the technological fight against organize fraud




1 download


Page 1: The technological fight against organize fraud
Page 2: The technological fight against organize fraud
Page 3: The technological fight against organize fraud

The technological fight against

organized fraud

2011 Summer Course Rey Juan Carlos University

Aranjuez, 4–8 July 2011

Page 4: The technological fight against organize fraud




Miguel Salgueiro / MSGráfica


Gráficas Monterreina

Legal Deposit: M-22831-2012

Page 5: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo �


INTRODUCTION ........................................................................................................................................................................................ 5 Santiago Moral Rubio

PROLOGUE ................................................................................................................................................................................................... 7 Pedro González-Trevijano

SECURITY AND BUSINESS: THE HEDGEHOG’S DILEMMA ............................................................................................... 9 Alberto Partida

ANTI-PHISING WORKING GROUP .................................................................................................................................................. 15 Gary Warner

THREAT HORIzON: IDENTIfYING fUTURE TRENDS ........................................................................................................... 21 Adrian Davis

THE RISK Of THE UNPREDICTABLE: “THE BLACK SWANS” ........................................................................................... 27 José Antonio Mañas

ROUND TABLE. NEW THREATS ....................................................................................................................................................... 33 Taking part: David Barroso fernando García Vicent Juan Jesús León Cobos Elena Maestre García Alfonso Martín Palma Rafael Ortega García Tomás Roy Catalá Juan Salom Clotet Marta Villén Sotomayor Marcos Gómez Hidalgo Modera: José de la Peña

Page 6: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�

The technological fight against the organized fraud 2011 Summer Course

THE RISE Of CYBERCRIME: HOW LAGGING SECURITY MEASURES fUEL THE GROWTH IN ORGANIzED fRAUD ................................................................................................ 45 Richard Stiennon

fROM HACKING TO ARTIfICIAL INTELLIGENCE .................................................................................................................. 51 Víctor Chapela

LEGAL CERTAINTY AND CRITICAL ASPECTS Of DATA PROTECTION ............................................................................................................................ 57 francisco Javier Puyol

THE LAW Of PERSONAL DATA PROTECTION IN MEXICO ............................................................................................... 63 Ángel Trinidad zaldívar

DATA PROTECTION AND THE NEW TECHNOLOGICAL CHALLENGES ..................................................................... 69 Artemi Rallo

ROUND TABLE: PRIVACY IN “THE CLOUD” ............................................................................................................................... 75 Taking part: Manuel Carpio Cámara francisco Javier García Carmona Guillermo Llorente Ballesteros Idoia Mateo Murillo Justo López Parra francisco Javier Puyol Carles Solé Pascual Modera: Esperanza Marcos

UNDERSTANDING AND MANAGING SAAS AND CLOUD COMPUTING RISKS ....................................................................................................................................... 85 Tom Scholtz

THE DARWINIAN COEVOLUTION (AS A STRATEGY IN THE TECHNOLOGICAL INNOVATION APPLIED TO RISK MANAGEMENT) ........................................................................ 91 Santiago Moral Rubio

PHOTO GALLERY ..................................................................................................................................................................................... 97

Page 7: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo �

echnological globalization has led to a breakthrough in the participation of citizens in processes of public administrations and businesses that

provide them with services, but the same risks that exist in the real world have moved to this field.

The crimes of low intensity, without harming people or their property, were unprofitable in the physical world and therefore are little persecuted; however, technological globalization makes that they are profitable and continue to be of small risk because of the international technological anonymity. Therefore, the risk morphology changes as the parameters of profitability change and that makes now phishing profitable as it is anonymous and massive.

Risks change and the way to manage them change. The same technologies that have allowed creating this globalized world must be used to manage the new risks existing in the virtual world. for example, one of the emerging risks is the ease of transmission and replication of the personal data of citizens.

In order to talk about all this, the Research Center for Technological Risk Management convened a Summer Course (within the framework of Summer School at the Rey Juan Carlos University) that was held in Aranjuez (Madrid – Spain) between the 4th and 8th July 2011 inclusive, with the active participation of almost 100 attendees and some of the main speakers at the global level in this field.

Now, in this publication, we transfer to those interested the transcription of the papers presented at the Summer Course.


Santiago Moral Rubio(Director of the Summer Course “The technological fight against organized fraud”)

Page 8: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�

The technological fight against the organized fraud 2011 Summer Course

Page 9: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo �

hat two major institutions of the economic and financial and academic life, as BBVA and the Rey Juan Carlos University, put together their

experiences and, above all, the qualification and competence of their teams, to create experiences of training, research and innovation, could only be the advance of great and encouraging contributions to the scientific community. Thus was born the Research Center for Technological Risk Management.

Under the leadership of Santiago Moral Rubio and francisco García Marín last July the course “The technological fight against organized fraud” was held within the summer courses that the Rey Juan Carlos University holds annually at the Royal site of Aranjuez. The response of the scientific and academic community was massive. The participant’s level was extraordinary. And the result of work, rigor and the seriousness of the summer experience of 2011 is today reflected in this magnificent volume.

The need to respond to new formats of risk and fraud, adapted to a global technological reality, is a genuine requirement of an also universal life experience. The significant of the contribution that this work contains is the ability of academic institutions and centers of research to detect problems, build effective solutions and responses and, straight afterwards, transferring this knowledge to the society.

The Research Center for Technological Risk Management has become not only a leading resort in this area, but also an example of the intense collaboration that universities and companies can and should undertake in a historical setting more demanding. But, above all things, an exciting and motivating environment; an environment of opportunity and challenges for energy, the reflection from the analysis, and creativity. I am convinced that the work of the Research Center for Technological Risk Management will continue to bring, in the immediate future, new grounds for satisfaction like this magnificent work.


Pedro González-Trevijano(Rector of the Rey Juan Carlos University)

Page 10: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�

The technological fight against the organized fraud 2011 Summer Course

Page 11: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo �

he philosopher Schopenhauer baptized the expression “hedgehog’s dilemma” to explain, in his view, how the personal and social relationships worked.

According to his research, the human must assume the following paradox: find the collective heat necessary for our survival and avoid any damage that might arise from such interaction with others at the same time.

As the hedgehog that seeks company, but must avoid spikes of others hurt him or do so with their own. Hence I could also explain the perspective from which I took, five years ago, the challenge of creating a security team that was in tune with the business; and the reason why I decided to write a book.

The challenge has been to find a way in which we avoid the damage of the respective “quills” between business and security, seeking at the end more similarities in the interaction of the penguins, species that can reach intimacy more than hedgehogs as they don’t have spikes and have no fear to hurt or be hurt.

The first change I assumed in the definition of my security team was to modify the original name, from “security administration team” to “operational security team”, where we took on the security of the information on production systems; but maintaining the challenge: achieve a harmony between the security team and the business.

Alberto Partida(Security specialist Author of the book “IT Securiteers. Setting up an IT Security Function”)


Page 12: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo10

The technological fight against the organized fraud 2011 Summer Course

To achieve this, the issue must be addressed from two perspectives: one, scientific or methodological (analyzing filters, methods and the steps to take in the next stage) and another, human (focusing on the need for a multidisciplinary team, that work with passion and motivation and fight for innovation).

The methodological element: the method and � filters

Understanding the organization, adapt to their culture and harvest successes… or at least limit the level of frustration. This is what we want to achieve, and for that we need a method.

And the method is based on the following formula: Vulnerabilities x Threats – Measures to mitigate = Risks (VxT–M = R).

The impact and the probability should be taken into account (very used terms for each of the risk situations), and also the malice of the attacker, though many times we overlook it.

And finally, we find the existence of a ratio, referred to the relationship between the benefit that the attacker gets and the risk to carry out that attack, which is often very unbalanced, as in the case of the attacks from Anonymous, where the attacker assumes a minimum risk compared with the benefits he is looking for. This ratio is much more even in physical security.

At this point, we can deal with the existence of five filters, which I prefer to call “1 + 3 + 1”, to explain the risk scenarios that we must deal with.

The first of these refers to, on the one hand, the fact that real threats are equal to the detected, ignoring those that we believe are real or pretend to be (hence the importance of monitoring); and, on the other, consequently, that the real opponents are likewise the detected ones.

In regards to the second filter, impact and ratio between benefit and risk, this means working in the organization with risk scenarios which have a high impact, but a very low risk for the attacker.

The third filter talks about resources and complexity, and the need to be “friendly” to the client.

In this sense, of all risk scenarios, we must deal first with those requiring less amount and complexity of resources, and those that do not harm or weaken the daily experience of the user or client; i.e.: “what can we do with few resources and at the same time not damaging the life that the client had”.

The fourth filter refers to getting to have a positive image of the security team, within the organization.

And, finally, the fifth filter is related to the need to be very realistic, complying both with requests from the Management team and with the regulation.

And… how do we comply with these five filters? The answer is simple: with a suitable method, that will make us go “step by step”, and that is simple and limited in time.

Page 13: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo 11

Although it is somewhat shocking, the first years only 40 percent of the resources have to be planned; and when it comes to the technical elements to protect, these must be: networks, systems, applications, data and identities.

The human element: Professionals with passion

Although so far we have dealt with the methodological element, with the need to resort to a method and overcome the five filters exposed before, we will now enter in the idiosyncrasy of the second element which I meant to achieve the necessary harmony between the security team and the business part, which deals with the human component.

Here we return to the metaphors of hedgehogs and penguins to refer to human relations and the need to strengthen ties with others, with other departments in this case, while the spikes of none of them hurt the counterpart.

I believe it is essential to have a highly qualified technical team, either people of technical profile or who have many years of training that support their knowledge.

But we don’t remain there... is crucial to bet on multidisciplinary team capabilities to avoid being isolated in the organization. This, in essence, means to establish ties with other departments and areas, those to whom we communicate our work and our goals to achieve that greater harmony of which we speak from the beginning.

Avoid being separated from the rest, and that no one can say that of “there those of safety are…” as if we were entities out of the business.

We also need experts in public communications or marketing. They are essential for a security team, and are in two dimensions: in all their professional practice, which can be applied within the team; and also as conduits of these new perspectives for the group members, to whom they can gradually provide new ideas in these scenarios of marketing and communication... because we also need to advertise our message and our tasks.

And not only that, it is also a priority to count within the team with other profiles, such as statisticians, economists, business people, etc. However, I must admit that I have not seen teams where there are other profiles besides the technical, though I firmly believe that a varied set will give much better results to the organization.

When creating these multidisciplinary teams, I propose two models to follow, and a common slogan for both: “share, respect and mobilize”.

for me, sharing information is essential to go deeper into internal consistency and success of results. The concept of “mobilize” is also a priority, rather than “motivate”, because this latter term is a term more focused to the personal sphere and is something that only can be owned on an individual basis, is not something that can promote from the team. That’s why, I refer more to “mobilize” and the respect for members of different origin.

Page 14: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo12

The technological fight against the organized fraud 2011 Summer Course

In this context, the first model can be summarized in one sentence: involve in the group people who benefit from a degree of balance among all aspects of his/her life, professionally as well as emotionally and socially.

It’s about paying attention not only to the professional aspects of the team members, but also to their dimension as human beings.

We must take into account the balance between their personal and emotional life, because that will decisively influence in his/her professional side; so that organizations that do not take into account this model to select the members of their department, can discover later problems arising from the interaction among their members.

And it is that there are very good people at a professional level, but with very few resources in the other two fields, and vice versa; and what we need is someone who keeps a certain balance among these three areas of his personality. This is what will lead us to the success of the team; without it, it won’t be possible.

On the other hand, the second model meets its crossroads in the passion with which we perform a specific work… the crossroads between what you like to do and what you are good at making.

And based on that premise, find that “something” that the market requires and that can be adjusted to what the professional, and the group of professionals, can offer.

It is, in essence, a very simple model, and that can serve as a guide to decide in what area or scenario to specialize.

More than one leader and continuous learning

At this point, I would like to transfer another key message: we must avoid having a single leader, and count, on the contrary, with the collaboration of two or three people who assume that role in a collaborative way.

The explanation is simple: the leader work is quite tense and always will require to have two or three close partners to achieve his/her goals, among which we can mention some very significant: identify persons who do not have much motivation and, perhaps not so many priorities, to help them to find the way that takes them to be closer to the segment of the group which is really motivated.

Thus, they will be helped to develop new skills, so they can reach, even, what we call the “critical mass of the team”, which are those members with great skills, motivated and who set the pace of work to all.

Because of that, precisely, models like those outlined above should be applied, so that these members remain in the team, and do so as members of quality.

In parallel with everything explained so far, and as we also advanced before, we must not forget the significance of sharing knowledge among all members of the team, which is what will make the group strong and consolidated.

Page 15: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo 1�

We may share both, the knowledge obtained by academic training, and the accumulated as a result of long years of professional experience.

Learning among members will be constant, thanks to the communication in all directions and regarding all the tasks to be performed. And it is that the set will grow when they learn from each other; otherwise impossible.

But to achieve this and reach the harmony between the security team and the Management we have been talking about from the beginning, is essential also, and now we talk explicitly about the role of Management, that it supports the actions of the team, either with adequate budgets, with technical resources, with more provision of personnel, etc.

If this doesn’t happen, the degree of frustration of our staff may increase significantly.

Five provocations to the audience

To continue, and like a kind of “alternative ideas bank”, I propose to the audience the following “five provocations”.

The first of these has to do with the possibility of considering your CERT as your team of “guerrilla marketing”. And to illustrate this option, and although they are not in our sector, I am telling you some recent examples that I found: placing a Mercedes Benz vehicle at an European airport, so the public try it and get acquainted with its performance; or giving out the typical yogurt, for example, when leaving the subway early in the morning, inviting us to be potential consumers.

The idea is to apply this to the incident security team.. Not that we give out yogurts, but take care of our incident response team to become our most powerful marketing tool inside the organization.

When a security incident occurs, the people is disturbed in the company and need to know where to go and, even more, have a sense of protection, so that everything is controlled. If you prepare the ground, if you are clear about the elements to be taken into account and if, moreover, you’ve bet on a marketing component, everything improves.

It is similar to what happens in physical security, which when a disaster happens, the emergency services arrived at the place of the incident dressed with a particularly striking clothing, such as reflective vests. Everyone focuses on them and trusts on their instructions.

The second provocation to which I refer is what I call “the graffiti effect”, or the power of images.

I will give an example: a few months ago I noticed that in the public baths of a palace of conventions someone had stolen the toilet disinfectant dispenser; and when I returned, a few days ago, it was still without replacement. The situation remained equal, and that means a devastating visual effect when it comes to trust on, in this case, the cleaning of these baths. I call it “graffiti effect”, because it’s like thinking about a clean wall and another full of graffiti… Which of the two invites to make a new one? In which does it feel it won’t matter that there is one more?

Page 16: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo1�

The technological fight against the organized fraud 2011 Summer Course

It is the same thing that happens with the security team. It is important that their facilities are professional and attractive. In addition to other details which benefit obtaining a better image, both inside and outside the organization, educating employees about passwords, take care of confidentiality, avoiding confidential papers on the tables and things like that…

When it comes to the third of these five provocations, this is the one regarding using social connectors, as they are defined by Malcolm Gladwell in his book “Tipping Point”. In the book, the author refers to some characters, the social connectors, though not being members of the Management know all employees of the organization and have a high degree of connection with all active agents of the company.

The proposal is to identify these people within the company, and invite them to join our tasks, not as part of the team, but as facilitators and transmitters of the messages that we want to bring to the members of the corporation.

They will help us to make the employees, suppliers or customers aware of everything that we have decided to implant within the company. for example, we can give them a confidentiality filter for their laptop, being sure that they will recommend it to their colleagues; or invite them to an attractive seminar where they can just take away something tangible related to security, or teach them to create a strong password.

The idea is to take advantage of what we have in the smartest way, peer to peer communication, take advantage of the communication and the information that flows at the same level, never as an imposition.

On the other hand, the fourth provocation focuses on what is known as “the power of free”. No one can abstract from the attraction that everything that is free exerts on us. If we give away encrypted memory devices or display protectors, surely we will have its use assured.

finally, the fifth provocation refers to the axiom that “security may not be destructive” because if this is our attitude towards the organization we run the risk of isolating ourselves. It is more important to be present in key projects of the organization rather than complete your own particular one.

In short, and as a former professor said, business exists to do business, not to do security, except for the security business, which is why we should always not lose sight of the lesson of humility and be aware of the fact that, like everyone, we are also dispensable.

In this context, and to recap, if we want to successfully develop our work as department of security, and find that harmony which we talked about, we need a few methods, filters, some steps to follow, and a multidisciplinary team, with passion, motivation and desire to innovate.

Page 17: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo 1�

will start my presentation with a reflection: although it seems that people always prioritize the economic factor, and what criminals are looking for is always money, I

really believe that there is a much more important factor: reputation.

Recently I asked a Senator in the U.S. If he has ever got a phishing attack and he said yes. He told me what bank was supplanted and I asked him his opinion about what should be happening to his bank allowing such attacks against its brand. And he replied that most certainly those at the bank were not aware that they were under attack, because they otherwise wouldn’t allow it.

I think that good reputation is more important than all the gold in the world. And the reputation factor is what we must consider when we allow a

phishing attack to continue or not. It’s that and the impunity that benefits the wrongdoers.

We analyzed 85,000 phishing websites of affected banks… And do you know how many of the criminals go to jail? Only 1%, which means that for the remaining 99% is worth committing these crimes.

There are three areas to which we attach special importance within our working group:

The Training of the professionals that tomorrow will fight cybercrime (which will be even more complex).

