30 August 2015

CAG 20: Red Team Exercises...

The Consensus Audit Guidelines (CAG) have been public for years and the 20 controls are vital to our enterprise business resilience. One stands out however that is not automated and requires a specific advance Operational Risk Management (ORM) strategy. CAG: Critical Control 20: Red Team Exercises:
Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they burrow deep and expand the number of systems over which they have control. Most organizations do not exercise their defenses so they are uncertain about its capabilities and unprepared for identifying and responding to attack. 
This control goes beyond traditional penetration testing, which typically has the goal of identifying vulnerabilities and showing their business risks. Red Team Exercises are exercise in the traditional sense of military exercises where the three goals are improved readiness of the organization, better training for defensive practitioners, as well as inspection of current performance levels. Independent red teams can provide valuable objectivity regarding both the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even those planned for future implementation.
We would like to emphasize the importance of this strategy execution beyond the IT and Information Systems within the organization. In any significant business disruption or "incident", whether it be the breach and theft of a database full of "Personal Identity Information" (PII) or the breach of a rear window of a corporate executives residence to initiate a kidnapping plot; the goal remains the same:
"Attackers use tools to exploit a vulnerability; to create an action on a target, that produces an unauthorized result to obtain their objective."
Think about it for a minute. Whether it be the online digital world or the offline physical environment your organization is operating in today; someone is probing and testing your vulnerabilities. The only possible way for you to discover them before your adversary is to continuously attack your own business and it's assets. And possibly most importantly, it must be done on a clandestine basis:
clandestine from L. clandestinus "secret, hidden," from clam "secretly," from base of celare "to hide"
What value can be gained from exercises or testing that is conducted with advance warning to your staff or team? Very little. To execute the "Red Cell" approach to effectively improve and to increase the resilience of your organization, the strategy execution must remain secret. Yes of course there will be people placed throughout the organization, in key areas that know that the exercise or attack on the organization is a planned exercise. However, it is only for the safety and liability purposes, along with the potential injection of simulations that increase the effectiveness of the vulnerability testing.

The CAG has 20 controls that are focused on Cyber Defense and many of these will require manual intervention, planning and effective oversight. Automated tools can only go so far, to address the real goal of understanding human behavior during and after a "Real Incident" actually unfolds. In the context of using a Red Team exercise, you must include the use of Gavin De Becker's "Elements of Prediction" with your employees and stakeholders:
1. Measurability - How measurable is the outcome you seek to predict?
2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?
3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?
4. Context - Is the context of the situation clear to the person making the prediction?
5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?
6. Experience - Does the person making the prediction have experience with the specific topic involved?
7. Comparable Events - Can you study or consider outcomes that are comparable- though not necessarily identical- to the one being predicted?
8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?
9. Investment - To what degree is the person making the prediction invested in the outcome?
10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?
11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?
This is how and where you extend your physical controls to the actual people, who will make the difference before and during a critical incident in your enterprise.  Revisit the Consensus Audit Guidelines (CAG) for your enterprise.  It just might help you find that one place where the continuity of the business is at risk after a significant disruption or the one threat that still is hiding in the shadows.

23 August 2015

Legal Risk: The Insider Threat from Outside Counsel...

What will the "New Normal" be for the United States in the era of increased scrutiny on privacy law, civil liberties and the continuous quest for the security of the Homeland?  Operational Risk Management (ORM) professionals are ever more focused on "Information Operations" and counterintelligence functions while simultaneously working side-by-side, with their own General Counsel.  The laws in each state are changing and being updated as the Federal legislation stalemate continues:
Connecticut Updates its Data Security Laws, Imposing Stringent New Requirements By Ellen Moskowitz on July 15th, 2015 Posted in Legislation

On June 30, 2015, the Governor of Connecticut signed into law S.B. 949, “An Act Improving Data Security and Agency Effectiveness.”[1] The new law updates Connecticut’s data security laws, including by adding a 90-day hard deadline for data breach reporting, requiring companies in some cases to offer data breach victims a year of free identify theft prevention services, imposing new and specific data security program requirements on health insurance companies and other entities subject to Insurance Department regulation, and requiring state agencies to impose certain detailed security requirements on state contractors that maintain personal information. With a near constant stream of data breaches affecting entities from health insurers to retail giants to the government, the law responds to growing fears of data security.

