28 October 2005

Zombies Being Hunted: Trick or Treat?

The FTC and Microsoft are going Zombie Hunting just in time for Halloween.

"The widespread use of zombie computers to commit crimes over the Internet presents a very real danger to law-abiding computer users," said Tim Cranton, the director of Microsoft's Internet Safety division.

Earlier this year, Cranton said, Microsoft set up a "clean" PC, then infected it with malicious code commonly used by attackers to turn a computer into a zombie. Researchers then monitored the PC's use of the Internet for 20 days, and tallied the number of messages sent through it.

"In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages," said Cranton.

That amount of data was impossible to analyze, so Microsoft focused on the three most-active spamming days, when 470,00 connection requests were made of the PC, and about 1.8 million messages were sent through it.


OnGuard Online has been launched to help consumers and businesses become more aware and educated on digital threats. This site is in collaboration with private industry and:

U.S. Department of Homeland Security
U.S. Federal Trade Commission
U.S. Postal Inspection Service
U.S. Department of Commerce

There is a whole lot of common sense here, yet it is encouraging to see that the Feds are now acknowledging that ID Theft is out of control. The financial services industry is certainly at risk as long as consumers are banking online and using their PCs to pay their bills.

If you haven't already, you should consider signing up for alerts from US-CERT.

25 October 2005

The Risk of A Blueprint For Action...

Now that Tom Barnett has released his newest book, Blueprint For Action: A Future Worth Creating, it will be interesting to see the outcome.

However, before we make any comments or offer our own analysis, we are going to finish the entire book. Page 33 of 362. Stay tuned.

In the meantime, you can visit his web site and blog to find out more about his journey.

24 October 2005

Hurricane Risk: Floridians Take On Another Cat. 3...

The residents of Florida have learned some lessons over the past 14 months about preparedness. They have just been blasted by another Category 3 storm with over a month left to the end of the season. The estimates are now coming in that Wilma will have a significant impact with over $5B in insured damages.

Hurricane Wilma came ashore with winds of 125 mph near Cape Romano, about 20 miles south of Naples, at about 6:30 a.m. local time. The coastal parts of Collier County, which includes Naples and nearby beach resort Marco Island, haven't been hit by a hurricane since 1960.

The state was hit by a record four hurricanes last year, causing a combined $22.9 billion in insured damages. Charley accounted for $7.5 billion, Ivan caused $7.1 billion, Frances resulted in $4.6 billion and Jeanne left $3.7 billion in insured damages.

Hurricane Katrina, which struck the U.S. Gulf Coast in August, is expected to be the most costly U.S. disaster for insurers. Storm modeler Risk Management Solutions Inc. estimated $40 billion to $60 billion in claims, as much as three times the $20.8 billion produced by Hurricane Andrew, which hit Florida in 1992.


In the wake of Hurricanes Katrina and Rita, hospitals across the United States of America are re-evaluating their disaster recovery plans. VHA, the national health care alliance, surveyed member hospitals across the country, and nearly half of those who responded are planning to modify their disaster plans - changing their evacuation plans, seeking alternative communication systems and preparing for extended periods of self-sufficiency.

More than 350 hospital leaders and managers, ranging from chief executive officers and chief nursing officers to materials managers, pharmacists and emergency department coordinators, responded to the VHA survey. According to respondents, nearly half (48.2 percent) are planning to change their disaster recovery plans.

Here are a few reminders for getting your Business Ready:

1. If you rent, lease or share office space, coordinate and practice evacuation and other emergency plans with other businesses in your building or facility.

2. Conduct regularly scheduled education and training seminars to provide co-workers with information, identify needs and develop preparedness skills.

3. Include preparedness training in new employee orientation programs.

4. Do tabletop exercises with members of the emergency management team. Meet in a conference room setting to discuss individual responsibilities and how each would react to emergency scenarios.

5. Schedule walk-through drills where the emergency management team and response teams actually perform their designated emergency functions. This activity generally involves more people and is more thorough than a tabletop exercise.

6. Practice evacuating and sheltering. Have all personnel walk the evacuation route to a designated area where procedures for accounting for all personnel are tested. Practice your “shelter-in-place” plan.

