22 March 2010

Legal Risk: Forensic Intel for Investigations...

A wide spectrum of Operational Risk incidents are in the news. Executive Management in the private sector, law enforcement and the military are investigating cases of identity fraud, cyber hacking and insider digital sabotage, transnational economic crime, intellectual property theft, ACH cyber robbery, counterfeiting, workplace violence and industrial espionage. Government agencies and regulatory authorities are increasing oversight, compliance and reporting requirements with the private sector and federal contractors. Inspector Generals and Internal Affairs are addressing whistleblower claims and internal corruption. Homeland security and "Connecting the Dots" are on almost every Americans mind.

All of these Operational Risk Management (ORM) challenges require comprehensive, efficient and legally compliant intelligence-led investigations to establish the ground truth and then to enable a "DecisionAdvantage." The legal framework that establishes your organizations ability to provide a "Duty to Care", "Duty to Warn", "Duty to Act" and "Duty to Supervise" is imperative.

When does information that is collected become a violation of a persons privacy or legal rights? At the point it is collected from a source or how and when it is analyzed by a human? These questions and more will be discussed as the dialogue pursues the latest challenges in Forensic Intelligence, a fast and forensically sound data acquisition, analysis and review solution for front line officers from the corporate investigations, law enforcement and government communities.

These Intelligence-led investigations also leverage the use of new forensically sound methods and proven legal procedures for collection of digital data from a myriad of technology platforms including laptops, PDA's and cell phones and more. These methods have been tested and certified in the forensic sciences for decades and follow many of the legally bound and court tested rules associated with evidence collection, preservation and presentation. Digital Forensic tools and 21st century capabilities enable global enterprises, law enforcement and governments to not only discover what they are looking for and when to use this in a court of law to find the truth.


08 March 2010

Quants: Fear and Loathing in Computer Code...

The Operational and Systemic risk is still lurking in the zero's and one's masking itself in the mathematical blur of algorithms designed by the "Quants". Is "SkyNet" just a few lines of computer code away from creating an incident that no insider can reverse?

Jeremy Grant and Michael Mackenzie of FT are establishing an argument discussed on this blog soon after the economic meltdown began to take place:

Not long after lunchtime one day on the New York Stock Exchange three years ago, unusual things started to happen. Hundreds of thousands of “buy” and “sell” messages began flooding in, signalling for orders to be made and simultaneously cancelled.

The volume of messages sent in was so large that the traffic coming into the NYSE from thousands of other trading firms slowed, acting as a drag on the trading of 975 shares on the board.

The case was made public only last month when the disciplinary board of the NYSE fined Credit Suisse for failing adequately to supervise an “algorithm” developed and run by its proprietary trading arm – the desk that trades using the bank’s own money rather than clients’ funds.

Algorithms have become a common feature of trading, not only in shares but in derivatives such as options and futures. Essentially software programs, they decide when, how and where to trade certain financial instruments without the need for any human intervention. But in the Credit Suisse case the NYSE found that the incoming messages referred to orders that, although previously generated by the algorithm, were never actually sent “due to an unforeseen programming issue”.

It was a close call for the NYSE. Asked if the exchange could have been shut down as it was bombarded with false trades, an exchange official says: “If you had multiplied this many times you’d have had a problem on your hands.”


The Operational Risks associated with the software computer code and the development of the trading algorithms is at the center of the still untouched regulation of how financial products are designed. Once the SEC get's educated on a market practice that is creating substantial systemic risk then the wheels of monitoring and potential "Cramdown" begins to take place.


The difficulty is that responsibility for risk controls does not lie entirely with exchanges and trading platforms. Much of it rests instead with brokers, which increasingly provide access to such venues under an arrangement known as “sponsored access” whereby any trading firm that is not a member of an exchange can “piggyback” on a broker’s membership to gain direct access to an exchange. Until recently, before the SEC clamped down on the practice, traders were able to use a form of this process – “naked access” – to gain access to exchanges without brokers conducting pre-trade risk checks to ensure their algorithms were functioning properly.


In the latest books written by "Reporters" on the so called "Quant risk" going on within the ranks of trading firms across the globe, the focus is on the people themselves more than the systems. Comparing poker players to bridge players is only a small part of the issue at hand with regard to a quantitative traders point of view and mathematical orientation.

Imagine for a moment the complexity of the software systems that now control the trading mechanisms across the world. From Hong Kong to Wall Street, London to Tokyo, the software is written to accomplish tasks that the human is not capable of executing in the multi-split seconds that it takes for buyers to match sellers. One only has to spend a few weeks or a month inside the software coding life cycle management process within the walls of a JP Morgan, Goldman Sachs or Credit Suisse to better understand the Operational Risks that exist for the market as a whole.

The sheer complexity of the systems software code alone is enough to give an uneducated eTrader worry over whether the portfolio they are managing with their retirement nest egg is going to get destroyed by the likes a a super "Cyber Algorithm" designed to out smart and out think that last strategy from the previous nights episode of MSNBC's "Jim Kramer."

The next economic crisis will not be a war of who had toxic assets in their asset portfolio's. It will be a single line of computer code that initiated a sequence of risk mitigation strategies to hedge against another previously executed trade the month before. And because of the error that creates this cyber incident, the market detects a new "Fear Factor" on the horizon.

How about a little Deja Vu:

All of us have been watching the gyrations of Wall Street and the stock market in recent days. With the collapse of Bear Stearns and Lehman, the "rescue" of the failing Fannie Mae-Freddie Mac, and the bail-out of AIG, many people wonder, "Have investors completely lost their minds?" Well, the answer may be, "Sometimes". Here's how we might look at anxious investing during a time of market volatility, uncertainty, bad news, and fear.

