26 February 2006

eDiscovery: New Threat or Opportunity?

In the midst of the Enron trial there are many CISOs and CEOs scratching their heads while they grab another pack of TUMS off the desk. eDiscovery is both a compelling threat and an opportunity for the organization. In either case, it will cost millions of dollars.

Conducting effective internal investigations, and even thorough incident response, requires a robust Governance Strategy. Just ask Morgan Stanley about its $1.45 billion verdict, entered as a default judgement when the bank failed to respond to the plaintiff's discovery requests for computer-based information.

An outsourced process for eDiscovery is quickly becoming a real board room issue, not only because of the financial impact ($7K to $12K per hard drive) but also because of the number of cases that are settled prematurely. Outside counsel handles the eDiscovery process on a per-case basis and is not typically interested in what the company must do internally to create and establish a long-term governance and risk management strategy.

The CISO who directs a system of consistent Information Security Risk Management will have the foundation for an in-house eDiscovery team, one that can work side-by-side with General Counsel on compliance and incident response.

Paul French is a computer forensics consultant with a few TIPS:

Ensuring Compliance

A good digital document retention policy is, of course, only as good as the method by which it is implemented. Here are a few compliance guidelines you should have your clients consider:

* Establish a records compliance task force, so there are easily identifiable “go-to” people regarding retention activities.

* The compliance task force should create detailed logs of record-purging and back-up activities.

* Archiving procedures should be periodically reviewed and tested. More often than your clients would care to admit, electronic record back-ups are not properly performed or aren’t being performed at all. Incompetence is not a sound defense strategy! If back-up tape hardware is updated, be sure that there’s a back-up plan for accessing data on old tapes--these likely will not work with newer hardware. Old back-up tapes stored in a seldom-visited closet could pose an unpleasant surprise if they appear suddenly in discovery proceedings, particularly if your client is unable to find the hardware needed to review them.

* Make certain that all media are considered and accounted for in the purging policy. This includes not only servers, desktops, and laptops, but also PDAs, BlackBerries, and various removable media devices.

* It’s a good idea to have an objective third party periodically review and validate that policies are being followed. In doing so, the vendor should interview key personnel and review a sampling of data using forensic tools.

CISOs are seeing their budgets and power base grow, yet the goal remains the same: Enterprise Risk Management. The Board of Directors now recognizes the significance of having a CISO with an established team for eDiscovery, no matter who may be asking for the timely information.

24 February 2006

OPS Risk: From Basel to the Hearing Room...

The Basel Committee on Banking Supervision, an arm of the Switzerland-based Bank for International Settlements, has defined the Basel II capital adequacy requirements for global banks. One of the committee's principal goals is to reduce risk in the financial system worldwide by aligning each bank's capital requirements to more accurately reflect its credit, market and operational risks.

Archer Technologies (Archer), a leader in enterprise security and compliance solutions, has announced the release of its Vendor Management solution. Vendor Management enables organizations to consolidate disparate vendor information into a single application to optimize resources and reduce risk. Archer also announced its expansion into operational risk management with the introduction of the Sarbanes-Oxley (SOX) Compliance Management solution. This new offering complements Archer's Vendor Management product and enables companies to dramatically decrease the cost and effort associated with SOX compliance.

The significance of the new modules from Archer could be summed up in one or two words.



Due to the number of financial institutions currently utilizing these solutions for Enterprise Security Management, it makes sense to add the modules that intersect with the Enterprise Risk Mission Critical Activities. Operational Risk Management is converging with some of the elements of the traditional CISO job function. Just ask any CISO (Chief Information Security Officer) at a public institution about the number of times the audit teams have been knocking on the door trying to get access.

The relevance of supply chain management and SOX Management modules for the CISO has to do with the real essence of what Operational Risk is all about. Three years ago, just managing threats to the desktop PCs, Web Servers and other vital E-Commerce functions was enough. Not anymore.

