14 September 2009

26 Wall Street: Risk Management Ground Zero...

Today President Obama speaks from the same place in Wall Street that the U.S. government has some of it's roots as a nation. The topic on this anniversary of the demise of Lehman Brothers is risk management. This ground zero of managing credit, market and operational risk in one of the financial capitals of the globe brings several topics to the discussion table. Liz Moyer makes the point:

It's been a year since the $600 billion bankruptcy filing of Lehman Brothers and the financial market meltdown that forced the government into a multitrillion-dollar rescue of the U.S. banking system.

But for all the talk and hand wringing (and billions in direct government equity stakes in major banks and loan and debt guarantees) there's also been little real progress on how, or if, Washington might regulate its way out of this kind of mess in the future. Don't expect that to change anytime soon, as markets become more, not less, complex and interconnected.

If the American public has witnessed substantial up hill battles with reform for health care, they can be assured that the "Financial Services" lobby will be even stronger. The regulation of institutions such as so called alternative investment firms (hedge funds) has many of them already leaving the U.S. for safer havens overseas. The trading will continue and the people behind the unique investment vehicles are getting even more creative. Investors are now buying up the pools of insurance products that have to payout upon peoples deaths. Life insurance settlements are being bundled and sold just as toxic mortgages and the bets are on with these products, just as they were with the housing market. Are people living longer or dying sooner? I guess that depends on where you live, what you eat and what your family history is.

The creativity of trading new and exotic products will continue and the watch dogs will have their hands full trying to figure out where to regulate and what agency should have the oversight. Free market capitalism as the regulator has already proven that it doesn't work. Consolidation of agencies that focus on the regulation and compliance enforcement of the financial services and investment industry is a tremendous risk in itself. The systemic root cause of the greed, compensation exploitation and the financial product innovation lies with some very smart people. The same people who can make a major difference in managing risk in their institutions going forward.

Regardless of the instruments that are invented for trading and the people who trade them, they all rely on one thing. Software and escalating requirements for more computing power, Terabytes and Petabytes of storage and the operational risks associated with information moving around the planet at almost light speed. Information and bits of data that can influence decisions on the buy or sell strategies, is only as good as the mathematics and the algorithms coded into software.

The oversight of future financial products and the ability to take new offers to the market must have people looking at the math and the code. The systemic risks that erupted in the world markets over a year ago are a result of a complexity of systems and the speed of change in our connected economy. All of the transparency, accountability and reform of compensation packages will not impact the zeros and ones that make up the sophistication of the trading markets.

A single consumer financial protection agency will make the consumer feel better that the government is looking after them. It will modify behavior in the innovation and it may even close the gaps in the current rule sets. However, the operational risks associated with the confidentiality, integrity and assurance of information will continue to rise. These risks are consistently displayed in the public press and websites such as the Identity Theft Resource Center:

There are currently two ITRC breach reports which are updated and posted on-line on a weekly basis. The ITRC Breach Report presents individual information about data exposure events and running totals for a specific year. The ITRC Breach Stats Report develops some statistics based upon the type of entity involved in the data exposure. Breaches are broken down into five categories, as follows: business, financial/credit, educational, governmental/military and health care. Other more detailed reports are generated throughout the year and posted on a quarterly basis.

It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted. The ITRC tracks five categories of data loss methods:

  • Data on the Move
  • Accidental Exposure
  • Insider Theft
  • Subcontractors
  • Hacking

Yet operational risks such as these are only a piece of the total risk management equations as it pertains to Wall Street, International Banking and the so called systemic risks talked about today as the Washington Post says:

Warning that "history cannot be allowed to repeat itself," President Obama urged Wall Street on Monday to help jump-start a stalled effort to overhaul the U.S. financial regulatory system and head off a potential reprise of the U.S. economic crisis.

Visiting New York on the first anniversary of the nation's biggest bankruptcy, Obama used a speech at Federal Hall at 26 Wall St., site of George Washington's 1789 inauguration, to rally support for regulatory reform and call on the financial community to take responsibility for avoiding the abuses and failures that led the nation into a financial crisis last year and triggered a global recession.

Our greatest threat is complacency as was indicated today in the context that we do nothing as a result of the failures of people, processes, systems and external events.

07 September 2009

Red Zone: Behavioral Analysis Interviews...

Industrial Espionage and the theft of trade secrets is on every Operational Risk Management executives mind these days. The recent milestone conviction under the Economic Espionage Act of 1996 in the United States marks the starting point for accelerated investigations by the counter intelligence and OPSEC units of major public and private organizations:

A former Rockwell and Boeing engineer from Orange County was remanded into custody this morning after a federal judge convicted him of charges of economic espionage and acting as an agent of the People’s Republic of China, for whom he stole restricted technology and Boeing trade secrets, including information related to the Space Shuttle program and Delta IV rocket.

How 250,000 pages of classified, proprietary and otherwise sensitive information was found under this employees house is a good question? What might be an even more interesting question is pertaining to the controls for OPSEC and INFOSEC at Boeing in Orange County, CA.

