31 July 2009

Red Flags Rule: Reputations at Stake...

The "Red Flags Rule" is on the back burner in the United States until November 1, 2009. The Federal Trade Commission has delayed the compliance mandate again. Are you ready? Do you have to comply?

The Federal Trade Commission has postponed a deadline for many of the nation's businesses -- including banks, public utilities and health-care providers -- to comply with a controversial identity-theft prevention program.

The program, called the "Red Flags Rule," was to take effect Aug. 1 but will now be delayed until Nov. 1. The program is aimed at preventing the loss of billions of dollars as the result of the theft of consumer and taxpayer personal information. Under the regulation, companies and institutions would be required to establish a way to identify potential threats at the businesses, find ways of detecting such threats and install measures to prevent them. Employees would also have to be educated about the programs.

A survey commissioned in 2006 by the FTC revealed that more than nine million Americans have their identities stolen each year at a total estimated loss of $15.6 billion.

The nation is under a barrage of attacks from adversaries that lie in the shadows such as "Conficker" and other botnets or malware and business still delays the compliance measures asked of them. One only has to look deeply into the latest 2009 report from CISCO to better understand the state of risk from "Transnational Economic Crime":

Report Highlights

  • Criminals are exploiting traditional vulnerabilities because they believe security experts and individual users are paying little attention to these types of threats.
  • Compromising legitimate websites for the purpose of propagating malware remains a highly effective technique for criminals.
  • Web 2.0 applications, prized for their ease of use and flexibility, have become lures for criminals.
  • Criminals are now targeting online banking customers using well-designed, localized text message scams that leave virtually no trail in their wake.
  • The Obama administration has made strengthening U.S. cybersecurity a high priority, and plans to meet threats by using technological innovations and partnering with the private sector. Other countries are similarly increasing efforts to enhance cybersecurity and prevent cybercrime.
  • Compared to 2008, the number of vulnerabilities and discrete threats has not risen as quickly. According to research by Cisco, this is a clear sign that the security community is succeeding in making it more difficult for attacks to take root and grow.

Operational Risks are vast and the technology landscape is not getting more narrow, it is expanding. Cloud Computing is now the latest attempt to get cost savings and to make the IT puzzle less of an asset management nightmare. If you think that you understand it and where it's heading, think again. One only has to visit "Black Hat" and the briefings to get a better sense of what the true risks are going to be if not already. This one caught our eye and for good reason:

Nitesh Dhanjani

Psychotronica: Exposure, Control, and Deceit

This talk will expose how voluntary and public information from new communication paradigms such as social networking applications can enable you to remotely capture private information about targeted individuals.

Topics of discussion will include:

Hacking the Psyche: Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware.

Techniques on how individuals may be remotely influenced by messaging tactics, and how criminal groups and governments may use this capability, including a case study of Twitter and the recent terror attacks in Bombay.

Reconnaissance and pillage of private information, including critical data that the victim may not be aware of revealing, and that which may be impossible to protect by definition.

The goal of this presentation is to raise consciousness on how the new paradigms of social communication bring with it real risks as well as marketing and economic advantages.

The risks to "Social Networking" Twitter-based consumers and the extended digital enterprise are vast. The CISO's and internal audit teams have been having their own internal battle for years and will soon realize that once and for all, they are on the same side of the Cyberspace war. The risks to the organization may come in the form of a major business disruption, denial of service (DOS) or even worse, a significant loss of consumer Personal Identifiable Information (PII). Even if you are considered PCI compliant just as "Network Solutions" was, the loss of reputation can be significant:

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned.

Herndon, Va. based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.

The "Red Flag" may have turned to a "White Flag" as you surrender to the lawyers and the federal oversight.

17 July 2009

FCPA: Modern Day "Smoking Gun"...

