25 January 2015

Insider Threat: Trusted Systems of the Future...

In the Defense Industrial Base in particular, corporate executives are on edge these days, anticipating the next game-changing crisis phone call from the General Counsel.  The conversation is one that every CxO expects to have at some point in their career, yet the pace of multi-million dollar incidents is rapidly increasing.  The origin typically lies somewhere within the Operational Risk Management (ORM) landscape: People, Processes, Systems or External events.


The Board of Directors is evaluating the current funding levels for Operational Risk Management programs.  The focus on "Insider Threat" is a renewed area of scrutiny in light of the number of intellectual property thefts and national security classified information leaks.  This means increased funding potential for programs of Defensive Counterintelligence.  Next we shall look at the strategic challenges involving Homeland Security, Domestic Intelligence and Technological Innovation.


You may have heard that Corporate Security and Operational Risk Officers consistently use the acronym M.I.C.E. to describe the motivations of rogue insider employees. Money, Ideology, Compromise and Ego are the main categories to which human behavior is assigned once it is realized that an incident has occurred.

The "Why" question is asked early on by the General Counsel and the Chief Risk Officer (CRO), to try and understand the motivation by the employee.

One challenge is the current ecosystem of Homeland Security in the United States. Consistently oriented on protection against catastrophic threats to the homeland in general, and not to an individual company, much of the Homeland Security Intelligence (HSI) mechanism is myopic and not predictive.  The laws associated with U.S. persons and the current state of employee protections is a white paper in itself. However, the scrutiny of laws associated with the theft of intellectual property and corporate trade secrets is gaining momentum.

The challenges of "Domestic Intelligence" and the intersection of "Technological Innovation" are now on a collision course in the courts.  A previous legal decision such as United States v. Jones, 132 S. Ct. 945, 565 U.S. ___ (2012), a Supreme Court case, sets an example.  As interpretations of the constitutional rights of U.S. citizens are decided in cases where legal evidence in the form of metadata is collected from technology innovations and is deemed to violate those rights, the challenges for domestic intelligence applications become more apparent.  This includes law enforcement and internal corporate security programs within private sector enterprises.


There are three competing perspectives within the enterprise organization that present a continuous cultural tug-of-war:
  • Human Resources
  • Privacy & Legal Governance
  • Security & Risk Management

In a recent break-out session of a private industry focused "Information Sharing Initiative" workshop, the comments were heard by all of us present.  A Chief Security Officer in the room came right out and admitted that his team does everything it can to avoid interaction with personnel from the Human Resources department.  This "Elephant-in-the-Room" topic is one that most corporate officers need to get out on the table.  A Human Resources department tasked with protecting the privacy and integrity of the employees' personal data typically clashes with those charged with securing the assets of the organization.

Even though the U.S. does not have anything close to the EU Data Protection Directive, the legal precedents are being played out in the courts.  In the U.S., workplace privacy is a rapidly evolving spectrum of technology, metadata and big data analytics:
Employees typically must relinquish some of their privacy while at the workplace, but how much they must do so can be a contentious issue. The debate rages on as to whether it is moral, ethical and legal for employers to monitor the actions of their employees. Employers believe that monitoring is necessary both to discourage illicit activity and to limit liability. However, with this monitoring of employees, many are experiencing negative effects of emotional and physical stress, including fatigue and lack of motivation, within the workplace.

The "Insider Threat" and Defensive Counterintelligence strategies are up against the employee privacy and data governance legal battles in the U.S.  However, there is a way forward to design the future architecture for this particular Operational Risk Management domain, beyond more legally detailed "Acceptable Use Agreements".

Just as any agreement on standards or rules takes a process and a dedicated architecture, so will this arena of human behavior, technology innovations and vital digital information assets.  Effective and transparent "Trust Decisions", embedded in the architecture so that the agreed-upon rulesets can be applied, are the ultimate goal.  Once humans have confidence in a mechanism for making these Trust Decisions consistently and with integrity, the presence of prudent risk management will be realized.

The private sector will lead this effort in collaboration with government, yet it will design its own protocols and rulesets to plug in to new federal standards.  The application of continuous monitoring of threats within the private sector workplace will evolve quickly by using these new frameworks and new tools.  Trust Decisions will be made in milliseconds, as systems execute the rules that have been coded into software and the latest big data analytics logic.

