Saturday, June 16, 2012

London: Olympic Games Risk Management...


As the summer approaches the world is gearing up for the 2012 Olympic Games in London in about 41 days.  The athletes are making their respective rounds on television and other media to discuss their thoughts.  The U.K. Home Office is on high alert and has been preparing the "Operational Risk Strategy Execution" for years.

The private sector is finalizing plans for the millions of dollars in advertising and promotions on television.  The rest of the world will be watching from their easy chairs in Kansas City USA, the mountain villages of Switzerland, the outback of Australia to the most remote locations in the Sahel.

Every two years the humanity of the Olympic Games comes alive and we all realize that it is possible to get along, to cooperate and to coordinate.  For historical and cultural reasons the world comes together to compete.  And in every venue and each sport the rules change.  The distance, the accuracy, the time.  They are all measured and the rule-sets have been determined in advance.  The competitor knows and understands the measures by which they will be judged.  In the swimming pool, on the track, mat or field, or in front of the target.

The collaboration across the planet somehow brings us all to the point of a temporary "Time Out."  Where it almost seems calm and peaceful for those days and weeks.  A time when humanity can say to themselves that it really is possible to all get along.  A time to show ourselves what really is possible if we have the will and the heart to make it all happen, on time and without incident.

The social media buzz on a daily basis will be coming live from millions of Twitter and Blog posts.  Crowdmap will be used to assist in the event of a crisis.  The mobile device will continue to be a valuable way for the authorities to have continuous opportunity for situational awareness.  Applications from companies such as RealityMobile provide real-time streaming video from any camera-enabled PDA.  All of the communications equipment to collect, view and analyze information will remain a part of the layered defense in depth to deter, detect and prevent an adverse incident.  The London Olympics in 2012 will have the same challenges and the identical set of risks as Beijing in 2008 or Greece in 2004.  What is different this time?

The summer 2012 Olympic Games may be one of the most technology-enabled risk management projects ever.  At the same time, the social scientists have been working on the analysis of the organizational risk facets of such a gathering in London.  Human factors and the social demographics of the people attending are a major consideration in operational risk management planning:

"It is necessary for most of us these days to have some insight into the motives and responses of the true believer. For though ours is a godless age, it is the very opposite of irreligious. The true believer is everywhere on the march, and both by converting and antagonizing he is shaping the world in his own image. And whether we are to line up with him or against him, it is well that we should know all we can concerning his nature and potentialities."
Hoffer, Eric (2011-05-10). The True Believer: Thoughts on the Nature of Mass Movements (Perennial Classics). Harper Collins, Inc.

The 1951 classic by Eric Hoffer is already Operational Risk reading 101, and the modern day Arab Spring is a perfect example of the messages Hoffer reminded us to consider over 60 years ago.  Yet those who continue to study the social science of mass movements realize that our greatest risk mitigation tool will continue to be one of the least technical and most effective: Education and Awareness.

We encourage all of our Operational Risk professionals to educate and increase the awareness of your employees and friends and family who will be attending the London Olympic Games 2012:

Official London 2012 Join In App

In the summer of 2012 London and the UK will come alive with events, celebrations and activities during the Olympic and Paralympic Games.
The Official London 2012 Join In app is a mobile guide to help you plan, enjoy and share your Games experience.
This free app is an essential planning tool for everyone, whether you have tickets for a sporting event or not. From the start of the Olympic Torch Relay to the Olympics and Paralympics, the Opening and Closing Ceremonies, plus all the cultural, city and community celebrations happening across the UK, Join In is your essential companion.

Official London 2012 Results App

The Official London 2012 Results app provides all the latest news, schedules and results, allowing users to keep up-to-date with the latest action live across all Olympic sports and Paralympic sports.
Key features include results, live updates, calendar schedule, details of sports, medal tables and athlete profiles. Users can also follow specific countries, receiving official news and updates tailored to them all in one app.
It’s the essential app for all sports fans to share the excitement of London 2012!

Sunday, June 03, 2012

NLE 2012: Trustworthiness of the System...


The National Level Exercise (NLE) 2012 Capstone will soon be taking place and the private sector is bracing for potential cyber domain blowback.  NLE 2012 is based upon an exercise scenario that is not only timely, but also an expanding Operational Risk to the U.S. critical infrastructure.  This comes months after the secure communications channel was established between Washington and Moscow, to prevent any escalation to full hostilities in the event of a damaging digital attack.

National Level Exercise (NLE) 2012 is part of a series of congressionally mandated preparedness exercises designed to educate and prepare participants for potential catastrophic events. The NLE 2012 process will examine the nation’s ability to coordinate and implement prevention, preparedness, response and recovery plans and capabilities pertaining to a significant cyber event or a series of events. NLE 2012 will examine national response plans and procedures, including the National Response Framework (NRF), NRF Cyber Incident Annex, Interim National Cyber Incident Response Plan (NCIRP) and the International Strategy for Cyberspace. Unique to NLE 2012 will be an emphasis on the shared responsibility among all levels of government, the private sector and the international community to secure cyberspace and respond together to a significant cyber incident.

Simultaneously, the U.N.'s International Telecommunication Union (I.T.U.) is mediating the future of the Internet.  I.T.U. secretary-general Hamadoun Toure will convene 193 nation states in Dubai later this year to debate the new rules of engagement.  The lines have already been drawn in the sand between rogue groups and Western democracies, private companies, law enforcement and hacktivists.

As strategic media leaks are continuously debated and clandestine operations are exposed, the Operational Risks for the private sector continue to soar.  Whether it is the threat to the Olympic Games in London this summer or the covert "Olympic Games" in cyberspace, there continues to be a consistent taxonomy, developed years ago by Sandia Labs researchers, that this blog has highlighted before:
"Attackers use tools to exploit vulnerabilities, to create an action on a target, that produces an unauthorized result to obtain their objective."
The three areas that you need to focus on continue to be:
  • Design
  • Implementation
  • Configuration

Whether it is through physical attack, information exchange, user commands, scripts, programs, autonomous agents, toolkits or data taps you can be assured that these tools are being utilized to exploit you. They are being directed at the design, implementation or configuration of your "Controls" in order to achieve the action they desire:

  • Probe
  • Scan
  • Flood
  • Authenticate
  • Bypass
  • Spoof
  • Read
  • Copy
  • Steal
  • Modify
  • Delete
All of these actions are directed at a target: accounts, people, processes, data, components, computers, networks or internetworks. They are looking for an unauthorized result:
  • Increased Access
  • Disclosure of Information
  • Corruption of Information
  • Denial of Service
  • Theft of Resources
And sadly, when you boil it down to the reasons or objectives they seek to achieve, it usually falls into one of four categories:
  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
Once you understand the entire taxonomy of an "Incident", you are far better equipped to prevent and preempt attacks on your valuable corporate assets.
Now the question to be answered is, who is your adversary?  Answering this question and putting a face on those who are attacking you somehow seems to be more important these days to some.  Attribution is only one key facet of asymmetric warfare.
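As an added example (not part of the original post, and not code from Sandia), the following Python encodes the lists above as controlled vocabularies, validates constructed incident records against them, and reports which level of the taxonomy each record completes and where the design, implementation and configuration exposure concentrates. The record format, the event/attack/incident levels, and the sample records are assumptions made for this illustration.

```python
"""Tag constructed incident records with the taxonomy quoted in the post.

Vocabularies are the post's lists (tools, vulnerability classes, actions,
targets, unauthorized results, objectives). The record layout, the
event/attack/incident levels and the sample records are assumed for this
example and are not part of the original post.
"""
from collections import Counter

TOOLS = {"physical attack", "information exchange", "user command",
         "script or program", "autonomous agent", "toolkit", "data tap"}
VULNERABILITIES = {"design", "implementation", "configuration"}
ACTIONS = {"probe", "scan", "flood", "authenticate", "bypass", "spoof",
           "read", "copy", "steal", "modify", "delete"}
TARGETS = {"account", "people", "process", "data", "component",
           "computer", "network", "internetwork"}
RESULTS = {"increased access", "disclosure of information",
           "corruption of information", "denial of service",
           "theft of resources"}
OBJECTIVES = {"challenge, status, thrill", "political gain",
              "financial gain", "damage"}

FIELDS = {"tool": TOOLS, "vulnerability": VULNERABILITIES,
          "action": ACTIONS, "target": TARGETS,
          "result": RESULTS, "objective": OBJECTIVES}


def validate(record):
    """Return a list of problems (field values outside the taxonomy).
    An empty list means every populated field uses an allowed term."""
    problems = []
    for field, vocab in FIELDS.items():
        value = record.get(field)
        if value is not None and value.lower() not in vocab:
            problems.append(f"{field}: {value!r} is not in the taxonomy")
    return problems


def classify_level(record):
    """Report how much of the taxonomy chain the record completes.
    Assumed levels: event = action + target; attack = event + tool +
    vulnerability + unauthorized result; incident = attack + objective."""
    if not (record.get("action") and record.get("target")):
        return "unclassified"
    if not (record.get("tool") and record.get("vulnerability")
            and record.get("result")):
        return "event"
    if not record.get("objective"):
        return "attack"
    return "incident"


def summarize(records):
    """Count fully described incidents by vulnerability class and by
    unauthorized result: the two views a control owner reviews first."""
    by_vuln, by_result = Counter(), Counter()
    for r in records:
        if classify_level(r) == "incident":
            by_vuln[r["vulnerability"].lower()] += 1
            by_result[r["result"].lower()] += 1
    return by_vuln, by_result


# Constructed sample records (not real incidents).
SAMPLE_RECORDS = [
    {"tool": "toolkit", "vulnerability": "configuration", "action": "bypass",
     "target": "account", "result": "increased access",
     "objective": "financial gain"},
    {"tool": "script or program", "vulnerability": "implementation",
     "action": "flood", "target": "network", "result": "denial of service",
     "objective": "political gain"},
    {"tool": "user command", "vulnerability": "configuration",
     "action": "read", "target": "data",
     "result": "disclosure of information",
     "objective": "challenge, status, thrill"},
    {"action": "probe", "target": "computer"},                  # event only
    {"tool": "data tap", "vulnerability": "design", "action": "copy",
     "target": "data", "result": "disclosure of information"},  # no objective
    {"tool": "toolkit", "vulnerability": "configuration", "action": "pwn",
     "target": "account", "result": "increased access",
     "objective": "damage"},                                    # bad action
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_level(rec), validate(rec))
    print(summarize(SAMPLE_RECORDS))
```

Records that stop at "event" or "attack" are the ones worth chasing in an investigation, since the taxonomy tells you exactly which link (tool, vulnerability class, result or objective) is still unknown.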



at·tri·bu·tion [a-truh-byoo-shuhn]
noun
1. the act of attributing; ascription.
2. something ascribed; an attribute.
3. Numismatics. a classification for a coin, based on its distinguishing features, as date, design, or metal.
4. Archaic. authority or function assigned, as to a ruler, legislative assembly, delegate, or the like.

at·trib·ute [v. uh-trib-yoot; n. a-truh-byoot]
verb (used with object), at·trib·ut·ed, at·trib·ut·ing; noun
1. to regard as resulting from a specified cause; consider as caused by something indicated (usually followed by to): She attributed his bad temper to ill health.
2. to consider as a quality or characteristic of the person, thing, group, etc., indicated: He attributed intelligence to his colleagues.
3. to consider as made by the one indicated, especially with strong evidence but in the absence of conclusive proof: to attribute a painting to an artist.
4. to regard as produced by or originating in the time, period, place, etc., indicated; credit; assign: to attribute a work to a particular period; to attribute a discovery to a particular country.
noun
5. something attributed as belonging to a person, thing, group, etc.; a quality, character, characteristic, or property: Sensitivity is one of his attributes.


Regardless of the ability to attain the identity of your attacker, your focus should remain on your trusted systems and your resilience factor.  The trustworthiness of the system requires evaluation and a trust decision to use the system.  "The risk calculus evaluates whether the probability that the services as a result of using the system, will exceed the risks that may occur as valued by a user.  The cost component of a trust decision includes an evaluation that the use of a system will occur at an acceptable cost and will produce economically acceptable results."  [US 7240213]