The preparation of the best tools and most effective techniques in this fight, helping also the special units of the law enforcement and security

Gary Warner(Director of Research in Computer Forensics.The University of Alabama at Birmingham)


Page 18: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo1�

The technological fight against the organized fraud 2011 Summer Course

agencies (we work very closely with the specific unit of the FBI for these matters).

Educating the public in existing cybercrime threats.

In my laboratory we have 35 jobs and organize them in three different zones: one for spam and phishing, another one for malware and forensic analysis and then the research part.

The latter is where the students really relate with the law enforcement and security agencies, learning what’s important and where to focus first when detecting signs of cybercrime.

And based on all the data that we handle there, they learn to perform and formalize an investigation in this scenario.

We have a spam project, where we have recovered more than 500 billion emails that we have already made available also for the law and security enforcement agencies. There we work on how we can identify malware in order to know who the criminals that have sent these messages are.

We have a specific computer for cybercrime, with 14 dedicated servers and another ninety something to store information, and with them we do analyses and studies and give support to the law enforcement forces. We also work with the drug enforcement administration, even with cybercrime bodies in Germany or the Netherlands.

To carry out our work, we must analyze many processes to determine if it is a phishing website. And if we succeed, then, automatically, we look

for a phishing record. We start the manual search and try to figure out the relationship among this phishing site and other phishing websites that we have seen in the past.

It is important to know the relationships among the various phishing pages, because, as we like to say here, not all criminals are equal, and if we understand the relationship among the websites, we will understand also what kind of criminal we are facing.

for example, recently we discovered a curious case in a bank of Alabama, where a Nigerian man took advantage of copies from the month of february, considered as the black history of the bank, to make phishing against the bank. We had everything from him, his facebook page and we knew who his friends were.

It also happened to us with a phishing to Bank of America, that have in their department more than 800 detected phishing websites against their bank, and there we did make a hard work to relate all of those websites.

Seven steps to a phishing research

As I said, we try to find the relationship among the phishing web in question and the others where we have detected the existence of an affinity relationship. We introduce what we are being asked for (user id, password, answer three security questions, enter again the email address and then a passkey…) and we start to realize that a true website doesn’t work like this.

Page 19: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo 1�

The operation is simple: when the website gets what it wants, it sends us to the bank website and when we wonder who has sent us there, we can see the files on the server. And then we can detect how many phishing websites have 100 victims and how many have 1,000, for example. And we can also identify the customers who have visited the phishing website.

What we do, basically, is to follow in seven steps the methodology that we have created for the investigation of phishing. first we prepare an electronic program that is sent to the client and then analyze the file in question. Afterwards we try to determine how this website relates to the other websites that we have seen earlier and then we look at the logs, both on the website of the victim as well as on the phishing website. That’s when we are able to identify who has been sabotaging the website to introduce the phishing data.

We then find a lot of information on the offender, who is the one introducing most data on the phishing website, because he wants to make sure it’s working. In fact, the first address we see is nearly always the IP address of the attacker. We may collect all logs in different websites and we can see the same IP address for different phishing websites.

As I said at the beginning, in the U.S. we work very close to the law enforcement and security agencies. They usually handle lots of data, but they often do not know how to process them, and then we do it with our tools, in our laboratory. By looking at the accounts in Yahoo, Hotmail or Gmail we find out who the victims are.

In the last part of the research what we do is open source intelligence, making an analysis of the file. We can take as an illustrative example a phishing website that operated against BBVA. It was designed from a hotel in Barcelona, whose website had been sabotaged to operate as a phisher of BBVA.

On this website we discovered the emails of the criminals, who use them to steal the credentials. following the investigation, we find the same phisher and email address in 8 different websites. In other researches we found phishing attempts with similar characteristics in 29 different websites.

With this we demonstrate that when someone makes a phishing research on their brand, often they are so focused on it, that cannot imagine that the same offender is also attacking the competition.

On the other hand, we should pay attention to the errors committed by criminals, because they do commit them, and many times these errors are crucial to find them.

We had a case of a phisher who organized more than 100 phishing websites. And he thought that his secret address was safe, but it was not so much and from the group we managed to identify him. We also managed to identify all sites or websites of phishing that he had changed and the email accounts he was working with.

Page 20: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo1�

The technological fight against the organized fraud 2011 Summer Course

Success in research

fortunately we can say that there have already been quite a few successes which support our work and our dedication in the fight against anti-phishing. With our collaboration more than 70 people who were carrying out fraudulent activities in different countries of the world were arrested. And in another recent research we detected criminals in Romania and Spain, among other countries, dedicated to make phishing websites.

Another research that I would like to highlight is one that we carried out in the U.S. and ended with the detection of a person that he had been living in Egypt and on his return to the U.S. he began to work as a translator of Arabic.

During his stay in Egypt he met many people, and it seems that almost all of them were offenders, and when he returned to our country deployed a complex network of collaborators of first and second level, in different States, such as California, Nevada, Carolina, etc. These second level connections withdrew money from ATMs with a false identity and were seding money to Egypt.

After a period of research, we managed to have pictures of each and every one of these people. There were 33 people involved within our borders and over 100 worldwide. At the end the plot was stopped and the ringleader and he got 13 years in jail, for crimes of phishing and, by the way, also by cultivation of marijuana.

In 2011 we also investigated the case of three corporations, against whose brand more than 500

phishing websites were operating. It was also one of our most important investigations and we got breakthroughs with it.

In any case, what we always like to say, so everyone is aware, is that offenders are also successful. They can intercept money very easily with the user id and password.

Having said that, what matters is not so much that websites are designed, because of these we can find hundreds of cases. What matters is that these sites end up getting what they were designed for: illicit money.

Malware, more expensive

In addition, I also wanted to comment on the matter of malware, whose vulnerability cases end up being more expensive than those caused by the phishing.

According to some studies, for every dollar lost in phishing, three are lost in malware. One of the most advanced is a keylogger called zeus, which (once the keyboard activity is detected) can take remote control of your computer without much problem.

However, for this type of fraudulent techniques, in the part of the investigation we have others that can counteract its effects. for example, there are options to get the website to detect if you are using a computer other than the usual and alert you in such cases.

for example, it happened to me just yesterday. I wanted to send money to my daughter, and it told me that I was in a computer that wasn’t mine and

Page 21: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo 1�

asked me another way to confirm my identity. I introduced the other passkey and I could perform the operation. But the important thing is the warning I got saying that I was operating from another computer, putting one more barrier when it comes to move my money.

Device fingerprints

In parallel, we are also faced a vulnerability where a technique called “device fingerprinting” appears. And how we detect fraud in these cases?

In the U.S. we have suffered some attacks in this respect. And more than 40 people have been arrested between New York and Ukraine, who had managed to steal more than 200 million dollars.

The work dynamics in this case was very simple. A webpage giving problems to the user was accessed and the user was recommended to use a support telephone number that appeared on the same phishing webpage in order to solve these problems. The offender directly answered the phone and he asked for different information which then took the opportunity to use it in the phishing page. If we’d have been able to set up the configuration file this phone number would never show up.

On these configuration files, one of the first steps that should be taken into account is to confirm if other banks are in the same configuration file because they are suffering from the same offender. And perhaps those could afford more advanced intelligence resources and could help us to see who “the bad guy” is and how to arrest him.

A vulnerable end user

It is true that a phenomenon such as phishing, which relies on social engineering, can only be prosecuted with the technological risk management. Particularly significant here is something that sometimes we forget, and it is that phishing depends on and is based on the existence of a vulnerable end user. As long as there are humans who make mistakes and don’t pay all the attention that these especially controversial situations deserve, risk will always exist.

At the Anti-Phishing Working Group we have worked and will work to prevent this lack of awareness. And we will always try to make the banks aware of the messages they are sending. We must achieve a level of security, because of technology and tools, and the awareness of the banks themselves and their users, allowing us to defend from criminals. So, even though these know our user ID and password, cannot steal the money so easily.

Conferences and meetings

The Anti-Phishing Working Group was set up to share information, and that’s what we do at our regular meetings. We plan two major Conferences a year, and another General Summit between October and November. And, in addition, we hold our eCrime Researchers Summit, and the various local Committees, where we invite you to participate from here.

Page 22: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo20

The technological fight against the organized fraud 2011 Summer Course

Page 23: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo 21

et’s talk about the future as a reality, as something that is concrete and that is already here, and we will be in a better position to understand why we are

concerned about it and what are the threats and risks that await us in the Information Society.

But talking about the future is talking about globalization. We live in a globalized world where borders no longer exist, where information technology management, or even malware management, can be outsourced.

There is a very interesting book which I recommend, it is called “The World is flat: a brief history of the globalized world of the twenty-first century”, by Thomas friedman, that is very illustrative for this purpose and that speaks precisely about this, the absence of borders and a new way of understanding the world.

Things have changed a lot in recent years. Companies have done it by moving freely from some countries to others and expanding their supply chains. And this is still changing constantly. Just like supply chains and information security threats and risks.

Also, the relationship with suppliers has new features. Now more than ever we must trust the provider, so they do what you want them to do, and even the most important, do what they say they’ll do, or that they are doing. And that’s the big difference.

But the supply chain, in this movement for change, remains a critical component for organizations, its information remains of vital importance… and these changes make us lose also much of the information about it, we know less about how it works and operate.


Adrian Davis(Principal Research Analyst. Information Security Forum - ISF)

Page 24: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo22

The technological fight against the organized fraud 2011 Summer Course

So that we are also facing a very important issue: How can we audit “the cloud”, taking into account that the cloud environment is constantly changing and is not a static system?

Everything has changed, and what’s our problem? If we have many problems and succumb, the company succumbs and it will be a catastrophe, we will be heavily fined if we don’t comply with the regulations already enforced…

How do we tell our colleagues and partners that the important thing is still the information? We have to be careful so the same that happened to the boy crying wolf so many times does not happen to us, the day when the wolf really appeared nobody believed him.

Everything is information

We see how the way we work changes and how we are entering another dimension, which has its own threats and its own problems. We have to be prepared, must pay close attention to what might happen, regardless of that occurring, or not.

Progress is measured according to its utility and its popularization. In 1876 the telephone was not helpful because there were very few and the communication capacity was very scarce, but now we cannot live without it.

Just as the social networks do, which extend their tentacles more and more and establish more and more relations among us. In any environment, information is related to information technologies and these are becoming the center of our live.

The work of ISF

And at ISf, what do we do to help understand this changing environment? Very simple: we collect information, talk to quite a lot of people of very different profiles and thus we approach legal, economic, cultural, political and technological factors, etc. and manage to have a more complete view of the world that lies ahead of us.

Thus, we may know what the most important threats for the information security will be and how they will relate to the changes that we will suffer in the society in the near future.

And we share all this information with the sector through the reports we publish and the meetings that we hold. I particularly have the luck to have managed this project from the last four reports.

We hold several meetings a year and there we ask what the new technological trends will be. In Spain we will hold a call for the Regional ISf Chapter in March in Madrid; and there, among other topics, we will talk about the security in industrial environments, the protection of critical infrastructures and the work program of ISf for this year.

As I said, in these meetings we speak with people who work in manufacturing, banking, health care, and also talk with the World Economic forum and futurists (I highlight here a book entitled “The next 50 years”, which is very interesting); and then we put everything in common in our annual Congress, to be held from 4 to 6 November in Chicago. And it is from there when we gather

Page 25: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo 2�

together the final information and the correct data to begin drafting the report.

What we are seeing is that in United Kingdom, also in the U.S. and, above all, in the European Union an effort is being done to integrate, more and more, information and privacy regulations.

In the European Union, on May 1st, 2011 the so-called “cookies law” came into effect, which says that the information of people who visit the web cannot be stored on cookies, unless expressly allowed.

In the United Kingdom, for example, if personal information is lost, our Data Privacy Office can impose a fine of half a million pounds each times this privacy is violated.

Most important threats for 2011

We know many anonymous attacks and many are simply caused by errors, which could be easily remedied. for example, because we do not have the patches installed or because we don’t update the servers correctly. And this is what we know, because after we have the unknown, and what criminals can do.

And an environment that most certainly is not safe from the attacks of the cybercriminals is “the cloud”. More and more business migrate some of their platforms, or even critical systems, to “the cloud”.

In view of this, what are the main threats in the Network? What does it work now against us?

On the one hand, the illusion of borders does. We are now connected to many more people and do not even know that we do. We have all kinds of electronic devices, connected among them and with many other people, so that there is no longer a wall behind which we can hide our privacy.

On the other hand, another threat on the Internet is the existence of weaker infrastructures. We depend on many organizations to make our business run well and to keep in touch.

These sometimes have problems, and if they have problems, then our business suffers too. for example, if the Internet connection doesn’t work, we must wait for the ISP to stat up the backup system so the system failure affect us as little as possible.

Moreover, laws are often written with much delay. When they are approved, the threats against which the regulation was imposed have evolved to another level, what makes this regulation obsolete soon.

And we are not evolving either at the same pace as the cutting-edge technologies do, such as geo-location, or key business aspects as supply chains, increasingly weaker and more relocated.

Other important threats are also the increased number and sophistication of criminal attacks, the increasingly stricter rules and the characteristics of the outsourcing/offshoring environments.

A note about the malware on mobile phones: we have barely encountered this threat because

Page 26: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo2�

The technological fight against the organized fraud 2011 Summer Course

criminals do not find this scenario attractive. But that is only a small part; the important thing now is for us to avoid losing the phone with sensitive data inside.

In London, every day up to 10 mobile phones are left forgotten in taxis, with very important data of the companies for which their users work. We must protect these devices, increasingly focused on the business and with increasingly confidential information.

On the other hand, the business continuity plan becomes essential if we are to avoid major complications later. The cost of data loss per person per year for a company reaches $75, so if a company loses data of, say, 100,000 people, the cost is very high, and this is regardless of the fines, audits, etc.

And it is that the rise of what we now call “digital human rights” is unstoppable. The right to be connected or to freely surf the Internet is already an acquired right that nobody is willing to lose. It is an interesting topic nowadays, and it will be more when the other countries of the world participate also in this connection.

When Africa or Asia are truly integrated into our networks and claim the same role. And there we will have to solve a quantitative problem, because we will incorporate into our “cake” many millions of people. There will be many opportunities, but also many threats.

And in the middle of this picture other topics will explode, such as Internet of things, devices that

speak with devices without human intervention; and the shortening of the supply chain. We will no longer depend on a single source of supply, but from multiple sources. And it will be important to detect what will be the critical suppliers for our business.

Four categories and � important points

We can speak of four threat categories depending on whether we know them or not: that referring to those we know and that we can do something to work with. The things we know, but we can do nothing to avoid them. We also have threats where we have no idea. And, finally, those not considered by anyone but that can cause much harm to the organization.

In essence, we must take into account: People are increasingly less loyal to the companies. There are environments that we cannot manage or control, like social media. The requirements demanded by different governments. Offenders’ optimized ways to deceive and earn more money. And, finally, we have our particular “Black Swans”.

Then, what can we do? Start planning now. Work to make our systems more secure. And we will do so by following a few simple steps. first we have to look at the risks that can affect our organization and information, and then look at the threats that could harm us most.

And once we have common ground on that, resort to using technology, and not only known technologies, but also those emerging that can

Page 27: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo 2�

provide us with an extra protection. We must also have the necessary patches and updates, and pay the attention it deserves to identity management.

And of course devote more resources to training and knowledge. Some data regarding this point: most organizations spend around 4 % of their budget on information security; but the companies that work better, with greater benefits and usually with fewer incidents, spend between 15% and 25% of their budget on programs of knowledge, because they think that it is what gives best results.

� deadly sins of the cloud

I’d like to list below the most common problems that exist in “the cloud”, which we also call the “7 deadly sins of the cloud”.

The first would be to be familiar with what we want to manage after.

The second, we always have to know our responsibilities, because “the cloud” provider will sell us a service, but we will always be liable for it.

The third deadly sin is that we must understand very well what the provider will provide us and how we can measure it. We must be able to answer the following questions: are they doing what they say they are going to do? How do I know? And this is taking into account that evaluation in “the cloud” is different because everything changes.

The fourth deadly sin has to do with breaking the law, as we may be breaking a law in a given country and not know it.

The fifth is related to the chaos, disorder, what information is in “the cloud”, which is critical and sensitive and what I have to do with it.

Sixth sin is vanity. Thinking that your infrastructures are perfectly prepared for “the cloud” because you have installed firewalls and other tools, thinking that it cannot affect you…

And, finally, the seventh deadly sin is indulgence. We must ensure that our cloud provider has business continuity and disaster recovery plans.

And lastly, “consumerization”

Ultimately, we must keep in mind that the cloud technology has come to stay. It will not disappear and we must take full advantage of it. That’s why we must also educate our users to have more knowledge, and to see what devices we are going to support and what not, and what applications we are going to use and with what data.

We must make these decisions today, because if we don’t tomorrow we will be flooded with information everywhere and we have decided no strategy in this regard.

The best thing to do is keep up with changes. We must not intend to work as we do now. We must work towards business and because of business. And if business changes, we all change. Our world is going to change and we have to be prepared.

Page 28: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo2�

The technological fight against the organized fraud 2011 Summer Course

Page 29: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo 2�

y presentation has as a common thread the concept of the “Black Swans”, which as stated in the book of Nassim Nicholas, and as handled in

the sector, has to do with the impact of the highly improbable. The concept refers to those events that sometimes occur, but are not, at all, predictable.

Actually, adapted to our land, we should say “green dogs”, as when it was said in my town that “you are odder than a green dog”. However, this predictability thing is something entirely relative, sine what is predictable for some it is not at all for others.

