23 August 2010

Critical Infrastructure Resilience: Put On a "Black Hat"...

Why is a data-centric network like AboveNet, Inc., with its high bandwidth solutions, connecting with Terremark's NAP in the Washington, DC region? Operational Risk and Cloud Computing are the answer. Clients and customers are requesting more secure infrastructure to house and store their growing inventory of cloud-based apps and other data requirements for "Business Continuity", Disaster Recovery and Continuity of Operations.

Built to accommodate five 50,000-square-foot independent data centers and one 72,000-square-foot office building, Terremark's NAP of the Capital Region exceeds Federal standards for a carrier grade data communications and hosting facility. Customers in the Terremark NAP of the Capital Region now have access to AboveNet's high bandwidth connectivity solutions for all business data communications needs. AboveNet currently serves Terremark customers at the NAP of the Capital Region, and also connects to Terremark data centers in Miami, FL, Dallas, TX, and Santa Clara, CA.

AboveNet has the expertise and high bandwidth connectivity solutions to meet your specific business needs. Customers use high bandwidth solutions to enable their mission critical applications:

  • Major Broadcasters use AboveNet’s high bandwidth connectivity solutions to facilitate broadcasting of their live shows and to store historical video content to remote datacenters
  • Pre and Post Film Production Houses are using fiber optic connectivity solutions to provide on lot virtualized post production capabilities for all new films
  • Online Gaming and Social Networking customers use AboveNet services to support content delivery for their end users
  • Online Communication, Content and Product providers use fiber networks to provide content for their on-line products such as MSN, Hot Mail, etc
  • Major Financial Institutions use WDM fiber optic connectivity to achieve their Financial Transaction Processing and Business Continuity needs
  • Hedge Funds use Ethernet networks to connect to the likes of NASDAQ and AMEX and move trading data between their offices
  • Oil and Energy customers use WDM networks to support their Geo Thermal Mapping Disaster Recovery needs
  • Internet Sales customers use high bandwidth network solutions to boost the efficiency of their sales and service

Critical Infrastructure solutions in the global economy require a robust combination of bandwidth and data centers. The Virtual Corporation and the Blur of change in the connected enterprise require that the servers that are the "life blood" of the business be available, fast and assured. Business agreements that improve the capabilities of vital critical infrastructure organizations are a vital facet of prudent Operational Risk Management. Why?

These servers are often underutilized, tying up capital in unneeded software licenses, half-empty drives and idle processing capacity. Long deployment times limit your ability to respond rapidly in an on-demand world. And dedicated servers are expensive to replace, leaving you tied to older models while new advances pass you by.

A true utility computing solution should solve both the economic and capacity-on-demand shortcomings of traditional infrastructure, allowing you to pay only for the resources you need while enabling the rapid deployment of new capacity. And it should do all of this without any performance compromise, in a secure, highly available enterprise-class environment.

The Operational Risks of owning, operating and maintaining your own computing infrastructure are growing. The risks of new threats to embedded systems are also increasing in the transportation industry. The safety and security of the traveling public is being compromised by computers that control braking on a Metro train and the proper position for the wing flaps on a departing commercial airliner:

Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware.

An internal report issued by the airline revealed the infected computer failed to detect three technical problems with the aircraft, which if detected, may have prevented the plane from taking off, according to reports in the Spanish newspaper, El Pais.

Flight 5022 crashed just after takeoff from Madrid-Barajas International Airport two years ago today, killing 154 and leaving only 18 survivors.

The U.S. National Transportation Safety Board reported in a preliminary investigation that the plane had taken off with its flaps and slats retracted — and that no audible alarm had been heard to warn of this because the systems delivering power to the take-off warning system failed. Two earlier events had not been reported by the automated system.

The malware on the Spanair computer has been identified as a type of Trojan horse.

Are you investing as much in the safety and security of your computing infrastructure as you are in the preventative maintenance of your vehicles, rail cars or aircraft? When was the last time you took them offline and audited these systems for the possibility of infections or just incorrect or outdated updates to the software?

The facts are that you don't have the proper manpower or resources to keep up with the "Blur of the Connected Economy" in the transportation or information technology sectors. Your Operational Risks are increasing by the day, minute and second as a result of your ignorance of the Single-Points-of-Failure in the design, implementation or configuration of your systems.