We recommend that the private sector continue to establish a consortium of cross-sector companies to interface with the new ISE.gov framework entitled "The Data Aggregation Reference Architecture."
The need for greater interoperability is clear. To protect national interests, intelligence and law enforcement agencies must be able to collect, accurately aggregate, and share real-time analytical information about people, places, and events in a manner that also protects privacy, civil rights, and civil liberties. The President’s National Strategy for Information Sharing and Safeguarding (NSISS) recognizes this as a priority national security issue, and speaks directly to this challenge. The Data Aggregation Reference Architecture (DARA) is in direct response to NSISS Priority Objective 10, “Develop a reference architecture to support a consistent approach to data discovery and entity resolution and data correlation across disparate datasets.” The DARA provides a reference architecture that can enable rapid information sharing, particularly for correlated data, but also for raw data, by providing a framework for interoperability between systems, applications and organizations.
These private sector companies need to standardize across sectors, just as the government is embarking on the mission to improve this across agencies.  You see, the blind spots that the government has discovered in sharing information across its own departments and agencies are no different in private industry.  The failure of Energy companies to share information with other Energy companies, or the same within the Financial Services industry ISAC model, is not new.  However, the speed and integrity of future "Trust Decisions" on Insider Threats will always depend on the timeliness and quality of the data.

International agreements on ISO standards have a long history.  Quality and Environmental standards are the most common.  The 21st century has delivered us privacy and information security "management system" standards established and agreed upon internationally.  The standards and rulesets integrated with government shall have interoperability with the private sector.  The private sector shall collaborate with government on the architecture for information sharing.  The future state outcomes will enhance our trust in management systems that have been designed from the ground up to execute the rules.  A good example from ISO follows:
Cloud computing is quite possibly the hottest, most discussed and often misunderstood topic in IT today. This revolutionary concept has reached unexpected heights in the last decade and is recognized by governments and private-sector organizations as major game-changing technology.

In the January/February 2015 ISOfocus issue, we address some of the basic questions surrounding cloud computing (including the savings and business utility the technology can offer). We also explore security concerns of the cloud services industry and how these are addressed by ISO/IEC 27018, the first International Standard on safeguarding personal data in the cloud.

The future of "Insider Threat" solutions will not be designed by just one company or one government.  Just as Internet standards have evolved to support billions of IP-addressable devices, so too will the private sector, using data science and machine learning, discover the way forward on transparency and data governance.  What are the odds that an "Insider Actor" hired at company "A" may then move to company "B" once and if they determine the controls and processes are too difficult or will catch them in their unauthorized activities?

The safety, security and privacy of our organizations in concert with an international community is imperative.  People must believe in the integrity of the "Trust Decisions" being made each second by the Internet devices they hold in their hands and simultaneously by the organizations they devote their working lives to each day.

18 January 2015

Blackhat: Corporate Counterintelligence Capability...

If you are an Operational Risk Management (ORM) professional you should invest time to see the latest movie on Information Security this weekend.  Michael Mann's latest production is entitled "Blackhat" and it has a few lessons learned including several stark reminders of the current state of industrial asymmetric warfare.

While you may laugh at some of the scenes, there are some effective learning points along the way.  Even better, consider inviting one of your corporate executives to the movie with you.  They could walk away with a better understanding of the active cybercrime and cyberterrorism syndicates that have global operations.

The motivations for these continuous cyber attacks can in most cases be described in one word, "Greed".  The human factors associated with greed continue to be exemplified more and more in the digital Internet of Things (IoT) domain year-to-year.  So what do Wired Magazine and Cade Metz have to say about this latest hacker movie?
For Parisa Tabriz, who sits at the center of the info-sec universe as the head of Google’s Chrome security team, it’s a Hollywood moment that rings remarkably true. “It’s not flashy, but it’s something that real criminals have tried—and highlights the fundamental security problems with foreign USB devices.” 
Tabriz will also tell you that such accuracy—not to mention the subtlety of the scene with the coffee-stained papers—is unusual for a movie set in the world of information security. And she’s hardly alone in thinking so. Last week, Tabriz helped arrange an early screening of Blackhat in San Francisco for 200-odd security specialists from Google, Facebook, Apple, Tesla, Twitter, Square, Cisco, and other parts of Silicon Valley’s close-knit security community, and their response to the film was shockingly, well, positive. 
Judging from the screening Q&A—and the pointed ways this audience reacted during the screening—you could certainly argue Blackhat is the best hacking movie ever made.
Hollywood, California is getting closer to understanding how to reach a broad audience who are interested in the commercial cyber thriller.  The cyber themed movies have been around for years including "Sneakers" with Robert Redford in 1992.  So what has changed, after all of these attempts to help illustrate the spectrum of Operational Risks impacting the corporate enterprise?  Sabotage on critical infrastructure is ever more present.  So what has remained the same?

