14 December 2014

Intellectual Property: Material Risks Disclosure- Assumption of Breach...

The rules of the game may have changed across the corporate landscape.  Corporations that have been proactive in the management of Operational Risks, are making headlines in the published press. There is a race to build new 100,000 Sq. Ft. data centers around the globe, in order to satisfy the insatiable competitive appetite of bandwidth hungry enterprises:
Sony Pictures Entertainment is fighting back
The studio behind the “Spider-Man” franchise and “The Social Network” has taken technological countermeasures to disrupt downloads of its most sensitive information, which was exposed when a hacking attack crippled its systems in late November.

The company is using hundreds of computers in Asia to execute what’s known as a denial of service attack on sites where its pilfered data is available, according to two people with direct knowledge of the matter. 
Sony is using Amazon Web Services, the Internet retailer’s cloud computing unit, which operates data centers in Tokyo and Singapore, to carry out the counterattack, one of the sources said. The tactic was once commonly employed by media companies to combat Internet movie and music piracy. 
In one of the most devastating cyber security breaches in recent memory, a hacking group calling itself Guardians of Peace claimed to have stolen just under 100 terabytes of Sony Pictures’ financial information, budgets, payroll data, internal emails and feature films and has slowly leaked portions of it to public file-sharing sites such as PasteBin.
The cyber war has been facilitated by the rise of substantial new digital weapons and the cloud-based compute power to make it all happen.  The question is not who is behind the latest DoS of "PasteBin" as much as when the next Stuxnet-like design will gain favor, by a private sector organization.  You see, the use of sophisticated offensive cyber malware is not new.  No different than conventional chemical weapons that are developed by nation states, the variants and new "Zero Days" ultimately could end up in the hands of militias and clandestine dark sites on the net for sale.

In the recent book "Countdown to Zero Day" by Kim Zetter, the point is made:
Before Stuxnet, most of America’s military and intelligence cyber-operations focused on stealing or distorting data, or used cyber-tools to help direct U.S. weapons. Stuxnet was envisioned by U.S. officials as a replacement for a conventional weapon. Using a computer virus or worm to gum up the works of something from within would provide an alternative to, say, destroying a nuclear facility from the air. Stuxnet appears to have done that. “Stuxnet stands alone as the only known cyberattack to have caused physical destruction to a system,” Zetter writes.
The physical digital copying, erasure or even encryption of corporate data, that then becomes the focus of an extortion plot, is the Operational Risk Management (ORM) business problem that remains on your Board Room doorstep. The Sony Board of Directors now understand the liability of dealing with a $100 million plus incident, as an adverse material event, spawned from the cyber domain.  The rules of the digital game have changed.  Now what can be done about this particular wake up call?

Besides getting your outside counsel ramping up for a tremendous cache of billable hours and your Information Governance Teams burning the midnight oil, the future strategy is now evolving.  How many digital files in your corporation contain proprietary Intellectual Property (IP)?  If you don't know the answer, then we recommend that you start counting.  You need to figure out what the value is, of all this data and for good reason.  At the other end of the Operational Risk spectrum are the SEC regulatory issues in the U.S..  Jeffrey Carr explains here:
“Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.” 
The value of your particular organizations Intellectual Property can then be compared against the requirements for your IP, on a global basis.  What countries or companies are spinning up Research & Development operations in the same IP space that your organization is operating in?  What U.S. companies are encouraged to relocate a manufacturing plant overseas?  Why is this significant? The correlation is that if there are a rising number of foreign R&D labs focused on your particular category of IP, then you can guess that your company is going to be a substantial target for sustained industrial espionage.  Regulatory burdens exist and yet may not be the greatest risk.

When there is not enough time or money to infiltrate your organization with insider human assets, then the outsourcing of digital theft campaigns will begin, or a combination of insider theft operations in cooperation with outsourcing.  The hackers-for-hire trade, is larger than you may know.  How much do you think a nation state would pay for a "Stuxnet" Zero Day on the open market in todays U.S. dollars?  Mid to high six figures.  Not likely.  7 or 8 figures is getting closer.

