too often when a startup company forms its basis for existence, the focus is 100% on the product solutions and the "Go-to-Market" plan.  It isn't until the firm is leasing its first office space that all of a sudden it becomes a reality.  The Operational Risk Management (ORM) components of the company design have been given back burner status.  The viability and the longevity of the business model could be in jeopardy.

Six months later, you might have two dozen employees moving into the new open plan office suite. Do the co-founders and senior management realize the business problem before them?  The culture of the organization is well underway and also what the norms are and what the rules will be. The employees and contingent contractors are operating almost 24 x 7 at this stage to launch new products and establish market presence campaigns.  How could there be any real serious operational risks to consider at this point?

The implementation of the rule base and the company policies is now a necessary stage of the startup. This is also when the co-founders realize that maybe it is time to start handing over the day-to-day management of the company.  It could even be the time to add the professional CEO and other key executives, including the Chief Technology Officer, Chief Financial Officer, General Counsel, Chief Information Officer, Chief Human Capital Officer and the Chief Risk Officer.

The organizational enterprise architecture is now operating in full swing.  These stewards of the new company have a vital and delicate opportunity now.  Will the company build a system-of-systems that are trustworthy?

Will the people interacting within the rule-based environment of the NewCo begin to feel burdened, restricted and even under the magnifying glass?  Or will the new enterprise architecture be so adaptive, so resilient and so capable of predictive behaviors that employees feel free?  They feel innovative and capable of operating just as in the early days of the birth of the company.

The Mission

The mission as a co-founder of a new startup is to ensure the survival of the organization.  We all know the failure rate for new companies.  Just ask Dun & Bradstreet for the statistics or even your local Venture Capitalist who is celebrating failures these days.  So beyond just the survival of the NewCo is the imperative to establish a cultural and operating environment where people feel encouraged, creative and unencumbered to fulfill their job requirements and goals.

The Take Away

Operational Risks are inherent in any new business endeavor.  The earlier the ORM design begins in the company evolution, the more resilient you will ultimately become.  The framework of the system-of-systems, the look and feel of the cultural environment and the end state visions are all at stake.  Take the time and include the expertise to work on the systems foundation of your new enterprise.

Ensure the survivability of the new products and solutions that are so valuable to our economy and our nation.  Embrace Operational Risk Management early in your startup and allow its presence while it preserves all that you have worked for and dreamed of...

31 May 2015

Trust Decisions: Human-to-Human Open Transaction Systems...

"Let us not look back in anger, not forward in fear, but around us in awareness"
-James Thurber-

When you become independent of the core group and the impact of your own bias, a whole new world unfolds before you.  The truth is discovered and the true reality becomes clear.  How often does the Board of Directors convene an emergency meeting as a result of a surprise Operational Risk loss event?

When you start listening to the explanation and you hear words such as "complex" and "3rd parties", this should sound an alert.  From the "Boardroom to the Battlefield" executive management is still flying blind on many fronts.  They have become so risk averse that in many cases the automated machines have taken over group think with their sophisticated high technology sensors.

Trusted sources from a human perspective are still the basis for vital decision support and monetary transactions.  Human-to-human information transfer via a trusted chain of sources is still thriving.  Trust is at the center of systems for significant transfer of information and assets to this day:
Hawala or Hewala (Arabic: حِوالة‎, meaning transfer), also known as hundi, is an informal value transfer system based on the performance and honour of a huge network of money brokers, primarily located in the Middle East, North Africa, the Horn of Africa, and the Indian subcontinent, operating outside of, or parallel to, traditional banking, financial channels, and remittance systems.
Does the Hawala have an emerging digital variant?  Why is the understanding of a blockchain-enabled digital ledger important in this day and age?  The reason becomes more apparent as we study how it works and where it is being utilized and for what purpose:

Example A

Silk Road was an online black market, best known as a platform for selling illegal drugs. As part of the Dark Web, it was operated as a Tor hidden service, such that online users were able to browse it anonymously and securely without potential traffic monitoring. The website was launched in February 2011; development had begun six months prior. Initially there were a limited number of new seller accounts available; new sellers had to purchase an account in an auction. Later, a fixed fee was charged for each new seller account.

Example B

NEW YORK, May 11, 2015 (GLOBE NEWSWIRE) -- Nasdaq (Nasdaq:NDAQ) today announced plans to leverage blockchain technology as part of an enterprise-wide initiative. Nasdaq will initially leverage the Open Assets Protocol, a colored coin innovation built upon the blockchain. In its first application expected later this year, Nasdaq will launch blockchain-enabled digital ledger technology that will be used to expand and enhance the equity management capabilities offered by its Nasdaq Private Market platform.

Importantly, the creation of a securities distributed ledger function using blockchain technology will provide extensive integrity, audit ability, governance and transfer of ownership capabilities.

"Utilizing the blockchain is a natural digital evolution for managing physical securities," said Bob Greifeld, CEO, Nasdaq. "Once you cut the apron strings of need for the physical, the opportunities we can envision blockchain providing stand to benefit not only our clients, but the broader global capital markets."