Still to this day there remains a tremendous amount of complacency on the risk of "Insider Threat." To illustrate this further; what are some of the common factors in all espionage incidents in the U.S. since 1950?
  • More than 1/3 of those who committed espionage had no security clearance. 
  • Twice as many “insiders” volunteered as were recruited. 
  • 1/3 of those who committed espionage were naturalized U.S. citizens. 
  • Most recent spies acted alone. 
  • Nearly 85% passed information before being caught. 
  • Out of the 11 most recent cases, 90% used computers while conducting espionage and 2/3 used the Internet to initiate malicious contact.
What can a corporation do in an environment of competing resources for talent, new tools and an increasing focus on consumer privacy?  Having an effective counterintelligence program within your organization is paramount to preserving your intellectual property and the integrity of the U.S. industrial supply chain.  So where should you start?

Begin your organizations awareness building with a robust program on cyber security:
Welcome to the InfraGard Awareness Security Awareness Course - We all have a role to play in protecting ourselves and the nation from the impact of cybercrime and identity theft, and that role can begin in the workplace. 
The better you are at protecting your own workplace from cybercrime and identity theft, the fewer opportunities criminals, petty thieves, and even terrorists will have to exploit security vulnerabilities for their own purposes.
  1. "What technologies do you want to protect from your competitors (e.g., R&D, supply chain, pricing and customer service information, contracts, production and maintenance records, etc.)  Do you believe you are adequately protecting them?  Can you rank these items by level of importance?  
  2. What information or technology (including expertise in manufacturing, production, or operations) are foreign competitors lacking that keeps them from being competitive?  Identify the various applications (both military and commercial) of your product or service.
  3. Do you have a reporting program in place to track how and where your critical/emerging technologies are being targeted by domestic and foreign adversaries?  If so, what trends have you seen?"
  • Source:  FBI SPIN:  15-001
The genesis of any mature insider threat program begins with the strategic development of a robust counterintelligence capability within your Operational Risk Management (ORM) framework.  The future of your organization and the safety and economic security of the entire nation are at stake.

11 January 2015

Legal Risk: Forensic Analysis of Supply Chain...

Corporate environments where a dedicated Chief Information Security Officer (CISO) works alongside the General Counsel (GC) to tackle Operational Risk Management (ORM) continue to face a significant challenge.  The introduction of court-certified tools for forensic analysis of information on both desktop and mobile devices, including phones, tablets and anything with a storage capability (USB jump drives), has created an executive-level debate.  "What" information will we perform forensic analysis on, "why" and "when" will we do it?

The "Why" question is most obvious, like the analysis of DNA, the zeros and ones (0's and 1's) that make up the digital fingerprints (user names, passwords), blood-type (e-mail, SMS) and other behavioral evidence is important to associate the identity of the person(s) using a certain digital device. In addition, the ability to track the whereabouts of a particular digital device via GPS metadata or IP address, can also provide additional context and evidence, to be considered in the forensic examination.

The "What" information is in many cases going to be preceded by the "When" and has much to do with the policy in place within the corporate environment.  Modern "Acceptable Use Policy" may spell out that any device can be examined at any time, if it is a corporate issued and owned product.  Personal devices allowed in the workplace may be subject to a completely different set of policy doctrine, that falls under state and federal statutes.

The "When" question could be on a continuous basis and tied to a particular event, such as an employee who has given notice to leave the organization.  The event could also be the result of an alarm or alert that the Information Security team receives from an automated system within the corporate network.  So back to the challenges faced by the CISO vs. the GC on the Operational Risk Management process and addressing all of these issues.  Is it done in a legally sound manner that also achieves a "Defensible Standard of Care?"

Now imagine all of this going on within the confines of a small-to-medium size enterprise (SME). These organizations are typically defined as under 1000 employees, yet can be defined further by the type of business and industry.  Now imagine that this particular SME is operating within the Defense Industrial Base and is in the professional services supply chain of the top three U.S. government contractors, who are bidding on the next generation bomber for the U.S. Air Force.  What do we mean by supply chain?  This particular SME is one of the outside counsel for Lockheed Martin, Boeing or Northrop. Yes, this law firm is in the information supply chain, working on legal matters associated with a top tier defense contractor.

If you are the GC and CISO at LM, Boeing or Northrop, what controls and policies do you have in place, or service level agreements (SLA), that spell out the process to forensically examine the mobile devices of the lawyers and associates of your outside counsel? When?  Why?  The public disclosure of law firms and their associates being the target of nation state espionage is several years old.  When was the last time, as a GC or CISO, you had a closed door summit with the information supply chain of law firms working for your Defense Industrial Base (DIB) corporation in the U.S.?  If you are an SME law firm working in the supply chain of the DIB, What, Why and When are you using Forensic Analysis with all of your Partners, Associates, Paralegals and other people in your legal ecosystem?

Operational Risk Management (ORM) spans every department and every employee.  It requires prudent application of the use of forensic analysis, as a vital component of a comprehensive counterintelligence program.  And remember the why.  Spear Phishing of law firms has been a major warning since 2009 and over six years later, it is still growing because it remains so effective.