I take as an example the Turkey we eat at Christmas time. Nothing could have led the turkey to think

that we will eat it on that date, being so happy and well cared. However, it is something totally predictable for the one who will cook the dinner.

Unpredictable with high impact

In this context of the unpredictable, the most interesting for us are the things and events that besides being unpredictable have a great impact on our Organization. So to understand how we arrived to this part, we can analyze how the risk analysis works according to the schemes of cold and hot areas.

Area one, the hotter, raises the existence of a high probability and high impact. They are things


José Antonio Mañas(Professor at the School of Telecommunications Engineering. University of Madrid)

Page 30: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo2�

The technological fight against the organized fraud 2011 Summer Course

that occur often and that, moreover, “hurt”. This is, undoubtedly, the first thing we have to face as the responsible people of security of our Organization.

As we descend down below area one, the high frequency of events remains, but not the impact, which is starting to decrease. We don’t usually talk about all this because it doesn’t have more effects, but they are what we can call “annoying flies”.

Approaching the warmer area, with less likely things and with less impact, the so–called level 2... here we must decide what we do and what we risk. We think of what benefit we get and look at, for example, what the competition does. In this section, our action is often solved by the regulator and the regulations that apply.

After these two areas, we would be at area three, where we come across with events that besides to occur rarely, also are not important. In my opinion, there is no problem forgetting these events. Or otherwise consider them “opportunities” rather than risks.

And the fact is that we always have to look at risk from the perspective of the benefit that brings us to assume it, it is always necessary to make a business estimate. You’ll take on a risk if there is a potential benefit; otherwise, you won’t.

finally we have section four, where the following two conditions take place: it occurs very rarely; but, however, it has a high impact if it happens. That is outlined in the expression “whatever comes, God willing” * in SME language. But if you

are in a bigger company, it is inevitable to be aware of everything that could happen even if it is something completely remote.

When you say very low probability is to talk about extremely infrequent events; those others not impossible, but never observed; and those that, although possible, we have tackled preventively to make them virtually impossible.

The latter refers to what is our action as responsible for security and boarding made on barriers of security, cryptography, centers of support, etc.

Although, be careful with what is observed. Because what we don’t see in a place or in an environment can happen in another. As the “Black Swan”, not observed in any place, at any time, and yet it appears somewhere else in the world.

Calculating probability?

At this point, the big question is if we can calculate the probability, if we can do a risk analysis, and if we can reach the “midpoint effect”, which is everything that occurs many times.

Here we must take into account that experience predicts only what is more likely and that the Gaussian curve requires lots of observations, which in my opinion leads to the concept of extreme uncertainty and tells us that it is unlikely to happen.

Thus, when we are talking about a singular object, there is no valid statistic and here we are not able to predict. And with regard to that experience

Page 31: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo 2�

can only predict what is likely, we must note that this depends on, in any case, the subject, the own experience, the situation, etc.

We also have to talk about what is unlikely, remotely to happen, and where the impact is uncertain. We do not know what will happen, but we suspect that it may have a costly impact for the business and our assets. Here there is no experience of our own or someone else’s, and we can consider ourselves as part of the problem.

Here, as Heraclitus said “into the same river we enter and don’t enter, because we are and are not”, nothing is like the first time; the river is not the same because the water runs and then we can never bathe twice in the same river. We are in the uncertain cases, in that impact.

*Note from the Translator: Spanish saying “Que sea lo que Dios quiera”.

In these cases, we begin analyzing our own reaction in the race against impact, and the external reaction. The reaction of Shareholders, customers (which can be very loyal, but can also opt to penalize you when the slightest impact is detected), the public authorities (which sometimes seem to do nothing and other times seem to contribute generating even more alarm) and society (where you can be in a public trial without big guarantees, where they wonder if you take advantage of the situation, if you’ve done everything possible, etc.).

The framework where we are has a mathematical model of hard to know probability and another

of difficult to safeguard impact, therefore all the plans and predictions should be done with a “certain amount of art”.

In this scenario of risk management the first thing to consider is to prevent everything that we can prevent, provided that cost is justified, where we could deal with actions of management, risk prevention, impact limitation, etc. It is also important a second issue, considering the expected disaster scenarios, if the incident was predictable.

Thirdly, regarding risk management we have to consider the crisis management itself. Here we can talk about four things:

...the predictive indicators (from the causes we can predict what is going to happen.) for example in amber traffic lights, we know that the red color follows. (Nevertheless, we have to be careful with these indicators, because they seldom occur);

...the alarm detection and escalation (we must have detectors, with a controlled chain of them…) (“don’t tell me you’ve changed the mobile phone number and I don’t have the new one”, and take special care with the so called false positives, which may “harden” and prevent us from detecting the problems later when they happen);

...the management of those affected (whether information technology systems, the business itself, customers, providers, supply chain or society…);

...and the recovery to bring the business back to its usual practice (here we have our disaster

Page 32: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�0

The technological fight against the organized fraud 2011 Summer Course

recovery plan, the backup systems… and that is because “business as usual” no longer exists).

The incident management

When it comes to dealing with the management of the incident, there are two options: either we have a passive attitude or the way we handle the conflict is reactive.

If our way of interacting is passive, then we cannot remain impassive to see how it evolves the disaster. This carries a high level of paralysis, as what we said SMEs “which is what God wants”.

If, on the contrary, our attitude is reactive, which I think is the least we have to start with, we can either stop it so it doesn’t become serious or redirect it to make the most of it.

The same thing happened to the classic firm Levi Strauss, which began selling fabrics to make tents and one day the ship with all of the fabrics sank. The way that crisis was managed resulted in the adventure of the brand as a firm of the well-known jeans.

Once we reach the disaster, we still have different options too, which will lead us to different results.

It may be that we return to where we were before the aforementioned happens, being able to apply different disaster recovery plans; we can take advantage of the new opportunities coming up in front us.

Within this context, we can also learn to anticipate these disasters and react according to what most

interests us, being always able to learn from the experience.

And above all, a fundamental question: do we leave as Managers the same blind people that failed to anticipate this disaster? There will be no choice but to answer this question, although the definitive answer many times will depend only on the company stakeholders.

Regulation and compliance

In the regulation and enforcement section, we often find the assumption of “fast” responses to scenarios that, perhaps, never will happen; but many times we have no option but doing so.

Complying with the different regulations responds to several tasks that we cannot disdain, as calming the social alarm; but it is also true that it is quite complicated to validate its effect, since it’ is a rapid intervention in an unpredictable process.

In other words, we do not know if we can measure it, we cannot validate whether we do is correct or not, this is called “feedback system”, from the point of view that we often legislate under much pressure to an event that may happen every 300 years, for example.

On the other hand, and inevitably, regulations serve to make companies take certain measures that otherwise would not assume. This is what is known as “fear of failure to comply”.

There are many reasons that make a Corporation not to hesitate to comply with those regulations affecting them. Among others we can highlight

Page 33: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo �1

the following: staying out of the market, if you are in a regulated field; or, of course, we must avoid being caught “without doing our homework” in case of an unpredictable incident; and, much less, to end up in prison.

Protect and diversify

That being so, the best solution to survive a severe incident, which can have a high impact on the business, is “not putting all the eggs in the same basket”, what is meant by diversifying (clients, services, segmenting the market, etc.).

But in order to understand how we arrived at this point and why, we have to go through a tour before that illustrates this development. We have to talk about what we’ll call “business forecasters”, and which, in turn, are split into two categories: exposed and protected, a philosophy where we’d place this theory of diversification and segmentation.

Starting from the beginning, and within the mentioned “forecasters”, the greatest impact of all possible happens when, as I said before, we have put “all the eggs in the same basket”, when everything is interconnected and vulnerable to an attack at the same time.

We are also more exposed when we have not defined properly the safety margin, where you were recommended to put several doors and hide away, by segregating networks or designing a DMz cloud.

In short, you win much with these lines of defense, which can be deployed throughout your

organization. We take advantage of alarms, and the advantage they give us against risks. And this is very important to take into account, despite the fact that these safety margins are often costly and complex.

Here it is also important to make a reference to resource optimization, something we resort to on many occasions, even more so in times of economic recession as those we live now.

This is important and it has its advantages, of course, but also puts us in the following position: precisely because we are optimal we end up being more fragile against the attacker, and our vulnerability can scupper many achievements obtained with so much effort.

The “rapid spread” condition also plays against us, when any vulnerability or attack means the imminent arrival to our systems and the rapid expansion through our networks and infrastructure.

The physical security people have this more controlled, and always advocate avoiding these fast propagations, by resorting to what they call “retarders”. I take as an example, in case of fire, the use of fire-retardant materials in the construction of certain facilities or as part of the clothing of those who have to perform rescue tasks; in the end, the idea is to delay the spread effect of the fire.

And following the example provided by the physical security, in our departments of logical security we must go beyond installing a password,

Page 34: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�2

The technological fight against the organized fraud 2011 Summer Course

a token, etc., and think about the ability to spread of a threat that reaches that route. And we should always take into account the dynamics and the versatility of the incidents, because if we see them we will be able to adapt to them and fight against their effects.

However, when we look at the dynamics topic, the most important problem that I see is globalization, so that an incident may reach our systems more quickly than before and from any part of the globe.

In addition, we always have to see if there are watertight compartments, and bear in mind that what we often do is, simply, to foresee an isolated incident, but not the concurrence of several of them. And in relation to cloud computing, I have to say that I’m very afraid of the use of cryptography in these environments, because if we have the impact bounded we are protected, but we aren’t otherwise.

Summarizing the above-mentioned and to make it clear what would be the elements and actions that allow to have the assets of an organization protected, we shall return to the subject of bounded impact and the diversification of actions, which I stated as “not putting all the eggs in the same basket”.

In the same way, it is necessary to have an adequate safety margin, with layers of defense, systems redundancy and resilience capacity.

This last capacity, to keep the essential services after the attack and recover as soon as possible from the same, it is what defines the self-preservation quality of an organization, as well as its adaptability to a changing environment.

finally, I should like to make the following point: the responsibility for the risk is located in the person who has to make decisions, who can be the Director of the company, and not the operator or systems manager.

We have clearly seen this in the National Security Scheme approach. And finally, the fact that one makes decisions and another one assumes the consequences must not happen. Decisions must be made by the people who will suffer the consequences.

finally, I highlight the following: there are a number of risks that more or less we know of, we don’t even know of other risks, we can find ourselves in situations that we wouldn’t want to be, but we failed to foresee them… and we must have a solution for that day.

This is why it is also important that when production managers design the service portfolio, they include the risk analysis of each service. I think that this may be a good target for 2012.

Page 35: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

David BarrosoS21sec Director e-Crime(Currently head of Security Intelligence

AN DLAB. Telefónica Digital)

I would change the title of the table and would rather call it “old threats”, because, deep down, what we are experiencing today is no more than a copy of what we were suffering six or eight years ago. Though we might consider it as new platforms (for example, smartphones), rather than as new or old threats; and, mainly, as new players.

All this coupled with a situation where we continue to be supported on unsafe foundations and are failing in the way to address these threats.

Regarding the fact that we support our

philosophy of security on unsafe foundations,

suffice it to say that we are still talking about

TCPIP, SMTPs, IDSs; we are still using passwords;

we invent new words like “clouds”, but they

already were here before; we are facing attacks

that incorporate social engineering. In essence,

we have the usual threats. What has changed is

the way they reach us.

We also fail in the way to address threats, because

we are not going to the root of the problem,

but patching on patches. We talk about mobile

phones, but they are still unsafe (downloading an

application that may have a Trojan horse).

This roundtable was intended to discuss whether there are any new threats or only, and so far, new scenarios.

It had the following participants: David Barroso, fernando García Vicent, Juan Jesús León Cobos, Elena Maestre García, Alfonso Martín Palma, Rafael Ortega García, Thomas Roy Catalá, Juan Salom Clotet, Marta Villén Sotomayor and Marcos Gómez Hidalgo, chaired by José de la Peña (director of the SIC magazine).


Page 36: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

So, as I said, instead of talking about new threats I’d talk about “new players”, where we can highlight the organized groups that we came to know so far; the threat arising from the citizenry itself, as Anonymous has demonstrated; or related to Governments, which also play a role in Internet attacks.

At the end, user training is the most important thing and without further steps in this direction we cannot fight neither new nor old threats.

Fernando García VicentDirector, information security and SOC.Group Mnemo

In my opinion, and trying to link up with what Mr. Barroso have just raised, we are not only encountering a new level playing field and players, but also, in addition, they are also more and more professional, which leads us to a change of direction from cybercrime to cyberterrorism.

In other words, I think that we have gone from attacks of economic motivation to other attacks where there are already other interests, more focused on doing real damage, as we have seen in some denial of service and Nation vs. Nation actions.

In this position, I would like to stress two points, which could be interesting for discussion. The first is the importance of security holes prevention within the organization, to struggle with fraud.

And as any hole usually comes from an illegal action that in turn comes from inside and it

materializes by releasing information to the outside. In other words, most of attacks that we have registered had their root, for example, in an internal phishing, using professional networks such as LinkedIn.

That is why it is important to know what is happening within the organization to prevent information leaks. And it is important to pay particular attention to the security perimeter and threats arising from mobile devices, which are already a very important dynamic element.

Secondly, we must talk about verification of authenticity and code signature of applications that are being downloaded. And, even, the use of digital signature techniques and signature verification on transactions from mobile devices; if used together, they can provide more light than individually.

Having said all that, I also stress the importance of defining global strategies for the detected threats and that are of global scope. Here there are two elements: one, championed by leading analysts of the market, which is sharing information, related to the establishment of procedures of intelligence to know what happens and how the attackers move; the incorporation of on-line detection techniques and scoring tools so we can somehow see when fraud occurs; and another: the product of the sum of analysis tools to obtain measurements, indicators of how such threats are occurring.

And finally, there are the so-called “Internet of people” and “Internet of things”.

Page 37: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

Juan Jesús León CobosProduct Manager.GMV solutions global Internet SA

I agree with what has been said: instead of new technologies this is about the existence of new players. However, in my opinion, in recent years we do have seen new things.

And, in fact, I think that there has been a change that affects the three different types of threats we know: which pursue money or profit (cybercrime), those looking for power (cyberterrorism or cyber-espionage) and which simply seek to “annoy” (cyber-anarchist).

In regards to cybercrime, everything has gone very quickly. There has been consolidation of malware, it seems that they are organizing a kind of monopoly system to better manage their evil, and here they defeated us a bit.

While we have technology to fight against the “bad guys” (robust authentication, modern end point security, etc.), it is difficult that organizations follow the pace of technology, while the criminals do follow the pace of technology. In my opinion, they have everything they need.

Regarding the cyber-anarchist, which is a new phenomenon and orchestrated by new things like social networks, I think that it will be the threat making more progress over the next years. And I think, also, that it is very difficult to combat.

We only can prevent it, and not at all, and for any action we will need much intelligence. They can do much damage by attacking the clouds and by

his anti-establishment philosophy; they can also infiltrate social networks and take control.

And I think that many Governments could also infiltrate to keep track of them and be more aware of the new scenarios of cyberterrorism and cyber-espionage

finally, we can also refer to a new term, coined by an excellent professional, Javier Osuna, which is cyberdemocracy, which is defined as a mechanism of reaction of the “good people” who are in social networks to combat, in a collaborative way, these anti-establishment people who can be so negative.

Elena Maestre GarcíaPartner of PwCHead of Technological Risks

I am going to refer to three fundamental issues: the definition of what the new threats are and their relationship with fraud; what I call the seven dilemmas of the threat evolution; and finally, how I see some conclusions and the challenge of responding to fraud.

Regarding the first scenario, when we say new fraud-related threats we refer to unlawful acts which pursue profit (which, moreover, can be direct or indirect, or what I call “incubator of ideas”, allowing third parties to take advantage to commit criminal acts).

So, in essence, when we refer to new threats we talk about two things: a question of capacity,

Page 38: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

which today has much to do with technological advances: and, on the other hand, aspects related to intentionality.

In regards to the seven dilemmas of the threats evolution, these are as follows: a first driver that has to do with advances in technology and communications, which have advanced so rapidly that it has opened up new security breaches, now with a single blow to the whole world; changes in the operation and the way of doing business, as, for example, on-line recruitment, which open new routes for fraud; the rise of information poured into social networks, and, above all, in a less professional environment and of lower level of rigor; the aspect of globalization, as the fourth factor, where it is easier to learn and replicate attacks, and harder to put barriers to an interconnected world; anonymity, which introduces certain amount of impunity when it comes to commit an offence; the professionalization and industrialization on the hacker’s side, where there are already organized networks willing to pay big money for sensitive data; and, in the seventh and last place, cost, the fact that in some environments fraud has a ROI.

I would like also to mention the massive penetration of the cyberattacks; since, according to some studies, 80% of the companies that we know have admitted some act of cyberattack. And this is no longer a concern exclusively of businesses, but also at governmental scale, and also affects the protection of critical infrastructures.

Therefore, in view of this situation, I believe that the responses must change. We must evolve towards a new way of managing these threats, beyond the strict perimeter protection.

Actually we must take a more proactive position in the fight against fraud, assuming that the challenge is on the fronts of information analysis, so we need to increase the knowledge and the behavioral patterns on conducts.

Other aspects would be the demonstration of these situations of fraud, many times something very complex; the aspect regarding investments, which are never enough; and the dynamics of business, where it is often difficult to put reasonable security levels to avoid fraud.