Whether the "Digital Hawala" continues to thrive in the years ahead will depend on several key market issues: transparency, accountability and documentation, and accurate record keeping.

At the center of this evolving system are two key attributes: speed and trust.  That is why you now see the private equity and venture capital community investing in companies such as Ripple Labs:
Ripple Labs (formerly OpenCoin) developed the Ripple protocol. Its team of experienced cryptographers, security experts, distributed network developers, Silicon Valley and Wall Street veterans contributes code to the open-source software and works with financial institutions and payment networks to accelerate the growth of the protocol. The team shepherds a movement to evolve finance so that payment systems are open, secure, constructive and globally inclusive.
"Trust Decisions" are at the heart of the future of trading, decision support and the speed of human knowledge.  The fusion of ancient and modern protocols for global commerce and achieving digital trust are on our doorstep.  Let your awareness begin...

23 May 2015

Memorial Day 2015: The Risk of Service is Understood...

It is Memorial Day weekend in the U.S. and on this final Monday of May 2015, we reflect on this past year.

In order to put it all in context, we looked back 24 months to our 2013 blog post here.  It was only a few weeks since a fellow colleague from Team Rubicon had ended his battle at home, after several tours of duty with AFSOC.  Neil had joined the ranks of those fallen heroes who survive deployment tagging and tracking the enemy in the Hindu Kush.  He was one of the 22 that day in early May that could not defeat the legacy of demons that he fought each night as he fell deep asleep.

Memorial Day 2015, we honor Neil in Section 60 at Arlington Memorial Cemetery and all those other military members who have defended our freedoms for 238 years.  Simultaneously, we do the same for the "Stars" on the wall in Langley, Va for the officers who have done the same.

Whether you are on the front lines or inside the wire at the FOB.  Whether you are in Tampa, FL, Stuttgart, Germany or Arlington, VA.  Whether you are on your beat cruising the streets of a major metro USA city.  Whether you are watching a monitor at IAD, LAX or DFW.  Whether you are deep in analysis of Internet malware metadata or reviewing the latest GEOINT from a UAS.  We are all the same in the mission that gets each one of us out of bed each day: our country's "Operational Risk Management (ORM)."

The Operational Risk Management mission of the U.S. Homeland is vast and encompasses a spectrum of activity, both passive and kinetic.  Digital and physical.  It requires manpower and resources far beyond the capital that many developed countries of the world could to this day comprehend.  There are only a few places across the globe, where a normal citizen would say that the mission and the capital expenditures are worth every dollar and every drop of blood.

Memorial Day in the United States is exactly this:
Memorial Day is a United States federal holiday which occurs every year on the final Monday of May. Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces. Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service.

So this weekend, as we walk among the headstones and reflect on our colleagues who gave their service and their own lives, we will stand proud.  We understand the risks.  We know why we serve.  In the spotlight or in the shadows.  The tradition and the mission continue...

17 May 2015

Feeling Vulnerable: The Risk of the Unknown...

There are Operational Risk Management (ORM) professionals down range today.  They operate in the shadows continuously in some facet of the OODA Loop.  Whatever the specific mission may be, and from most any Lat/Long on the planet, these professionals are paid to "Think-Outside-The-Box", as the cliché says.  What is it that these ORM professionals fear the most?  Feeling vulnerable.

You may have had this feeling in your life at some point.  Whether those early days in high school when the jocks are ganging up on the geeks in between classes or in that special relationship with the opposite sex.  What about all those days, weeks or years when you were aspiring to get that next great job in the organizational hierarchy?

Were you ever politically vulnerable?  When you have the feeling that you are vulnerable, that could have several implications.  Psychologically and physically.  The question has to be asked.  As a person, what is vulnerable?  Your Ego.  Emotions.  Relationship.  Finances.  Health.  Career.  Reputation.  Or even your life, or the lives of people you are charged with to keep safe and secure?

Feeling vulnerable is not what humans like to have swirling around in their head when they go to sleep at night or wake up in the morning.  As an Operational Risk Management (ORM) professional, our job is to experience all of those feelings on a select and continuous basis.  We do this so that we know what impact these feelings will have on us, our family, friends, neighbors and co-workers.  How will each and all of us behave, under each of these special circumstances of vulnerability?

Why do we want to experience and record the behavior of individuals, systems and even the unexpected natural event from mother nature?  So that we can be more predictive and ever more resilient.  This improves our self-confidence and our ability to become more adaptive.  In life and in our chosen vocations, in your local town or the federated state.  In the nation or continent we live. The Operational Risk Management (ORM) professional is forever learning and testing, in order to survive another day.

When the sounds and smells of your particular battlefield have dissipated, or the feelings of the intravenous (IV) needles taped to the inside of your forearm are gone, your vulnerabilities are changing. When the touch of your loved one on your shoulder makes you cry, you realize that you too are now on your way to surviving another day.  Together.

Godspeed!