30 January 2011

Crisis Management: ORM & Public Relations Convergence...

Operational Risk Management Executives will be tuning into CBS 60 Minutes Sunday night. If you are a Bank of America stakeholder and your stock dropped 3% on November 30, 2010 because of a WikiLeaks document release, this episode should be on your mind:

(Reuters) - WikiLeaks founder Julian Assange says he enjoys making banks squirm thinking they might be the next targets of his website which has published U.S. diplomatic and military secrets.

"I think it's great. We have all these banks squirming, thinking maybe it's them," Assange told the CBS television program "60 Minutes" in an interview.

CBS released a partial transcript on Friday ahead of Sunday's broadcast of the full segment.

Bank of America Corp shares fell more than 3 percent on November 30 on investor fears that the largest U.S. bank by assets would be the subject of a document release.

Interviewer Steve Kroft asked Assange whether he had acquired a five-gigabyte hard drive belonging to one of the bank's executives, as Assange had previously asserted.

"I won't make any comment in relation to that upcoming publication," said Assange, who is under a form of modified house arrest in England, awaiting an extradition hearing to Sweden for questioning over alleged sex offences that he denies.

WikiLeaks will not be the last whistleblower web site to air the dirty laundry on what a government agency or public company may or may not be doing as it goes about its daily business. The CBS or TMZ media mechanisms remain the outlet for an information economy that fuels the behaviors of modern-day paparazzi and of contributors to WikiLeaks and its future competitors.

What are Operational Risk Managers thinking about when these loss events happen? Another lost or stolen laptop belonging to one of thousands of corporate executives is now a major incident, not one to be taken lightly as it perhaps was in years past. This is also why these same managers are pursuing a diligent strategy to emphasize products that encrypt the whole hard drive on the mobile systems being toted around in taxi cabs and on airplanes. The loss of one of these tools becomes less of an issue as these programs are implemented and every byte of data on these mobile devices is encrypted.

The External Affairs, Public Relations and Corporate Communications strategy for a Fortune 500 company is extensive. With Social Media becoming a major component of Web 2.0 integration and the booming number of PDAs, iPhones and other mobile devices, "Crisis Management" and "Operational Risk" will continue to be two disciplines that need each other more than ever.

Bank of America will survive, just as others have before it, once the information is released and people have a chance to determine how damaging it really is, or whether it is not worth the hype of paying attention to it. What will persist beyond the latest PR crisis is the fact that data, videos, Tweets and Blogs continue to pile up at speed on the hard disks, Jump Drives, IronKeys and servers in "The Enterprise Cloud." How you manage, secure and dispose of that data is an Operational Risk that will not diminish any time soon.

Who has seen the light when it comes to the utilization of Cloud Computing, and effective document encryption in transit with embedded information security compliance standards? Uncle Sam for one.

WASHINGTON – The U.S. General Services Administration announced today that federal, state, local, and tribal governments will soon have access to cloud-based Infrastructure as a Service (IaaS) offerings through the government’s cloud-based services storefront, Apps.gov. GSA’s IaaS contract award allows vendors to provide government entities with cloud storage, virtual machines, and Web hosting services to support a continued expansion of governments’ IT capabilities into cloud computing environments.

“Offering IaaS on Apps.gov makes sense for the federal government and for the American people. Cloud computing services help to deliver on this Administration’s commitment to provide better value for the American taxpayer by making government more efficient,” said federal Chief Information Officer Vivek Kundra. “Cloud solutions not only help to lower the cost of government operations, they also drive innovation across government.”

The use of new technologies or platforms such as these only provides the Operational Risk Professional with newfound ways to mitigate risks, not eliminate them. Therefore, whether you are the CIO at B of A or part of the Federal CIO Council in the United States, the fact remains that people will continue to use lost or leaked information to their advantage. This is a threat to the enterprise no different from the loss of power, a catastrophic fire or a natural disaster. When a known threat such as WikiLeaks is out there, it must be addressed in your vulnerability assessments and your risk management planning.

Google Apps is now FISMA Certified. Whether the number of incidents increases or diminishes will still depend on the behavior of people and on the ability of OPS Risk management to remain part of the executive conversation on the risks of data getting into the wrong hands. With this being an inevitable situation, the convergence of crisis management, PR and media communications will increasingly become part of the Enterprise Risk Management team. Let's just hope they keep a seat for the 28-year-old IT staffer who supports the implementation of their enterprise apps and the exponential growth of their information cloud.

22 January 2011

Digital Paradox: Privacy v. Security...

The media communications and advertising industries are buzzing over the new U.S. Federal Trade Commission report and framework entitled: Protecting Consumer Privacy in an Era of Rapid Change. The Operational Risk Management implications for your enterprise could be significant if you do not currently understand how your marketing department provides disclosures or manages collected consumer data. If you think that you are protected because you outsource to a third party, then think again. The consumer's power is increasing and the data privacy laws are playing a quick game of regulatory catch-up:

Scope: The framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.

Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.

With 500 million plus people self-profiling on Facebook these days, you might wonder if they even truly think about their privacy. See Controlling How You Share, Facebook.

A variety of business models involve practices that fall outside the proposed “commonly accepted practices” category. These include, for example, a retailer collecting purchase information directly from a consumer and then selling it to a data broker or other third party that may be unknown to the consumer. Other examples include online behavioral advertising, in which an online publisher allows third parties to collect data about consumers’ use of the website, as well as social media services, where the service or platform provider allows third party applications to collect data about a consumer’s use of the service. In addition, as noted above, using deep packet inspection to create marketing profiles of consumers would not be a commonly accepted practice.

The new framework and panel discussions have focused on the Operational Risks associated with collecting, storing and sharing data on consumers. The regulations that change going forward to assist in consumer protections and disclosures may not have much impact on whether consumers' "Personally Identifiable Information" (PII) is disclosed to nefarious transnational criminal syndicates without their permission.

If you are a U.S. government military employee you may have received notice lately from your PenFed Credit Union that you too may have your PII in the hands of people who will use it for monetary gain. The continuous loss of data by institutions has now been verified as just another criminal business enterprise run by organized crime and, in many cases, sanctioned by nation states. The data protection and data theft game is the modern equivalent of bank robbery, yet it is moving at the speed of electrons across fiber optic networks worldwide.

And now that this accelerating consumer issue of cybersecurity has made its way to The White House, one can only wonder what may change. The cost to business is now $204.00 per record according to well-respected research by the Ponemon Institute. The MOU between DHS, the Department of Commerce and the Financial Services Sector Coordinating Council (FSSCC) remains the window dressing on another unfunded effort to deter the cyber plague before us.

There is no shortage of people reporting on the breaches (this blog included), the hacks and the data leakage via employees using peer-to-peer file sharing software within the walls of their Fortune 500 company or government agency. Some of the people disclosing this information are doing it with ulterior motives and rarely try to offer a potential solution to the problem.

So what can a PenFed or a major U.S. Government agency do to stem the tide of the growing digital tsunami of data thefts and transnational economic crime or acts of espionage? There is not one solution, nor is there ever going to be a day when it all comes to an end. Which brings us to the mindset shift that is necessary to make a difference.

The Security vs. Privacy legal topic is somewhere in the mix of the solution. The education of our digital natives at a young age is another. Many kids can type with their thumbs better than they can write a legible letter to their grandmother. And finally, there is the implementation of new technologies that will enable law enforcement to do their jobs more effectively.

Now back to the mindset shift. Cecilia Kang of the Washington Post reports:

As the United States looks at ways to better protect Internet users’ privacy, Europe is going through its own update of online privacy rules. The 27-nation European Union is taking a more aggressive approach to privacy by setting higher bars for how data can be collected on Web users.

European laws prohibit Web sites from tracking users without their permission. The E.U. is also weighing legislation that would let users delete all their information from a Web site, such as Facebook, and transfer data from one wireless provider to another without leaving profiles behind.

Viviane Reding, the vice president of the E.U. Justice Commission and head of privacy regulation, visited The Post on Wednesday to talk about her approach to protecting users in the age of Internet over-sharing. On Thursday, she is scheduled to meet with U.S. Attorney General Eric Holder to discuss ways the E.U. and U.S. can cooperate on safeguarding consumers' personal information, including data on travel and finances. The talks may also touch on the recent disclosure of classified documents by Wikileaks.

17 January 2011

4th Generation Warfare: Insider Risk...

Several months ago, this blog discussed the implications of the "Stuxnet" malware that was being investigated by international authorities. Yesterday, the New York Times published a more detailed set of facts and a hypothesis that the sophisticated "worm code" was tested in Israel.

William J. Broad, John Markoff and David E. Sanger.
The Dimona complex in the Negev desert is famous as the heavily guarded heart of Israel’s never-acknowledged nuclear arms program, where neat rows of factories make atomic fuel for the arsenal.
Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran’s efforts to make a bomb of its own.
Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.

4th Generation Warfare (4GW) and its implications for global critical infrastructure organizations are obvious. The Operational Risks associated with targeted infiltration of systems that control machines, manufacturing processes and software that manages transportation have now changed the baseline for where to begin mitigating this asymmetric threat.

Executives now realize the requirement for an improved focus on the "Insider Threat" to their systems operations. Why? According to various reports, this particular worm was initially delivered by a USB thumb drive. This means that someone would have to have been inside the targeted facility to introduce the malware to the actual system controller. A person within the perimeter of the organization with this single device could set the chain reaction in motion.

Whether you are a major manufacturer or an electric utility doesn't matter. The people you trust to access systems inside the organization are the basis for mitigating this type of attack. Most important is the scrutiny applied to the extended supply chain of semi-trusted contractors and others known to the organization. All of the background checks and other methods for determining someone's character will not be the major deterrent to a worm introduced internally to an Intranet with a USB thumb drive.

So what is the answer to address this threat? A TSA-style check, scan and pat down at the entrance to every commercial enterprise that has computers inside with open USB ports? This is very unlikely in the near term for most facilities.

What about disabling the technology itself, turning off the ports on each system inside the organization's perimeter? This solution is more likely to deter many opportunities for this type of USB attack, yet it still doesn't remove all of the risk from another possible entry point into the network, a CD drive for example. Regardless of the method or the controls you employ to mitigate this risk, it will not eliminate the entire threat to your organization. Even the use of a "Digital Sandbox", endpoint security measures or other methods to disable ports on systems will not entirely lock down your organization.
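The paragraph above makes the defender's point that a USB-port control covers one medium but not another, such as a CD drive. One way to see that gap in practice is to watch the host's own kernel log for removable-media events and compare what appears against what the control actually blocks. The following is an added example, not code from the original post; the syslog excerpt, host name and device IDs are constructed, and the `blocked_media` set stands in for whatever the organization's port policy disables.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed kernel-log excerpt in syslog format. Host name, times and
# vendor/product IDs are made up for the example.
SAMPLE_LOG = """\
Jan 17 08:01:12 eng-ws-07 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jan 17 08:01:12 eng-ws-07 kernel: usb 1-1: New USB device found, idVendor=1234, idProduct=5678
Jan 17 08:01:12 eng-ws-07 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Jan 17 08:01:13 eng-ws-07 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jan 17 08:05:40 eng-ws-07 kernel: usb 1-2: New USB device found, idVendor=abcd, idProduct=0001
Jan 17 08:05:40 eng-ws-07 kernel: input: Generic USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input5
Jan 17 09:12:03 eng-ws-07 kernel: sr 2:0:0:0: [sr0] scsi3-mmc drive: 24x/24x writer cd/rw xa/form2 cdda tray
Jan 17 09:12:05 eng-ws-07 kernel: ISO 9660 Extensions: Microsoft Joliet Level 3
"""

# "Mon DD HH:MM:SS host kernel: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")

# (medium, pattern) pairs. A keyboard or other HID device matches none of them,
# so only media that can carry files are reported.
RULES = [
    ("usb-storage", re.compile(r"usb-storage .*USB Mass Storage device detected")),
    ("usb-storage", re.compile(r"\[sd[a-z]\] Attached SCSI removable disk")),
    ("optical",     re.compile(r"\[sr\d+\] .*(cd/rw|dvd|cdrom)", re.I)),
    ("optical",     re.compile(r"^ISO 9660 ")),
]


@dataclass(frozen=True)
class MediaEvent:
    timestamp: str
    host: str
    medium: str
    message: str


def detect_removable_media(log_text: str) -> List[MediaEvent]:
    """Return one event per log line that indicates removable media being attached."""
    events: List[MediaEvent] = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for medium, pattern in RULES:
            if pattern.search(msg):
                events.append(MediaEvent(m.group("ts"), m.group("host"), medium, msg))
                break  # one classification per line
    return events


def policy_gaps(events: List[MediaEvent], blocked_media: Set[str]) -> Dict[str, int]:
    """Count observed events per medium that the host's port control does not cover."""
    gaps: Dict[str, int] = {}
    for e in events:
        if e.medium not in blocked_media:
            gaps[e.medium] = gaps.get(e.medium, 0) + 1
    return gaps


if __name__ == "__main__":
    found = detect_removable_media(SAMPLE_LOG)
    for e in found:
        print(f"{e.timestamp} {e.host} [{e.medium}] {e.message}")
    # A control that only disables the USB mass-storage driver leaves the optical events uncovered.
    print("not covered by a USB-only control:", policy_gaps(found, {"usb-storage"}))
```

Run against the constructed log, the USB-only policy reports two optical-media events as uncovered, which is exactly the residual risk the paragraph describes; feeding the same function real `/var/log/kern.log` lines would show which media are actually turning up on a given host.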

There is only the ability to create a more resilient and durable environment that survives a significant business disruption. The mindset shift to durability, and to the latency of recovery, now becomes the strategy for these kinds of risks. A strategy for resilience requires significant resources and a committed management team. The ability to survive is the first part of the process, and how soon you return to full operational capability is the metric. How long does it take to bounce back to normal in your organization?

The ability to manage emerging risks, anticipate the interactions between different types of risk, and bounce back from disruption will be a competitive differentiator for companies and countries alike in the 21st century.

Homeland security is often seen as a protective, even defensive, posture. But Maginot lines are inherently flawed. Fences and firewalls can always be breached. Rather, the national focus should be on risk management and resilience, not security and protection. Resilience—the capability to anticipate risk, limit impact and bounce back rapidly—is the ultimate objective of both economic security and corporate competitiveness.

09 January 2011

Cyber Theft Rings: A Nexus with Terrorism...

BSA/AML compliance is an Operational Risk that continues to plague even the largest institutions. The ability to effectively program information systems to address "Politically-Exposed Persons" (PEP), and the resulting risk to the bank's reputation, are still a challenge for some executives.

Why is this still an OPS Risk issue? In many cases it is the failure to follow procedures, combined with inadequate staffing in an alert investigations unit where backlogs are prevalent. This becomes a business risk because there continues to be a lack of closure on these alerts. The simple monitoring of funds transfers to ensure timely reporting of suspicious activity associated with PEPs should be AML 101.

Retaining and deploying an independent consultant to review compliance and systems controls is a primary responsibility of the Audit Committee chair of the Board of Directors. Many of the institutions that have found themselves under recent OCC oversight in the United States realize they have underfunded this obligation and the staff required to keep pace with the expanding volume of electronic transactions.

Monitoring accounts of current or former senior political figures is well within the PEP definition, which also includes their families and any close associates. Therefore, the BSA officer will require even more robust budgets, staffs and systems programming to remain effective in regulatory compliance with the Bank Secrecy Act and Anti-Money Laundering statutes. And this covers only the risks associated with the bank's regulatory obligations in the United States and many other countries of the world.
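The two paragraphs above describe the control in words: screen funds transfers against a PEP list that includes family and close associates, and report suspicious activity in time. The following is an added example of what the systems programming behind that looks like; it is not the post's own material or any vendor's product. The watchlist names, transfers, review threshold and seven-day window are all constructed for the illustration, and the threshold is not a statutory figure.

```python
import re
import unicodedata
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed watchlist: a PEP plus a family member and a close associate, since the
# PEP definition reaches all three. Every name here is fictional.
PEP_WATCHLIST = {
    "Ana Maria Valdez": "PEP: former minister (fictional)",
    "Tomas Valdez":     "family member of PEP (fictional)",
    "Rudi Oberholzer":  "close associate of PEP (fictional)",
}

REVIEW_THRESHOLD = 10_000.00  # constructed example threshold, not a regulatory number
WINDOW_DAYS = 7               # constructed look-back window for cumulative totals


@dataclass(frozen=True)
class Transfer:
    ref: str
    when: date
    originator: str
    beneficiary: str
    amount: float


# Constructed transfers. Mixed case, accents, punctuation, an initial and reordered
# name tokens show why naive string equality misses obvious matches.
TRANSFERS = [
    Transfer("T1", date(2011, 1, 3), "VALDEZ, ANA MARÍA", "Coastal Holdings LLC", 9500.00),
    Transfer("T2", date(2011, 1, 4), "Ana M. Valdez", "Coastal Holdings LLC", 9800.00),
    Transfer("T3", date(2011, 1, 5), "Jane Doe", "Corner Bakery", 120.00),
    Transfer("T4", date(2011, 1, 6), "Harbor Imports Inc", "R. Oberholzer", 25000.00),
]


def name_key(name: str) -> frozenset:
    """Normalise a name for matching: strip accents, lowercase, drop punctuation and initials."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.split(r"[^a-z]+", ascii_name.lower())
    return frozenset(t for t in tokens if len(t) > 1)


WATCHLIST_KEYS = {entry: name_key(entry) for entry in PEP_WATCHLIST}


def screen_name(name: str) -> List[Tuple[str, str]]:
    """Return (watchlist_entry, level) hits. One name's tokens must be a subset of the other's;
    'strong' means two or more shared tokens, 'weak' (e.g. surname only) means analyst review."""
    key = name_key(name)
    if not key:  # an empty key would be a subset of everything
        return []
    hits = []
    for entry, wkey in WATCHLIST_KEYS.items():
        if key <= wkey or wkey <= key:
            hits.append((entry, "strong" if len(key & wkey) >= 2 else "weak"))
    return hits


@dataclass(frozen=True)
class Alert:
    ref: str
    entry: str
    level: str
    reason: str


def screen_transfers(transfers: List[Transfer]) -> List[Alert]:
    """Alert on every party that matches the watchlist, and on the running total per
    watchlist entry inside the window, so amounts split below the threshold still surface."""
    alerts: List[Alert] = []
    history: Dict[str, List[Transfer]] = defaultdict(list)
    for t in sorted(transfers, key=lambda x: x.when):
        for party in (t.originator, t.beneficiary):
            for entry, level in screen_name(party):
                alerts.append(Alert(t.ref, entry, level, f"{party!r} matches watchlist"))
                history[entry].append(t)
                recent = [h for h in history[entry] if (t.when - h.when).days < WINDOW_DAYS]
                total = sum(h.amount for h in recent)
                if total >= REVIEW_THRESHOLD:
                    alerts.append(Alert(t.ref, entry, level,
                                        f"{len(recent)} transfer(s) totalling {total:,.2f} within {WINDOW_DAYS} days"))
    return alerts


if __name__ == "__main__":
    for a in screen_transfers(TRANSFERS):
        print(f"{a.ref} [{a.level}] {a.entry}: {a.reason}")
```

In the constructed data T1 and T2 are each below the threshold, but together they exceed it within the window, and the spelling differences between them would defeat an exact-match filter; T4 is a surname-only hit and is deliberately marked weak so that an analyst, not the program, decides whether "R. Oberholzer" is the listed associate. Those weak hits are precisely the alerts that pile up in an under-staffed investigations unit.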

Yet this is the area that has traditionally been the foundation for 20th century criminals and other entities who need to move large sums of money or to perpetuate fraudulent activities. Now what about the 21st century asymmetric threat, "Cyber Theft Rings"?

Malware exploiters purchase malware on the black market Internet and use it to steal victims' banking credentials. They launch attacks from already compromised systems across the globe, in small businesses and other commercial or government organizations. This allows the transnational cyber criminal to transfer stolen funds and frustrate the tracking of their activities. Money Mule networks then transfer funds to other accounts or withdraw cash from ATMs and buy stored value cards before shipping them back overseas to the crime syndicates.

The victims remain the financial institutions and the owners of the infected systems. So how large is this method of cyber theft? In 2010 the FBI reported close to 400 cases that had attempted loss of $220M and actual losses of $70M.

"Today's (October 1, 2010) coordinated operation demonstrates that these 21st-century bank robbers are not completely anonymous; they are not invulnerable. Working with our colleagues here and abroad, we will continue to attack this threat and bring cyber criminals to justice."

Most of the accused hailed from Eastern Europe; many were based in Ukraine, where several worked as Web developers. Ten suspects were arrested in New York on Thursday, with another 10 having been arrested previously. The FBI is still seeking 17 others.

Where is the money going and what is it being used for? In a recent study by officials at the New York State Intelligence Center titled: "The Vigilance Project: An Analysis of 32 Terrorism Cases Against the Homeland", the statistics are the face of the US challenges with money laundering and terrorism:

  • 82 % were between the ages of 18 and 33.
  • 61 % attended some college and of these 64% of the educated terrorists were engineering majors.
  • 50 of the 80 suspects in the study whose citizenship could be identified were born in the U.S.
  • 11 of the 32 cases studied happened in the past two years. In these cases, 17 of the 19 defendants were in the United States legally.

The banking community understands that it has to remain vigilant when it comes to BSA/AML regulations, not only to avoid the millions of dollars in potential fines, but also because of the potential nexus with counterterrorism.