Alfonso Martín PalmaHead of CybersecurityINDRA

In our Organization, when it comes to identify new threats related to technological fraud, we focus on three aspects: the techniques used to attack; the technologies that are being attacked, and the change in profile of the attacker.

Regarding the techniques used to attack, we think that while new threats have emerged, the fact is that the counterattack matter is mature enough. There is no doubt that we need more investment, and that the attackers are becoming more sophisticated; but we can also argue that our level of response has increased in strength and maturity.

Page 39: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

On the other hand, mobility, social networks or the geolocation are some of the new technologies targeted by the latest attacks. What is also called “the Internet of things” and the critical infrastructures, where an attack would allow taking control of assets as significant as running water, electricity power or natural gas, and communications. In my opinion, there is a risk in all these scenarios, as in many cases cost savings and ease of use have more priority than security, and this can sometimes lead us to a system more vulnerable than before.

The change of the profile of the attacker is posing a more drastic change in the current situation of attacks. We are facing traditional terrorist groups, but also groups of cyber-anarchists, the anti-establishment people, and inside these we see the so-called “outraged”. The best of these groups is the great mobilization capacity of the like-minded people, which at any given time can perform combined simultaneous attacks.

And, finally, cyber-defense and cyberwarfare will be the biggest changes in this landscape in the coming years. There are already acts of war in the cyberspace, it is already known that Russia was behind the attacks on Estonia, we also know that the Chinese are very active although they are more based on the side of espionage, actions on the Canada channel or in Canadian ports have been already detected to control sea traffic… or the actions developed by the United States or Israel, or jointly, to get Iran’s nuclear program damaged. Here cyberwarfare is already mixed with the protection of critical infrastructures.

In these circumstances, what we have to do is to change our strategy and invest more in cyber-intelligence, and thus take advantage of all the experience, both in the virtual world and the physical world.

And moreover, I consider it is essential that Nations begin to consider technological fraud as a matter of national defense. It is necessary that the Nation guarantees the security of citizens and enterprises when any of them operate on the Internet.

I think that it should be something not only linked to the business world, it should not be just the responsibility of the companies in the sector, but also governmental. Just as we have services such as the police department, army, fire department, etc., also the Government can ensure our rights and interests in this area.

Thus the first steps have already been taken. U.S. and NATO have their own cyber-defense Centre, and in many other Western countries are launching similar initiatives.

Rafael Ortega GarcíaAdvisory Partner at Ernst & Young(Currently responsible for the area of Governance, Risk and IT security of Solium)

Honestly, I have no idea of how to raise the advent of the future based on the vision of what we have now. What I believe is that we face a major problem hindering progress, and the fact is that we have been 20 years with the same security model.

Page 40: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

With the emergence of the Internet and data protection, we have created a very comfortable environment, where I handle the analysis of risks management, my ISMS, my compliance, and my vulnerability management, and there I am quiet. And, on top of that, I’m subcontracting.

And this comfortable environment is the problem, because it creates a false sense of security, which in many cases makes us difficult to approach an environment of uncertainty, where we really should be to grow.

The key is that we must stay and handle in an environment of uncertainty. And for that to happen we must maintain a state of permanent alertness, prepared for an impossible.

On the other hand, I also believe that we have made a lighter security, and now the “bulls” that are approaching us are bigger. Now we create predictive models, but for this we must have saved historical records…, but how many do we have saved?

And this is one of the main fronts where the security people have thrown ourselves into and now have to make a stop. At the same time the key question in these points is the team, the human factor that can fight and give answers to what is coming… and this is only provided by the experience, training, and continuous education.

Thomas Roy CataláDirector of the area of Quality, Security and Relations with suppliers. Centre for telecommunications and information technology (CTTI)

Generalitat de Catalunya

from my perspective, there are new threats; and within them, another problem, which amounts to a challenge to solve: a big budget cut amid the crisis, which generates big risks of viability to the type of projects and services that should be provided and how to fit into this.

Another threat is coming from the creation of transformation processes and services, and technological transformation processes, which are summarized in the motto “more for less and better”; and, in addition, we are also having problems of obsolescence of applications and maintenance of services.

They are threats, therefore, which we are not used to (in Catalonia we are, for the first time since last year, in a situation where there is no economic growth), and against those the CESICAT (Centro de Seguridad de la Información de Cataluña), with its Computer Crime Unit, cannot fight.

Now, we are monitoring social networks to find indications of new movements and criminal actions. In this sense, we cannot obviate the attacks we suffered, just like other agencies, coming from citizen groups.

We suffer from different types of attacks, such as those concerning the data integrity, the image of the Agency, of economic type or denial of service.

Page 41: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

Apart from all this, there is a threat that worries me especially and it is the one concerning critical infrastructures. Here there is a criticism that I would like to make, because ICTs are not included in the plans of civil protection, however heavy snowfalls, floods, etc., are included. ICT are never considered, and it would be interesting to raise in these scenarios the recovery and resilience of ICT.

And secondly, I also advocate the development of an action plan when the ICTs are the factor of attack. In other words, we develop a recovery plan when the attack, as is happening now, is targeted against the business.

In essence, we should focus our efforts, in this order: critical infrastructures, business continuity, and services assurance.

And after this, two very important topics we have been dealing with from the security area, the applications performance and the infrastructures. And we have the challenges of the logs management and the monitoring.

I think that times will change. It is true that we have lived a period of comfort, but these attacks will put the head of security in a position of responsibility, leading him/her to make decisions.

Here I make a very brief reflection: all companies that hold assets define people responsible to protect them and ensure that they will be supported over time (may be money, the human resources part, etc.), but there is one that remains largely unprotected: information, maybe because the CISO is not fulfilling his/her job.

Juan Salom ClotetMajor of the Civil Guard and Head of the Group of Telematic Crime (currently Director of International Security of the Santander group)

I am going to talk about two scenarios which for me are two new threats in the technological fraud. The first is the socialization of technological fraud and the second is on-line gaming.

With regard to the first point, and this can be a priori contradictory with what was said here about the specialization, I believe that we have gone from that particular pairing we saw between hackers and specialized crime to exploit the electronic banking (today I already think we can say that the banks have won the battle, minimizing the impact of these frauds) to the fact that currently they do not need money nor being organized to commit a crime of technological fraud.

The business of malware is designed and sold at a very low price, as demonstrated by, for example, the “Operation Mariposa”, where some kids had bought some botnets for 500 euros, able to control an incredible quantity of systems.

We are no longer talking about organized groups, but about small groups who buy malware, a botnet, or another tool, and exploit them.

We are lowering the fraud to the mini-fraud, where the victims are multiplying. And this is focusing, mostly, on e-commerce. And we are witnessing an important movement of loss of confidence in the entire system, in the businesses, in the Internet.

Page 42: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�0

The technological fight against the organized fraud 2011 Summer Course

On the other hand, and as I pointed out before, the second stage of technological fraud is online gaming, which is not regulated, neither for the services delivery nor for the fiscal aspect, even though we have introduced an Internet gaming law; but in my view is very open and lacks regulatory development.

from our unit at the Civil Guard we have lived situations that either become a money laundering scene for other criminal acts, or carry out criminal practices in the game itself.

Here it is very difficult to keep track, because gaming is ruled by multinationals or groups that operate internationally, and safeguard the profits fleeing to tax havens of the network.

Marta Villén SotomayorDepartment of Logical Security and Fraud Prevention.

Telefónica Spain

I’m going to talk about a very specific case, the fraud we suffer from in the telecommunications operators. How it has changed in recent years and how now is becoming a fraud to the customer, not the operator. We talk about micro-frauds and a large number of clients.

The first documented case of telephone fraud was dated in 1958, carried out by a young American 9 year old blind to the Bell Company. He discovered that a specific sound activated the PBX programming mode, and so he called for free.

After that, we came to a time where the mafias carried out detailed attacks to an operator, or several; but now the picture has changed.

Before we were fighting against a fraud of establishment of booths, and now they are real sinks of traffic on the network, where fictitious traffic for the “bad guys” enrichment is performed.

Last month we suffered an attack where several telecom operators were involved. The fraud was originated by Vodafone phones calling en masse to a single Movistar phone which had automatic call forwarding to a Telstra phone, which in turn made an international routing ending in a french operator…

Call diversion has been the latest scourge to all operators, and fortunately we didn’t allow it for international call, which has freed us from some fraud.

And how are these frauds carried out? It’s very simple. There is a whole marketing industry of specific devices for such a task, which can cost 400 euros. Machines like Simbox, the Pool GSM mode…

In addition, they have mechanisms to be able to rotate the SIM cards so they avoid seeming criminal, so that all the detection and patterns algorithms we had are no longer useful. Their power is noteworthy; they can send up to 42,000 messages within 24 hours.

But now, as I pointed out, what they are doing is to attack directly the customers. I take as examples

Page 43: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo �1

the following two: last year we had an average of one attack per day on the switchboards of customers, where they compromised the security and charged them calls; and the recent attacks on two social networks. In one of them, Tuenti, they made a phishing spreading among the contacts to obtain a fraudulent subscription.

Marcos Gómez HidalgoAssistant Director of programs. Operations office.National Institute of Communication Technology (INTECO)

from the 15,000 Incidents that INTECO usually solve per year, related to end users and SMEs, nearly 40% deal with electronic fraud issues, about 7,000. Of these, more than 90% deal with attacks based on social engineering.

This being so, and according to a study on fraud, carried out in the last quarter of 2010, 53% of users declared to have been victims of an attempt (not necessarily accomplished) of fraud in the last 3 months, highlighting the invitation to visit a suspicious website (35% of the cases), fraud through email (26%) and through suspicious job offers (21%).

On the other hand, among the forms that the issuers of suspicious communications take, we highlight the banking identity theft, e-commerce and buying and selling webpages and online lottery and gaming.

Even so we are optimistic, 95% of Internet users said not having suffered economic damage in

those last three months (and those who have suffered from it, in an amount not greater than 400 euros). In addition, the number of banking Trojan horses has been reduced throughout 2010 in almost 4 percent, staying at 39%. We have not registered many micro-frauds on mobile devices.

Social networks, on their part, together with mobility, are the real crux of the matter for us. And on top of this, at government level, we have the protection of critical infrastructures, where we work actively with ENISA (European Network and Information Security Agency).

However, I continue to emphasize our work in threat detection, which also follows the lead in Europe. The European Commission has created a CERT, named EUCERT, (though it still doesn’t have the competences and objectives defined), we hope it will do a work of coordination bearing fruit soon.

We also have to highlight the Cyber-exercises. The first European cyber-exercise was carried out in 2010, where more than 400 incidents were solved in real time; and in 2011 it was carried out along with the US Homeland Security Department.

In our country, the Spanish Security Strategy stands out, where we have collaborated on the drafting of the chapter on cyber-security, in which appear the roles of the administrations that will be devoted to protect in cyber-security the citizen, the companies, the country... and in which we will see future Royal Decrees articulating this issue.

Page 44: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�2

The technological fight against the organized fraud 2011 Summer Course


To what extent is compatible to combat new threats with reduced budgets, as we now have?

Tomás Roy Catalá: when you have to make a budget reduction it does not mean that everything, and always, will have to be reduced. In the end it is a matter of common sense. for example, we have avoided redundancy, and make the most of the security capacities of the network devices.

And how do you make also the reduction in R&D compatible with this budget reduction?

Fernando García Vicent: The level of threats existing today, makes us to be more effective and efficient. We cannot continue to pose the same methods as before; and also requires us to have more knowledge of the technology and available devices. It also demands us more efficiency in each organization’s internal business processes.

Have you turned into something positive the attacks suffered in your organizations to achieve greater valuation and justify the need for greater budgetary allocation?

Marta Villén Sotomayor: I really think so. We must take advantage of these incidents to further raise the awareness of senior management.

Tomás Roy Catalá: It has created us a level of high interaction and a greater awareness; on this side very well. Although I would like to make it clear that we have to assume responsibilities in any case, not delegate them and act in case of crisis.

Marcos Gómez Hidalgo: We have been reactive, and I say this with regret. And I think it is much better to present our Department by the incidents that we have avoided, and not by other type of news.

Are we losing the battle against the “dark side”?

Marta Villén Sotomayor: In my opinion, we have not lost it. I think it is a very difficult battle, and always keeps us active and innovating.

Juan Salom Clotet: I think they win by a mile. Because we have tools to fight, but the problem is that the “bad guys” work with impunity. In addition, we look at the large sums, but really this scenario is riddled with small offences, where often they don’t reach 400 euros.

Tomás Roy Catalá: Regarding the “dark side” I have to say two things: not all are crimes, as demonstrated by some actions of organized citizen groups; and I think that we must seek other channels, because there has been a certain manipulation in this game to go against public institutions.

Rafael Ortega García: The fight has always existed and will continue to exist. I am as pessimistic as Juan Salom on the legislative part, but I also believe that this makes the technology evolve. However, the offences that do not come to light are what matters most to me, remaining inside the company.

Fernando García Vicent: I would add to the feeling of impunity the big lack of awareness that seems to exist in society and enterprises.

Page 45: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

David Barroso: They are quite ahead of us and are more determined. And we are not creating tougher laws to compensate.

Marcos Gómez Hidalgo: It is also a matter of image, with figures such as the Cyber-Czar of the security. More than 40% of the attacks come from the US... they come to stop to Europe, but we are not going to stop things there.

How do you see the role of regulators in the field of information security?

Rafael Ortega García: Europe is hyper-regulated, so I think that either we minimize the transpositions, for example, or it is impossible to deploy them. I would like to count on a regulation by sector, and it would be enough.

Elena Garcia Maestre: It is important to regulate and define some common frameworks for action and homogenization, always with a dose of reality, without it being “regulate for the sake of it”. And, in addition, we should be more exquisite, because I see an over-regulation that is never supervised.

Fernando García Vicent: The legislation will be always behind. We require a work of coordination and implementation from the States, both at local and European levels.

Alfonso Martín Palma: It is surprising that there are sectors where there is no regulation to the effect, especially in the US, as in the nuclear field. I believe there must be impositions in the field of regulation, because, as we know, if things are optional, they will be applied seldom, if ever.

Page 46: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

Page 47: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��



ybercrime has increased dramatically over the past years even though the strength of the inhibitors has also increased, such as a greater security

and a more fruitful international cooperation to fight it.

Although certainly, there are also more and more powerful drivers that promote the ease of attacks, such as the ubiquity of Internet, the advent of electronic commerce and the emergence of a identity market, that have essentially brought new vulnerabilities.

The identity market subject is especially complex and harmful. Here the hackers specialized in stealing identities from the banks to sell them

later in the market where the fraudulent card manufacturers used them.

They resorted to the recruitment of people from within the Organization, using the privileges of the people in networks. And there they got organized in large fraudulent companies dedicated to buying and selling identities and specific tools.

The problem here is that anyone who has access to the information becomes a potential thief. But that can no longer be so, because it is as though you could not trust anyone.

We are entering the phase of what we call hacking of business processes. And what can somehow

Richard Stiennon(Chief Research Analyst. IT Harvest)

Page 48: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

break this trend is the international cooperation among all legal forces.

While many efforts have been made, it is still a very slow process, since even if a country captures its own criminals, the world and threats are global and we end up encountering criminals in other countries, such as Russia, which holds the lead on these activities.

The worst possible scenario

A couple of years ago I was asked to give a lecture of 10 minutes to present the worst possible scenario that we can arrive at with regard to cybercrime.

In my view, what we can get to witness is how the cyber-criminals could greatly influence jurisdictions and legal environments of the different countries of the world, imitating the Italian or Colombian mafia. And in fact, this doesn’t sound like a story, because for example in Russia the cyber-criminals already have access to many environments in the institutions of law enforcement.

Cybercrime began with the arrival of e-commerce webpages and the desire of their owners so the more users they could attract the better. What happened then, in those early days, was that hackers stole information and received their searches through the computer. That time was characterized by working by means of statistics, appearing multitude of computers infected with worms, adware, spam, etc.

In 2004, this scenario came to represent a 2.4 billion dollars business, according to estimates by Webroot.

Israel experienced a few years ago an especially significant case of cybercrime, involving the Bezeq telephone company. There, a consultant modified and marketed a specific software, and sold it to private researchers of Israel so they could use it later to infect their objectives. In turn, Bezeq hired private investigators to spy on other mobile telephony carriers. All this was discovered when the company realized that their information was being transferred to other computers in Germany and United Kingdom. This was the first case of data hacking services in “the cloud”.

United Kingdom has also suffered especially painful attacks from cyber-criminals, like those that occurred in more than one bank of that geography. In essence, I believe that there are parallels between what happened in Israel and what occurred in Great Britain: that in both cases there were people involved inside of the organization, who were able to install some inhibitors of security without major problems. In England, for example, they gave them the passwords in order to enter the branch and transfer 120 million pounds to various banks around the world.

I can also provide the example of a British chain of stores where some criminals replaced the credit card terminals of the store, in such a way that every night they stole data from all those that used the credit card to pay. In the end, the hackers

Page 49: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

managed to steal identities from more than 100,000 people.

These examples I’ve put and the many others that we all know make us raise the following question: we all know how costly is to make the necessary investment to optimize and assure the security of our business, but it is also true that an attack can cost us a large sum of money, so, what is it better? What do we prefer?

Business process hacking

A very important step that organizations around the world must take to consider that their information assets are safe is to have very clear strategy is case of hacking of business processes.

