Tuesday, August 29, 2006

Authentication Risk: Solving the Multifactor Question...

U.S. Bankers are in crunch mode to make decisions and finish risk assessments by year end. Multifactor Authentication is the issue at hand as Operational Risk Managers wrestle with vendors and their own IT organizations.

"Less than four months remain for banks to meet the Federal Financial Institutions Examination Council's year-end deadline for Internet banking authentication, but some confusion remains over what is an acceptable solution. When the FFIEC agencies initially released the guidance on Oct. 12, 2005, many banks were left scratching their heads as the guidance explicitly states that it "does not endorse any particular type of technology." Rather, the FFIEC says, banks should assess their own risk and decide which solutions best meet their individual needs.

Adding to the confusion, bankers, vendors and experts have fixated on the term "multifactor authentication." But the FFIEC never explicitly states that multifactor authentication is the only way to comply. According to the FFIEC's guidance, "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."


While authenticating the person who is logging into the secure Internet banking site is important, it is equally important for the consumer's chosen banking site to be simultaneously authenticated.

Mutual Authentication

Mutual authentication is a process whereby customer identity is authenticated and the target Web site is authenticated to the customer. Currently, most financial institutions do not authenticate their Web sites to the customer before collecting sensitive information. One reason phishing attacks are successful is that unsuspecting customers cannot determine they are being directed to spoofed Web sites during the collection stage of an attack. The spoofed sites are so well constructed that casual users cannot tell they are not legitimate. Financial institutions can aid customers in differentiating legitimate sites from spoofed sites by authenticating their Web site to the customer.

Techniques for authenticating a Web site are varied. The use of digital certificates coupled with encrypted communications (e.g. Secure Socket Layer, or SSL) is one; the use of shared secrets such as digital images is another. Digital certificate authentication is generally considered one of the stronger authentication technologies, and mutual authentication provides a defense against phishing and similar attacks.


One way to solve the issue is to find a company who has taken all of these technology hurdles and has found a viable solution for FFIEC compliance. See Boulder, Colorado based Authenticol to add to your short list.

Friday, August 25, 2006

Metrics: How to Measure Change...

Identifying operational risks to corporate assets is not new. Applying the correct metrics to determine where and how you measure change is a growing arena for a new breed of enterprise risk professionals.

Measures mapping: a way to identify risk mitigation strategies and evaluate their effectiveness is a key component for any initiative on How to Use Metrics and George Campbell has some very relevant places to begin:

We are all familiar with the highway sign "Dangerous Curve, Reduce Speed Ahead." Many of the measures discussed in this story may be applied to provide the CSO and key constituents with similar caution signals. They become the earliest prompts for more in-depth analysis of trend dynamics that allow you to look at the root causes of problems, not just the symptoms.

Examples of incident trends that help diagnose risks to address include:

1. Increased frequency or severity of accident, crime or policy infraction rates

2. Reduced mean times between failures on critical equipment with increased downtime

3. Increased number or severity of negative background investigation rates in specific hiring populations

4. Excessive passwords for access to different "secure" applications, which results in shared passwords and visible posting of passwords

5. Abnormal response times to calls for service

6. Outsourcing sensitive business processes without requisite due diligence

7. Elimination or reduced testing of building evacuation plans, which leads to employee confusion and injury during real incidents

8. Degradation of timely software patch application or increased virus activity in specific client groups


As a former CSO at Fidelity Investments Mr. Campbell has hit most of the critical silos of risk accross the enterprise. Whether it be people, processes, systems or external events, one thing is certain. Without a metrics program in place, how do you measure change? Not so much if we are winning or losing the battle against internal fraud, information security breaches or stolen corporate assets. But the nature of the changes and the potential root cause of those changes.