While the malware designed for the exfiltration of data from Sony Pictures is different than Stuxnet's design to disrupt a specific type of Siemens Controller for a certain IR-1 centrifuge, the intent and motive may be quite similar.  To disrupt and destroy the capabilities of your adversary.  Now the question for Sony is whether this was a nation state or simply a "disgruntled insider," or possibly both that can be attributed to the sabotage attack.

The complexity and the longevity of the risk is evident.  The magnitude and the impact of the destruction is apparent.  Are you sure you don't have an Insider Threat?  See appendix C here:
This fourth edition of the Common Sense Guide to Mitigating Insider Threats provides the most current recommendations of the CERT® Program (part of Carnegie Mellon University's Software Engineering Institute), based on an expanded database of more than 700 insider threat cases and continued research and analysis. It introduces the topic of insider threats, explains its intended audience and how this guide differs from previous editions, defines insider threats, and outlines current patterns and trends. The guide then describes 19 practices that organizations should implement across the enterprise to prevent and detect insider threats, as well as case studies of organizations that failed to do so. Each practice includes features new to this edition: challenges to implementation, quick wins and high-impact solutions for small and large organizations, and relevant security standards. This edition also focuses on six groups within an organization-human resources, legal, physical security, data owners, information technology, and software engineering-and maps the relevant groups to each practice. The appendices provide a revised list of information security best practices, a new mapping of the guide's practices to established security standards, a new breakdown of the practices by organizational group, and new checklists of activities for each practice.

23 November 2014

Trust Decisions: The Future State of Risk Management...

Trust Decisions are being made at the speed of light.  The rules of the game are embedded in lines of code written to instruct computers and simultaneously in the rule of law that is printed in Constitutions around the globe.  As the speed of Internet commerce accelerates the Operational Risk Management (ORM) frameworks will evolve and adapt.  The privacy vs. security evolution is now in full debate as our Critical Infrastructures feel the stress of points of failure.

The future architecture of what is at stake continues to be challenged in so many ways.  Jeffrey Ritter sums this up perfectly:
"Yet, in either direction, freedom vs. surveillance, what are being proposed are nation-state rules. At this point in the Net’s evolution, any national solutions seem almost contradictory to the ambitions of any government to actually be effective in achieving their ambitions. The inherent functionality of the Net is to “route around failure”. Nation-state rules that impose restrictions on the market’s appetite to create economic pricing tiers merely drive commercial activity into other geographic regions. Laws requiring backdoors have the same effect, provoking and encouraging bad actors to find mechanisms that avoid such technology features to be baked into the relevant devices. In a global market where, as one economist observed, there will soon be no further emerging economies, what is the proper role of the nation-states toward the Net? When do new regulations, well-intentioned to provide positive qualities of life, actually become walls that divert the movement of information, funds, and economic activity to other geographic regions?"
As the governance of the Internet continues to be debated, consider the velocity of what is occurring even as broadband and wireless are still so scarce in many locations around the world:
Alibaba Group Holding Limited is a Chinese e-commerce company that provides consumer-to-consumerbusiness-to-consumer and business-to-business sales services via web portals. It also provides electronic payment services, a shopping search engine and data-centric cloud computing services. 
Alibaba's consumer-to-consumer portal Taobao, similar to eBay.com, features nearly a billion products and is one of the 20 most-visited websites globally. The Group's websites accounted for over 60% of the parcels delivered in China by March 2013, and 80% of the nation's online sales by September 2014. Alipay, an online payment escrow service, accounts for roughly half of all online payment transactions within China.
The "Trust Decisions" being made every day by citizens of the planet Earth using the Internet continues growing exponentially.  The systems-of-systems are executing the rules given to them and the human element is beginning to diminish.  Why?

Most people believe in some form of risk management and the truth is, that it doesn’t work all the time.  It doesn’t work because the human being is incapable of processing all of the possible rules of the moment, the game, in any specific scenario, fast enough.  Therefore, failures of people, processes, systems and external events seem to occur randomly.

Is it possible to achieve a state of zero surprise?  Where all risks are mitigated and humans can achieve an environment of trust that is sustainable.  We think it is.  In the right environment and in a specific scenario, surprise is now “impossible”.