So what is on the minds of those interested in your own self-defense? See Blackhat Briefings from last month and see what might impact you and your organization.

13 August 2010

Risk Appetite: In Search of the Perfect...

Operational Risk in the corporate enterprise is on the rise and savvy CxOs recognize it. The continuous and advanced schemes, attacks, reputation crises and regulatory compliance changes have the executive suite on full alert.

The global news cycle, financial markets in turmoil and a seemingly upset weather pattern on "Planet Earth" have OPS Risk professionals on ready standby. It's 24 x 7 x 365 responding to new threats and a growing set of domino effects as incidents are more interconnected and have substantial new interdependent relationships.

Operational risk is a serious concern not only to traditional and alternative investment managers, but also to their clients and the organizations that regulate buy-side firms. In worst-case scenarios, an investment firm’s failure to identify and mitigate operational risk can result in significant direct costs and a devastating loss of reputation. It may take years to reassure investors, regulators, and trading partners that the firm is well-managed. So what exactly is operational risk? Castle Hall Alternatives calls it “risk without reward.” The Basel Committee on Banking Supervision (Basel II) defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events,” and states that the definition is intended to include legal risk but exclude reputational risk, and lists as examples events ranging from data entry errors to earthquakes.¹ But operational risk is not something that can be easily identified by a generic checklist, nor is there a single, universally applicable approach to mitigating the operational risks to which a given firm is exposed.

A generic checklist is by no means the way to approach most Operational Risks, yet starting with a standard framework of controls and optimizing from there is a good start. Certainly the natural catastrophe risk mitigation exercise, whether for the tornado or the earthquake, has a foundation in the kinds of preparedness that can assist those caught in the vortex or on the fault line of destruction. Yet how could a checklist really help with a threat that is adapting to your environment on the fly and creating new obstacles to mitigating the risk before you?

Kerry Dewey was a finance officer for a small nonprofit in the Pacific Northwest. She was having a bad day, but it got worse when her local bank called her to inquire about the validity of a recent funds transfer for just under $10,000 from the nonprofit’s account to an account at an Alabama bank. Moments before, the Alabama bank had contacted Kerry’s bank because its policy is to investigate any transfer that’s close to, but less than, $10,000 – an amount that fraudsters commonly use to avoid currency transaction reporting.

Kerry’s bank stopped the transfer after she assured them that no one in her organization initiated the funds transfer. The episode prompted Kerry to review the nonprofit’s banking transactions in the past few days. She uncovered five other illegitimate transfers that totaled close to $50,000, and each transfer went to a different payee. Fortunately, her bank was able to contact the banks where the funds were transferred, and those banks were able to stop the transferred monies from being withdrawn by the fraudsters. Kerry had opened a very dangerous e-mail.

This case is fictional, but it’s representative of a relatively new “spear-phishing” e-mail scam that has recently emerged as a significant source of revenue for cyber criminals.

As you can see, the Small-to-Medium-Enterprise (SME) and other businesses that might have a single person responsible for payroll, accounting and acting as corporate controller are just as vulnerable to the Operational Risks as the large hedge funds, Global Money Center institutions and Corporate Enterprises of the Fortune 500.

The pervasive and constantly evolving components of Operational Risk now require a substantial blend of people, software and management systems. Those savvy CxOs now realize that Operational Risk Management is something that is not being dealt with solely by the CFO, CRO, CIO or CSO in its entirety. Therefore, the silos of risk management within the organization are themselves a "substantial risk" to the overall enterprise risk management aspiration. The "Insider" who watches these silos manage their domains and fiefdoms, with the goal of keeping it all within the unit or department or section, realizes that their scheme or attack will have little chance of detection for months, even years.

This is why the Office of Inspector General in government is so necessary and is so feared. This is why the outside auditors or independent investigators are so feared. This is why these two mechanisms for mitigating risks are typically too late and discover something that in the end, most people had a hunch was going on anyway. It's a perpetual cycle that won't end anytime soon and will keep our organizations searching for that eternal balance of a "Perfect Risk Appetite".