29 July 2010

Employee Misconduct: Mitigating Insider Risks...

The new Verizon Cyber Report is a valuable read for OPS Risk professionals that focus on data breach and incident response. The full breach report can be found at this link at Verizon Business.

We have to agree with the observations made by Brian Krebs on the following topic in the report:

A key finding in this year’s report is that most companies suffering breaches missed obvious signs of employee misconduct – breaches that were either initiated or aided by employees. Sartin said in almost every case where a breach investigation zeroed in on an employee as the culprit, investigators found ample evidence that the employee had long been flouting the company’s computer security and acceptable use policies that prohibit certain behaviors, such as surfing porn or gambling Web sites on company time and/or on corporate-issued laptops.

The study found a strong correlation between ‘minor’ policy violations and more serious abuse. From the report: “Based on case data, the presence of illegal content, such as pornography, on user systems (or other inappropriate behavior) is a reasonable indicator of a future breach. Actively searching for such violations rather than just handling them as they pop up may prove even more effective.”

The "Insider Threat" continues to be under estimated and all of the monitoring tools will not be able to stop it completely. Ever. So what are some of the solutions to address the issues at hand? Here are a few ideas worth exploring if not for the Fortune 500 Enterprise but the small-to-medium enterprise (SME) who doesn't have the budget or the internal staff to engineer a robust and resilient infrastructure. They have their unique place in a layered approach to cyber defense:

Idea #1: ScanSafe

Cisco recently acquired the pioneering SWG SecaaS company ScanSafe. ScanSafe continues to execute well and has the largest market share in the SecaaS market including several organizations with well more than 100,000 seats. ScanSafe is expected to form the basis of an increasing array of Cisco SecaaS offerings, starting with the addition of e-mail. Cisco's credibility with the network operations team, the progressive development and market growth of the S-Series and the acquisition of the leading SecaaS provider moved Cisco into the Leaders quadrant this year.

Idea #2: IronKey

IronKey was chosen by the Reader Trust Voting Panel, comprised of security and technology experts from large, medium and small enterprises from all major vertical markets, representing the wide distribution of SC Magazine readers. With an unprecedented number of entries submitted the 2010 SC Magazine readers selected IronKey over competing solutions from Check Point, CREDANT, PGP and Symantec.

IronKey brings unprecedented mobile data security to enterprise and government organizations by combining the IronKey multifunction security devices with the ability to remotely manage the devices and strictly enforce security policies from a centralized administrative console. IronKey enables organizations to securely deliver complete desktop environments on ultra-secure, remotely managed devices with integrated two-factor authentication and fraud protection capabilities.

Idea #3: OpenDNS

OpenDNS has solutions that are perfect for organizations of all sizes, from small businesses to Fortune 500 enterprises. With no equipment to install, no upgrades and no maintenance, OpenDNS will reduce your costs, give you more control and make navigating the Internet on your network a safer, more secure experience.

OpenDNS provides comprehensive security for your organization's network through botnet and malware site protection. OpenDNS delivers network security services through the DNS layer, blocking known malicious or infected sites from resolving on your network. Since infected sites are prevented from resolving, malicious content is blocked from reaching your network, and thereby OpenDNS provides the most efficient protection available.

Built-in botnet protection stops trojans, key loggers and other persistent malware and viruses on machines in your network from sending out confidential data and personal information to hackers outside the firewall.

These are just three examples that we have found to be reliable, cost effective and easy for the small-to-medium size company to hedge against some of the infrastructure risks and bad behavior by employees. So what else could the savvy VP of Operational Risk inject into the organization to address some of the other types of "Insider Threat"?

Provided as a resource by the Association of Certified Fraud Examiners (ACFE), EthicsLine serves as an internal control tool through which companies can detect and deter fraud. Powered by Global Compliance, EthicsLine includes hotline, case management and analytics to empower organizations to prevent, detect and investigate instances of organizational fraud and abuse.