“Trust Decisions” occur today at the speed of light and with an accuracy of 99.999%.  Risk Management is our current state and it is destined for extinction.  Trust Decisions as we will now apply them, becomes our future state.  With zero surprise.  The truth is, that risk management is obsolete and a new digital invention is ready for mankind.

12 October 2014

Unintentional Insider Threat (UIT): Human Factors Risk...

Operational Risk Management (ORM) is a discipline that encompasses several facets of science and art. The human factors will continue to challenge the people who are tasked with mitigating risks in the face of a Republic with constitutional rights.  The United States is one of the many countries in the world, where employees of governments and private sector institutions, must comply with a myriad of laws pertaining to the privacy of the work force.

The behavioral aspect of humans operating day-to-day in the workplace, whether inside the R & D department at Google or the 7th Floor at DARPA have many of the same set of risks.  When you put an information storage and computing device in their hands, the likelihood of encountering a potential operational loss or failure increases dramatically.

For the past several years, there has been a significant amount of attention devoted to the topic of "Insider Threat."  In light of the Edward Snowden and "The Fifth Estate" events, many government and private sector organizations have been revisiting their employees security clearances and backgrounds.  A reaction-based effort that would not be out of the ordinary, for most organizations who are protecting national secrets or substantial intellectual property.

This however, is a small percentage of the overall risk that the organization is being exposed to every day, when that digitally enabled-human goes to work.  The reason is that the lense that is currently being focused on "Insider Threat," is looking for the next Edward Snowden.  This kind of insider will forever continue to amaze and surprise you, just like the people who may now be in legal proceedings, for collaborating with Bernie Madoff.  You see, not every human will show the behaviors, that all of a sudden look out of the ordinary.  The person stealing information or manipulating the books, will continue to operate within your organization without disclosure.

There is a foundational study completed by the CERT Insider Threat team at Carnegie Mellon University that highlights even a greater potential loss or failure.  "A significant proportion of computer and organizational security professionals believe insider threat is the greatest risk to their enterprise, and more than 40% report that their greatest security concern is employees accidentally jeopardizing security through data leaks or similar errors."

Unintentional Insider Threat Definition 
We recommend the following working definition of UIT:  An unintentional insider threat is: 
(1) a current or former employee, contractor, or business partner 
(2) who has or had authorized access to an organization’s network, system, or data and who, 
(3) through action or inaction without malicious intent, 
(4) causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems.  
       SEI  Insider Threat Team, CERT; Unintentional Insider Threats: A Foundational Study (CMU/SEI-2013-TN-022). Software Engineering Institute, Carnegie Mellon University, 2013.
Abstract
This report examines the problem of unintentional insider threat (UIT) by developing an operational definition of UIT, reviewing relevant research to gain a better understanding of its causes and contributing factors, providing examples of UIT cases and the frequencies of UIT occurrences across several categories, and presenting initial thinking on potential mitigation strategies and countermeasures. Because this research topic has largely been unrecognized, a major goal of this study is to inform government and industry stakeholders about the problem and its potential causes and to guide research and development (R&D) investments toward the highest priority R&D requirements for countering UIT.
Operational Risk Management is a 24 x 7 x 365 day process, that is focused on all humans operating in the ecosystem of the enterprise.  The Edward Snowden's are coming to work today along with their friend Bernie Madoff.  Hiding in plain sight.  Operational Risk Management professionals understand this and operate with the focus on the unintentional consequences of their behavior.

The enterprise that is solely focused on finding the one or two people in several decades of operations will overlook the dozens or hundreds who contribute to a loss of Intellectual Property or a breach. Believe us when we say that indeed the "Spy" and "Fraudster" will have a much harder time, operating each day in an organizational environment that is focused on the UIT.

Countering UIT, may seem like it is something that is already being accomplished, in the new hire orientation class or the remedial training that is mandated each year on information security for example.  Those who perceive it this way are again, only human.  The behaviors that we bring to work each day about how we treat and handle information, is not learned in a single session or a single annual workshop. Learning to behave consistently with sensitive or classified information on a daily basis, requires a discipline that few really understand right now.  This is especially true in the Defense and Intelligence Community supply chain.