Competitive and regulatory drivers including BSA, Patriot Act, Basel II and Sarbanes-Oxley have increased pressure on executives to understand and manage risks more effectively. Top level executive mandates include:

* Protect corporate reputation and brand integrity
* Meet current and future regulatory requirements
* Provide visibility into possible risks and limit actual losses
* Achieve a fast response and recovery from actual negative events
* Maintain / improve customer satisfaction
* Increase quality and productivity of risk management processes

But, satisfying these mandates presents three core challenges to risk and compliance officers:

* Detecting risks is not sufficient; how will you manage and respond to them?
* In the face of changing regulations and cross-departmental systems, how will you govern the process?
* With so many point solutions, how will you justify the redundant investment and effort to deliver each one?

Thursday, August 17, 2006

Asia Pacific: OPS Risk Spend on the Rise...

Operational Risk Spend in Asia Pacific is growing rapidly due to the revised Basel II accord which requires explicit assessment of operational risk, endorsements by consultants on the impacts of effective operational risk management systems, and continuous threats from the likes of terrorist attacks.

Financial Insights estimates total Asia/Pacific spending for operational risk systems at US$74 million in 2006. In the next five years, this number is projected to amplify to an inflation-adjusted US$246 million, equivalent to 3.3 times the current value or a compound annual growth rate (CAGR) of 27.2 percent.


This outlook by IDC is taking into consideration the different tiers of institutions including buy-side and sell-side along with banks plus insurers.

Operational risk management was designed to assist institutions identify matrices to determine an institution's risk tolerance, perform data monitoring and analysis to increase visibility of exposures, and create early alerts for immediate corrective action. Several industry incidences illustrated the undeniable correlation between operational risk management and sound business practices, and demonstrated that having control mechanisms in place to minimise operational risk elicits genuine paybacks through loss minimisation and reputation protection.
Consequently, the implementation of operational risk management solutions is accelerating in Asia/Pacific.

Thursday, August 10, 2006

Beyond Fear: Evidence of Aviation Plot...

The Terror Plot Exposed this morning is just one more piece of evidence that the US and UK homeland remains under attack.

The Department of Homeland Security is taking immediate steps to increase security measures in the aviation sector in coordination with heightened security precautions in the United Kingdom. Over the last few hours, British authorities have arrested a significant number of extremists engaged in a substantial plot to destroy multiple passenger aircraft flying from the United Kingdom to the United States. Currently, there is no indication, however, of plotting within the United States. We believe that these arrests have significantly disrupted the threat, but we cannot be sure that the threat has been entirely eliminated or the plot completely thwarted.

For that reason, the United States Government has raised the nation’s threat level to Severe, or Red, for commercial flights originating in the United Kingdom bound for the United States. This adjustment reflects the Critical, or highest, alert level that has been implemented in the United Kingdom.


The nature of the imminent threat and the Operational Risks associated with keeping the investigation under cover any longer prompted authorities to "Go Public" with the plot early today. While only 21 individuals have been arrested at this point in time, the weeks ahead will tell a more detailed story about links to Pakistan and possibly al-Qaida.

The era of suicide bombers is extending month by month and year by year. Vigilance in our thinking about what is possible and how effective their strategy can be, is imperative.

Terrorists have used suicide bombs for decades. As the suicide attacks in New York and London have demonstrated, this tactic has now become a threat to parts of the world previously untouched by suicide terrorism.

Suicide bombers may use a lorry, plane or other kind of vehicle as a bomb - either carrying explosives or using the fuel aboard the vehicle as a makeshift explosive - or may conceal explosives on their persons. Both kinds of attack are generally perpetrated without warning. The most likely targets are symbolic locations, key installations, VIPs or mass-casualty 'soft' targets.

When considering protective measures against suicide bombers, think in terms of:

* Denying access to anyone or anything that has not been thoroughly searched. Ensure that no one visits your protected area without your being sure of his or her identity or without proper authority. Seek further advice through your local police force's CTSA.

* Establishing your search area at a distance from the protected site, setting up regular patrols and briefing staff to look out for anyone behaving suspiciously; many bomb attacks are preceded by reconnaissance or trial runs. Ensure that such incidents are reported to the police

* Effective CCTV systems can help prevent or even deter hostile reconnaissance, and can provide crucial evidence in court

* There is no definitive physical profile for a suicide bomber, so remain vigilant and report anyone suspicious to the police.