Under the new law, beginning October 1, 2015, a data breach will require any person or entity conducting business in Connecticut to give notice “without unreasonable delay,” but now no later than 90 days after discovery of the breach, to state residents whose personal information was breached or reasonably believed to have been breached. The Connecticut Attorney General stated in a press release that 90 days is an “outside limit” that does not diminish his discretion to take action against entities who “unduly delay” notification.[2] Importantly, the law also requires the provision of at least twelve months of free identity theft prevention and mitigation services, but only in cases where Social Security numbers are breached or reasonably believed to have been breached.
If you happen to be concerned about the "Insider Threat" within your enterprise, then you realize the importance of creating the foundations for a sound legal framework.  One that addresses the rules that must be followed and the protocols for building trust with key corporate partners.  This includes the outside counsel that your enterprise engages with on an annual basis.

So what legal duty of care do your retained outside counsel have to secure your information?  What do they have in the environments that they operate in that may cause additional legal risks for your enterprise?  Do they understand the difference between information security and confidentiality?

First tier supply chain partners such as outside counsel are no different than the cloud provider or the HVAC contractor that may have access to the corporate network.  So what is the root cause of substantial intellectual property theft and industrial espionage targeted on law firms?  Failing to understand the vast landscape of "Operational Risk."  This includes negligent conduct and intentional misconduct.  So what can you do now to improve the outcomes of managing the legal risks of "Outside Counsel"?

Start a Dialogue:  Request a commitment to review the privacy vs. security environment of the key retained firms who provide the outside legal work for the enterprise.  Provide a case example of your corporate information security structure and priorities.

Ask Questions:  The whole spectrum of information security deserves a deep dive in the dialogue on managing digital information, making effective "Trust Decisions" and addressing eDiscovery and Records Management questions.

Team Together:  What if you worked with your outside firm to create a solution that included a collaborative design, prioritized execution, insisted upon cooperative feedback and insured continuous improvement?  Get your legal teams to train together with your CISO and CIO security teams.

Revise the Engagement Letter:  The contracting language must include the nuances of information security, privacy controls and an informative strategic plan for the inevitable point in time when there is a data breach at your outside counsel.  More here:
As Willie Sutton supposedly said, he robbed banks “because that’s where the money is.”  That also explains why law firms and lawyers are increasingly the targets of cyber-intrusion, particularly phishing scams.  Apparently, phishing in legal waters can yield a full net of stolen information.

“Most likely” to take the bait
Verizon’s 2015 Data Breach Investigations Report has found that a company’s legal department is among the ones that are “far more likely to actually open [a phishing] e-mail than all other departments.”

In case you’ve been living under a rock, “phishing” is the attempt to obtain sensitive information fraudulently by means of a deceptive electronic communication that appears to come from a trustworthy source.  (Some link the term to the indie rock group Phish, but according to Computerworld magazine, the term was coined round 1996, with the obvious analogy to the sport of angling using a lure.  Under that view, the “ph” is a nod to an old form of telephone hacking known as “phone phreaking.”)

Shockingly, Verizon found that 23 percent of recipients open phishing messages, and 11 percent click on the fatal attachments.

16 August 2015

Decision Advantage: Operational Risk Strategic Vision...

When the Board of Directors asks for a report on the Operational Risk Strategic Vision for the enterprise, will you have it ready?  The execution of strategy with the discipline of Operational Risk Management (ORM), requires a look "Over-the-Horizon" (OTH).  Why?

You have to realize the pace at which technologies are advancing.  You have to realize how your competitors are creating a decision advantage.  How will you apply the use of new data science, advanced hardware and software capabilities to augment your Human Capital, to replace Human Cognition?  So what are some of the categories that you should be researching, testing and implementing?   New strategic systems to secure, protect and improve the situational awareness or resilience of your organization?

Many of the places you will need to address, have to do with enhanced processing and management of data, from disparate places:
  • Coping with Scale - Advanced Analytics
  • Very Large Dataset - 4D Visualization
  • Data Standards and Governance - Sensor Priority Processing, Optimized Data Movement
Bringing tools to the data, data trust and provenance tracking, are a subset of governance.  Machine translation and wire speed language recognition, are subsets of a Multi-lingual textual data processing platform.

So what?  Why is all of this innovation required in the modern Operational Risk domain and why is it so important?  The simple answer is, international competition, from your adversaries.  Dynamic, Smart Metadata, metadata relationships and data that finds the analyst, are challenging areas today.  Natural language processing techniques and wire speed data tagging are vital.

"Data Mining will bring us "Cyber Situational Awareness", "Human-Assisted Machine Learning" and "Pattern of Life modeling".  Decision and intelligence advantage, is the key to many of these strategic initiatives."

Again, from a business perspective, so what?  If your organization is in the Information Technology Sector, then of course you understand that the competition is tough and your new advanced VM and/or shiny systems "Box" does need to stand out, with it's unique features and differentiators in the marketplace.  It must have some value-proposition to the customers, that few or no one else can provide at the moment.  Otherwise, why would you spend the money on educating the market, writing a check to Gartner, advertising, sales and business development?  Right?

