31 May 2005

External Events: Training and Simulation to Mitigate Risk

Every so often you come across a company or technology that is worthy of consideration for your enterprise. With hundreds of vendors products in several categories of Operational Risk, the Reality Response Division of AIS is one for your training and simulation portfolio.

The risk of loss from external events is a growing emphasis by many OPS Risk Officers. Preparedness is a key strategy to mitigating hazards and minimizing the loss of property and life. Imagine for a moment that you have a complete model of your facility, building or mall. A virtual model. One that you can use to train employees, staff and other suppliers about the idiosyncratic nature of your evacuation procedures or shelter-in-place locations. Not only is this method of training smart, it is cost effective and allows for participant interaction directly with the model and the procedures.

Real-time training with people in one room or multiple locations it does not matter. The participants can be exercised without exposure to potentiall hazardous situations until they are ready for a complete and full test of the simulation with a live scenario. The other applications include your physical security teams.

In today's uncertain world, security forces are asked to combat a wide variety of public safety threats - local street crime, terrorist attacks, and international conflicts occur with alarming frequency. At AIS, we understand these threats and have developed an extensive offering of training programs to enhance the performance of security forces on the front lines.

> Judgmental Use-of-Force
> Firearms Training
> Counter-Terrorism
> Chem-bio Response
> Marksmanship Training
> Incident Command
> Tactical Carbine
> Tactical Handgun Skills
> Rifle Instructor
> Behavior Pattern Recognition
> Checkpoint Security


Advanced Interactive Systems, Inc., (www.ais-sim.com) provides comprehensive training solutions for people in positions where lives are on the line, including law enforcement, military, government, security, corrections and emergency responders. AIS manufactures PRISim training simulators that provide lethal and less-lethal weapons handling and judgment skills. The AIS Ltd. group designs and builds anti-terrorist and other special application training facilities for military and special operations groups, with installations in more than 60 countries. The Reality Response Division manufactures interactive simulation systems and synthetic environments that provide reality-based training for CBRNE (chemical, biological, radiological, nuclear, explosive) hazard response tasks. Headquartered in Seattle, Washington, AIS Inc. is a privately-owned company with offices in Washington D.C.; McLean, Virginia; Monterey, California; Orlando, Florida; Abu Dhabi, UAE; Singapore, Malaysia Farnham, England.

27 May 2005

Software Quality Risk Assurance: Feasible or Desireable?

For those of you who have never heard of the Metasploit project, now you have. This could be your worst nightmare or it could be your best ally.

This is the Metasploit Project. The goal is to provide useful information to people who perform penetration testing, IDS signature development, and exploit research. This site was created to fill the gaps in the information publicly available on various exploitation techniques and to create a useful resource for exploit developers. The tools and information on this site are provided for legal penetration testing and research purposes only.


In a recent presentation by Dr. Eric Cole, CTO of the Advanced Technology Research Center at Sytex, Metasploit was highlighted as a tool that could be utilized to attack your own systems. Why?

At the 50,000 ft. level, the logic goes something like this. You have to utilize the same tools that attackers use on your own networks to understand exactly where your vulnerabilities lie. If only the Chief Risk Officer or Chief Information Security Officer only knew what challenges they really face in the next phase of Information Warfare.

The ethics of providing such tools is no different than other debates that are embedded in the US Constitution. The Right to Bear Arms. At some point the topic of regulation will become louder than it is today. What really matters is that the technology companies invest more heavily in software quality assurance and they do more diligent testing. Many have realized the cost of catching a bug or vulnerability after general release costs exponentially more dollars to fix than at an early stage of software development.

And that is exactly why the Metasploit project exists. Six Sigma Software Quality Risk Assurance is neither feasible nor desirable for most companies who choose to develop operating systems and applications for the high technology sector.

25 May 2005

A Risk Strategy for Corporate Business Survival - Lesson 5 - Document

“4D”
A Risk Strategy for Corporate Business Survival
Deter. Detect. Defend. Document.

By Peter L. Higgins

Lesson 4 of a 4 Part Series


The Mission
Document the normal so you know when and where there is an unauthorized result. In order for the attacker to obtain their objective, the target must produce this unauthorized result. These might include:

· Increased Access
· Disclosure of Information
· Corruption of Information
· Denial of Service
· Theft of Resources

In order to understand that an attack is actually occurring, normal results have to be documented and a historical trend has to be established. What is normal? How do you know what normal looks and feels like? You document, store, record and analyze what normal is. If you have done this for long enough and across the potential targets the attacker is trying to exploit, then you will know the second an unauthorized result takes place.