Corporate malfeasance is on the mind of most global executives today. Their enterprise is consistently fighting the economic challenges and at the same time defending it's reputation as new "Smoking Guns" are revealed. Perhaps these modern day discoveries of wrong doing should be renamed "Smoking Digital Evidence" because this is exactly what it is. Information uncovered through normal monitoring practices or as the result of a specific investigation produces "Red Flag" alerts based upon acceptable use policy or corporate rule sets.

These "Red Flags" uncovered in the context of programs devoted to processing digital evidence is now a standard Modus Operandi for corporate governance, legal and operations risk management. These new tactical business units are being developed in a rapid response to new regulatory and compliance mandates yet the greater pressure is coming from the wake-up calls senior executives have been receiving lately.

The Justice Department's probe of the credit default swaps market is reportedly focusing on Markit Group Holdings Ltd., the London-based supplier of prices in OTC derivatives, and its relationship to a group of major banks that own a stake in the company. The DOJ is scrutinizing the ownership of Markit by a group of banks that control a large amount of pricing in the $28 trillion credit derivatives market.

The banks have received a notice of investigation from the DOJ asking them for details on their trading activity, including how much they have at risk in the market and their monthly value of their credit default swaps, according to Bloomberg News. Banks that own the largest stakes in Markit, include: J.P. Morgan, Bank of America (through its acquisition of Merrill Lynch), Deutsche Bank, Royal Bank of Scotland which acquired ABN Amro, as well as Credit Suisse, Goldman Sachs, Morgan Stanley and UBS, according to Bloomberg News.

"The DOJ is looking to find any wrongdoing in that marketplace," commented Paul Zubulake, senior analyst at Aite Group in an interview with Wall Street & Technology. "Obviously that is going to open up a large can of worms," he said. "It will be costly for the dealers that have to battle the DOJ given the discovery issues, about all the information, emails and instant messages they will need to turn over."

Digital Forensics, Records Management and eDiscovery units at some of the largest financial institutions are working overtime. Finding any "Smoking Digital Evidence" will be the standard operating procedure on most international transactions whether it be in the financial services industry or even telecommunications:

Good news for compliance officers: You now have solid evidence that the benefit of implementing an effective compliance program far outweighs the cost, in the form of the massive Foreign Corrupt Practices Act settlements swallowed by Siemens AG and three of its foreign subsidiaries.

Siemens, a German conglomerate that is one of the largest engineering firms in the world, agreed in December to pay more than $1.6 billion to U.S. and German regulators for a massive bribery scheme that felled the highest executives at the company. Penalties paid to the Justice Department and Securities and Exchange Commission alone topped $800 million, by far the largest sanction ever imposed in an FCPA case.

In the following excerpt, Linda Chatman Thomsen speaks on the massive Siemens investigation: "Furthermore, the $1.6 billion total that Siemens will pay in these settlements is the largest amount that any company has ever paid to resolve corruption-related charges.

And that is fitting because the alleged conduct by Siemens was egregious and brazen. It was systematic, it involved thousands of payments, and it occurred over an extensive six-year period. Siemens created elaborate payment schemes to conceal these corrupt payments to foreign officials. The company’s inadequate internal controls allowed the conduct to flourish.

The details tell a very unsavory story: employees obtained large amounts of cash for Siemens’ cash desks; employees sometimes carried that cash in suitcases across international borders to pay bribes; payment authorizations were recorded on post-it notes that were later removed to avoid leaving any permanent record; there were slush funds and a cadre of consultants and intermediaries to facilitate paying the bribes.

Investigating this intricate scheme and righting Siemens’ wrongs has taken a remarkable and unprecedented level of coordination among many law enforcement agencies around the world."

The internal threat of employees, partners and so called in-country agents who help facilitate business deals is one square in the risk management matrix. The business transactions themselves are becoming part of the Venn Diagram that includes:

  • Business & Global Commerce
  • Personnel Security & Integrity
  • Rule of Law & Litigation
As global institutions continue their expansion across the continents where capital follows security and the rule of law, so too will the attacks on the corporate enterprise.