Your goal is to get that UIT awareness inside every one of your employees, partners and suppliers.  To instill inside them the same diligence in their work processes to Deter, Detect, Defend and Document.  UIT is a major percentage of the answer to mitigating the risk of another Edward Snowden or Bernie Madoff incident in your organization.  More importantly, it is the answer to the other 98% of the losses you will incur this next calendar year.  Think about "Achieving a Defensible Standard of Care."

29 June 2014

Trust Decisions: The Risk of a Digital Supply Chain...

Are you a business that is operating internationally?  What components of Operational Risk Management (ORM) currently intersect with your international business operations?  The safety and security of your employees who travel into countries with unstable political elements are no doubt of immediate concern.  There may even be a heightened sensitivity with whom your international business executives are meeting with and the tremendous U.S. rule-base associated with OFAC, as one example.

Fortune 500 organizations are all too familiar with these concerns, as major players in international business. The Chief Security Officers (CSO) and other key executives charged with the safety, security and integrity of employees, are focused on those who are traveling and meeting across the globe.  This is considered ORM 101.  This facet of ORM is quite mature and familiar to the Board of Directors who are charged with the Enterprise Risk Management (ERM) of the company.

What is growing more pervasive and continues to plague organizations doing business internationally is the risk of a Digital Supply Chain.  Trusted information and the confidentiality, integrity and assurance of data.  The "Genie" is out of the bottle and even the most mature and risk adverse global organizations, are continuously barraged by sudden incidents that interface with privacy and security of information.

Here is a recent example:
After a public comment period, the Federal Trade Commission has approved final orders that settle charges against 14 companies for falsely claiming to participate in the international privacy framework known as the U.S.-EU Safe Harbor. Three of the companies were also charged with similar violations related to the U.S.-Swiss Safe Harbor.
The FTC previously announced the settlements in JanuaryFebruary and May of 2014 with the following companies: 
Under the settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
Consumers who want to know whether a U.S. company is a participant in the U.S-EU or U.S.-Swiss Safe Harbor program may visit http://export.gov/safeharbor to see if the company holds a current self-certification.
Under the settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
So what is the real underlying issue here?  It is about "Trust Decisions".

These organizations were representing themselves as compliant with a U.S.-EU framework designed and established to protect their constituents, under the jurisdiction of the Federal Trade Commission (FTC).  The decisions to trust these organizations by an individual or business, regarding the perception that they are in compliance with a framework for privacy and security, is what is true.

How often have you ever made a "Trust Decision," based upon your knowledge that a business is displaying an official seal, mark or a sign that your information is safe and secure?  There are dozens of high profile companies operating across the globe that are in the business of selling "Trust".  Symantec, TRUSTe and GeoTrust to name a few.  The reason that a business buys one of these trusted seals or marks is because it wants to increase it's perception of trust, to the consumer or business that it is engaged with to transact business.

The business wants to display that they are compliant with the particular laws or rules associated with their industry or country.  It wants to create a sense of business assurance or peace of mind for the buyer of their products or services.  When you use one of these seals to assist in making an affirmative "Trust Decision" based upon the display of one of these badges, marks, signs or even special symbols or colors; the consumer still assumes risk of the unknown risks.  So what?

So how many consumers on a daily basis do you think visit this web site to get their free annual credit report? Green Padlock https://www.annualcreditreport.com/index.action

This is the official web site advocated by the U.S. Federal Trade Commission (FTC) for consumers to get a free annual credit report in compliance with Fair Credit Reporting Act (FCRA).  When you visit this site, you see that the URL displays a green padlock and the https: designating that the site is using secure protocols to transmit your Personal Identifiable Information (PII).  Or is it?

When you test the Annual Credit Report web site with a SSL security test service, run online by Qualys SSL Labs, https://www.ssllabs.com/ssltest/ this is their rating, on the security of Annual Credit Report.com as of 6/28/14.


Overall Rating
F
0
20
40
60
80
100
Certificate
100
Protocol Support
0
Key Exchange
80
Cipher Strength
90

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
Experimental: This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224), but probably not exploitable.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.  MORE INFO »
This server is not vulnerable to the Heartbleed attack.

