28 October 2005

Zombies Being Hunted: Trick or Treat?

The FTC and Microsoft are going Zombie Hunting just in time for Halloween.

"The widespread use of zombie computers to commit crimes over the Internet presents a very real danger to law-abiding computer users," said Tim Cranton, the director of Microsoft's Internet Safety division.

Earlier this year, Cranton said, Microsoft set up a "clean" PC, then infected it with malicious code commonly used by attackers to turn a computer into a zombie. Researchers then monitored the PC's use of the Internet for 20 days, and tallied the number of messages sent through it.

"In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages," said Cranton.

That amount of data was impossible to analyze, so Microsoft focused on the three most-active spamming days, when 470,000 connection requests were made of the PC, and about 1.8 million messages were sent through it.


OnGuard Online has been launched to help consumers and businesses become more aware of and educated about digital threats. The site is a collaboration between private industry and:

U.S. Department of Homeland Security
U.S. Federal Trade Commission
U.S. Postal Inspection Service
U.S. Department of Commerce

There is a whole lot of common sense here, yet it is encouraging to see that the Feds are now acknowledging that ID theft is out of control. The financial services industry is certainly at risk as long as consumers are banking online and using their PCs to pay their bills.

If you haven't already, you should consider signing up for alerts from US-CERT.

25 October 2005

The Risk of A Blueprint For Action...

Now that Tom Barnett has released his newest book, Blueprint For Action: A Future Worth Creating, it will be interesting to see the outcome.

However, before we make any comments or offer our own analysis, we are going to finish the entire book. Page 33 of 362. Stay tuned.

In the meantime, you can visit his web site and blog to find out more about his journey.

24 October 2005

Hurricane Risk: Floridians Take On Another Cat. 3...

The residents of Florida have learned some lessons over the past 14 months about preparedness. They have just been blasted by another Category 3 storm with over a month left to the end of the season. The estimates are now coming in that Wilma will have a significant impact with over $5B. in insured damages.

Hurricane Wilma came ashore with winds of 125 mph near Cape Romano, about 20 miles south of Naples, at about 6:30 a.m. local time. The coastal parts of Collier County, which includes Naples and nearby beach resort Marco Island, haven't been hit by a hurricane since 1960.

The state was hit by a record four hurricanes last year, causing a combined $22.9 billion in insured damages. Charley accounted for $7.5 billion, Ivan caused $7.1 billion, Frances resulted in $4.6 billion and Jeanne left $3.7 billion in insured damages.

Hurricane Katrina, which struck the U.S. Gulf Coast in August, is expected to be the most costly U.S. disaster for insurers. Storm modeler Risk Management Solutions Inc. estimated $40 billion to $60 billion in claims, as much as three times the $20.8 billion produced by Hurricane Andrew, which hit Florida in 1992.


In the wake of Hurricanes Katrina and Rita, hospitals across the United States of America are re-evaluating their disaster recovery plans. VHA, the national health care alliance, surveyed member hospitals across the country, and nearly half of those who responded are planning to modify their disaster plans - changing their evacuation plans, seeking alternative communication systems and preparing for extended periods of self-sufficiency.

More than 350 hospital leaders and managers, ranging from chief executive officers and chief nursing officers to materials managers, pharmacists and emergency department coordinators, responded to the VHA survey. According to respondents, nearly half (48.2 percent) are planning to change their disaster recovery plans.

Here are a few reminders for getting your Business Ready:

1. If you rent, lease or share office space, coordinate and practice evacuation and other emergency plans with other businesses in your building or facility.

2. Conduct regularly scheduled education and training seminars to provide co-workers with information, identify needs and develop preparedness skills.

3. Include preparedness training in new employee orientation programs.

4. Do tabletop exercises with members of the emergency management team. Meet in a conference room setting to discuss individual responsibilities and how each would react to emergency scenarios.

5. Schedule walk-through drills where the emergency management team and response teams actually perform their designated emergency functions. This activity generally involves more people and is more thorough than a tabletop exercise.