05 January 2015

2015: Risk of Trust Decisions 25 Years Later...

Operational Risk Management (ORM) in 2015 will encompass a higher degree of focus on the corporate enterprise privacy debate.  The "Privacy vs. Security" battlefield has been gaining momentum, as a result of the rapid pace of data breaches and massive corporate data espionage.

General Counsel in collaboration with outside law firms are developing new legal strategies for data loss incidents. "Incident Attribution" and proving harm by nation states is going to be a new defense, as the sophistication of malware payloads approaches the intent of "Stuxnet."

"Trust Decisions" are being made at light speed by a system-of-systems to operate the global banking and e-commerce infrastructure.  Connected globally by billions of computing machines, each of these digitally enabled humans are making dozens if not hundreds of digital trust decisions on a daily basis. Those trust decisions incorporate a number of rulesets known and unknown to the decision maker. The potential legal consequences of the wrong privacy policy or gap in compliance can cost your enterprise millions of dollars:
In 2007, a class action lawsuit was filed in the United States District Court of the Northern District of California against Facebook on behalf of 3.6 million users of Facebook concerning its “Beacon” program. KamberLaw represented the plaintiffs in this action and Cooley LLP represented Facebook. This suit was settled in 2009 and was granted final approval by the Hon. Richard Seeborg in March 2010. As part of the settlement, the parties created the Foundation (the Digital Trust Foundation) “the purpose of which shall be to fund projects and initiatives that promote the cause of online privacy, safety, and security.” The case settled for $9.5 million, with the Foundation receiving approximately $6.7 million after attorney’s fees, payments to plaintiffs, and administrative costs. There were four objectors to the settlement, two of whom appealed the approval to the Ninth Circuit Court of Appeals and subsequently the Supreme Court. But ultimately, in November 2013, the appeals were rejected and the Foundation was funded. The Foundation will distribute more than $6 million and will close its doors once all of the grants have been distributed and completed.
In this particular legal case of Facebook, the $6,000,000 in fees to further educate youth, understand socioeconomic status and privacy, assess digital abuse and enhancing privacy technologies will not solve the problem at hand.  This brings us back to "Trust Decisions."

Jeffrey Ritter believes in "Building Digital Trust" and he captures the essence of where the future solutions to help solve the global privacy problem will be found:
I discovered that, to build digital trust, I had to first stop and learn how humans achieve trust itself. In doing so, I figured out that trust is not an emotion; trust is an outcome of a complicated calculus that each of us performs countless times each day as we interact with the world around us. Trust is a decision process. The process is based on catalogs of rules we assemble and the information we gather with which to evaluate whether our assembled rules are being satisfied by the person, the tool, the system, or the information we are deciding whether to trust.
A "Trust Decision" by a machine involves the interpretation of a ruleset (databases of rules) established for a set of semiconductors and microprocessors to execute.  In most cases the initial ruleset was written in code by a human. Therefore, the software code written for the machine to execute will have flaws.  It will be capable of failure, errors or omissions. These instructions query other rulesets (laws, policies, historical precedence) that assist the human in making trust decisions.  This is just one of the reasons for the existence of data breaches.

2015 and beyond will be an opportunity to further define and debate our "Trust Decisions."  The years and decades ahead will be full of asymmetric warfare, fought by criminal syndicates for hire and implemented by rogue nation states themselves, all accomplished using this invention we call the "Internet," the same "Zeros and Ones" ecosystem we built to connect our billions of man-made machines.

A recent visit to the Computer History Museum in Mountain View, CA is a reminder about how far we have come and yet how much we are still in our infancy.  The Internet history timeline begins in 1962:
This Internet Timeline begins in 1962, before the word ‘Internet’ is invented. The world’s 10,000 computers are primitive, although they cost hundreds of thousands of dollars. They have only a few thousand words of magnetic core memory, and programming them is far from easy.

Domestically, data communication over the phone lines is an AT&T monopoly. The ‘Picturephone’ of 1939, shown again at the New York World’s Fair in 1964, is still AT&T’s answer to the future of worldwide communications.

But the four-year-old Advanced Research Projects Agency (ARPA) of the U.S. Department of Defense, a future-oriented funder of ‘high-risk, high-gain’ research, lays the groundwork for what becomes the ARPANET and, much later, the Internet.
By 1992, when this timeline ends,

  • the Internet has one million hosts
  • the ARPANET has ceased to exist
  • computers are nine orders of magnitude faster
  • network bandwidth is twenty million times greater
We are now arriving at the 25th anniversary of Tim Berners-Lee's first proposal for the World Wide Web.  Little did Tim know that it would become the core focus for Operational Risk Management (ORM) in our digital enterprises in the year 2015.