Q: What information do I need to provide to get my free report? 
A: You need to provide your name, address, Social Security number, and date of birth. If you have moved in the last two years, you may have to provide your previous address. To maintain the security of your file, each nationwide credit reporting company may ask you for some information that only you would know, like the amount of your monthly mortgage payment. Each company may ask you for different information because the information each has in your file may come from different sources.
On a daily basis, humans are subjected to signs, marks, badges and other indicators that help them make more informed affirmative "Trust Decisions".  Whether it is the "Green Light" at the local intersection or the "Green Padlock" on the web site where we are being asked to give up our Personal Identifiable Information (PII).  The regulatory and private entities that are tasked to ensure that the signs, marks, badges and even colors are in compliance, must also look to their own level of trust of their Digital Supply Chain.

This is just one glaring example of why "Trust Decisions" are so vital to online global e-commerce.  It is also a wake-up call for any organization that is advocating trust by using a digital third party that the consumer relies on every day.  However, the FTC and other government agencies rely on private sector companies to assist them in outsourced services such as hosting Annual Credit Report. com.  The site is hosted by:

IP LocationUnited States - Massachusetts - Cambridge - Akamai Technologies Inc.

How confident are you, that your organizations digital supply chain is ensuring safe and secure "Trust Decisions" for your customers?

08 June 2014

Algo Bots: The Risk of Human Error...

What "Trust Decisions" did you make this past week?  How fast did you make them?  The ability to manage an entire portfolio of operational risks in a daily routine is daunting.  How do you prioritize? What Operational Risk Management (ORM) process will you engage in, with so many uncertain outcomes?  Why will you sit up in bed at 3AM, to read the latest alert on your smartphone?

In October of 2012, this ORM blog discussed the topic of "Algo Bots" and "Dark Pools".  Machine language talking to other machines, to make optical network speed decisions and more precise, "Trust Decisions."  What is the risk of a low probability and high consequence incident when humans are taken out of the equation?  Dave Michaels of Bloomberg explains the current focus:
Mary Jo White’s blueprint for imposing tighter controls on high-frequency traders and some of the murky venues they inhabit stops short of a crackdown. 
The U.S. Securities & Exchange Commission’s plan, unveiled by White in a speech this week, advanced some new ideas while borrowing heavily from existing proposals and measures that already have support on Wall Street. While stock exchanges, rapid-fire traders and private trading venues known as dark pools all would come under new scrutiny, White didn’t embrace the kind of tighter restraints that have been enacted in countries such as Australia and Canada. 
White isn’t acting in a vacuum. She is responding to political pressures raised by an investigation by the New York attorney general into whether speed traders prey on slower-moving investors as well as a book by Michael Lewis, “Flash Boys,” that condemned the role of exchanges and brokers in enabling unfairness. She announced the initiatives even as she said U.S. markets aren’t rigged and serve the goals of retail and institutional investors.
As an Operational Risk Management (ORM) professional, you have to stay on the edge.  You must imagine the future and dive into the current R&D of innovation.  Being a futurist is staying on the bleeding edge of technology and this is just one facet of the risk mosaic.  The other and more human factor oriented component are the TTP's.  Tactics, Techniques and Procedures (TTP) are what you need your own "Opposition Research" team to be studying.  This is your opportunity to gather the intelligence on your competition and simultaneously look at your own vulnerabilities.  Sam Mamudi and Keri Geiger explain:
The U.S. Securities and Exchange Commission cited Wedbush Securities Inc. and Liquidnet Holdings Inc. for violations of stock market rules, taking tangible steps a day after Chairman Mary Jo White outlined her plan to improve Wall Street trading. 
Wedbush, which the SEC said is among the five biggest Nasdaq Stock Market traders, failed to vet clients who broke the law as they placed billions of dollars of transactions in the stock market, the regulator said. Two current and former Wedbush executives, Jeffrey Bell and Christina Fillhart, were also targeted in the complaint. 
Liquidnet, one of the biggest independent dark pool operators, agreed to pay a $2 million fine for not living up to client secrecy standards on its private trading platform.
So what?  The Rise of the Machine Traders:
In the beginning was Josh Levine, an idealistic programming genius who dreamed of wresting control of the market from the big exchanges that, again and again, gave the giant institutions an advantage over the little guy. Levine created a computerized trading hub named Island where small traders swapped stocks, and over time his invention morphed into a global electronic stock market that sent trillions in capital through a vast jungle of fiber-optic cables. 
By then, the market that Levine had sought to fix had turned upside down, birthing secretive exchanges called dark pools and a new species of trading machines that could think, and that seemed, ominously, to be slipping the control of their human masters. Dark Pools is the fascinating story of how global markets have been hijacked by trading robots--many so self-directed that humans can't predict what they'll do next.
So how do you mitigate the potential risk of a rogue algorithm? Some have devised a mechanism called a circuit-breaker. In other words, an alarm that something is not normal. Let's slow down until we can understand what is going on here. What are some other ways that we could potentially address the threat or the vulnerability? Was the "Flash Crash" a weak signal of a pending melt down of the complete system?