EthicsLine provides expertise and experience. As the power behind EthicsLine, Global Compliance introduced the original ethics and compliance hotline and is the largest provider of hotline, case management, and analytic solutions worldwide – supporting over 25 million client employees in almost 200 countries. Global Compliance also provides additional products and services that integrate with EthicsLine and protect an organization from fraud and abuse.

The employee who knows how to circumvent the "Rule Sets" as it pertains to the Acceptable Use Policy for the corporate digital assets may also be the same person who is stealing from the company. Whether they are stealing actual cash from the register, using vendor billing schemes or other occupational fraud tactics they understand how to get around the control objectives. Operational Risk Managers need to look at the employee population as an ecosystem of risk and that a certain percentage of those employees will be trying to surf Internet gambling sites and simultaneously misappropriating assets.

As you spend more time in OPS Risk, the more you understand the intersections with human behavior. The tools will assist you along the way yet it is the day to day interaction with people that will help you predict where and how someone may be increasing the risk to your enterprise.

23 July 2010

Top Secret America: Analysis of Competing Hypotheses...

Operational Risk Management Executives are still digesting the latest Washington Post investigative reporting from Dana Priest and William M. Arkin, "Top Secret America". The U.S. Intelligence Community (IC) and the Defense Industrial Base (DIB) employees in the suburbs of Virginia, Maryland and DC will be debating the impact over whispered dialogue around the weekend BBQ or over a candle light dinner in their favorite Georgetown restaurant.

The aftermath of the disclosure, increased transparency and ongoing investigation will continue for months and most likely years. New questions, new facts and new ideas will be put on the table for consideration inside the board rooms of private sector companies, law firm lobby shops and the government program management offices. Risk Management and the topics of risk exposure and the likelihood of incident categories will be the center of the conversation.

Since the Safety and Security of the United States is the foundation for the article, it makes the nexus of all the newspaper writing, blogposts, TV interviews and Internet "Tweets" relevant to Operational Risk Management.

As professionals in the IC and DIB continue to evolve their solutions on the ever changing threat to US citizens, you only have to look to the requirements placed in front of them. What risk are we trying to mitigate? What exposure do we have now? What is the likelihood that this will happen to us and how soon?

The requirements dictate the solution. The understanding of the threat dictates the requirements. The solution is not going to be implemented one time, one place and then it's over. It's going to be adaptive and it's going to evolve at the speed of the threat. The question that is always being asked by everyone is, how fast can we adapt?

Dana Priest and Bill Arkin may have done our country a great service at this point in time. The "Analysis of Competing Hypotheses" (ACH) may be utilized to ultimately prove the correct course and to make even more sound analytical judgments about our national security evolution. By actually using the data facts uncovered by their current research the process of eliminating errors in the data can begin. And once the data has been normalized and cleansed so that all agree that it is the true baseline, then the ACH can begin.

As the DNI provides the leadership and works through the governance cycles with all of the IC Director's and Secretary's, then the use of a vetted methodology such as ACH combined with the entire risk management exercise, may indeed reveal some operational risk vulnerabilities. It would be through the analytic process, risk matrix and the future enterprise architecture work that a more robust, resilient and economic model is developed and implemented.

Now about the question on whether our national security has been compromised or the risk to our private sector assets has increased as a result of the Washington Post article. Only time will tell as the possibility of future VBIED incidents, take out the facades of previously unknown or unnoticed IC or DoD facilities identified and validated in the newspaper's research.

Even now however, the vulnerability of our vital national security assets are most likely to be copied, stolen, corrupted or deleted by the logic bombs lying in wait, before major kinetic disruptions. It will no doubt be a 4GW blended attack on our homeland that combines the effects of both that experts predict is our greatest threat.

This brings us back to the quote at the top of this blog:

"The Only Thing Necessary For Evil To Triumph Is For Good Men To Do Nothing." --E. Burke

God's Speed to the United States of America...