In this sense, we can address this problem by taking four steps: first, identify the business process (i.e., when the essential business movements are performed, when the money changes hands exactly, the operational procedures, etc.); second, identify key vulnerabilities and trust relationships (with customers, with partners, with the staff from within the Organization, etc.; in essence, with anyone who can access the information of our company so they could cause a significant damage to our assets); third, define what information or organization asset is likely to be stolen so it turns into something useful and profitable that can bring large sums of money to those stealing them (here it is important to note that the value of this information or assets is not so much what it means for us or the organization itself, but for the market or competition); and

four, monitor our systems so they provide us the information and records regarding the steps our data goes through.

When I really understood all this I have just explained, we tirelessly look for vulnerabilities and attempt to access them directly trying to mitigate a possible attack against them. It is also important that we resort to doing an audit if necessary.

The danger of internal staff

In order to illustrate how dangerous might be not paying enough attention to internal staff loyalty, I shall comment on two cases of fraud in the US, one involving a computer manufacturer and another one of a railway company.

The computer manufacturer hired us in 1998 to make an assessment on their e-commerce web page, which according to them was the number one on billings. We tried to find a way to enter and break the security of their Cisco routers, Check Point firewalls, and the remaining components of their security systems.

But what I also began to study immediately was their business model. I realized that with a simple password you could enter the VIP account, where the instructions on how to obtain the latest computer of the company were clearly shown.

We then realized the scanty security that this company had on their website and, by extension, on their business. And hence it was the first time that I could identify a breach of security in a business process.

Page 50: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

And I also remember from that experience how difficult it was to convince management that there was a problem they should be responsible for, which it was not exactly a problem of the department of security, but of the business model itself.

On the other hand, regarding the business process analysis of the US railway company, where during the night someone was stealing the goods from the cars and precisely, the most valuable cars, we realized that all the staff could have access to the sale of tickets on the Internet and we knew by intuition that the “bad guys” worked with someone from inside who could be providing information about what cars contained what freight.

More attacks

As we can see, the world of attacks is diverse, but above all it is very easy to violate the privacy of data from many websites where, in many cases, someone has not been very aware of how dangerous was to leave their systems so open and with so many vulnerabilities.

We have witnessed attacks of all kinds over the years, where some of them were even pretending to show the system vulnerability to the world. for example, in 2008 there was an attack that involved placing false news in the on-line press. The attackers did it in a way so simple that it turned out to be alarming they could carry out a threat of this kind with impunity.

Another well-known fraud was the electronic tickets one. In the Indian railways, the hackers worked with confirmed tickets, avoiding fraud detection

systems, so that they could resale them immediately afterwards at sites such as or for $1,000. There was also another method that involved buying seats by scammers and prevented others from getting seats.

We can also mention what was known as “carbon credits”. It was a phishing attack launched against a dozen companies in 2010, which affected seven of every 2,000 German companies. A total of $4 million were stolen by transferring to two accounts owned by the attackers. The “feat” was repeated in 2011 and then they managed to steal the Romanian subsidiary of the Holcim cement company with a total of $36 million.

More succulent objectives

That being so, we realize how exposed we are (although many times we don’t think so) to attacks of all kinds and condition.

And the sequence continues. Because, while the attackers have chosen specific forms of violation and sometimes more sectorial in the past, in the future we will see an explosion of threats that seek bigger goals.

Then, the security that we have used for years to protect our systems is no longer efficient enough to save us from threats that have optimized their routes of entry to our systems and, in many cases, without a trace.

That is why it is urgent to find a new security that really serves us to confront new challenges and new threats.

Page 51: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

The security we had ten years ago is no longer valid and we have to realize this as soon as possible to respond to attacks that, finally, can go directly against the “Crown jewels” of any company.

At the same time, we must pay close attention to new forms of malware, more and more sophisticated, as we have seen. There is one that especially catches my attention and is known as TDL-4 or Alureon, which is a malware of botnet type that (since version 4) is considered by the experts in computer security as an indestructible virus.

Its constant update affected more than 4 million computers in three months. In essence, it works as a file that is installed in the core of the computer and makes possible to insert up to 40 different forms of malware in it. It has a proxy service, which can download and perform searches on websites through anonymous proxies.

This is the reality of this threat and we have to fight against this one and others alike. And one of the best ways to do so is through the trail of logs they leave, so the best recommendation is access these logs and follow the trail that the attackers have followed in their action.

Vulnerable business processes

In order to better understand how to defend ourselves from what and from whom, let us also review the business processes that are particularly vulnerable, as the treasury functions.

Here it’s inevitable to have authentication functionalities so that we safeguard the funds of our company and protect its financial assets.

It is also important not to leave unprotected our part of logistics, where any attack on our truck routes can be very attractive; as well as energy, natural resources, utilities, etc. platforms (here it is important to avoid being constantly attacked as it happens to the Japanese with their Chinese neighbors, who do not hesitate to attack them in their attempt to control all the raw materials in the world).

We must also safeguard everything related to the workers payroll process, so we don’t go through the same that happen to an American company where someone stole the signed checks distributed to their employees with a fleet of trucks. The place where these checks were printed had a pit to prevent trucks and any possible attacker from accessing the inside, but in the end the attack couldn’t be avoided.

Gambling and gaming websites, with transactions of millions of dollars, are also subject to violation. And since 2004 there are very famous cases of attacks extorting money from the gambling websites, and these attacks are growing. I’m always surprised at how remarkably easy it is to make a denial of service attack.

In short, trading depends on trust, and if there is no confidence, it fails. People no longer trust in businesses, and I think that it is going to be harmful to everyone.

Page 52: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�0

The technological fight against the organized fraud 2011 Summer Course

Page 53: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo �1

iskVolution is the name of the book that, along with my colleagues, I am finalizing to address the risk evolution. With my presentation I will try to bring over to

the attendees how the definition and design of the content of the volume has been done.

firstly I will devote my presentation to show the hacking options in a given system to reach the users database, applications and take control of the operating system and the information.

Basically what we did was to connect from the web and enter in the database, which in turn allowed us to take another base and connect back

to the operating system, installing privileges so it

sends us an access later. With all this, I am asking

myself how I can automate hacking.

In this process we have found a total of ten points

where we’d been able to stop the hacker attack,

ten points where we could change our strategy to

avoid in the future being subject to these threats.

The understanding of how to shape hacking so it

could be automated led us to understand on the

other hand how to shape much more complicated

things such as, for example, how to modify

protection in those ten points mentioned above.

Víctor Chapela(Chairman of the Board.Sm4rt Security)


Page 54: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�2

The technological fight against the organized fraud 2011 Summer Course

The key is the synthesis

We have seen what they call “analysis” (either of risks, vulnerabilities…). And that is the mistake: the scientific method is dedicated to analyze, to break into pieces under the belief that the different pieces, by themselves, will allow us to bring us closer to the total or global concept.

However, when we start to separate the pieces, we lose much information of the relationship established among all of them… like the Volvo car made from lego blocks… if I give you a piece , is like not giving you anything.

It is precisely this reductionism that has prevented these models of vulnerability analysis from working correctly. The whole does not equal the sum of its parts, because we missed the interaction among the parties. What is known as “synthesis” allows us to join all the pieces together, and this is precisely the model of RiskVolution.

With our model we propose a new synthesis of the same pieces we all know; we are not doing something new, but adapting it to a new way. There is a saying that I like particularly, from George Edward Pelham Box, which says “In its essence, all models are wrong, but some are useful”.

And I agree, all are wrong, because they are essentially just a poor replica of reality; but some are useful, like ours, which gives us new ways to manage risk much more easily than other current models.

Three premises of RiskVolution

The approach we present in the book is based on three premises: those who best manage risk will prevail; the species (genes) and the communities (memes: everything that is in our mind as a standard and that is has been transmitted from generation to generation) that best mitigate their risks will survive; and those who best manage digital risk will endure in the future, something that we are not able to do now.

Moving on with my explanation, I will now resort to the concept of “entropy”, which can be summarized as the disorder or uncertainty of a system. In my opinion, life is, ultimately, a fight against it, which is translating in diversification and adaptation to survive.

However, we should take special care with “over adaptation”, if we adapt completely to the environment we will not have rapid re-adaptation mechanisms and will become extinct, as it happened to the dinosaurs.

Looking at the evolution, we have the surprising capacity of adaptation of the mammals, where humans stand out especially by an extraordinary capacity to predict and find anomalies in that prediction.

We predict that our table will remain the same tomorrow, and we are able to see if there is a new element. All this leads to the assertion that risk prediction allows us to adapt to new ones.

Page 55: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

And we do this thanks to the sum of three capabilities that become the essence of risk management: education, experience and experimentation.

Why we do not understand the digital risk

Digital risk equals impact multiplied by likelihood. However, and though these basic ideas are still prevalent, in our book we have preferred to rename and convert it into: intentional digital risk equals threat multiplied by accessibility. What is the reason for this? Because these concepts are measurable and more accurate in the risk controls we usually analyze.

However, can we explain why digital risks are growing? It is simple: the threat has increased geometrically; and the accessibility, exponentially.

In regards to the threat, a premise which is essential to understand this growth is the implicit anonymity in the digital world. If we feel anonymous, the “bad guys” too, and they feel greater impunity in order to commit any offence.

Also, it is a fact that without a perception of risk we all turn into transgressors. And in this context, the risk that exists for those who want to commit an offence in a digital environment is also lower, while profitability (which is equal to return/risk) has grown to a large extent.

for its part, as we have seen, the accessibility has increased exponentially. Before we started to be connected through networks, everything was

more secure and computers were completely deterministic.

But when we were connected we lost control, and the computers also became “indeterministic”, becoming machines so complex that they are no longer predictable, due to the inability to understand the relationship among all components of the machine.

It is true that we gained in value with the advent of networks, but also in complexity, because the number of users and possible attackers has grown exponentially.

In short, we are facing two evils: a greater threat, due to the greater imbalance with regard to the potential risk posed by attacking; and a greater complexity.

To confront these challenges we need space-time patterns, and on the Internet there is none of this, given that it can be transmitted from any part of the world and immediately, without temporary consequences.

Having said that, and turning to another previous presentation, our education does not solve this problem, neither our experience… so, we still can experience as a way to find the best ways to manage this risk.

At this point, how can we shape this digital risk? In my opinion, digital risk is composed of different things and we have to understand a fundamental paradigm shift, because digital risk is not what was supposed to be.

Page 56: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

And the error is that we start from a wrong basis, since we rely on the idea that there are vulnerabilities that have to be corrected, and secure our assets with patches and passwords but without understanding why.

Three types of risks

To better understand the problems we must bring us closer to the different types of risks that, in our view, are divided into: accidental, opportunistic and intentional.

Accidental risks are related to the probability of a casual disaster occurring. They are linked to the problems of availability, and through redundancy we mitigate its potential effects.

On the other hand, opportunistic risks are closely related to the complexity of systems and our way to mitigate them is to place protection barriers, install antivirus, firewalls, etc. Here we have to opt for a technology that mimics the health world, achieved with a sum of efforts.

In essence, we try to keep our networks and systems healthy, so that we insert only healthy components, complement them with patches and updates, isolate them from external threats, generate alerts that report us any error, we will keep logs to understand risk, etc.

Regarding intentional risk, while in the accidental risks “the best effort prevails” (if one works, we end up with this), and in the opportunistic is “the sum of efforts”, in the intentional what we must keep in mind is “the minimum effort”, if

there is any weak password on the system, our infrastructure is in danger.

It is related to the accessibility to my data, and to its confidentiality and integrity and its value in the market. The formula so far was impact multiplied by probability, but in our opinion it is better to speak of threat multiplied by accessibility.

The impact is determined by estimating the economic value (not only the direct economic value, but also the value of the benefit for the attacker or opponent). The probability is measured by calculating the potential connections. Intentional risk feeds on everything that we left undone in the opportunistic risk (a level of being healthy is sufficient), so here we need to free up resources for the fight against those attacks of intentional type.

In view of all this, we arrive at the following conclusion: we need to accept risk. It is impossible to have the appropriate strategy because the threats and the opponents are many and very dynamic.

The value of our information by data type can be set by making an inventory of the life cycle of the data, as well as determining what information has value for potential competitors. We can also generate policies, definition of controls, standards and procedures, and then implementation and auditing.

How to calculate the vulnerability

To calculate the vulnerability, which is not other than accessibility, we can convert all users and

Page 57: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

accesses into the vertices of a graph. And we can see how they are connected, since at this junction is where risk and vulnerability are. And in fact the most valuable is the easiest to hack, for example the database, because it is connected with tens of applications, and all kinds of protocols.

Once we understand these interconnections between the nodes, we can manage differently. Managing access in “the cloud”, where we can have a single point of access, is simpler than, for example, in the email, where the administrators of the domain, the server, the email… can be connected.

The “cloud” gives us the ability to manage these accesses, the key to the intentional risk. Then, on the one hand, you have it virtually separated from where the risk is (clients, suppliers…) and, on the other, it concentrates us the access points, which is very advantageous.

In order to reduce the risk of our organization we have two ways. Regarding the control of accessibility, we can reduce it by means of filtering, isolation, authentication, etc. And on the profitability part, we can reduce the anonymity and its consequences, and/or reduce the value (“an unsigned check that is worth almost nothing”).

The idea is that we can use these three vectors (accessibility, anonymity and value for third parties) on a daily basis to see how we manage risk. I can reduce the three axes of the graph, but I can also reduce only one; which all alone halved my risk.

In any case, we must keep in mind that the accessibility has a negative effect within our Organization (the more privacy, the less availability), therefore many times it’s easier to manage better the other two vectors.

Strategies to manage risk

At this point, we are approaching the most optimal strategies to manage risk: filter and isolate, for accessibility issues; dissociate and separate, for items of value; and monitor and record. And each one of them allows us to do different things over time.

Here we can highlight, for example, standards such as PCI, where they say “don’t put everything on the accessibility”, do not encrypt everything and separate part of the information to decrease its value.

However, we should be especially careful with the redundancy issue, which we have been resorting to throughout our lives.

In my opinion, on the other hand, it has nothing to do, and it’s even at odds, so we must be especially careful with how much redundancy we are going to put because if we have an alternative data center at the end we will have duplicate controls and will be more vulnerable.

How this is related to regulatory compliance

We have worked with the IfAI (Federal Institute of Information Access and Data Protection) in Mexico, in order to “avoid unauthorized access to the personal data saved by the person in charge”. Regulation tells you what to do or not do in terms of privacy, but we must also handle volume:

Page 58: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

the greater volume of data, the higher the risk; and the greater the volume, the higher the risk, therefore controls will also be greater.

What we are going to use to cover these risks is, precisely, what we said before: filtering, dissociation and monitoring.

It will be suggested to keep a maximum area per risk level (remember there are three, accessibility, anonymity and value for third parties), and here we can choose among different controls to reduce the area, giving them a certain score on each vector in order to determine how much we’re increasing or decreasing the security of our information.

This action is very efficient for the company, because you can choose your own controls; and effective for the person because for every vector we mitigate we get a direct impact on the reduction of the potential risk to the company’s data.

“Cyber-memes” and negative databases

In conclusion, I would like also to talk about a very particular risk management mechanism, which we have called “cyber-memes”.

We think that just as we have developed a few

memes to manage risk, we now see how this

risk management is beginning to shift to our

systems; in such a way that there will be a level of

abstraction that will enable our teams to manage

the risk that we cannot manage. for example, this

can clearly be seen on credit card fraud.

There is currently a research project on the

subject that is not looking for the traditional

analytical approach (“we would have 7 million

ways to see the data and we’d go crazy”), but

face it using the sequences of these frauds and

with models similar to those used by the human

neocortex, of hierarchical temporal memory,

allowing us to understand space-time patterns.

On the other hand, we are also beginning to work

on “negative databases”, which come to emulate

the immune system, “they have to react against

things that have never seen and generate new

antibodies by comparing them with the previous


In short, we are at the beginning of a new journey

and these contributions will help to support future

security and risk management disciplines.

Page 59: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

ith my presentation I would like to achieve two things: give a critical view of the current situation and provide elements of reflection on

the way of data protection.

We cannot ignore that the world has changed and continues to do so rapidly, and that in this sense globalization is affecting the legal certainty of the most sensitive data. There is a change and we have to be realistic in this definition.

Today, when we speak of data protection we are faced with a situation of third-generation data protection, it is no longer the law and regulation what concerns us, nor the complex legal relations

Francisco Javier Puyol(Director of Corporate Litigious Legal CounselingBBVA)



from the commercial point of view, but the fact that we are in something else.

We are immersed in new worlds such as social networks and cloud computing, and with elements that set a new pace, such as self-regulation or the shift towards the privatization of data protection through corporate rules, the BCRs (binding corporate rules). In essence, moreover, it seems we are changing the landscape of the strictly public on data protection to a more business oriented, more private vision.

Lack of adaptation of the regulation

These major changes in society, on the basis of an ever-increasing technological development,

Page 60: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

make it essential that the regulation changes and evolves to adapt to society and to the technological development, and that’s something that is going much slower than necessary. The law of data protection of 1992 lasted 7 years, and the law of 1999 is already lasting too much. It is true that the regulation handbook has included fundamental reforms that the law needed to evolve, but this is not enough.

What we need is to “go to the simplicity of models”, towards much simpler models from the regulatory standpoint. And towards an international vision, which is essential in a globalized world as the current one.

It is very important to realize that we are in an environment with many legal loopholes, due to the speed of technological development; and also we have contraindications from the internal regulation standpoint, but above all from the demands of the commercial legal traffic affected by privacy.

In this context, we highlight the event of the International Conference of data held in Madrid a couple of years ago. The topic discussed there was the development of standards with regard to international transfers of data, mainly based on the European Community directive and the Spanish legislation and with the values that the international data transfers must have.

