Emerging Concerns in IT Governance
July 11, 2007
MacDonnell Ulsch | Jefferson Wells
Managing Risk In a Hostile World
Speaker Biography: MacDonnell Ulsch
• Director of Technology Risk Management in Boston and the firm’s chief privacy specialist.
• Distinguished Fellow of the Ponemon Institute.
• Served on the U.S. Secrecy Commission under U.S. Senators Helms and Moynihan.
• Advised counterintelligence staff of a Presidential Administration.
• Worked with U.S. Senator Sam Nunn on information security policy.
• Met with King Hussein of Jordan on Middle Eastern security and political policy.
• Advised “DaVinci Code” author Dan Brown on the novel “Digital Fortress,” on U.S. national security.
• Interviewed Judge Leon Jaworski of the Warren Commission on the assassination of President Kennedy.
• On the Board of the National Security Institute, worked there 13 years, with U.S. intelligence agencies.
• Founded information security research program at Dataquest/Dun & Bradstreet and was Chief Analyst at D&B.
• Former Director of Global Risk at PricewaterhouseCoopers, LLP.
• Former Sr. Director of Regulatory Compliance at Gartner, Inc.
• Former Lecturer at Boston University.
• Currently writing, “Threat! Managing Risk in a Hostile World,” to be published by the IIA Research Foundation.
What’s On Your Horizon?
• Sabotage
• Emerging State Statutes
• Emerging Federal legislation
• International legislation
• Asymmetric Threats
• Technology Proliferation
• Integrated Security
• Financial Loss
• Reputation Loss
• Valuation Loss
• U.N. Public Policy
• Executive Responsibility for Data Crimes
• Security Officer Responsibility for Data Crimes
• Money Laundering
• Lack of Awareness
• Civil Liability
• Criminal Liability
• Economic Espionage
• Trade Secret Theft
• Low-Intensity Regional Conflict
• High-Intensity Global Conflict
• Privacy Strategy Confusion and Inconsistency
Diagram: Causal Threat and Risk Factors: 28 Emerging Threats, 23 Existing Vulnerabilities, 28 Enabling Conditions.
Diagram: Eight Spheres of Trust (Enterprise Trust). Labels: Enterprise Assets; Physical Security; Administrative Security; HR Operations Security; Classification Management; Process Linkage; Internal + External Monitoring; Conveyance; IT Security; Foundation:
– LEGAL: Civil ◦ Criminal
– AUDIT: U.S. ◦ Country-Level
– REGULATORY: U.S. Federal ◦ U.S. State ◦ Country-Level ◦ International
– LAW ENFORCEMENT: U.S. Federal ◦ U.S. State ◦ U.S. Local ◦ Country-Level ◦ International
– STANDARDS: U.S. ◦ Country-Level ◦ International
– INTELLIGENCE: U.S. ◦ Country-Level ◦ International
Case Histories: Economic Espionage and Trade Secret Theft
A Matter of Coincidence?
[Image: side-by-side designs, United States and Russian]
Question: Did each government arrive independently at each design at the same time?
DuPont and Chemist Gary Min
• Former Chinese national.
• Former DuPont chemist stole secrets worth $400MM.
• Recently pleaded guilty to corporate espionage.
• In the crosshairs: KEVLAR, TEFLON, NOMEX, LUCITE and other products protected under trade secret.
• May have intended to sell secrets to the government of China or to Chinese companies.
• An employee for 10 years.
• Had developed significant products. He had access to a high-security electronic database at DuPont.
• This enabled him, but it was also his downfall.
Tripping the Wire
• His biggest mistake was elevating his profile to security:
– Over a short period of time he downloaded 22,000 abstracts and documents from the secure DuPont database.
– 15-20 hours at a time.
– This level of activity represented 15 times more use than the next highest user at DuPont.
– Federal authorities were contacted at this time.
• Min left DuPont and went to work for Victrex PLC. He transferred 180 documents to his Victrex computer.
• Min was in China when a DuPont investigator found documents at Min’s home and in an apartment he had rented. Other documents were found on his home PC.
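The slide above names the signal that tripped the wire: one account pulling many times more documents than any peer, for 15 to 20 hours at a stretch. What follows is an added example, not DuPont’s own detection logic (the talk gives no detail on their tooling): a small Python check that reads document-repository access logs and raises both signals. The log lines and user names are constructed for the example.

```python
"""Flag a repository user whose download volume dwarfs every peer.

Added example for this page, not DuPont's own tooling (the talk gives no
detail on it). It reconstructs the two signals on the slide: one account
pulling many times more documents than the next highest user, and
activity spread across most of the clock hours of a single day. All log
lines here are constructed; the user names are placeholders.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    doc: str


def build_sample_log() -> str:
    """Constructed log: two ordinary users and one bulk downloader."""
    lines = []
    for i in range(20):                      # 'alice', a normal day
        lines.append(f"2005-08-01T09:{i:02d}:00 alice DOWNLOAD ABS-{1000 + i}")
    for i in range(30):                      # 'bob', the busiest ordinary peer
        lines.append(f"2005-08-01T10:{i:02d}:00 bob DOWNLOAD ABS-{2000 + i}")
    # 'gmin' pulls 40 abstracts an hour from 05:00 to 20:59, i.e. 16 hours.
    n = 0
    for hour in range(5, 21):
        for minute in range(40):
            lines.append(f"2005-08-01T{hour:02d}:{minute:02d}:00 gmin DOWNLOAD ABS-{5000 + n}")
            n += 1
    return "\n".join(lines)


def parse_log(text: str) -> List[Event]:
    """One event per line: '<iso-timestamp> <user> <action> <doc-id>'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, doc = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, doc))
    return events


def downloads_per_user(events: List[Event]) -> Counter:
    return Counter(e.user for e in events if e.action == "DOWNLOAD")


def active_hours_per_day(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """user -> ISO date -> number of distinct clock hours with any activity."""
    hours = defaultdict(lambda: defaultdict(set))
    for e in events:
        hours[e.user][e.ts.date().isoformat()].add(e.ts.hour)
    return {u: {d: len(h) for d, h in days.items()} for u, days in hours.items()}


def flag_volume_outliers(counts: Counter, ratio: float = 10.0,
                         min_docs: int = 500) -> List[dict]:
    """Users whose count is large in absolute terms AND >= ratio x the busiest
    *other* user. The absolute floor stops a 30-vs-3 day from firing."""
    flagged = []
    for user, n in counts.items():
        peer_max = max((c for u, c in counts.items() if u != user), default=0)
        if n >= min_docs and n >= ratio * max(peer_max, 1):
            flagged.append({"user": user, "downloads": n, "peer_max": peer_max,
                            "ratio": round(n / max(peer_max, 1), 1)})
    return sorted(flagged, key=lambda f: -f["downloads"])


def flag_marathon_days(hours_by_day: Dict[str, Dict[str, int]],
                       min_hours: int = 12) -> List[tuple]:
    """(user, date, active_hours) for days with activity in >= min_hours hours."""
    return [(u, d, h) for u, days in hours_by_day.items()
            for d, h in sorted(days.items()) if h >= min_hours]


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    counts = downloads_per_user(evts)
    for hit in flag_volume_outliers(counts):
        print(f"ALERT volume: {hit}")
    for u, d, h in flag_marathon_days(active_hours_per_day(evts)):
        print(f"ALERT marathon: {u} active in {h} distinct hours on {d}")
```

Comparing against the busiest other user rather than the population mean keeps one heavy account from inflating the baseline for everyone else; the absolute floor keeps the ratio test quiet on low-volume days. Both thresholds are assumptions to tune against the repository’s normal traffic.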
The NYNEX Case
• Certain elements of this case were tried in federal court and were reported in the Wall Street Journal.
• Other aspects of this case have never been made public.
• I am making certain elements of the case public today.
• The case will be discussed more extensively in THREAT! Managing Risk in a Hostile World, to be published by the Institute of Internal Auditors Research Foundation.
• No individuals will be mentioned by name.
• Principal companies will be named.
• Several companies will not be named. Such disclosure would enable the identification of the individuals involved.
Industrial Espionage Case History II
Diagram (conspiracy flow): Public Utility Commission: basic rate setting. NYNEX and three subsidiaries. Textiles: two sets of books; loss through fraud; illegal PUC influence. Co. X; IBM; DEC; clients. Rogue: collect, report ($); others: report ($). Ulsch enters; calls U.S. DOJ / immunity; U.S. DOJ briefs U.S. GAO; Ulsch briefs U.S. GAO. Label: CONSPIRACY.
Aftermath
• NYNEX exited the information products and services business at a loss estimated to be in the hundreds of millions of dollars.
• NYNEX discharged senior executives over the incidents.
• A number of Co. X executives were terminated.
– A senior executive was restricted from serving on any public board for several years.
– His employment was terminated.
– He was fined but avoided imprisonment.
– He was recently honored for his industry contributions.
– He is currently the CEO of a privately held, successful company.
Aftermath …
• The rogue consultant was granted full federal and state immunity from prosecution:
– He was not fined and faced no prison term.
– He runs a very successful research and consulting firm.
– He is financially secure.
• Another senior executive formed a company afterwards and then sold it, making about $100MM.
– He was never charged in the case.
The Emergence of Social Networks
The Rise of Social Networks
Drugs. Pornography. Terrorists.
Unregulated. Unrestricted. Unreliable. Unknown. Organized Crime?
Blogging: A Growing Risk
• Rapid growth: 34.5MM to over 100MM blogs worldwide.
• Rapid growth: the blog audience is 20 percent the size of the total newspaper reading audience.
• 9 percent of computer users have created blogs.
• Blogging from laptops and Internet-enabled PDAs.
• In an organization of 100,000 employees:
– 25 percent blog, or 25,000.
– Blogging an average of twice per week is 50,000 messages a week, or 2.4MM annually.
– Many blog from work.
– Others blog from mobile platforms.
• Organized crime is believed to be behind or influence a number of gambling and pornography blogs.
Here’s the Problem With Blogs
Diagram (center node: Blog Databases With Billions of Messages):
1. Employees use work email accounts.
2. Blog databases archive messages.
3. 34.5 – 100MM blogs and databases.
4. Databases scanned by organized crime, hostile faction.
5. Millions of messages analyzed using sophisticated data mining software.
6. A rich source of information for trade secrets when analyzed.
7. Identity thieves, Internet scams, spammers acquire data.
8. Many offices have no blog restriction policies.
Blogs …
• Case History:
– Company was being hacked weekly, resulting in expensive downtime.
– Targeted by unidentified foreign hackers.
– Key IT employee perceived blogging as a neutral threat factor.
– He needed help in defending the enterprise more effectively.
– Internal solutions were not solving the problem.
– Company’s proprietary data was at risk.
– Blogging made it worse.
• Prediction:
– Blogs and social networks, left unchecked, will contribute to ID theft and crime.
The Trend of Internet Crime
Complexity of Identity Theft
Diagram: ID Theft Drivers: Organized Crime; Narcotics Trafficking; Terrorists; Money Laundering ($2 Trillion in Profits Laundered); Emerging Nation Participation in Organized Crime; Black Peso Market Exchange & Money Laundering.
Diagram: Distribution Channel & Infrastructure: Core Product; Manufacture; Operations; Financing. Actors: Terrorists; Protest Groups; Drug Cartels; Organized Crime; Espionage Agents; Rogue Employees. Activities: Money Laundering; Recruitment; Communication; Capital Formation; Fraud; Hacking; Virus Development; Virus Deployment.
Information Security Crime: Identity Theft is Key
Find the SSN
277-33-1899 185-09-9380 231-54-8274 904-00-1232 184-99-3837 275-44-5162 231-44-2005 992-33-4646
“Just a quick note to say hi. Thought this was a cool picture. Call me when you can: I’ve got a business question for you.”
Laptops
PDAs
Internet-EnabledCell Phones
Portable Drives
Flash Drives
Blogs
CDs
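The “Find the SSN” slide is the analyst’s side of the problem; the defender’s side is finding SSNs in outbound mail, blog posts and file shares before they leave. The following is an added example, not part of the talk: a Python scanner that locates SSN-shaped strings, applies the Social Security Administration’s structural rules for issued numbers (area not 000, 666 or 900-999; group not 00; serial not 0000) to separate plausible numbers from noise, and redacts what it finds. Two of the eight candidates on the slide fail those rules. The sample text is constructed around the slide’s numbers, with a made-up phone number and order reference as distractors.

```python
"""Locate SSN-shaped strings in text, rank them by structural plausibility, redact them.

Added example for this page (not from the talk). The structural rules are the
Social Security Administration's published constraints on issued numbers:
area 000, 666 and 900-999 are never issued; group 00 and serial 0000 never
occur. SAMPLE_TEXT is constructed; it carries the eight candidates from the
slide plus distractors a naive digit-matcher would trip on.
"""
import re
from typing import List, NamedTuple

# Formatted only: AAA-GG-SSSS or AAA GG SSSS with the same separator in both
# places, and not embedded in a longer digit run. Low false-positive rate.
SSN_FORMATTED_RE = re.compile(
    r"(?<!\d)(?P<area>\d{3})(?P<sep>[- ])(?P<group>\d{2})(?P=sep)(?P<serial>\d{4})(?!\d)"
)
# Also accepts bare nine-digit runs: catches 123456789, but so are order numbers.
SSN_UNFORMATTED_RE = re.compile(
    r"(?<!\d)(?P<area>\d{3})[- ]?(?P<group>\d{2})[- ]?(?P<serial>\d{4})(?!\d)"
)

SAMPLE_TEXT = """\
Just a quick note to say hi. Thought this was a cool picture.
Call me when you can, (617) 555-0142, I've got a business question for you.
Batch: 277-33-1899 185-09-9380 231-54-8274 904-00-1232
184-99-3837 275-44-5162 231-44-2005 992-33-4646
Order ref 123456789, PO 555-12-34567 (neither is an SSN).
"""


class Hit(NamedTuple):
    value: str    # normalised AAA-GG-SSSS
    raw: str      # text as it appeared
    start: int    # offset into the scanned text
    valid: bool   # passes the SSA structural rules


def structurally_valid(area: str, group: str, serial: str) -> bool:
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def find_ssns(text: str, allow_unformatted: bool = False) -> List[Hit]:
    pattern = SSN_UNFORMATTED_RE if allow_unformatted else SSN_FORMATTED_RE
    hits = []
    for m in pattern.finditer(text):
        area, group, serial = m.group("area"), m.group("group"), m.group("serial")
        hits.append(Hit(f"{area}-{group}-{serial}", m.group(0), m.start(),
                        structurally_valid(area, group, serial)))
    return hits


def redact(text: str, hits: List[Hit]) -> str:
    """Replace each hit with ***-**-SSSS, working back to front so offsets hold."""
    out = text
    for h in sorted(hits, key=lambda h: h.start, reverse=True):
        out = out[:h.start] + "***-**-" + h.value[-4:] + out[h.start + len(h.raw):]
    return out


if __name__ == "__main__":
    found = find_ssns(SAMPLE_TEXT)
    for h in found:
        print(f"{h.value}  {'plausible' if h.valid else 'structurally invalid'}")
    print(redact(SAMPLE_TEXT, found))
```

Run against the constructed text, the formatted pattern returns the eight slide numbers and nothing else; 904-00-1232 and 992-33-4646 are reported as structurally invalid. Switching on allow_unformatted also returns the order reference 123456789 as a plausible 123-45-6789, which is the trade-off: the loose pattern catches numbers typed without separators at the cost of false positives that only context (a payroll field name, a nearby name or date of birth) can resolve.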
Organized Crime Growing
• Organized crime is involved in trade secret theft, economic espionage, terrorist financing, narcotics trafficking, pornography, ID theft … and technology.
• Russia has emerged as a major international influence in organized crime. Many countries participate in organized crime. Russia is but one example.
• Compare organized crime in the US and Russia (American Russian Law Institute):
– US: 24 crime families; 2,000 active members.
– Russia: 5,000 – 8,000 groups; 100,000 active members.
Russian Organized Crime & IP Theft
• The theft of intellectual property by organized crime is escalating in the following states, in particular:
– New York
– California
– Pennsylvania
– Massachusetts
• According to a report from Michigan State University School of Criminal Justice:
– Russian activity is accelerating as a result of the dismantling of the Soviet Union.
– Federal authorities are currently investigating and infiltrating these criminal enterprises.
– “The threat from … economic crimes (such as the theft of intellectual property, industrial espionage … and computer-related crime) is increasingly recognized as a matter of national security.”
• Use of IT and communications professions by organized crime is growing.
Linkage to Child Pornography
• The majority of child pornographic images and videos seized are produced in:
– The former Soviet states.
– Southeast Asia (including Japan).
– South America (increasingly).
• The proliferation of commercial pay-per-view technology and Internet payment systems technology that provide anonymity are in demand.
Case History: A Boston Police Officer
• Police in Boston
– Several rogues involved with local crime gangs, offering protection of:
• Drug transactions
• Prostitution
– Target owners of luxury automobiles:
• Use police access to a database to obtain personal identity information.
• Use personal identity data to acquire credit information about the target individual. This is accomplished through an employee at a local bank.
• Credit information is sold to East Coast identity thieves, who in this case are undercover FBI agents.
Employee Crime
• A financial institution network used for XXX-rated web sites.
• A corporate data center used by rogue employees operating their own profitable business.
• A man buys a SSN online, commits ID theft.
– But then he engages in cyberstalking the woman to whom the SSN was assigned.
– This turns into physical stalking, as many cases do.
– He ended up assaulting and killing her.
– What if the SSN came from your database?
– What are the moral and ethical implications?
– What is the reputational impact?
– What is the financial liability?
– What if the security controls were sub-standard?
An Attack Trend?
• The first information warfare occurred during the Kosovo war: web site defacements of U.S. Department of Defense and U.S. corporate entities, including IBM.
• An interesting DDoS attack on Estonia:
– Bots or zombies used in the attack.
– Parliament disrupted.
– Nation’s largest bank severely disrupted.
– Traced attacks to inside the Kremlin.
– Significant because of KGB linkage to organized crime.
– Zombies linked to organized crime.
– Three weeks to block the attacks.
• Many attackers make precise attacks: they don’t want to disable the Internet because of its usefulness to them.
Managing the Mobile Risk Force Multiplier
• Mobile technology contributes to the dimension of risk:
– Greater distribution of target information.
– Less institutional monitoring.
– Fewer employee observations about risky behavior.
– Less attention to security policies and procedures.
– Greater likelihood of losing a mobile device.
– Greater likelihood of mobile device theft.
– Greater likelihood of a breach.
Mobile/Wireless: A Risk Force Multiplier
Mobile Device Theft
• More than two million a year reported stolen worldwide.
• 1,600 a day reported stolen in the U.S.
• A laptop is stolen every 53 seconds.
• Chances of a laptop being stolen are one in ten.
• 97% are never recovered.
• Most common crime after identity theft.
• Contains the most sensitive data, including social security numbers, as well as intellectual property and trade secrets.
• Six of one hundred government and defense workers in the United Kingdom are said to have lost or had stolen a laptop computer.
• Many stolen laptops have passwords written on paper and taped to the underside of the laptop.
What is on your laptops?
What policies are in place to prevent mobile device theft?
The Mobility of Logical Information
• Electronic information seldom resides in one place.
• Information structures are designed for redundancy.
• Then behavior reinforces the principle of redundancy.
• Where does data exist and where is it at risk:
– Desktop computers
– Laptops
– Handhelds
– Cell phones
– Flash drives
– Portable backup drives
– Data centers: domestic and foreign
– Email servers
– Databases
– Home computers
– Data management third-parties
– Internet Service Providers
– Spouse’s and children’s computers
– Hotels & resorts & conferences
– Neighbors’ homes
– Restaurants
– Taxis
– Office
– Subway
– Rental & personal cars
• E-Discovery Act Implications?
The Legislative Trend
Legislative Uncertainty
The passage of any privacy statute is uncertain. But trends are developing that will shape emerging legislation.
Don’t expect preemption.
12 C.F.R. 30 Will Influence Legislation
Interagency Guidelines Establishing Standards for Safeguarding Customer Information
Set forth standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p-1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
• 110th Congress, 2007, Sen. Leahy:
– Personal Data Privacy and Security Act of 2007
• Requires data brokers to disclose information held on individuals.
• Requires companies that have databases with personal information on more than 10,000 U.S. residents to implement data privacy and security programs.
• Increases criminal penalties.
• Makes it a crime to conceal a security breach.
• Requires government to establish rules protecting data privacy.
U.S. Federal
• 110th Congress, 2007:
– Data Accountability and Trust Act
• Authorizes the U.S. FTC to write data privacy requirements for businesses.
• Mandatory vulnerability assessments.
• Policies for obsolete data disposal: feasibility study for standard processes.
– Includes paper records.
• A data breach would result in an FTC audit of security practices.
• Administrative, technical, and physical security controls.
• Identify reasonably foreseeable vulnerabilities.
• Enhanced punishment for ID theft.
U.S. Federal
• 109th Congress: Specter-Leahy Personal Data Privacy And Security Act of 2005, S. 1789
• Increased penalties for electronic ID theft.
• Section 102: Adding fraud as a predicate offense for RICO (Racketeer Influenced Corrupt Organizations), recognizing organized crime.
• Section 103: Making it a crime to conceal ID theft.
• Give individuals access to, and the opportunity to correct, personal information held by data brokers.
• Require entities with personal data to establish internal policies that protect data.
• Require that entities notify consumers of a breach, as well as law enforcement.
• Prohibits companies from requiring consumers to disclose Social Security Numbers.
• Authorizes $100M over four years to help state law enforcement fight misuse of personal information.
U.S. Federal
• Data Security Act of 2006
– National data protection and breach notification standard.
– Impacts financial institutions, retailers, and government agencies.
– Requires timely investigation of security breaches.
– Law expands the reach of current laws, both state and federal, that require only financial institutions to protect personal information.
– Modeled after the Gramm-Leach-Bliley Act of 1999.
– Failure to comply:
• Levy fines
• Impose corrective measures
• “Even bar individuals from working in their respective industries”
• H.R. 1263: Consumer Privacy Protection Act of 2005
– “… (2) Policy … shall be … approved by the senior management officials”
U.S. Federal
• H.R. 620: Security Measures Feasibility Act [addresses driver’s license and ID cards, assesses cost to states for security]
– Establishment of State motor vehicle databases that contain all fields of licenses.
– [A report to Congress states that] any recommendations … that the Comptroller General considers necessary to better protect the security of driver’s licenses and identity cards issued by states.
• This could have significant legislative impact and, eventually, commercial impact.
States & Privacy
Many entities make the mistake of mapping privacy policy to 1386
State Legislation is Proliferating, Changing
California: Established the precedent, SB-1386.
– SB-1386 Safe Harbor: businesses may forgo consumer notification if the information contained in the breached database is encrypted. The exemption turns on the data having been encrypted when it was taken; a breach that also exposes the decryption keys leaves nothing for the exemption to protect.
– SB-1297 and paper
Arkansas: Act 1526 of 2005, Disclosure of Personal Information to Consumers Notification Law. Similar to 1386 but includes Medicare information.
Indiana: Addresses government agencies only.
Montana: Broadens the range of personal identifiers.
North Dakota: Similar to 1386 but includes DOB and mother’s maiden name.
Washington: Similar to 1386.
Georgia: Applies only to data brokers such as ChoicePoint.
New Jersey: Identity Theft Prevention Act requires destruction of unneeded customer data; limits use of social security numbers sent by the U.S.P.S.; consumer notification.
Louisiana: Database Security Breach Notification Law. Consumers must be notified, as well as state government officials.
Illinois: Personal Information Protection Act. Does not require state government notification.
New York: Information Security Breach and Notification Act. $150,000 fines; disclosure timeframes vague.
Wisconsin: Includes DNA profile. Requires notification for unauthorized access, even paper access. Also in North Carolina.
States
Notification Triggers Variable
• California: no threshold triggers. All California residents must be notified
• In some states, notification required only when there is reasonable likelihood that the information at risk will result in harm
• In California, businesses are required to notify only those affected by the breach. In other states, only consumer reporting agencies must be notified.
• In New York and North Carolina, businesses hit with a security breach must notify the Attorney General’s office.
• In New Jersey, the State Police must be notified.
• The trend is toward legislation that protects the consumer.
• Multiple complex state laws encourage more federal legislation in order to reduce regulatory and trans-state conflict and jurisdiction.
International: Section 304 of H.R. 1263
• Harmonization of the International Privacy Laws, Regulations, and Agreements
“... the Secretary of Commerce shall provide notice of the provision of the Act to other nations, individually, or as members of international organizations or unions that have enacted … information privacy laws, regulations, or agreements, and shall seek recognition of this Act by such nations…. The Secretary shall seek the harmonization of this Act with information privacy laws … to the extent such harmonization is necessary for the advancement of transnational commerce, including electronic commerce.”
International: Fortress India
• Fortress India is an initiative backed by the National Association of Service and Software Companies (Nasscom) in response to U.S. legislation and interest in protecting U.S. information overseas.
– Background investigations are difficult in a nation hampered by a lack of online databases and high attrition rates.
– Fortress India, as an element of Nasscom, wants to change this security and privacy dynamic.
– At ICICI OneSource, a call center, employees swipe ID cards to enter the center and empty their pockets of cell phones, PDAs, pens and notebooks; calls are monitored and recorded; data is guarded.
Contact
MacDonnell Ulsch
One Liberty Square
Boston, Massachusetts 02109
(617) 428-7705