30 October 2006

Corporate Plausible Deniability: Is Now Extinct...

Skyrocketing Electronic Discovery (E-Discovery) costs force many organizations to prematurely settle cases or at least compromise their litigation strategy. Courts are increasingly issuing broad evidence preservation orders, mandating that computer data on up to several thousands of hard drives and servers be preserved.

Regulations and new legal statutes have created a convergence of information security and legal issues. Effective governance strategy execution must take both legal and security business drivers into account to be successful. "Plausible Deniability" is now extinct.

Plausible deniability is the term given to the creation of loose and informal chains of command in government. In the event that assassinations, false flag or black ops, or any other illegal or otherwise disreputable and unpopular activities become public, high-ranking officials may deny any connection to or awareness of such acts, or of the agents used to carry them out.

In politics and espionage, deniability refers to the ability of a "powerful player" or actor to avoid "blowback" by secretly arranging for an action to be taken on their behalf by a third party - ostensibly unconnected with the major player.

More generally, "plausible deniability" can also apply to any act which leaves little or no evidence of wrongdoing or abuse. Examples of this are the use of electricity or pain-compliance holds as a means of torture or punishment, leaving little or no tangible signs that the abuse ever took place.


Digital Forensic Services are specifically designed to perform efficient and effective enterprise computer investigations that address these concerns using best-practice technology. This enables corporations to manage and retain control of these investigations while substantially reducing cost. In the context of E-Discovery, courts require that best practices be employed and that counsel take affirmative steps to monitor compliance and ensure all relevant data is located and preserved.

And as we approach the eve of Halloween, there are all kinds of "Tricks and Treats" going on at the corporate digital battle front. Executives at most organizations are trying to keep their eye on those employees and places that are deemed significant risks to the organization and, at the same time, cover their tracks. The HP scandal is still fresh in their minds.

The Privileged Executive

Her trick
The privileged executive feels responsible for every aspect of the organization, and compelled to control it. She wants to know everything about every department and project; demands root access to systems and applications, and sufficient rights to act on others’ behalf -- including sending email using other employees’ accounts. Naturally, she objects to logging of her own activities while demanding stringent audit of everyone else.

Your treat
Forward articles on prosecution of executives for insider trading, misusing data, and SOX violations, particularly ones that detail how malfeasance got pinned on the corner office because of too much access. Follow up a few days after each prying event by hinting to IT that it ought to look into apparent audit discrepancies, and suggesting to internal auditors they ought to look into IT control logs. Send monthly updates about how you’re working hard to make sure the execs aren’t exposed to excess risk; make plausible deniability your mantra.


New York state courts are coming of age with respect to electronic discovery, while U.S. federal courts already know the nuances associated with e-discovery. Notwithstanding the lack of a CPLR (Civil Practice Law and Rules) provision or court rule specifically addressing electronic disclosure, recent court decisions reflect the courts' appreciation of:

(i) the search, production, de-duplication and privilege review costs that may be incurred by a party in addressing e-discovery requests and the importance in fairly determining who should bear such expense, including counsel's time in reviewing electronic documents for privilege,

(ii) the legal and business burden on the party producing electronic documents, taking into account, among other things, the purpose for which backup tapes were made and issues relating to their restoration,

(iii) a party's claimed relevance of and need for the requested electronically stored materials,

(iv) the process utilized by the producing party to identify, search for and gather electronic materials,

(v) the likelihood that yet-to-be-searched-for electronic materials actually exist and, if so, whether they would be duplicative of documents already produced,

(vi) a party's "true" justification for seeking and/or objecting to producing electronic documents, and

(vii) both sides to a dispute having the opportunity to retain appropriate forensic computer experts prior to a court ruling on e-discovery issues.


Digital Forensics in E-Discovery is evolving at lightning pace, and many large organizations are already well entrenched. However, one thing is for certain. Corporate Plausible Deniability is almost certainly on the way to extinction.

26 October 2006

Anti-Terrorism Tools: Fido to the Rescue...

One of our most effective "Anti-Terrorism" sensors may be the nose on your favorite breed of canine. Dogs are being trained and their careers are sometimes being diverted from helping the blind, to helping the general public detect the possible signs of a terrorist event in the making.

TATP is triacetone triperoxide, one of the more common liquid peroxide explosives, the kind used in last year’s London transit system bombings and found hidden in the sneakers of the would-be shoe bomber, Richard C. Reid. Experts say peroxides have become terrorists’ explosives of choice, and government agencies are trying to detect them before they are carried onto buses, trains and airplanes.


The TSA Puppy Program has been around for several years and continues to be one of the lowest-tech, most efficient tools in our counterterrorism arsenal.

Our National Explosives Detection Canine Team Program prepares dogs and handlers to serve on the front lines of America’s War on Terror. These very effective, mobile teams can quickly locate and identify dangerous materials that may present a threat to transportation systems. Just as important, they can quickly rule out the presence of dangerous materials in unattended packages, structures or vehicles, allowing the free and efficient flow of commerce.

Law enforcement officers from all over the country travel to our Explosives Detection Canine Handler Course at Lackland Air Force Base in San Antonio, Texas, where they are paired with one of our canine teammates. These dogs are bred specifically for the program by our puppy program, also at Lackland AFB. German Shepherds, Belgian Malinois, Vizslas and other types of dogs are used in the program because of their keen noses and affinity for this type of work. In addition to providing a highly trained dog and handler training, we provide partial funding for handler salaries, care and feeding of the canines, veterinary and other costs associated with the dog once the teams return to their hometowns.

After dog and handler are paired up, the new team completes a rigorous 10-week course to learn to locate and identify a wide variety of dangerous materials while working as an effective unit. This training includes search techniques for aircraft, baggage, vehicles and transportation structures, as well as procedures for identifying dangerous materials and "alerting" or letting the handler know when these materials are present.


Deutsche Bahn, the German Railway Authority, continues to test biometric technology using face recognition as a deterrence and detection strategy. This testing is a result of a foiled or aborted plot to bomb German trains during the World Cup last summer. We find it hard to believe that the terrorists whose pictures are in the database will be the actual assailants carrying a backpack or wearing the explosives.

Let's keep our "Canine Corps" growing so we can make sure they are making their rounds in every train station in every major metro city on the planet. It's imperative if we are to keep our defenses at the highest level of detection in the days and years ahead.

24 October 2006

Know Your Domain: Alias Fraud Gains Millions...

The latest Alias Fraud is a "Rogue Wave" heading towards the bow of a financial broker near you. Even at companies like E*Trade, which have been advocating the use of the RSA SecurID for their clients, the losses continue. $18 million stolen.

"Internet crimes that result in the theft of personal and financial data from consumers continue to be a significant and global problem," FBI spokesman Paul Bresson said. "We work closely with our foreign law-enforcement counterparts to pursue these cases with all applicable laws."

Bresson declined to comment on the FBI investigation. John Heine, a spokesman for the SEC, and NASD's Herb Perone also declined to comment.

Some of the losses were straight theft. In his presentation, Walsh of the SEC explained how criminals use personal information such as Social Security numbers to break into accounts. Once in control, they loot the accounts by selling securities and wiring out the proceeds far from the U.S.

'Pump and Dump'

The online version of the "pump-and-dump" fraud sets off few security alerts at brokerage firms because no money is withdrawn from the compromised accounts, Walsh explained.

"This is an increasingly popular variation," he said in Phoenix. "If you are looking for a single 'hot topic' in the world of identity theft, this is it."

In "alias fraud," a thief opens an account in an individual's name, then uses it for illegal trading or money-laundering. Because the victim's name is on the account, he or she appears responsible for the crimes.


Two-factor authentication is not a new topic to these organizations. The FFIEC has been providing guidance and now a December 31 deadline for addressing this issue. Back in August this Operational Risk Blog discussed this very topic:

One way to solve the issue is to find a company that has already cleared these technology hurdles and has a viable solution for FFIEC compliance. See Boulder, Colorado based Authenticol to add to your short list.


The answers for the banks and financial services companies are out there. What is more difficult to address are the processes and the enterprise architecture needed to accomplish the goal of reduced operational risk, whether that risk is external fraud by foreign transnational crime syndicates or the stealth employee walking out the door with a 2GB jump drive on their keyring holding proprietary client information. Do you really believe that all of these hackers are just getting lucky that the trojans and key loggers they have propagated end up on the home desktops of E*Trade customers?

"Insider Information" comes in all kinds of forms, whether it be stolen client information or the loose lips of a person with access to vital M&A information.

The bulk of the money allegedly made in the case by two former Goldman Sachs employees resulted from tips from an analyst with information about Wall Street deals and a grand jury member who knew about a probe of accounting fraud accusations against Bristol-Myers Squibb Co. and several of its executives, the government has said.

The case came to the attention of authorities when regulators noticed unusually high trading volume before a merger announcement and discovered that a 63-year-old retired seamstress in Croatia -- the aunt of one of the defendants -- had made more than $2 million.

The plot involving Schuster, however, showed the lengths to which those involved in the insider trading plot would go to gain an edge in the market.


In the words of one very respected and experienced investigator with whom we recently had the pleasure of speaking, the wisdom is this: "Know Your Domain". In a recent survey by the Privacy Rights Clearinghouse and the National Association for Information Destruction Inc.:

Percentage of business executives who do not know what their companies do to ensure the destruction of information on obsolete computers = 77%

20 October 2006

SOX 404: Auditors vs. Empowered Employees...

In the November/December issue of Corporate Board Member 100 Board Directors have sounded off. The PricewaterhouseCoopers Survey on "What Directors Think 2006" asked some tough questions and got some revealing answers.

How effective is your board at monitoring the company's "Risk Management Plan"?

Very Effective - 12%

Effective - 47%

Somewhat Effective - 36%

Would you like to spend more, less or the same time on Sarbanes-Oxley Section 404?

The Same - 64%

Less - 33%

More - 3%


If we try to interpret what these two questions mean in relation to each other, we guess it makes sense. Almost two thirds of the Board Directors polled want to spend more time on Section 404 and at the same time are saying that they are not very effective at managing the company's risk management plan. Logical? The Board of Directors is looking for answers in the wrong place: the auditors.

The company’s external auditor must report on the reliability of management's assessment of internal control (Section 404).

Colossal and recurring external auditor failures around the world regularly demonstrate the difficulty of providing opinions on the reliability of financial statements. Positive audit opinions are regularly issued on materially false financial disclosures in spite of the fact that the U.S. has developed thousands of pages of rules on how they should be prepared to “fairly” present the company's financial status. The difficulty of providing an opinion or an assertion that internal control is “adequate” or “effective” to ensure the reliability of external financial disclosures is exponentially greater. There are very few guidelines to help auditors decide when there are “adequate” internal controls. Field research done by CARD®decisions with hundreds of groups of senior level internal audit and management personnel has consistently demonstrated that, given the exact same circumstances in a case situation, few groups and few individuals in those groups agree on the combination of control elements from a predetermined control design menu that would provide an “effective” or “adequate” level of control. This is true in spite of the fact that internal audit departments around the world routinely give opinions to clients on whether the clients’ internal controls are “adequate”. It takes very little applied research to demonstrate conclusively that audit opinions on what constitutes an “adequate” level of control involve a huge amount of highly subjective judgment. These findings suggest that reporting these highly subjective opinions on whether controls are “adequate” or "effective" to key stakeholders does not meet the goals of comparability, reliability, and repeatability, key criteria for sound assurance and audit methods.


The Basel Capital Accord II is the first breath of fresh air on modern management systems for identifying and controlling process variability and driving down errors and rework. Although Basel has clearly recognized that a risk focus is far superior to a fixation on controls compliance, management and the Board of Directors haven't figured that out just yet. When they do, they will be calling in their favors from the legislators.

Really understanding and documenting the processes that feed the disclosures and reporting has to begin with each employee and manager owning it and understanding it themselves, not just internal audit or the external auditor. Only then will the employees become more aware and capable of detecting where controls need to be turned into Total Quality Management objectives.

The Board of Directors only has to look at the risk management acumen of the middle management ranks to get an accurate "litmus test" of the effectiveness and adequacy of the company's overall Enterprise Risk Management (ERM) quality score. This is where the true health and resilience of the company can be found, to verify or question SOX 404.

17 October 2006

Buyer Beware: The Risk of Private Data...

Operational Risks are being found in places that a CxO would not have at the top of their list when it comes to mitigating threats to the institution. Human Resources, Information Systems and Accounting make the list near the top, yet Marketing always seems to be a few steps down. This is a big mistake, and a renewed interest in auditing the sales and marketing organization could open up a real "Pandora's Box".

Fidelity Federal Bank and Trust (West Palm Beach, Fla.) has been ordered to pay a $50 million settlement for buying more than half a million names and addresses from the Florida Department of Highway Safety and Motor Vehicles. The Electronic Privacy Information Center (EPIC), which filed an amicus brief in favor of the plaintiffs in the case, announced the decision in late August.

EPIC said the $4 billion-asset bank bought 565,600 names and addresses for use in direct marketing, claiming that the purchase violated the Driver's Privacy Protection Act. The federal law was enacted in 1994 to prevent the distribution of drivers' personal information.

From 2000 to 2003, Fidelity purchased the data containing the personal information of drivers living in Palm Beach, as well as Martin and Broward counties, for only $5,656, or a penny per driver record, according to papers filed in Kehoe v. Fidelity Federal Bank and Trust. The bank sought the information for car loan solicitations, according to the class-action lawsuit.


When this one is all over, you can bet that many organizations will be reexamining where they get their marketing data. The direct marketers sell and resell data on a daily basis, including some companies you would not think are even in that business, namely your own state. Purchased drivers license information should be highly accurate, since we are all required to report a change of address to the DMV shortly after we move to a new location. That is why this data is valuable to direct marketers: fewer pieces of returned mail.

Where does your marketing department get all of the information it uses for outbound direct marketing via postal mail, e-mail, outbound phone calls and even the personalized content on the web site each time I log in to get my latest statement? These days a valid e-mail address may be even more valuable than a phone number, due to the "Do Not Call" list and the fact that people just don't answer their phone if the caller is not in their personal contact list.

As an example, this one hit the in-box the other day from Equifax:

Your entire credit history in one easy-to-read report plus your FICO® credit score for only $29.95

Taking charge of your credit standing could pay big dividends when applying for a loan or negotiating an interest rate down the road. Because you are one of our most valuable customers and understand the importance of actively monitoring your credit, we are offering you our deepest discount - $10 off your 3-in-1 Credit Report with Score Power® - which includes your credit history as reported by all three credit reporting agencies plus your FICO® credit score - the score lenders use most.

When you apply for a loan, lenders can pull your credit file from any or all of the 3 major agencies, so it's important to know what information they have about you. Your 3-in-1 Credit Report allows you to see your entire credit history in one easy-to-read report. A quick and convenient way to ensure that your credit history is in order!


Where Equifax obtained this e-mail address is anybody's guess. They must have bought a list from a company that was doing a survey for a client selling products to people who live in zip code 22102 and drive black SUVs. At the end of the day, the marketing and sales organizations in your enterprise are just doing what you expect of them in generating new market share and revenues. Be careful what you wish for, because all of those newfound customers and sales could be erased in an instant by a well-planned plaintiff class-action lawsuit.

13 October 2006

A Renewed Sense of Courage: Readiness, Response, Recovery...

Having just finished the last 3 days at The All Hazards Forum and attended the Regional Critical Infrastructure Interdependencies Workshop, we have some new insight. There is a major mindset shift from protection to resilience.

The state and local governments are still pressed to do more with less and to keep such a vigilant force emotionally engaged. There is still frustration with the lack of public-private coordination, yet it is improving one step at a time. Most of our focus was on the following sessions:

> Data Sharing Initiatives in the Mid-Atlantic Region

> A Balanced Critical Infrastructure Strategy: Protection, Resilience and Private Sector Outreach.

> Regional Fusion Centers and Their Role in Preparedness

> Improving Asset Data Collection

> Continuity of Operations Planning: What are Private Businesses Doing to Prepare?

> The Anti-Terrorism Advisory Council of Maryland Training Workshop

> Combating Terrorism: Actions Needed to Improve our Domestic Ports


The focus on Critical Infrastructure resilience programs centers upon these four objectives:

1. Prevention Planning

2. Impact of Loss Analysis (Economic/Local)

3. Cycle Time to Recovery

4. Understanding Interdependencies


The diverse set of stakeholders who own and operate these assets were in attendance and opening new doors of trust and cooperation. Yet the private sector is still timid about revealing its greatest vulnerabilities and sharing the risk with the public domain in order to work on mitigating or reducing this exposure. One has to look no further than BP and its deteriorating pipeline in Alaska, or the recurring breakdowns of our power grids, to know that a simple lack of maintenance is sometimes the only culprit, not a natural or man-made disaster.

So predicting the rate of failure or loss on future networks, pipelines, bridges, tunnels and rails could be as simple as looking at the rate of reinvestment in repair, upkeep and preventive maintenance. Yet that is not our greatest fear. Remaining vigilant requires a more thorough understanding of the threat and the myriad tools being utilized by criminals and nation states to attack us. Once you understand this, you realize that your greatest fear is the unknown: the low probability, high consequence event. That is what keeps all of us awake at night and what keeps us getting up in the morning to do it all over again. We are all searching, detecting and monitoring in the hope that we are not too late once more.

And maybe even more important than this is the hope that when that day, hour or minute does arrive, we have the courage to respond, recover and revive ourselves even faster than after the last incident. To be better. And more resilient than we ever have been before.

09 October 2006

Business Resilience: Asia Braces for a Nuclear North Korea...

What metaphor or symbol has your organization identified with to represent who you are or what you stand for? Some companies do this through their logo and others like Business Resilience Group (BRG) have done it with both.

BRG has chosen Bamboo, the Chinese symbol for resilience, as its logo as it embodies the key elements of our resilience framework and services.

Bamboo is the most versatile plant that is used for a vast range of purposes. Its leaves and shoots are used for food, and its stems can be utilized for sewing needles, writing implements, cooking utensils, furniture, for house and boat building, etc. Thus the many uses of the Bamboo plant represent its adaptiveness and are signified by the virtues of strength, uprightness, integrity and service. The Bamboo has long been regarded as a symbol of longevity due primarily to its resilience and ability to stay evergreen through the four seasons, especially during the adversity of the harsh winter months. The spiny bamboo, which signifies longevity and prosperity that lasts for generations, and the solid stemmed bamboo, which signifies a life free of illness and disease, are the varieties associated with good health.

The Bamboo is known to "bend without breaking" - like resilient organisations it exhibits Strength through flexibility.


We like the metaphor and agree that "adaptiveness" is a key attribute of a resilient organization. And the core ability to run your Information Technology (IT) department as a business is a challenge like no other. Running IT as a Business raises several questions all large enterprises are asking themselves on their respective quests to address their Business Resilience Adaptability:

* How do IT strategic and operational plans relate to and support strategic line of business plans? Where is there conformity? Where are there gaps?

* How do IT strategic and operational plans guide IT business processes and performance improvement priorities? In other words, what does IT have to do better in the delivery of services it provides to meet the needs of the business? What is IT doing to shore up those gaps? How well is IT meeting its commitments related to service level agreements?

* How do IT project portfolios relate to strategic and operational plans? What is the cost of projects? What is the scope of the projects as it relates to the IT portfolio? How are the projects related to one another? Where are there strategies with no project support? Where are there projects with no strategy/performance improvement objective to justify the effort?

* What are all elements of the IT technology portfolio - applications, data and infrastructure? How are all elements of the IT Portfolio related? How is this portfolio related to IT Services? What are the costs of whole categories such as Hardware, Licensing, Maintenance, Data Center, Network and Help Desk?

* What IT Portfolio elements support IT business processes, such as application development, service delivery, service support, configuration management and change management? What are the rolled up costs of these elements and how does this relate to the budgets?

* What IT Portfolio elements support the Business processes that make the Business run?

* How are current IT Portfolio elements being impacted by IT projects? Where are the dependencies?

* What is changing? What is our change profile? What are the growth patterns? What are the trends?


Yet Information Technology (IT), including communication systems, is just one major facet of an organization's overall Business Resilience factor. What are you doing to simultaneously address these components in your organization?

1. Essential functions and key personnel;
2. Vital records, communication systems and equipment;
3. Alternate work sites and relocation planning;
4. Training, testing, and exercises.


And today, this list has taken on a whole new urgency:

Outcry at N Korea 'nuclear test'

North Korea's claim that it has successfully tested a nuclear weapon has sparked international condemnation.

The White House called for a swift response from the UN Security Council, calling Pyongyang's move "provocative".

Japan and South Korea also condemned the test and even Pyongyang's closest ally China expressed its "resolute opposition", calling the move "brazen".

Diplomats say there will be an emergency Security Council meeting on the issue shortly.

The underground test, which South Korean media said took place in Gilju in Hamgyong province at 1036 (0136 GMT), has still to be confirmed.


02 October 2006

Operational Threat Matrix: The Mission Ready Many...

The results of the latest Global State of Information Security 2006 study are out, and much of the insight is not surprising.

The study by CSO, CIO and PricewaterhouseCoopers (PwC), with 7,791 respondents in 50 countries, indicates that an increasing number of executives (CEOs, CFOs, CIOs, CSOs, and vice presidents and directors of IT and information security) across all industries and in private- and public-sector organizations continue to make incremental improvements in deploying information security policies and technologies, although the rate of improvement is slower than in previous years. They're becoming more financially independent, with some security budgets increasing at double-digit rates. And they say they're more confident in their level of security, perhaps because their networks have not had a serious virus or worm in the past 12 months.


What you don’t know can hurt you. For the fourth consecutive year, there was an increase in the percentage of respondents throwing their hands up and saying they have no idea how much money their companies lost due to attacks. It's now up to 50 percent. Measuring an incident first requires defining a taxonomy of what an "incident" is and what it is not. In other words, how can you measure something that has not been sufficiently defined in your organization? How do you know when an incident has occurred?

Our corporate assets are under attack by a continuous barrage of new laws, new employees, new competitors and new exploits. Business survival in the next decade will require a more effective and robust risk strategy to deter, detect and defend against a myriad of new threats to the organization.

Modern day attackers include hackers, spies, terrorists, corporate raiders, professional criminals, vandals and voyeurs. Simply said, these attackers use tools to exploit vulnerabilities, creating an action on a target that produces an unauthorized result, and they do this to obtain their objective.
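As an added example, not part of the original post, here is one way to make that taxonomy concrete in Python: an event is counted as an incident only when the chain is complete (an action on a target that produced an unauthorized result), and losses that were never quantified are reported separately instead of being silently treated as zero. The result categories and the sample events are constructed for illustration, and "insider" is added to the post's attacker list as an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Vocabulary taken from the post's own description of the threat matrix:
# attackers use tools to exploit vulnerabilities, creating an action on a
# target that produces an unauthorized result, in pursuit of an objective.
# "insider" is an assumption added here; the post lists the other seven.
ATTACKERS = {"hacker", "spy", "terrorist", "corporate raider",
             "professional criminal", "vandal", "voyeur", "insider"}
# Assumed result categories; the post leaves these for each organization
# to define, which is exactly the definition step it says is missing.
UNAUTHORIZED_RESULTS = {"increased access", "disclosure", "corruption",
                        "denial of service", "theft of resources"}


@dataclass
class Event:
    """One security-relevant event as logged, before deciding if it is an incident."""
    event_id: str
    attacker: Optional[str]
    tool: Optional[str]
    vulnerability: Optional[str]
    action: Optional[str]
    target: Optional[str]
    result: Optional[str]        # None: no unauthorized result was established
    loss_usd: Optional[float]    # None: loss was never quantified (not zero!)


def is_incident(e: Event) -> bool:
    """The taxonomy's test: an event is an incident only when an action on a
    target produced an unauthorized result. Probes, blocked malware and other
    partial chains are recorded but not counted."""
    return (e.action is not None
            and e.target is not None
            and e.result in UNAUTHORIZED_RESULTS)


def summarize(events: List[Event]) -> Dict[str, object]:
    """Roll events up into the figures a risk committee would ask for, keeping
    unquantified losses and unclassified attackers visible as their own counts."""
    incidents = [e for e in events if is_incident(e)]
    quantified = [e for e in incidents if e.loss_usd is not None]
    by_result: Dict[str, int] = {}
    for e in incidents:
        by_result[e.result] = by_result.get(e.result, 0) + 1
    unclassified = sum(1 for e in incidents if e.attacker not in ATTACKERS)
    return {
        "events": len(events),
        "incidents": len(incidents),
        "quantified_loss_usd": sum(e.loss_usd for e in quantified),
        "unquantified_incidents": len(incidents) - len(quantified),
        "unclassified_attacker": unclassified,
        "by_result": by_result,
    }


# Constructed sample events (illustrative only, not real data).
SAMPLE_EVENTS = [
    Event("E1", "professional criminal", "key logger", "unpatched home PC",
          "capture", "customer credentials", "disclosure", 12_500.0),
    Event("E2", "hacker", "port scanner", None, "probe", "web server", None, None),
    Event("E3", "insider", "2GB jump drive", "no removable-media control",
          "copy", "client list", "disclosure", None),
    Event("E4", "vandal", "worm", "missing patch", "flood", "mail gateway",
          "denial of service", 4_000.0),
    Event("E5", "hacker", "trojan", None, "install", "workstation", None, None),
    Event("E6", "unknown", "stolen password", "weak password",
          "login", "brokerage account", "theft of resources", 7_250.0),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Note that E2 and E5 never become incidents (a probe and a blocked install have no unauthorized result), while E3 is counted but contributes nothing to the dollar total, which is the gap the survey's 50 percent figure describes.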

The Mission
The organization shall develop, implement, maintain and continually improve a documented operational risk management system. Identify a method of risk assessment that is suited to the organization's business assets to be protected, regulatory requirements and corporate governance guidelines. Identify the assets and the owners of these assets. Identify the threats to those assets. Identify the vulnerabilities that might be exploited by the threats. Identify the impacts that losses of confidentiality, integrity and availability may have on the assets. Assess the risks. Identify and evaluate options for the treatment of risks. Select control objectives and controls for treatment of risks. Implement and operate the system. Monitor and review the system. Maintain and improve the system.

The Take Away
While you were in the Board of Directors meeting, your Operational Risk Profile changed. When you were asleep last night it changed again. The people, processes, systems and external events are interacting to create a new and dynamic threat matrix for your organization. Who is responsible for Operational Risk Management in your business? Everyone is. You see, if everyone in the organization was able to understand and perform the mission flawlessly, then the business could stay in constant control of how much incidents are costing the enterprise. Only a guarded few understand the mission of operational risk management in your company. Only a guarded few can do it flawlessly. If you want to protect your corporate assets better than you do today, then turn those guarded few into the mission ready many.