25 June 2008

Transnational eCrime: Leaderless Networks...

Transnational crime and the multi-phase process of Collection, Monetization and Laundering is no better illustrated than in this Citibank case of the past year. This week more arrests have occurred as the informants' intelligence has been used to capture those who are part of this international criminal network. Kevin Poulsen at Wired writes:

The FBI has recently made at least six more arrests in New York -- bringing the total to 10 -- thanks to information from arrested scam suspects, a lucky traffic stop, and an undercover operation that at one point had Eastern European hackers chasing a female FBI agent through the streets of New York, trying to mug her for ATM-card-programming gear. Six months after the 2007 breach, Wired.com is receiving scattered reports of Citibank customers still suffering mysterious withdrawals from their bank accounts.

The FBI believes the brains behind the operation is a Russian man, who's receiving the lion's share of the profits through international wire transfers and online-payment systems. While Citibank and federal officials are being closed-mouthed about the PIN theft and the ensuing fraud, the Citibank heist provides a rare look at how a single high-value breach reverberates through the international "carding" community of bank-card fraudsters. What's more, neither Citibank nor the third-party transaction processor involved in the breach has warned consumers to watch for fraudulent withdrawals, raising questions about the disclosure policies in the financial industry.

The case is unfolding in the media and the finger pointing will continue over where the breach occurred. Was it on a Citibank network, or at an outsourced third-party supplier to 7-Eleven, the retailer that operates the stores where the ATMs are located? ID theft is not the real issue here so much as a bold database hack of accounts and PINs and the counterfeiting of ATM cards.

This facet of Operational Risk is another lesson learned about the safety and security of customer data, especially when it is outside your own corporate domain. Service Level Agreements (SLAs) are too often the only item consistently presented as evidence of due diligence in auditing a third-party processor of customer data. Actual physical audits are few and typically are not done on a rigid schedule. Resources and funding are the excuse more often than a total lack of oversight.

Transnational crimes such as piracy, illegal trafficking of drugs and humans, counterfeiting, and intellectual property theft or espionage are not new to the Operational Risk Managers of global enterprises and international organizations. What the financial motivations are and where the proceeds are going is potentially the greatest challenge on any investigator's agenda. Where does it all lead? What does the target plan to do with the money gained from these illegal activities and incidents?

The answer is that there is no single target. The target is a network. And like a starfish, it can reconstitute itself from any severed part; there is no brain. Douglas Farah captures the thinking on why leaderless networks are a continuous threat:

Any one piece of the leaderless network can reconstitute itself with little difficulty, without waiting around for someone to give an order and for that order to move down the chain of command.

Clearly, it seems, there are better and worse individuals within the network, and taking out the really good ones takes something of a toll. And leaderless groups are not highly efficient. But they survive.

If you have a system of enterprising freelance operations acting on impulses (the urge for profit, the urge to carry out attacks, the urge to acquire weapons etc.), these impulses will overlap. The actions will be taken to benefit all parties, and the networks can thrive with no one person making the important decisions.

This strikes me as perhaps the most dangerous mutation that both organized crime groups and terrorist groups (particularly Islamist terror groups, who seem more adept at moving through nerve impulses, without specific orders, than most) can take.

Successfully countering these groups and their growing reach will require a radical new assessment of both strategy and tactics in the military, intelligence community and law enforcement. But that will require a willingness to dump old assumptions and paradigms, something that has not really happened since 9-11.

18 June 2008

ESI: The Economics of Litigation...

The operational risk and complexity of eDiscovery is increasing and the economic impacts are becoming a Board Room topic of debate. This study from RAND by James N. Dertouzos, Nicholas M. Pace, and Robert H. Anderson opens up some of the serious implications of Electronically Stored Information (ESI) as it pertains to this research:

Business litigants display a mix of optimism and concern about the impact of the new federal rules on e-discovery that went into effect in December 2006. To some extent, the balkanization that marked federal decisions in this area is likely to be reduced, but the core concerns over uncertainty about what are reasonable steps to take in advance of and during litigation remain. Thus, it is apparent that further clarification and development of e-discovery rules that promote efficiency and equity for both defendants and plaintiffs are required. For example, the new federal rules require early and full disclosure of IT systems, but interviewees noted that many lawyers are unfamiliar with the modern and continuously evolving hardware, applications, and internal record-keeping practices of their clients. Lawyers risk significant sanctions for failing to properly carry out e-discovery duties that they may not be equipped to handle. Even technologically savvy attorneys voiced concerns that providing opposing parties with detailed IT “roadmaps” as envisioned under the new rules would lead to discovery demands designed solely to drive up costs. And as corporate clients increasingly move toward internalizing collection, review, and production tasks in order to limit litigation costs, their outside counsel may find themselves with reduced control over the process but nevertheless still vulnerable to sanctions.

Lawyers who are modernizing their document review are partnering with new boutique firms to accomplish this, because those firms have the tools and the technology subject matter expertise. However, these efforts may be increasing the cost of litigation to corporate clients even though the automation and outsourcing are enhancing the review and relevancy process. This is because the lawyers are still charging their clients for manual review by associates in the firm, who in most cases bill by the hour at rates in excess of $300/hr.

eDiscovery and the costs and benefits of litigation are a constant dialogue on the golf course, the skybox and the private rooms of fine dining in New York, Washington, DC and most major metro areas. The reason has to do with the "Mathematics of Litigation".