Now you must add your intelligence feeds from providers such as iJet, OSAC, iDefense, Shavlik, and Stratfor. Then you combine your Real Estate assets, including facilities and Gulfstream G5s, and create a correlation of real-time enterprise risk to give you a 360-degree view. Combine this with a monitoring system for the ever-changing controls in your ERP system and now you have a holistic mechanism for managing Operational Risk in your enterprise.

That's the easy part. The hard part is yet to be done. The correlated information still requires the grey matter to make faster and more relevant decisions to accept, transfer or mitigate each threat. What are the implications of each? When do I act? How do I execute? All the knowledge from your tools and systems still leaves the most difficult aspect of Enterprise Risk Management undone.

Just ask all of the people sitting in SOCs, JFOs or any center where a fusion of information is creating the knowledge necessary to make these decisions. They all have the same answer:

You must create a “culture of preparedness” in which all people share responsibility for corporate risk management and homeland security. This includes strong partnerships between federal, state and local governments and especially the private sector. You never know where or when your next incident is going to occur:

The Phoenix hostage incident began about 3:30 p.m. (5:30 p.m. ET) when a man entered the offices of the National Labor Relations Board, grabbed a secretary and took her into a room where a hearing was being held, said Gordon Jorgensen, who retired last month from the board and had spoken with some of the NLRB employees.

"The guy was apparently in our reception area and wanted to talk to someone and ... one of our secretaries walked by. He pulled a gun on her" and escorted her into the room, where a hearing was being held.

One woman escaped early in the evening and a second woman was released about an hour before the man surrendered.

Dozens of police and fire crews were on the scene, and authorities evacuated the building and sealed the area.

15 February 2006

Battle-Tested Strategies for Mission Critical Activities...

Mission Critical Activity (MCA)

Critical operational and/or business support, service or product related activity (provided internally or externally), including its dependencies and single points of failure, which enables an organization to achieve its business objective(s), taking into account seasonal trends and/or critical timing issues.

The trend to create "virtual" organizations raises a number of new issues as they pertain to interdependencies and single points of failure. The ability to provide sourcing alternatives in the event of a catastrophic failure of an MCA provider is a key priority. As the trend becomes more operationally and logistically complex, organizations must exercise more often to determine where process or system weaknesses occur.

An organizational Business Crisis & Continuity Management (BCCM) strategy ensures resilience and high reliability of MCAs. At the process level is a documented framework that identifies the organization's MCAs in the context of products or services. Each MCA should have its own BCM strategy that provides clarity on how the organization will provide protection for the MCA.

One key outcome is the definition of the BCCM relationship, positioning and connection with other risk-related functions, e.g. Operational Risk Management (ORM). A critical component of getting this BCCM relationship connected with the risk management culture is awareness and education training. Merely documenting a strategy and plan provides a narrow and limited method of fully developing a true BCCM culture.

Ownership of BCCM by organizational lines of business, especially where Operational Risk originates and resides, is paramount. No matter how well designed a strategy may be, exercising and testing on a regular basis is necessary to identify the issues that would otherwise surface during a real incident. Good quality exercises rely on specific and relevant scenarios in the actual locations and facilities, with normal personnel in place.

And no BCCM is complete without measurement and audit. You must verify compliance independently to highlight key material deficiencies and issues and to ensure their resolution. Each stage of the BCCM life-cycle may require a unique audit process depending on that stage's maturity.

At the end of the day, the question is this: has the organization introduced risk management controls to eliminate, mitigate, reduce or transfer the effects of identified threats, vulnerabilities, exposures or liabilities to MCAs?

10 February 2006

Economic Espionage: Chasing 0's and 1's...

What do corporate executives worry about these days? The same thing Chief Security Officers and General Counsels have nightmares about. They all realize that globalization is truly upon us. Rapid transportation, open borders and the Internet have opened new doors for criminals and terrorists to move information quickly, deploy orders and even post stolen assets for sale in an underground world of ubiquitous trade.

Economic Espionage is the #2 issue at the FBI, and for good reason. The recent indictment of Suibin Zhang illustrates just one example of a crime happening all too often, right under the corporate executive's nose.