06 July 2010

Black Swan: Consumer Financial Protection Bureau...

The Consumer Financial Protection Bureau has been born out of the 2,300 pages of the final US Federal Financial regulation of 2010. The tone on what and how the CFPB operates is spelled out in the legislation and Operational Risk Managers are actively scouring the fine print to determine the compliance and legal ramifications. Yet the new Director's leadership may spell out the impact more than any of the new rules. The WSJ enlightens us:

The legislation says the bureau's purpose is to "regulate the offering and provision of consumer financial products or services." Details are left largely up to the new director, who would serve a five-year term. The law creates offices for research, tracking consumer complaints, consumer financial literacy and fair lending, among others.

Among the director's first tasks will be refining the agency's mission. Critics and supporters, though agreeing on the importance of the new agency, differ on what will constitute success.

Institutions will be adjusting their behavior to the new rules and it will be adjusting to how it continues to do proprietary trading. It's hedge fund ownership is now limited to 3% and the "Volcker Rule" is the same percentage for trading Tier 1 capital. The entire financial services industry is essentially gearing up for more of the same with minor adjustments on how it implements it's various risk management strategies. So what has changed and what will change?

Large banks and their supply chains will be looking for new ways to leverage their ability to improve margins. And when you look for ways to improve margins, you raise rates add more fees and incrementally gain a tremendous avenue for increased cash flows. Enterprise Risk Management will try to find a way to hedge against the "Black Swan" event from ever happening again. Even today, the business is still in the dark on the mathematical equations that caused the last implosion of world markets and the unraveling of the financial trust that is the foundation for the system to operate with efficiency and market speed.

Going forward the risk management professionals will be dissecting the final law to determine how it will impact their business, institution or agency for the next few years. As business owners and corporate institutions begin to see what direction the new Consumer Financial Protection Bureau (CFPB) chief will be taking, they will be devoting resources and budgets to adjust to these market changes.

And while all of this is evolving in the open and transparent world of finance you can bet that the next "Black Swan" event is on the horizon. As "Operational Risk Managers" who witness the speed and the complexity everyday in the trading pits, software development units and on the white boards of countless conference rooms will tell you; the next one is out there:

"A Black Swan is a highly improbable event with three principal characteristics: It is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was." Nassim Nicholas Taleb, from his book The Black Swan - The Impact of the Highly Improbable

Sens. Chris Dodd (D., Conn.) and Blanche Lincoln (D., Ark.) are trying to calm the fury among bankers and business groups over a last-minute change to the financial overhaul bill that critics now say could upend the way companies hedge against risk.

In the early hours of Friday June 25, Democrats altered a key provision to the derivatives section of the financial overhaul bill. It has a completely different meaning depending on who you ask. Some believe the language would require all people engaging in derivatives contracts to post “margin,” or more costs to engage in a deal. Others believe it would apply only to big banks and major derivatives dealers. The difference could swing billions of dollars one direction or another.

The confusion stems from a part of the section, tucked into the 2,300-page financial overhaul bill, that says margin requirements “shall” be set against “all” uncleared swaps. Some companies believe they should be exempted because they aren’t risky derivatives speculators, and fear it will drive up their costs. Several companies and business groups have said the language is such a glaring mistake that it could undermine the entire derivatives market, particularly for companies using these products simply to hedge risk.

But the language is in sections of the bill setting rules for “swap dealers,” which are essentially banks or large derivatives traders regulators plan to place tougher restrictions on. Depending on how it is interpreted, the language could apply only to those “swap dealers.”

Regardless, the confusion has led to an uproar…

01 July 2010

Fraud Terrorism Nexus: Public-Private Partnerships...

The ACFE "Report To The Nations on Occupational Fraud and Abuse has been published in the July/August mailing of Fraud Magazine. There are some tell tale signs that Operational Risk Management is working and yet we have so far to go on this journey towards a more transparent, ethical and safe workplace environment.