Or is this just the next natural phase of the future growth curve.  Who will you put your faith in for your next "Trust Decisions"...

22 March 2014

Information Leaks: Risk Of The Data Supply Chain...

There is a well known threat that has been talked about with the Board of Directors behind closed doors for years. This threat is not new to most Operational Risk Management (ORM) professionals and yet executive management is still in denial that it could happen to us. Have you or someone in your C-Suite ever awakened one morning and wondered how the companies new plans for a merger are now in the published press? What about that new research and development breakthrough that ends up with another company with a similar process being patented a week or a month ahead of you?

What is the threat? Call it competitive intelligence, economic espionage, press leaks, loose lips or advanced persistent threat (APT), it does not really matter. The threat remains from all those people, rivals, industry peers, countries, states, allies and enemies that are working 24 x 7 x 365 to copy your valuable information and use it for their own advantage. What advantage depends on who obtains the valuable information and how they will eventually use it or sell it.

What is even more fascinating to most subject matter experts, is the amount of information that is still created and allowed to be compromised in some way that is false, fake and designed to confuse the adversary. So what is it, that much of executive management still does not understand about all of this? 

The "source" of the vulnerability that is leaking or allowing the secret or confidential information to be compromised. They still to this day are naive to the potential source. This source is not even inside their own company or organization in many cases. It is within the organizations data supply chain somewhere, but where is it exactly?

The answer is only possible to narrow down, if you absolutely know where your data and secret or confidential information is collected, transported and stored, in the hands of trusted third parties, outside the four walls of your business. That is the remedial first step. Creating a definitive map of who has custody of your data through some kind of third party agreement. The agreement could be with any number of key business partners in your data supply chain:

  • Banker
  • Venture Capitalist
  • Accountant
  • Attorney
  • Insurer
  • Internet Service Provider
  • Utility
  • Data Telecom Provider
  • Wireless Telecom Provider
  • Payments Processor
  • Document Custodian or Shredder

This short list is a good place to begin your quest for better understanding where the source of your information leak may be. Now think about this list and ask yourself who might have the most robust set of staff, resources and technology savvy people to keep your data safe. Regardless of the service level agreements or engagement letters in place, who is the most vulnerable on this list?

Even more important may be the question of which one of your data supply chain business partners, has the least amount of resources, people and state-of-the-art detection systems for the APT, Zeus, and other mechanisms that are exfiltrating your data to another country. When was the last time you asked any of your business partners to walk you into their IT department for a look around with your CIO or CTO?

Believe us when we say that if you get that "Deer in the Headlights" look on your business partners face, you are in trouble. You can bet that the attackers are not attacking you, as much as they are attacking your data supply chain. If you say in public or on your public filings that you have your primary outside counsel firm as "Red, White and Blue," you can be assured that your adversaries will take notice.

You see, just because your organization has spent millions or billions on new data centers with the most sophisticated technologies available to counter your cyber adversaries, how can you be sure that your business data supply chain has done the same? There is only one way to do that and it is in person and on site. You may consider this level of due diligence before handing over your business for the merger and acquisition project or the development of a vital new component for your new patented product. A model "Request for Information" (RFI) on the business partners controls and capabilities for securing your sensitive, confidential and secret information shall be a first step requirement.

The second step shall be to get an inventory of what systems your data supply chain partner has in place to mitigate the risk of a data breach. At the top of that list, should be the management system that governs all the other hardware and software systems. So even if your business partner says they are using RSA NetWitness on their corporate networks and Fixmo MRM for their mobile devices, that is not going to be enough.