The United States Attorney for the Northern District of California announced that Suibin Zhang, 37, of San Jose, California, was charged late yesterday by a federal grand jury in San Jose in a nine-count indictment alleging computer fraud; theft and unauthorized downloading of trade secrets; and the unauthorized copying, transmission and possession of trade secrets.

The maximum penalty for each of the computer fraud counts is 5 years imprisonment, a $250,000 fine or twice the gross gain or loss, and 3 years supervised release. The maximum penalty for each of the trade secret counts is 10 years imprisonment, a $250,000 fine or twice the gross gain or loss, and 3 years supervised release.

An indictment simply contains allegations against an individual and, as with all defendants, Mr. Zhang must be presumed innocent unless and until convicted.

The people who work for your organization need to have a greater awareness of what the Economic Espionage Act of 1996 is all about. Whether the information presumed to be stolen is Mr. Zhang's property or the property of his employer will be at question here. Corporate Information Security Policy will have covered this, yet the motivation, and the lack of understanding of what constitutes intellectual capital or trade secrets, is what needs the most clarification with employees.

VIII.B. The Economic Espionage Act of 1996, 18 U.S.C. §§ 1831-1839

VIII.B.1. Overview of the statute

The Economic Espionage Act of 1996 ("EEA") contains two separate provisions that criminalize the theft or misappropriation of trade secrets. The first provision, codified at 18 U.S.C. § 1831(a), is directed towards foreign economic espionage and requires that the theft of the trade secret be done to benefit a foreign government, instrumentality, or agent. It states:

(a) In general. -- Whoever, intending or knowing that the offense will benefit any foreign government, foreign instrumentality, or foreign agent, knowingly -

(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret;

(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys a trade secret;

(3) receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;

(4) attempts to commit any offense described in any of paragraphs (1) through (3); or

(5) conspires with one or more other persons to commit any offense described in any of paragraphs (1) through (3), and one or more of such persons do any act to effect the object of the conspiracy,

shall, except as provided in subsection (b), be fined not more than $500,000 or imprisoned not more than 15 years, or both.

07 February 2006

Grass Roots Risk Management...

When you set your organizational direction and adopt a common language and framework for managing risk you must include the measurable categories associated with credit, market and operational risk. Many choose to adapt the COSO Guidelines to create their unique risk management and control framework.

The question remains: is that enough? Do you have enough categories to truly address the methodical management of all material risks?

The Board of Directors must be able to understand the framework to begin any meaningful programmatic approach to identifying, assessing, managing and mitigating risks. Now what would happen if you added a few more categories to include:

1. Compliance
2. Legal
3. Strategic
4. Reputation

Certainly the Board understands that these are real and important categories to include in the framework. However, they are much more difficult to measure and to merge with the new governance culture found in most SOX-oriented organizations.

Creating the right environment for employees, supported by the correct processes, is not enough these days. Now the front line must also have the right tools to help in performing risk assessments and analysis as change takes place in products and the marketplace. Creating an effective risk culture is a balancing act for employees who are trying to decide whether they have a material risk to mitigate or an opportunity that has yet to be realized. Employees need to be able to embed this kind of decision making into the fabric of their daily work routines, as opposed to a quarterly or annual exercise.

The largest institutions that have already established the framework, support processes and tools, along with the staff, are well on their way to meeting the goals of prudent corporate governance. Developing a more comprehensive and pervasive adoption rate across the Tier II and small to medium-sized institutions is far from reality. We are just beginning this long and difficult journey.

Maybe the biggest question for these evolving risk management cultures is how and where to begin. The answer might be found in your current ability to deal with "Change" itself. At the end of the day, any Operational Risk Management program is going to be about the ability to address the velocity of change. If you haven't been getting an "A" in this part of your report card, then you can be sure that managing your newfound material risks will be far from excellent.