How does the anxious investor think? Let's consider two possible investors--- one who is reasonably optimistic and the other who is pessimistic.

02 March 2010

ID Risk Management: Dubai Investigation Links to Workplace Violence...

What is your name? Where do you live? What is your phone number? Where were you born? What is your social security number? What is your passport number? Where was it issued? What evidence do you have that this is all true? Your identity is at stake and Operational Risk Management is on the line.

These questions and more are asked of us on a regular basis to establish our true identity. The entity asking these questions is considering you to be granted access, access to what? It could be to establish an account at a banking institution, get a drivers license or become a member of a trusted community of people. Or it could be a country deciding whether to grant you a visa to visit or work for a period of time.

SOCA is in the midst of interviewing people who had their identity stolen. This investigation is about a form of ID Theft that goes beyond the international scandal associated with the Dubai homicide incident. The Washington Post reports:

Agents from Britain's Serious Organized Crime Agency are in Israel investigating the use of forged British passports by people who Dubai officials allege were part of an assassination squad run by Israel's Mossad spy agency. The 27 members of the group used European or Australian passports -- some forged -- to enter Dubai, officials say. In several cases, the names and other information on the passports matched those of Israeli citizens who hold dual nationality and who claim that their identities were "borrowed" by those involved in the operation.

Two SOCA agents will interview the 10 British-Israelis who were affected and issue them new passports, a British Embassy spokesman said. According to Israeli news reports, Australian investigators are planning a similar visit. The European Union last week condemned the use of forged travel documents in the killing of Hamas commander Mahmoud al-Mabhouh, without mentioning Israel specifically.


Whether you are the UAE, admitting people into your country or a Global 500 company allowing someone access to your corporate facilities, digital assets or place of business; you must have ways to effectively validate who people say they are, and who they really are. Even if you asked all of the questions above in the early stages of the company hiring process, would you really have the entire picture? This changes over time and events in a persons life. Identity Management and the use of both "known to many" and "known to few" attributes about who you are and who you know, is a reality in today's blur of global commerce.

When a country has a breach of security admitting people, who are not who they purport to be, is it any different in the context of a Defense Industrial Base company headquartered in Chicago, IL or an Investment Banking firm in Geneva, Suisse? What are different are the motives and the outcomes from the fraudulent acts.

What are the current arguments and the leading reasons why our policies, methods and tools associated with Identity Management are in a state of chaos in the United States? The FTC's latest report gives you a better idea of the breadth of the privacy problem trying to be solved:


The Federal Trade Commission released a report listing top complaints consumers filed with the agency in 2009. It shows that while identity theft remains the top complaint category, identity theft complaints declined 5 percentage points from 2008.

The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the 50 metropolitan areas reporting the highest incidence of identity theft are noted.

The top complaint was Identity Theft, which accounted for 21% of all complaints for the year.

A complete list of complaints can be found at: http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2009.pdf.


What is interesting is that the same people who are coming to work every day with their TWIC or CAC cards are also victims of ID Theft as consumers. The same individuals who walk into the SCIF or the bank vault may very well be people who have active investigations going on regarding their identity being used to perpetrate crimes or other fraudulent motivations. So what are some of the most important issues on the Identity Management horizon?

In all of the breaches, all of the incidents there is a root cause for the failure in the people, process, systems or external factor that opened up the vulnerability for the attacker to exploit and obtain their objective. It's called Continuous Monitoring. This issue is found in all places in Appendix G of the US NIST sp800-37 that illustrates the reason why continuous monitoring is critical especially in information systems:

Private Sector companies have a duty to invest in resources, policy refinement and new methods or tools to keep continuous monitoring as vigilant as possible:

"Conducting a thorough point-in-time assessment of the deployed security controls is a necessary but not sufficient condition to demonstrate security due diligence. A well designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status-related information to organizational officials in order to take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding the operation"


Whether you are the United Arab Emirates or the University of Alabama-Huntsville the Identity Management problem is much the same. David Swink at Psychology Today has this to say on the other growing virus named "Workplace Violence" that is invading corporate America:


In the aftermath of school and workplace attacks, it is often discovered that there were warning signs that the perpetrator was moving down a path toward violence. In some circumstances, people reported the troubling behavior and the information was not forwarded to the people who could prevent an attack. Sometimes the troubling behavior didn't reach a threshold, in the judgment of the person receiving the report, that something needed to be done. There is often confusion about what information can or cannot be shared under privacy laws like FERPA or HIPPA.

Threatening behavior may come to the attention of multiple departments within an organization that generally don't share information with each other. Without clear policies, procedures, and training, large organizations may find it challenging to channel widely dispersed information about potential threats to a central reporting entity.

With a single report of threatening behavior, the situation may not look that bad, but when the other "dots" are connected, a clear image emerges that this person is someone that needs to be assessed and managed in order to prevent violence.


Much of what we know about our employees is found in their HR files, background reports (if ever done) and what co-workers say about their behaviors in the workplace. Corporate Security, Risk Management, General Counsel, Information Technology, Public Relations and even the EAP (Employee Assistance Program) executive managers shall create, maintain and continuously operate a Corporate Intelligence Unit and Threat Assessment Team. Without it, the consequences of not knowing a persons true identity or current state of mind could cost you more than the loss of life. It could cost you your global reputation.