It was an attempt to normalize this matter, where they also opted for the creation of new figures, such as the “data recipient”, which can have a scope other than the party responsible for the file or for data processing.

New legislative developments

On the other hand, we require awareness of the right to oblivion and a questioning on some aspects, such as the fact that the security element is the pattern element of international data transfers. It is necessary to go to more generous models, which allow us to have a global perspective.

Also, from the business standpoint, data protection clashes with realities that we must bear in mind. Many companies are working to comply with the minimum and the basics, they are more or less reliable, but opt for more cosmetic than substantive data protection compliance. And this has to be eradicated because otherwise, the rights of citizens are not met, the habeas data set forth in article 8.4 of the Spanish Constitution.

This issue of formal cosmetic compliances, but lack of effective compliance, which also shifts to other topics such as cookie policies, needs another treatment from the business standpoint, and that is materialized in what is known as social responsibility. Like the auditing systems, regulatory compliance controls have to be mandatory in any company, as well as the integrity of the rules. Until we get that done, there will be a hint of compliance, but the citizen rights won’t be respected.

Competitive advantage for enterprises

Another point to keep in mind is the consideration of the regulatory compliance as a value and competitive advantage for the companies that

Page 61: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

fulfill it, something that does not happen and would be very interesting to pose. In our country, both the law and the regulation handbooks foresee developments in this regard. Thus, companies that are committed not only to obbey the law, but to establish higher standards of compliance, could see their attitude valued from the reputation standpoint, so the market knows them for fulfilling the canons of data protection, representing a competitive advantage over other entities that don’t have the same level of awareness.

On the other hand, I believe that the legal authority to sanction of the data protection organization itself has to be reviewed, because sometimes there is duplication of sanctions because it was already foreseen in type codes.

And this is the case with BCRs. It is all right that groups can establish internal rules of international data transfer, that we intend to privatize. And this is quite logical if it has a transnational character, but at the national level we must reduce the bureaucracy either when it comes to reduce these international data transfers or when it comes to create some internal BCRs that do nothing but make life difficult for us.

Self-regulation *

On the subject of self-regulation, I believe that we have to overcome our fear, as it can destroy the experience of data control. Although, however,

we have to do with control, since self-regulation alone can bring about situations of denial of fundamental rights. Little by little we will have to adapt this model to the European level, which is regulatory, and that can leave gaps to this model of self-regulation. And an example of this is the internal self-reporting system.

It should not be forgotten, moreover, that the data protection model is not only a legislative model, but also is a cultural element, which is linked to the development of society, to the citizens awareness as consumers, who can exercise their rights against the owner of the files. It is necessary to have a cultural component, because if we stay only in the formal nature, it is more complicated that permeate in the awareness of the citizens.

New regulatory model

A very important criticism we can make is that the data protection model seems like an untouchable model, but it’s been two decades since the first projects, and now we require a serious reflection on the model of regulator that there has to be in Spain and in the European Union.

Our model is fundamentally based on supervision and sanctions, and I am not personally in favor of having as the only criterion the punitive action. It is ok, but it should not be the only one. The formative action is also important, and even some criterion again, as the reputation that we talked about before, according to which citizens can get to know what parties responsible of files comply or not with the rules and to what extent, and so that is an element of attraction. In my opinion,

* Note from Translator: Self-Regulation is a general concept used in other disciplines. The actual translation should be “Self-Regulatory Organizations”.

Page 62: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�0

The technological fight against the organized fraud 2011 Summer Course

beyond the punitive model, we should advocate for the formative and the reputation ones.

And here, in a new model where the reputation elements were introduced, the positive incentives would come. We are not talking about giving incentives for companies to comply with the law, but treat this fact as a starting point, as a required minimum, and encourage those corporations to develop an orthodox compliance and an effective guidance in the framework of a proactive policy. The incentives that could be proposed can pass for being facilities in various proceedings and actions, bureaucracy reduction, social transmission of such compliance so that they benefit from the competitive advantage that we saw earlier.

In the end, data protection is also a matter of free competition. Regulated markets entail the existence of ethical companies that compete on equal terms. for this reason, this must also be related to other areas such as competitiveness and unfair competition, coming to be regarded as an act of unfair competition the act carried out by a company “cannibalizing” data. That’s why the regulator itself should have in these cases the necessary sensitivity to assess that there is an irregular use of them.

We also need a model to anticipate problems and that is not going behind the circumstances ,and which follows international examples, as the Mexican wake that also deals with legal persons and not only natural persons.

On the other hand, the data protection model should adapt likewise to every area of the

industry. And accordingly there shouldn’t be special regulations every other minute, and that the agency would be forced to admit exemptions to the organic law and the regulation handbook to prevent the sectors from coming to a standstill.

Another element to take into account is the importance of consumer associations, but at the present time they are not fulfilling their role. We are facing very serious and technical matters and we come across this loophole.

Questioning legal certainty

There are matters governed by commercial, criminal, civil or administrative law where the application of these rules of substantive law collides with the existing rules on data protection, and it is necessary to find a criterion of interpretation to apply privacy rules. Nowadays, any contract needs not only the substantive legislation but also that vision of data protection and we need an integration, because otherwise or we comply with the substantive legislation and make irregularities in the data protection or comply with data protection and, however, we make irregularities from the substantive point of view.

This is also the same occurring with the special legislations, such as video surveillance, private security, financial law or money laundering and financing of terrorism. That may make an ordinary law breaking an organic law, as it is the case with the financial o terrorism funding law, as if you comply with it, many times you don’t comply with the specific one for data protection. However,

Page 63: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo �1

in the new joint regulation between money-laundering and financing of terrorism, there are specific rules on data protection, where it used to be a completely abnormal situation and that let the organizations choose freely to comply with one or the other.

In addition, it is also necessary to combine data protection with new technologies. And this seems simple, but it poses a huge conflict from the legal point of view, which needs solutions.

In the light of this, we are approaching new perspectives on data protection. It is an area of business in relation to company directories, professional directories, professional data and the concept of personal agenda. As all of these concepts are interrelated, it is necessary to simplify the models to avoid grey areas of regulation.

Delimitation of concepts

furthermore, also it is imperative to promote the delimitation of certain concepts, such as the cancellation rights, oblivion and revocation of consent; as well as the cancellation, blocking and deletion of data, where it is necessary to find a much simpler regulation for the citizen.

Another issue relates to the responsibilities of the party responsible for files. On the one hand, there are derivatives of data protection, and, on the other, those derived from the underlying legal business. With regard to the former, they have a limitation period of three years, in a way that if I delete the data within three years, the

contract has ended and I block it, and when the three years period ends I delete it because it has already prescribed (or six years period, according to the commercial code). But we may find paradoxical situations such as, in the case of a bank, once data is deleted I go to court for discrepancies the customer on the current account operations, the judge will sentence me because I cannot defend myself for making an orthodox observance of the law on data protection. And this is nonsense. What I say here is that you should not opt for the responsibilities deriving from the treatment because you’ll end up defenseless. That is why it is important that we take as a reference the derivatives of the underlying legal business, and, specifically, the time of limitation of actions that may be exercised against me in the contracts that I subscribed.

Similarly, we must be bet on the principle of quality of data and updating them ex officio, encouraging the updating of those. In addition on models that help to build instead of those that only punish, as I said before, because, for example, in the field of data cession, where I need consent, it turns out that in case of problems I come across a duplicated doubled sanction with respect to the provision of services.

Regarding consent, we need to use authentication to be able to truly verify identities, and that has a different legal regime. And of course we must be very careful with the tacit consent, as its use is being enabled but it’s not accompanied by a control of how and for what is used. It is surprising that the rigor of the AEPD (Spanish

Page 64: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�2

The technological fight against the organized fraud 2011 Summer Course

Data Protection Agency) on these issues is so banal: I send you a communication and say that if we get no answer within a deadline then we opt for the tacit consent. But maybe this answer is not returned due to multiple causes, so we need to avoid abusive situations and always protect the rights of the owners.

Regarding consent we also have some problematic situations, such as the consent for minors, where there are various rules to fulfill: regulation handbook, LO 1/1982, of civil protection of the right to honor, to personal and family privacy and self-image of the minors law, which says that we must turn to the attorney general’s office, etc. And it is a disaster because this situation discourages from treating the minors’ rights, even though they are adjustable. for me the simplest rule is the following: under the age of 14, always the parents, guardians and legal representatives; over 14 years, the minors themselves.

The provision of consent in the case of the disabled is also problematic, where we do not know who exactly should render it.

finally, we must also find new ways to deal with subcontracting, paying special attention to the legal limits versus the contractual ones; and also for international data transfers. In regard to subcontracting, we must find solutions from the contractual point of view.

And this flexibilization of the legal regime of subcontracting must be compatible with the protection of rights, obviously, of the holder, and with the responsibilities of the party before whom has to exercise these rights. Regarding international transfers of data, standards have done much, but they are not a panacea. We must look for homogeneous criteria and a parallel among transfers, social networks and cloud computing. We must seek common ground and a joint regulation.

Page 65: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

ur data protection law came into effect nearly two years ago, and it includes novel aspects towards the Spanish legislation, as the treatment

that it does of the legal persons and not only the natural persons. furthermore, as a regulatory organization we not only work to the private sector but also for the governmental.

To me the key is why protect. And this is something that was raised in 1967, within the Council of Europe, where an Advisory Committee studied the information technologies and its potential aggressiveness to the rights of the individual. After several regulations (“Human rights and new technical and scientific achievements” EC resolution 509; Convention

108 of EC, in 1981, of protection of individuals with regard to automatic processing of personal data) we come to Directive 95/46/EC of 1995 on the protection of natural persons with regard to the processing of personal data and on the free circulation of such data.

With the personal data laws we seek not to lose control over our most sensitive information, increasingly more scattered throughout the network; while in other latitudes, as in the US, the need for privacy is expressed more in terms of the right “freedom to hold opinions without interference”.

In this regard we can highlight a sentence of 15 December 1983 of the German Constitutional

Ángel Trinidad Zaldívar(Commissioner of the Federal Institute ofInformation Access and Personal Data of Mexico. IFAI)


Page 66: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

Court, which stated that “the proliferation of data centers has allowed, thanks to technological advances, to produce a total image and detailed the respective person (a personality profile), even in the field of privacy, thus the citizen becomes a man of glass”. As an example of how dangerous the generation of these personality profiles can be, we observe that enterprises rely on social networks to gather information about applicants to employment. A study conducted in the US in 2010 revealed that 40% of organizations claimed to stop hiring a particular person based on the information they found in social networks. A stratum particularly vulnerable to this transparency is that of young people. Many times I tell my children that perhaps they may regret in 10 years, when entering the labor market, the comments they now write indiscriminately in social networks. And this is precisely what the laws of data protection aim to prevent, this discrimination.

From the public to the private sector

In Mexico we started our activity in 2002 with a law of transparency and access to governmental public information (LFTAIPG), which in seven articles recognized the range of the personal data protection in the public sector (medical records of public institutions, official documentation, etc.). In 2007 a reform of article 6 of the Constitution is published, and there is a much more explicit recognition on the personal data and the need to regulate and protect them. It elevates to rank of fundamental guarantee the right of access to information, with two limitations: information concerning the private life shall be protected in

terms of a corresponding law, and everyone has the right to access and rectify their personal data.

In 2009 the Constitution is reformed again, this time article 16, and here it already recognizes the protection of personal data “as an autonomous and independent right”, recognizing the so-called ARCO rights (access, rectification, cancellation and opposition). Here it is already recognized the following: “every person has the right to the protection of their personal information, access, rectification and cancellation of the same, as well as to express their opposition, in the terms established by law, which shall establish the assumptions for exception to the principles that govern the treatment of data, for reasons of national security, public order provisions, public health and safety or to protect the rights of third parties”. And in 2010 the federal Law for Protection of Personal data in the Possession of Individuals (LFPDPPP) is passed, finally extending the regulation on the matter into the realm of the private sector.

Since the regulation of personal data in the public sector to its extension to the private sector 8 years have passed and during that time there was in our country a hectic discussion between some areas of both sectors. In total, 9 different bills were presented, ranging proposals from a guarantee-based model that hindered the free flow of information (opt-in) to the model liberalized without minimum regulatory points giving certainty to the citizen.

The most important achievement of the regulation of 2010 is to have come to a hybrid

Page 67: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

model, which took the best from all these initiatives, and also from diverse international experiences, such as the AEPD one, which proved to be very useful for us.

We believe that we have a modern legislation that recognizes and protects the so-called rights of “third generation”, in particular the informative self-determination, which translated into this last capacity of not losing control of personal data, that each one of us knows who has our data, for what, how long should they keep them, etc. It places the individual at the center of the guardianship of the State, recognizing and respecting their dignity and worth; and it establishes a general framework that provides clear, specific and minimum rules to achieve a balance between protection of personal data and the free circulation of the same in a globalized world, in accordance with international standards

Influences and differences

What we have sought has been a balance between all the possible regulations presented to us. Some suggest that there are basically two models: the American and the European, but the truth is that we also take into account other models because at the end in this globalized world in which we live, personal data may be anywhere.

Our law aligns with the maximum expressed in this regard by bodies such as the OECD, APEC (picking up their elements in the framework of privacy) and the European Union, and also contains the “International Standards for the Protection of Privacy”, adopted in Madrid in

November 2009 as pointed out in his presentation by the master Puyol, always looking for the benefit of the person and encouraging commercial transfers. It provides legal certainty in cross-border and national trade, favoring thereby, the arrival of more investment and consequently the generation of employment; and it enables companies to establish or improve their privacy policies, directly resulting in greater security on the information handling.

In addition, it does not impose excessive and unnecessary burdens of compliance, for example; it does not require a registration of databases owned by individuals; it’s expected the holder’s consent to be tacit (opt-out) for almost all treatments; and the obligation to request consent from the guarantor body for international transfers is not expected.

In this context, from the IfAI we want to present ourselves as the guarantor organ for the protection of personal data, as well as the right of access to information. And also do it with the involvement of other ministries, which will make our policy closer to reality. The advantages of our regulatory authority include the autonomy (technical, managerial and decision making, as well as with its own legal personality and assets); the unification of criterion, eliminating the risk of asymmetries in the level of adherence to the principles of protection of personal data demanded from those responsible, whether they come from the public or private sector; and the learning curve, taking advantage of the accumulation of knowledge and specialization in the field of personal data.

Page 68: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

In Spain, however, is still discussed whether or not it should be a law on access to information and transparency. And there help has come the other way round, we have told from the IfAI our experience to the Spanish authorities, who are either unclear about whether the AEPD also becomes an agency of transparency and access to information, like us with the IfAI, or if a different institution is created. In our opinion, the best is to have one authority because there is uniqueness of criteria.

But apart from the similarities with other similar regulations, our legislation on data protection has specific differences in relation to the legislated in the European Union and Spain. We can highlight among others: a registration of databases is not required, as after our experience in the public sector we realized that it was not useful for anything; the consent of the owner is tacit to almost any action, except for those that require the latter, such as medical records or financial actions; and reporting to the regulator and to the Ministry of Economy for international transfers, instead of the obligation to request authorization from the guarantor body.

Main challenges and first actions

Among the main challenges stand: to prevent this constitutional guarantee from becoming “dead letter”; spread the knowledge of this new right among the Mexican society, as well as promote their realization and monitor its due observance; issue secondary legislation to give full effect to the provisions contained in the law; build a “commitment of responsibility”

with the private sector, in order to achieve high levels of compliance with the law, and through various mechanisms such as self-regulation; promote the model of certified third parties (self-regulation); provide in a rapid and timely way, technical support to those responsible for the fulfillment of obligations; implement computer systems of support for the protection of rights; raise awareness among the computer users, about the importance of this right; initiate appropriate actions to request the adaptation of Mexico before the European Commission; and encourage among the international community the adoption of regulatory developments in this area.

Being these challenges the main ones that we face, from the IfAI we have already begun the first actions with the creation of a technological system of open access on the Internet, Case Management System, where we copy the model that we already have in the law on transparency, where an electronic system is provided to citizens in order to make the request for access to information via the Internet.

The plan is that it will be running in the first quarter of 2012. The hardest thing will be the authentication process of those making such request for access or rectification, but we are looking for advice and working to find the best solution. This case management system will facilitate individuals to exercise their ARCO rights, will favor the treatment of complaints throughout the country, will offer type formats of privacy notices for those responsible, will facilitate the identification of security measures appropriate

Page 69: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

for the type of processed data and the responsible parties may look up tables of equivalence between regulation and rules to establish security measures.

On the other hand, we are also working on certification programs on the importance of recognition of this right to the protection of personal data; on the training of regulated subjects, holders of the data, and staff of the Institute; the development of a database with frequently asked questions, which are used to provide guidance though the telephone and Internet; deciding the model of territorial implementation of attention to procedures; the definition of the system for the treatment of queries, complaints and conciliation procedures; the definition of the methodology for the relief of procedures of verification and the preparation of list of topics and contents for the training of inspectors; and determine the procedure of accreditation of certified third parties.

On this last point we are immersed in seeing who is going to certify the certifiers in this process, deciding where companies will turn to so they give them a certificate that guarantees this process. But we still have to solve the problem that this warranty only certifies the accreditation the day when requested and not in the long term. Therefore, here we have no choice but to wait for a citizen to place a complaint and then do verify again .

Apart from the above, the Institute has designed models of privacy available for the private sector; and has held meetings with some members the

private sector, in order to clear specific doubts about the implementation of the law.

There is a particularly significant action, and this is the submission for public consultation of the specific regulation handbook on the matter, which we prepared together with the Ministry of Economy. We will take into account the suggestions that we receive in the coming weeks and assess whether we make appropriate modifications. We hope to have the regulation adopted before 2011.

