Thursday, October 01, 2009

Remote Digital Forensics: Complacency Risk...

Operational Risk Management commands a spectrum of disciplines within the global corporate enterprise. While convergence of responsibility, accountability and resources is taking place the internal threats continue to flourish. Why? How could a Chief Security Officer (CSO) not be aware of a specific threat to the institution by unknown subjects half way around the world? The transnational organized crime syndicates that target our weakest organizations know that they don't share information between departments, business units or even shared services within the enterprise. Does your CSO get a briefing from the CISO or CIO / INFOSEC staff on what the latest threats mean to you, such as cyber heists using ACH fraud?

This complacency is an internal threat that continues to amaze many and reinforces what few people truly understand about risk management. The adversaries utilize asymmetric strategy against unsophisticated targets to perpetuate their crimes and overall threats to people, processes, systems and deposit accounts. They are the modern day equivalents of "Bonnie & Clyde", Al Capone with a dash of Al Gonzales all rolled up into a massive threat that is increasing exponentially:

Two Romanian Citizens Extradited to the United States to Face Charges Related to Alleged Phishing Scheme

A phishing scheme uses the Internet to target large numbers of unwary individuals, using fraud and deceit to obtain private personal and financial information such as names, addresses, bank account numbers, credit card numbers, and Social Security numbers. Phishing schemes often work by sending out large numbers of counterfeit e-mail messages, which are made to appear as if they originated from legitimate banks, financial institutions, or other companies.

The investigation leading to the indictment stemmed from a citizen’s complaint concerning a fraudulent e-mail message made to appear as if it originated from Connecticut-based People’s Bank. In fact, the e-mail message directed victims to a computer in Minnesota that had been compromised, or “hacked,” and used to host a counterfeit People’s Bank Internet site. During the course of the investigation, it was determined that the defendants had allegedly engaged in similar phishing schemes against many other financial institutions and companies, including Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., eBay, and PayPal.


Risk Management 101 talks to the X and Y axis with X representing the frequency of risk and Y representing the severity (impact) of the risk. So using the four quadrant model, the lower right box is where low risk times high frequency incidents occur. In the upper left box is where high risk times low frequency incidents occur. Got it.

As a CSO in your organization, where do you spend your time, resources and personnel in terms of their training, awareness and work efforts? Think about it for a minute. Most of you would probably say, "Well we focus on the High Frequency times High Risk incidents, the upper right box of the Risk Management model." Practice and prepare for the incidents that happen often and you will have employees who have no clue on what to do the day that something from that upper left box impacts your organization. The HIGH RISK x LOW FREQUENCY incidents are where you remain most vulnerable.

Arlington Man Sentenced 36 Months for $40 Million Ponzi Scheme

ALEXANDRIA, VA—Preston David Pinkett II, age 70, of Arlington, Va., was sentenced to 36 months in prison for engaging in a massive Ponzi scheme that raised more than $40 million in fraudulent payments from investors. Pinkett was also sentenced to three years of supervised release and ordered to pay $18,774,989 in restitution.


The two years that most frauds are conducted before they are discovered tells most risk managers that even effective accounting and audit controls can't catch these white collar criminals before it's too late. The high risk low frequency incidents are the greatest impact on your institution and yet little or no resources, training or attention is paid to these threats to your reputation and economic livelihood.

Now let's take this step further into what practices you have with exiting employees from your business. Are you conducting exit interviews? Are you examining all of the employee's digital assets for the presence of anti-forensics or the ex-filtration or theft of sensitive, proprietary trade secrets or intellectual property from the corporation? Both of these steps are necessary regardless of the person leaving and the circumstances why they are leaving your institution.

The utilization of "Remote Digital Forensics" and other centralized shared services such as this can provide your Business Units and even suppliers with capabilities that they don't need to staff internally. The technologies and resources exist today to address the stealth of fraud, the crisis stemming from industrial espionage or the disgruntled employee stalking those who they perceive as the reason for their dismissal.

An effective internal approach to high tech and advanced Operational Risk Management as it pertains to the rapidly changing landscape of smart, educated and daring people shall include a robust intelligence and audit capacity. Without it, the transnational eCrime syndicates or the internal employee threat will prey on your vulnerabilities of complacency, lack of training and apathetic approach to the design, configuration or implementation of your systems.