26 February 2006

eDiscovery: New Threat or Opportunity?

In the midst of the Enron trial there are many CISOs and CEOs scratching their heads while they grab another pack of TUMS off the desk. eDiscovery is both a compelling threat and an opportunity for the organization. In either case, it will cost millions of dollars.

Conducting effective internal investigations, and even thorough incident response, requires a robust Governance Strategy. Just ask Morgan Stanley about its $1.45 billion verdict in a default judgement, after the bank failed to respond to the plaintiff's discovery requests for computer-based information.

An outsourced process for eDiscovery is quickly becoming a real board room issue, not only because of the financial impact ($7K to $12K per hard drive) but also because of the number of cases that are settled prematurely. Outside counsel handles the eDiscovery process on a per-case basis and is not typically interested in what the company must do internally to create and establish a long-term governance and risk management strategy.

The CISO who directs a system of consistent Information Security Risk Management will have the foundation for an in-house eDiscovery team that can work side by side with General Counsel on compliance and incident response.

Paul French is a computer forensics consultant with a few TIPS:

Ensuring Compliance

A good digital document retention policy is, of course, only as good as the method by which it is implemented. Here are a few compliance guidelines you should have your clients consider:

* Establish a records compliance task force, so there are easily identifiable “go-to” people regarding retention activities.

* The compliance task force should create detailed logs of record-purging and back-up activities.

* Archiving procedures should be periodically reviewed and tested. More times than your clients would care to admit, electronic record back-ups are not properly performed or aren’t being performed at all. Incompetence is not a sound defense strategy! If back-up tape hardware is updated, be sure that there’s a backup plan for accessing data on old tapes--these likely will not work with newer hardware. Old back-up tapes stored in a seldom visited closet could pose an unpleasant surprise if they appear suddenly in discovery proceedings, particularly if your client is unable to find the hardware needed to review them.

* Make certain that all media are considered and accounted for in the purging policy. This includes not only servers, desktops, and laptops, but also PDAs, BlackBerries, and various removable media devices.

* It’s a good idea to have an objective third party periodically review and validate that policies are being followed. In doing so, the vendor should interview key personnel and review a sampling of data using forensic tools.
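The second and third tips above (log every back-up and purge activity, and actually test that archives can be read back) are the kind of thing that is easy to state and rarely done. As an added example, not code from the original post or from Paul French, here is a small Python script that records a SHA-256 manifest of an archive set at back-up time, re-hashes the set later to detect files that have gone missing or been altered, and writes the result as a single JSON audit line for the task force's log. The tape label, operator name and file names are constructed for the demonstration.

```python
"""Build and verify a SHA-256 manifest for an archive set, and emit an audit log line."""
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(expected, observed):
    """Diff two manifests; 'ok' is True only when nothing is missing, added or altered."""
    missing = sorted(set(expected) - set(observed))
    unexpected = sorted(set(observed) - set(expected))
    changed = sorted(p for p in expected if p in observed and expected[p] != observed[p])
    return {
        "ok": not (missing or unexpected or changed),
        "missing": missing,
        "unexpected": unexpected,
        "changed": changed,
    }


def verify_archive(root, expected_manifest):
    """Re-hash the archive on disk and compare it with the manifest recorded at backup time."""
    return compare_manifests(expected_manifest, build_manifest(root))


def audit_record(activity, archive_id, result, operator, when=None):
    """One JSON line for the task force's activity log (restore test, purge, backup)."""
    return json.dumps({
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(when)),
        "activity": activity,
        "archive": archive_id,
        "operator": operator,
        "ok": result["ok"],
        "missing": result["missing"],
        "unexpected": result["unexpected"],
        "changed": result["changed"],
    }, sort_keys=True)


def demo():
    """Constructed scenario: record a manifest, then simulate a tape with one altered and one lost file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "mail"))
        for rel, data in {"mail/2005-q4.pst": b"pst bytes", "ledger.csv": b"a,b\n1,2\n"}.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        recorded = build_manifest(root)  # what the task force stores at backup time
        with open(os.path.join(root, "ledger.csv"), "ab") as fh:
            fh.write(b"3,4\n")  # silent alteration of a file on the "tape"
        os.remove(os.path.join(root, "mail/2005-q4.pst"))  # file lost from the "tape"
        result = verify_archive(root, recorded)
        # Hypothetical tape label and operator id, fixed timestamp for reproducibility
        return result, audit_record("restore-test", "TAPE-0042", result, "jdoe", when=0)


if __name__ == "__main__":
    outcome, line = demo()
    print(line)
```

The manifest itself should be stored somewhere the tape cannot silently overwrite (a write-once store or a separate system), otherwise an altered tape and an altered manifest agree and the check proves nothing. The JSON line is what an auditor or a court would later ask to see: who verified which archive, when, and what the result was.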


CISOs are seeing their budgets and power base grow, yet the goal remains the same: Enterprise Risk Management. The Board of Directors now recognizes the significance of having a CISO with an established team for eDiscovery, no matter who may be asking for the timely information.

24 February 2006

OPS Risk: From Basel to the Hearing Room...

The Basel Committee on Banking Supervision, an arm of the Switzerland-based Bank for International Settlements, has defined the Basel II capital adequacy requirements for global banks. One of the committee's principal goals is to reduce risk in the financial system worldwide by aligning each bank's capital requirements to more accurately reflect its credit, market and operational risks.

Archer Technologies (Archer), a leader in enterprise security and compliance solutions, has announced the release of its Vendor Management solution. Vendor Management enables organizations to consolidate disparate vendor information into a single application to optimize resources and reduce risk. Archer also announced its expansion into operational risk management with the introduction of the Sarbanes-Oxley (SOX) Compliance Management solution. This new offering complements Archer's Vendor Management product and enables companies to dramatically decrease the cost and effort associated with SOX compliance.

The significance of the new modules from Archer could be summed up in one or two words.

Convergence

Relevance


Due to the number of financial institutions currently utilizing these solutions for Enterprise Security Management, it makes sense to add the modules that intersect with the Enterprise Risk Mission Critical Activities. Operational Risk Management is converging with some of the elements of the traditional CISO job function. Just ask any CISO (Chief Information Security Officer) at a public institution about the number of times the audit teams have been knocking on the door trying to get access.

The relevance of supply chain management and SOX Management modules for the CISO has to do with the real essence of what Operational Risk is all about. Three years ago, just managing threats to the desktop PCs, web servers and other vital e-commerce functions was enough. Not anymore.

Now you must add your intelligence feeds from providers such as iJet, OSAC, iDefense, Shavlik, and Stratfor. Then you combine your real estate assets, including facilities and Gulfstream G5s, and create a correlation of real-time enterprise risk to give you a 360-degree view. Combine this with a monitoring system for the ever changing controls in your ERP system and now you have a holistic mechanism for managing Operational Risk in your enterprise.

That's the easy part. The hard part is yet to be done. The correlated information still requires the grey matter to make faster and more relevant decisions to accept, transfer or mitigate this threat. What are the implications of each? When do I act? How do I execute? All the knowledge from your tools and systems still leaves the most difficult aspect of Enterprise Risk Management.

Just ask all of the people sitting in SOCs, JFOs or any center where a fusion of information is creating the knowledge necessary to make these decisions. They all have the same answer:

You must create a “culture of preparedness” in which all people share responsibility for corporate risk management and homeland security. This includes strong partnerships between federal, state and local governments and especially the private sector. You never know where or when your next incident is going to occur:

The Phoenix hostage incident began about 3:30 p.m. (5:30 p.m. ET) when a man entered the offices of the National Labor Relations Board, grabbed a secretary and took her into a room where a hearing was being held, said Gordon Jorgensen, who retired last month from the board and had spoken with some of the NLRB employees.

"The guy was apparently in our reception area and wanted to talk to someone and ... one of our secretaries walked by. He pulled a gun on her" and escorted her into the room, where a hearing was being held.

One woman escaped early in the evening and a second woman was released about an hour before the man surrendered.

Dozens of police and fire crews were on the scene, and authorities evacuated the building and sealed the area.


21 February 2006

4GW: Strategic Risk vs. Tactical Insurgencies...

Fourth Generation Warfare (4GW) is upon us in the E-Ring, the West Wing and the PGP keyring. Information assets, and the knowledge that is the key to wealth, are no longer a physical matter. Thomas X. Hammes articulates this in his book, The Sling and The Stone:

Fourth-generation warfare (4GW) uses all available networks -- political, economic, social, and military -- to convince the enemy's political decision makers that their strategic goals are either unachievable or too costly for the perceived benefit. It is an evolved form of insurgency. Still rooted in the fundamental precept that superior political will, when properly employed, can defeat greater economic and military power, 4GW makes use of society's networks to carry on its fight. Unlike previous generations of warfare, it does not attempt to win by defeating the enemy's military forces. Instead, via the networks, it directly attacks the minds of enemy decision makers to destroy the enemy's political will. Fourth-generation wars are lengthy -- measured in decades rather than months or years.


The Mission
The global business landscape has known for all too long the power of marketing. Knowledge is not a fixed asset in a fixed physical location. Intellectual property, patent applications and new formulas can be reduced to zeros and ones and sent to anyone in the world almost instantaneously. Encrypted data flows through the veins of the Internet and has changed the playing field for governments and for your organization.

While nation states and growing adversaries wage their respective political and economic battles, the private sector and the Fortune 500 are in another, parallel conflict to keep their Intellectual Property and Information-Based Assets safe and secure from a growing threat spectrum. Modern digital insurgents and other 4GW opponents are part of a virtual network that has no specific location found in longitude, latitude or geocode. The money center bank or transnational pharmaceutical company is all too familiar with the hijacking of trade secrets or personal identities, held for ransom or sold to the highest bidder.

The Take Away
Yet this is not about technology, and it is even more apparent that it is not about the Internet. It is about how people are able to operate in a wide variety of countries, cultures and operating environments. These human networks are the most powerful forces available to governments and to marketers. Whether it's a brand being endorsed by a superstar rocker like Paul McCartney or a book being recommended by Oprah Winfrey, this sharing of human knowledge and intelligence is exactly what a 4GW strategy is built on. And let's not forget the power of Aljazeera and The New York Times.

The risk of operating your enterprise across the planet requires a "4GW" mentality and toolkit to help ensure your success. What is your organization doing to retool and retrofit your work force to compete on an operational level with more educated people and superior human capital?

18 February 2006

Predictive Profiling: The Human Firewall...

In Harrison Ford's new movie Firewall the viewer is entertained with a combination of Seattle bank heist, kidnapping and good old fashioned Hollywood chase and fight scenes. There is even a degree of deception and conspiracy mixed in to spice up the story line. The plot is full of social engineering lessons from which even those with little knowledge of high technology can learn a thing or two.

While the actual high technology bank heist turns out to be nothing more than a simple stealing of account numbers and a transfer of $10,000 from 10,000 high net worth customers, the movie title is a ploy. In only one short sequence is there any focus on the fact that the bank is being attacked on a daily basis from other locations on the other side of the globe. Those attackers using new and increasingly sophisticated strategies are consistently giving financial institutions new challenges to secure their real assets, binary code.

In early 2005, a criminal gang with advanced hacking skills had tried to steal GBP 220 million (USD 421 million) from the London offices of the Japanese banking group Sumitomo and transfer the funds to 10 bank accounts around the world. Intelligence on the attempted theft via key logging software installed on banks' computers has been circulating in security circles since late last year after warnings were issued to financial institutions by the police to be on the alert for criminals using Trojan Horse technology that can record every key stroke made on a computer.


In this case, and even in the movie, an "insider" is almost a certainty. A person has been bribed, threatened or spoofed in order for the actual fraud or heist to occur. The people who work inside the institution are far more likely to be the real source of your crime than the skilled hacker using key logging software. More and more, the real way to mitigate these potential risks is through behavior profiles and analysis.

The human element, which relates to awareness, can't be ignored any longer, and it can only be changed through education, training and testing of employees. An organization that procures technology worth millions is naive if it doesn't invest in educating its employees to make that investment worthwhile. Sometimes the human element stands alone. Awareness, detection and determination of threat, deployment, taking action and alertness are the key ingredients of security. Predictive Profiling comes into play as organizations recognize that detecting threats starts long before the firewall is compromised, falsified accounts are established and bribes are taken.

The Israeli Airline El Al has known for a long time the power of humans as a force in security. An empowered, trained and aware group of people will contribute to the layered framework as a force multiplier that is unequalled by any other technology investment. Firewall The Movie, was a wake-up call for those institutions who still have not given their employees more of the skills and tools for detecting human threats long before any real losses occur.

15 February 2006

Battle-Tested Strategies for Mission Critical Activities...

Mission Critical Activity (MCA)

Critical operational and/or business support, service or product related activity (provided internally or externally), including its dependencies and single points of failure, which enables an organization to achieve its business objective(s), taking into account seasonal trends and/or critical timing issues.


The trend to create "virtual" organizations raises a number of new issues as it pertains to interdependencies and single points of failure. The ability to provide sourcing alternatives in the event of a catastrophic failure of an MCA provider is a key priority. As the trend becomes more operationally and logistically complex, organizations must exercise more often to determine where process or system weaknesses occur.

An organizational Business Crisis & Continuity Management (BCCM) strategy ensures resilience and high reliability of MCAs. At the process level there is a documented framework that identifies the organization's MCAs in the context of products or services. Each MCA should have its own BCM strategy that provides clarity on how the organization will provide protection for the MCA.

One key outcome is the definition of the BCCM relationship, positioning and connection with other risk related functions, e.g. Operational Risk Management (ORM). A critical component of getting this BCCM relationship connected with the risk management culture is awareness and education training. Merely documenting a strategy and plan provides a narrow and limited method of fully developing a true BCCM culture.

Ownership of BCCM by organizational lines of business, especially where Operational Risk originates and resides, is paramount. No matter how well designed a strategy may be, exercising and testing on a regular basis is necessary to identify potential issues before a real incident. Good quality exercises rely on specific and relevant scenarios in the actual locations and facilities, with normal personnel in place.

And no BCCM is complete without measurement and audit. You must verify compliance independently to highlight key material deficiencies and issues and to ensure their resolution. Each stage of the BCCM life cycle may require a unique audit process, depending on the maturity of that stage of the life cycle.

At the end of the day, the question is this: has the organization introduced risk management controls to eliminate, mitigate, reduce or transfer the effects of identified threats, vulnerabilities, exposures or liabilities to MCAs?

10 February 2006

Economic Espionage: Chasing 0's and 1's...

What do corporate executives worry about these days? The same thing Chief Security Officers and General Counsels have nightmares about. They all realize that globalization is truly upon us. Rapid transportation, open borders and the Internet have opened new doors for criminals and terrorists to move information quickly, deploy orders and even post stolen assets for sale in an underground world of ubiquitous trade.

Economic Espionage is the #2 issue at the FBI, and for good reason. The recent indictment of Suibin Zhang illustrates just one example of a crime happening all too often and right under the corporate executive's nose.

The United States Attorney for the Northern District of California announced that Suibin Zhang, 37, of San Jose, California, was charged late yesterday by a federal grand jury in San Jose in a nine-count indictment alleging computer fraud; theft and unauthorized downloading of trade secrets; and the unauthorized copying, transmission and possession of trade secrets.

The maximum penalties for each of the computer fraud counts is 5 years imprisonment, a $250,000 fine or twice the gross gain or loss and 3 years supervised release. The maximum penalties for each of the trade secret counts is 10 years imprisonment, a $250,000 fine or twice the gross gain or loss and 3 years supervised release.

An indictment simply contains allegations against an individual and, as with all defendants, Mr. Zhang must be presumed innocent unless and until convicted.


The people who work for your organization need to have a greater awareness of what the Economic Espionage Act of 1996 is all about. Whether the information that is alleged to have been stolen is Mr. Zhang's property or the property of his employer will be at question here. Corporate Information Security Policy will have covered this, yet the motivation, and the lack of understanding of what constitutes intellectual capital or trade secrets, is what needs the most clarification with employees.

VIII.B. The Economic Espionage Act of 1996, 18 U.S.C. §§ 1831-1839

VIII.B.1. Overview of the statute

The Economic Espionage Act of 1996 ("EEA") contains two separate provisions that criminalize the theft or misappropriation of trade secrets. The first provision, codified at 18 U.S.C. § 1831(a), is directed towards foreign economic espionage and requires that the theft of the trade secret be done to benefit a foreign government, instrumentality, or agent. It states:

(a) In general. -- Whoever, intending or knowing that the offense will benefit any foreign government, foreign instrumentality, or foreign agent, knowingly -

(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret;
(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys a trade secret;
(3) receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;
(4) attempts to commit any offense described in any of paragraphs (1) through (3); or
(5) conspires with one or more other persons to commit any offense described in any of paragraphs (1) through (3), and one or more of such persons do any act to effect the object of the conspiracy,

shall, except as provided in subsection (b), be fined not more than $500,000 or imprisoned not more than 15 years, or both.


08 February 2006

Four Steps to Wisdom...

If you are reading this weblog you might be interested in what other people were searching for before they arrived here. The statistics can provide us with a few observations:

Search Engine: search.yahoo.com
Search Words: operational risk crisis management
Lagos, Nigeria Africa

Wikipedia Search: Operational Risk
ABN*AMRO Services Co
Chicago, IL USA

Search Engine: google.com
Search Words "world health organization" 27001 17799 iso
Bern, Switzerland Europe

Search Engine: search.yahoo.com
Search Words: risk management and hostile work environment and dangerous posts
London, United Kingdom

Search Engine: hk.search.yahoo.com
Search Words: pr and marketing program for tackling avian flu
Hong Kong, Asia

Search Engine: google.com
Search Words: coso orm
Hoofddorp, Netherlands Europe

Search Engine: it.search.yahoo.com
Search Words: managing operational risk
Belgrade, Serbia Europe

Search Engine: search.yahoo.com
Search Words: operational risk management mitigation definition
SunTrust Service Corporation
Atlanta, GA USA

It's obvious that Operational Risk is a global issue and is becoming a more refined discipline. And depending on the country or city the query came from, the search terms carry a little relevance or even some insight.
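The list above is the product of reading search-engine referrers out of a web server log. As an added example, not code from the original post, here is a Python script that does that extraction over a few constructed Combined Log Format lines: it parses each line, recognises the 2006-era engines that appear in the list (Google with a `q` parameter, Yahoo with `p`, Wikipedia's `Special:Search` with `search`) and returns the client address, engine host and decoded query. The engine-to-parameter table and the sample lines are assumptions made for the demonstration.

```python
"""Extract search-engine queries from web server referrer fields (Combined Log Format)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Substring of the referring host -> query-string parameter that carries the search terms.
# Assumed for the engines seen in the post; extend as needed.
ENGINE_PARAMS = {
    "google.": "q",
    "search.yahoo.com": "p",
    "wikipedia.org": "search",
}

# Constructed sample log lines (not real traffic); the last one is deliberately malformed.
SAMPLE_LOG = [
    '10.0.0.1 - - [08/Feb/2006:10:15:32 +0000] "GET /2006/02/ops-risk.html HTTP/1.1" 200 8192 '
    '"http://search.yahoo.com/search?p=operational+risk+crisis+management" "Mozilla/4.0"',
    '10.0.0.2 - - [08/Feb/2006:10:17:01 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?q=coso+orm&hl=en" "Mozilla/5.0"',
    '10.0.0.3 - - [08/Feb/2006:10:18:45 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://en.wikipedia.org/wiki/Special:Search?search=Operational+Risk" "Mozilla/5.0"',
    '10.0.0.4 - - [08/Feb/2006:10:20:10 +0000] "GET /feed.xml HTTP/1.1" 200 2048 '
    '"-" "FeedReader/1.0"',
    '10.0.0.5 - - [08/Feb/2006:10:21:00 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://hk.search.yahoo.com/search?p=pr+and+marketing+program+for+tackling+avian+flu" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def classify_referer(referer):
    """Return (engine_host, query) when the referer is a recognised search, else None.

    The referer is client-supplied and untrusted: it is only ever split and decoded,
    never executed or rendered.
    """
    if not referer or referer == "-":
        return None
    parts = urlsplit(referer)
    host = parts.netloc.lower()
    for needle, param in ENGINE_PARAMS.items():
        if needle in host:
            terms = parse_qs(parts.query).get(param)  # parse_qs also decodes '+' and %XX
            if terms:
                return host, " ".join(terms[0].split())
    return None


def search_queries(log_lines):
    """Yield (client_ip, engine_host, query) for every line that carries a search referral."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash on one bad record
        found = classify_referer(m.group("referer"))
        if found:
            hits.append((m.group("host"), found[0], found[1]))
    return hits


def query_counts(log_lines):
    """Frequency of each distinct query, the raw material for the kind of list in the post."""
    return Counter(query for _ip, _engine, query in search_queries(log_lines))


if __name__ == "__main__":
    for ip, engine, query in search_queries(SAMPLE_LOG):
        print(f"{ip:<10} {engine:<22} {query}")
```

Two things the script makes explicit that a vendor dashboard hides. First, the referrer header is whatever the client chose to send, so it is parsed as data and nothing more; a crafted value should never reach a shell, a database query or an unescaped HTML report. Second, it is exactly as the post says: the log tells you what was searched and from where, never why.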

This kind of analysis is not new and happens every day in your company, organization and other interested parties. Selling this data to marketers to provide trend analysis or new innovative ideas has been going on since the birth of the Internet.

What people are searching for is answers, or insight, to make more informed decisions. Some might call this intelligence; others call it surveillance. Your definition depends on your reason for searching for the data in the first place. The speed of change in the connected economy requires faster answers and greater insight, whether it is for a research paper, a news article, or even threats to your corporate assets.

What the logs and the statistics won't tell you is why. Why is this person searching for this piece of data at this moment? One can only wonder how data mining and sophisticated algorithms make sense out of Petabytes of data. Text, Images, video, voice and more.

Excalibur Web Search is a private label search service for online publishers and other organizations seeking more authoritative and relevant results from the World Wide Web. It's the latest innovation from Convera Corporation, a leader and visionary in enterprise search and categorization.

Excalibur indexes and organizes the Web into millions of distinct categories, delivering professional quality search results tailored to individual needs. These personalized views of Web information - unique to Excalibur - lead to greater insight, new perspectives and more confident decisions in critical areas. Excalibur's exceptional accuracy and authority will ensure Web users locate the information they're seeking, whether it's related to science, technology, law, finance, health, medicine or travel, pop culture and world events.


Four Steps to Wisdom - From "The Monster Under The Bed" by Stan Davis & Jim Botkin

Data--->Information--->Knowledge--->Wisdom

"Each step up in learning requires a new technology platform. The technology platform that will make possible the leap from Information to Knowledge is the blending of computers and telecommunications with human actions. By the time the knowledge phase matures, around a decade from now, billions of people will use computers with no training at all. Can we imagine the technology platform that will enable us to take the final step to wisdom?"


Stan and Jim wrote this book and it was published in 1994. Getting to wisdom is now upon us in managing operational risks.

07 February 2006

Grass Roots Risk Management...

When you set your organizational direction and adopt a common language and framework for managing risk you must include the measurable categories associated with credit, market and operational risk. Many choose to adapt the COSO Guidelines to create their unique risk management and control framework.

The question remains: is that enough? Do you have enough categories to truly address the methodical management of all material risks?

The Board of Directors must be able to understand the framework to begin any meaningful programmatic approach to identifying, assessing, managing and mitigating risks. Now what would happen if you added a few more categories to include:

1. Compliance
2. Legal
3. Strategic
4. Reputation

Certainly the Board understands that these are real and important categories to include in the framework. However, these are much more difficult to measure and merge with the new governance culture found in most SOX oriented organizations.

Creating the right environment for employees and supported by the correct processes is not enough these days. Now the front line must also have the right tools to help in performing risk assessments and analysis as change takes place in products and the market place. Creating a risk culture that is effective is a balancing act for employees who are trying to decide if they have a material risk to mitigate or an opportunity that has yet to be realized. Employees need to be able to embed this kind of decision making into the fabric of their daily work routines as opposed to a quarterly or annual exercise.

The largest institutions that have already established the framework, support processes and tools, along with the staff, are well on their way to meeting the goals of prudent corporate governance. Developing a more comprehensive and pervasive adoption rate across the Tier II and small to medium-sized institutions is far from reality. We are just beginning this long and difficult journey.

Maybe the biggest question for these evolving risk management cultures is how and where to begin? The answer might be found in your current abilities to deal with "Change" itself. At the end of the day, any Operational Risk Management program is going to be about the ability to address the velocity of change. If you haven't been getting an "A" in this part of your report card then you can be sure that managing your new found material risks will be far from excellent.

A "Loss" is a financial impact from an event that shows up on the company's financial statements, as "write-downs" or other entries in the annual report. As you build a Loss Event Database to record losses across the organization, you surface risks the organization never knew it had. This is where resources are invested and where management realizes the beauty of having a "Grass Roots Risk Management" initiative.

03 February 2006

Managing Strategic Change for Operational Risk...

There have not been more sweeping changes in business regulation and compliance since the Great Depression. The fall of Enron Corporation provided much of the catalyst for new laws and new corporate governance oversight. The Board of Directors and senior management are now tasked with the continuous risk of “operational volatility” with people, processes, systems and external events. Effective Operational Risk Management begins with an effective strategy to manage change in your organization.

What institutional fraud presents the greatest operational risk to companies? In a recent poll by Oversight Systems of 200+ Certified Fraud Examiners:

63% - Conflict of Interest

57% - Fraudulent Financial Statements

31% - Billing Schemes

29% - Expense and Reimbursement Schemes

25% - Bribery/Economic extortion

20% - Inventory and Non-Cash Asset Misuse


From the conviction of former WorldCom CEO Bernie Ebbers to the acquittal of HealthSouth’s Richard Scrushy, corporate fraud continues to make headlines. Four years after Enron’s collapse, financial integrity remains a key issue for corporate America.

The 2005 Oversight Systems Report on Corporate Fraud surveys certified fraud examiners to report the trends, risks and major concerns that businesses face today.

While most fraud examiners view Sarbanes-Oxley (SOX) as an effective tool in fraud identification, few think it will change the culture of business leaders. Nearly two-thirds of respondents (65 percent) indicate that SOX has been somewhat or very effective in identifying incidences of financial-statement fraud. Only 19 percent of those surveyed found SOX to be ineffective or serve to prevent fraud identification.


* What are the consequences of ignoring the need for change related to operational risks?

* What will be a starting point for initiating changes related to operational risk management?

* Is your organization ready for managing changes in order to manage operational risk? If yes, at what readiness level? If no, how can it become ready?

Are you a boardroom director or senior corporate manager? Does your organization have a culture that avoids an examination of organizational processes such as decision-making, planning and communication concerning the risk of change? Are you an executive who would like your organization to accept, adapt and therefore institutionalize and legitimize these processes related to operational risk?

If you said yes to any of the questions above and nodded positively to the possibility for a change in your organization, then first you must effectively
"Manage Strategic Change for Operational Risk".


01 February 2006

Internet Crime Pandemic: The Botnet Outbreak...

If you thought that your INFOSEC team was busy last year, they haven't seen anything yet. The rise of Trojans & Botnets is becoming an Internet Crime Pandemic.

"Cyber-crime nowadays takes many forms, and perhaps even more dangerous than botnets are the targeted attacks that we have witnessed recently," explains Luis Corrons, director of PandaLabs. "The biggest problem lies in their secrecy: a large company could be serving the interests of a group of malware creators without realizing it. Many of their computers could be at the disposal of these cyber-crooks, with all the legal implications that this might have for the company itself. Until now it is a risk that companies have not considered sufficiently, but one which is no longer possible to ignore."


Most of the successful attacks exploit the most vulnerable facet of every company's defense: its people. Targeting executives within a specific industry group such as the savings and loan sector is a good example. The global marketplace for reselling data about people is now showing exponential growth. Once the executive clicks on a link inside what looks like a legitimate email, he has opened his network to a potential new "Zombie".

Why do the spammers, pharmers and spear phishers continue to invest in these types of attacks? It's good for their criminal business.

The FBI recently snared a 20-year-old hacker (Jeanson James Ancheta) who they believe wrote computer code to assemble botnets and sell access rights, after he was lured into a trap. Ancheta in his plea accepted responsibility for selling botnets and directing zombie machines to surreptitiously download adware, besides intruding into government computers.

Ancheta is understood to have as a result benefited by $3,000 from botnet sales and $60,000 from the clandestine adware downloads. With close to 400,000 machines under his control, Ancheta was doing well enough to gift himself a BMW.