6. Practice evacuating and sheltering. Have all personnel walk the evacuation route to a designated area where procedures for accounting for all personnel are tested. Practice your “shelter-in-place” plan.

7. Evaluate and revise processes and procedures based on lessons learned in training and exercises.

8. Keep training records.

21 October 2005

Phishing: The Takedown...

Why Phishing Incident Response Plans May Not Be Optional.

The Treasury Department’s Office of the Comptroller of the Currency issued a bulletin in July that outlines the steps banks should take to mitigate the risks of phishing. Among other things, national banks were told they must file suspicious activity reports, or SARs, if they are the target of a spoofing incident.

Last December, the Federal Deposit Insurance Corp. issued guidelines for how financial institutions can mitigate phishing risks. The document warns that “the financial service industry’s current reliance on passwords for remote access to banking applications offers an insufficient level of security” and describes better options, such as two-factor authentication.

Phishing as an operational risk to an institution requires effective deterrence as well as detection. These comments from a recent article at CSO Online paint the picture of why a takedown is a necessary response to a phishing incident.

The Takedown
The window of opportunity for a phisher is the time between when a phishing e-mail goes out and when the fraudulent website collecting information is taken down. Left unchecked, a phishing site may stay up for days or even weeks, as information trickles in from dawdling customers who've fallen for the scam. A good takedown process can slam that window shut within hours.


Nowadays, the attempt to do a takedown is standard fare—so standard, in fact, that the Treasury Department's Office of the Comptroller of the Currency has issued guidelines about the steps banks should take to disable spoofed websites. (Takedown, which essentially just relocates the problem, may be the only defense that the targeted company has. Prosecutions of phishers have been next to nonexistent, due to the difficulty of tracing how personal information has been captured, sold and exploited.)


As this article mentions, there are several very reputable firms who can assist you with the takedown. It may be even more important to have a 24 x 7 detection service monitoring the Internet for new spoofed web sites popping up, so that you are ready before the barrage of spam e-mail hits the net to lure your unsuspecting customers. For more information on this, see Cyveillance.

Another important note is the PR and communications crisis management that is necessary to keep customers informed and the public aware of your anti-phishing strategy. You see, at the end of the day 99% of online banking customers won't leave you because you had an incident. They will leave you if you don't handle the response correctly.

19 October 2005

Business Risk: Grow or Die...

In the latest issue of Corporate Board Member magazine, a PricewaterhouseCoopers survey asks:

Has your board discussed what to do if the company is hit by a major crisis?

No - 51%

Yes - 41%

Not Sure - 8%


What is the definition of "Crisis" in the mind's eye of the Board of Directors today?

n. pl. cri·ses (-sēz)

1. A crucial or decisive point or situation; a turning point.

2. An unstable condition, as in political, social, or economic affairs, involving an impending abrupt or decisive change.

3. A sudden change in the course of a disease or fever, toward either improvement or deterioration.

4. An emotionally stressful event or traumatic change in a person's life.

5. A point in a story or drama when a conflict reaches its highest tension and must be resolved.


How can these numbers be correct? Why don't these results make sense?

It does seem almost impossible that just over half of those surveyed said they have not discussed what their company would do in the event of a crisis. In light of recent corporate governance and catastrophic events, any board member who would answer no is either not attending the meetings or is so new to the board that they haven't been part of the conversations yet.

The survey of the 1,103 directors who responded illustrates many of the risk management issues that are taking up much of the shareholders' time. It also indicates where directors wish they were spending more time: 59% hoped they could be doing more "Strategic Planning."

Is there a correlation between those who have not been part of discussions of crisis management and the wish to focus more on strategy? We hope there is.

Our experience is that corporate management and the board need a third party facilitating the mechanisms for change and guiding them towards the "Big Picture" of the future. If management sees the board as an overzealous parent rather than as working on behalf of the shareholders, the tension increases. Once the board and corporate management have found a "strategic facilitator" to guide them towards a model of Enterprise Architecture, everything becomes crystal clear. The factions now see the blueprint for change and the path to implement the strategy and tactics to achieve it.