The overarching "Management System" is not about technology. It is not about your favorite eDiscovery or computer forensics guru. It is about the way your business partner trains and educates it's people. It is about how those people use relevant business controls to secure your secrets, confidential data and records. Look at their behavior around this topic of "Achieving A Defensible Standard of Care" and you will soon discover whether you have found the most ideal banker, accountant or attorney to entrust to your digital supply chain.

01 March 2014

RSA Conference 2014: The Aftermath and the Consequences...

The 2014 RSA Conference USA is complete and yet what have we learned?  Operational Risk Management (ORM) is still top of mind from the "Board Room" to the back office.  The mitigation strategies are permeating the 3rd Party supply chain, as management realizes that operational risks really do exist with partners and suppliers.  By now the RSA attendees are reviewing their notes, connecting with people on LinkedIn and sorting the stack of business cards on their desk.  Now what.
  • Have some of the largest retailers been the victims of massive data breach hacks?  Yes.  Have those attendees of the RSA Conference who downloaded the mobile app been exposed to a potential data leak of their information.  Yes.
  • Meanwhile, Operational Risks exist far beyond Moscone and San Francisco.  Have financial institutions been fined by government regulators over alleged violations of the sale of mortgage securities, that lead to the 2008 financial crash?  Yes.  
  • Have the age old competitive intelligence tactics evolved into full blown "Industrial Espionage" funded and supported by nation states?  Yes.
  • Has the polar vortex created a vast economic risk for millions of businesses due to adverse weather? Yes.
And the Operational Risks to your organization will continue, that is for certain.  How after a week of RSA can you return to your enterprise and know where to begin?  What to change.  What new initiative to begin.  What new vulnerability to remediate.  Don't worry, the list will not be getting any shorter.  The priorities however may be changing.

So maybe it is time for a new "Consequence Assessment."  Here are the key variables for the rows of your matrix:
  1. Loss of life:  Likely fatality count.
  2. Economic damage:  Estimated costs of the attack or hazard.
  3. Psychological impact:  Considerations of change in population behavior toward social functions.
Now, the consequence levels become your columns of the matrix:
  • 0 - None or Negligible
  • 1 - Minor
  • 2 - Moderate
  • 3 - Significant
  • 4 - Catastrophic or Severe
In order to make the consequence assessment relevant and applicable to your business size, industry sector and geographic location, you now need to define each of the cells of the matrix.  So as an example, if we go to the matrix cell of Economic Damage / Moderate (2), what is your definition?  In the range of $1 billion to $10 billion.

If you are JPMorgan Chase then this may be the case for a consequence of legal liabilities, due to adverse litigation by the U.S. government in the Madoff case:
JPMorgan Chase has been fined more than $2 billion for violations of the Bank Secrecy Act tied to failure to report suspicious activity related to Bernie Madoff's decades-long, multi-billion dollar Ponzi scheme. Madoff was sentenced in 2009 to 150 years in prison for his deception. 
The fines against Chase were the result of three settlements. A settlement with the U.S. Attorney's Office for the Southern District of New York included a $1.7 billion penalty; a separate settlement with the Office of the Comptroller of the Currency included a $350 million penalty. Additionally, the Treasury Department's Financial Crimes Enforcement Network fined Chase $461 million for BSA-related violations. But FinCEN determined that its fine was satisfied by Chase's payment to the U.S. Attorney of New York.
If you are a mid-level business enterprise in the software industry that develops an "App" for consumers to file their income taxes online, then the metrics will be different for a moderate consequence of "Economic Damage." Your matrix will be entirely different and fine tuned to what is relevant in your industry sector.

The Loss of Life category will be an interesting exercise.  None or Negligible will be zero fatalities. Yet how do you define the difference between minor (1) and moderate (2).

The Psychological Impact category will span:

0 - None or Negligible = No major change in population behavior; no effects on social functioning
to
4 - Catastrophic or Severe = Loss of belief in government and institutions; widespread disregard for official instructions; widespread looting and civil unrest

Once you have designed your particular matrix for your size and type of business, the real work begins. You must now begin developing the "Use Cases."  What are the scenarios that you will apply to the exercise that will take place next with the effected stakeholders?