Information Operations (IO) or Information Security controls are only as good as the creativity and the will of the individual human being that exploits the vulnerabilities in the design, configuration or implementation of the layers of defense. This is why the counter intelligence and OPSEC capabilities within the enterprise must be ever vigilant and continuously adapting to the internal insurgency within the organization.

The Operational Risks that the OPSEC team is focused on these days has to do with data leakage prevention (DLP) and insider threat prevention and data exfiltration prevention capabilities. As companies such as Boeing and other Defense Industrial Base (DIB) institutions utilize the latest software, hardware and other technology to assist in the "insider" detection and prevention of stealing, changing or deleting sensitive information there still remains the risk of human factors and social engineering.

Sometimes the low tech or human designed detection systems that work on behavioral sciences can be just as effective as the newest software running on the fastest computer box. One example is "The Reid Technique" in the context of doing routine interviews and investigations with a set of "Red Zone" employees. Who are the red zone employees? Those individuals who have certain access to systems or information, leave the organization for involuntary reasons or people that may be 3rd party suppliers to the key people in the red zone. So how does the Reid Technique help?

The Reid Technique is a method of meeting, conferring with, and evaluating, the subjects of an investigation. It involves three different components — factual analysis, interviewing, and interrogation. While each of these are separate and distinct procedures, they are interrelated in the sense that each serves to help eliminate innocent suspects during an investigation, thereby allowing the investigator to focus upon the person most likely to be guilty.

Organizations spend thousands of dollars if not hundreds of thousands doing what are called background investigations. These are many times outsourced to 3rd parties to provide a level of comfort that the person they are going to hire is a person with integrity and has not committed any crimes or lives a lifestyle that is not commensurate with the policies and regulations of the organizations hiring and employment practices.

The Integrity Interview is a highly structured interview with a job applicant. The purpose for the interview is to develop factual information about the applicant's past behavioral patterns.

Specifically, the following areas are assessed during the interview:

Employment History
Theft and Related Activities
Work Related Alcohol Use
Violations of Company Policy
Recent Use of Illegal Drugs
Criminal Behavior

The philosophy behind the interview is very straightforward. The most accurate indicator of an individual's future behavior is their recent past behavior.

The same technique can be used on a departing employee with the emphasis on adherence to all "Acceptable Use" policies regarding digital assets and cyberspace access to organizational data repositories. Individuals who have the characteristics associated with deception could be the target of a further investigation to determine whether any unauthorized information has been sent to a webmail account or if a 4 GB Thumb Drive happened to be plugged into a corporate laptop the night before the last day on the job.

This low tech method may be one of the most effective means for industrial espionage. Old school methods with 21st century technologies. All of the detection hardware and software, CCTV cameras, tagged files or RFID countermeasure will not be able to thwart a diligent, patient and trusted insider. Utilizing Behavioral Interview Analysis can make the difference between early detection or late reaction.

And while the OPSEC group is working on the "Lone Wolf" insider, there are swarms of non-state attackers initiating their 4GW strategy on the cyberspace front of corporations and governments worldwide. Just ask Jeffrey Carr:

The Cyber Domain consists of inter-related threats (financial crimes, espionage, network warfare) that have traditionally been segmented off to different agencies with their own siloed areas of responsibility. What is needed, however, is a unified approach to collection and analysis that mimics the non-traditional, multi-faceted strategies used by non-state actors in both cyber and kinetic conflicts. Project Grey Goose was our proof-of-concept.

Economic espionage and attacks on nations states critical infrastructures requires a substantial shift in policy and taxonomy if we are ever going to be effective in defending ourselves. GreyLogic may be on the right track when it comes to educating those who need it so that they can make the leap to be "Wired for War." While the CEO's and the General's are being briefed on the latest facets of "Weaponizing Malware" we can only hope that OPSEC is conducting the behavioral analysis interview. A face to face encounter, with someone who may just be that one person, who has your most valuable intellectual property or trade secret in the brief case at their feet.

01 September 2009

Social Engineering: Duplicity of Twitter Risk...

The use of commercial-off-the-shelf (COTS) software applications and the revolution of Cyberspace virtual hardware devices connected to the "Cloud" has proactive Operational Risk professionals "burning the midnight oil". How many of your Executive Management and other employees with roles and access to sensitive proprietary information are using Twitter today? Did any of them update their Facebook profile last evening indicating their next travel stop? Are any of these individuals part of the corporate Mergers & Acquisitions team?

The use of social networking tools is not new when it comes to networking with colleagues or updating the professional experience history. What is less well known is how foreign intelligence agencies and competitive intel units from commercial enterprises are utilizing these products and solutions to perpetuate their collection of human and program information.

