Showing posts with label Botnet. Show all posts

06 April 2024

Vulnerability: Launching into the Future...

Looking in the rear view mirror at the Spring of 2004, the InfoSec World Conference in Orlando, FL was on the calendar.

Our flight from Washington, DC provided just enough time to plan out the sequence of sessions and events to attend in order to explore any new innovations.

At that point we were only in the first decade of our "Information Security" evolution.

"Before 'The Cloud.' Before IT standards could truly grasp the spectrum of sophisticated exploits that were soon to be developed by other nation states."

The guidelines and metrics developed that year by the Yankee Group were derived from The Laws of Vulnerabilities research, authored by Gerhard Eschelbeck, CTO of Qualys.

The Dynamic Best Practices in Vulnerability Management are based on key findings from The Laws of Vulnerabilities:

>> Half-Life: The half-life identifies the length of time it takes users to patch half of their systems, reducing their window of exposure. The half-life of critical vulnerabilities for external systems is 21 days and for internal systems is 62 days. This number doubles with each lower degree of severity.

>> Prevalence: 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. In other words, there is a constant flow of new critical vulnerabilities to manage.

>> Persistence: The lifespan of some vulnerabilities and worms is unlimited. In fact, the research shows significant spikes in the occurrence of Blaster and Nachi worm infections in 2004, months after they originally appeared.

>> Exploitation: The vulnerability-to-exploit cycle is shrinking faster than the remediation cycle. 80 percent of worms and automated exploits are targeting the first two half-life periods of critical vulnerabilities.

The best practices apply vulnerability management as the one solution IT can count on to measure and manage the effectiveness of a network defense program.

"Performing regular security audits is a vital step companies must take to keep up with the changing security landscape," said Eric Ogren, Senior Analyst at the Yankee Group. "With each new breed of attack, it is clear that best practices in IT security must be achieved for organizations to effectively protect critical network assets."

Based on these Laws, the Yankee Group defines four dynamic best practices for vulnerability management as:

1. Classify: Enterprises should identify and categorize all network resources. They should classify these resources into categories and tier a hierarchy of assets by value to the business. Critical assets should be audited every 5 to 10 days to identify vulnerabilities and protect against exploits. Based on hierarchical priority, lower category assets can be scanned less frequently as the work plans to patch will also be less frequent.

2. Integrate: To improve effectiveness of various security technologies such as server and desktop discovery systems, patch management systems, and upgrade services, enterprises must integrate with vulnerability management technologies. Best practice organizations should also report on operational progress against vulnerability goals to raise the level of awareness for security within the executive management team.

3. Measure: Enterprises need to measure their networks against the half-life curve and persistence curves of vulnerabilities. Graphically track the percentage of vulnerabilities mitigated within each 30-day cycle and the number of vulnerabilities that extend past 180 days. Chart the security team's performance to make sure the end result is risk reduction, especially to critical assets.

4. Audit: Security officers should utilize the results of vulnerability scans to understand a corporation's network security posture. Use the metrics to evaluate successes and failures of different policies to improve security performance. Use audit metrics to communicate security status to senior management.
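The "Half-Life" law and the "Measure" practice above are easy to state and rarely computed. The script below is an added example, not code from the original post, from Qualys or from the Yankee Group: it takes a set of vulnerability findings, derives the observed half-life (days until half of them were remediated), compares it with the 2004 benchmarks quoted above (doubling the benchmark for each lower severity), and produces the 30-day-cycle and past-180-days figures the "Measure" practice asks for. The findings are constructed sample data, and the `exposure`, `severity` and asset names are assumed classification labels.

```python
"""Vulnerability half-life and 30-day-cycle remediation metrics.

Added example for the Laws of Vulnerabilities "Half-Life" law and the
"Measure" best practice. Not code from the original post, Qualys or the
Yankee Group; findings below are constructed sample data.
"""
import math
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Half-life of critical vulnerabilities from the 2004 research quoted above.
HALF_LIFE_DAYS = {"external": 21, "internal": 62}
# Assumed severity ordering; the research says the half-life doubles per step.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    asset: str
    exposure: str               # assumed label: "external" or "internal"
    severity: str               # assumed label: key of SEVERITY_RANK
    first_seen: date
    remediated: Optional[date]  # None while still open


def benchmark_half_life(exposure: str, severity: str) -> int:
    """21/62 days for critical; doubles for each lower severity degree."""
    return HALF_LIFE_DAYS[exposure] * 2 ** SEVERITY_RANK[severity]


def expected_open_fraction(days_elapsed: float, half_life: float) -> float:
    """Share of systems still exposed after `days_elapsed` on a half-life
    curve: every half-life halves what remains, so 0.5 ** (t / half_life)."""
    return 0.5 ** (days_elapsed / half_life)


def age_days(f: Finding, as_of: date) -> int:
    """Days from discovery to remediation, or to `as_of` while still open."""
    end = f.remediated if f.remediated and f.remediated <= as_of else as_of
    return (end - f.first_seen).days


def observed_half_life(findings, as_of: date) -> Optional[int]:
    """Days until at least half of `findings` were remediated; None if that
    point has not been reached by `as_of`."""
    closed = sorted(age_days(f, as_of) for f in findings
                    if f.remediated and f.remediated <= as_of)
    needed = math.ceil(len(findings) / 2)
    if len(closed) < needed:
        return None
    return closed[needed - 1]


def half_life_vs_benchmark(findings, as_of: date, exposure: str):
    """(observed, benchmark) half-life for critical findings of one exposure."""
    subset = [f for f in findings
              if f.exposure == exposure and f.severity == "critical"]
    return observed_half_life(subset, as_of), benchmark_half_life(exposure, "critical")


def cycle_report(findings, as_of: date, cycle_days=30, persistence_days=180):
    """Percent of findings remediated within each `cycle_days` window of age
    (cycle 1 = 0-29 days, ...) plus open findings older than `persistence_days`."""
    pct = {c: 0.0 for c in range(1, persistence_days // cycle_days + 1)}
    still_open = persistent = 0
    for f in findings:
        age = age_days(f, as_of)
        if f.remediated and f.remediated <= as_of:
            cycle = age // cycle_days + 1
            if cycle in pct:
                pct[cycle] += 100.0 / len(findings)
        else:
            still_open += 1
            if age > persistence_days:
                persistent += 1
    return {"cycles": pct, "open": still_open, "open_past_persistence": persistent}


# Constructed sample findings (not real scan data).
SAMPLE_AS_OF = date(2024, 7, 1)
SAMPLE_FINDINGS = [
    Finding("web-1", "external", "critical", date(2024, 1, 10), date(2024, 1, 20)),
    Finding("web-2", "external", "critical", date(2024, 1, 10), date(2024, 2, 5)),
    Finding("vpn-1", "external", "critical", date(2024, 2, 1), date(2024, 2, 12)),
    Finding("db-1", "internal", "critical", date(2024, 1, 15), date(2024, 3, 20)),
    Finding("db-2", "internal", "high", date(2023, 12, 1), None),
    Finding("hr-1", "internal", "high", date(2024, 3, 1), date(2024, 4, 10)),
    Finding("file-1", "internal", "medium", date(2024, 5, 20), None),
    Finding("print-1", "internal", "medium", date(2024, 2, 10), date(2024, 6, 1)),
]

if __name__ == "__main__":
    print("overall half-life (days):", observed_half_life(SAMPLE_FINDINGS, SAMPLE_AS_OF))
    for exp in HALF_LIFE_DAYS:
        print(exp, "critical observed vs 2004 benchmark:",
              half_life_vs_benchmark(SAMPLE_FINDINGS, SAMPLE_AS_OF, exp))
    print(cycle_report(SAMPLE_FINDINGS, SAMPLE_AS_OF))
```

Run against the sample set, the external critical findings close in 11 days against the 21-day benchmark, the single internal critical finding takes 65 days against 62, and one high-severity finding has been open for more than 180 days, which is exactly the "persistence" figure the fourth practice wants reported upward.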

The notes written soon after that InfoSec World trip still provide vital context today, as we commercialize travel to space.

They show how, two decades later, the best practices are still very much the same.

Except for this.

Today, "Vulnerability Management" also has the Cloud, Quantum and more powerful AI…

02 April 2022

bon voyage: Web3 Generation Security...

Software developers must have a few thoughts in 2022 and beyond, about the design of public web sites or internal corporate systems.

Many of them are taught these software architectures over the course of a long career in information technology. Or a few hours watching YouTube.

When you set up your login account with an online site for the first time, do you ever ask yourself how they decided on this particular step-by-step process for your login credentials?

For example, is the sign-in page to your account requesting an E-mail address for your user name? Or your phone number?

Why?

OR is the sign-in page to your account requesting that you create a unique User Name that is “NOT” your E-Mail address?

Why?

In either case, most login info is validated before you get to see the box to type in your password. Or maybe not. A flow that confirms the identifier before asking for the password also tells anyone probing the form which accounts exist.

So what about the login page that has your E-mail Address and your Password fields both on the same page? One underneath the other.

You see, software developers have designed their site a particular way for a reason. Is it a standardized rule in the company, the city, the state, or a GDPR country?

Or is it something else. :)
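The difference between a login that validates the identifier first and one that treats every failure alike is visible in code. The two handlers below are an added example, not code from the original post or from any site it describes; the user store, the PBKDF2 parameters and the response strings are assumptions. The first handler answers differently for an unknown account and a wrong password (the same leak as a two-step form that rejects the e-mail before showing the password box); the second returns one message and does the same amount of password-hashing work on both paths.

```python
"""Account-enumerating login versus a uniform-response login.

Added example, not code from the original post. The user store,
hashing parameters and messages are assumptions for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store: username -> (salt, derived key). Not real accounts.
_ALICE_SALT = os.urandom(16)
USERS = {"alice@example.com": (_ALICE_SALT, _hash("correct horse", _ALICE_SALT))}

# Dummy record checked when the username is unknown, so that path costs the
# same as a wrong-password attempt (removes the timing tell).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


def login_enumerable(username: str, password: str) -> str:
    """Leaky: the message reveals whether the account exists, and an
    unknown user returns immediately without hashing anything."""
    if username not in USERS:
        return "no such account"
    salt, stored = USERS[username]
    if _hash(password, salt) != stored:  # plain != is also not constant-time
        return "wrong password"
    return "ok"


def login_uniform(username: str, password: str) -> str:
    """Hardened: same message and same work whether the username exists
    or the password is wrong; constant-time digest comparison."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    matched = hmac.compare_digest(candidate, stored) and username in USERS
    return "ok" if matched else "invalid credentials"


if __name__ == "__main__":
    for fn in (login_enumerable, login_uniform):
        print(fn.__name__, "->", fn("nobody@example.com", "x"), "|",
              fn("alice@example.com", "x"), "|",
              fn("alice@example.com", "correct horse"))
```

The uniform handler still has to tell a locked or unverified account apart internally (for logging and rate limiting), but that distinction belongs in the server's audit trail, not in the response body. Registration and password-reset forms leak the same way if they say "that e-mail is already registered."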

Now, we should all have Multi-Factor Authentication (MFA) enabled for our logins as well. If a site does not offer it, or does not require it, you have to ask yourself.

Why?

Perhaps some of you carry around a little device on your key ring (or are not allowed to) that has a PIN to open it, then a little LCD window that shows a 6 or 7 digit number that is constantly changing. You know who you are. "I am not using an Authenticator that is on my phone, designed by the same people who created the web site."

"And then there is this: You'll receive only one verification code each time you request two-step identity verification by text. See Privacy Policy and Mobile Terms and Conditions for more information. Message and data rates may apply."

Some of you have given up. Enough is enough.

Why not just let the computer USE MY FACE as a way to open up this device or this web site? After all, my ears sticking out are actually very unique, and the FACE ID software will never be confused.

Are you winning or losing in Web3?

Godspeed!

05 January 2019

Quantum Governance: The Rules of Trust...

People are learning to trust an AI to make decisions on their behalf. This will change our world exponentially in the next 10 years.

Now that roughly half of the world's population is connected to the Net, the AI of the IoT will be a growing trust factor in our daily lives.

We are accelerating beyond the simple tools of trusting that the answers to our questions are correct from "Siri" or "Alexa."  Accepting the trusted route from Google Maps on the most ideal navigation to our destination is already a given.

Beyond the consumer, the "Algo Bots" and Algorithmic Trading have already replaced what was once approximately 600 Goldman Sachs traders with 2 people overseeing daily operations on the floor. Others have already predicted the replacement of human operators in various public and private decision-making bodies.

So what?

Trust Decisions in the next decade will be augmented by "Artificial Intelligence" on a more frequent basis.  That is already a given for many groups of decision makers across the globe.  The question is, how will governments begin to regulate AI?

Who will be in charge of making sure that the code and the algorithmic activity is correct?  That the rules behind the Trust Decisions are correct?

You see, as the software becomes more invasive in an individual's daily life and we rely on it for the truth, governments will be involved. They already are.

The "rules for composing the rules" that lead to millions of people's trusted decisions are at stake. Maybe even more so, the evolution of "Quantum Law." For thought leaders such as Jeffrey Ritter, who for years has been so keen to articulate the emergence of governance of unstructured data, there is this:
"We are moving from a time in which we presume that all electronic information is true to a time in which we can affirmatively calculate what it is and know the rules by which it is governed on the fly," Ritter said. "That's quantum governance."
Those words will live on for others to contemplate. All of us will be considering them for our future, sooner rather than later.

So how might decision making bodies such as the U.S. National Security Council (NSC) utilize AI?  Greg Lindsay and August Cole have already addressed this years ago with METIS:

"The result is a national security apparatus capable of operating at, as you like to say, “at the speed of thought”—which is still barely fast enough to keep up with today’s AI-enhanced threats. It required a wrenching shift from deliberative policymaking to massively predictive analysis by machines, with ultimate responsibility concentrated in your hands at the very top."

In 2019, begin thinking deeper and longer about your TrustDecisions...

06 October 2018

National Security: Cyber Infrastructure Risk...

Is your organization a threat to National Security? That depends on whether you own, install, and maintain Critical Infrastructure. When you hear that term, "Critical Infrastructure" what comes instantly to mind? A bridge, a road or some other shovel ready project?

Yes, the hard leap for many to get their head around is that your cell phone, TV and Internet connection are vital "Critical Infrastructure" and if you are a Verizon, AT&T, Sprint or large cable company in the United States; National Security is a top of mind issue.

Is it possible that our country is at risk because of the same "Risk Management" paradigm that has plagued the Financial Services industry? A lack of resources and focus to deter, detect, defend and document risks to our critical infrastructure, could turn into a systemic and interdependent threat to our national security.

How can you make the case for a 2008 era economic meltdown in the financial services sector, to be similar to the potential failure of the Communications, Information Technology, Water or Energy sector?

It's easy. Look at human behavior and to the motivators of greed, selfishness and just plain blindness to a "risk bubble" just waiting to burst. Who will be the next Bear Stearns, in the Communications Sector?

The truth is that some Fortune 500 companies' marketing departments may have a larger budget than the information systems, internal audit and security departments combined. When the nuts and bolts, concrete and plumbing associated with electronic commerce, banking, and just plain mobile communications slow to a crawl or halt in their tracks, the government will have to do the same thing all over again.

Bail out or restore the industry and the companies, who are the lifeblood of our Critical Infrastructure.

Our National Security is at stake and the owners and operators are still waiting for the right incentives to invest in robust maintenance and security programs, instead of just more marketing. After all, market share is what shareholders ask about, along with how many new subscribers you won or lost last quarter.

How often do we hear the question at the shareholders meeting, that asks about the amount of downtime, failed systems or customers without service, as a result of a "Glitch" or fried circuit board?

So how does the electronic critical infrastructure really impact National Security?  The Department of Homeland Security (DHS) has the lead.  The mission is to lead the national effort to secure Critical Infrastructure from all hazards by managing risk and enhancing resilience through collaboration with the critical infrastructure community.

"The Office of Infrastructure Protection (IP) leads and coordinates national programs and policies on critical infrastructure security and resilience and has established strong partnerships across government and the private sector. The office conducts and facilitates vulnerability and consequence assessments to help critical infrastructure owners and operators and State, local, tribal, and territorial partners understand and address risks to critical infrastructure. IP provides information on emerging threats and hazards so that appropriate actions can be taken. The office also offers tools and training to partners to help them manage the risks to their assets, systems, and networks."

A culture of risk management is slowly moving its way into Board Room conversations, and the CEO may be on notice if the "Tone at the Top" is not focused on Enterprise Business Resilience. However, that "Tone at the Top" needs to go beyond the shareholder value conversation to the National Security topic.

One only has to look further in a few places on the "Net," to better understand what the offensive cyberwarfare conversation is all about, as the Advanced Persistent Threat (APT) has evolved in the past few years.

Once you understand that many cyber incidents involving U.S. Critical Infrastructure are just a test, you will realize that U.S. shovel-ready projects need a new public service announcement (PSA) with the shock value of a texting-while-driving campaign.

Risky behavior on the road and complacency about critical infrastructure within the corporate enterprise can have the same results. We have already nationalized the likes of AIG, Freddie Mac and Fannie Mae after the last financial crisis.

Perhaps it is time to do the same for Amazon, Verizon, AT&T, Sprint and others, who are vital assets in our National Security, and have them report directly to the Pentagon...think about it.

07 October 2017

Unanswered Questions: Leading Teams in a Virtual Domain...

The "Art and Science" of Leadership in disconnected environments is challenging to say the least.  The science might be initially enabled by the utilization of technology-based platforms including mobile smartphones, Cloud and even SATCOM capabilities.

The art or "How" of leading teams in a geographically dispersed area, across hierarchies of people with precision and speed is the hard problem.  The problem-set for so many growing organizations today.  How do you create a leadership mechanism with the right "Linchpins," to enable trust and simultaneously execute vital tasks, across silos with a single purposeful mission?

Frankly, it is quite complex. Yet there are proven methodologies and proven technologies that will quickly jump start and improve your team's problem-solving abilities and help it gain "shared consciousness." It all begins with the leaders implementing a single organizational lens to view the enterprise architecture or operational landscape before them, and communicating what they have experienced, witnessed and accomplished.

The shared "Network" of people, systems, philosophy, experience and purposeful mission is paramount to success.  The moving pieces of the network both human and technological or operational, work independently and yet they are becoming a single adaptive entity.

Building and enabling trust across domains, working groups, operators and the significant distance between horizontal or vertical communication, is now the nexus of the "Art and Science" of Leadership.  You have probably read countless books and seen inspiring talks, by people who have done it all, experienced it all and still to this day will admit, that the human organizational issues still keep them from sound sleep at night.

Will those individuals who are in front of the problem-set on your team act without hesitation? Do they have the best possible information at their fingertips to make the "Trust Decisions" to achieve their objective? How will the outcomes of their actions build on the entire team's goals and aspirations?

Whether your team is a family, a work group, the neighborhood, a company, a municipality or an agency doesn't really matter.  The people, processes, systems and external events are going to continuously challenge the intended forward direction.

So what?

This is all great, yet it sounds like we are describing environments where all of this leadership action is taking place in a purely physical world.  What happens when 99% of it is happening in a "virtual space?"

Inside the virtual computing consciousness of the global Internet, across a domain of space made possible by Virtual Machines (VM), solid-state storage and the software comprised of just Zeros (0) and Ones (1).  Now just add billions of interconnected (IP) devices.

The good news is that much of this virtual environment still requires human intervention and human participation. Simultaneously, global systems automation, Bots, Artificial Intelligence (AI) and other autonomous "Machine Learning" inventions are now on our doorstep. This is our new reality:
The speed that the autonomous machines are making decisions and the abilities they are gaining in shared consciousness, is in most cases beyond human understanding.  The global organizational and national security implications are gaining momentum.
So what does leadership need next, for us to survive the remarkable velocity of our Trust Decisions, in an exponential virtual world?  How do we put it all in perspective?  What are the remaining unanswered questions? Author Jeffrey Ritter gives us his insightful context from decades of experience:

"It is essential to our human nature to make trust decisions. The Net has become essential to our existence. Whether or not this book prescribes the right direction, we will not survive as a global community unless we commit to a new architecture that enables trust in the digital assets of our world to be established and maintained. The solution, I believe, is found in understanding that trust is the essential predicate to the creation of new wealth. Working collaboratively, the world’s population can achieve both trust and wealth.

From my earliest work with the United Nations, I have recognized that the greatest potential of the Net is its ability to enable any of us to trade with anyone else. Trade inherently creates wealth for all of the participants. The curious thing about trade is that, when it proceeds properly, enriching all stakeholders, trade is the ultimate dis-incentive for war. We simply are reluctant to do battle against those with whom we do business. If digital trust can expand our capacities to trade, and connect us effectively into a broader network with whom we can trade, the strongest possible incentives for sustaining peace emerge. That is my fondest hope for the Net, that it will be the infrastructure for enabling global co-existence. To achieve that dream, we must build digital trust."


What are your unanswered questions?...

08 January 2017

Symbiosis: Information Advantage in a Virtual Battlespace...

Symbiosis with machines to gain information advantage is a challenging problem-set. The magnitude of Operational Risks will now soar as we pivot towards machines that perform more as autonomous colleagues. Pre-programmed instructions have been the standard for our software-based systems, until now.

The integration challenges ahead on the leading edge of "Information Advantage" produce a spectrum of new-born problems to solve. User interfaces driven by speech or by new Virtual Reality (VR) capabilities are just the dawn of a new era. DARPA (BAA-16-51) is already headed this direction:
The symbiosis portfolio develops technologies to enable machines to understand speech and extract information contained in diverse media, to learn, to reason and apply knowledge gained through experience, and to respond intelligently to new and unforeseen events. Application areas in which machines will prove invaluable as partners include: cyberspace operations, where highly-scripted, distributed cyber attacks have a speed, complexity, and scale that overwhelms human cyber defenders; intelligence analysis, to which machines can bring super-human objectivity; and command and control, where workloads, timelines and stress can exhaust human operators.
"Technological surprise" is a complex area of research.  The problems to be solved are tremendous.  Information advantage in virtual environments has been developing for years.  15 plus years before the U.S. Department of Defense utilized the concept of a public "Bug Bounty" style program for vulnerability discovery on public-facing systems, Bug Bounties were used by the private sector.

Automated Testing tools and the ability to run software scripts that can simulate a human behind the keyboard, were invented more than a decade ago.  It is time for the next generation of information advantage to be addressed; combined with a strategic and policy focused initiative.

Why?

Principal Investigators understand the stakes within the cyber domains.  The myriad of adversaries have advanced far beyond current capabilities and are even utilizing our own infrastructure against us.  Their abilities to adapt and change direction, cloak their presence and attack from new locations is finally being understood in the Board Room.

Yet what is the business problem that is being addressed?  Who are going to be the primary beneficiaries of any new invention or solution?  More importantly, why will they continue to use it?

In between commercial-off-the-shelf (COTS) and military unique systems is the zone we shall be navigating to in the next few years.  Military adapted commercial technology is the place for tremendous opportunity and new innovation.

How will we get there?

Since there is no viable rapid acquisition structure in place, new leadership and resources will be required to deploy these solutions. The entrants to this area will prosper if they are able to mobilize strategically and with speed.

Information advantage is a lofty goal and worth the ambition to achieve it soon. The speed to attain even a slight edge over the adversary is a whole different strategy when you are talking about information operations. Unlike the traditional air or sea domains, the speed and ability to scale, deploy and execute with COTS is exponential.

How long did it take start to finish, for physical solutions such as "PackBot", "TALON", "Sand Flea", "BigDog", "Cheetah", "Perdix", "RiSE", "BEAR" and "WASP" to make it onto the operational arena?  The ARGUS-IS camera on a "Global Hawk" UAS generates 1 million terabytes of data daily with a "persistent stare", to track all ground movements in a medium size city from 60,000 ft.  How long did the procurement take to get this capability into the physical domain?

The speed in the current information warfare domain is exponential using COTS and IoT.  Using existing Virtual Machines on AWS-like infrastructure, combined with IP-addressable CCTV cameras to launch a DDoS on a DNS provider in minutes or hours is just one example. The "Mirai botnet" is just another tool (weapon) in the information advantage virtual battlespace.

So what?

Symbiosis with machines to gain information advantage, is a challenging problem-set.  Think about the time it takes to design, procure and deploy a robot solution on the physical field of play.  Now think about the same, in the almost limitless virtual domains across the globe.  The challenges ahead are formidable and the really hard problems to be solved, remain endless...

15 May 2016

Know Your Customer: ISP Future Horizon...

The American public is changing their behavior as a result of the privacy and security failures across the private sector business policy landscape.  As the latest NTIA survey data reveals again, online commerce is being impacted and government agencies are now trying to further communicate there is a growing problem:

Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online Activities
May 13, 2016 by Rafi Goldberg, Policy Analyst, Office of Policy Analysis and Development

Every day, billions of people around the world use the Internet to share ideas, conduct financial transactions, and keep in touch with family, friends, and colleagues. Users send and store personal medical data, business communications, and even intimate conversations over this global network. But for the Internet to grow and thrive, users must continue to trust that their personal information will be secure and their privacy protected.

NTIA’s analysis of recent data shows that Americans are increasingly concerned about online security and privacy at a time when data breaches, cybersecurity incidents, and controversies over the privacy of online services have become more prominent. These concerns are prompting some Americans to limit their online activity, according to data collected for NTIA [1] in July 2015 by the U.S. Census Bureau. This survey included several privacy and security questions, which were asked of more than 41,000 households that reported having at least one Internet user.

Perhaps the most direct threat to maintaining consumer trust is negative personal experience. Nineteen percent of Internet-using households—representing nearly 19 million households—reported that they had been affected by an online security breach, identity theft, or similar malicious activity during the 12 months prior to the July 2015 survey. Security breaches appear to be more common among the most intensive Internet-using households.

This survey is indeed only one facet of a much larger topic and pervasive problem. Digital Trust is the output of making affirmative "Trust Decisions" with computing devices. Whether they are machine-to-machine, person-to-machine, or machine-to-person, they require several technology engineering elements and business rules that are understood and agreed upon. The question is, by whom?

Consumers who are using the Internet for communications and commerce and are the victims of Identity theft, stolen funds or other fraudulent schemes, are just the first wave of targets for transnational organized crime (TOC).  We have known this since the invention of virus scanners and bug bounty programs, in the early days of the 21st century.

Yet fifteen plus years later, the government is doing a study on consumers' feelings about privacy and security. As a business or a consumer, we understand that the speed of commerce and technology is always far ahead of the regulations and the laws. When enough people or businesses seem to be harmed, the momentum for policy shifts begins, and new laws are sometimes enacted after thousands of pages of semantic negotiation.

The answers and the outcomes we seek will come.  However, they will not first be solved by politicians and lawyers.  They will be mostly solved by our brilliant mathematicians, software engineers and data scientists.  At this point in time, we are getting so much closer to achieving digital trust through new innovations and inventions.  Just look at IBM Watson.

It is now time for business and commerce to begin the process of finding the truth.  Why do we continue to allow the levels of known bad actors to operate inside and within our networks?  It's a numbers game and it is because the criminals also employ the smartest social engineers and data scientists.

Digital Trust in the next fifteen years will mean something different than it does today.  We will have found the formula along the journey, the new equations and the rules agreed upon by all to make online and digital commerce more safe and secure.  So what will we do today and tomorrow, until the engineers and scientists save the day?

At this point in time, it is simply called "Know-Your-Customer" (KYC). If this were utilized more effectively across critical infrastructure sectors beyond finance in our digital economy, then we would be making some progress. Where are we talking about next?

The FTC and FCC are well on their path to defining those critical elements of improving the trust that consumers have using their digital tools with ICT and on service providers web sites.  Yet even to this day, you still can find the criminals using and leveraging our own Internet Service Providers (ISP) to launch their attacks and perpetuate their fraudulent schemes.  How will this ever be deterred?  Could a version of KYC work with the ISP's?

Even with a global banking system in place you have pockets of greed and deceit.  Rogue nations or territories that have become the go-to-locations for the transnational organized crime syndicates to flourish.  Yet we can do much better, than we are today.

Just ask any "BlackHat" hacker from Eastern Europe who they prefer to do business with. Query the experts that exist on the dark side and you will find the ISPs they prefer to do business with. One day the regulators will realize this is where the business of e-crime has an opportunity for change and additional reform. It will be more than just opening an account to gain access to the Internet. It will be about scaling up our systems to a future horizon with new rules and robust real-time behavioral predictive analytics. In the meantime:
May 11, 2016 
In testimony before Congress today, the Federal Trade Commission outlined its work over the past 40 years to protect consumers’ privacy at a hearing convened to examine privacy rules proposed by the Federal Communications Commission.

Chairwoman Edith Ramirez and Commissioner Maureen Ohlhausen testified on behalf of the Commission. The testimony before the Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law provided background on FTC law enforcement efforts, policy work and consumer and business education programs related to protecting consumers’ privacy.

The testimony highlighted the FTC’s extensive history of privacy-related work. The testimony noted that the agency has brought more than 500 privacy-related enforcement cases in its history against online and offline companies of varying sizes, including companies across the internet ecosystem. In addition, the testimony highlighted a number of recent cases of note.

The testimony also provided information on the FTC’s policy work in the privacy area, going back to its first internet privacy workshop in 1996. The testimony noted that recent policy work has been based on principles featured in the FTC’s 2012 privacy report, and also highlighted workshops and reports related to the Internet of Things, big data, and other issues, including cross-device tracking.

The testimony also described the FTC’s extensive consumer and business education efforts related to privacy, including the FTC’s Start With Security campaign for businesses, and the newly-updated IdentityTheft.gov.

27 June 2015

CRO: The Modern Day CISO...

In light of the new clairvoyance in many Board Rooms authorizing management to hire a dedicated CISO, Operational Risk Management (ORM) professionals have to smile.  Some are even laughing out loud.  Why?

The Boards of Directors in organizations around the globe are finally waking up to the digital battlefield that has been fought in the information technology trenches since the late 1990s. Only a very few saw the threat horizon for "Botnet" enabled cyber malware and the sophisticated, complex information operations of nation states. Organizations that have had a Chief Information Security Officer (CISO) participating in Senior Management for more than a decade are rare.

So what are the attributes of the ideal CISO?  If the Board of Directors is going to find the best person for the role in their organization, they must have a baseline of requirements for the search.  What do they need to know and what do they need to understand about Information Security?  What is the ratio of skills and knowledge that is balanced between technical, business and operational domains? How do you judge the potential CISO's ability to grasp the vast interdependencies in the enterprise with other business processes?

The modern day CISO has certainly evolved since the early 2000s.  The first generation of CISOs was hired long before the latest NIST Framework, the Personally Identifiable Information (PII) definitions and the data breach notification requirements mandated by state and federal agencies.  The modern day CISO has all of this as a baseline, yet so much more.  The CISO today needs to understand Operational Risk Management (ORM) more than ever.

You see, the Board of Directors really needs to understand that the CISO domain within the enterprise does not manage or mitigate risk to information assets alone.  Here are just a few of the categories the modern day CISO must have mastered (they are the eleven control clauses of ISO/IEC 27002:2005):
  1. Security policy - management direction
  2. Organization of information security - governance of information security
  3. Asset management - inventory and classification of information assets
  4. Human resources security - security aspects for employees joining, moving and leaving an organization
  5. Physical and environmental security - protection of the computer facilities
  6. Communications and operations management - management of technical security controls in systems and networks
  7. Access control - restriction of access rights to networks, systems, applications, functions and data
  8. Information systems acquisition, development and maintenance - building security into applications
  9. Information security incident management - anticipating and responding appropriately to information security breaches
  10. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
  11. Compliance - ensuring conformance with information security policies, standards, laws and regulations

Operational Risk Management (ORM) touches each of these 11 categories and more.  The CISO who understands the interdependencies of these categories, and how they intersect with the other senior managers in the enterprise, is the key.  How do you Plan-Do-Check-Act (P-D-C-A) with the VP of Human Resources?  How do you design the "Acceptable Use Policy" and adapt consumer privacy policies with your General Counsel and the legal staff?  How do you coordinate with the Chief Financial Officer (CFO) or the Chief Security Officer (CSO), who is likely to have been on staff far longer than most of the others?

The modern day CISO, equipped with a substantial understanding and comprehension of Operational Risk Management (ORM), will be able to interface easily with the other senior managers.  They will be able to do this because they have a substantial grasp of enterprise business operations.  They know how to run a business and they know how business is run. They know how to mitigate the risk of loss events within and to the business.  The CISO of the modern day enterprise has the ability to discuss with confidence, the risks associated within every other domain within the enterprise architecture. Why?

It is because the title of the position includes the word "Information."  Yet maybe the title should not include the word "Security," as this could diminish the risk management roles: risk mitigation, risk avoidance.  In reality, the CISO should now become the "Chief Risk Officer" (CRO).

Information is a given.  It is the lifeblood of the organization.  Each front line manager or director knows they are responsible for the security of their proprietary or sensitive information.  Yet do they understand the "Why" of a holistic approach to mitigating systemic risks within the entire enterprise? Do they truly understand the necessity for a robust counterintelligence program within their global organization?  Do they even realize that their trade secrets and vital research and development formulas are being sold to the highest bidders, in an electronic marketplace designed for transnational organized crime (TOC)?  Do they know how this ecosystem works and why their organization may be the target?

What about the risks to organizational personnel who travel to places on the globe where OSAC has issued travel warnings or security messages to U.S. citizens?  Does the CISO understand the scope of international business operations and the interdependent third party supply chain?

The CISO shall now become the CRO.  The CRO shall be the master of Operational Risk Management (ORM).  Information Security is a given for the future state.  The Board of Directors shall be asking the Executive Recruiters to change the overall requirements for their next addition to senior management, if they haven't already.

25 February 2012

RSA Conference: CSO Insomnia Over Insider Risk...

Next week in the U.S., thousands of risk management and security professionals will be invading the RSA Conference in San Francisco. The myriad topics, education sessions and case studies are worth examining to see what is on the minds of the thought leaders and practitioners who are also the designated speakers. You can even look to the popular press to see what this year's biggest worries will be:

  1. Mobile Devices
  2. Advanced Persistent Threat
  3. Big Data Privacy
  4. Hacktivists

However, if you spend some time drilling down on each of these topic areas and really look at the actual presentations, some are based upon real cases and research and others are not. The one presentation that caught our eye addresses what some savvy CSOs would say keeps them sleeping with one eye open each night: their insomnia over the "Insider Threat." That person, or organized group of unidentified subjects, who is there to recruit vulnerable people into initiating or perpetuating crimes against the organization.

Dawn Cappelli runs the Insider Threat Center at the Software Engineering Institute and highlights these areas of concern from their research and analysis of real cases:

The CERT Top 10 List for Winning the Battle Against Insider Threats

Dawn M. Cappelli Director, CERT Insider Threat Center CERT Program, Software Engineering Institute Carnegie Mellon University

  • 10. Learn from past incidents
  • 9. Focus on protecting the crown jewels
  • 8. Use your current technologies differently
  • 7. Mitigate threats from trusted business partners
  • 6. Recognize concerning behaviors as a potential indicator
  • 5. Educate employees regarding potential recruitment
  • 4. Pay close attention at resignation / termination!
  • 3. Address employee privacy issues with General Counsel
  • 2. Work together across the organization
  • 1. Create an insider threat program NOW!


Number Three on the list is in the top third for good reason. Employees, and the policy decisions on what data is owned by the company and what is owned by the employee, are of grave concern these days in the United States. After so many years it looks as if this issue is going to get more heated and see the light of day from a congressional point of view. Yet the CSO must feel that the safeguards necessary to keep the organization safe and secure are not yet in place. Catherine Dunn of ALM's Corporate Counsel sheds more light on this:

According to a new White House report on consumer data privacy protection, trust is worth a lot of money to U.S. businesses—users have to know their data will be protected if the economic engine of digital innovation is to keep roaring. Ergo, the U.S. needs a privacy framework that’s “flexible” enough to accommodate industry innovation, and comprehensive enough that consumers will feel safe—and keep clicking.

But trust between consumers and companies in the U.S. is only part of the equation. There’s another important element, too: how compatible U.S. safeguards are with those of the rest of the world, and particularly Europe. This new proposal arrives a month ahead of a conference on data protection between E.U. and U.S. officials in Washington, D.C., leading to questions about whether Europe and the U.S. are any closer to getting on the same page when it comes to data privacy.

The answer not only depends on who you ask, but also what section of the White House’s report you’re looking at. The white paper lists seven principles and stresses that these principles should form the basis of voluntary codes of conduct adopted by industry. Once adopted, the Federal Trade Commission would have the power to enforce compliance to those codes. The paper also includes a call for Congress to pass legislation based on these principles, and devotes a section to “international interoperability”—which considers how data can be sent across international borders without violating laws on either side of the transaction.

This is where we need to make sure we understand the difference between what privacy issues have to do with a company employee and the privacy associated with just a U.S. consumer, who is not an employee but perhaps a member, client or customer of the organization.

If we go back to the big worries at RSA and combine this with the employees who are operating at the "Speed of Business" in your enterprise, you begin to see the difference. Actually, if you think about it some more, every employee of the organization has a duty to care for the information inside the organization, in order to better protect the assets of the enterprise but simultaneously the assets of the consumer.

The consumer assets are their "Personally Identifiable Information" (PII) and this represents, in many cases, what the organized criminals are after in the first place. This is where the outside recruitment threat has its nexus. However, the highly trained and state sponsored agents placed inside the enterprise to steal corporate or national security secrets are few and far between these days. That may be surprising to some, but if you look at how the exfiltration of data is taking place, it is almost all automated. No human intervention is required.

If that is the case, then what are Dawn Cappelli and the Insider Threat Team at CERT so concerned about? From their research insights:

Criminal enterprises mask their fraud by involving multiple insiders who often work in different areas of the organization and who know how to bypass critical processes and remain undetected. In several cases, management is involved in the fraud. Those insiders affiliated with organized crime are either selling information to these groups for further exploitation or are directly employed by them. Ties to organized crime appear in only 24 cases in the CERT insider threat database and are characterized by multiple insiders and/or outsiders committing long-term fraud.
All of the insiders involved with organized crime attacked the organization for financial gain. The insiders usually were employed in lower level positions in the organization, were motivated by financial gain, and were recruited by outsiders to commit their crimes. The average damages in these cases exceed $3M, with some cases resulting in $50M in losses.


Now you know why your CSO is headed to the RSA Conference this week and why they are sleeping with one eye open these days.

13 February 2011

Digital Domains: Threats to Nation States and Corporate Board Rooms...

For the last two plus weeks the planet Earth has witnessed the use of digital social media to help facilitate the overthrow of the 30 year reign of Hosni Mubarak in Egypt. Is this the last example of how the use of the Internet, combined with the masses of humanity, can overthrow government leadership? The Operational Risk to nation states, and the implications for business, commerce and political outcomes, are increasingly being subjected to the new digital influence of social networking apps.

(CBS) The revolution in Egypt was historic not only for toppling President Hosni Mubarak after 30 years, but for revealing the awesome power social media had amassed - enough to be the instrument that inspired hundreds of thousands of people already staunchly opposed to the regime to rise up and act as one.

Now the questions are already being asked - can social media's power be used that way again and if so, where and when?

The protesters in Egypt were mobilized largely via the use of Facebook and Twitter, over 18 long days.

The revolt there is already being dubbed the Social Media Revolution.

It started Jan. 25, with a call-to-action -- from a Facebook page dedicated to Khalid Said, an Egyptian businessman who was beaten to death by police last summer after threatening to expose police corruption.

Millions of Egyptian youth are big users of Facebook, and saw the page.

Over time, a few prominent faces emerged from the masses. One, Google executive Wael Ghonim, identified by Mubarak's government as the creator of that first Facebook page, was detained.

But the movement had already gained momentum.

Facebook and Twitter, said one protester, "It's a very good way for communication. It has no power or control from anyone."

Now that the US State Department has established a Twitter feed in Arabic, the odds are that the strategy to more effectively communicate US policy to the Muslim world will grow. The risks associated with the speed of communications via the Internet and "Ground Truth" situational awareness have forever changed the meaning of an "Intelligence-led" enterprise. The continuous news cycles fueled by the masses will provide Fortune 500 executives and the world's nation state leaders with the sentiment on their brand, their policy or their reputation at the touch of a personal "Blackberry" or "iPhone."

What has not changed, however, is the requirement for increased confidentiality, integrity and assurance of information, whether that is streaming from the US State Department feed or the public relations department of a company such as Cisco. Will human behavior migrate from reading the latest official press releases to the Facebook and Twitter feeds to better understand the current state of affairs at a company? The answer is both. It will just be a matter of what lens you want to look through to determine the truth about a subject or situation at the organization you are investigating.

The information integrity conversation is ongoing from the board room to the battlefield. How do you continuously ensure that the intelligence or the digital data you are receiving is the truth and has not been changed along the path to the leaders' decision support consoles? Monitoring the information streams within an organization is not only a strategic necessity, it is a survival requirement.

The company that runs the Nasdaq stock market said Saturday that hackers had penetrated a service that handles confidential communications between public companies and their boards.

The service run by Nasdaq OMX Group Inc. carries strategic information for about 300 companies. The company said it appears no customer data was compromised.

Nasdaq OMX said the hacking attempts did not affect its trading systems. Nasdaq is the largest electronic securities trading market in the U.S. with more than 2,800 listed companies.

The targeted application, Directors Desk, is designed to make it easier for companies to share documents with directors between scheduled board meetings. It also allows online discussions and Web conferencing within a board.

Since board directors have access to information at the highest level of a company, penetrating the service could be of great value for insider trading. The application's Web page says "Directors Desk provides multiple layers of security to protect our clients' most vital corporate records."

The Digital Domains will continue to be threats to Nation States and Corporate Board Rooms for years and decades to come.

29 July 2010

Employee Misconduct: Mitigating Insider Risks...

The new 2010 Verizon Data Breach Investigations Report is a valuable read for OPS Risk professionals who focus on data breach and incident response. The full breach report can be found at Verizon Business.

We have to agree with the observations made by Brian Krebs on the following topic in the report:

A key finding in this year’s report is that most companies suffering breaches missed obvious signs of employee misconduct – breaches that were either initiated or aided by employees. Sartin said in almost every case where a breach investigation zeroed in on an employee as the culprit, investigators found ample evidence that the employee had long been flouting the company’s computer security and acceptable use policies that prohibit certain behaviors, such as surfing porn or gambling Web sites on company time and/or on corporate-issued laptops.

The study found a strong correlation between ‘minor’ policy violations and more serious abuse. From the report: “Based on case data, the presence of illegal content, such as pornography, on user systems (or other inappropriate behavior) is a reasonable indicator of a future breach. Actively searching for such violations rather than just handling them as they pop up may prove even more effective.”
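
What the "actively searching" recommendation looks like in practice, as an added example that is not from the Verizon report, from Brian Krebs or from any proxy product: a script that parses web proxy log lines, counts each user's requests in acceptable-use-violating categories inside a time window, and ranks the users who cross a threshold so an investigator looks at them first. Blocked requests are counted alongside allowed ones, because the attempt, not the page, is the behavioural indicator. The log format, the category names, the sample lines and the threshold are all constructed assumptions.

```python
"""Proactive hunt for acceptable-use violations in proxy logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumption: the proxy tags each request with a content category.
VIOLATION_CATEGORIES = {"adult", "gambling", "proxy-avoidance"}

# Constructed proxy log: "<iso-time> <user> <action> <category> <url>"
SAMPLE_LOG = """\
2010-07-26T08:55:10 jdoe ALLOW business http://intranet.example/portal
2010-07-26T12:03:44 jdoe BLOCK gambling http://bets.example/odds
2010-07-26T12:04:01 jdoe ALLOW gambling http://bets2.example/live
2010-07-26T12:10:00 asmith ALLOW news http://news.example/
2010-07-26T22:15:30 jdoe BLOCK adult http://xxx.example/
2010-07-27T09:00:00 bwong ALLOW proxy-avoidance http://anonsurf.example/
2010-07-27T09:01:12 jdoe ALLOW proxy-avoidance http://anonsurf.example/tunnel
"""


def parse_line(line: str):
    """Split one log line into (time, user, action, category, url); None if malformed."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, user, action, category, url = parts
    return datetime.fromisoformat(ts), user, action, category, url


def _as_time(value: Optional[str]) -> Optional[datetime]:
    """ISO-8601 string -> datetime; None means 'no bound'."""
    return datetime.fromisoformat(value) if value else None


def violations_by_user(log_text: str, since: Optional[str] = None,
                       until: Optional[str] = None) -> Dict[str, Counter]:
    """Per-user counts of requests in violating categories within [since, until].

    Blocked requests count too: the block stopped the page, but the attempt
    is the behavioural indicator the report describes.
    """
    lo, hi = _as_time(since), _as_time(until)
    per_user: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, _action, category, _url = rec
        if lo is not None and ts < lo:
            continue
        if hi is not None and ts > hi:
            continue
        if category in VIOLATION_CATEGORIES:
            per_user[user][category] += 1
    return per_user


def flag_users(log_text: str, since: Optional[str] = None, until: Optional[str] = None,
               threshold: int = 3) -> List[Tuple[str, int, Dict[str, int]]]:
    """Users with at least `threshold` violations in the window, worst first."""
    rows = [(user, sum(cats.values()), dict(cats))
            for user, cats in violations_by_user(log_text, since, until).items()]
    rows.sort(key=lambda row: row[1], reverse=True)  # stable: ties keep log order
    return [row for row in rows if row[1] >= threshold]


if __name__ == "__main__":
    for user, total, cats in flag_users(SAMPLE_LOG):
        print(f"{user}: {total} violations {cats}")
```

Run against the constructed log, jdoe is the only user over the default threshold (four hits across three categories over two days); narrowing the window to 27 July alone drops everyone below it, which is why the window and threshold belong in the review procedure rather than being hard-coded.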


The "Insider Threat" continues to be underestimated, and all of the monitoring tools will not be able to stop it completely. Ever. So what are some of the solutions to address the issues at hand? Here are a few ideas worth exploring, not so much for the Fortune 500 enterprise as for the small-to-medium enterprise (SME) that does not have the budget or the internal staff to engineer a robust and resilient infrastructure. They each have a place in a layered approach to cyber defense:

Idea #1: ScanSafe

Cisco recently acquired the pioneering SWG SecaaS company ScanSafe. ScanSafe continues to execute well and has the largest market share in the SecaaS market including several organizations with well more than 100,000 seats. ScanSafe is expected to form the basis of an increasing array of Cisco SecaaS offerings, starting with the addition of e-mail. Cisco's credibility with the network operations team, the progressive development and market growth of the S-Series and the acquisition of the leading SecaaS provider moved Cisco into the Leaders quadrant this year.

Idea #2: IronKey

IronKey was chosen by the Reader Trust Voting Panel, comprised of security and technology experts from large, medium and small enterprises from all major vertical markets, representing the wide distribution of SC Magazine readers. With an unprecedented number of entries submitted the 2010 SC Magazine readers selected IronKey over competing solutions from Check Point, CREDANT, PGP and Symantec.

IronKey brings unprecedented mobile data security to enterprise and government organizations by combining the IronKey multifunction security devices with the ability to remotely manage the devices and strictly enforce security policies from a centralized administrative console. IronKey enables organizations to securely deliver complete desktop environments on ultra-secure, remotely managed devices with integrated two-factor authentication and fraud protection capabilities.


Idea #3: OpenDNS

OpenDNS has solutions that are perfect for organizations of all sizes, from small businesses to Fortune 500 enterprises. With no equipment to install, no upgrades and no maintenance, OpenDNS will reduce your costs, give you more control and make navigating the Internet on your network a safer, more secure experience.

OpenDNS provides comprehensive security for your organization's network through botnet and malware site protection. OpenDNS delivers network security services through the DNS layer, blocking known malicious or infected sites from resolving on your network. Since infected sites are prevented from resolving, malicious content is blocked from reaching your network, and thereby OpenDNS provides the most efficient protection available.

Built-in botnet protection stops trojans, key loggers and other persistent malware and viruses on machines in your network from sending out confidential data and personal information to hackers outside the firewall.
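
How DNS-layer blocking of the kind described above works, as an added example that is not OpenDNS code: a resolver consults a blocklist of known malicious domains and answers blocked names with a sinkhole address, so an infected host never learns where its command-and-control server is; the same check run over the resolver's query log then points at the infected machines. The blocklist, the sinkhole address, the upstream answers and the query log are all constructed for the example. Note the label-based matching: a listed domain covers its subdomains, but a longer name that merely ends in the same characters (notevil-c2.example versus evil-c2.example) is not matched.

```python
"""DNS-layer blocking of known-malicious domains (added example, not OpenDNS code)."""
from collections import Counter
from typing import Dict, Iterable

SINKHOLE = "0.0.0.0"  # assumption: the address blocked names resolve to

# Constructed blocklist: a listed name covers itself and every subdomain of it.
BLOCKLIST = {
    "evil-c2.example",
    "dropzone.example.net",
}


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing dot of a fully qualified name."""
    return name.strip().rstrip(".").lower()


def is_blocked(qname: str, blocklist: Iterable[str] = BLOCKLIST) -> bool:
    """True if qname is a listed domain or a subdomain of one.

    Matching walks DNS labels, not substrings: 'update.evil-c2.example' is
    caught by the entry 'evil-c2.example', but 'notevil-c2.example' is not.
    """
    listed = {normalize(d) for d in blocklist}
    labels = normalize(qname).split(".")
    # a.b.c -> b.c -> c : check the name and each parent domain above it
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))


def resolve(qname: str, upstream: Dict[str, str]) -> str:
    """Answer from the sinkhole for blocked names, otherwise from upstream."""
    if is_blocked(qname):
        return SINKHOLE
    return upstream.get(normalize(qname), "NXDOMAIN")


# Constructed resolver query log, one query per line: "<time> <client-ip> <qname>"
SAMPLE_LOG = """\
2010-07-28T09:00:01 10.1.2.15 www.example.com.
2010-07-28T09:00:02 10.1.2.15 update.evil-c2.example.
2010-07-28T09:00:03 10.1.2.22 notevil-c2.example.
2010-07-28T09:00:04 10.1.2.15 EVIL-C2.EXAMPLE
2010-07-28T09:00:05 10.1.2.31 mail.dropzone.example.net.
"""


def infected_hosts(log_text: str) -> Dict[str, int]:
    """Count blocked queries per client; any client listed here needs triage."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        _ts, client, qname = fields
        if is_blocked(qname):
            hits[client] += 1
    return dict(hits)


if __name__ == "__main__":
    upstream = {"www.example.com": "192.0.2.10"}  # constructed upstream answers
    for name in ("www.example.com", "update.evil-c2.example", "notevil-c2.example"):
        print(f"{name:28} -> {resolve(name, upstream)}")
    print("hosts querying blocked names:", infected_hosts(SAMPLE_LOG))
```

The value of a sinkhole over a plain refusal is the log: a host that keeps asking for a blocked name is a host with malware on it, and the per-client count above is the list an operator works from.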


These are just three examples that we have found to be reliable, cost effective and easy for the small-to-medium size company to adopt, as a hedge against some of the infrastructure risks and bad behavior by employees. So what else could the savvy VP of Operational Risk inject into the organization to address the other types of "Insider Threat"?

Provided as a resource by the Association of Certified Fraud Examiners (ACFE), EthicsLine serves as an internal control tool through which companies can detect and deter fraud. Powered by Global Compliance, EthicsLine includes hotline, case management and analytics to empower organizations to prevent, detect and investigate instances of organizational fraud and abuse.

EthicsLine provides expertise and experience. As the power behind EthicsLine, Global Compliance introduced the original ethics and compliance hotline and is the largest provider of hotline, case management, and analytic solutions worldwide – supporting over 25 million client employees in almost 200 countries. Global Compliance also provides additional products and services that integrate with EthicsLine and protect an organization from fraud and abuse.


The employee who knows how to circumvent the "Rule Sets" of the Acceptable Use Policy for the corporate digital assets may also be the person who is stealing from the company. Whether they are stealing actual cash from the register, using vendor billing schemes or other occupational fraud tactics, they understand how to get around the control objectives. Operational Risk Managers need to look at the employee population as an ecosystem of risk in which a certain percentage of employees will be surfing Internet gambling sites and simultaneously misappropriating assets.

The more time you spend in OPS Risk, the more you understand the intersections with human behavior. The tools will assist you along the way, yet it is the day to day interaction with people that will help you predict where and how someone may be increasing the risk to your enterprise.

04 December 2009

Lying in Wait: Cyber Pearl Harbor...

The Operational Risks associated with the corporate battle against "Conficker" are still a true threat to our cyber infrastructure and maybe more than we could have ever imagined. Is this "Botnet" lying in wait for some future 4th Generation Warfare master plan?

Speaking at an end of year wrap, F-Secure chief research officer, Mikko Hypponen, said 2009 was an exceptional year in IT security.

“We never see huge malware outbreaks anymore — except this year we did,” he said “Conficker peaked with over 10 million infected computers around the world and at the end of 2009 is still in millions of computers.

“This was very advanced malware using several tricks we have never before seen. [It was] a massive botnet not being used by the malware operators for anything useful and we still don’t know the real story behind Conficker and that makes it one of the biggest mysteries in the history of malware.”

DHS CyberStorm III is scheduled for September 2010 and will leverage the lessons learned from I and II. What are some of the major "Wake-up Calls" in the CSII Final report:

  • Finding 1: Value of Standard Operating Procedures (SOPs) and Established Relationships.
  • Finding 2: Physical and Cyber Interdependencies. Cyber events have consequences outside the cyber response community, and non-cyber events can impact cyber functionality.
  • Finding 3: Importance of Reliable and Tested Crisis Communication Tools.
  • Finding 4: Clarification of Roles and Responsibilities.
  • Finding 5: Increased Non-Crisis Interaction.
  • Finding 6: Policies and Procedures Critical to Information Flow.
  • Finding 7: Public Affairs Influence During Large Scale Cyber Incidents.
  • Finding 8: Greater Familiarity with Information Sharing Processes.

Source: CyberStorm II Final Report, pages 3-4, July 2009

The Homeland Security Department's third large-scale cybersecurity drill in September 2010 will test the national cyber response plan currently being developed by the Obama administration, said industry and government participants in the simulation exercise during a conference on Tuesday.

Cyber Storm III will build upon the lessons learned in the two previous exercises that took place in February 2006 and March 2008, and provide the first opportunity to assess the White House strategy for responding to a cyberattack with nationwide impact.


You are not going to hear very many people talking about "Conficker" being the beginning of a "Cyber Pearl Harbor" sneak attack and for good reason. SEE FINDING 2.

Physical and cyber attacks are rarely mutually exclusive. Physical attacks impact cyber infrastructure and cyber disruptions can have acute physical impact. This is why an "All Threats and All Hazards" approach has been adopted by many, including this blogger.

The 20+ page report from DHS took sixteen months to produce: exercise in March 2008, report in July 2009.

Yet the realistic future scenario is not too much of a stretch to imagine. At some point after the "Conficker" malicious code is put into action, a "Stall" warning light comes on at US-CERT. The Internet is the mechanism for the delivery of a lethal payload never before experienced in any previous test or real event. William Jackson has this to say:

"Dec. 7 is the anniversary of the Japanese attack against Pearl Harbor that crippled the U.S. Pacific fleet and brought this country into World War II. What have we learned in the 68 years since that world-changing day?

The threat in our age is less to ships and aircraft than to the technology that controls so many aspects of our lives. Many observers have warned that our defenses are not adequate to protect our nation’s critical infrastructure, and the phrase Electronic or Digital Pearl Harbor has been commonly used to describe a surprise cyber attack that could cripple our military and commercial capabilities. Dire as these warnings are, we should take them with a grain of salt.

Although cyber threats are real, the chances of a Digital Pearl Harbor remain small. This is due not so much to the success of our cyber defenses, which in many places remain inadequate, but to the realities of warfare and networking."

Perhaps there really is an "E-Qaida," as Brian Krebs of the Washington Post has alluded to in his Security Fix column: an insurgency of non-state actors, rather than the China that many would name as our largest cyber adversary among nation states. If this is true and the "E-Qaida" are out there, then you can quickly make the leap to counterinsurgency, irregular warfare and the other metaphors from the wars in Iraq and with the drug cartels of Latin America. Fourth Generation Warfare (4GW) insurgencies cannot be compared to traditional insurgency models, in that they do not intend merely to replace the existing government. The target is the state itself.

Physical weapons are not the only tools of the insurgents. Recently, the internet and satellite television have increased the opportunities for insurgent groups to recruit, communicate, and wage war to win the opinions of their target populations whether they are the local populace, foreign governments or the world public at large. In 4GW environments, physical weapons may be counterproductive to the cause of the insurgents. The prodigious use of propaganda may be all that is needed to achieve their goals.

Source: FMFM 3-25

So if you are reading this now, is it working?

31 July 2009

Red Flags Rule: Reputations at Stake...

The "Red Flags Rule" is on the back burner in the United States until November 1, 2009. The Federal Trade Commission has delayed the compliance mandate again. Are you ready? Do you have to comply?

The Federal Trade Commission has postponed a deadline for many of the nation's businesses -- including banks, public utilities and health-care providers -- to comply with a controversial identity-theft prevention program.

The program, called the "Red Flags Rule," was to take effect Aug. 1 but will now be delayed until Nov. 1. The program is aimed at preventing the loss of billions of dollars as the result of the theft of consumer and taxpayer personal information. Under the regulation, companies and institutions would be required to establish a way to identify potential threats at the businesses, find ways of detecting such threats and install measures to prevent them. Employees would also have to be educated about the programs.

A survey commissioned in 2006 by the FTC revealed that more than nine million Americans have their identities stolen each year at a total estimated loss of $15.6 billion.


The nation is under a barrage of attacks from adversaries that lie in the shadows, such as "Conficker" and other botnets or malware, and business still delays the compliance measures asked of it. One only has to look deeply into the latest 2009 report from Cisco to better understand the state of risk from "Transnational Economic Crime":

Report Highlights

  • Criminals are exploiting traditional vulnerabilities because they believe security experts and individual users are paying little attention to these types of threats.
  • Compromising legitimate websites for the purpose of propagating malware remains a highly effective technique for criminals.
  • Web 2.0 applications, prized for their ease of use and flexibility, have become lures for criminals.
  • Criminals are now targeting online banking customers using well-designed, localized text message scams that leave virtually no trail in their wake.
  • The Obama administration has made strengthening U.S. cybersecurity a high priority, and plans to meet threats by using technological innovations and partnering with the private sector. Other countries are similarly increasing efforts to enhance cybersecurity and prevent cybercrime.
  • Compared to 2008, the number of vulnerabilities and discrete threats has not risen as quickly. According to research by Cisco, this is a clear sign that the security community is succeeding in making it more difficult for attacks to take root and grow.


Operational Risks are vast and the technology landscape is not getting narrower, it is expanding. Cloud Computing is the latest attempt to get cost savings and to make the IT puzzle less of an asset management nightmare. If you think that you understand it and where it is heading, think again. One only has to visit the "Black Hat" briefings to get a better sense of what the true risks are going to be, if they are not already. This one caught our eye, and for good reason:

Nitesh Dhanjani

Psychotronica: Exposure, Control, and Deceit

This talk will expose how voluntary and public information from new communication paradigms such as social networking applications can enable you to remotely capture private information about targeted individuals.

Topics of discussion will include:

Hacking the Psyche: Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware.

Techniques on how individuals may be remotely influenced by messaging tactics, and how criminal groups and governments may use this capability, including a case study of Twitter and the recent terror attacks in Bombay.

Reconnaissance and pillage of private information, including critical data that the victim may not be aware of revealing, and that which may be impossible to protect by definition.

The goal of this presentation is to raise consciousness on how the new paradigms of social communication bring with them real risks as well as marketing and economic advantages.


The risks to "Social Networking" Twitter-based consumers and the extended digital enterprise are vast. CISOs and internal audit teams have been having their own internal battle for years and will soon realize, once and for all, that they are on the same side of the Cyberspace war. The risks to the organization may come in the form of a major business disruption, denial of service (DoS) or, even worse, a significant loss of consumer Personally Identifiable Information (PII). Even if you are considered PCI compliant, just as "Network Solutions" was, the loss of reputation can be significant:

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned.

Herndon, Va.-based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services (a package that includes everything from Web hosting to payment processing) to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.

The "Red Flag" may have turned to a "White Flag" as you surrender to the lawyers and the federal oversight.

24 August 2008

FACTA: Red Flags & eCrime...

The "Red Flags" rule has some banks and financial institutions scrambling to get compliant by the upcoming November deadline. The corporate governance and compliance teams are working hard to make sure the Operational Risks associated with the rule are being addressed in a timely and prudent manner:

The Federal Trade Commission (FTC) and five Federal financial regulatory agencies published a series of final rules and guidelines entitled "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act (FACTA) of 2003." Red Flags are relevant indicators of a possible risk of identity theft, and Section 114 of FACTA specifically explains rules about the development and implementation of a written identity theft prevention program. The provision recommends that both financial institutions and creditors in the United States assess the likelihood that their customers' accounts are prone to identity theft, and mandates that they then implement a program to identify, detect and respond to its indicators.

Organizations that have many of the Information Security and Enterprise Risk functions under the CISO or CIO will have to make sure that they are communicating effectively with the Board of Directors, just as they did with SOX. Senior management is on the line when it comes to the security and safety of vital client and customer information.

"Financial institutions or creditors could look at this as a governance strategy to get the Operational Risk objectives on the Board Room agenda," said Peter L. Higgins, Managing Director and Chief Risk Officer of 1SecureAudit. "When Board Members themselves are having their own personal identities compromised by Transnational eCrime Syndicates, senior management can bet that they will have to have their house in order, especially by November 1st." "Our advisory teams are recommending integrated enterprise solutions alongside software tools such as Norkom Technologies, Memento and Actimize to mitigate these specific compliance and eCrime business problems," Higgins said.

And just when the financial institutions have their hands full with ID Theft, so do the health care and medical sectors:

To be sure, the most recent data available suggests medical ID theft affects a relatively small number of people. In 2005, more than 8 million Americans were victims of identity theft, and 3% of them, or about 249,000, had their personal information misused for the purpose of obtaining medical treatment, supplies or services, according to a 2006 study from the Federal Trade Commission.

But state and national lawmakers are beginning to take notice. Starting this year, California extended its security breach law to require companies that handle medical and health-insurance information to notify people when the security of their medical data has been compromised.

In May, the U.S. Health and Human Services Department's Office of the National Coordinator for Health Information Technology awarded a $450,000 contract to Booz Allen Hamilton to study the extent of the nation's medical identity theft problem.

The last to know?

Victims often realize they have a problem when they receive their insurer's explanation of benefits for services they never received, collections companies come calling for charges they didn't incur or their credit report shows changes, Dixon said.

"Right now where we are with medical identity theft is where we were at the beginning of financial identity theft," she said. "We're starting at square one with this crime. The good news here is financial identity theft laws are going to help these victims for debt collection and credit report issues."