In a generic fashion, you will design specific and customized scenarios that address the major business revenue components of your particular enterprise.  You are imagining an attack or hazard outcome, that impacts that component of your business.  Such as these typical cases:
  • Earthquake destroys data centers
  • Tsunami overcomes nuclear reactors
  • Data hack exposes millions of customers PII
  • Infectious disease outbreak across work force
  • Government prosecutes for violations of regulatory laws
  • Employee sues company for management harassment
  • New Customer Order Management system launch encounters substantial bugs/failures
After you have cleaned off your desk from a week away at RSA, the work really begins.  Start your new "Consequence Assessment" soon.  Gather senior executives for an off-site for two days to review the new scenarios you have designed.  Get their independent feedback and perception of the variables of your matrix.  Ask your Board of Directors for the resources and budgets to address the outcomes and insights from the exercise.
“ Man must be arched and buttressed from within, else the temple will crumble to dust. ”
— Marcus Aurelius Antoninius

04 January 2014

Black Swan: Strategy Execution for the "Outlier"...

The Black Swan is a surprise event and the idea that a catastrophe can strike without warning. What does your organization plan for? The low consequence high frequency incident or the high consequence low frequency incident? The ratio can tell you what your "Resilience" factor is to Operational Risk loss events. Key Performance Indicators (KPI's) can give you some forward looking view into the risk portfolio yet what about the resilience to the Black Swan?
A black swan is a highly improbable event with three principal characteristics: It is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was. The astonishing success of Google was a black swan; so was 9/11. For Nassim Nicholas Taleb, black swans underlie almost everything about our world, from the rise of religions to events in our own personal lives.

Why do we not acknowledge the phenomenon of black swans until after they occur? Part of the answer, according to Taleb, is that humans are hardwired to learn specifics when they should be focused on generalities. We concentrate on things we already know and time and time again fail to take into consideration what we don’t know. We are, therefore, unable to truly estimate opportunities, too vulnerable to the impulse to simplify, narrate, and categorize, and not open enough to rewarding those who can imagine the “impossible.”
Your organization is no doubt spending time on the Operational Risk Management (ORM) events that consistently are in the high frequency "In Your Face" category. In a highly regulated industry sector such as finance, health care or energy the oversight mechanisms require a continuous analysis of risk based upon the criticality of these sectors to the overall resilience of the economy. Yet it is the "Outlier" incident that comes at the most unexpected time that is the real threat and the incident catalyst, that could be your "Black Swan". You never know when it is going to be coming, so you must plan, prepare and imagine that someday it will happen.

Enabling Global Operational Risk Management (ORM) requires thinking beyond models and outside the box analysis of the "Resilience Factor," should an outlier impact the organization, the state or the country. The resources, personnel and systems focused on these areas of risk are small today. But not for long. Just ask those people who had been working 24/7 since the "Fukushima" or "Lehman Brothers" crisis. Or more importantly, the plaintiff lawyers preparing their briefs for the inevitable aftermath of litigation over, who knew what, when.

One prediction into the future could be that litigation will follow all "Black Swan" incidents. If you are in a highly vulnerable industry sector because it's part of the critical infrastructure of the global grid, then you already know you are in the middle of the target zone. What is amazing to many in the after-action reporting is how much we continue to under estimate the magnitude of a lack of planning and resources devoted to these low frequency high consequence events.  Enter Target Corporation:
Is Target to Blame for Its Data Breach? Let the Lawsuits Begin 
By Joshua Brustein December 26, 2013 
The lawsuits started almost immediately after Target’s (TGT) admission that hackers had stolen information related to the credit-card accounts of 40 million shoppers. At least 11 customers are now pursuing class-action suits against the retailer, claiming it was negligent in protecting their data. 
Losing control of sensitive customer data is a fact of life for American companies. They’re collecting more of it, and they are often outgunned by hackers, who are highly motivated to get at it. It’s not even clear how much legal responsibility they have to protect it. “There is limited judicial guidance on what constitutes negligence in the cybersecurity area,” says Craig Newman, a partner at Richard Kibbe & Orbe who follows legal issues related to security.