09 July 2009

Trusted Systems: Human Factors in Play...

The case is U.S. v. Dreier, 09-cr-00085, U.S. District Court, Southern District of New York (Manhattan). It's only the beginning of a long hard road for many unidentified subjects (unsubs) as the fall out from the U.S. Economic crisis uncovers who was stealing others peoples money for their own fraudulent schemes.

Marc Dreier, the New York law firm- founder who pleaded guilty to defrauding hedge funds of more than $400 million, should be sentenced to 145 years in jail, prosecutors said, as a defense lawyer sought a term of as little as 10 years.

The rival requests came in court filings today in federal court in Manhattan. Dreier will be sentenced on July 13 by U.S. District Judge Jed Rakoff. Investors who placed more than $740 million with Dreier lost at least $400 million, lawyers said.

Operational Risks associated with 3rd party suppliers is a continuous concern. Effective due diligence with partners and service providers is a necessary task, on a quarterly basis. Many institutions leave it up to the service level agreement (SLA) or the written contract to be the monitor. To their demise, written words on a contract are not enough. Especially, when the partners are the lawyers themselves.

New York prosecutors on Wednesday said 13 people and a mortgage origination company have been indicted on charges of running a multimillion-dollar real-estate fraud that cheated lenders through sham sales.

The defendants include employees at the Long Island, New York-based mortgage company AFG Financial Group Inc, several attorneys and other defendants, according to Manhattan District Attorney Robert Morgenthau.

The investigation is continuing, and Morgenthau said the size of the scheme could eventually total $200 million.

One lawyer accused of engaging in fraudulent transactions was involved in transactions adding up to more than $100 million, Morgenthau said.

Lenders who were victimized in transactions made by that one lawyer included New Century Mortgage Corp, WaMu/Long Beach Mortgage Co, Countrywide Financial, First Franklin Financial Corp and Mortgage Network USA Inc.

The financial services sector will continue to be a quagmire for transactions for decades to come. The due diligence, fact checking and assurance that the "Deal" is a solid one will continue to under go a tremendous burden on all parties. The consumer, the lender and the underwriters.

The human factors associated with crimes such as fraud are well known. The study of the "Ponzi Scheme" has been a text book case for study in business schools for years. What may not have been so obvious is the science behind the human motivators. And maybe not even noticeable, is how accustomed the human is to trusting the automated world we live in. The fact that computers calculate what we have purchased in the retail store is one of the first trusted information scenarios we grow up with. How many people actually add up all of the dozens of items in their grocery cart, calculate the tax and any discounts to see if the Point of Sale (POS) system has done it's math correctly?

So what is Human Factors Science?

Human factors are sets of human-specific physical, cognitive, or social properties which either may interact in a critical or dangerous manner with technological systems, human natural environment, or human organizations, or they can be taken under consideration in the design of ergonomic human-user oriented equipments. The choice/identification of human factors usually depends on their possible negative or positive impact on the functioning of human-organization and human-machine system.

Did someone try to steal Goldman Sachs’ secret sauce?

While most in the US were celebrating the 4th of July, a Russian immigrant living in New Jersey was being held on federal charges of stealing top-secret computer trading codes from a major New York-based financial institution—that sources say is none other than Goldman Sachs.

The allegations, if true, are big news because the codes the accused man, Sergey Aleynikov, tried to steal is the secret code to unlocking Goldman’s automated stocks and commodities trading businesses. Federal authorities allege the computer codes and related-trading files that Aleynikov uploaded to a German-based website help this major “financial institution” generate millions of dollars in profits each year.

Trusted Systems and the information that flows from them is only as good as the programs that run them and the people who developed the millions of lines of code in the software. The trading systems at the NYSE, NASDAQ and Hang Seng Index are only as reliable as the calculations and the integrity of the systems themselves. When that trust is compromised in the trusted system, whether it be a program or a person, human factors take over.