22 June 2014

Asymmetric Warfare: Board Room to Battlefield...

The planet Earth is experiencing a multitude of historical and 21st century "Asymmetric Wars", from the Board Rooms of the Global 500 to the Internet Cafes of Third World countries and Miranshah.

Operational Risk Management (ORM) doctrine will continue to be a factor:

a·sym·met·ric [ey-suh-me-trik, as-uh-]
adjective
1. not identical on both sides of a central line;
"Asymmetric warfare" can describe a conflict in which the resources of two belligerents differ in essence and in the struggle, interact and attempt to exploit each other's characteristic weaknesses. Such struggles often involve strategies and tactics of unconventional warfare, the "weaker" combatants attempting to use strategy to offset deficiencies in quantity or quality.[1] Such strategies may not necessarily be militarized.[2] This is in contrast to symmetric warfare, where two powers have similar military power and resources and rely on tactics that are similar overall, differing only in details and execution.
The Irish Republican Army (IRA) perfected the car bomb against the British.  Now "Improvised Explosive Devices" (IED) and suicide bombers continue to be the single greatest threat to U.S. troops in Afghanistan as we withdraw and in Iraq as we engage once again. The Middle East has been embroiled in conflicts with the modern use of "Social Media" and an asymmetric rebel element to initiate change in labor laws or to overthrow a nation state's leadership.

A layman may not understand the relevance of "Asymmetric Warfare" on the corporate battlefield. Some would describe the age-old tactic of industrial espionage, competitive intelligence or even patent litigation as a method for a small unknown company to gain an advantage over a much larger and established institution. This is a strategy of Asymmetric Warfare, nothing new. In any case, the perception is that the small and agile still have the means, tools and tactics to defeat the large and overbearing with the benefit of time, resources and the will of the people.

So what are some good examples of modern day asymmetric conflicts:
  • Apple vs. Google
  • NATO vs. Putin
  • Sunni vs. Shiite
  • BMW vs. Jaguar
  • Earth vs. Anonymous
  • Taliban vs. Afghans
  • United States vs. Jones
Each of these represents a conflict between two able parties, regardless of the perception of who is the "David" and who is the "Goliath". So what can your organization or nation state do to prepare itself for the inevitable risks that will be associated with doing business or operating your enterprise across countries and in hostile environments? By providing your employees and stakeholders the best education, research, training and exercise programs; technology test and evaluation and capability improvement programs that your resources can offer.  Why?  In a few words, to make faster and more informed "Trust Decisions".

The desire to Deter, Detect, Defend and Document is prudent doctrine in Operational Risk Management (ORM). You may call these steps or tactics by other names in your particular process, such as Observe, Orient, Decide, Act. What matters most is that the environment and landscape for the "Asymmetric Threats" and "Asymmetric Warfare" will continue to be challenging and dynamic.
BY ASSOCIATED PRESS June 16 
WASHINGTON — Judges around the country are grappling with the ripple effects of a 2-year-old Supreme Court ruling on GPS tracking, reaching conflicting conclusions on the case’s broader meaning and tackling unresolved questions that flare in a world where privacy and technology increasingly collide. 
The January 2012 opinion in United States v. Jones set constitutional boundaries for law enforcement’s use of GPS devices to track the whereabouts of criminal suspects. But the different legal rationales offered by the justices have left a muddled legal landscape for police and lower-court judges, who have struggled in the last two years with how and when to apply the decision — especially at a time when new technologies are developed at a faster rate than judicial opinions are issued. 
The result is that courts in different jurisdictions have reached different conclusions on similar issues, providing little uniformity for law enforcement and judges on core constitutional questions. Technological advancements are forcing the issue more and more, a development magnified by a heightened national debate over privacy versus surveillance and the disclosure of the National Security Agency’s bulk collection of Americans’ telephone records.

15 June 2014

TOC: The Implications of Consumer Privacy...

Operational Risks are pervasive in most every business, both large and small. A small business can learn a tremendous amount from the failures of large corporate enterprises. Privacy laws in the United States apply to all business owners, whether they be a sole practitioner or a soon-to-be corporation with a $100 Billion valuation.  Operational Risk Management (ORM) is present in any serious business that makes important "Trust Decisions" on a minute-by-minute basis.

Consumer privacy and the risks associated with the protection of personally identifiable information of clients, members and customers are at stake. Learning from the organizations that have made changes and are working on a daily basis to comply with the regulatory frameworks can be a very beneficial lesson to all.

Beyond the cost of a breach of data, Operational Risk Management (ORM) professionals understand that human behavior is the reason behind many of these incidents. Employees and supply chain insiders, not clandestine hackers or malicious code sent from afar, can be the major threat. So what can a Chief Privacy Officer or CISO do to mitigate the risks of employees and their behavior? All of the education and awareness campaigns may help, but the "Trust Decision" process itself is the place to begin.

Information Governance, and the steps that are utilized to ingest or acquire and process that information, are also paramount.  Hayley Tsukayama from the Washington Post highlights part of the issue:
Facebook came under fire Thursday from privacy advocates who say that changes to its ad network mark an unprecedented expansion of its ability to collect users' personal data. The advocates are also criticizing the Federal Trade Commission for allowing Facebook to make the changes and argue that the network's size gives it too much knowledge about its users.
Whether you are in the business of "Social Networking" like Facebook or you are the regional health care system in your state, the privacy of consumer information is at stake. Where that stolen information ends up, in many cases, is in the hands of "Transnational Criminal Organizations" (TOC), where it becomes the lifeblood of their business operations to perpetuate their fraud schemes. These schemes are impacting the economic security of major organizations in the private sector, and so the U.S. government (USG) has ramped up in the past 3 years to address the threat. Combined with other factors associated with legitimate business operations, organized digital crime syndicates have infiltrated the country and are costing the United States billions of dollars per year.

Here are several actions USG will be taking as the TOC strategy continues to be enabled:

Action

  • Implement a new Executive Order to prohibit the transactions and block the assets under U.S. jurisdiction of TOC networks and their associates that threaten critical U.S. interests.
  • Prevent or disrupt criminal involvement in emerging and strategic markets.
  • Increase awareness and provide incentives and alternatives for the private sector to reduce facilitation of TOC.
  • Develop a mechanism that would make unclassified data on TOC available to private sector partners.
  • Implement the Administration’s joint strategic plan on intellectual property enforcement to target, investigate, and prosecute intellectual property crimes committed by TOC.
  • Enhance domestic and foreign capabilities to combat the increasing involvement of TOC networks in cybercrime and build international capacity to forensically exploit and judicially process digital evidence.
  • Use authorities under the USA PATRIOT Act to designate foreign jurisdictions, institutions, or classes of transactions as ‘‘primary money-laundering concerns,” allowing for the introduction of various restrictive measures on financial dealings by U.S. persons with those entities.
  • Identify foreign kleptocrats who have corrupt relationships with TOC networks and target their assets for freezing, forfeiture, and repatriation to victimized governments.
  • Work with Congress to enact legislation to require disclosure of beneficial ownership information of legal entities at the time of company formation in order to enhance transparency for law enforcement and other purposes.
  • Support the work of the Financial Action Task Force, which sets and enforces global standards to combat both money laundering and the financing of terrorism.

The FTC is continuously working with companies like Facebook. The White House NSC is working on strategies that have a nexus with stealing consumers' information to exploit the financial system. Yet all of this will be for nothing if the private sector does not work in concert with government. Public-Private partnerships are in full swing and are making some progress.

In addition, nation state industrial intellectual property theft and economic espionage have eroded our global competitive advantage in several industry segments.  Ellen Nakashima explains:
A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion — or almost 1 percent of global income. 
The estimate by the Center for Strategic and International Studies is lower than the eye-popping $1 trillion figure cited by President Obama, but it nonetheless puts cybercrime in the ranks of drug trafficking in terms of worldwide economic harm. 
“This is a global problem and we aren’t doing enough to manage risk,” said James A. Lewis, CSIS senior fellow and co-author of the report, released Monday.
Changing people's behavior inside your own business will require substantial oversight and continuous education. Remain vigilant, at the risk of your organization's own peril!

08 June 2014

Algo Bots: The Risk of Human Error...

What "Trust Decisions" did you make this past week?  How fast did you make them?  The ability to manage an entire portfolio of operational risks in a daily routine is daunting.  How do you prioritize? What Operational Risk Management (ORM) process will you engage in, with so many uncertain outcomes?  Why will you sit up in bed at 3AM to read the latest alert on your smartphone?

In October of 2012, this ORM blog discussed the topic of "Algo Bots" and "Dark Pools".  Machines talking to other machines, making decisions at optical network speed, and making more precise "Trust Decisions."  What is the risk of a low probability and high consequence incident when humans are taken out of the equation?  Dave Michaels of Bloomberg explains the current focus:
Mary Jo White’s blueprint for imposing tighter controls on high-frequency traders and some of the murky venues they inhabit stops short of a crackdown. 
The U.S. Securities & Exchange Commission’s plan, unveiled by White in a speech this week, advanced some new ideas while borrowing heavily from existing proposals and measures that already have support on Wall Street. While stock exchanges, rapid-fire traders and private trading venues known as dark pools all would come under new scrutiny, White didn’t embrace the kind of tighter restraints that have been enacted in countries such as Australia and Canada. 
White isn’t acting in a vacuum. She is responding to political pressures raised by an investigation by the New York attorney general into whether speed traders prey on slower-moving investors as well as a book by Michael Lewis, “Flash Boys,” that condemned the role of exchanges and brokers in enabling unfairness. She announced the initiatives even as she said U.S. markets aren’t rigged and serve the goals of retail and institutional investors.
As an Operational Risk Management (ORM) professional, you have to stay on the edge.  You must imagine the future and dive into the current R&D of innovation.  Being a futurist is staying on the bleeding edge of technology, and this is just one facet of the risk mosaic.  The other, more human-factor-oriented component is the TTPs.  Tactics, Techniques and Procedures (TTP) are what you need your own "Opposition Research" team to be studying.  This is your opportunity to gather intelligence on your competition and simultaneously look at your own vulnerabilities.  Sam Mamudi and Keri Geiger explain:
The U.S. Securities and Exchange Commission cited Wedbush Securities Inc. and Liquidnet Holdings Inc. for violations of stock market rules, taking tangible steps a day after Chairman Mary Jo White outlined her plan to improve Wall Street trading. 
Wedbush, which the SEC said is among the five biggest Nasdaq Stock Market traders, failed to vet clients who broke the law as they placed billions of dollars of transactions in the stock market, the regulator said. Two current and former Wedbush executives, Jeffrey Bell and Christina Fillhart, were also targeted in the complaint. 
Liquidnet, one of the biggest independent dark pool operators, agreed to pay a $2 million fine for not living up to client secrecy standards on its private trading platform.
So what?  The Rise of the Machine Traders:
In the beginning was Josh Levine, an idealistic programming genius who dreamed of wresting control of the market from the big exchanges that, again and again, gave the giant institutions an advantage over the little guy. Levine created a computerized trading hub named Island where small traders swapped stocks, and over time his invention morphed into a global electronic stock market that sent trillions in capital through a vast jungle of fiber-optic cables. 
By then, the market that Levine had sought to fix had turned upside down, birthing secretive exchanges called dark pools and a new species of trading machines that could think, and that seemed, ominously, to be slipping the control of their human masters. Dark Pools is the fascinating story of how global markets have been hijacked by trading robots--many so self-directed that humans can't predict what they'll do next.
So how do you mitigate the potential risk of a rogue algorithm? Some have devised a mechanism called a circuit-breaker. In other words, an alarm that something is not normal: let's slow down until we can understand what is going on here. What are some other ways that we could potentially address the threat or the vulnerability? Was the "Flash Crash" a weak signal of a pending meltdown of the complete system?

Or is this just the next natural phase of the future growth curve?  Who will you put your faith in for your next "Trust Decisions"...


04 May 2014

Consumer Privacy USA: The Risk of Viceroy Tiger and Keyhole Panda...

There is a flurry of Operational Risk Management (ORM) activity around the DC beltway and across Silicon Valley in order to gain new consumer confidence.  The confidence that their personal metadata and information is being protected with encryption software and that privacy policies are in place to notify users, when their information is requested by the government.  Interesting.

Much of this wasted bandwidth is focused on competitive strategies.  If LinkedIn gets 3 or 4 stars from the EFF "Who Has Got Your Back Report" then our social media company should aspire to do the same. Transparency to the consumer end user on how data is protected and when you are notified of it being lost, leaked, hacked or handed over to law enforcement is the buzz right now.  Why?
Apple, Facebook, others defy authorities, notify users of secret data demands 
By Craig Timberg, Published: May 1 
Major U.S. technology companies have largely ended the practice of quietly complying with investigators’ demands for e-mail records and other online data, saying that users have a right to know in advance when their information is targeted for government seizure.
This increasingly defiant industry stand is giving some of the tens of thousands of Americans whose Internet data gets swept into criminal investigations each year the opportunity to fight in court to prevent disclosures. Prosecutors, however, warn that tech companies may undermine cases by tipping off criminals, giving them time to destroy vital electronic evidence before it can be gathered. 
Fueling the shift is the industry’s eagerness to distance itself from the government after last year’s disclosures about National Security Agency surveillance of online services. Apple, Microsoft, Facebook and Google all are updating their policies to expand routine notification of users about government data seizures, unless specifically gagged by a judge or other legal authority, officials at all four companies said. Yahoo announced similar changes in July. 
As this position becomes uniform across the industry, U.S. tech companies will ignore the instructions stamped on the fronts of subpoenas urging them not to alert subjects about data requests, industry lawyers say. Companies that already routinely notify users have found that investigators often drop data demands to avoid having suspects learn of inquiries.
Enterprise businesses are now waking up to the reality of investing in more robust Operational Risk Management (ORM) practices within their Enterprise Architecture Framework.  Areas that have been neglected in the architecture for data transport are now finally being updated.  Even the exposure of current SSL deployments as a result of the "Heartbleed" vulnerability has finally motivated many to upgrade to TLS 1.2 and add Forward Secrecy.  Even LinkedIn, who gets multiple stars from EFF (and only a "B" from Qualys SSL Labs), doesn't even use TLS 1.2, nor does the average consumer even understand why Forward Secrecy is an important capability or why Google uses it within the popular Gmail service.

The privacy policies and opt-out capabilities the consumer really needs are from the private sector companies that are currently trading your personal information.  Your browsing history. Your purchases at national retailers.  When was the last time you gave your phone number to a cashier at the register to earn buy-one-get-one coupons or a discount at the local gasoline pump?  Where do you think all of this activity-based behavior about you, the consumer, is being resold?

The marketing of privacy and security will continue to become a product or service differentiator.  The government agencies will continue to follow the law to obtain your information.  The magistrate judges will make sure of this.  The adversaries however, are becoming more productive and will find new exploits to attack your infrastructure in new ways, on vectors that you have not even thought of yet.

Who are some of the adversaries?  A few worth noting:

  • Iran:  Cutting Kitten
  • India:  Viceroy Tiger
  • China:  Comment Panda, Deep Panda, Foxy Panda, Keyhole Panda, Union Panda, Vixen Panda et al

These cyber adversaries are in many cases focused on cyber espionage and the theft of your Intellectual Property or Research and Development.  This leaves hundreds of other capable crime-ware driven organizations across the globe, who are targeting other valuable data to perpetuate their fraudulent activities.  So what have you done at the Board of Directors level and the Executive "C" Suite, to pave the way for more effective collaboration with the G-man?

Collaboration with the FBI, Secret Service, SEC, FTC, OFAC, U.S. Attorney, State Attorney General or even the local county prosecutor is a prudent and wise Operational Risk Management strategy. "Complacency"--this could be one of the greatest vulnerabilities that your shareholders and stakeholders have ignored.  A proactive organization has established protocols, implemented best practices and tested policies.  They are already in place to work collaboratively with local, state and federal government.  These organizations will ultimately be the marketplace front runners.
“In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance. Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers.”
This is just one more example of what is becoming the new normal.  The Operational Risk Management (ORM) professionals in your organization are ready and willing to support corporate executives and the Board of Directors' newfound enlightenment.  Your new government partners will even share information with you on the latest modus operandi of "Keyhole Panda"...

20 April 2014

The "New Age" of Unreason...

In the new age of unreason, Charles Handy the author of The Age of Unreason would say that discontinuous change is upon us. He would say that we need to outsource everything that is not a core function of the enterprise. And he would say that learning is the same as change from a different worldview.
Heartbleed 
Heartbleed is a catastrophic bug in OpenSSL: 
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users. 
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it. 
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
Adaptation in order to survive in the corporate world is nothing new. The risks associated with making new decisions depend on how that decision will impact the other persons, processes or systems in the enterprise. As a simple example, adapting a process for entering orders from the field sales force could have a dramatic effect on productivity and at the same time subject an enterprise to new found risks.

How would your risk profile change if the following scenario took place at your business?
Sales reps are entering orders in the field via a web application that is protected by a user name and password. There is no VPN or encrypted connection. The application doesn't even use OpenSSL. The information on new customers includes name, address, phone number, credit card number, expiration date and the three or four digit security code. As the reps are entering their orders, the paper-based sales forms are being put into a folder to be sent by FedEx to the home office. Each rep makes a copy for their files, to make sure that they have the right commission check at the end of the month. The VP of sales finds out that many of the orders are lacking the security code or that the consumer is giving them the wrong numbers. He asks the CFO for a change in the sales order process in order to streamline the flow of orders and diminish the backlog. The CFO instructs the CIO to have her department change the business rules in the order entry system to eliminate the need for the security code in processing orders. Also, the lag time for the company hard copy to reach the accounting department is a problem, and he asks for this step to be eliminated. Everything is completed, and now the sales reps do not require this piece of information any longer to process an online sales order. Productivity increases and the backlog is eliminated.
What potential operational risks exist today with this particular business process?

1. The privacy of the customers' personal identity and credit card information may be at risk if the sales rep is not securing the hard copies of the sales orders at their business office or home office.

2. The lack of the credit card security code could increase the number of fraudulent orders due to the high rate of identity theft with stolen credit card numbers with expiration dates.

3. The personally identifiable information being entered on each new customer could be compromised due to the lack of controls on the network connection.

4. The privacy policy may not have been updated and amended to reflect the new business process and to document that a security code is not needed as of (date).

The new age of unreason is certainly upon us because simple changes like this are taking place by the dozens, hundreds or thousands every day in the largest enterprises. Making changes is also about learning what those changes will mean to everything that interfaces with that change. It means that testing must take place in a lab or compartmentalized area of the business to ensure that the change doesn't impact the core operations. It means observing performance and measuring the results to determine if the change is worth the new risks that the organization is about to encounter.

In the words of Charles Handy:
"Learning is not finding out what other people already know, but is solving our own problems for our own purposes, by questioning, thinking and testing until the solution is a new part of our lives."
"If changing is, as I have argued, only another word for learning, then the theories of learning will also be theories of changing. Those who are always learning are those who can ride the waves of change and who see a changing world as full of opportunities rather than damages. They are the ones most likely to be the survivors in a time of discontinuity."

01 March 2014

RSA Conference 2014: The Aftermath and the Consequences...

The 2014 RSA Conference USA is complete, and yet what have we learned?  Operational Risk Management (ORM) is still top of mind from the "Board Room" to the back office.  The mitigation strategies are permeating the 3rd Party supply chain, as management realizes that operational risks really do exist with partners and suppliers.  By now the RSA attendees are reviewing their notes, connecting with people on LinkedIn and sorting the stack of business cards on their desk.  Now what?
  • Have some of the largest retailers been the victims of massive data breach hacks?  Yes.  Have those attendees of the RSA Conference who downloaded the mobile app been exposed to a potential data leak of their information?  Yes.
  • Meanwhile, Operational Risks exist far beyond Moscone and San Francisco.  Have financial institutions been fined by government regulators over alleged violations in the sale of mortgage securities that led to the 2008 financial crash?  Yes.
  • Have the age old competitive intelligence tactics evolved into full blown "Industrial Espionage" funded and supported by nation states?  Yes.
  • Has the polar vortex created a vast economic risk for millions of businesses due to adverse weather? Yes.
And the Operational Risks to your organization will continue, that is for certain.  How after a week of RSA can you return to your enterprise and know where to begin?  What to change.  What new initiative to begin.  What new vulnerability to remediate.  Don't worry, the list will not be getting any shorter.  The priorities however may be changing.

So maybe it is time for a new "Consequence Assessment."  Here are the key variables for the rows of your matrix:
  1. Loss of life:  Likely fatality count.
  2. Economic damage:  Estimated costs of the attack or hazard.
  3. Psychological impact:  Considerations of change in population behavior toward social functions.
Now, the consequence levels become your columns of the matrix:
  • 0 - None or Negligible
  • 1 - Minor
  • 2 - Moderate
  • 3 - Significant
  • 4 - Catastrophic or Severe
In order to make the consequence assessment relevant and applicable to your business size, industry sector and geographic location, you now need to define each of the cells of the matrix.  So as an example, if we go to the matrix cell of Economic Damage / Moderate (2), what is your definition?  In the range of $1 billion to $10 billion.

If you are JPMorgan Chase then this may be the case for a consequence of legal liabilities, due to adverse litigation by the U.S. government in the Madoff case:
JPMorgan Chase has been fined more than $2 billion for violations of the Bank Secrecy Act tied to failure to report suspicious activity related to Bernie Madoff's decades-long, multi-billion dollar Ponzi scheme. Madoff was sentenced in 2009 to 150 years in prison for his deception. 
The fines against Chase were the result of three settlements. A settlement with the U.S. Attorney's Office for the Southern District of New York included a $1.7 billion penalty; a separate settlement with the Office of the Comptroller of the Currency included a $350 million penalty. Additionally, the Treasury Department's Financial Crimes Enforcement Network fined Chase $461 million for BSA-related violations. But FinCEN determined that its fine was satisfied by Chase's payment to the U.S. Attorney of New York.
If you are a mid-level business enterprise in the software industry that develops an "App" for consumers to file their income taxes online, then the metrics will be different for a moderate consequence of "Economic Damage." Your matrix will be entirely different and fine tuned to what is relevant in your industry sector.

The Loss of Life category will be an interesting exercise.  None or Negligible will be zero fatalities. Yet how do you define the difference between minor (1) and moderate (2)?

The Psychological Impact category will span:

0 - None or Negligible = No major change in population behavior; no effects on social functioning
to
4 - Catastrophic or Severe = Loss of belief in government and institutions; widespread disregard for official instructions; widespread looting and civil unrest

Once you have designed your particular matrix for your size and type of business, the real work begins. You must now begin developing the "Use Cases."  What are the scenarios that you will apply to the exercise that will take place next with the affected stakeholders?

In a generic fashion, you will design specific and customized scenarios that address the major business revenue components of your particular enterprise.  You are imagining an attack or hazard outcome, that impacts that component of your business.  Such as these typical cases:
  • Earthquake destroys data centers
  • Tsunami overcomes nuclear reactors
  • Data hack exposes millions of customers' PII
  • Infectious disease outbreak across work force
  • Government prosecutes for violations of regulatory laws
  • Employee sues company for management harassment
  • New Customer Order Management system launch encounters substantial bugs/failures
After you have cleaned off your desk from a week away at RSA, the work really begins.  Start your new "Consequence Assessment" soon.  Gather senior executives for an off-site for two days to review the new scenarios you have designed.  Get their independent feedback and perception of the variables of your matrix.  Ask your Board of Directors for the resources and budgets to address the outcomes and insights from the exercise.
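The matrix, cell definitions and use cases described above, carried through as an added example (not the author's tool or any product the post mentions): each scenario is placed in every row of the matrix and the worst row becomes its overall consequence level, which is what ranks the use cases for the off-site. The $1 billion to $10 billion Moderate band, the level names and the two Psychological Impact descriptions are the post's own; every other boundary, the middle descriptions and all scenario estimates are assumed placeholders that each enterprise must replace with its own.

```python
from dataclasses import dataclass

# Column headings of the matrix (from the post).
LEVELS = {
    0: "None or Negligible",
    1: "Minor",
    2: "Moderate",
    3: "Significant",
    4: "Catastrophic or Severe",
}

# Row: Economic damage. Each cell boundary is the lowest cost (USD) that still
# counts as that level. The post defines Moderate (2) as $1B to $10B, which
# fixes the boundaries of levels 2 and 3; the level 1 and 4 boundaries are
# assumed placeholders.
ECONOMIC_LOWER_BOUNDS = {
    1: 10_000_000,        # assumed
    2: 1_000_000_000,     # from the post
    3: 10_000_000_000,    # from the post (end of the Moderate range)
    4: 100_000_000_000,   # assumed
}

# Row: Loss of life. The post fixes only level 0 = zero fatalities; the other
# boundaries are assumed placeholders.
FATALITY_LOWER_BOUNDS = {1: 1, 2: 10, 3: 100, 4: 1_000}

# Row: Psychological impact. The post describes levels 0 and 4; the middle
# descriptions are assumed placeholders. Assessors score this row directly.
PSYCHOLOGICAL_IMPACT = {
    0: "No major change in population behavior; no effects on social functioning",
    1: "(assumed) Localized, short-lived concern",
    2: "(assumed) Noticeable loss of confidence in the affected service",
    3: "(assumed) Sustained behavior change; partial disregard for official instructions",
    4: "Loss of belief in government and institutions; widespread disregard for "
       "official instructions; widespread looting and civil unrest",
}


def level_from_thresholds(value, lower_bounds):
    """Return the highest level whose lower bound is <= value, else 0."""
    if value < 0:
        raise ValueError("measurements cannot be negative")
    level = 0
    for candidate in sorted(lower_bounds):
        if value >= lower_bounds[candidate]:
            level = candidate
    return level


@dataclass(frozen=True)
class Scenario:
    """One 'use case' with the assessors' estimates for each matrix row."""
    name: str
    fatalities: int
    cost_usd: float
    psychological_level: int   # assessor's judgement on the 0-4 scale


def assess(scenario):
    """Place a scenario in every row and take the worst row as the overall level."""
    if scenario.psychological_level not in PSYCHOLOGICAL_IMPACT:
        raise ValueError(f"psychological level must be 0-4, got {scenario.psychological_level}")
    rows = {
        "loss_of_life": level_from_thresholds(scenario.fatalities, FATALITY_LOWER_BOUNDS),
        "economic_damage": level_from_thresholds(scenario.cost_usd, ECONOMIC_LOWER_BOUNDS),
        "psychological_impact": scenario.psychological_level,
    }
    rows["overall"] = max(rows.values())
    return rows


def rank_scenarios(scenarios):
    """Order use cases for the off-site: worst overall level first, then by cost."""
    return sorted(scenarios, key=lambda s: (assess(s)["overall"], s.cost_usd), reverse=True)


# Constructed estimates for some of the post's typical use cases (illustrative only).
SAMPLE_SCENARIOS = [
    Scenario("Earthquake destroys data centers", 12, 2_500_000_000, 2),
    Scenario("Data hack exposes millions of customers' PII", 0, 150_000_000, 2),
    Scenario("Government prosecutes for regulatory violations", 0, 2_000_000_000, 1),
    Scenario("Order management system launch fails", 0, 4_000_000, 0),
]

if __name__ == "__main__":
    for s in rank_scenarios(SAMPLE_SCENARIOS):
        r = assess(s)
        print(f"{s.name:50} overall={r['overall']} ({LEVELS[r['overall']]}) {r}")
```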
“Man must be arched and buttressed from within, else the temple will crumble to dust.”
— Marcus Aurelius Antoninus

22 February 2014

Fraud Trends: Hedging Transnational Organized Crime...

The facts and the results of forensic investigations across the cyber domain are telling a significant story.  The question remains, will CxOs take the time to digest and think about what is happening within their Enterprise Risk ecosystem?  Operational Risk Management (ORM) has four key dimensions:

  • People
  • Processes
  • Systems
  • External Events

Each of these dimensions must be looked upon in a holistic and interdependent manner, realizing that they are all indeed interconnected.  One may impact another, and managing risk in some but not others could bring the entire enterprise to its knees.  This is understood.

You are no doubt utilizing a myriad of strategies to deter, detect, defend and document the Operational Risks within your specific industry and associated with the adversaries and regulations pertinent to your business.  So why is this still the state-of-play?
Companies are beginning to change how they think about cybersecurity – viewing it as a business issue, not just an IT issue. Forty-four percent of U.S. organizations that experienced fraud in the past 24 months suffered from cybercrime; and 44 percent of all U.S. respondents indicated they thought it was likely their organization would suffer from cybercrime within the next 24 months. 
Seventy-one percent of U.S. respondents indicated their perception of the risks of cybercrime increased over the past 24 months, rising 10 percent from 2011. U.S. respondents' perception of the risks of cybercrime exceeded the global average by 23 percent. Despite having more to lose, U.S. respondents were generally less aware of the cost of cybercrime: 42 percent of U.S. respondents were unaware of cybercrime's cost to their organizations, compared to 33 percent of global respondents.

Didier Lavion, PwC principal and lead author of the U.S. report, said, "U.S. corporations need to better leverage and implement the computational and analytical power of cybersecurity technologies to help combat the increasing global presence of cybercrime."  --Source:  PwC's Global Economic Crime Survey 2014

The reason that the state-of-play remains in turmoil is the inverse of what the survey is reporting. 29% of U.S. respondents have no perception that the risks of cybercrime have increased over the past 24 months. The 29% who do not perceive this must be in an industry group that is either not connected to the Internet, does not use mobile devices, or is using paper and pencils to run their business.
So for the other 71%, the perception of the risks of cybercrime has increased.  Again, what are the business details of these respondents?  What would be interesting is to ask the question:  How many U.S. citizens were issued a new credit or debit card last year due to fraudulent charges?  Perhaps the 29% are the unbanked population of the U.S., who are not issued cards because they do not participate in the formal banking system?  Unlikely.

Cybercrime analysis needs to go deeper.  As an example, it would be interesting to discover what percent of cyber fraud victims in 2013 currently run a Microsoft-based operating system on their computer.  No doubt the highest, due to the vast installed base of Microsoft-based PCs over the years.

Executive Management of companies with over 1000 employees who do not perceive the risk of cybercrime to be on the rise may have other, more pressing issues: labor, raw materials, weather, or other factors that may be impacting their business.  It makes some sense.

Over the next decade, the tide will turn on the motivation to pursue petty cybercrime and fraud.  Not because the laws and enforcement are more effective.  Not necessarily because the fraud opportunity becomes too difficult because of the effectiveness of new technology.  Not even because the Microsoft Operating System installed base dwindles to a minority percentage.  Why?

It is because the best cyber Transnational Organized Crime (TOC) organizations will become allies with nation states or even terrorist non-state actors.  They will be paid much more handsomely and they may not even have to disclose their true identities.  The stakes and the fortunes to be made in TOC are rising.  The cyber domain is now a race for superiority.  The best of these skills and knowledge will come from the "dark side" to start, and at a high premium.  So what are you to do, if you are the CxO of a top Global 500 organization?

Pray longer.  Allocate a treasure chest to invest in your long digital war ahead.  Hedge the risk...
New threat actor: Spanish-speaking attackers targeting government institutions, energy, oil & gas companies and other high-profile victims via cross-platform malware toolkit 
Today Kaspersky Lab’s security research team announced the discovery of “The Mask” (aka Careto), an advanced Spanish-language speaking threat actor that has been involved in global cyber-espionage operations since at least 2007. What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone). 
The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world – from the Middle East and Europe to Africa and the Americas. The main objective of the attackers is to gather sensitive data from the infected systems. Several reasons make us believe this could be a nation-state sponsored campaign.

25 January 2014

Evidence: True or False On Privacy Apps...

What is a Chief Legal Counsel to do these days about new messenger-focused Apps such as Wickr, Silent Circle, or now even Confide?  Operational Risk Management (ORM) is a constant chess match.

The ranks of the deal makers and the Executive Suite who are more concerned about so-called eDiscovery and evidence coming back to haunt them are using these newfound "Privacy Apps."  Buyer beware, and CxOs should be on the lookout for this new "Operational Risk" trend within the enterprise.

Regardless of whether employees are potentially circumventing corporate communication networks or using their own personal devices, these new apps are indeed collecting potentially discoverable data:
Confide, Inc. (“Confide”) is pleased to offer you the ability to send and receive encrypted messages (“Messages”) that will self-destruct after a pre-set period of time (the “Service”). We make the Service available to you through a variety of Internet-enabled devices, including smart phones and tablets (collectively, “Devices”). Portions of the Service may also be available to you through our website at getconfide.com (the “Website”).

We provide our Service to you subject to the following Terms of Use, which may be updated by us from time to time without notice to you. By accessing and using the Website or the Service, you acknowledge that you have read, understood, and agree to be legally bound by the terms and conditions of these Terms of Use and the terms and conditions of our Privacy Policy, which is hereby incorporated by reference (collectively, this “Agreement”). If you do not agree to any of these terms, then please do not access or use the Website or the Service.
And this little item in the "Privacy Policy" caught our eye:
5. Geolocational Information
Certain features and functionalities of the Service may be based on your location. In order to provide these features and functionalities, we may – with your consent – collect geolocational information from your mobile Device or wireless carrier and/or certain third-party service providers. Such information is collectively called the “Geolocational Information.” Collection of such Geolocational Information occurs only when the Service is running on your mobile Device.
So since the message is not stored on the corporate server, and it disappears from the App after it is read on the device, does that mean digital forensics on the device are useless?  The answer is, "That depends."

It depends on what you are trying to collect.  It will depend on many aspects of the Operating System (iOS/Android) and whether there is a "forensic wipe" capability for use on the device.  There are dozens of dependencies here. However, is that really the issue at hand?

Off-the-record communications take place on a daily basis, from "Party A" to "Party B".  Typically this is done verbally.  Now there are a myriad of new phone Apps that are trying to mimic this same practice using encryption and self-destruct modes.  These provide secure and private communications from digital device to device.  What this is really about is called evidence.
Evidence (Law): Data presented to a court or jury in proof of the facts in issue, which may include the testimony of witnesses, records, documents, or objects.
It may be time for the CxO to educate the enterprise about the use of these new Apps as it pertains to corporate "Off-The-Record" conversations.  The formal or informal method for doing so should include:

1.  A review of the risk of using untested, unauthorized apps for corporate communications.

2.  A dialogue on what is evidence.

3.  A set of "Use Cases" that will illustrate to the potential end users why these apps do not circumvent eDiscovery.

Some may argue that when a subpoena is presented, that there is nothing to hand over.  Are you sure about that?
The cautionary tale that many reference is the case of Hushmail, an encrypted mail service that used to claim that "not even a Hushmail employee with access to our servers can read your encrypted email, since each message is uniquely encoded before it leaves your computer" — words that echo Wickr's own proclamations. Sell tells Mashable that Wickr's "architecture eliminates backdoors; if someone was to come to us with a subpoena, we have nothing to give them." 
As it turned out, Hushmail wasn't so impenetrable. In 2007 it was revealed that, actually, Hushmail could eavesdrop on its users' communications when presented with a court order.

28 December 2013

OPS Risk: Best of 2013 and 2014 Forecasts...

This Operational Risk Management (ORM) blog has been posting since September 2003.  Over a decade later, the 1000+ pages of content on the discipline and profession of Operational Risk Management provide continuous learning and significant new insights.

Here are a few of our most visited "Operational Risk" blog posts of 2013:
As we approach the end of 2013 and embark on our journey into 2014 in the United States, there are many reflections and new aspirations on our mind.  When we look back over the past 12 months, we see old Operational Risk vectors pioneered in the days prior to the Internet, now making their way online.  Why?  It is far easier and more efficient to rob banks, extort people, defraud consumers and conduct psychological warfare, over a global network of interconnected digital devices.

2014 will continue to accelerate the needs and requirements for more robust Operational Risk Management strategies and increased adaptive tactics to neutralize a rapidly evolving set of new adversaries.  This however, may be one of the most compelling challenges for OPS Risk professionals across the globe:

Correcting the record on the NSA review
By Michael Morell, Published: December 27 
Michael Morell is the former acting director and deputy director of the Central Intelligence Agency and a member of President Obama’s Review Group on Intelligence and Communications Technologies. 
One of the dangers of a 304-page report on a complex subject is that everyone gets to choose what he or she thinks is the bottom line. Many of those commenting on the report and recommendations of the recently completed Presidential Review Group on Intelligence and Communications Technologies must have read a different report than the one I helped write.
As one of the five members of the panel, let me try to clear up some of the confusion and misperceptions. One such misperception is the extent of the changes called for in the report. Commentators have used the word “sweeping” to characterize the recommendations, arguing that they would “roll back” the capabilities of the intelligence community.  This is incorrect.
The reason that the ambiguity in the "Security vs. Privacy" debate will challenge OPS Risk professionals is obvious.  Uncertainty and indecision increase vulnerability.  Whether you are a policy maker, U.S. military officer, consumer or corporate CxO, the same applies.

2014 will require augmented abilities to adapt and to increase our adaptive speed.  What is your latency to change, from the time your adversary measures your behavior after a test of your controls or defenses?  In these continuously asymmetric ecosystems operating on a global basis, the response time window has narrowed to minutes or even seconds.  Not hours or days:
Target: Deceive first, answer questions later
Issuing deceptive statements is no way to win back customers' trust. That's a lesson for anyone who might find itself in Target's position someday. 
Evan Schuman December 28, 2013 (Computerworld)
For Target to get beyond its data breach disaster, it needs to regain the trust of its shoppers. Mystifyingly, it has opted to issue statements that are, at best, misleading. Some tiptoe beyond misleading, since the chain had to know they were untrue when it issued them. 
The latest example came Friday, when Target confirmed that encrypted PIN data was stolen. Then came the whopper: "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken." 
Of course those debit card accounts have been compromised. Webster's dictionary defines compromise as exposing something "to risk or danger." When personal identification numbers that give full access to someone's bank account are in the hands of experienced and sophisticated cyberthieves, I think it's safe to say that those bank accounts are indeed exposed to risk or danger. How could anyone argue otherwise?
2014 Operational Risk Management (ORM) will include "lessons learned" from the advice given to and within companies such as Target Corporation.  Corporate counsel, in collaboration with external private-sector Incident Response companies and government agencies, will debate the disclosures, the sources and methods, as well as the timing of public relations press releases.

2014 will embark with the political narratives that are necessary to gain psychological advantage over the masses. Business media interests will begin managing the risks associated with any negative outcomes of their favored Pawns, Bishops and Knights.  Protecting the King, or even the Queen for the first time, is the name of the game.  Political chess has an impact on the governance, regulatory and compliance environment for business.

In 2014 horizontal thinking will "break out" to bridge the gaps between public and private strategies. Managing catastrophic risks to vital critical infrastructure requires private sector willingness with public sector cooperation.  Big-picture problem-solving and addressing global issues requires more focus on the World Economic Forum Global Risks Report agenda:
  • Testing Economic and Environmental Resilience
  • Digital Wildfires in a Hyperconnected World
  • The Dangers of Hubris on Human Health
In an interdependent, fast-moving world, organizations are increasingly confronted by risks that are complex in nature and global in consequence. Such risks can be difficult to anticipate and respond to, even for the most seasoned business leaders.
Finally, 2014 will provide new opportunity and a positive outlook not seen since 2007.  Global investors are still bullish on the possibilities for long-term growth.  The religious wars will continue to spark new regional conflicts, yet the super powers will continue to find common ground.  Resilience to systemic failures will define which countries emerge as the next tier of global influence.

At the end of the day, we are all the same.  Love for our family and the constant anxiety of providing a safe, secure and nourishing environment for them to live out their days.  As we close our eyes each night to try to sleep, we plan our next day on managing the "Operational Risks" in our path ahead.

14 December 2013

Unauthorized Access: Civil CFAA Legal Risk Strategy...

A tutorial on the definition of a "loss event" is appropriate for those who seek greater understanding of "Operational Risk Management" (ORM), specifically when it comes to the civil litigation strategy utilizing the "Computer Fraud and Abuse Act" (CFAA), 18 U.S.C. 1030.

What is a loss?  Easy:  Loss = cost.  "Any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offense and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service."

So the remedies available are economic damages, loss damages and injunctive relief.  Not exemplary damages or attorneys' fees.  Don't let that last one scare you from using CFAA as an effective deterrent in your arsenal as a General Counsel.  The basic threshold is that the victim incurred a loss of at least $5,000.00 during any one-year period.
For the focus of this blog post, we will talk about "Insiders" who exceed authorized access, that is, who access information in a way they are not entitled to.  These are typically employees or others in the business supply chain who may have the use of a password or key to gain access to information only known or available to another employee, such as a supervisor or system administrator.
It is imperative here to state the importance of finding an attorney that truly understands this law from a civil, not a criminal, perspective.  The complaint must provide factual content that the Plaintiff has suffered the type of damage to "data, a program, a system or information."  Think more about business interruption and the expenses related to investigation, remediation and integrity of operations.  An employee who leaves the company and has e-mailed proprietary information of clients or proposals to their personal account is not what we are talking about here.

What about the employee who decides to damage or destroy organizational records of their primary area of responsibility (database of client contacts, meeting notes, reports and proposals), or even those of the entire company?

The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.  Here is just one example:
Tech Systems, Inc. v. Pyles, 2013 WL 4033650 (ED VA Aug. 6, 2013) (4th Cir)
After being terminated, former employee forwarded company emails and deleted company emails from mobile device before returning it to employer because they contained incriminating evidence. Court granted spoliation finding and jury returned verdict for violating Computer Fraud and Abuse Act, among other claims.
This is just a single case of how a single disgruntled employee decided to proactively get revenge on a former employer, Tech Systems, Inc. of Alexandria, VA, a U.S. defense contractor.  Why organizations do not utilize tools such as CFAA to find civil remedy on a more regular basis is the question at hand.

CFAA is designed to be legally effective on a broad scale, and for good reason.  It does, however, require that someone uses it with the right intent and legal purpose.  We predict that more civil cases will be filed as General Counsels and attorneys better understand how to effectively utilize it in combination with other laws associated with Intellectual Property Theft.  As more cases are tried before judges, the momentum will pick up.  So what?

Booz Allen Hamilton v. Snowden.  Not yet?  Just a Violation of a "Code of Ethics" and fired?  Not likely.
The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. 
One provision of the bill would earmark a classified sum of money - estimated as less than $100 million - to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization. 
The bill also requires that the Director of National Intelligence set up a system requiring intelligence contractors to quickly report to spy agencies on incidents in which data networks have been penetrated by unauthorized persons.
United States of America v. Edward J. Snowden.  Filed under seal June 14th, 2013. Offenses include 18 U.S.C. 641, Theft of Government Property; 18 U.S.C. 793(d), Unauthorized Communication of National Defense Information; and 18 U.S.C. 798(a)(3), Willful Communication of Classified Communications Intelligence to an Unauthorized Person.

Civil CFAA Legal Risk Strategy can be utilized in many cases where the magnitude of the loss and the economic exposure to a U.S. government contractor is not on the radar of the U.S. Attorney.  Keep it in mind...

01 December 2013

eDiscovery Risk: The Marketing of Privacy...

Operational Risk Management (ORM) professionals from London to Paris, Berlin to Brasilia and Silicon Valley to Washington, DC are quietly smiling these days.  It is ironic that privacy is now the new vogue marketing strategy.  After so many years of trying to explain to executives the risks that exist around confidentiality, integrity and assurance of data, a rogue U.S. citizen charged with espionage has finally convinced some senior business executives of the value of marketing increased privacy of their technology products and services.  Chris Strohm explains:
While Google, Yahoo, Microsoft and Facebook Inc. provide data to the government under court orders, they are trying to prevent the NSA from gaining unauthorized access to information flowing between computer servers by using encryption. That scrambles data using a mathematical formula that can be decoded only with a special digital key. 
The NSA has tapped fiber-optic cables abroad to siphon data from Google and Yahoo, circumvented or cracked encryption, and covertly introduced weaknesses and back doors into coding, according to reports in the Washington Post, the New York Times and the U.K.’s Guardian newspaper based on Snowden documents. He is now in Russia under temporary asylum.
Mitigating the risks of being hacked by a group of criminals stealing personally identifiable information from consumers on a transnational basis has not motivated these same executives to move towards investing in more effective data and information assurance strategies.  Yet now that the adversary has been described by the mainstream media as the U.S. Government, industry executives have started to listen.  Go figure...

What is the industry executives' motivation for now improving the confidentiality, integrity and assurance of customers' information?  Improved market share and presence.  The payback will be rapid, and those organizations that have been in denial that customers expect and demand more systems and tools to protect their information are now doing an about-face.

As we quickly approach Cyber Monday and the commerce of the Internet is at a peak of annual transaction volume, some servers will be talking to each other on encrypted networks for the first time.  All seamless to the end user and consumer, yet not to the adversary.  So who really is the adversary these days: the criminal organizations or the U.S. Government?  Unfortunately, the strategists mitigating risks at commercial private organizations in many cases see both in the same category.  This is a real mistake, and one that should be evaluated, discussed and agreed upon.

You see, U.S.-based companies must have an effective symbiosis with their legal system and the rule of law. What does that mean?  Operational Risk encompasses the risks to the institution from a legal perspective.  That means that the processing, storing, archiving and retrieving of information is subject to the laws of electronic discovery and forensic evidence.  It means that, as an organization, having an effective way to encrypt information to stay ahead of the criminal organizations simultaneously requires that your organization is also adaptive to current legal statutes.  Tomorrow, you may need to identify, decrypt and produce evidence to the U.S. Government or as a result of another legal order.

As organization executives embark on the "new new" trend of marketing privacy to their customers, they should also be working alongside the legal staff.  The risk management and information technology professionals should be briefing both groups on the implications of being responsive to their consumers and non-responsive to plaintiff lawyers, the U.S. Attorney or a State Attorney General:
Fearful of adverse consequences if they inadvertently discard electronic documents that are deemed to be relevant in litigation, some of the biggest companies in the U.S. are simply saving all documents, including email sent via employees' electronic devices. 
A minority of federal courts say companies can be sanctioned even if they discard documents without intending to. All allow sanctions, which can mean the loss of a big case, when documents are intentionally destroyed. So companies including Exxon Mobil Corp. and Microsoft Corp. are asking the federal Judicial Conference to recommend a new rule that would provide uniform standards for document retention and allow sanctions only when documents are destroyed willfully or in bad faith, reports the Wall Street Journal(sub. req.).
So this is where the marketeers and the legal staff need to get their heads together.  The privacy vs. government legal requests space is still not widely understood inside corporations, let alone by the average John Q. Citizen, who has never even heard of eDiscovery:
Microsoft General Counsel Brad Smith said yesterday that there are "significant inaccuracies" in last week's news reports. He added in a blog post, referring to Outlook.com: "When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency."

16 November 2013

Insider Threat: Corporate Integrity Culture...

In August 2011, this Operational Risk Management (ORM) blog posted the following.  In light of the increasing impact of "Insider Incidents" in 2013, this is worth revisiting:

Does your organization have a culture of "Corporate Integrity?" The depth and breadth of Operational Risks are apparent in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

46% of the respondents said damage caused by "Insider Attacks" is more damaging than "Outsider Attacks". The most common insider e-crime at 63% is unauthorized access to / use of corporate information. Here are the others:
  • 57% - Unintentional exposure of private or sensitive data
  • 37% - Virus, worms or other malicious code
  • 32% - Theft of intellectual property
When asked which electronic crimes were most costly or damaging the results were:
  • 38% - Outsiders
  • 33% - Insiders
  • 29% - Unknown
Regarding the "Insiders," of the reasons given for not referring incidents for legal action, the one that stands out in our mind is this one:
40% could not identify the individual(s) responsible for committing the eCrime.  And maybe even more astonishing is that 39% did not have enough information or evidence to proceed with either civil or criminal litigation.
So what is really going on with the facts presented so far? Even though the respondents say that "Insiders" are the most damaging, they have done little to collect enough evidence to identify who the parties responsible for the incident are. This may be for several reasons, including the lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents but what about the "Unknowns," who add an additional 29%. The combination of the two make up 62% of all the incidents in the study. This is where Operational Risk professionals can have a significant impact within the enterprise.
The unauthorized access to information and use of that information is at the center of this issue. By the time an organization realizes that this "information" has impacted them, the funds have been stolen, the trades have been placed or the press has published a trade or national security secret. To narrow this down further, you might say the Fraudsters and the WikiLeakers are bringing the institution into a torrential storm of criminal activities.
Regardless of the high-tech tools utilized or the systems and controls within the organization, there are always methods and processes that, if properly implemented, will reduce the number of "Unknowns" and "Insiders."
 
In your particular case, it just may come down to developing more effective situational awareness with your employees. This particular educational and awareness building process may indeed also uncover the individuals within your company, who may be already down a path of fraud, embezzlement, insider trading or corporate espionage.

Suppose you create a mandatory program for all employees that is focused on corporate integrity and each year the CEO kicks off the first session with their own attendance and their own direct reports, including the Board of Directors.
 
No one that we know of can explain the basis for this process better than Martin T. Biegelman:
"Obviously, a poor working environment provides a motive and rationalization to commit fraud. Here's a quick health check: does management appear not to care about their employees? Does it have unreasonable expectations or financial targets? Is the organization autocratic or participative? Is there a lack of training or promotion opportunities? Does management say one thing but do another? Are senior executives treated differently than rank and file employees when it comes to discipline?" 
"Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report fraud and other integrity concerns. Periodic training throughout an employee's career reinforces fraud awareness and the cost of fraud to an entity."
So what?  
 
If your organization does not currently have a program as we have described earlier, then maybe it's time to start one. If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization?

10 November 2013

Veterans Day: Operation Stigma Continues...

One year ago on the Marine Corps Birthday, 10 November 2012, we raised our glasses to celebrate.  It had been a long day, and here is that post from this Operational Risk Management (ORM) blog, from the front lines of Hurricane Sandy:
On Sunday morning, observing Veterans Day in the United States began with a few words from a leader from the American Red Cross at a local shelter near North Brunswick, NJ  USA.  We heard his words of recognition and what it felt like for him to return to our country after serving in Vietnam and being ridiculed and spit upon.  The veterans in the room were all gearing up for another day on the front lines of a new domestic battle with the aftermath of Hurricane Sandy.  Team Rubicon and its growing presence of agile, selfless and highly skilled professionals have been working alongside other national and international NGOs.  They are projecting a rapid and significant force on the ground, from New York to previously unrecognized communities such as Union Beach and Mantoloking, NJ.
Serving alongside veterans with Team Rubicon (TR) in the face of a major disaster zone is one honor.  The journey this past year has been a rewarding one, working with and supporting veterans.  Five months after this first-hand experience, one of our TR colleagues in NJ committed suicide.  Neil was not alone.  The numbers are staggering at this point.  Here is the post soon after, on May 11, 2013:
There is an alarm bell ringing within the ranks of Operational Risk Management executives in the United States.  As brave, experienced and motivated veterans enter the U.S. civilian work force, it is growing louder by the hour.  Our "One Percent" who serve in the military, leaders returning from over a decade of war and those who have earned the Global War on Terrorism Expeditionary Medal (GWOTEM), now have a new adversary.  Does your organization hire veterans or spouses of vets?  How are you taking an active role in veterans' hiring, career goals, aspirations and training?  What are the potential indicators of an employee at risk?

Almost once an hour – every 65 minutes to be precise – a military veteran commits suicide, says a new investigation by the Department of Veterans Affairs.  By far the most extensive study of veteran suicides ever conducted, the report, issued Friday, examined suicide data from 1999 to 2010.
Melanie Haiken, Contributor - Forbes
Since then, this blogger has been serving in another veteran-focused non-profit, one that fills the gaps between natural disasters.  And for good reason.  The wounded, injured and ill can't wait for the next tornado, hurricane, earthquake or tsunami to get out of the basement of their house.  The thousands with Traumatic Brain Injury (TBI) or Post Traumatic Stress Disorder (PTSD) are living their lives each day, until they end up like our colleague Neil.  There is not a cure.  Only treatment.  Only living with an outcome from serving your nation.  This is a global epidemic for all those who have served in and around the conflicts across the globe.

In order to really understand this, you have to get close to it.  For the past six months, serving those wounded, injured and ill has assisted in the education of what is missing and how to fill the gaps.  The biggest gap we face is the one that took Neil from us.  The Stigma.
stig·ma
noun, plural stig·ma·ta [stig-muh-tuh, stig-mah-tuh, -mat-uh], stig·mas.
1. a mark of disgrace or infamy; a stain or reproach, as on one's reputation.
2. Medicine/Medical. a. a mental or physical mark that is characteristic of a defect or disease: the stigmata of leprosy. b. a place or point on the skin that bleeds during certain mental states, as in hysteria.
3. Zoology. a. a small mark, spot, or pore on an animal or organ. b. the eyespot of a protozoan. c. an entrance into the respiratory system of insects.
4. Botany. the part of a pistil that receives the pollen. See diagram under flower.
5. stigmata, marks resembling the wounds of the crucified body of Christ, said to be supernaturally impressed on the bodies of certain persons, especially nuns, tertiaries, and monastics.
Yes, the stigma surrounding PTSD and TBI is now our Operation.  Our target.  Ending it is our mission. You see, this blogger has identified "Stigma" as a likely adversary.  How can we say this? One only has to read the heartfelt prose of Sgt. Jeremy Conway from his blog, started a few months ago:

Who Dwells Within
November 8, 2013
Day to day
I wait to see
What awaits and what I’ll be
Who dwells within
To all who care
For those I love
No answers come from Heaven above
Who dwells within
Never understood
Read every book
About what overpressure and shockwaves took
Who dwells within
Each day I wake
Where darkness resides
I become whatever my mind decides
Who dwells within
Day to day
To all who care
Never understood
Each day I wake
Who dwells within 
--Jeremy Conway
We know people like Jeremy Conway are out there and may also want to raise the awareness of "Operation Stigma".  Sgt. Conway has the continued courage to face this vital mission and we look forward to reading his blog for years to come.  He is a true "Quiet Professional"...

This Veterans Day 2013 as we lay a wreath in Arlington Cemetery at the Tomb of the Unknowns, we will be remembering Neil and praying that we all continue to "Bridge the Gap."

22 September 2013

Hidden Lynx: Transnational Group for Hire...

The current state of organized transnational criminal and cyber espionage groups is becoming more robust. CIOs and corporate "Active Defense" teams are gearing up for a continuous barrage of new exploits and phishing vectors. Operational Risk Management is more of a priority than in recent years.
A Symantec report by Stephen Doherty, Jozsef Gegeny, Branko Spasojevic and Jonell Baltazar highlights the latest:
The Hidden Lynx group has been in operation since at least 2009 and is most likely a professional organization that offers a “hackers for hire” service. They have the capability to attack many organizations with concurrently running campaigns. They operate efficiently and move quickly and methodically. Based on these factors, the Hidden Lynx group would need to be a sizeable organization made up of between 50 and 100 individuals.   The members of this group are experts at breaching systems. They engage in a two-pronged strategy of mass exploitation and pay-to-order targeted attacks for intellectual property using two Trojans.
The Bit9 incident is one of a few documented targets of this organized team known as "Hidden Lynx."  They are no different from those known "Base" groups in 2001 who attacked our nation by hijacking airplanes.  Hidden Lynx exploits the little-known weaknesses in the design, implementation or configuration of ICT systems, instead of our transportation and border protection controls.  Their tradecraft for cyber espionage and potential sabotage is characteristic of an organized set of professional fraudsters, bank robbers, special operators and intelligence professionals.

So what does this mean to the average Fortune or Inc. 500 company with a dedicated IT and Information Security Task Force?  It is time to call in reinforcements and to realize that you are already behind the curve of the OODA Loop.  The enterprise executives who are now tasked with reporting material losses and other adverse events to shareholders, understand the magnitude and the expenses involved to remediate a significant breach.

The cyberspace narrative is changing in the U.S. after the transparency of significant requests by law enforcement for intelligence information on U.S. persons.  Private sector companies will be more open about how many times information was requested.  An open public debate will heighten the dialogue to a level not possible before and will produce a faster response to the necessary change in policies, both public and private.  Citizens' rights and the equilibrium necessary to protect those same citizens will be the crux of the dialogue.

While the debate continues, "Hidden Lynx" will continue to operate and this transnational criminal group will grow stronger.  Our U.S. critical infrastructure assets may be subjected to new attacks that produce additional losses and damage to shareholder equity.  Policy makers continue to work in joint sessions with public agencies and private enterprise to craft the right mix of new disclosure requirements.  Operational Risk professionals know one thing for certain.  The pace and magnitude of the attacks will increase.  How and when we counter is still in major debate.  In the meantime, "Hidden Lynx" will continue to be in the crosshairs of the professionals in Ft. Meade, Chantilly, Pittsburgh and Orange County.