The Board of Directors today might just understand the concept of "Decision Advantage."  What if you went to the next meeting of the outside directors and provided a narrative and presentation on "Decision Advantage"?  You want them to authorize the substantial budget for your own Operational Risk R&D.  You are asking them to invest in the future risk mitigation of the enterprise, that they have a fiduciary responsibility to safeguard for the shareholders.

You see, you are way behind the international competition.  When you view this visual of the current state-of-play going on this hour, this minute and this second, you really don't have the time to waste on authorizing more resources, to address many of the areas previously discussed here.  The future of your enterprise and the livelihood of your country is at stake.

The Research & Development (R&D) budgets for Operational Risk Strategy execution are tremendous.  Add it all up.  The question is, how effective is it for the enterprise to spend risk management and mitigation funds in each individual department of IT, HR, Marketing, Sales, Finance and Facilities.  Without a complete understanding and vision of how the spectrum of risks, threats and mitigations, are all interconnected and what tools, processes or technology are actually interdependent.

When something such as Enterprise Risk Management or even National Security is so mutually dependent,  (depending on each other) you have to ask the Board of Directors to pause, and to require the Operational Risk Strategic Vision.  Once completed, you will see what new technologies to invest in for your total budget of Research & Development funds, and where to spend it.

Perhaps the most important reason for this vision, is also to ensure your "Intelligence Advantage"...

09 August 2015

Leadership: Adaptive Risk for an Uncertain Future...

As the political season in the U.S. starts earlier and earlier each four year cycle, the question remains consistent from the rest of the world.  Will America lead the Cyber cold war in the next four years?  Operational Risk Management (ORM) is a necessary and vital component of any mission or project, from the Situation Room, inside your company, on the flight deck or on the front lines of conflict torn regions of the Sahel.

Transnational Organized Crime (TOC) and their proxies are constantly waging new malware campaigns on our global economic and intellectual property ecosystems, utilizing sophisticated new toolkits.  There are three key attributes to modern day "Threat Intelligence" and Eric Olson from Cyveillance explains:

1. Relevance – The information must relate to, or at least potentially relate to, your enterprise, industry, networks, and/or objectives

2. Actionable – It must be specific enough to prompt some response, change, action or decision, or to dictate an explicit and informed decision not to act

3. Value – Even if relevant and actionable, if the data (and the action) does not contribute to any useful business outcome, there is no value

When threat activity, known actors, historical tactics, or attack information can be combined with vulnerabilities, activity data, or other particulars present in your network and environment, then the information becomes relevant, actionable intelligence.

As a leader in the private sector the waves of globalization and regulatory mandates keep you striving for the entrepreneurial spirit, yet constantly constrained by new rule-sets and compliance initiatives.  Mitigating risks to the enterprise requires leadership that can span the visions of an environment with creativity and simultaneously the spirit of autonomy.  Modern day risk management is not only a leadership challenge, it is also a cultural challenge.  How do I get my people to think like a true entrepreneur and simultaneously provide them with the skills and knowledge they will need to survive in a hostile environment?
  • First off, you have no doubt heard somewhere along the way that High Performing Teams are the way to accomplish new fixes to software code or even to ensure the last mile of due diligence to get the leveraged buy-out to become a reality.  These High Performing Teams must be diverse and they need to have the time to cross-train each other in the specific skill sets necessary, to fullfill the desired outcomes.  If one person comes down with the flu or worse; you may be the one who has to fill in and pick up the slack.
  • Second, the cultural mind set shift must take place to becoming continuously adaptive.  Being adaptive means that you have to be able to incorporate both readiness and resilience in the same effort.  Making decisions that are rapid without time for formal planning, is foreign to some on the team.  You have got to get everyone to be as adaptive as the designated leader, because they will not always be there, to tell you or show you what to do next.
  • Finally, leadership decisions on the floor of the exchange, in the EOC or sitting across the table from your newest prospective client means that you have got to practice.  This capability of assets calls for you to continuously train and experience the emotions and see the results of your actions.  Good and bad.  These skills are perishable and require a tremendous investment in time and resources to make sure that the risks of failure are mitigated almost to zero.
What are you willing and able to do, to lead America in 2015 and beyond?  Think service before self-interest and you will be leading beyond the risks of an uncertain future for yourself and our country.

02 August 2015

Trusting Women: The Future of Irregular Warfare...

The economic engine of successful countries and the single family household, is typically the result of a dedicated and conscientious woman.  If your organization is planning to be more resilient and capable of continued growth, then make sure you have women in the most strategic Operational Risk Management (ORM) roles possible.