At the end of the day, the goal is to continually grow, and whenever that significant crisis or "Breakpoint" occurs, the engineered resilience of the business enables its survival and the next phase of growth to begin.

17 October 2005

Corporate Governance: Deja Vu...

This is another sad story of operational risks that were far from being managed, or in this case even considered, when so many "red" flags were waving in the wind.

NEW YORK, Oct 17 (Reuters) - Financial services companies beware: The fast meltdown of futures and commodities broker Refco Inc. (RFX.N) may cause investors to think twice before making bets on similar types of ventures.

The crisis at Refco in the past week has happened even as new U.S. financial reporting rules and increased auditor oversight -- the result of a wave of scandals at companies such as Enron and WorldCom in 2001-2002 -- were supposed to have better protected shareholders from such debacles.

There have also been plenty of hard looks at the behavior of executives throughout corporate America in recent years, as witnessed by the high-profile criminal trials of one-time highflyers like WorldCom's Bernard Ebbers and Dennis Kozlowski of Tyco International Ltd. (TYC.N)

Still, New York-based Refco's former chief, 57-year-old Briton Phillip Bennett, managed to escape heavy scrutiny while building up Refco and even during its initial public offering of shares.

He was charged with securities fraud last week over allegations he hid about $430 million in company debt. Bennett's lawyer has said there is "no justification" for his client's arrest.


This one has lots of people sick to their stomachs, and more are going to be checking into the local clinic before it is over. Everyone will be pointing fingers and wondering why SOX didn't save the day. The truth of the matter is that Mr. Bennett is a true master of "Social Engineering" and was able to use his power to do the same thing that others in a position like his have done in the past. The finance industry is built on trust, and this will be another lesson in why due diligence on a 24 x 7 basis is a harsh necessity.

13 October 2005

ORM Tools: So Many Choices...So Little Time

As the software marketplace begins to mature with the newest systems for various facets of Operational Risk, how do you know what software tools are right for your organization?

For starters, there are dozens if not hundreds of specific tools on the market today for helping you manage everything from Risk and Control Self Assessments (RCSA) to documenting processes for SOX 404 compliance. You can benefit from building structures for your processes, business strategy and procedure tests. This still leaves many choices to evaluate and vendors who will flog you with PowerPoints.

There are several key components of ORM framework management that are essential to consider when evaluating software tools to assist you:

Policy
Create security policies, standards and procedures, distribute them online, educate and train employees, and track compliance, exceptions and violations.

Threat
Comprehensive and customizable early warning system providing notification of physical and digital threats, vulnerabilities and malicious code to help prevent attacks before they affect the enterprise.

Assets
Manage enterprise assets such as buildings, vehicles, inventory, servers, applications or data centers and their relationships to ensure you are protecting your critical assets according to management expectations.

Risks
Perform online risk assessments to determine the proper controls to be implemented on specific assets based on their use and risk to the enterprise.


Incidents
Report incidents, manage their escalation, track investigations and analyze resolutions.

In evaluating the current information security, regulatory and legal environment, consider these five key flaws with today’s ORM software solution programs:

1. Dependence on inadequate and incomplete technology-based point solutions;

2. Failure to integrate people, process and systems into an effective operational risk program;

3. Lack of decision support and an actionable understanding of the threat to the entire spectrum of corporate assets;

4. Reactive response to perceived problems rather than proactive initiatives based on sound risk management principles; and

5. Cost and shortage of properly skilled IT personnel to support the programs.


The Gartner Group has identified three major questions that executives and boards of directors need to answer when confronting significant issues:

1. Is your policy enforced fairly, consistently and legally across the enterprise?

2. Would our employees, contractors and partners know if a violation was being committed?

3. Would they know what to do about it if they did recognize a violation?


If you don't know the answers to these questions, then there is much more work to do and much more strategic planning necessary before any software system is implemented for Operational Risk Management.

