Tuesday, November 16, 2010

Proactive Measures: Beyond the Perimeter...

Operational Risk Management requires both proactive and passive measures that encompass a comprehensive organizational strategy. Odds are that you have devoted a majority of your time and resources to this point on the passive mode of preparedness and defense. A reactive and alert oriented focus. The time has come to change the priorities and to increase the allocation of strategy on the "Active Measures." Why? Stuxnet is ground zero for a new generation of digital infrastructure cyber weapons. Glenn Kessler from the Washington Post explains:

The Stuxnet computer worm that infiltrated industrial systems in Iran this fall may have been designed specifically to attack the country's nuclear program, potentially crippling centrifuges used to enrich uranium gas, according to new research.

In a blog post late last week, a Stuxnet researcher at Symantec wrote that the software firm had concluded that the worm targeted industrial systems with high frequency "converter drives" from two specific vendors, including one in Iran.

Independently, Langner Communications of Germany, a systems security firm, also announced over the weekend that another part of the worm's attack code was configured in a way to target a control system for steam turbines used in power plants, such as those installed at the Bushehr nuclear power plant in Iran. Langner also confirmed that the worm appeared to attack key components of centrifuges.

Ivanka Barzashka, a research associate at the Federation of American Scientists, said the Symantec findings "if true, are very significant."


The attribution game is still going on with several suspects on who actually developed, tested and deployed "Stuxnet." This is not as important as the realization that sitting back and waiting for the next variant or hybrid cyber weapon to attack your critical infrastructure assets is passive mode. The most advanced organizations are now taking the "Proactive" stance to not only detect changes in their environment in a more real-time mode, but they are starting to hunt down the attackers.

There is a decision point where you realize that the passive mode will not buy you time nor will it redirect your attackers to other more vulnerable assets. Your organization will continue to operate with the goal of serving your clients, members or customers yet simultaneously a "SpecOPS" team of internal experts will be monitoring, measuring and exercising tactics to legally neutralize the threat before them.

Commercial and non-governmental entities are creating the means and the capabilities to deter, detect and document who is attacking their digital systems and where they can be found. This intelligence is being shared within the private sector organizations to determine fingerprints, modus operandi and other evidence that is required to effectively hunt down the attackers. The next challenge will be how to package this and make sure that the proper authorities are notified in a timely manner.

There is no longer a solution that is wide enough or in depth enough to be distributed across a whole spectrum of companies or organizations. The answers will be specific, customized to the unique environment and infrastructure that comprises a particular enterprise. In order for that specification to be developed internally and provided to the correct people, you have to have the internal mechanisms in place to know in real-time what is changing and how fast it is changing from the normal state.

Is your view beyond your own perimeter? Are you looking for the anomalies that are over the horizon and could impact your network soon? It's one thing to look at the changes to your own perimeter but what about the intelligence on providers and ISP's somewhere on the other side of the planet? Do you know where your packets are going and how they are being routed? Just ask the people at Renesys:

Afghans headed to the polls today for parliamentary elections in a tense but hopeful atmosphere. If the Internet has a role to play this year in helping Afghanistan develop a peaceful civil society, it will probably turn on two key developments: cheap GPRS Internet delivered over mobile phones, and strong relationships with neighboring states to provide Internet transit.

In today's followup to last week's blog, we present the evidence we see in the global Internet routing tables for a strengthening technical relationship between the Tehran and Kabul governments. In Afghanistan, as in Iraq, Iran now sees an opportunity to export influence by exporting its technological infrastructure.


In a savvy Operational Risk Management enterprise, the "Corporate Intelligence Unit" is alive and thriving. A proactive intelligence-led investigation doesn't begin with a phone call from someone who say's, "My system is down" or "What does this Blue Screen mean"? It doesn't start when your VP, Research & Development suddenly leaves the company for no apparent reason. Intelligence-led operations will continue to be the aspiration of many, yet only possessed by a few.

Tuesday, November 09, 2010

Operational Risk: 7 Years and Counting...

After writing this blog now since 2003, it is amazing how some items seem to be coming back full circle. Operational Risk does not change; only the places and the particular circumstances change. Do you know where a loss event will impact you and your organization next?

The US has intensified its war on terrorism on the financial front, targeting an ancient, informal system of money transfers that officials believe funnelled millions of dollars to Osama Bin Laden's al-Qaeda network.

The system is known as hawala, and it has been used for hundreds of years to move money across distances and around legal and financial barriers in South Asia and the Middle East.

The California Public Employees' Retirement System (Calpers) is opposing Freddie Mac's reappointment of auditor PricewaterhouseCoopers and the reelection of members of the mortgage finance company's audit committee, according to the Washington Post.

Any board member or executive today is well aware of the direct impact an adverse event or significant business disruption can have on shareholder value and customer confidence. When it does happen, how many people just throw up their hands and shout, Murphy's Law!

Murphy's Law ("If anything can go wrong, it will") was born at Edwards Air Force Base in 1949 at North Base.

It was named after Capt. Edward A. Murphy, an engineer working on Air Force Project MX981, (a project) designed to see how much sudden deceleration a person can stand in a crash.

Corporate Governance in the board room itself is blazing out of control at Hewlett Packard (HP) as a result of an internal investigation. The finger pointing, board resignations and ethics questions are all in the news. And that is just a very small story on the entire landscape of corporate digital surveillance or internal investigations. This is a business your insurance company is funding and for good reason.

These snapshots of the past demonstrate the variety, breadth and depth of the Operational Risk Management challenges before the Fortune 500 and the small-medium-enterprise (SME) that has limited staff and resources. Yet the time, effort and resources dedicated to the INFOSEC, OPSEC, Internal Audit and Risk Management functions within the enterprise are in many cases dwarfed by the Marketing and Advertising line items in the budget.

Will one more 30 second spot of an insurance lizard (GEICO) or vikings doing their banking (CAPITAL ONE) really make us change brands? Doubtful. On the other hand, if you were to show us that the bank is now using Multi-factor biometrics for it's online banking access and transactions you might make us switch. Perhaps the insurance carrier could make us change with a difference of 45% not just 15% savings because we doubt you will be able to hedge the risk of another driver running into the back of my automobile on a rainy day on the freeway.

Operational Risk will continue to evolve as much as an "Art" as it is a "Science"because there will never be the perfect algorithm or software program to give you a sensor alert in time or in the right place. You need human factors to use such mechanisms as "Intuition", "Reid Technique", and other senses that only the Homosapien has the ability to process with a brain that contains a large cerebrum. Without lot's of these brains making sensual observations, analyzing and processing the possibilities; the likelihood of an adverse event will increase dramatically.

We are still amazed that organizations are spending more time and effort on sophisticated sensors and technology and less on the human factors. Yet the right ratio of both can get you to that place that tips the scales in your favor and your enterprise is on the verge of being more proactive, preventive and predictive.

When was the last time you spent a day on the front lines with your OPS Risk Team? It could be a CEO's wake up call...