Friday, August 04, 2006

CSO Job Security: Training To The Rescue...

Businesses Don't Get It when it comes to training employees on security technology and policy.

What's particularly alarming is that the desire for security compliance doesn't sync with the effort businesses put toward training and education, both within the IT department and throughout the workforce. Monitoring user compliance ranked as the No. 1 security priority in a survey of 966 U.S. companies polled by InformationWeek Research and Accenture. Security policies typically define who has access to data, how it can be used, where customer data can and can't be stored, any potential legislation the company is subject to if the data is breached, and whether data must be encrypted.

Still, more than half of U.S. companies surveyed say security technology and policy training would have no impact on alleviating employee-based breaches, a sentiment shared by more than half of the companies surveyed in Europe and China as part of the InformationWeek 2006 Global Security Survey. In fact, most companies surveyed worldwide admit they don't train their employees on information security policies and procedures on a regular basis, preferring instead to deliver ad hoc training.


Can you imagine being a CSO or CIO on the witness stand today? Or maybe it's just a deposition. The legal counsel for the plaintiff asks a simple question like:

Does your company have a written policy for training new employees on security technologies and controls?

Yes.

Does this written policy specify how and when a new employee shall be trained on security procedures and controls?

Yes.

Can you please state the number of formal training sessions held last year on security technology and policy at your company?


No.

Can you estimate the number of new employees trained last year according to your companies written policy?

No.

And the pain and suffering continues as the CxO realizes that the chain of evidence does not show a clear and demonstrable strategy for training employees on security controls. It does not follow the written policy of the company. Game over.

Given the increase in the number of data breaches, businesses can't allow security polices to become hampered by ambivalence and red tape. Next time, it could be your job on the line.

Tuesday, August 01, 2006

Public-Private Partnerships: Understanding Regional Interdependencies...

The Business Roundtable has released it's findings on U.S. Preparedness for A Major Cyber Catastrophe.

The Roundtable report identified major gaps in the U.S. response plans to restore the Internet:

* Inadequate Early Warning System – The U.S. lacks an early warning system to identify potential Internet attacks or determine if the disruptions are spreading rapidly.

* Unclear and Overlapping Responsibilities – Public and private organizations that would oversee recovery of the Internet have unclear or overlapping responsibilities, resulting in too many institutions with too little interaction and coordination.

* Insufficient Resources – Existing organizations and institutions charged with Internet recovery should have sufficient resources and support. For example, little of the National Cyber Security Division (NCSD)’s funding is targeted for support of cyber recovery.

In its report, the Roundtable concluded that these gaps mean that the U.S. is not sufficiently prepared for a major incident that would lead to disruption of large parts of the Internet and the economy.


Karl Brondell, who heads up the Cyber Security Working Group of the 160-member Business Roundtable, an association of CEOs at leading companies, presented a group report to the Federal Financial Management Subcommittee, saying the nation lacks coordination between the public and private sectors in the event of an internet outage.

The report, "Essential Steps Toward Strengthening America's Cyber Terrorism Preparedness," found major holes in planning, including an inadequate warning system to identify possible internet attacks, unclear responsibilities among public and private partners should an incident occur and unsatisfactory resources to recover from an attack.

The Business Roundtable is on the right track when they recommend that a public-private partnership be established to address these vital issues. What is important to remember is that this will be difficult and almost impossible to achieve on a national level. The interdependencies of our Critical Infrastructures including the Internet are a regional issue. This requires a public-private dialogue and coordination with metro areas and tri or quad state regions. Only when you have the exercises and the testing locally will each party better understand their own vulnerability. This is when each company or city realizes the necessary planning for supply chain redundancy and the criticality of logistics strategy.

The CEO's can talk and publish reports yet it will be the operational risk professionals, contingency planners and emergency managers who do the heavy lifting. They are the people who are making a difference everyday to make our country more resilient to the impact of major economic and public safety threats. These are the people who are "doing" and still not "talking".