The Mexican regulations allow a wide variety of processes, such as the ARCO rights (we can highlight our rule by the fact of not having to wait for the right to access previously requested, also to request a correction or cancellation; and because all companies are required to have a specialized unit in the field of data protection, as well as having its own privacy notice). The regulated subject must have appointed an Office specialized in the field of personal data. There are also procedures for the protection of rights, verification, lack of response, conciliation (something interesting that the regulation says is that it will have binding effects, so that at the time that the regulated subject is committed to something, it has to fulfill it, because if not it will suffer a penalty) and imposition of sanctions.

In this last section, our intention is not to constantly resort to punitive actions. We also have a mechanism to impose sanctions through existing minimum wage, which serves as a reference. We also have the option of penalty of imprisonment, of up to five years, or twice as long

Page 70: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

in the case of sensitive data, but our philosophy is to avoid punitive actions and promote the processes of conciliation.

finally, I would like to make a point about the power that the regulation gives us to enable self-regulation.

We are convinced of its benefits, and try to learn from the different experiences from around the world, as the cross-border privacy rules, or

the binding corporate rules that were already

discussed here.

The whole process of accreditations and

certifications enters this scenario, where we

seek to encourage companies to become

certified, so they feel that they have a backing

with regard to data protection. Our basic idea

is, simply, that there is shared responsibility

between holders.

Page 71: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

s Director of the Spanish Data Protection Agency since 2007, I think it is interesting to emphasize that, in its 20 year history, the Agency

has made a major effort in what Americans call “enforcement”.

Each institution gains its own profile and we have done this to assure the compliance with the law, giving a special relevance to the preventive attitude. It is true that we have also developed an important sanctioning task, attending to all claims that come to us from the citizens, but prevention remains one of our maxims.

In this sense, we have long experience in terms of these preventive sectorial investigations, which we have made in various areas throughout all these years, and which are lately more focused on new scenarios, such as advertising in the newest technological means, such as Internet or mobile smart phones, dealing with issues such as the access of minors to Internet or the use of video surveillance systems.

In addition, we have also attached special importance to the transposition of the European directive on traffic and location of electronic communications, or to other topics not so focused


Artemi Rallo(Professor of Constitutional Law of the University Jaume I of Castellón, and exdirector of the Spanish Data Protection Agency, AEPD)

Page 72: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�0

The technological fight against the organized fraud 2011 Summer Course

on emerging technologies, such as compliance with data protection in the health sector.

�,�00 complaints in 2010

The research capacity of the Agency has grown remarkably over the years. In 2007, we managed approximately 1,600 claims and complaints; and in 2010 we have almost tripled this figure, reaching 4,300 complaints. This increase is related to the increase of awareness of citizens, not so much to the increase of breaches or by moving away from the law by enterprises and public administrations.

If we wonder about the sectors that have registered an increased number of complaints, we have two historically conflicting areas: telecommunications and financial; where video surveillance has been also added. With regard to the latter, we have witnessed a significant growth of this technology in recent years. And with this, also the increase in the number of complaints relating to this practice since in 2006 the Agency issued an instruction governing the installation of private security cameras with a series of requirements. Thus, in 2010 video surveillance was the sector with most complaints collected, with 20% of the total, becoming the most penalized sector, but not regarding the volume of fines.

On the other hand, the different problems arising from Internet are also emerging, which are not in the first position of the Agency’s indicators, because the number (168 investigations on these areas in 2010) is not very significant, but not so in qualitative terms, where its value is particularly relevant. Because unlike other sectors such as

telecommunications and financial, citizens have more difficulties to identify problems that may affect the security of their data, and do not know an institution of reference in Internet where to report these violations. That’s why, in the Internet world complaints are not so numerous yet, and the Agency makes up for this situation by a more preventive action, making sectorial inspections or analysis of the different services of the Internet where some kind of insecurity of the information could be detected.

If we stop to analyze the issue of sanctions, these also have been increasing significantly, reaching its climax, in relative terms, in 2006, where the sanctions figure (almost 25 million euros) was generated by little more than 300 reported actions. In 2009 that figure of sanctions was reached by twice as many reported actions, showing a decrease of 50% in relative terms; and a trend we expect to go downward, especially after the entry into force in March, of the law which amended the sanctioning regime of the Agency.

ARCO Rights

Beyond of the sanction, the AEPD deals with the so-called ARCO rights (access, rectification, cancellation and opposition) when they are handled by public or private entities. And at an increasing pace in the last 4 years and consolidated in the last two, with a claims figure twice that of year 2007.

The rights exercised more often (54% of cases) are those referring to the right of cancellation, with examples such as the cancellation of data in

Page 73: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo �1

telecommunications companies that have already ceased to provide services. And these are followed by those of access (34%).

Specifically, the rights of access most frequently expressed have been those referred to data on payment delinquency in possession of financial institutions and the medical history; while the right of opposition, for its part, has been mainly related to the reception of advertising.

Also noteworthy is the unique contribution of the Agency to the Data Protection General Registration Office, where they oblique to register all the existing files. The Registration Office ended 2010 with a figure of more than 2.1 million files, experiencing a significant growth with respect to the figure of 2009.

Three axes: Video surveillance, advertising and Internet

In my opinion, data protection can be summarized in three words: video surveillance, advertising and Internet. It is my feeling, but also what the press says and wants to transmit to society.

About video surveillance or the conflict between data protection and security, we have talked earlier. It is a growing technology and raises various questions and challenges, having been the sector that accounts for the greater number of complaints in recent times. Nevertheless, it is a significant challenge for the sector.

With regard to advertising, I will put in value the fact that there has been a very significant

mutation in this scenario. We have moved very quickly from an exercise of the advertising activity based on the traditional means such as postal mail, which as of today does not pose any problem in regards to data protection, to the complex idiosyncrasies associated with technological media. In this context, the AEPD developed in 2009 an ex officio sectorial plan that summarized the actions in the society of advertising and marketing through fixed and mobile telephony and Internet.

However, if there is an environment that demonstrates the main challenge of data protection that is the Internet. It poses a maximum challenge for the specific legislation, which adds new problems to those the Agency already had and often remained unresolved. And that is because data protection becomes more complex and problematic once we sense the risk that the automated processing of all kinds of data has for personal information.

Having said that, the big handlers of data, financial institutions or service companies have seen how their conflicts with the safeguarding of this personal information were resolved largely thanks to the experience of recent years; so we have witnessed an important process of adaptation of these sectors to the specific legislation of data protection. But as in other areas, the advent of the Internet has added a greater number of complexities.

In this scenario, the first step was taken by the Agency almost four years ago to analyze an Internet service and learn about their adaptation

Page 74: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�2

The technological fight against the organized fraud 2011 Summer Course

to the data protection legislation. The European and Spanish Agencies subjected to analysis, in this sense, the functioning of search engines and their policies on cancellation of personal data referring to the IP address. It was a first step that later caused the emergence of other services that have left in a secondary place these search engines, such as web 2.0 and social networks, where citizens are active actors of the system. They can provide and exchange information and not only receive it. However, the popularization of these sites and the extension of its use have increased, if not skyrocketed, the risks on the personal data, as for example, in social networks, it’s alarming the amount of information of a sensitive and very sensitive nature that is provided and shared on the Internet, such as data on health, religious beliefs, sexual nature, or, even the communication that is established, which is also extremely sensitive to its violation.

There is no doubt that social networks are the greatest challenge that regulatory agencies of personal data protection face nowadays. They are born without paying the slightest attention to the privacy of the information, since they are born with the “logic of the Internet”, which seeks the widest dissemination and publicity. The designs are not defined thinking about privacy and how to protect the most sensitive personal data, but looking for the widest dissemination, regardless of the consequences, because they are not valued; they are simply avoided. This leads to poor and inadequate protection of the fundamental rights of citizens, which leaves our most intimate and private life utterly defenseless, without us worrying too much.

Problems on the Internet

After making it clear that the Internet is the greatest challenge that the regulators face in the field of data protection, let’s see what are the main problems associated to the Internet to better understand the ability we have to react.

Before entering other considerations, we cannot forget the added difficulty posed by the limited training of an average user. This is particularly worrying: the user uses the search engine, writes some email, access the pages of interest and creates a profile on a social network and there he posts, often without the adequate filters, a large amount of personal data. The problem is that this average user is unable to make a responsible use of the Internet service that is compatible with the protection of her/his most sensitive information. She/he is not aware of the need for privacy practices claimed by her/his data, or the risks entailed in not protect them adequately. for example, he forwards or answers to emails without using the carbon copy field, so he ends up sharing the addresses of other people on the network.

In this context, when it comes to address how to guarantee personal information on the Internet there are several questions that are still unresolved, because the data protection legislation was born originally for the real world, the physical database, and it doesn’t have its reference in this new area. But, of course, this has to be changing slowly, at the same time that the doubts that tarnish a faster progress are being solved. I’d focus these questions in four different

Page 75: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

areas: conceptual, technological, development of the Internet and of jurisdiction.

Regarding the conceptual, the laws of data protection exclude from its scope of application the domestic or personal environment, the so-called “domestic exception”. The Spanish legislation only exempts from its application the intelligence files, those applied to the fight against organized crime and terrorism, and the files of personal or domestic nature.

That being so, how can we categorize or assimilate to that concept what the social networks represent on the Internet? There the data, photos, communications, etc. are shared. Are we talking about a relationship strictly personal or domestic? Can we assimilate to share a photo on the Internet with the physical fact of stay at home of friends to see the pictures of the summer holidays together? Some defend from the conceptual point of view that we can, and hence it wouldn’t result in the application of the data protection law; but some others, of course, also believe otherwise. These doubts were completed to resolve in a document in which the domestic or personal character was refused when the so-called friends are not what we understand as “friends”, but in this account on the social network the number of contacts exceeds the number that can be considered assimilable to that concept.

In regards to the technology doubts, we have some questions, such as how to verify compliance with certain requirements of the law of data protection on the Internet. Here, if we take as an example the obligation under the Spanish law

that any entity to seek personal information of a child less than 14 years must try diligently to check the age of that person, something that in the real world is so easy, it draws attention to how complicated it is to bring this to the Internet world. In any case, we also say that there is an open debate on this, because indeed there are technological means that allow it.

On the other hand, there is a significant risk of sacrifice of the development itself of the Internet. I earlier referred to the transposition of the European directive, which requires informed and prior consent of the citizens before the installation of cookies on their PCs.

Well, a maximalist literal transposition of such a requirement of the Directive would put in check the development of Internet itself as we see it today, because it would require a constant consent by citizens to each act of navigation. Or also the demand itself for security that is imposed to Internet services, as many think that when managing the personal information of their basic activity then an extra security is required in the custody of such information, in front of other small entities.

finally, we would have also a problem of jurisdiction, since there are companies that claim the application of the US legislation, denying the application of the rights of the country from which the user operates.

New horizons

In light of these issues, regulatory bodies have to work very hard to solve these situations in the

Page 76: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

shortest possible time, because the Internet is evolving at a dizzying pace, and we could run the risk of not responding at the same speed.

We must emphasize, in this regard, the discussion that now exists in Spain and the European Union on how to transpose (in Spain there is already a draft law presented) the directive of the privacy of electronic communications with regard to advertising based on the behavior of Internet users. A transposition which poses difficulties in different scenarios, as it is the case of what is

related to the “Internet of things”, RfID technology

or cloud computing.

In addition, a few days ago, we knew that

facebook is implementing what is known as the

facial recognition on the Internet (not even Google

has used it, although it has the technology). I, for

my part, acknowledge having doubts about how

to tackle these problems, but I am confident that

in a short space of time we will have answer to the

most important.

Page 77: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��


Francisco Javier García Carmona: Increasingly we need to store more information, consume less, increase the memory and the volume of data, and of course share and make the information more flexible.

And at the beginning everything was closer, there was a more direct relationship among all

these realities, but recently the concept that has revolutionized the way of doing things is cloud computing, where associated keywords such as flexibility, demand, sharing, service, cost reduction, benefit, requirement, agility… As Shakespeare would say, “to go or not to go to ‘the cloud’, that is the question.”

In times of crisis, “the cloud” environments allow a pay per use and avoid the need to set up large-scale infrastructures of software or applications.

This round table addressed two subjects: Security paradigm shift: from the near to the distant; and Security in “the cloud”. for that purpose, it had the contributions of Manuel Carpio Cámara (Director of Information Security and Prevention of Fraud. Telefónica); francisco Javier García Carmona (Director of Information and Communications Security. Iberdrola); Guillermo Llorente Ballesteros (Deputy Corporate Director of Security and Environmental Protection. MAPFRE); Idoia Mateo Murillo (Global Director of Risks. Produban. Group Santander); Justo López Parra (Responsible for Computer Security. ENDESA); francisco Javier Puyol (Director of Corporative Contentious Legal Counseling. BBVA) and Carles Solé Pascual, (Director of Information Security. La Caixa); moderated by Esperanza Marcos (Professor of languages and computer systems II. Rey Juan Carlos University, URJC).


Page 78: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

It adapts to the customers’ needs, and even their most pressing security needs.

In my opinion, at this point, we must answer two questions: “Start for what?” and “Why start?”

And how does the concept from the near to the distant materialize? Certainly with a new technological direction, with a pay-per-use service, so we understand it in a simple way. We move from the earthly to the faith, in other words.

And a key question: who provides the services in “the cloud”? Are they ready to guarantee their security? Are data in “the cloud” safe? Since our great concern is the security of our information in the cloud environment. In addition to the security level, it is important for those who contract to know where “the cloud” is located (whether is located in third countries, for example), what the owner of “the provider cloud” offers, what possible subcontracting subscribes, etc.

It is an unstoppable craze. “The cloud” sweeps everything. It indeed has many advantages, but we also have to pay close attention to the volume of information that we place in its inside. I think it will be very positive that we all move to the cloud area, but always with caution and security.

And that is what the action of some agencies such as INTECO means, which works closely in the benefits of “the cloud”, and the Cloud Security Alliance, which brings together major manufacturers in the sector.

We can lose autonomy in the management capacity, and of course, the same question on the privacy and security of our data always goes with us. But it is unstoppable. We are all in “the cloud”... Is it a step forward or a new story? Does it involve a technological change or an economic change? Actually, it involves a paradigm shift.

On the other hand, we also have before us an important dilemma: if the cloud triumphs… Is there going to be more unemployment in our sector? They are things that are there on the table. Although I am sure that something will happen, we’ll change the model… And taking into account that many basic services, such as electricity power, gas and energy services, have been in “the cloud” for a long time...

Always cloud? I would say that “it depends”. There are obvious benefits and others that may come, but there are also many risks and others that will arise…

At this point... I pose two questions: Do we need to run so much or is it preferable to wait for the second round? And, on the other hand, are we going or is someone taking us to? And all this in the midst of a domestic dilemma: Am I “cloudable” or “abandonable”?

Guillermo Llorente Ballesteros: from this perspective, the landscape of the cloud is so idyllic… who shouldn’t want it? But that’s not the question or the debate. The question is what we want to outsource and under what conditions. And what obligations and what needs we feel when we externalize something. And what are the risks involved.

Page 79: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

In my opinion, there is huge pressure on the table, because it seems that if you’re not in “the cloud” you are archaic. And it depends… for a small company might not be the case. Why are we going to assume that you’ll be more efficient that I managing something? It depends.

The key question is what I can outsource, what your core business is. Because maybe you have no core and all you do is to manage parts of companies. In my view, if we assume that we must go to the cloud it’s a mistake. We’ll have to analyze the costs, the present and future ones, the visible and hidden ones. Is it better to buy or rent this building? It depends. If this building is the core of your business, it might be better to buy it; otherwise, perhaps not. If you go just because you have to, from my point of view, is not appropriate.

Carles Solé Pascual: It will depend on to whom you ask. for me “the cloud” is a competitive advantage today, because you can start a business without having to estimate the size of the company since the beginning, when you do not know how many customers and what needs you’ll have. On the other hand, in consolidated companies like ours, it’s possible that “the cloud” may not have the same functionality, and it’d be a not so good idea to bring everything to “the cloud”, with the amount of personal data that we handle. Here size does matter.

Manuel Carpio Cámara: In fact the decision on whether or not to go to “the cloud” is a matter of pure business, money. Although there is also a small legal problem... How the data will move to “the cloud”... If they are naked or not…

Anyway, there is an error of precision. We are not dealing with a discussion about whether “the cloud” yes or “the cloud” no… who is asking for is the business. According to the data provided in the International Cloud Alliance, held in March in Barcelona, 80% of North American companies are in “the cloud”, while in Europe they are only 5%. We must go to “the cloud”, it is inevitable. And the problem of privacy can be solved because we have the technology...

If the Chinese are in cloud environments as well as the US; If the Indians and Brazilians are heading to it… in Europe we cannot be thinking whether we are going to “the cloud” or not. We may regret in the future if we don’t do anything now.

Idoia Mateo Murillo: I agree with you, Mr. Carpio, that in the end all of us will end up going to “the cloud”; but I also agree with Mr. Llorente on the fact that “the cloud” is not suitable for all services, and probably it isn’t for our core business. We as financial institutions and entities in the energy business, have a terrible regulatory and audit pressure. And as you said the technologies are there... we have been at this for years as security officers, setting up a SOC, giving thousands of evidences per year, passing thousands of audits. We are in a comfortable model, and I don’t think that everything could be outsourced; the essence of our business does not, in my opinion.