7. Evaluate and revise processes and procedures based on lessons learned in training and exercise.

8. Keep training records.

21 October 2005

Phishing: The Takedown...

Why Phishing Incident Response Plans May Not Be Optional.

The Treasury Department’s Office of the Comptroller of the Currency issued a bulletin in July that outlines the steps banks should take to mitigate the risks of phishing. Among other things, national banks were told they must file suspicious activity reports, or SARs, if they are the target of a spoofing incident.

Last December, the Federal Deposit Insurance Corp. issued guidelines for how financial institutions can mitigate phishing risks. The document warns that “the financial service industry’s current reliance on passwords for remote access to banking applications offers an insufficient level of security” and describes better options, such as two-factor authentication.

Phishing as an operational risk to an institution requires effective deterrence as well as detection. These comments from a recent article at CSO Online paint the picture about why a takedown is a necessary response to a phishing incident.

The Takedown
The window of opportunity for a phisher is the time between when a phishing e-mail goes out and when the fraudulent website collecting information is taken down. Left unchecked, a phishing site may stay up for days or even weeks, as information trickles in from dawdling customers who've fallen for the scam. A good takedown process can slam that window shut within hours.


Nowadays, the attempt to do a takedown is standard fare—so standard, in fact, that the Treasury Department's Office of the Comptroller of the Currency has issued guidelines about the steps banks should take to disable spoofed websites. (Takedown, which essentially just relocates the problem, may be the only defense that the targeted company has. Prosecutions of phishers have been next to nonexistent, due to the difficulty of tracing how personal information has been captured, sold and exploited.)


As this article mentions, there are several very reputable firms who can assist you with the takedown. It may be even more important to have a 24 X 7 detection service monitoring the Internet for new web sites popping up and to get you ready for the barrage of spam e-mail onto the net to spoof your unsuspecting consumers. For more information on this, see Cyveillance.

Another important note is the PR and communications crisis management that is necessary to keep customers informed, the public aware of your Anti-Phishing strategy and more. You see, at the end of the day 99% of online banking customers won't leave you because you had an incident. They will leave you if you don't handle the response correctly.

17 October 2005

Corporate Governance: Deja Vu...

This is another sad story of Operational Risks far from being managed or in this case even considered when so many "Red" flags were waving in the wind.

NEW YORK, Oct 17 (Reuters) - Financial services companies beware: The fast meltdown of futures and commodities broker Refco Inc. (RFX.N) may cause investors to think twice before making bets on similar types of ventures.

The crisis at Refco in the past week has happened even as new U.S. financial reporting rules and increased auditor oversight -- the result of a wave of scandals at companies such as Enron and WorldCom in 2001-2002 -- were supposed to have better protected shareholders from such debacles.

There have also been plenty of hard looks at the behavior of executives throughout corporate America in recent years, as witnessed by the high-profile criminal trials of one-time highflyers like WorldCom's Bernard Ebbers and Dennis Kozlowski of Tyco International Ltd. (TYC.N)

Still, New York-based Refco's former chief, 57-year-old Briton Phillip Bennett, managed to escape heavy scrutiny while building up Refco and even during its initial public offering of shares.

He was charged with securities fraud last week over allegations he hid about $430 million in company debt. Bennett's lawyer has said there is "no justification" for his client's arrest.


This one has lots of people sick to their stomach and more are going to be checking in to the local clinic before this one is over. Everyone will be pointing fingers and wondering why SOX didn't save the day. The truth of the matter is Mr. Bennett is a true master at "Social Engineering" and was able to use his power to do the same thing that others in a position like his have done in the past. The finance industry is built on trust and this will be another lesson on why due diligence on a 24 x 7 basis is a harsh necessity.

11 October 2005

The Impact of Katrina: A Look Into The OPS Risk Crystal Ball...

The impact of hurricane Katrina is only beginning and it's easy to see how many institutions may be starting the battle with their insurance companies.

These "Expected" external events the likes of Katrina and Rita have impacted about 280 financial institutions in the Gulf Coast of the U.S. These institutions represented around $270B in assets and many are now looking to the insurance industry for payouts on those policies that transferred some of their risks.