The Take Away
Documenting the behavior of people, processes, systems and external events is a vital component of a complete strategy for risk mitigation. Understanding what normal “is”, begins with effective documentation and analysis. Many organizations begin to document long after it is too late or as a result of a significant business disruption. Documentation remains to be a challenge for many, and a task that attackers know is likely to be left undone or behind schedule.

Conclusion
A “4D” Risk Strategy for Business Survival is only effective if it is operating on a continuous basis. You must create the culture and the due diligence to see that it becomes part of the fabric of the organization internally and with outsourced partners or suppliers. Only then will the attacker realize that this combination to deter, detect, defend and document is alive and growing in your enterprise. This is when attackers become discouraged, afraid, uncertain and ultimately ready for a new and less formidable adversary.

Attackers use tools to exploit a vulnerability to create an action on a target that produces an unauthorized result, to obtain their objective. These “4D” lessons should put you on the way to creating a more survivable business.

Peter L. Higgins is the Managing Director of 1SecureAudit, an Operational Risk Management Solutions firm located in McLean, VA. He can be reached at higginsp@1SecureAudit or 703 245 3020.

24 May 2005

A Risk Strategy for Corporate Business Survival - Lesson 3 - Defend

“4D”
A Risk Strategy for Corporate Business Survival
Deter. Detect. Defend. Document.

By Peter L. Higgins

Lesson 3 of a 4 Part Series


The Mission
Defend the target from any actions by the attackers tools. Targets may include a person, facility, account, process, data, component, computer, Intranet network or Internet. Actions against the target are intended to produce the unauthorized result. Some action categories are labeled:

· Probe
· Scan
· Flood
· Authenticate
· Bypass
· Spoof
· Read
· Copy
· Steal
· Modify
· Delete

The Take Away
In order to understand how to defend your corporate assets, you have to attack them yourself using a continuous combination of tools and tests. Only then will you find out where your single point of failure lies and where the attacker is going to successfully exploit a vulnerability you didn’t know exists.

23 May 2005

A Risk Strategy for Corporate Business Survival - Lesson 2 - Detect

“4D”
A Risk Strategy for Corporate Business Survival
Deter. Detect. Defend. Document.

By Peter L. Higgins

Lesson 2 of a 4 Part Series


The Mission
Detect the use of tools by the attackers. These tools are what they use to assess the vulnerabilities within and throughout the organization. These tools include surveillance, physical attack, information exchange, user commands, scripts or programs, autonomous agents, toolkits, distributed tools or data taps. Some are high tech and most are the craft of social engineers.

The attackers are using a combination of these tools and tactics to exploit corporate vulnerabilities in:

· Design
· Implementation
· Configuration


The Take Away
Just about any significant business disruption can be traced back to the fact that the attacker was able to effectively exploit the organizations defenses using a systematic method and the correct tools. Detection of threats begins by detecting the use of tools. Whether it’s the surveillance of an individual or of a facility. Whether it’s the design of the building or the software code for the E-Commerce system. Whether it’s the implementation of security cameras or the firewall. Whether it’s the configuration of the controls for access to the vault or to the ERP system. You have to continuously detect the use of the attackers tools and their methods to exploit your vulnerabilities.

21 May 2005

A Risk Strategy for Corporate Business Survival - Lesson 1 - Deter

“4D”
A Risk Strategy for Corporate Business Survival
Deter. Detect. Defend. Document.

By Peter L. Higgins


Lesson 1 of a 4 Part Series

Executive Summary
Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits. Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities. They create an action on a target that produces an unauthorized result. They do this to obtain their objective.

Here are four key lessons to create a “4D” risk strategy in your enterprise.

Lesson 1 – Deter

The Mission

Deter the attacker from launching a salvo of new threats to compromise your organizations assets. You first have to understand the value of your corporate assets to determine what are the most valuable in the eyes of your adversary. You must make it increasingly more difficult for these valuable assets to be attacked or you will find yourself under the constant eye of those who wish to create a significant business disruption.

These attackers are individuals who take on these quests or objectives for several key reasons. They include financial gain, political gain, damage or the simple challenge, status or thrill. It’s your job to create deterrence for each one of these objectives.

The Take Away
In order to effectively deter potential risks to your corporate assets, first you have to understand what they are and how valuable they are in the eyes of each kind of attacker. The more valuable the target, the more deterrence it requires.

19 May 2005

Cyber-Crime & E-Forensics...