Here are some of the highlights and findings from this annual survey:

  • 5% of annual revenues are lost to fraud
  • 25% of the fraud incidents involved losses of $1,000,000.00 or more
  • Frauds lasted a median of 18 months before being detected
  • Small organizations are much more likely to be victims
  • Fraud perpetrators often display warning signs they are engaging in illicit activities

While these are consistent with previous years results the article in this latest issue that caught our eye is worth further investigation and analysis. "The Fraud-Terror Link: Terrorists are Committing Fraud to Fund Their Activities."

The threat of terrorism has become the principal security concern in the United States since 9/11. Some might perceive that fraud isn’t linked to terrorism because white-collar crime issues are more the province of organized crime, but that perception is misguided. Terrorists derive funding from a variety of criminal activities ranging in scale and sophistication – from low-level crime to organized narcotics smuggling and fraud. CFEs need to know the latest links between fraud and terror.

Credit card fraud, wire fraud, mortgage fraud, charitable donation fraud, insurance fraud, identity theft, money laundering, immigration fraud, and tax evasion are just some of the types of fraud commonly used to fund terrorist cells. Such groups will also use shell companies to receive and distribute illicit funds. On the surface, these companies might engage in legitimate activities to establish a positive reputation in the business community.

Financing is required not just to fund specific terrorist operations but to meet the broader organizational costs of developing and maintaining a terrorist organization and to create an enabling environment necessary to sustain their activities. The direct costs of mounting individual attacks have been relatively low considering the damage they can yield.

The nexus between those who wish to attack our physical or digital infrastructure assets are after the same outcomes. High number of victims and media exposure. The threshold for financing overt attacks is coming down and the face of terrorism is changing. It has morphed into a pattern of behavior that requires the OPS Risk professionals to see the link and to study the reasons why the Fraud-Terror convergence is happening now.

Small groups of people who are doing pre-operational surveillance on targets in both physical locations and online Internet points of presence are in need of funding. Yet it doesn't take much. The London Bombings of 2005 were financed with a budget of around $15K. Now let's go back to the stats from the latest survey for a minute.

"Internal controls alone are insufficient to fully prevent occupational fraud. Though it is important for organizations to have strategic and effective anti-fraud controls in place, internal controls will not prevent all fraud from occurring, nor will they detect most fraud once it begins."

So where is this wave of fraud schemes coming from and attacking the average person on the street. Actually it's in cyberspace. This is where a tremendous amount of non-profit, charitable and other mechanisms for generating revenue and funding for terrorism occurs. Identity Fraud, Mortgage Fraud, Insurance Fraud and Immigration Fraud all are the precursors to the collection and potential dissemination of funds to those who are planning to harm people and our economic way of life.

We have found in that the best approach to this threat is education, awareness and sharing of best practices. To jump start the conversation in your metro area of the United States you only have to look to your local InfraGard chapter. This is a good first step in opening up the dialogue on topics such as transnational economic crime and who is behind these operations. Here is a good example of what's happening in the Washington, DC area:


"The Communication Infrastructure and Organization of Transnational Cyber Criminal Syndicates"

This Intelligence Briefing will address the tradecraft employed by cyber criminals who participate in private, organized transnational criminal operations using self-created and self-maintained infrastructures rather than the tradecraft of those in traditional underground forums that exist on the Internet. Included in the briefing will be discussion of technical infrastructures, communication methods and division of labor of cyber criminal organizations.

Once the Certified Fraud Examiner, IT cybersecurity professional and the intelligence analysts finish their brown bag lunch, you can see the collaboration wheels turning. In the grand scheme of millions and billions of dollars that are spent on sensors, anti-terrorism technologies for homeland security or the dollars wasted on procurement, the simple public-private partnership wins every time. Again, reflecting on the latest Occupational Fraud survey:

Occupational frauds are much more likely to be detected by tip than by any other means. This finding has been consistent since 2002 when the ACFE began tracking data on fraud detection methods.