You may already understand why and there is continuing evidence that men, are just not the ideal person to be in certain positions of decision-making and other skilled business professions of the future.  The stories and the examples flow from the most clandestine and remote regions of Africa, to the valley associated with Silicon.

Women are now breaking through new barriers in all types of roles and in places that traditionally they have been forbidden.  Here is just one example of a trend to grow rapidly from Dan Lamothe at the Washington Post:
Only the swamps of Florida stand between two female soldiers becoming the first women to ever graduate from the Army’s famously difficult Ranger School.  The women have completed the school’s Mountain Phase, and will move on to the third and final phase of training, Army officials said Friday.

The women are attending for the first time as part of an ongoing assessment by the military about how it should better integrate women into combat roles in the military. It follows a 2013 decision by Pentagon leaders to open all jobs in the military to women by 2016.
When you really think about what the future roles of the new 21st Century Army and the trends of our asymmetric threats, are not women our best strategic weapon?  Irregular warfare will be dominating most days of our human conflicts into the future and women are well equipped to be the leaders of this trend.

Yes, there is evidence that earning the "Ranger Tab" requires physical stamina.  Simultaneously, the elite Army course requires superior problem-solving skills and adaptive intuition involving teamwork, where women excel.  Now you are starting to see why, it is vital to have women on any high-performance team, whether in the Hindu Kush or on the Internet front lines of "Achieving Digital Trust" with the next generation of our youngest knowledge workers.
Irregular warfare is warfare in which one or more combatants are irregular military rather than regular forces. Guerrilla warfare is a form of irregular warfare, and so is asymmetric warfare.  Irregular warfare favors indirect and asymmetric warfare approaches, though it may employ the full range of military and other capabilities, in order to erode the adversary’s power, influence, and will. It is inherently a protracted struggle that will test the resolve of a state and its strategic partners.[1][2][3][4][5] Concepts associated with irregular warfare are older than the term itself.[6][7]
As the future conflicts evolve into our pervasive digital domains and require the collection and analysis of relevant information on the front lines, women are the strategic choice.  History tells us clearly, that this is the case.  It is this kind of intellect and patience for building and sustaining relationships, that so many policy makers have recognized, across both public and private sector operations.

So who is just one good example?  Our future strategy must include the development of armies of women with the skills and talents of leaders like Sheryl Sandberg:
Sheryl Kara Sandberg (/ˈsændbərɡ/; born August 28, 1969)[3] is an American technology executive, activist, and author. She is the Chief Operating Officer of Facebook. In June 2012, she was elected to the board of directors by the existing board members,[4] becoming the first woman to serve on Facebook's board. Before she joined Facebook as its COO, Sandberg was Vice President of Global Online Sales and Operations at Google and was involved in launching Google's philanthropic arm Google.org. Before Google, Sandberg served as chief of staff for the United States Secretary of the Treasury.
You see, the Fortune 500 is now starting to wake up, to the reality of the current state of corporate "Irregular Warfare".  The ability to erode the competitions power, influence and will, is just the beginning of the conversation in creating reliable and growing shareholder value.  When you really start to evaluate the entire success of the Silicon Valley ecosystem or even the future economic engines of unknown villages across our globe, you begin to realize how it is driven and continuously being improved, by the skills and superiority of women.

So what is just one good example?  Our future strategy must include the development of armies of women with the strategic foresight of Opportunity International:
Opportunity International Trust Groups help entrepreneurs break free from the limitations of poverty by promoting solidarity and maintaining accountability.  Trust Groups consist of 10-30 entrepreneurs, mostly women, who meet once a week to share personal and business advice, receive financial training, and vote on loan-related topics.  Trust Groups build a safety net by guaranteeing each other’s loans -- if one member defaults on a weekly payment, everyone else must cover the costs.  This method has led to a loan repayment rate of 98%.
Vicki Escarra joined Opportunity International in 2012 as US CEO. Previously she has led several major initiatives to create a long-term strategic plan, rebrand the organization, streamline operations and increase global fundraising by 30 percent in 2013 to expand the organization’s work around the world. Before joining Opportunity International, Escarra spent six years as president and chief executive officer of Feeding America, the nation’s largest domestic hunger relief organization. Prior to Feeding America, Escarra spent nearly 30 years at Delta Air Lines Inc., where she rose to chief marketing officer. As one of the highest-ranking women in the aviation industry at the time, she oversaw $15 billion in revenue and led a workforce of 52,000.
When you hear a woman like Vicki, Sheryl (or Cheryl) talk about providing our organizations large and small with the training, education and the "Trust Decisions" to create and sustain growth, you can only imagine what is really possible.  If you have ever had the lucky chance to work with a woman like these three for months or decades, you understand the multitude of advantages.  You understand the reasons, why having women on every high performance team is imperative.  You can see their outstanding results.