Showing posts with label Investigations. Show all posts

30 August 2025

Proactive Measures: Beyond the Perimeter...

Operational Risk Management requires both proactive and passive measures that encompass a comprehensive organizational strategy. Odds are that, to this point, you have devoted most of your time and resources to the passive mode of preparedness and defense: a reactive, alert-oriented focus. The time has come to change the priorities and to increase the allocation of strategy to "Active Measures." Why?

Stuxnet is and was ground zero for a new generation of digital infrastructure cyber weapons.

The attribution game is still going on, with several suspects for who actually developed, tested and deployed "Stuxnet." This is not as important as the realization that you are sitting back, in passive mode, waiting for the next variant or hybrid cyber weapon to attack your critical infrastructure assets.

"The most advanced organizations are now taking the "Proactive" stance to not only detect changes in their environment in a more real-time mode, but they are starting to hunt down the attackers."

There is a decision point where you realize that the passive mode will not buy you time nor will it redirect your attackers to other more vulnerable assets. Your organization will continue to operate with the goal of serving your clients, members or customers yet simultaneously a "SpecOPS" team of internal experts will be monitoring, measuring and exercising tactics to legally neutralize the threat before them.

Commercial and non-governmental entities are creating the means and the capabilities to deter, detect and document who is attacking their digital systems and where they can be found. This intelligence is being shared within the private sector organizations to determine fingerprints, modus operandi and other evidence that is required to effectively hunt down the attackers. The next challenge will be how to package this and make sure that the proper authorities are notified in a timely manner.

There is no longer a solution that is wide enough or in depth enough to be distributed across a whole spectrum of companies or organizations. The answers will be specific, customized to the unique environment and infrastructure that comprises a particular enterprise.

In order for that specification to be developed internally and provided to the correct people, you have to have the internal mechanisms in place to know in real-time what is changing and how fast it is changing from the normal state.

Is your view beyond your own perimeter? Are you looking for the anomalies that are over the horizon and could impact your network soon? It's one thing to look at the changes to your own perimeter, but what about the intelligence on providers and ISPs somewhere on the other side of the planet? Do you know where your packets are going and how they are being routed?

"In a savvy Operational Risk Management enterprise, the "Corporate Intelligence Unit" (CIU) is alive and thriving."

A proactive intelligence-led investigation doesn't begin with a phone call from someone who says, "My system is down" or "What does this Blue Screen mean?"

It doesn't start when your VP, Research & Development suddenly leaves the company for no apparent reason. Intelligence-led operations will continue to be the aspiration of many, yet only possessed by a few.


18 September 2021

Continuity of Operations: Mother Nature or Active Shooter...

Continuity of Operations in the context of business gets on the Board of Directors agenda after every tragedy. Whenever the magnitude of the business disruption involves loss of life, or major property damage the executive management goes into "Crisis Management" mode. Unfortunately for many, this may be the only time the Board and corporate executives have tested or exercised for such an incident.

So what is Continuity of Operations? What does it mean to your business? How pervasive does this Operational Risk strategy have to be? Let's think about a simple process from the time a sales person picks up the phone to schedule an appointment to the time the product or service team has delivered or installed the items that have been sold to the customer.

In the context of higher education, consider the process of recruiting, admissions, housing, fund-raising, sports and alumni relations. How many touch points, steps in the process, or procedures for manufacturing, integration, sourcing, learning and implementation exist? Now think about the supply chain that provides the necessary resources, energy, infrastructure and people to make it all happen. Does this business issue seem like a trivial matter?

The aftermath of any major incident will require a thorough investigation to determine what happened. Everyone will have their version of what they saw, heard, felt and remember about it. Then the finger pointing, litigation and media frenzy begins. Only then do the Board of Directors and Executive Management wish they had practiced and exercised for the eventual day that has now landed on their front door step.

Such an example is in the news again, more than two years after the tragic day in April 2007 on the campus of Virginia Tech University in Blacksburg, Virginia. In Lucinda Roy's latest book, "No Right To Remain Silent", her opinions magnify the need for effective continuity of operations planning, exercises, auditing and testing:

After tragedies like this, people clam up. They are warned that it is too dangerous to talk about the specifics of a case when lawyers are chomping at the bit, when the media is lying in wait like a lynch mob. But people also remain silent when they are worried that what they have to say could injure them somehow.

In the days and weeks that followed the tragedy at Virginia Tech I was reminded of how much silence has to say to us if we listen with care.

Sadly, the tragedy at Virginia Tech did not usher in an era of openness on the part of the administration. Questions that related to the specifics of the shootings, to Cho, or to troubled students in general were viewed in the wake of the tragedy as verbal grenades.

Many of you may remember where you were when you heard the news. Just like you will always remember where you were on the morning of September 11, 2001. Yet April 16, 2007 could very well be more significant as the analysis and the investigation continues.

Sadly, we know how this story turned out: On April 16, 2007, Seung-Hui Cho shot two people to death in a Virginia Tech dormitory, then chained the doors to a classroom building shut and methodically killed 30 more before committing suicide. It was the worst school shooting in American history.

Who knew what when? The litigation is ongoing and some still are seeking the truth. Proving the truth will require substantial analysis of tens of thousands of documents, e-mail messages, hand written notes, depositions, medical records and school work. Yet when it gets boiled down to the facts and the issues, "Continuity of Operations" protocols, practice and preparedness will be at the core of the matter.

Does your organization have facilities where an all hazards approach is talked about and is continuously aware of the threats to life and property along with the economic implications of any business disruption? If you have people and property in California the answer is yes. Earthquakes, brush fires and now even the lack of government resources are existing risk factors.

If you have people and property in or near symbolic locations such as New York City's Wall Street, Washington, DC's Capitol, or the St. Louis Arch then your organization should have heightened situational awareness and crisis management mechanisms already in place. The whole State of Florida, North & South Carolina, Louisiana, Texas and others who know the aftermath of Hurricane Katrina/Harvey are sensitized to the requirements for effective preparedness.

So what is the difference in an event such as the "Active Shooter" scenario on your campus or the catastrophe sent by "Mother Nature"?

The answer is the accuracy in predicting the event itself. All the preparedness for either event starts with the mind set that it will happen.

Only one can be prevented, preempted or neutralized before it can cause harm...

02 May 2021

SCRM: ICT Supply Chain Risk Management...

What is your private sector enterprise doing today to improve your ICT Supply Chain Risk Management (SCRM)? Cyber-espionage campaigns have been operating for years across the ICT domains and are exposed every year in the trade press to John Q. Citizen, soon after "Black Hat" and "Defcon". Once again, the origins of these sophisticated and viable adversaries are located inside nation states.

The beltway has been talking about the need for more effective legislation to modify behavior on the Supply Chains of Critical Infrastructure. Those who remain committed to the silent war, and the warriors who are fighting it each day on a 24 x 7 basis, know the operational risks associated with this modern-day battlefield.

Do you know where your information is today? No, not your "Personally Identifiable Information" (PII), but the crown jewels of your latest Research and Development project. Or the details on the "Merger and Acquisition" (M&A) activity associated with your cash cow law firm client. Guess again, because you may not be the only one who now has copies of these trade secrets or confidential and proprietary information.
 
The Information Communications Technology (ICT) supply chain is at risk, and the days are numbered until our final realization, even after SolarWinds, that this issue is far beyond the policy makers' control. Is this an operational risk for which we have done all we can to mitigate the impact on our U.S. national security? Everyone should know the answer to this question.

The complexity and the complacency of the problem continue to plague those who are working so diligently to fend off the daily attacks and counterfeit micro-components. The strategy is now morphing as we speak, from defense to offense, and the stage is being set for our next generation's reality of global cyber conflicts and ICT due diligence. Richard Clarke and others are beyond the ability to say much more than they already have so far.

So where are the solutions?  Where are the answers?  They can be found very much in the same way organizations, companies and nation states realized what was necessary to deter, detect, defend and document operational risks to their institutions for the past several decades.  The science has changed rapidly but the foundational solutions remain much the same using these six factors:
  • Identify
  • Assess
  • Decide
  • Implement
  • Audit
  • Supervise
These six factors of your respective "Operational Risk Management Enterprise Architecture" are the framework for these solutions. The ability for these to continuously operate within your enterprise will determine how effective you are in surviving what others have predicted for over a decade...

22 November 2020

CyberCom: Real-time Situational Awareness...

The Operational Risks to your enterprise that are associated with your digital assets, networks and infrastructure are vast.

What is your organization's exposure today?

The amount of daily "Cyber Intelligence" flowing into the organization is growing exponentially and there are few hours in the day to analyze it. You have invested hundreds of thousands if not millions on cyber security to keep your corporate systems protected and ready for any significant business disruptions.

Electronic Stored Information (ESI) is continuously being discussed at the Board of Directors meetings. Data Breach Notification Laws are being amended and the congressional pipeline for privacy and cyber laws is in full swing in the United States.

The Fortune 500 is already paying for "White Hat" hackers to test their online and data security. The only way to continuously determine the effectiveness of risk management controls is to continuously test them in a lab or scenario environment.

This "Red Cell" approach to attacking the corporate assets from the "inside out" or the "outside in" provides the intelligence necessary to close the gaps and vulnerabilities. These penetration or vulnerability tests are necessary, and the ecosystem of companies, sources and methods is expansive.

A Fortune 500 organization may currently subscribe to annual services that provide the intelligence that gives them an alert of a "Red Flag" in their security landscape.

The company that provides the intelligence is paying a substantial fee to a network of sophisticated professionals to exploit the vulnerabilities in software coding. Namely, the design, configuration or implementation of a complex set of technologies to determine where and how these vulnerabilities may pose a threat to your assets.

The model for Enterprise OPS Risk Management in the most savvy and enlightened critical-infrastructure-dependent organizations recognizes that cyber security is not a department or a unit at the company.

It remains a horizontal platform on which all business units and departments of the organization rest, and its pervasive mechanisms for the security and safety of people, processes, systems and external events must operate 24 X 7 X 365.

Our future is about a "Defend Forward" or "Real-Time Situational Awareness" strategy.

"The “defend forward” concept outlined in the DoD’s 2018 cyber strategy charges Cyber Command to get as close to adversaries in networks outside the United States before they reach the nation. The command uses its authorities to operate in networks abroad to discover malware and enemy tactics that could be used against the American people or election infrastructure.

The command can either share that with relevant partners — such as the Department of Homeland Security, the FBI or private companies — so they can take necessary measures, or the command can unilaterally take action to thwart malicious activities before they impact American networks."

The public and the consumer are becoming used to the fact that the challenge continues to be an iterative process and worthy of some levels of patience.

"Operational Risk Management (ORM) is not about eliminating all threats to the enterprise. It is about the speed and accuracy of understanding the current levels and threat vectors so you can effectively deter, detect, defend and document."

This "4D" approach to risk management in the rapidly changing, digitally mobile organization of 2020 and beyond is a shift away from pure information security thinking that is housed within the Information Technology Department...

05 January 2020

ORM: Pervasive Risk Across Disciplines...

What is the origin of the "Operational Risk Management" (ORM) discipline? Was it derived from the work within the financial services industry from the Basel II initiatives?

The definitions and the actual work towards creating standards of conduct and rule-based design have been evolving for the past few decades.

Operational Risk, approached as the risk that is not otherwise considered market or credit risk, is one mindset. The other mindset considers the hazards associated with the threats to our valuable assets.

Either point of view depends on the environment that you operate in and the risks associated with that environment.

To give a quick example, here are a few views into Operational Risk in the United States:

"It didn’t take long—the first attack on a U.S. government website hit on Saturday, a day after the killing of Qassem Suleimani in Baghdad. The fact there was an attack is not a surprise—speculation has been rife. And the style of the attack is consistent with the nature of the primary cyber threat we now face. Hackers claiming to be linked to Iran targeted a low-level domain—the website of the Federal Depository Library Program—defacing its home page, echoing Teheran’s threats of vengeance alongside imagery of President Trump, Ayatollah Khamenei and the Iranian flag" Forbes

"Boeing will still burn more than $1 billion a month even after halting 737 Max production, according to J.P. Morgan. Boeing’s decision to suspend production of the troubled aircraft was made in light of months of cash-draining groundings worldwide, but the company’s internal overhead and labor expenses will remain and will increase cash burn, analyst Seth Seifman wrote to clients." CNBC

These examples encompass a U.S. government agency and a private sector, U.S.-based global aerospace company. Both are operational risk scenarios that could contribute to losses that will also impact the reputation of the entity involved.

That aspect alone could be the major factor in why Operational Risk Management is such a growing discipline in our 2020 global landscape.

Some of the earliest origins of Operational Risk concerns come from the military. The U.S. Navy is one of the branches that has embraced it fully:
  • Purpose. To establish policy, guidelines, procedures, and responsibilities per reference (a), standardize the operational risk management (ORM) process across the Navy, and establish the ORM training continuum.
  • Scope. This instruction applies to all Navy activities, commands, personnel, and contractors under the direct supervision of government personnel.
  • Discussion. Risk is inherent in all tasks, training, missions, operations, and in personal activities no matter how routine. The most common cause of task degradation or mission failure is human error, specifically the inability to consistently manage risk. ORM reduces or offsets risks by systematically identifying hazards and assessing and controlling the associated risks allowing decisions to be made that weigh risks against mission or task benefits. As professionals, Navy personnel are responsible for managing risk in all tasks while leaders at all levels are responsible for ensuring proper procedures are in place and that appropriate resources are available for their personnel to perform assigned tasks. The Navy vision is to develop an environment in which every officer, enlisted, or civilian person is trained and motivated to personally manage risk in everything they do.
If only our major business entities would fully encompass the following steps with all employees and processes, then more lives would be saved, corporate assets would be protected and the enterprise would be ever more resilient:

(1) Identify the hazards;
(2) Assess the hazards;
(3) Make risk decisions;
(4) Implement controls; and
(5) Supervise.
Yet the losses, and the potential for loss, continue across the organizations that are well equipped to make Operational Risk Management a part of every person's and operating division's daily mindset:

The places change, the numbers change, but the choice of weapon remains the same. In the United States, people who want to kill a lot of other people most often do it with guns.

Public mass shootings account for a tiny fraction of the country’s gun deaths, but they are uniquely terrifying because they occur without warning in the most mundane places. Most of the victims are chosen not for what they have done but simply for where they happen to be.

There is no universally accepted definition of a public mass shooting, and this piece defines it narrowly. It looks at the 172 shootings in which four or more people were killed by a lone shooter (two shooters in a few cases). It does not include shootings tied to robberies that went awry, and it does not include domestic shootings that took place exclusively in private homes. A broader definition would yield much higher numbers.

Whether it is on the deck of an aircraft carrier or within any organization's business facility, operational risk is pervasive. It is up to you and your organization to begin to make a difference...

13 July 2019

Red Zone: Behavioral Analysis Interviews...

Industrial Espionage and the theft of trade secrets are continuously on every Operational Risk Management (ORM) executive's mind these days. The names Chelsea Manning and Julian Assange have been headline news for years.

In addition, the 2009 conviction under the Economic Espionage Act of 1996 in the United States is a stark reminder of the accelerated requirements for an "Insider Threat Program" (InTP) run by the counter-intelligence and OPSEC units of major public and private organizations. Flashback to a decade ago:

"A former Rockwell and Boeing engineer from Orange County, CA was remanded into custody this morning after a federal judge convicted him of charges of economic espionage and acting as an agent of the People’s Republic of China, for whom he stole restricted technology and Boeing trade secrets, including information related to the Space Shuttle program and Delta IV rocket."

How 250,000 pages of classified, proprietary and otherwise sensitive information were found under this employee's house is a good question. An even more interesting question pertains to the controls for OPSEC and INFOSEC at Boeing in Orange County, CA, a decade ago.

Information Operations (IO) or Information Security controls are only as good as the creativity and the will of the individual human being who exploits the vulnerabilities in the design, configuration or implementation of your layers of defense.

This is why the counter intelligence and OPSEC capabilities within the enterprise must be ever vigilant and continuously adapting to the changing personnel within the organization.

In collaboration with the Information Technology organization, the Digital Operational Risks that the OPSEC team is focused on these days have to do with Data Loss Prevention (DLP) software platforms and proactive data exfiltration detection capabilities.

As companies such as Boeing and other Defense Industrial Base (DIB) institutions utilize the latest software, hardware and other technology to assist in detecting and preventing "insiders" from stealing, changing or deleting sensitive information, there still remains the risk of human factors and social engineering.

Sometimes the low tech or human-designed detection systems that work on behavioral sciences can be just as effective as the newest software running on the fastest computer box.

One example is "The Reid Technique" in the context of doing routine interviews and investigations with a set of "Red Zone" employees. Who are the red zone employees?

Those individuals who have certain access to systems or information, who leave the organization for involuntary reasons, or who may be third-party suppliers to the key people in the red zone. So how does the Reid Technique help?

"The Reid Technique is a method of meeting, conferring with, and evaluating, the subjects of an investigation. It involves three different components — factual analysis, interviewing, and interrogation. While each of these are separate and distinct procedures, they are interrelated in the sense that each serves to help eliminate innocent suspects during an investigation."

The "Integrity Interview" is a highly structured interview with a job applicant. The purpose for the interview is to develop factual information about the applicant's past behavioral patterns.

The philosophy behind the interview is very straightforward. The most accurate indicator of an individual's future behavior is their recent past behavior.

The same technique can be used on a departing employee with the emphasis on adherence to all "Acceptable Use" policies, regarding digital assets and cyberspace access to organizational data repositories.

Individuals who have the characteristics associated with deception could be the target of a further investigation to determine whether any unauthorized information has been sent to an encrypted webmail account, or whether a 2 TB thumb drive happened to be plugged into a corporate laptop the night before the last day on the job.
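The thumb-drive scenario above is the kind of check a DLP or OPSEC team can automate against a "red zone" roster. The following is an added example, not code from the original post: it correlates constructed endpoint log lines with a constructed roster of departing employees and flags removable-storage activity inside a lookback window before each person's last day. The log format, field names, vendor IDs and the 72-hour window are all assumptions made for this example.

```python
"""Red-zone removable-storage check (added example, not from the original post)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed endpoint-agent log lines; the "ts key=value ..." format is an assumption.
SAMPLE_LOG = """\
2019-07-10T22:41:05Z host=LT-0417 user=jdoe event=usb_mount vendor=0x0951 label="KINGSTON 2TB" size_gb=2000
2019-07-10T22:43:19Z host=LT-0417 user=jdoe event=file_copy dest=removable bytes=734003200 path=R:\\Projects\\widget\\spec.zip
2019-07-11T08:02:44Z host=WS-1122 user=asmith event=usb_mount vendor=0x046d label="Logitech Receiver" size_gb=0
2019-07-09T13:15:00Z host=LT-0290 user=bwong event=usb_mount vendor=0x0781 label="SanDisk 64GB" size_gb=64
2019-07-11T09:30:12Z host=LT-0417 user=jdoe event=login
"""

# Constructed "red zone" roster: users with access to sensitive repositories
# and a scheduled last day. Only jdoe's departure falls inside the window.
RED_ZONE = {
    "jdoe": {"last_day": "2019-07-11", "reason": "involuntary"},
    "bwong": {"last_day": "2019-08-30", "reason": "voluntary"},
}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    user: str
    host: str
    timestamp: datetime
    event: str
    detail: str
    hours_before_last_day: float


def parse_line(line: str) -> dict:
    """Parse one 'ts key=value ...' line into a dict; quoted values keep their spaces."""
    m = LOG_RE.match(line.strip())
    if not m:
        return {}
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    for key, value in KV_RE.findall(m.group("kv")):
        rec[key] = value.strip('"')
    return rec


def find_red_zone_usb(log_text: str, roster: dict, window_hours: int = 72) -> list[Finding]:
    """Flag removable-storage events by red-zone users that occur within
    window_hours before the end of their last day, sorted by timestamp."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("user") not in roster:
            continue
        if rec.get("event") not in ("usb_mount", "file_copy"):
            continue
        if rec["event"] == "usb_mount" and float(rec.get("size_gb", 0)) == 0:
            continue  # zero-capacity devices (wireless receivers) are not storage
        if rec["event"] == "file_copy" and rec.get("dest") != "removable":
            continue
        last_day = datetime.strptime(roster[rec["user"]]["last_day"], "%Y-%m-%d")
        end_of_last_day = last_day + timedelta(days=1)
        delta = end_of_last_day - rec["ts"]
        if timedelta(0) <= delta <= timedelta(hours=window_hours):
            detail = rec.get("label") or rec.get("path", "")
            hours = round(delta.total_seconds() / 3600, 1)
            findings.append(Finding(rec["user"], rec["host"], rec["ts"], rec["event"], detail, hours))
    return sorted(findings, key=lambda f: f.timestamp)


if __name__ == "__main__":
    for f in find_red_zone_usb(SAMPLE_LOG, RED_ZONE):
        print(f"{f.timestamp:%Y-%m-%d %H:%M} {f.user}@{f.host} {f.event} "
              f"{f.detail!r} ({f.hours_before_last_day}h before end of last day)")
```

On the constructed input this reports jdoe's 2 TB mount and the copy to it the night before the last day, and ignores the wireless receiver and the employee whose departure is weeks away.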

This low tech method may still be one of the most effective means for industrial espionage: old school methods with 21st century technologies. All of the detection hardware and software, CCTV cameras, tagged files or RFID countermeasures will not be able to thwart a diligent, patient and trusted insider.

Utilizing "Behavioral Interview Analysis" can make the difference between early detection or late reaction.

And while the OPSEC group is working on the "Lone Wolf" insider, there are swarms of non-state attackers initiating their asymmetric information operations strategy on the corporations and governments worldwide.

Economic espionage and attacks on nation states' critical infrastructures require a substantial shift in policy and taxonomy if we are ever going to be effective in protecting our IP and trade secrets.

While the CEOs and the Generals are being briefed on the latest facets of "Weaponizing Malware," we can only hope that OPSEC is still conducting the behavioral analysis exit interview.

A face to face encounter, with someone who may just be that one person, who has your most valuable intellectual property or trade secrets in the purse or backpack at their feet...

08 June 2019

New Vision: Security Operations Center and CIU...

Flash back more than 8 years, to when there was a convergence of thinking in the industry about the topic of a "Defensible Standard of Care."

The key Operational Risk Management news from the 2011 RSA Conference was coming in, yet there were inside sources who still needed to be interviewed. What did they think was the most brilliant presentation or idea(s) presented?

This particular release caught some eyes as it addressed much of the thinking on the latest evolution of the Security Operations Center (SOC). How much of this is still relevant today?

New Vision for Security Operations: Six Core Elements
The vision includes six core elements and prescriptive guidance for how to incorporate these elements into existing security operations. These elements include:
  • Risk planning: The new SOC will take a more information-centric approach to security risk planning and invest in understanding which organizational assets are highly valuable and essential to protect. With priorities based on GRC policies, security teams need to conduct risk assessments that focus on the “crown jewels” of the enterprise.
  • Attack modeling: Understanding attack modeling in a complex environment requires determining which systems, people and processes have access to valuable information. Once the threat surface is modeled, organizations can then determine potential attack vectors and examine defense steps to isolate compromised access points efficiently and quickly. RSA® Laboratories has developed theoretical models based on known APT techniques and employed game theory principles to identify the most efficient means of severing an attack path and optimize defense costs.
  • Virtualized environments: Virtualization will be a core capability of tomorrow's SOC – delivering a range of security benefits. For example, organizations can "sandbox" e-mail, attachments and URLs suspected of harboring malware. Anything suspicious can be launched in an isolated hypervisor and the virtual machine can be cut off from the rest of the system.
  • Self-learning, predictive analysis: To remain relevant in tomorrow's IT environment, a SOC will need to truly integrate compliance monitoring and risk management. The system should continually monitor the environment to identify typical states which can then be applied to identify problematic patterns early. Statistic-based predictive modeling will be able to help correlate various alerts. Developing such a system will require real-time behavior analysis innovations, although some of these elements are available today.
  • Automated, risk-based decision systems: A key differentiator of a more intelligent SOC will be its ability to assess risks instantly and vary responses accordingly. Similar to risk-based authentication, the SOC will employ predictive analytics to find high-risk events and then automatically initiate remediation activities. The prospect of dynamic typography is one of the most exciting areas of this type of systems automation for the cloud. To implement an APT, an attacker must understand network mapping and be able to model it. In response to this, organizations can remap their entire network infrastructure to disrupt an attacker’s reconnaissance efforts. This is akin to physically rearranging a city at frequent intervals – and the entire process can be automated so that links between systems stay intact and dependencies are handled without human intervention.
  • Continual improvement through forensic analyses and community learning: Although forensic analysis can be resource-intensive, it is an imperative element of a SOC and key to mitigating the impact of subsequent attacks. Virtualized environments can provide snapshots of the IT environment at the time of the security event providing useful information if detection of the attack was delayed. Having a way to share information about attack patterns will be the future of the SOC. This concept should be embraced in order to exchange threat information within respective industries and better predict the path of the APT and thereby determine countermeasures.
The evolution of the SOC in your enterprise may start in some unconventional places. Who is it in your organization that is responsible for the loss of corporate assets?

Who in your company is the one who determines what items are counted as losses to the bottom line?

Who does the enterprise look to when the crisis hits and people are looking for answers in minutes, not hours, or days?

Who picks up the phone to answer the call from the local FBI Field Office?

These may not be the people you think of in the CIO's office or IT department. These people however need to be part of the combined Security Operations Center solution in the company.

The Advanced Persistent Threat (APT) now requires the intersection of prudent strategy from the business leadership, the accounting or finance leadership and the risk management leadership.

If the CIO is looked upon as the key executive running a "Utility" inside the enterprise, think again.

This blog has discussed the "Corporate Intelligence Unit" in years past:

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU. It includes effective processes and procedures that provide a push/pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident and the person(s) responsible, and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject. "Connecting The Dots" with others in the same company or with industry sector partners increases the overall resilience factor and hardens the vulnerabilities that are all too often being exploited for months, if not years.

In retrospect, you can be more effective investigating and collecting evidence in your company to gain a "Decision Advantage". To pursue civil or criminal recovery of losses from these insider incidents, you may not go to law enforcement, but it's likely they will come to you once they get a whistleblower report, catch the attacker and/or have the evidence that you were a victim.

How your organization pulls together the right people to staff and operate your "CIU" is going to depend on your culture, funding and current state of the threat.

BALTIMORE -
It has been a month since the City of Baltimore's networks were brought to a standstill by ransomware. On Tuesday, Mayor Bernard "Jack" Young and his cabinet briefed press on the status of the cleanup, which the city's director of finance has estimated will cost Baltimore $10 million—not including $8 million lost because of deferred or lost revenue while the city was unable to process payments. The recovery remains in its early stages, with less than a third of city employees issued new log-in credentials thus far and many city business functions restricted to paper-based workarounds.

Here is another thought. A thorough review of the current funding, staffing and strategy of a SOC or CIU in the enterprise may even become a priority at the next "Board of Directors" meeting.

11 May 2019

Insider Threat: Corporate Integrity Culture...

Does your organization have a culture of "Corporate Integrity"? One can only wonder how these findings have changed in the years since the survey was published.

The depth and breadth of Operational Risks were apparent over eight years ago in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

The most common insider e-crime at 63% is unauthorized access to / use of corporate information. Here are the others:
  • 57% - Unintentional exposure of private or sensitive data
  • 37% - Virus, worms or other malicious code
  • 32% - Theft of intellectual property
When asked which group's electronic crimes were most costly or damaging, the results were:
  • 38% - Outsiders
  • 33% - Insiders
  • 29% - Unknown
Regarding the reasons given for not referring "Insider" incidents for legal action, the one that stands out in our mind is this: 40% could not identify the individual(s) responsible for committing the eCrime. Perhaps even more astonishing, 39% did not have enough information, or lacked the evidence, to proceed with either civil or criminal litigation.

So what is really going on with these survey results? Even though respondents say "Insiders" account for 33% of the most costly incidents, they have done little to collect enough evidence to identify the parties responsible for an incident. This may be for several reasons, including the lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents, yet what about the "Unknowns" who add a further 29%? The combination of the two makes up 62% of all the incidents in the study.

This is where Operational Risk professionals can have a significant impact within the enterprise.

The unauthorized access to information and use of that information is at the center of this issue. By the time an organization realizes that this "information" has been misused, the funds have already been stolen, the trades have been placed, or the press has published a trade secret or national security secret.

Regardless of the high tech tools utilized or the systems and controls within the organization, there are always methods and processes that if properly implemented, will reduce the number of "Unknowns" and "Insider" threats.

In your particular case, it just may come down to developing more effective situational awareness with your employees.

Suppose you create a mandatory program for all employees that is focused on corporate integrity and each year the CEO kicks off the first session with their own attendance and their own direct reports, including the Board of Directors.

Next, all senior staff attend the program and posted on the corporate Intranet are webcast shows with several 5 minute clips of parts of the one day session.

Finally, the roll out for the remainder of the employees is tied to the annual 360 degree review, that each manager does with their subordinates in the company.

Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report incidents and other integrity concerns.

Periodic training throughout an employee's career reinforces awareness and the cost of internal incidents.

If your organization does not currently have a program as we have described earlier, then maybe it's time to start one.

If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization...

12 January 2019

4th Generation Warfare: Insider Risk...

Flashback to 2010.  Over 8 years ago, this author discussed the situational awareness and the implications of the "Stuxnet" malware that was being investigated by international authorities. In January 2011, the New York Times published a more detailed set of facts and a hypothesis that the sophisticated "worm code" was tested in Israel:

William J. Broad, John Markoff and David E. Sanger.
The Dimona complex in the Negev desert is famous as the heavily guarded heart of Israel’s never-acknowledged nuclear arms program, where neat rows of factories make atomic fuel for the arsenal.

Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran’s efforts to make a bomb of its own.

Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.
4th Generation Warfare (4GW) and its implications for global critical infrastructure organizations are obvious. The Operational Risks associated with targeted infiltration of systems that control machines, manufacturing processes and the software that manages transportation have changed the baseline for where to begin mitigating this asymmetric threat.

Executives then and to this day realize the continuous requirement for improved focus on the "Insider Threat" to their systems operations. Why?

This particular worm was initially delivered by a USB thumb drive, according to various reports. This means that someone would have to have been inside the targeted facility to introduce the malware to the system controller. A person within the perimeter of the organization, with this single device, could set the chain reaction in motion.

Whether you are a major manufacturer or an electric utility doesn't matter. The person you trust to access systems inside the organization is the basis for mitigating this type of attack. Most important is the scrutiny associated with the extended supply chain of semi-trusted contractors or others known to the organization.

All of the background checks and other methods for determining someone's character will not be the major deterrent to a worm introduced internally to an Intranet with the use of a USB thumb drive.

So what is the answer to address this threat?
A TSA-style check, scan and pat down at the entrance to every commercial enterprise that has computers inside with open USB ports? This is very unlikely in the near term for most facilities.

What about disabling the technology itself, turning off the USB ports on each system inside the organization's perimeter? This solution is more likely to deter many opportunities for this type of USB-style attack to occur, yet it still does not remove all of the risk from another possible vector into the network, such as a CD drive.

Regardless of the method or the controls you employ to mitigate this risk, they will not eliminate the entire threat from your organization. Even the use of a "Digital Sandbox", endpoint security measures or other methods to disable ports on systems will not entirely lock down your organization.

There is only the ability to create a more resilient and durable environment to survive a significant business disruption. The mindset shift to durability, and to the latency of recovery, now becomes the new strategy for these kinds of risks.

Using a strategy for "Business Resilience" is one that requires significant resources, a Global Security Operations Center (GSOC) and a committed management team. The ability to survive is the first part of the process, and how soon you return to full operational capability is the metric. How long does it take to bounce back to normal from a major crisis in your organization?

The ability to manage emerging risks, anticipate the interactions between different types of risk, and bounce back from disruption or crisis, will be a competitive differentiator for companies and countries alike in the 21st century.

Homeland security is often seen as a protective, even defensive, posture. But Maginot lines are inherently flawed. Fences and firewalls can always be breached. Rather, the national focus should be on risk management and resilience, not security and protection.
Resilience—the capability to anticipate risk, limit impact and bounce back rapidly—is the ultimate objective of both economic security and corporate competitiveness...

16 September 2018

Crowdsourced Risk: Situational Awareness in Mass Emergency...

Real-time information and raw intelligence via mobile devices have changed the risk management dialogue, from the Emergency Operations Center (EOC) to the corporate board room.

Operational Risk Management (ORM) professionals are leveraging this information in combination with crowdsourced mapping applications, GPS, video feeds and live reporting.

Intelligence Analysts have leveraged Big Data and Digital Analytics to extract the relevance of key questions asked by their constituents.  These same ORM professionals also realize that the raw data feeds from John Q. Citizen are exactly that: raw.

Fact checking, vetting and data verification are still the task of journalistic and intelligence experts.

Whether you are talking about risk incidents that involve whistle blowers on Wall Street, severe weather events, natural disasters, the Arab Spring or an active shooter in a Denver, CO suburb; social media is there.

Corporate Chief Information Officers are in the middle of "Bring Your Own Device" (BYOD) policy development, while National Public Radio (NPR) is using Twitter as a news room approach to reporting in the Middle East. Errors, omissions and the operational risks associated with this "New Normal" are upon us, with the crowdsourced future of news and intelligence:

In a flashback to six years ago, we were writing about how users of Twitter and Reddit used those networks to tell a compelling story about a mass shooting in Toronto, and how the same phenomenon was playing out in real time during another horrific incident: a shooting at a movie theater in Colorado that had killed at least a dozen people and wounded more than 50.

Although local TV news channels and CNN had been all over the story since it broke, some of the best fact-based information gathering had been taking place on Reddit and other open source curation tools.

The integrity of the information posted on Facebook, Reddit or the organizational blog is what is at stake. Crowdsourcing and crowdmapping with the correct tools and trusted rule-sets is just the beginning.

From innovation to revolution, Patrick Meier and his blog capture even more on the vital crowdsourcing topics. For a good foundation, also be sure to visit Sarah Vieweg's dissertation on situational awareness:

Situational Awareness in Mass Emergency: A Behavioral and Linguistic Analysis of Microblogged Communications (2012)

"In times of mass emergency, users of Twitter often communicate information about the event, some of which contributes to situational awareness. Situational awareness refers to a state of understanding the “big picture” in time- and safety-critical situations. The more situational awareness people have, the better equipped they are to make informed decisions. Given that hundreds of millions of Twitter communications (known as “tweets”) are sent every day and emergency events regularly occur, automated methods are needed to identify those tweets that contain actionable, tactical information."

Welcome to Dataminr...
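As an added example, not code from the original post, from Vieweg's dissertation or from Dataminr, the Python below applies the two ideas raised above: automated identification of posts that carry situational-awareness content, and vetting before anyone acts on them. The cue rubric (hazard term, named place, time reference, first-hand witness wording) and the corroboration rule (the same hazard at the same place reported by at least two distinct accounts) are this example's own assumptions, and the sample posts are constructed, not real tweets.

```python
"""Triage constructed microblog posts for situational-awareness (SA) content.

Added example for this post; not code from the original blog, from Vieweg's
dissertation or from Dataminr. The cue rubric and the corroboration rule are
this example's own assumptions, and SAMPLE_POSTS are constructed, not real tweets.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Surface terms mapped to a canonical hazard, so that "smoke" and "fire"
# reports about the same place corroborate each other.
HAZARDS = {
    "fire": "fire", "smoke": "fire", "flames": "fire",
    "shooter": "shooting", "shooting": "shooting", "gunshots": "shooting",
    "flood": "flood", "flooding": "flood",
    "explosion": "explosion", "tornado": "tornado",
}
# Tactical cues: a named place, a time reference, first-hand witness wording.
LOCATION_RE = re.compile(r"\b(?:at|near|on|outside)\s+(?:the\s+)?([A-Z][\w']+(?:\s+[A-Z][\w']+)*)")
TIME_RE = re.compile(r"\b(?:\d{1,2}(?::\d{2})?\s*(?:am|pm)|just now|right now|minutes? ago)\b", re.I)
WITNESS_RE = re.compile(r"\b(?:i (?:see|saw|hear|heard|can see)|we (?:see|saw)|watching)\b", re.I)
# Reaction/sympathy wording that on its own is not situational awareness.
NOISE_RE = re.compile(r"\b(?:prayers|thoughts|so sad|omg)\b", re.I)


@dataclass
class Post:
    user: str
    text: str


@dataclass
class Triage:
    post: Post
    sa_score: int               # number of SA cues present (0-4)
    hazard: Optional[str]
    location: Optional[str]
    corroborated: bool          # same hazard + place from >= 2 distinct accounts


def extract(post: Post) -> Tuple[Optional[str], Optional[str], int]:
    """Return (canonical hazard, place, cue count) for one post."""
    tokens = re.findall(r"[a-z']+", post.text.lower())
    hazard = next((HAZARDS[t] for t in tokens if t in HAZARDS), None)
    m = LOCATION_RE.search(post.text)
    location = m.group(1).lower() if m else None
    score = sum([hazard is not None, location is not None,
                 bool(TIME_RE.search(post.text)), bool(WITNESS_RE.search(post.text))])
    # A sympathy post with no hazard and place is not SA, whatever else it says.
    if NOISE_RE.search(post.text) and not (hazard and location):
        score = 0
    return hazard, location, score


def triage(posts: List[Post]) -> List[Triage]:
    """Score every post and mark those whose event is reported by independent accounts."""
    extracted = [(p, *extract(p)) for p in posts]
    users_by_event = defaultdict(set)
    for p, hazard, location, _ in extracted:
        if hazard and location:
            users_by_event[(hazard, location)].add(p.user)
    return [
        Triage(p, score, hazard, location,
               corroborated=bool(hazard and location)
               and len(users_by_event[(hazard, location)]) >= 2)
        for p, hazard, location, score in extracted
    ]


def actionable(posts: List[Post]) -> List[Triage]:
    """Posts a watch officer can act on: enough cues AND independently corroborated."""
    return [t for t in triage(posts) if t.sa_score >= 2 and t.corroborated]


def single_source(posts: List[Post]) -> List[Triage]:
    """High-cue posts that still rest on one account: queue for verification, not action."""
    return [t for t in triage(posts) if t.sa_score >= 2 and not t.corroborated]


# Constructed sample feed (not real tweets).
SAMPLE_POSTS = [
    Post("alice", "I see heavy smoke near Central Station, fire trucks arriving right now"),
    Post("bob", "Fire at Central Station, they are evacuating the platforms"),
    Post("carol", "Prayers for everyone affected today, so sad"),
    Post("dave", "Big smoke plume visible near Central Station"),
    Post("eve", "There is a shooter at Maple Mall, we saw police running in"),
    Post("alice", "Update: smoke at Central Station is clearing, 3:40pm"),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_POSTS):
        print(f"{t.post.user:6} score={t.sa_score} hazard={t.hazard} "
              f"place={t.location} corroborated={t.corroborated}")
```

The point of the corroboration column is the vetting step the post insists on: the single-account "shooter" report scores high on cues, so it is the kind of post automation should surface first, but it goes to the verification queue rather than to the dispatch screen until a second independent account or a trusted source confirms it.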

In each of these news worthy events, we can see how a new form of journalism and situational intelligence — one that blends traditional reporting and crowdsourced reports — has evolved.

In an era when these applications and zettabytes of pictures and videos are available to the public, the journalist/analyst has a tremendous volume of sources. This now includes the evolution of Body-Worn Cameras (BWC).  And with those sources comes a renewed responsibility to the integrity of the real mission before us. The truth.

What is actually the truth? What happened to whom and when?

The private sector has been leveraging Big Data Analytics for decades, including little known companies such as Acxiom, to collect and verify information on people for the purpose of marketing. This is indeed a mature and established sector, serving the consumer retail industry and financial institutions for the purpose of operational risk management:

The ideal combination of vetted and proven data sources from private sector companies such as Acxiom in the U.S., along with the raw reporting of information from social media sources, is already the future of journalistic trade craft.

When journalism from trusted sources or intelligence reports from trusted analysts misuse these tools, or err in their use of them, the operational risk factors are magnified. This can damage reputations and even jeopardize human lives.  The mobile social media revolution has the potential to be a Pandora's Box.

Operational Risk Management discipline provides the framework and the proven methodologies to mitigate the rising likelihood of a "Decision Disadvantage."

Whether you are the editor of a major publication or the watch commander at the local police department does not matter. Whether you are the CISO at a major corporate enterprise or the head of a government intelligence agency does not matter.

It begins long before journalism school or high school English class. The ethics and integrity of information are at stake, and it begins the first time you hand a pre-teen their first mobile digital device.

22 April 2018

Unthinkable: Adapting in New World Disorder...

Will 2018 bring more data breaches, lost laptops and insider threats than 2017?  This is why CSOs, CPOs and corporate General Counsels have their teams working overtime.

When the enemy is increasing their attacks, utilizing new strategies and leveraging the existing base of compromised organizational intellectual and data assets, the future horizon becomes ever more clear. 

The statistics don't lie.  1,579 documented data breaches occurred in 2017, up 44.7% from the previous year according to reports by the Identity Theft Resource Center (ITRC).  It is the new normal.

The Insider Threat Program (InTP) however, remains a key focus for Operational Risk Management (ORM) professionals because human behaviors are exaggerated during periods of stress, fear and uncertainty. This means that people who may have never considered doing something to jeopardize their reputations, may now be up against a wall.

When there is no obvious exit and no way out, people will do extraordinary things to get ahead, beat the odds and hedge their own risk portfolio of life.

In Joshua Cooper Ramo's book "The Age of the Unthinkable: Why the New World Disorder Constantly Surprises Us and What We Can Do About It", the author discusses the concept of Deep Security. His analogy for how to think about "Deep Security" is the biological immune system:

"A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."

The key word in Ramo's writing is "Adapt".  Being Adaptive.  However, prior to this there are two other very vital words that we feel are even more imperative. Instinct. Identifying. In other words, Proactive Intuition.

Ask any savvy investigator on how she solved the case and you may hear just that, "I had a hunch."

Talk with a Chief Privacy Officer in any Global 500 company.  You might get them to admit they have a sense that their organization will be the target of an "Insider data breach" incident in the coming year or two.

Do you remember signing off that you had read and accepted the employee handbook?  When did your organization last make changes to its corporate employee policies?  We would start with updates to the following sections:
  • MEDIA CONTACT
  • SOCIAL MEDIA POLICY
  • REMOTE ACCESS POLICY
  • E-MAIL, VOICE MAIL AND COMPUTER NETWORK SYSTEM PRIVACY
  • (YOUR ORGANIZATION) RIGHT TO ACCESS INFORMATION
  • SYSTEMS USE RESTRICTED TO COMPANY BUSINESS
  • FORBIDDEN CONTENT
  • PASSWORD SECURITY AND INTEGRITY
  • INTERNET ACCEPTABLE USE POLICY
  • POLICY ON USE OF SOFTWARE
  • COMPANY PROPERTY
  • PROTECTION OF TRADE SECRETS/NON-DISCLOSURE OF COMPANY INFORMATION 

The increasing complexity of IT systems, cloud computing and data networks, together with the hundreds or thousands of laptops and mobile devices circling the globe with company executives and employees, is enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern enterprise does not come naturally. You have to work at it, and it requires a substantial investment in time and resources to make it work effectively.  Proactive Intuition.

Once you realize that all of the controls, technology and physical security are not going to keep you out of harm's way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."

20 August 2017

Alternative Analysis: Intelligence-Led Methodologies...

Operational Risk Management (ORM) is about the consideration of past failures and the possibility of unknown future failures of people, processes, systems and external events. The analysis of the likelihood and implications of those loss events, requires different methodologies to assist in the mitigation strategies to prevent or avoid the risks of failure. In light of the nature and complexity of transnational asymmetric threats, this requires the use of alternative methods of analysis.

Intuitive decision making and sense-making can be combined into a framework for categorizing the residual thought processes of intelligence analysts. This is called "intelligence sense-making".

This process involves the application of expertise, imagination and conversation, and the benefit of intuition without the systematic consideration of alternative hypotheses. Compared to traditional methods of analysis, intelligence sense-making is continuous rather than discrete, informal rather than formal, and focused more on issues that don't have normal constraints.

Employing alternative analysis means that when you "can't afford getting it wrong", you challenge assumptions and identify alternative outcomes. However, it may be of little use against today's growing non-state transnational threats and ongoing criminal enterprise complexities. This is because there are so many possible outcomes, constant and perpetual changes, and contingencies that no single risk management process can be effective all the time.

Web-logs 3.0 are the future for some effective transnational alternative analysis. Combined with machine learning threat intelligence systems such as Recorded Future, the open source analyst can operate with increasing pace and context. Unlike more formal published papers, intelligence Web-logs are a more free-flowing "unfinished" production, whereby both human intuitions and more formal arguments are posted and then challenged by those with alternative ideas.

Indeed, Web-logs are the mechanism for a facilitated contextual dialogue: the electronic equivalent of out loud sense-making.

"On September 11th, about half of the hijackers had been flagged for scrutiny at the gate before boarding the ill-fated flights. Had the concerns of the Phoenix FBI office about flight training not only been shared broadly within the government but also integrated into a mindfulness-focused inter-agency process—featuring out loud sense-making, Web-log type forums, computer-generated references to extant scenarios for crashing airplanes into prominent targets—might at least some of the detentions been prolonged, disrupting the plan? --“Rethinking ‘Alternative Analysis’ to Address Transnational Threats,” published in Kent Center Occasional Papers, Volume 3, Number 2.

In our modern day era of Twitter, Facebook and "Crowd Sourcing" technologies perhaps the tools are already in place. Platforms such as Ushahidi are geocoding the information origin, providing ground truth situational awareness and providing context on issues that are unbounded. How often does the published press currently use these tools to get their original leads, potential sources or new ideas for a more formal story? This story then takes on the formal journalistic requirements for confirmation from trusted and vetted sources, before it makes the final deadline and is delivered on printed paper to our doorstep each morning.

The doctrine of analysis for transnational threats and homeland security intelligence is still evolving in this accelerating digital ecosystem. The alternative methods and tools that we will utilize to examine, refute or justify our thoughts remain endless. The degree to which we are effectively operating within the legal rule-sets for our particular country, state or locality remains the ultimate privacy and civil liberties challenge. These respective governance guidelines, particularly with regard to intelligence record systems and liability issues, must remain paramount:
  • Who is responsible for entering information into the Intelligence Records System?
  • Who is the custodian of the Intelligence Records System that ensures all regulations, law, policy and procedures are followed?
  • What types of source documents are entered into the Intelligence Records System?
  • Does the retention process adhere to the guidelines of 28 CFR Part 23 in the United States?

Finally, community-based policing has developed skills in many law enforcement first responders that directly support new domestic counterterrorism responsibilities. Intelligence-led policing (ILP) provides strategic integration of intelligence into the overall mission of the larger "Homeland Security Intelligence" enterprise. It involves multiple jurisdictions, is threat driven, and incorporates the citizens of the community, who are asked to cooperate when called upon, to be aware of their surroundings and to report anything suspicious.

So what types of information do street officers need from an Intelligence Unit?
  1. Who poses threats?
  2. Who is doing what with whom?
  3. What is the modus operandi of the threat?
  4. What is needed to catch offenders / threat actors?
  5. What specific types of information are being sought by the intelligence unit to aid in the broader threat analysis?
Alternative analysis is designed to hedge against human behavior. Analysts, like all human beings, typically concentrate on data that confirms, rather than discredits, existing hypotheses. Law enforcement is constantly focused on the key evidence to prove who committed the crime.
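One concrete way to hedge against the confirmation habit just described is Analysis of Competing Hypotheses (ACH), Richards Heuer's technique of ranking hypotheses by the evidence that contradicts them rather than by the evidence that fits them. The post does not name ACH; the Python below is an added example, not code from the post or from the Kent Center paper, and the incident, hypotheses, evidence items and ratings are constructed for illustration.

```python
"""Analysis of Competing Hypotheses (ACH) over a constructed incident.

Added example; not code from the post or from the Kent Center paper. ACH is
Richards Heuer's technique: rank hypotheses by how much evidence contradicts
them, because consistent evidence is cheap and usually fits several stories.
Hypotheses, evidence and ratings below are constructed for illustration.
"""
from typing import Dict, List, Tuple

C, I, N = "C", "I", "N"   # evidence is consistent / inconsistent / neutral for a hypothesis

H1 = "H1 insider exfiltration"
H2 = "H2 misconfigured backup job"
H3 = "H3 external compromise"
HYPOTHESES = [H1, H2, H3]

Matrix = Dict[str, Tuple[str, Dict[str, str]]]

# Constructed evidence about one large overnight transfer from a file server:
# id -> (description, rating under each hypothesis).
EVIDENCE: Matrix = {
    "E1": ("transfer ran under the backup service account, a credential the employee never held",
           {H1: I, H2: C, H3: C}),
    "E2": ("destination bucket belongs to the contracted backup provider", {H1: I, H2: C, H3: I}),
    "E3": ("departing employee browsed the affected share the same week", {H1: C, H2: N, H3: N}),
    "E4": ("employee was denied a promotion last month", {H1: C, H2: N, H3: N}),
    "E5": ("badge logs show the employee on site after hours", {H1: C, H2: N, H3: N}),
    "E6": ("transfer started at 02:00", {H1: C, H2: C, H3: C}),
    "E7": ("no EDR alerts and no new processes on the file server", {H1: N, H2: C, H3: I}),
    "E8": ("DLP alert: employee copied files to a USB drive last month", {H1: C, H2: N, H3: N}),
    "E9": ("provider says the bucket was created with an API key, not by the scheduled job",
           {H1: N, H2: I, H3: C}),
}


def consistency_counts(evidence: Matrix) -> Dict[str, int]:
    """What a confirmation-driven reading does: count evidence that fits each story."""
    return {h: sum(r[h] == C for _, r in evidence.values()) for h in HYPOTHESES}


def inconsistency_counts(evidence: Matrix) -> Dict[str, int]:
    """What ACH does: count evidence that each story cannot explain."""
    return {h: sum(r[h] == I for _, r in evidence.values()) for h in HYPOTHESES}


def naive_favourite(evidence: Matrix) -> str:
    """The hypothesis with the most confirming evidence (the bias the post warns about)."""
    scores = consistency_counts(evidence)
    return max(HYPOTHESES, key=lambda h: scores[h])


def leaders(evidence: Matrix) -> List[str]:
    """Hypotheses with the fewest inconsistencies (more than one means 'still open')."""
    scores = inconsistency_counts(evidence)
    best = min(scores.values())
    return [h for h in HYPOTHESES if scores[h] == best]


def non_diagnostic(evidence: Matrix) -> List[str]:
    """Evidence rated the same under every hypothesis carries no weight either way."""
    return [eid for eid, (_, r) in evidence.items() if len(set(r.values())) == 1]


def sensitive_evidence(evidence: Matrix) -> List[str]:
    """Evidence whose removal changes the leading hypothesis: verify these items first."""
    base = leaders(evidence)
    return [eid for eid in evidence
            if leaders({k: v for k, v in evidence.items() if k != eid}) != base]


if __name__ == "__main__":
    print("favoured by counting confirmations:", naive_favourite(EVIDENCE))
    print("favoured by ACH (fewest inconsistencies):", leaders(EVIDENCE))
    print("non-diagnostic evidence:", non_diagnostic(EVIDENCE))
    print("verify before concluding:", sensitive_evidence(EVIDENCE))
```

On this constructed matrix the confirmation count favours the insider story, because five items fit it, while ACH favours the backup-job story, because only one item contradicts it. The sensitivity check is the practical payoff: it tells the analyst which evidence the conclusion actually hangs on, and therefore which items to validate with the source before anyone is accused or a case is referred.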

Alternative analysis shall remain part of the intelligence tool kit, for more formal policy level work. Imagine the use of Intelligence-led methodologies such as "intelligence sense-making" combined with secure Web 3.0 collaborative applications, at the finger tips of our Homeland Security first responders. Now think about that "lone wolf" or "sleeper cell" lying in wait.

Proactive and preventative risk management requires the right tools, with the right information in the hands of the right people.

19 March 2017

Startup Strategy: Opportunity of Digital Trust in a New Era...

The startup ecosystem of new ideas for SaaS platforms or mission-based digital solutions is becoming ever more robust in our growing economy.  As a result, Operational Risk professionals are more in demand to help new co-founders adapt to the legal, compliance and consumer transparency requirements that will soon descend upon them.

It makes sense that when you are starting a new company you first focus on the product/mission and who the intended market or user will be.  Yet soon after this is defined and the "Go-to-Market" strategy is in place, there is a tremendous amount of Operational Risk design and implementation of internal capabilities that will be required.  In Social Media alone, here is just one example:
"As social networks continue to mature, they increasingly take on roles they may not have anticipated. Moderating graphic imagery and hate speech, working to address trolling and harassment, and dealing with dissemination of fake news puts companies like Facebook and Twitter in powerful societal positions. Now, Facebook has acknowledged yet another challenge: Keeping your data safe from surveillance. That’s harder than it may sound. When you post something publicly on a social network, anyone can view it—including law enforcement or federal agencies."
Since the dawn of the Internet, new startup companies have been developing algorithms and bots to scour the vast landscape of "data oceans" for relevant content.  As public Internet tools, databases and consumer-oriented web sites were developed for even Blogs (Blogger.com) such as this one, other companies were figuring out how to capture the data content in their searchable systems.

Years later, startups developed ways to offer the API itself as a new product set, so that other companies could embed and utilize a set of data or capability and integrate it with a new set of functionality or service mission.  What is one company in this category focused on Twitter?  Gnip.com:
"PowerTrack provides customers with the ability to filter a data source’s full firehose, and only receive the data that they or their customers are interested in. This is accomplished by applying Gnip’s PowerTrack filtering language to match Tweets based on a wide variety of attributes, including user attributes, geo-location, language, and many others. Using PowerTrack rules to filter a data source ensures that customers receive all of the data, and only the data they need for your app."
So what?

If you are a startup company that is planning to pledge to your customers to keep "your data safe from surveillance," just as the juggernaut Facebook is currently doing, you have a tremendous amount of work and new processes/systems to get in place.  You are embarking not only on the steep growth curve of adding new customers and revenue; you are simultaneously under the mandate to help achieve a higher level of "Digital Trust" with those same customers.

Developing the policy alone is only the start.  Here is how Twitter is addressing it:

"To be clear: We prohibit developers using the Public APIs and Gnip data products from allowing law enforcement — or any other entity — to use Twitter data for surveillance purposes. Period. The fact that our Public APIs and Gnip data products provide information that people choose to share publicly does not change our policies in this area. And if developers violate our policies, we will take appropriate action, which can include suspension and termination of access to Twitter’s Public APIs and data products."

How Facebook and Twitter and Snapchat or LinkedIn and all of the hundreds of Social Media companies will scale up enforcement, is now the big question.  Maybe they have the deep pockets and resources to build and operate their "Digital Trust" business unit.  What about the new startup with only 6 or 7 figures in the bank from a seed or even "A" round of funding?

The policy implications and new federal laws being drafted in the United States and the European Union may be good indicators of where the future requirements will be defined for a new startup.  In the EU this week, the G20 finance ministers are converging on the topic of "Cyber Crime" soon after a recent indictment:
"Two intelligence agents from Russia, another G20 member, with masterminding the 2014 theft of 500 million Yahoo accounts. The indictment was the first time U.S. authorities have criminally charged Russian spies for cyber offences including for computer fraud, economic espionage, theft of trade secrets, and wire fraud."
How will the new startup that is focused on addressing transparency, privacy and surveillance now "Enable Digital Trust of Global Enterprises"?  Here is a glimpse from the latest PwC CEO Survey:

"Yet, if forfeiting people’s trust is a sure-fire route to failure, earning their trust is the single biggest enabler of success. As an example, the progression from assisted to augmented to autonomous intelligence depends on how much consumers and regulators trust machines to operate on their own. That, in turn, depends on whether those who create the machines have the right risk and governance structures, the means to verify and validate their claims independently and the mechanisms to engage effectively with stakeholders."

"In short, trust is an opportunity, not just a risk. Many CEOs recognise as much: 64% think the way their firm manages data will be a differentiating factor in future. These CEOs know that prioritising the human experience in a virtual world entails treating customers with integrity."


Welcome to the new era of achieving Digital Trust...

15 October 2016

Scrutiny: The Noun Missing From Your Culture...

The culture of your business or organization will continue to be the root cause of many of your most substantial successes.  Simultaneously, it will be one of the most significant factors in your potential downfall as a company.  Operational Risk Management (ORM) professionals at Wells Fargo and Booz Allen Hamilton are still dissecting all of the evidence of their respective events.

"Managing Risk to Ensure Intelligence Advantage" is a theme that you may not have heard before, unless you are in the Intelligence Community.  There is one key principle that is worth emphasizing again at this point in time:

Ensure all work is subject to scrutiny.  Require conflict of interest-free peer review for all programs, projects and strategies.

This principle, which must become pervasive across the culture of the organization, is imperative for several reasons.  The first is that a culture really is a manifestation of the people and the behaviors that are normal in the organization.  The second is that the culture must strive to be a true mosaic of the best thinking and ideas from all the key stakeholders in the enterprise, not just one or two people from the top or a singular department.

Subjecting your work to the scrutiny of others who review it is the beginning of new-found discovery and transparent insight.  It is the foundation for building a more trusted operating environment, with as little bias as you can possibly have in a culture.  When an organization spins out of control and becomes the latest case study of an Operational Risk failure event, you must learn from it.  Wells Fargo is just one recent example:

Some consumers may be shying away from Wells Fargo after learning that employees used customers’ information to open sham accounts, according to new figures reported by the bank.

The nation’s largest retail bank beat expectations when it reported more than $5.6 billion in profit for the past three months. But the bank’s earnings report also hinted that Wells Fargo may have some trouble convincing people to open new accounts in the wake of the scandal.

The number of checking accounts the bank opened in September fell by 25 percent from the same time last year, the company reported Friday. Credit card applications filed during the month dropped by 20 percent from a year ago. And the number of visits customers had with branch bankers also fell by 10 percent from last year. (Washington Post)

Whether you are in the international banking and finance business, the defense industrial base or any other set of critical infrastructure institutions that public citizens are counting on, there is no room for a runaway culture.  Consider this definition:

scrutiny

noun, plural scrutinies.

1. a searching examination or investigation; minute inquiry.

2. surveillance; close and continuous watching or guarding.

3. a close and searching look.

You see, the integrity and longevity of your "Trust Decisions" begin with the sharing of relevant information. Sharing that information with your most trusted and significant partners is the start: the beginning of a dialogue with people in your culture who continuously review the information and the new strategy. This begins the ongoing process. It is now time for others to look at your idea, your strategy, your policy rule, from their perspective and from their knowledge base; to scrutinize it, to analyze it, to make sense of it for themselves and for those affected by it.

The truth is, you don't have all the understanding and you don't have all of the ecosystem knowledge. You don't have the entire data set to know whether the specific work you have been doing is sound and correct; whether the new work you have designed is culturally and morally acceptable; whether the outcomes of your project will produce the results imagined; whether the strategy and the work are the right thing to do at this point in time.

So how do you change? It begins with your next management meeting and beyond. If you are the leader, the manager, the director, the Vice-President or the CxO, start now. Ask for scrutiny of your proposed strategy. Gain new insight and understanding. Ask for feedback and changes to make it better. Your power in the culture, and its impact, is your greatest weakness: your people will follow you unless you challenge them to think differently...

09 October 2016

Forest for the Trees: Inside the True Threat...

After we checked in, our elevator ascended to the 4th floor of the Washington Post on October 6th, where everyone on board was anxious to get their seat inside the "Live Center." The 6th Annual Cybersecurity Summit began at 9:00AM, on the heels of international news from Yahoo, Julian Assange and the NSA.

The TV cameras were lined up in the rear and the chairs were set on stage for 30-minute talks with key thought leaders from across the United States. One could not miss the ceiling-based sensors capturing the faces of each person attending. The moderators from the Washington Post were all prepared with their specific areas of questions to address such topics as:
  • Protecting Personal Data
  • Political Hacks and Leaks
  • Cyberspace:  A 21st Century Warzone
  • A Focus on Critical Infrastructure
  • The White House and Cybersecurity

Flashback 6 years to Harrison Ford's movie Firewall, and the viewer is entertained with a combination of Seattle bank heist, kidnapping and good old-fashioned Hollywood chase and fight scenes. There is even a degree of deception and conspiracy mixed in to spice up the story line. The plot is full of social engineering lessons from which even those with little knowledge of high technology can learn a thing or two.

While the actual high-technology bank heist turns out to be nothing more than a simple theft of account numbers and a transfer of $10,000 from 10,000 high net worth customers, the movie title is a ploy. In only one short sequence is there any focus on the fact that the bank is being attacked on a daily basis from other locations on the other side of the globe. Those attackers, using new and increasingly sophisticated strategies, are consistently giving financial institutions new challenges to secure their real assets: binary code.

In early 2005, a criminal gang with advanced hacking skills had tried to steal GBP 220 million (USD 421 million) from the London offices of the Japanese banking group Sumitomo and transfer the funds to 10 bank accounts around the world. Intelligence on the attempted theft, via key-logging software installed on banks' computers, had been circulating in security circles at that point in time. Soon thereafter, warnings were issued to financial institutions by the police to be on the alert for criminals using Trojan Horse technology that can record every keystroke made on a computer.

In this decade-old case, and even in the movie, the "insider" is a 99.9% certainty. A person has been bribed, threatened or spoofed in order for the actual fraud or heist to occur. The people who work inside the institution are far more likely to be the real source of your catastrophic digital incident than the skilled hacker using key-logging software. More and more, the real way to mitigate these potential risks is through behavior profiles, continuous monitoring and deep-learning analysis.

The human element, which relates to situational awareness, can't be ignored any longer. And it can only be changed through more effective education, training and testing of employees. An organization that procures technology worth millions of dollars is naive if it doesn't invest in educating its employees to make the investment worthwhile. Sometimes the human element stands alone. Just ask Mr. Robot.

Awareness, detection and determination of threat, deployment, taking action, and alertness are key ingredients for security.
"Predictive Intelligence comes into play as organizations recognize that detecting threats, starts long before the firewall is compromised, falsified accounts established and bribes taken."
The Israeli airline El Al has long known the power of humans as a force in security. An empowered, trained and aware group of people will contribute to the layered framework as a force multiplier that is unequaled by any other technology investment.

The cyber topics and IP theft news this week should be a wake-up call for those institutions that still have not given their employees more of the skills, and their Operational Risk Management (ORM) professionals the predictive tools, for detecting human threats long before any real losses occur.

The truth is that "Insider Threat" data is being collected by the minute and the hour. The public and private sectors have the highest concern about malicious insider activities to this day. What are some examples of the behavior? Some are observable by other humans and others only by machines and software. Do you currently measure the number of times per day a user on your network copies files from their system to a removable drive or Dropbox account?
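As an added example (not from this post or any product mentioned in it), here is the measurement the question above asks for: per-user, per-day counts of copies to removable or cloud-sync destinations, flagged against each user's own history. The log format, the user names and the assumption that drives E: and F: are USB media are all constructed for the example.

```python
# Added example: count and baseline per-user daily copies to external destinations.
from collections import defaultdict
from statistics import mean, pstdev

REMOVABLE_DRIVES = ("E:\\", "F:\\")    # assumption: these letters map to USB media
CLOUD_SYNC_MARKER = "\\Dropbox\\"      # assumption: local folder of a cloud-sync client

# Constructed endpoint telemetry, one copy event per line (not real data).
SAMPLE_LOG = """\
2016-10-03T09:12:44 user=alice action=copy dst=E:\\reports\\q3.xlsx
2016-10-04T08:55:01 user=alice action=copy dst=E:\\reports\\q4.xlsx
2016-10-06T17:40:02 user=alice action=copy dst=E:\\hr\\salaries.csv
2016-10-06T17:41:15 user=alice action=copy dst=E:\\hr\\reviews.docx
2016-10-06T17:42:09 user=alice action=copy dst=E:\\hr\\orgchart.pdf
2016-10-06T17:43:51 user=alice action=copy dst=E:\\legal\\contracts.zip
2016-10-03T13:02:10 user=bob action=copy dst=C:\\Users\\bob\\Dropbox\\notes.txt
2016-10-04T13:05:44 user=bob action=copy dst=C:\\Users\\bob\\Documents\\notes.txt
2016-10-05T12:58:30 user=bob action=copy dst=C:\\Users\\bob\\Dropbox\\todo.txt
2016-10-06T13:01:12 user=bob action=copy dst=C:\\Users\\bob\\Dropbox\\plan.txt
2016-10-06T14:20:00 user=carol action=copy dst=F:\\onboarding\\handbook.pdf
2016-10-06T14:21:30 user=carol action=copy dst=F:\\onboarding\\benefits.pdf
"""

def is_external(dst):
    """True when the destination leaves the managed disk (USB media or cloud sync)."""
    return dst.startswith(REMOVABLE_DRIVES) or CLOUD_SYNC_MARKER in dst

def daily_counts(log):
    """Return {user: {date: number of copies to external destinations}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        if rec.get("action") == "copy" and is_external(rec["dst"]):
            counts[rec["user"]][ts[:10]] += 1
    return counts

def flag_anomalies(counts, k=2.0, min_history=2):
    """Flag a day when its count exceeds the user's other days by k sigma (at least
    k copies when variance is zero). Users without enough history, e.g. new
    joiners, have no baseline yet and are returned separately for human review."""
    flagged, no_baseline = [], []
    for user, days in counts.items():
        for day, n in sorted(days.items()):
            history = [c for d, c in days.items() if d != day]
            if len(history) < min_history:
                no_baseline.append((user, day, n))
                continue
            if n > mean(history) + k * max(pstdev(history), 1.0):
                flagged.append((user, day, n))
    return flagged, no_baseline
```

Bob's steady one-copy-a-day Dropbox habit is normal for him and is not flagged, while the same tool routes a new joiner like carol to a reviewer precisely because no baseline exists yet.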

Executive Order 13587 was just the beginning of addressing the single points of failure in the Defense Industrial Base supply chains.

Think inside the true threat.  Ask questions about relationships, personality, job satisfaction, organizational structure, punctuality and who is leaving the organization.  Who has just joined the company?  The interdependencies are vast and complex and both data and metadata need to be collected for effective Activity-Based Intelligence (ABI).

Anomaly Detection at Multiple Scales (ADAMS) and the research on better understanding the "Forest for the Trees" scenarios are our destiny for finding the true threat. We will continue our security vs. privacy policy debates, yet at the end of the day, maybe the answers are as simple as a Rubik's Cube.
If you start thinking of the Super Bowl championship as your motivation, you are going to miss the trees for the forest or the forest for the trees. I never could understand that one. Marv Levy
Read more at: https://www.brainyquote.com/search_results.html?q=forest+for+the+trees

02 October 2016

Homegrown Violent Extremism: Vigilance of Intelligence...

Since the Boston Marathon terrorist attack on Patriots Day, April 15th, 2013, the spectrum of Operational Risks that has descended upon the region and the country is vast. People, processes, systems and external events are the state of play. If you own a backpack and you are taking it on public mass transit or to a public event soon, remember this. The new normal has finally arrived in the United States of America, again.

What does the face of terrorism look like? London understands. Oslo now understands. FOB Chapman understands. New York City. San Bernardino. Orlando. Dallas. Even as we begin the analysis of this latest U.S.-based event in the context of all the similarities to past episodes of terror, we are left with one absolute known: Operational Risk Management is essential, no matter whom you trust and how much you trust them. The public now understands this once again, and regardless of how much we may want to continue to enjoy our civil liberties and privacy, you never know when or how this will happen again.

Why is it that Israel and other nations that are far more advanced in their Operational Risk strategies still witness numerous incidents of terror? Because it is impossible to eliminate. It is only possible to mitigate the risks and the likelihood of occurrence. Public safety and security incidents of this magnitude are the visible metric we all judge to make sense of our progress. Our only hope is better intelligence. Lisa Ruth explained this over four years ago:

Intelligence is the best, the only, way to defeat the terrorists. To tackle the terrorist threat, we need all the weapons in our intelligence arsenal. That starts with intelligence requirements from the entire community that are well-focused and well-targeted. It means funding and a mandate to succeed. It means strong collection. We need human intelligence, which comes from case officers recruiting sources on the ground to give us information. We need electronic information, including telephone intercepts and static listening devices. We need overhead photography. We also need open source information such as web sites, Facebook pages and other publicly available information. We need analysis, putting the pieces together. And we need decision makers who trust the intelligence services and listen to what they are saying. (Washington Times, 9/14/2012)

So in the dark shadows and behind closed doors, the whispers continue to debate how Boston Patriots Day 2013 could have happened. How, on December 2, 2015, 14 people were killed and 22 were seriously injured in a terrorist attack at the Inland Regional Center in San Bernardino, California, which consisted of a mass shooting and an attempted bombing. Why didn't the intelligence we already had provide the warning in time, in the midst of a glaring yellow or red flag? As the analysis continues and the best and the brightest determine the lessons learned, we can only pray that our process changes take place and citizens' behaviors are modified. Erroll Southers explains why we have more work ahead of us:
At the same time, the radicalization process is not brief. Extremism smolders like a hot coal, an idea that grows into a violent fire fueled by anger, conflicts of identity, feelings of humiliation and marginalization. It is important for the public to understand that removing any one of these elements cannot fully disrupt radicalization. All of these and other root causes need to be addressed in the effort to not just apprehend terrorists, but dissuade the radicalization that leads to terrorism.
There will be numerous accounts of heroism: people who saw or reported details that could have helped stop any of these Homegrown Violent Extremist (HVE) events. What matters most from this point forward is that "John Q. Citizen" realizes the importance of being ever vigilant. Having a continuous sense of personal vigilance is our only hope. Whether in the crowd at the next marathon or in a lonely office cube off Route 123 does not matter. The goal is the same, and we must not lose sight of our mutual responsibilities and unified purpose.
Godspeed America!
  1. An expression of good will when addressing someone, typically someone about to go on a journey or a daring endeavor.