The previous discussion makes it clear that e-discovery, by changing costs, creating new risks, and altering the flow of information, could alter litigant incentives to file suit, settle cases, and go to trial. For example, several interviewees claimed that the significant burdens of e-discovery outweighed the benefits of going to trial, especially in low-stakes cases. Thus, they were fearful of an increase in lawsuits of questionable merit in which defendants would settle rather than incur the costs of discovery. Viewed from another perspective, plaintiffs may choose to settle cheaply, dismiss their own cases, request less, or refrain from filing in the first place if their own costs of discovery (whether as producer or requestor) overwhelm the value of their claims.

The trend line for eDiscovery is clear. Corporations are bringing the eDiscovery mechanism in-house and are integrating the legal department with savvy staff in the IT ranks. Outside counsel will remain a key part of the litigation process but is quickly being asked to take more traditional roles in the case. Outsourcing the automation tasks to the law firm will only increase the complexity and the potential liability of ESI-related episodes or incidents.

06 June 2008

Critical Infrastructure Resiliency: + The Lone Wolf...

The convergence of law enforcement and homeland security professionals this week at the US CERT GFIRST conference was apparent. The agenda was full of topics and training focused on the protection of our critical infrastructures and new asymmetrical threats:

"Securing cyberspace has become a national priority. In The National Strategy to Secure Cyberspace, the President’s Critical Infrastructure Protection (CIP) Board identified several critical infrastructure sectors:

• banking and finance
• information and telecommunications
• transportation
• postal and shipping
• emergency services
• continuity of government
• public health
• food
• energy
• water
• chemical industry and hazardous materials
• agriculture
• defense industrial base

The National Strategy to Secure Cyberspace emphasizes the importance of public/private partnerships in securing these critical infrastructures and improving national cyber security. Similarly, one focus of the Department of Homeland Security is enhancing protection for critical infrastructure and networks by promoting working relationships between the government and private industry. The federal government has acknowledged that these relations are vital because most of America’s critical infrastructure is privately held."

The InfraGard National Congress was held on the first day of the conference and was well attended, with representatives from 86 chapters and over 25,000 members. These citizen soldiers are focused on working in the local metro areas to assist private sector partners in their CIP activities.

We realize that there are many facets of CIP, yet where should we be allocating resources? The vigilance required within our organizations has not changed, and it is based upon previous studies done by CERT and the US Secret Service:

Insider Characteristics

The majority of the insiders were former employees.

• At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.

• The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%).

Most insiders were either previously or currently employed full-time in a technical position within the organization.

• Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor.

• Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.

Making sure that you have a robust workplace awareness program is one key component in addressing the "Insider Threat".

The magnitude of the interdependencies of our critical infrastructures hit home this past week in the Washington, DC National Capital Region. Strong thunderstorms, tornadoes and severe weather dealt the region another lesson in our vulnerabilities. More importantly, the timing may have been the perfect launch point for other malfeasance from non-state actors who lie in their "Lone Wolf" mode waiting to strike.

Further, the networks of our global superinfrastructure are tightly “coupled”—so tightly interconnected, that is, that any change in one has a nearly instantaneous effect on the others. Attacking one network is like knocking over the first domino in a series: it leads to cascades of failure through a variety of connected networks, faster than human managers can respond.

The potential asymmetric attacks that are being planned may have specific triggers such as natural hazards or other Mother Nature mischief. Imagine the following scenario after the chaos a few massive thunderstorms created in the suburbs of Washington, DC:

Another growing threat to our cities, commonest so far in the developing world, is gangs challenging government for control. For three sultry July days in 2006, a gang called PCC (Primeiro Comando da Capital, “First Command of the Capital”) held hostage the 20 million inhabitants of the greater São Paulo area through a campaign of violence. Gang members razed police stations, attacked banks, rioted in prisons, and torched dozens of buses, shutting down a transportation system serving 2.9 million people a day.

The gangs’ rapid rise into challengers to urban authorities is something that we will see again elsewhere. This dynamic is already at work in American cities in the rise of MS-13, a rapidly expanding transnational gang with a loose organizational structure, a propensity for violence, and access to millions in illicit gains. It already has an estimated 8,000 to 10,000 members, dispersed over 31 U.S. states and several Latin American countries, and its proliferation continues unabated, despite close attention from law enforcement. Like the PCC, MS-13 or a similar American gang may eventually find that it has sufficient power to hold a city hostage through disruption.

And while the scenario could be well contained by calling out the National Guard, the timing could create opportunities for the "Black Swan" outlier inside your enterprise:

"A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company’s manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software. Following the system administrator’s termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company’s server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees." U.S. Secret Service and CERT Coordination Center/SEI Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors

It's never too early to plan for the unimaginable all happening in the same geography and the same time frame. These mock scenarios are the beginning of public/private coordination and exercises for "Enabling Critical Infrastructure Resiliency" in the NCR.