Looking into the crystal ball, let's consider the public testimony of Steven G. Elliott, Senior Vice Chairman Mellon Financial Corporation before the Subcommittee on Financial Institutions and Consumer Credit Committee on Financial Services - U.S. House of Representatives in 2004:

"Banks should view risk mitigation tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly recognize and rectify legitimate operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, or transfer the risk to another business sector or area, or even create a new risk (e.g. legal or counterparty risk)."

"Investments in appropriate processing technology and information technology security are also important for risk mitigation. However, banks should be aware that increased automation could transform high-frequency, low-severity losses into low-frequency, high-severity losses. The latter may be associated with loss or extended disruption of services caused by internal factors or by factors beyond the bank’s immediate control (e.g., external events). Such problems may cause serious difficulties for banks and could jeopardize an institution’s ability to conduct key business activities."


While overall the Fed's and the institutions' resilience is to be commended compared with other major critical infrastructures such as the Energy sector, we still have a long way to go with contingency planning. The regulators and insurance industry are looking at Business Crisis and Continuity Management with a newfound diligence, especially with the institutions' outsourcing and supply chain partners.

Outsourcing of activities can reduce the institution’s risk profile by transferring activities to others with greater expertise and scale to manage the risks associated with specialized business activities. However, a bank’s use of third parties does not diminish the responsibility of management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. Outsourcing arrangements should be based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between external service providers and the outsourcing bank. Furthermore, banks need to manage residual risks associated with outsourcing arrangements, including disruption of services.


Beyond the impact of Katrina, talking and listening to the OCC, FDIC and the Federal Reserve this week at the Risk Management Association (RMA) Annual Conference in Washington, DC produced some additional views and questions in the operational risk crystal ball:

1. Regulators are reinforcing the need for a comprehensive risk framework.

2. Does the amount of capital that I hold support the risks that we are engaged in?

3. Does our institution have excess capital?

4. How do I differentiate our risks by industry or geography to address concentrations and impact from cycles?

5. How do I integrate risk management into the Strategic Planning Process to make sure the methodology is understood and objectives are being communicated from the Board?

There must be the development of new risk management models that allow for the addition of new risk events and the elimination of those factors that may no longer be relevant.

07 October 2005

The Risk of Pandemic: A Global Threat...

Pandemic: A Worldwide Outbreak of Influenza is now getting attention on many global fronts including a plea by U.S. President George Bush to vaccine manufacturers to step up their production and R & D. In recent weeks, senior officials here have embarked on a public information campaign, warning of the possibility of a lethal pandemic which could claim millions of lives.

Mr Bush has even suggested that the US military would be used to quarantine affected areas of the United States in the event of an outbreak. What exactly is a pandemic?

An influenza pandemic is a global outbreak of disease that occurs when a new influenza A virus appears or “emerges” in the human population, causes serious illness, and then spreads easily from person to person worldwide. Pandemics are different from seasonal outbreaks or “epidemics” of influenza. Seasonal outbreaks are caused by subtypes of influenza viruses that are already in existence among people, whereas pandemic outbreaks are caused by new subtypes or by subtypes that have never circulated among people or that have not circulated among people for a long time. Past influenza pandemics have led to high levels of illness, death, social disruption, and economic loss.


And where there is a threat like this, the criminal minds begin to see opportunity for unsuspecting prey. Roche is now on alert and you should be also.

Swiss drug maker Roche urged consumers on Friday not to buy its flu drug Tamiflu over the Internet to avoid the risk of purchasing potentially counterfeit pills as they build stockpiles in case of a bird flu pandemic.

With experts predicting that millions could die if the bird flu strain H5N1 mutates into a human flu virus, some consumers appear to be building up their own reserves of the drug, doubling up on governments' efforts to prepare for a pandemic.

05 October 2005

CyberCrime: What is the Real Truth?

The CSI/FBI Computer Crime and Security Survey is now published and some of the results are enlightening to say the least.

Since this is not a research paper, we can't publish the statistics of our main interest in the survey. Please see Table 1 on Page 14 for the next comment to have any relevance regarding the percent of respondents who "Don't Know" how many incidents they have encountered.

If one quarter don't know the number of security incidents, then that is around 175 companies who are flying blind or don't care about measuring the frequency, nature or cost of breaches. This is why we don't buy the general trend in Figure 14 that attacks or misuse detected are declining over the past 12 months.