11 October 2005

The Impact of Katrina: A Look Into The OPS Risk Crystal Ball...

The impact of Hurricane Katrina is only beginning, and it's easy to see how many institutions may be starting the battle with their insurance companies.

These "expected" external events, the likes of Katrina and Rita, have impacted about 280 financial institutions on the U.S. Gulf Coast. These institutions represented around $270B in assets, and many are now looking to the insurance industry for payouts on the policies that transferred some of their risks.

Looking into the crystal ball, let's consider the public testimony of Steven G. Elliott, Senior Vice Chairman of Mellon Financial Corporation, before the Subcommittee on Financial Institutions and Consumer Credit, Committee on Financial Services, U.S. House of Representatives, in 2004:

"Banks should view risk mitigation tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly recognize and rectify legitimate operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, or transfer the risk to another business sector or area, or even create a new risk (e.g. legal or counterparty risk)."

"Investments in appropriate processing technology and information technology security are also important for risk mitigation. However, banks should be aware that increased automation could transform high-frequency, low-severity losses into low-frequency, high-severity losses. The latter may be associated with loss or extended disruption of services caused by internal factors or by factors beyond the bank’s immediate control (e.g., external events). Such problems may cause serious difficulties for banks and could jeopardize an institution’s ability to conduct key business activities."


While overall the resilience of the Fed and the institutions is to be commended compared with other major critical infrastructures such as the energy sector, we still have a long way to go with contingency planning. The regulators and the insurance industry are looking at Business Crisis and Continuity Management with a newfound diligence, especially with regard to the institutions' outsourcing and supply chain partners.

Outsourcing of activities can reduce the institution’s risk profile by transferring activities to others with greater expertise and scale to manage the risks associated with specialized business activities. However, a bank’s use of third parties does not diminish the responsibility of management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. Outsourcing arrangements should be based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between external service providers and the outsourcing bank. Furthermore, banks need to manage residual risks associated with outsourcing arrangements, including disruption of services.


Beyond the impact of Katrina, talking with and listening to the OCC, the FDIC and the Federal Reserve this week at the Risk Management Association (RMA) Annual Conference in Washington, DC produced some additional views and questions for the operational risk crystal ball:

1. Regulators are reinforcing the need for a comprehensive risk framework.

2. Does the amount of capital that I hold support the risks that we are engaged in?

3. Does our institution have excess capital?

4. How do I differentiate our risks by industry or geography to address concentrations and impact from cycles?

5. How do I integrate risk management into the Strategic Planning Process to make sure the methodology is understood and objectives are being communicated from the Board?

New risk management models must be developed that allow new risk events to be added and factors that are no longer relevant to be eliminated.

07 October 2005

The Risk of Pandemic: A Global Threat...

Pandemic, a worldwide outbreak of influenza, is now getting attention on many global fronts, including a plea by U.S. President George Bush to vaccine manufacturers to step up their production and R&D. In recent weeks, senior officials here have embarked on a public information campaign, warning of the possibility of a lethal pandemic which could claim millions of lives.

Mr Bush has even suggested that the US military would be used to quarantine affected areas of the United States in the event of an outbreak. What exactly is a pandemic?

An influenza pandemic is a global outbreak of disease that occurs when a new influenza A virus appears or “emerges” in the human population, causes serious illness, and then spreads easily from person to person worldwide. Pandemics are different from seasonal outbreaks or “epidemics” of influenza. Seasonal outbreaks are caused by subtypes of influenza viruses that are already in existence among people, whereas pandemic outbreaks are caused by new subtypes or by subtypes that have never circulated among people or that have not circulated among people for a long time. Past influenza pandemics have led to high levels of illness, death, social disruption, and economic loss.


And where there is a threat like this, criminal minds begin to see opportunity in unsuspecting prey. Roche is now on alert, and you should be too.