Companies such as Intelligent Computer Solutions are making the Computer Forensic investigators more effective. In fact, they are making it more difficult for those hackers, attackers and others to steal corporate information and assets, abuse acceptable use policies and to harm the reputation of organizations.

Intelligent Computer Solutions (ICS) is the technology leader in the design and manufacture of high-speed Hard Drive Duplication equipment, Software Cloning Solutions and Diagnostic Systems. Having developed the hard drive duplication technology (and holding a US Patent C,131,141), ICS has gained international name recognition for 14 years of customer service and for providing its customers with cutting edge solutions.

Intelligent Computer Solutions is a prominent supplier of Law Enforcement & Computer Forensic Systems to Law Enforcement personnel ranging from local police departments to Federal and International agencies. ICS units are being used today by government agencies in the US, Canada, Europe, the Middle East, China, Australia and New Zealand.


Online Fraud and other internal mischief is keeping the industry busy working with clients on a number of issues including:

"Consumers and businesses alike must remain constantly vigilant about personal and financial information," said Patricia Kachura, senior vice president for ethics and consumer affairs at The DMA. "E-mail scams are becoming more sophisticated and scammers are becoming more organized, and efficient in exploiting illegally obtained personal information to the fullest extent possible."

Financial fraud, for example, costs consumers and businesses billions of dollars annually. Based on a 2004 poll of 5,000 people in the U.S., the industry analyst firm Gartner calculated that $2 billion a year is lost to banking scams, including online fraud and phishing.

The top five spam scams for April as identified by the NCFTA include:

1. Web Mobs: Web mobs are well organized groups of computer-savvy criminals who form hierarchical networks on the Internet in order to commit identity theft and fraud with personal identification and financial information. After gathering victim information via phishing schemes, the Web mob buys and sells the information among its members or through online auctions. They use Web sites and chat forums to discuss and exchange techniques and tools.

2. Cross-Site Scripting (CSS): CSS vulnerability is caused by the failure of a Web site to validate the intended address of user input, such as personal or financial information supplied to make an online purchase, before returning that data to the client's Web-browser. Instead, that information is sent to another, unauthorized site. This is called cross-site scripting and is caused when an intruder causes a legitimate Web server to unknowingly send a page to a victim's browser that contains malicious script or HTML. The malicious script runs with the privileges of a legitimate script originating from the legitimate Web server and redirects the information to the intruder's Web server. More information on this practice is available at http://www.cert.org/archive/pdf/cross_site_scripting.pdf.

3. Pharming Attacks: Pharming is the redirecting of a Web request to another location entirely. On a computer hijacked by pharmers, for example, a user will type a URL (such as their bank's Web address), but will unknowingly be redirected to a designated phishing site that looks very familiar. Because the user did not click on any obscure link, the site will appear to be legitimate.

4. Phishing: Phishing is by far the most abundant scam witnessed by the NCFTA to-date., Bank and credit card phishing scams are constantly evolving, making it more difficult to identify the forgery. Source codes which have been used to determine where "phished" information was being sent after it was harvested, are now being hidden by phishers. Phishers are also disabling mechanisms such as 'right-click' on the phishing sites for the purpose of masking the compromised URL.

5. Spyware - Trojans & Malicious Code: This is software that surreptitiously performs certain tasks on your computer, typically without the user's consent. This may include collecting personal information about you, or infecting your computer with a Trojan or malicious code. Such instruments can cause your computer to be used for other criminal conduct, such as Denial of Service attacks, or to act as part of a spam relay network.

Spyware and Trojans are downloaded onto a user's computer in two ways. First, the most frequent way is by accessing Web sites containing them. Secondly, such tools can infect a computer through a spam e-mail that includes a link to a site containing spyware or Trojans. In some instances a user need not even open the e-mail attachment for it to execute or load to your computer without one seeing it occur.

These identified spam scams are based solely on limited NCFTA data. However, this information is shared with the FBI, which, with assistance from The DMA's Slam Spam project, provides law enforcement authorities with a much more robust understanding of the top spam scams.

06 May 2005

Offshoring: Audit Processes and Facilities

Thanks to Christopher Koch for his article on "Don't Export Security".

U.S.-based companies routinely underestimate the extra elements of risk introduced into the offshoring equation by issues like poor infrastructure, political instability and legal systems that don't line up with Western practices, says Ken Wheatley, vice president, corporate security of Sony Electronics. "People are so focused on saving money and shifting operations that they don't think about the safeguards that need to be put in place," he says. "They assume that people in different countries have the same mind-set and safeguards and sense of due diligence, and that's just not the case."