One only has to watch Tony Gilroy's latest movie "Duplicity" with Clive Owen and Julia Roberts to better understand the risks to corporate and national security. Gilroy's sequence of the Jason Bourne series to Michael Clayton and now Duplicity and "State of Play" all have very important lessons for us. Here is the Duplicity synopsis:

Julia Roberts working for the CIA and Clive Owen working for MI6 play competing undercover corporate high level top secret business spies who may or may not be conning each other. The movie shows us what lengths mega corporations will try and go to keep their new product information out of the hands of their competitors. The spies in this case will not even acknowledge their relationship as a sly parallel to regular relationships. The implication here is that most people do not say or trust themselves in relationships, but as spies Julia and Clive have good reason to be wary. Multi continent travels, many plot twists and counter twists follow. The music is light locations are beautiful and evokes the Ocean's movies and fun is had by all even if you can't always follow the plot.

Are you following someone on "Twitter" that is with one of your competitors? Do you know all of your followers personally? Who is in your supply or customer chain that may be leaking vital information before it's ready for "Prime Time"? What is the point. Hypothesis? Let's see if this makes any sense:

Lockheed Martin has thousands of suppliers. Each of those suppliers is interested in selling their products or services to LMT's competitors to increase their own market share. VirTra is one of those suppliers and provides the following capabilities to Lockheed:

(OTC:VTSI.PK), today announced
that VirTra has received another order from Lockheed Martin Simulation Training
and Support business for VirTra`s newest and smallest Threat-Fire device, the
Threat-Fire II.

The Threat-Fire II is a clip-on return fire simulator, similar in function to
the Threat-Fire belt; however, the Threat-Fire II is designed to clip-onto an
officer or soldier`s duty belt. The Threat-Fire II is not only small and
lightweight to be unobtrusive, but it is also rechargeable and compatible with
VirTra`s wireless system.

"We are thrilled that Lockheed Martin has ordered our very latest Threat-Fire
II. Our Threat-Fire line of return fire are highly effective simulation training
aids and it is an honor that an industry pioneer like Lockheed Martin Simulation
Training and Support continues to order VirTra`s unique training devices,"

You can get to this press release from following this Twitter page and you ask yourself why would this person be tweeting about Lockheed Martin or VirTra's deal with them?

1,691 Following 1,313 Followers

VirTra Receives Fourth Order from Lockheed Martin Simulation ... http://bit.ly/1ZNuVz

A quick Open Source search reveals that she is a Sales Manager at Harrahs/Rio in Las Vegas. Whether she got this information on the VirTra deal because she is following someone or one of her followers sent her this "Tweet" on the press release does not matter. She could have read this information in the local newspaper or on the RSS feed she has set up for tracking the Defense Industrial Base companies doing business together. What matters is the relevance of this information and the speed that it is currently being known by many, not just a few.

There is no law prohibiting the "Tweeting" of public information as long as the so called public information is not subject to some national classification scrutiny or some kind of insider information for the review of the SEC. What is more likely is that she is like millions of others on the web who are using social networking to drive you to a web site that is being driven by advertising or some other multi-level marketing offer.

This is just one small illustration of the power and the vulnerability that exists with the COTS software operating in our planet's virtual digital cloud today. How we apply it's use for the good or the bad of humanity is up to each of the humans behind the keys on the PDA, Blackberry or PC. Therefore, just as the Internet has spawned the age of transnational economic crime, child pornography and cyber extortion plots so too will these same tools on our mobile devices be leveraged to do us potential harm or good.

Viral Marketing is here to stay and the use of these new age tools to spread the word on a new product, a new stock offering or the sighting of a celebrity on Rodeo Drive in Beverly Hills is exploding:

  • The Ponzi scheme and related investment Pyramid schemes, are early examples of viral marketing. In each round, investors are paid interest from the principal deposits of later investors. Early investors are so enthusiastic that they recruit their friends resulting in exponential growth until the pool of available investors is tapped out and the scheme collapses.
  • Multi-level marketing popularized in the 1960s and '70s (not to be confused with Ponzi schemes) is essentially a form of viral marketing in which representatives gain income through marketing products through their circle of influence and give their friends a chance to market products similarly. When successful, the strategy creates an exponentially growing network of representatives and greatly enriches adopters. Examples include Amway and Mary Kay Cosmetics among many others.

Tom Olzak offers us some great perspective on how to deal with the inevitable digital wave upon us:

Defending against the inevitable

Trying to adequately control new employee use of public social networking by simply telling them to stop is futile, although use of these sites should be addressed in the company’s acceptable use policy. And employee behavior can be modified somewhat by awareness training, but behavior is what it is. Some employees will continue to act in either careless or malicious ways, especially if motivated to do so. However, there are still things you can do, in addition to basic security controls, to mitigate risk, including:

  1. Block use of public social networking sites from the office is my strongest recommendation. This will help protect your data or social engineered information, about your company or network, from finding its way directly from the employee’s desk or your network, to either a social networking site or a friend met at such a site.
  2. Implement DLP (data leakage prevention). Know where and how your data is moving. If an online ‘friend’ of one of your employees happens to gain access because of sharing activities, you will be able to block data loss or at least know it’s happening.

Keep your eyes and ears open to what you are saying at the local restaurant or on the phone in the lobby of that big metro area hotel. It could be known to your competitors or your enemies within a matter of minutes.