A "Loss" is a financial impact from an event that shows up on the company's financial statements. This financial impact appears as "write-downs" or other entries in the annual report. As you build a Loss Event Database to record losses across the organization, you expose the organization to risks that have never been known before. This is where resources are invested and where management realizes the beauty of having a "Grass Roots Risk Management" initiative.

03 February 2006

Managing Strategic Change for Operational Risk...

There have not been more sweeping changes in business regulation and compliance since the Great Depression. The fall of Enron Corporation provided much of the catalyst for new laws and new corporate governance oversight. The Board of Directors and senior management are now tasked with the continuous risk of “operational volatility” with people, processes, systems and external events. Effective Operational Risk Management begins with an effective strategy to manage change in your organization.

What institutional fraud presents the greatest operational risk to companies? In a recent poll by Oversight Systems of 200+ Certified Fraud Examiners:

63% - Conflict of Interest

57% - Fraudulent Financial Statements

31% - Billing Schemes

29% - Expense and Reimbursement Schemes

25% - Bribery/Economic extortion

20% - Inventory and Non-Cash Asset Misuse

From the conviction of former WorldCom CEO Bernie Ebbers to the acquittal of HealthSouth’s Richard Scrushy, corporate fraud continues to make headlines. Four years after Enron’s collapse, financial integrity remains a key issue for corporate America.

The 2005 Oversight Systems Report on Corporate Fraud surveys certified fraud examiners to report the trends, risks and major concerns that businesses face today.

While most fraud examiners view Sarbanes-Oxley (SOX) as an effective tool in fraud identification, few think it will change the culture of business leaders. Nearly two-thirds of respondents (65 percent) indicate that SOX has been somewhat or very effective in identifying incidences of financial-statement fraud. Only 19 percent of those surveyed found SOX to be ineffective or to hinder fraud identification.

* What are the consequences of ignoring the need for change related to operational risks?

* What will be a starting point for initiating changes related to operational risk management?

* Is your organization ready for managing changes in order to manage operational risk? If yes, at what readiness level? If no, how can it become ready?

Are you a boardroom director or senior corporate manager? Does your organization have a culture that avoids an examination of organizational processes such as decision-making, planning and communication concerning the risk of change? Are you an executive who would like your organization to accept, adapt and therefore institutionalize and legitimize these processes related to operational risk?

If you said yes to any of the questions above and nodded positively to the possibility for a change in your organization, then first you must effectively "Manage Strategic Change for Operational Risk".

01 February 2006

Internet Crime Pandemic: The Botnet Outbreak...

If you thought that your INFOSEC team was busy last year, they haven't seen anything yet. The rise of Trojans & Botnets is becoming an Internet Crime Pandemic.

"Cyber-crime nowadays takes many forms, and perhaps even more dangerous than botnets are the targeted attacks that we have witnessed recently," explains Luis Corrons, director of PandaLabs. "The biggest problem lies in their secrecy: a large company could be serving the interests of a group of malware creators without realizing it. Many of their computers could be at the disposal of these cyber-crooks, with all the legal implications that this might have for the company itself. Until now it is a risk that companies have not considered sufficiently, but one which is no longer possible to ignore."

Most of the successful attacks exploit the most vulnerable facet of every company's defense: its people. Targeting executives within a specific industry group, such as the savings and loan sector, is a good example. The global marketplace for reselling data about people is now showing exponential growth. Once the executive clicks on a link inside what looks like a legitimate email, he has opened his network to a potential new "Zombie".

Why do the spammers, pharmers and spear phishers continue to invest in these types of attacks? It's good for their criminal business.

The FBI recently snared a 20-year-old hacker (Jeanson James Ancheta) who they believe wrote computer code to assemble botnets and sold access rights, after he was lured into a trap. In his plea, Ancheta accepted responsibility for selling botnets and directing zombie machines to surreptitiously download adware, besides intruding into government computers.

Ancheta is understood to have made $3,000 from botnet sales and $60,000 from the clandestine adware downloads. With close to 400,000 machines under his control, Ancheta was doing well enough to gift himself a BMW.