Ken Wheatley is correct and more companies need to have offshoring due diligence that makes sense. Here are a few key questions for any organization considering an outside supplier relationship.

What is the importance of the function or process being performed to the mission critical components of our daily operations? If the answer is high, then you know that your first risk mitigation step may be to re examine whether this should ever be outsourced!

If the answer is medium or low, you should ask for the last audit results on these key areas of ISO 17799. And if these haven’t been audited, then why risk handing over any activities to any supplier without thorough due diligence.

A.12.1- Compliance with legal requirements to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

A.11.1 - Business continuity management to counteract interruptions to business activities and to protect critical business processes from the effects of major failures and disasters.

A.7.1 - Secure areas to prevent unauthorized physical access, damage and interference to business premises and information.

A.6.1 – Security in job definition and resourcing to reduce the risks of human error, theft, fraud or misuse of facilities.


All the controls and standards don’t mean a thing until someone tests their effectiveness. Sadly, many organizations still have a long way to go to becoming compliant with even their most fundamental security policies

03 May 2005

E-Mail and Digital Discovery: What is Your Policy?

The interpretations of "E-mail Retention" policy is still an issue in managing legal risk and many are still scratching their heads for answers. What is a Chief Compliance Officer(CCO) to do these days to conquer the data and records retention explosion?

The Sarbanes-Oxley Act of 2002
All public companies are required to save records relevant to the audit process, including e-mails, for seven years. The real-time disclosure rule, will force companies to monitor the contents of e-mail for material events.

Securities and Exchange Commission Rule 17A-4
Stemming from the Securities Exchange Act of 1934, this rule requires brokerages to save e-mails in an easily accessible place for two years.

The Health Insurance Portability and Accountability Act of 1996
Privacy rules dictate what information health-care companies can and cannot include in e-mails.

Medicare
Health-care companies are required to retain e-mails that are especially important during audits.

Other legislation
The Can-Spam Act of 2003 for marketers, the Tread Act of 2000 for the automotive industry, the Gramm-Leach-Bliley Act of 1999 and the USA Patriot Act of 2001 all force companies in many industries to change the way they manage e-mail.


The four aspects of good e-mail management: storage, archiving, indexing and policy enforcement are where the CCO, CIO and General Counsel are all converging with their current conversations. What remains to be done, is for the technologies to catch-up and to assist especially in indexing and policy enforcement. You can bet that some organizations are making a copy of every single e-mail sent and putting it into a vault. And others who will retain e-mail only for 30 days before it is deleted forever. The policy is different depending on the type of organization and the number of times you are served with "Discovery" requests from legal counsel.

Jeffrey Schwarz, an Information Technology Partner from McDermott, Will & Emery, was quoted in the January 15 issue of CIO in an article addressing how federal regulations, from HIPAA to Sarbanes-Oxley, have moved e-mail management to a top priority for CIOs. "E-mail has become the primary medium for how we communicate," Mr. Schwarz commented. "Four years ago we used paper and FedEx. Now almost everything is done over e-mail." He continued saying, "We are trying to make a system do something that it wasn't designed to do. E-mail wasn't designed to be a document repository. It was meant to be send, read, delete. But now you can't delete. There are regulations that don't let you do that."


Regulatory Compliance is not a traditional IT training ground until now. It's critical that an information management policy and regulatory procedure fusion take place at the board level to insure against the risks associated with e-mail retention or lack there of. But still, what is the Chief Compliance Officer going to do to mitigate these risks sooner than later?

E-Evidence and Digital Forensics are sought after disciplines these days at large law firms and other specialized consultancies. E-mail litigation is fueling this fire. The "E-Mail Trail" called by some is the "Smoking Gun" that gets juries convinced and plaintiffs huge awards or convictions.

The demand is only likely to increase as the volume of cases with digital evidence increases, according to the Department of Justice.

"Cyber-crime is obviously something that is a national priority," said Steve Bunnell, chief of the criminal division at the U.S. attorney's office in Washington, D.C., which recently established a cyber-crime division.

"Computer crimes are something that crosses borders. ...There is really a premium on getting the right and left hand working together," Bunnell said.

Courtrooms and universities are welcoming more lawyers specializing in electronic crime. They are setting the stage for the evolution of "cyber-law" as the debate over digital evidence -- and what limits may be put on it -- is raging among legal scholars and law enforcement, Brenner said.