24 August 2008

FACTA: Red Flags & eCrime...

The "Red Flags" rule has some banks and financial institutions scrambling to get compliant by the upcoming November deadline. The corporate governance and compliance teams are working hard to make sure the Operational Risks associated with the rule are being addressed in a timely and prudent manner:

The Federal Trade Commission (FTC) and five Federal financial regulatory agencies published a series of final rules and guidelines entitled "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act (FACTA) of 2003." Red Flags are relevant indicators of a possible risk of identity theft, and Section 114 of FACTA specifically sets out rules for the development and implementation of a written identity theft prevention program. The provision requires financial institutions and creditors in the United States to assess the likelihood that their customers' accounts are prone to identity theft, and mandates that they then implement a program to identify, detect and respond to its indicators.

Organizations that have many of the Information Security and Enterprise Risk functions under the CISO or CIO will have to make sure that they are communicating effectively with the Board of Directors, just as they did with SOX. Senior management is on the line when it comes to the security and safety of the vital information held on clients and customers.

"Financial institutions or creditors could look at this as a governance strategy to get the Operational Risk objectives on the Board Room agenda," said Peter L. Higgins, Managing Director and Chief Risk Officer of 1SecureAudit. "When Board Members themselves are having their own personal identities compromised by Transnational eCrime Syndicates, senior management can bet that they will have to have their house in order, especially by November 1st." "Our advisory teams are recommending integrated enterprise solutions alongside software tools such as Norkom Technologies, Memento and Actimize to mitigate these specific compliance and eCrime business problems," Higgins said.

Just as the financial institutions have their hands full with ID theft, so do the health care and medical sectors:

To be sure, the most recent data available suggests medical ID theft affects a relatively small number of people. In 2005, more than 8 million Americans were victims of identity theft, and 3% of them, or about 249,000, had their personal information misused for the purpose of obtaining medical treatment, supplies or services, according to a 2006 study from the Federal Trade Commission.

But state and national lawmakers are beginning to take notice. Starting this year, California extended its security breach law to require companies that handle medical and health-insurance information to notify people when the security of their medical data has been compromised.

In May, the U.S. Health and Human Services Department's Office of the National Coordinator for Health Information Technology awarded a $450,000 contract to Booz Allen Hamilton to study the extent of the nation's medical identity theft problem.

The last to know?

Victims often realize they have a problem when they receive their insurer's explanation of benefits for services they never received, collections companies come calling for charges they didn't incur or their credit report shows changes, Dixon said.

"Right now where we are with medical identity theft is where we were at the beginning of financial identity theft," she said. "We're starting at square one with this crime. The good news here is financial identity theft laws are going to help these victims for debt collection and credit report issues."

18 August 2008

Risky Business: Global Cyberwarfare...

OPEN SOURCE WARFARE: Cyberwar is here to stay. Think about the leverage. Imagine the impact on global commerce from the Board of Directors' perspective. Is it possible to disrupt business operations on a regular or targeted basis? The Russia-Georgia digital conflict started on the Internet and has spread to Atlanta, GA, USA, where the Georgian President's web site has been relocated.

John Robb sums this up nicely. Transnational eCrime is being fueled by knowing individuals and governments that:

  • Engage, co-opt, and protect cybercriminals.
  • Seed the movement.
  • Get out of the way.

We have heard the term "plausible deniability" in years past when a world event occurs and somehow the proof is just too far from reach. Those days are soon to be over as new mechanisms are integrated with diplomacy and defense leadership to provide the evidence necessary to identify culpable entities.

One such exploit kit has been out there for months and is being perpetuated by the transnational crime syndicates' use of tools such as NeoSploit:

One obvious fact is that Web exploitation toolkits are only going to get more professional and advanced. Some sources state that a NeoSploit kit sells for $1,500-3,000 USD, based on the features requested. For that kind of money, the developers behind these packages have every incentive to make their product as tamper-resistant and full featured as possible, trying to extend life not only to their own exploits (evading detection and analysis), but also to the creations of the virus writers who utilize them.

The business longevity of your organization and its ability to remain resilient in the face of cyber-warfare depend upon your ability to provide countermeasures and on the effectiveness of your digital counterterrorism strategy execution. Without these in place, your organization faces the inevitable aftermath of any conflict in which you are too close to the action.

Attacks by Russian hackers against Georgian Web sites, including one hosted in the United States, continued Tuesday even as Russian President Dmitri Medvedev ordered a halt to hostilities against Georgia.

Tom Burling, acting chief executive of Atlanta-based Web-hosting firm Tulip Systems Inc., said the Web site of the president of Georgia was the target of a flood of traffic from Russia aiming to overwhelm the site. Burling said bogus traffic outnumbered legitimate traffic 5000 to 1 at president.gov.ge.

"Literally, our people aren't getting any sleep," Burling said.

Tulip's firewall was blocking most of the malicious traffic. The site has been periodically inaccessible, though it was working midday Tuesday. Burling said the attacks have been reported to the FBI.

The transnational UNSUBs (unknown subjects) may be beyond the reach of the legal systems of these nation states. Or are they?
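The Tulip Systems account above describes a volumetric flood in which bogus requests outnumbered legitimate ones 5000 to 1 and the firewall blocked most of it by source. As an added example (not code from the original post, from Tulip Systems or from any vendor named here), the script below shows the kind of detection logic a hosting operator runs over web-server access logs to find flood sources and measure that ratio: it parses Common Log Format lines, computes each source's peak request count inside a sliding time window, flags sources over a threshold, and reports the bogus-to-legitimate ratio. The log lines are constructed for the example and use RFC 5737 documentation addresses; the window size and threshold are illustrative assumptions, not values taken from the incident.

```python
"""Rate-based flood detection over web-server access logs (added example).

Sample log lines are constructed; IPs come from the RFC 5737 documentation
ranges. Window and threshold values are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.
# 198.51.100.7 - - [12/Aug/2008:13:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window_s=10, threshold=50):
    """Return {ip: peak_requests_in_window} for sources whose peak request
    count inside any `window_s`-second window exceeds `threshold`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec["ts"])
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(stamps):          # two-pointer sliding window
            while (t - stamps[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders


def bogus_to_legit_ratio(lines, offenders):
    """Requests from flagged sources divided by requests from everyone else."""
    bogus = legit = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ip"] in offenders:
            bogus += 1
        else:
            legit += 1
    return float("inf") if legit == 0 else bogus / legit


# ---- constructed sample traffic (not real logs) ----------------------------
BASE = datetime(2008, 8, 12, 13, 0, 0, tzinfo=timezone.utc)


def _line(ip, t, path="/"):
    return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def constructed_sample():
    """Three browsing visitors plus two flood sources, all constructed."""
    lines = []
    for n, ip in enumerate(["198.51.100.7", "198.51.100.8", "198.51.100.9"]):
        for k in range(5):                        # one request every 12 s
            lines.append(_line(ip, BASE + timedelta(seconds=12 * k + n), "/news"))
    for s in range(10):                           # 60 req/s for 10 s
        lines += [_line("203.0.113.9", BASE + timedelta(seconds=s))] * 60
    for s in range(30):                           # 20 req/s for 30 s
        lines += [_line("203.0.113.10", BASE + timedelta(seconds=s))] * 20
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    flagged = detect_floods(sample)
    for ip, peak in flagged.items():
        print(f"flood source {ip}: {peak} requests in a 10 s window")
    print(f"bogus:legit = {bogus_to_legit_ratio(sample, flagged):.0f}:1")
```

The peak-in-window measure is what makes the rule useful against bursty floods: a source that sends 600 requests in ten seconds is flagged even if its daily total looks modest, while a normal visitor never accumulates more than a handful of requests in any window. Feed `detect_floods` real log lines and the flagged addresses are the ones to hand to the firewall.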

11 August 2008

ESI: Federal Civil eDiscovery...

The San Francisco DA's "Operational Risk" factors have spiked now that the office has released, in public court documents, the passwords for the city's internal VPN.

The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's virtual private network. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case of Terry Childs, who is accused of holding the city's network hostage by refusing to give up administrative networking passwords. Childs was arrested July 12 on charges of computer tampering and is being held in the county jail.

Mr. Childs is a good example of the "Insider Threat" that any savvy CSO has on their mind today. As a result of the case evidence being gathered and the eDiscovery involved in proving the case in court, the City of San Francisco now has additional exposures. It is a system administration nightmare unless the city has already implemented controls such as multi-factor authentication and encryption of sensitive personally identifiable information or classified data; either way, every credential that appeared in the filing has to be treated as compromised and rotated.

Childs faces four felony counts of computer network tampering and one penal-code violation for causing losses in excess of $200,000. He has pleaded not guilty but remains in custody in lieu of $5 million bail.

The ordeal has spurred the city's IT department to bolster network oversight and to consider hiring outside auditors to monitor a security upgrade. City officials also will review all access to its FiberWAN network, the hub through which payroll, e-mail and criminal files flow.

It has also persuaded other cities to scrutinize their own systems.

As more cases like this one enter our legal system, it is imperative that attorneys for both the prosecution and the defense realize the implications of their search for justice. The identities of people who may be witnesses in an upcoming trial are as sensitive as the IDs and login credentials of city employees and officials. As these types of cases become more prevalent, there will be new procedures and controls invoked by judges who have learned their lesson about releasing sensitive information such as network passwords into the public record.
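One of the controls the paragraph above anticipates is a pre-filing check that catches credentials before an exhibit reaches the public record. The script below is an added example (not code from the original post, the court, or the City of San Francisco): it scans a document for two shapes in which passwords typically appear in exported material, a labelled pair such as "login: x password: y" and a delimited table whose header row names a password column, reports each finding with its line number, and produces a redacted copy. The exhibit text is constructed for the example and the usernames and passwords in it are invented placeholders.

```python
"""Pre-filing credential scan and redaction (added example).

The sample exhibit is constructed; the accounts and passwords in it are
invented placeholders, not material from any real filing.
"""
import re

# "login: x password: y", "username=x, pass=y", and similar labelled pairs
LABELLED = re.compile(
    r'(?i)\b(?:user(?:name)?|login)\s*[:=]\s*(?P<user>\S+)'
    r'[\s,;]+(?:pass(?:word)?|pwd)\s*[:=]\s*(?P<pw>\S+)'
)
PW_HEADERS = ("password", "passwd", "pwd")
USER_HEADERS = ("user", "username", "login")
CELL_SPLIT = re.compile(r'[,\t|]')


def find_credentials(text):
    """Return [(line_no, username, password), ...] for every credential found.

    Table mode starts when a delimited header row names a password column
    and ends at the next blank line.
    """
    found = []
    pw_col = user_col = None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            pw_col = user_col = None          # a blank line ends a table
            continue
        m = LABELLED.search(line)
        if m:
            found.append((no, m.group("user"), m.group("pw")))
            continue
        cells = [c.strip() for c in CELL_SPLIT.split(line)]
        lowered = [c.lower() for c in cells]
        if any(h in lowered for h in PW_HEADERS):
            pw_col = next(i for i, c in enumerate(lowered) if c in PW_HEADERS)
            user_col = next((i for i, c in enumerate(lowered) if c in USER_HEADERS), None)
            continue
        if pw_col is not None and len(cells) > pw_col and cells[pw_col]:
            user = cells[user_col] if user_col is not None and len(cells) > user_col else ""
            found.append((no, user, cells[pw_col]))
    return found


def redact(text, findings):
    """Return a copy of `text` with each found password replaced."""
    lines = text.splitlines()
    for no, _user, pw in findings:
        lines[no - 1] = lines[no - 1].replace(pw, "[REDACTED]")
    return "\n".join(lines)


def safe_to_file(text):
    """True only when the scan finds nothing; the gate a clerk would run."""
    return not find_credentials(text)


# ---- constructed sample exhibit (invented accounts, not a real filing) ------
SAMPLE_EXHIBIT = """EXHIBIT A (constructed sample, not the real filing)
Remote access accounts exported from the VPN concentrator:

Department,Username,Password
Public Works,pw-admin,Tr0ub4dor&3
Assessor,assessor01,correct horse battery

Engineer's note: legacy router login: netops password: r0uter-legacy
Case summary continues on the next page.
"""

if __name__ == "__main__":
    hits = find_credentials(SAMPLE_EXHIBIT)
    for no, user, pw in hits:
        print(f"line {no}: user={user!r} password present ({len(pw)} chars)")
    print("safe to file:", safe_to_file(SAMPLE_EXHIBIT))
    print(redact(SAMPLE_EXHIBIT, hits))
```

The scan is deliberately noisy in the direction of false positives: a filing that trips it gets a human look before it goes out, which is far cheaper than the rotation exercise the city faced after the fact. Redaction is a fallback for the document; the credentials themselves still have to be rotated once they have left the building.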

So What! What does Operational Risk have to do with a criminal case? What would eDiscovery have to do with this? Where do you think they got all of these passwords? Inside a paper notebook sitting on a shelf?

In a case that did not receive a lot of publicity, the Court in United States v. O'Keefe, 537 F. Supp. 2d 14, 18-19 (D.D.C. 2008) applied the federal civil eDiscovery amendments to a federal "criminal" case. This was a significant decision in that DOJ's federal prosecutors (over 4,000), defense counsel, and others now have some guidance from a federal magistrate regarding ESI in the criminal area. The Court stated:

In criminal cases, there is unfortunately no rule to which the courts can look for guidance in determining whether the production of documents by the government has been in a form or format that is appropriate. This may be because the "big paper" case is the exception rather than the rule in criminal cases. Be that as it may, Rule 34 of the Federal Rules of Civil Procedure speaks specifically to the form of production.

The Federal Rules of Civil Procedure in their present form are the product of nearly 70 years of use and have been consistently amended by advisory committees consisting of judges, practitioners, and distinguished academics to meet perceived deficiencies. It is foolish to disregard them merely because this is a criminal case, particularly where, as is the case here, it is far better to use these rules than to reinvent the wheel when the production of documents in criminal and civil cases raises the same problems.

02 August 2008

People Risk: Protective Security Professionals...

How long does it take for a lethal attack to occur against an at-risk person? Just 2 Seconds is the latest book by Gavin de Becker. Along with his long-time colleagues Tom Taylor and Jeff Marquart, he documents how to use time and space to defeat adversaries.

There are some compelling insights gained from their research:

  • In the US, attacks are most likely to be undertaken by lone assailants (87%), whereas outside the US attacks are typically the work of multiple assailants (71%).
  • Attacks in the US are about as likely indoors (53%) as outdoors (47%).
  • However, 64% of attacks happen when the protected person is in or around the car, and 77% of these attacks are successful.

Most of these happen within a distance of 25 feet or less, using a handgun. Corporate executives and their Protective Security Details (PSDs) already know these statistics and have trained together for these increasing risks. Many have adopted the LADDER model from the Gavin de Becker & Associates training academy.


The study of the motives and the psychology of why these actors pick their targets and choose the time and place has become a science. The methods and tools that assist corporate security with predictive analytics require a substantial baseline of historical data and real-world experience. Over 20 years ago Gavin de Becker and his team developed the MOSAIC Threat Assessment system. It is now in use with dozens of police and government agencies to help authorities and Protective Security Details be more proactive and preemptive.

Protective Security Specialists today are certified professionals who combine intelligence with the attributes of Time, Mind and Space to provide safe and secure travel for their clients. The science and the art have converged to provide a fusion of data, strategy and ad hoc tactics to ensure the mission is completed without incident. In the state of Virginia, for example, the training is extensive and follows a rigorous certification process that begins with:

  1. Administration and Personal Protection Orientation - 3 hours

  2. Applicable Sections of the Code of Virginia and DCJS Regulations - 1 hour

  3. Assessment of Threat and Protectee Vulnerability - 8 hours

  4. Legal Authority and Civil Law - 8 hours

  5. Protective Detail Operations - 28 hours

  6. Emergency Procedures - 12 hours
    • CPR
    • Emergency First Aid
    • Defensive Preparedness

  7. Performance Evaluation - Five Practical Exercises

Golden Seal Enterprises is just one of the certified training schools providing the core and advanced work for becoming a PSS professional in Virginia:

Course Description: Using proven protective detail models, drawn from the real-world experience of GSE’s cadre of EP, PSD and PPS instructors, students will learn to use a proactive process to prevent threats while maintaining the ability to use reactive skills when a threat is present. This is designed to enable students to operate in self-supporting details but will also encompass interfacing with other details, law enforcement, and other security personnel.

Graduates will be able to provide a secure environment for a client through identifying and controlling potential risks while the client is on foot, in a vehicle, or within a structure in dynamic situations. Graduates will also learn procedures to control the effects of unusual incidents in a professional manner to maintain the client's safety and image and a consistent proper working relationship with the client, client's family, and staff. The course content includes classes and discussions as applied to permissive and semi-permissive environments. Includes VA DCJS 32E certification.

Topics Covered: Protective Operations, Terminology, Case Studies, Advances, Detail Organization, Formations, Route Surveys, Surveillance Detection, Communication & Equipment, Transportation, Vehicle Dynamics, Evasive Maneuvers, Motorcades, Vehicle Search, Technical Security, Details Abroad, Protective Detail Firearms, Assassinations, First Responder Medicine, CPR & AED Certifications and Defensive Tactics.

The profession doesn't stop there. Some risk management firms that have these certified individuals on staff go much further in their training and their vetting of employees. We agree, and recommend that you add these questions to your due diligence when issuing Requests for Proposal:

  • Review all policy documents the firm has its personnel sign to become a PSS on staff.
  • Review the firm's hiring process and the prerequisites to join the firm.
  • Review the operational standards and operating procedures to ensure 24 x 7 x 365 capabilities.
  • Review the third-party agreements that encompass any transportation and private aviation suppliers (e.g., NetJets).
  • Review the firm's technology and communications infrastructure, including radios, information systems security controls and privacy countermeasures.

The profession has come a long way, and firms like Gavin de Becker & Associates have established the baseline against which others compete. High net worth individuals, movie stars, public officials and corporate executives have much at stake and require comprehensive strategy execution.

Think of every assassination you've ever heard about. For most people, a few of these major ones come to mind: Caesar, Abraham Lincoln, John Kennedy, Martin Luther King, Mahatma Gandhi, Indira Gandhi, Anwar Sadat, John Lennon, Israel’s Prime Minister Rabin, Pakistan’s Benazir Bhutto.

From start to finish, all of these attacks — combined — took place in less than one minute. And the hundreds of attacks studied for this book, all of them combined, took place in less than a half-hour. Those thirty minutes, surely the most influential in world history, offer important insights that can help today’s protectors defeat tomorrow’s attackers.