Swiss drug maker Roche urged consumers on Friday not to buy its flu drug Tamiflu over the Internet to avoid the risk of purchasing potentially counterfeit pills as they build stockpiles in case of a bird flu pandemic.

With experts predicting that millions could die if the bird flu strain H5N1 mutates into a human flu virus, some consumers appear to be building up their own reserves of the drug, doubling up on governments' efforts to prepare for a pandemic.

05 October 2005

CyberCrime: What is the Real Truth?

The CSI/FBI Computer Crime and Security Survey is now published and some of the results are enlightening to say the least.

Since this is not a research paper, we can't reproduce the survey statistics of most interest to us. For the next comment to have any relevance, please see Table 1 on Page 14, which gives the percentage of respondents who "Don't Know" how many incidents they have encountered.

If one quarter don't know the number of security incidents, that is around 175 companies that are flying blind, or don't care about measuring the frequency, nature or cost of breaches. This is why we don't buy the general trend in Figure 14, that detected attacks or misuse have declined over the past 12 months.

03 October 2005

The "New" Age of Unreason...

In the new age of unreason, Charles Handy, the author of The Age of Unreason, would say that discontinuous change is upon us. He would say that we need to outsource everything that is not a core function of the enterprise. And he would say that learning is the same as change, viewed from a different worldview.

Adaptation in order to survive in the corporate world is nothing new. The risks associated with making new decisions depend on how that decision will impact the other persons, processes or systems in the enterprise. As a simple example, adapting a process for entering orders from the field sales force could have a dramatic effect on productivity and at the same time subject an enterprise to newfound risks. How would your risk profile change if the following scenario took place at your business?

Sales reps are entering orders in the field via a web application that is protected by a user name and password. There is no VPN or encrypted connection. The application doesn't use SSL. The information on new customers includes name, address, phone number, credit card number, expiration date and the three- or four-digit security code.

As the reps are entering their orders, the paper-based sales forms are being put into a folder to be sent by FedEx to the home office. Each rep makes a copy for their files, to make sure that they have the right commission check at the end of the month.

The VP of sales finds out that many of the orders are lacking the security code or that the consumer is giving them the wrong numbers. He asks the CFO for a change in the sales order process in order to streamline the flow of orders and diminish the backlog. The CFO instructs the CIO to have her department change the business rules in the order entry system to eliminate the need for the security code in processing orders. Also, the lag time for the company hard copy to reach the accounting department is a problem, and he asks for this step to be eliminated. Everything is completed, and now the sales reps no longer require this piece of information to process an online sales order. Productivity increases and the backlog is eliminated.


What potential operational risks exist today with this particular business process?

1. The privacy of the customers' personal identity and credit card information may be at risk if the sales reps are not securing the hard copies of the sales orders at their business office or home office.

2. The lack of the credit card security code could increase the number of fraudulent orders, given the high rate of identity theft involving stolen credit card numbers and expiration dates.

3. The personally identifiable information entered for each new customer could be compromised due to the lack of controls on the network connection (no VPN, no SSL).

4. The privacy policy may not have been updated and amended to reflect the new business process and to document that a security code is not needed as of (date).

The new age of unreason is certainly upon us, because simple changes like this are taking place by the dozens, hundreds or thousands every day in the largest enterprises. Making changes is also about learning what those changes will mean to everything that interfaces with that change. It means that testing must take place in a lab or compartmentalized area of the business to ensure that the change doesn't impact the core operations. It means observing performance and measuring the results to determine whether the change is worth the new risks that the organization is about to encounter.

In the words of Charles Handy:


"Learning is not finding out what other people already know, but is solving our own problems for our own purposes, by questioning, thinking and testing until the solution is a new part of our lives."


"If changing is, as I have argued, only another word for learning, then the theories of learning will also be theories of changing. Those who are always learning are those who can ride the waves of change and who see a changing world as full of opportunities rather than damages. They are the ones most likely to be the survivors in a time of discontinuity."