Another thing is the deployment of a specific project, of, for example, about eight months. This is ok, because it will be more cost-effective

Page 80: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

to deploy a rapid infrastructure in a cloud environment that setting it up physically. But that’s not the case in the core of my business.

Manuel Carpio Cámara: You are giving me business arguments, and that’s what I wanted. I don’t think that we shouldn’t get carried away by an atavistic fear of going or not to “the cloud”, and not even because it’s trendy that others are already there (there are companies which are externalizing the email in the cloud because other renowned companies are doing so) without raising cost-benefit metrics. What I’m asking for is thoroughness when making these decisions.

Justo López Parra: I agree with almost everything exposed. And I also think that it will be the business that tells us if we are or are not going to “the cloud”. Another thing will be that of putting security in the cloud environment, which will mean more than one problem.

What I think is that there will be indeed a part of our business in “the cloud”; but there will also be other than not, because it will be very difficult to put security in these environments.

Guillermo Llorente Ballesteros: That the business asks for it… what business, I say again...

Let’s see, I’m from business, and have no idea on technology... Do you really believe that my President or my Vice President is thinking whether they take technology to “the cloud”? They do not think about it. They only think about it if they come together with yours, Mr. Carpio and he tells him about it. When he says that has a great

service that will save money. And my boss says “great”. And I say that too.

The problem is, equally, how you measure how much money I save, and who will then assume the risk. Do I have to be less demanding with Telefónica or BT than with my long-suffering people from IT production?

What I consider is that not all trends are positive. I don’t say either that they look at the other side. What I am saying is that we must evaluate them and then, we’ll see. We already know that Google offers email at $60, indeed; but do you know that it does not guarantee the recovery of email? It seems that you have to resort to an act of faith... “My name is Google and am sure that you will keep the email, but if not…”

What is causing me outrage is that someone wants to sell me a motorbike and doesn’t let me ask what engine capacity it has. And he tells me: “hey, it’s a Harley…” Yes okay, I know, and I think it’s great… but what engine capacity does it have? Is It yours or mine? Where will it be stored?

Manuel Carpio Cámara: I should clarify that “the cloud” that said in generic are many “clouds”. There are gray clouds, white clouds, black clouds… there are many types of clouds, and there are many ways to outsource infrastructure and services. What I mean is that one thing is Google, a cheap and rude version of “the cloud”, and otherwise is a serious service with its SLAs.

Francisco Javier García Carmona: It’s, as I said before, a paradigm shift. It’s a change from a

Page 81: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

technological model to a pay-per-use model. It is not anything more than that. The business does not have to speak in security terms, but in terms of service, level of service.

Idoia Mateo Murillo: I think that security risks are not owned by the business, they are our problem. for example, in “the cloud” proposed by Google the problem is in that they don’t allow us to audit it, their agreement clauses prevent us from doing so. The financial institutions are subject to many regulations, and we must comply with what was raised in many countries. Then, when we deal with it we try to comply with thousand regulations, controls, and evidences… but when it is in “the cloud” we can’t do it.


In the village of my family in Majorca, there was no running water and they had their water cisterns. When the running water arrived, they continued to keep the cisterns, just in case…Do I also keep my infrastructure if “the cloud” does not solve all my needs?

Carles Solé Pascual: I agree on the model. Here we talk about going or not going, and I talk about what we move and what we don’t.

Francisco Javier García Carmona: The problem nowadays is not “trust”. We all have to enter “the cloud”... and “the cloud” has to adapt itself to the conditions of the service, not so much to the technological.

Manuel Carpio Cámara: We are not those who decide if we want to go or not to “the cloud”. This is the way things are, and you can recognize this and join or not join. Okay, they are business decisions, where there is business, and if it is in “the cloud” so there we go. It is not something that we have invented, it comes imposed by society.

Guillermo Llorente Ballesteros: This is just what I heard to say a few years ago from a professional of the savings banks: “It’s the real estate market, you have to be there...”

Manuel Carpio Cámara: In that case we will fall, but we will all fall.

In regard to this idea that Mr. Carpio said before “we all know what a cloud is”, I see two aspects: one is the philosophy, the outsourcing; and the other is the technology, where I connected before point to point now I do it over the Internet. What were you referring to, Mr. Carpio, philosophy or the technology to distribute and virtualize?

Manuel Carpio Cámara: There are many models of cloud: IAAs, SAASs, etc. There are many types of cloud, and Google is just one of them. I speak of philosophy and technology, of outsourcing in any case.

Francisco Javier García Carmona: I think we just have to talk about philosophy. I don’t care how they get my service and how they are going to give it to me. What matters is that you meet a series of requirements. We are talking about cloud and outsorucing… there is nothing new under the Sun.

Page 82: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�0

The technological fight against the organized fraud 2011 Summer Course

It is a great critique that we have to do to these outsourcing service providers… Gentlemen, let’s continue calling things in the same way, do not change the reality because we are talking about a single reality.


Francisco Javier Puyol: I am the only jurist of the table and therefore I’m quiet. There is much talk of security, business and little about law, but it is important to also define legal frameworks. The concept of cloud is a concept of legal development. There are many elements that are changing the landscape of the law, because we have to regulate the new situations, new society and new technology.

So far we haven’t talked much about “the cloud”, and only it has addressed in partial regulations. We must bear in mind what “the cloud” is exactly: it is information, infrastructures, applications and services. Thus we must regulate on the basis of these four concepts and see what regulation is applicable. But I find with sectorial regulations partial on each of the concepts, and what I need is a global regulation.

In any case, regarding the rules to apply… we must also keep in mind that a cloud on a small scale is not the same as other on large scale and with a significant number of services. Nor is the same a national cloud than another international… what jurisdiction would apply? We refer only to service providers and services provided to companies or also to customers or consumers?

Here I am talking from a substantive perspective, but also from the perspective of data protection, front for which we must take care. And here we have to apply the same parameters, from jurisdiction to applicable regulations.

Nowadays much is discussed about these issues, but “the cloud” will be also accompanied by those legal developments that allow us to devote it to all kinds of services, applications and all types of infrastructures. And we all know that when we come out of the European Union and secure ports, our foundations tremble. This project is very interesting, but we are out of step with the regulation of law.

Idoia Mateo Murillo: I agree on one thing. It seems to me very important to know where our provider in “the cloud” is, because there is a framework there and the cloud will house not only personal data, but also other types of information that also has to comply with the regulations. To me it is important to know physically where my cloud provider is, because I will have to resolve the question of what Data Center I will show to regulators and auditors.

Francisco Javier Puyol: And, of course, it is also important that regulators support us. We can have an impeccable regulation, but if we don’t have the approval of the regulators… We can make a point to the AEPD to see what it says: what happens if we present a contract where our provider is not identified in a physical address… it could be in Tanzania… The AEPD will tell us that it is not legal and will require us the specific place where it’s located.

Page 83: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo �1

Carles Solé Pascual: And beyond the lack of security in certain places, there are also the rules of the various Governments. If data is sent to the US or China, these Governments require this information to be visible… so we are also talking about a problem of confidentiality.

Francisco Javier García Carmona: As I said, we talk about this issue in two keys: confidentiality and privacy. We work in many different parts of the world and it generates a pile of complexities. In the end, I think that the countries that fall within the umbrella of the so called “safe ports” or “trusted sites” will benefit from this. It is infinitely complex and here the lawyers and the AEPD will now have to work hard, on all that is coming.

Francisco Javier Puyol: The legal reading of all this is to promote the regulations development of the different markets and not only as regulated markets, where companies can compete on equal footing and where there is a modern regulation. We will find difficulties as we move or make transactions to some countries and others. The only way is to create more safe ports and regularize all possible situations.


Data is protected not only when is in a place with the same laws as your country, but there may be other models: the US safe harbor, where it is true that the laws are very different from the European but there is the option that companies adhere to other laws more comparable. What is your view, Mr Puyol, on these models?

Francisco Javier Puyol: We are in a period of regelation transition. There has to be a change in philosophy in the regulation of data that we know today. Until now we have dealt with the perspective of the citizen, and now have to incorporate new developments that respond to other environments, such as “the cloud” or social networks. And we cannot address that from a local perspective.

In the first phase we will look for regulated markets, where companies can compete on equal terms and there is not cannibalism with the data of persons. And we require that security, while still being a fundamental aspect, is not the only one with that we address this scenario. We must also lose that sense of “normativism”, of localization… we are putting restrictions to ourselves.

Do you think that is more secure a credit card contracted with the Santander or BBVA, or with the Citibank of New York, which, unlike the European, can carry your data to anywhere in the world?

Francisco Javier García Carmona: If the international standards are met, I don’t care where you contract it.

Guillermo Llorente Ballesteros: There is great concern for the privacy of data, and also for the availability and confidentiality of the same. My perception is that these two entities, Santander and BBVA, have a degree of higher security than that offered by the American banks in general.

Manuel Carpio Cámara: If we stick only to the regulatory matter, the three are under the burden of the PCI DDS, so let’s say that they go hand in hand.

Page 84: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�2

The technological fight against the organized fraud 2011 Summer Course

Another thing is the perception of privacy that we have in Europe and in the US (where currently a Personal Data Protection Act is under way). In Europe, space in which privacy is a fundamental right, companies do not want anybody to play with their data, while in the US the privacy is understood as the “right to leave me alone, especially the Government, that they do not get in my private life”.

Idoia Mateo Murillo: We need the same flexibility as the Americans, who surely have the same access control and the same technology, but more flexibility to operate.

Manuel Carpio Cámara: The problem is flexibility, indeed. In Telefónica we have had wise meetings where we discussed about whether the data protection act allowed us to share the directories of the lotus notes of a fellow team member in another part of the world. And it turns out that knowing the name, surname and phone numbers of a fellow team member of Peru is international transfer of data.

What do you think about the compatibility between “the cloud” and the law on Protection of Critical Infrastructures?

Guillermo Llorente Ballesteros: We want the critical to be under control. We are outsourcing a service that carries associated data, and we are no longer depending on ourselves for the continuity of the business.

Manuel Carpio Cámara: “The cloud” has a fundamental advantage. If you are a terrorist and

you want to know where to crash a truck loaded with explosives, that in “the cloud” is not known.

European operators have joined together in a global agreement to try that Spanish and the European laws on critical infrastructure protection will not become a restriction on “the cloud”, because of a misinterpretation of the security problem. I believe in the cloud, if what we are looking for is the availability. The last thing I’d do is to put everything in a bunker because the “bad guys” might have it located.

Idoia Mateo Murillo: In the end, the problem is the business continuity. And it’s an issue of relocation: the earthquake in Chile did not affect us because the host computer is in Spain. Now I make annual contingency tests, I have local and national disaster recovery, but if you are in “the cloud”, we do not know what it will mean for us.

Justo López Parra: We went indeed through this. Our computer systems that support the electricity generation and distribution, which have a very high level of security, are on a separate network. But it’s never incompatible with taking them away to “the cloud”.

Francisco Javier García Carmona: In this regard, we could refer to certain services that could have outsourced the production environments, in this issue of the critical infrastructure and “the cloud”. for the critics, however, there isn’t such a mindset. What can be critic will have to be closely tied and re-tied with appropriate service level agreements.

Page 85: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

Do you think that we can prevent the citizen from going to “the cloud”? Two examples: last year Google and Apple displaced Nokia as leading manufacturer of mobile phones; and Paypal, which is a company of “the cloud”, is the Bank that manages 50% of payments by the Internet.

Idoia Mateo Murillo: It’s a generational shift. Young people don’t care about whether it is safe, they use the services and will continue to do so in the future. for them, the security in “the cloud” will be like a commodity.

Francisco Javier Puyol: This is a game of supply and demand of services, guarantee. It is a reputation game. All of these factors will make the consumer to opt for a traditional company or one in the cloud environment. In my opinion, it has no more reading than a matter of adjustment of supply and demand.

Guillermo Llorente Ballesteros: And why is Paypal the Bank of “the cloud”? Because the perception of the citizen is that it is more secure.

It appears that those who are afraid of entering “the cloud” are financial entities…

Manuel Carpio Cámara: I think that it is an opportunity. Anonymous attacked us last weekend and we have been able to defend ourselves.

Regarding critical infrastructures, where the law also says “against non-deliberate attacks”, the catalog listing developed to the effect puts us in third line of beach (in first line we have

the electrical power and energy; and then transport).

We strongly believe in the possibilities of “the cloud”. We have been supporting it for some time, it’s nothing new, and we are delighted that you contract in “the cloud”. There is no reason to overwhelm or to have fear...

Guillermo Llorente Ballesteros: It does overwhelm me, because what has been proposed deals with the core of my company. And I am not quiet.

One last thought: Coming back to Paypal: I can register as Juan Carlos I King of Spain and it doesn’t have necessarily to verify my identity. As an industry, Will we have to compete with unregulated models? Are we going to have the capacity, as corporations, as multinationals, to fight and compete against these clouds?

Idoia Mateo Murillo: If the legislators and regulations don’t help us, it will be impossible. We have to have traceability of our customers, know their names, know their IDs, keep their information for a specific time, etc. None of our entities can compete against what has been posed.

Francisco Javier Puyol: I believe that regulators are important but not decisive in this topic. Going beyond, we are checking it every day with the economic news, and the news related to financial institutions: the world is changing and the society is demanding a change from us. That is the crux of the matter. We think of authentication, but at

Page 86: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

the end we will have to evolve more and develop systems that are much more agile and that allow us to be on equal terms with these companies that have a very low level of legal certainty and a significant absence of regulation.

Manuel Carpio Cámara: It’s what Javier said. What happens to us is that we are fighting with one arm tied behind our backs, and it’s not fair.

Francisco Javier García Carmona: Recently I

saw a report about a German manufacturer who

talked about where the technology will be within

15 years. All our data will be in “the cloud”. And

we will also have the new RfID technologies and

geolocation services. Privacy in the personal

sphere, no longer the business sphere, will be

“minus 10”.

Page 87: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

ne of the most innovative and exciting topics for us analysts is, without a doubt, the cloud world. These environments have emerged

as the new panacea in the information security world and customers need to understand what their opportunities are, as well as their risks and uncertainties.

Despite what you may think with what I am about to explain in my exhibition, I am an advocate of “the cloud”, I believe in its benefits, I am not against a progress as important as that is, but I am very critical with the costs it has associated and which may adversely affect our business. It is not

about saying “no” to the technology, but about helping customers to better understand it.

What the companies in “the cloud” value

The crisis situation where we find ourselves makes organizations work for greater effectiveness of costs in the computer services, and this valuation, the associated savings, is one of the main considerations that customers refer to when it comes to opt for a cloud infrastructure.

But the costs are neither the only nor the most important consideration that organizations have in mind when opting for these environments.

Tom Scholtz(VP Distinguished Analyst Gartner)


Page 88: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

When asked in one of our annual surveys for the requirements to take into account when they consider to contract services in “the cloud”, the companies pointed out issues such as security, privacy, reliability, business risk and loss of control. This demonstrates that apart from its initial concern, there is a healthy understanding of what “the cloud” means and a concern also about the potential risks associated with the use of these models.

Two sides of the same coin: more potential and more uncertainty

In my opinion, cloud computing, like many other things, has in its definition two perspectives, as if they were two sides of the same coin. On the one hand, we have a very attractive environment which encourages us to use its full potential. And here, thinking like businessmen, we can argue why not pay for these services as we do for other types of public services. Many conceive the computing services in “the cloud” the same as electricity power, water or other utilities, and then wonder why not make the payment per use as we do in the rest of these services, and not spend large amounts of money in complex and fixed infrastructures.

The other side of the coin, however, is that “the cloud” is, in essence, an outsourcing mechanism. And we all know that if we outsource we lose direct control of the security actions related to the protection of our information. And when you are outsourced, one of the biggest challenges of “the cloud” is the lack of transparency for the customer. We can’t enter to validate these services

that they provide to manage our security, can barely control either the process or the result, and don’t know the contracting procedures of who provides the service. When we outsource it, we are putting it in the hands of others, with all that this means. With the entire increase of uncertainty it entails. And for this reason, then, it also means greater dose of risk for us.

Risks: technology and people

Then, what are the most dangerous risks of “the cloud”? We are talking about economies of scale, taking out work loads of dedicated servers, using dynamic workload environments and optimizing them to offer the best service at the best price... and all this poses a major issue: who will take care of my workload to operate effectively in a virtualized environment? That my workload will be moved to optimize performance? How do I know that the people who work to support these services have been properly selected and I can fully trust them?

It is true that my technological colleagues say that virtualization technologies have very good tools. But this is not just a question of technology. The behavior of the people is fundamental also here. There are documented cases that talk about how some “cloud” administrators accessed unauthorized personal information of the supplied email. Thus, we not only have to understand and solve topics of technology, but also on people’s behavior.

And that is the great dilemma: technology can offer us ways to control the procedure, but there

Page 89: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

are other aspects that we need them to work also in the most optimized manner possible. And it’s about people, about how we can ensure the integrity of people accessing our facilities and data.

Another big issue is the one related to the recovery of the data. How will the cloud provider get these recovery capabilities optimized? There are voices in the industry that convey the message that the location of data doesn’t matter, that makes no difference. And others, at the same time, ensure that we don’t need to have any support infrastructure, since they clarify that there are so many copies of the data that, if something goes wrong, in a part of the storage mechanism we have another redundant copy of information… and often we don’t realize that the infrastructure hasn’t been ever available.

There is always another version of the data somewhere else. But, beware. Because there have been cases of attacks on the e-mail system to corrupt the system deliberately. Here there is no asynchronous backup system for customers; all the systems are on-line, so that all of them were destroyed as a result of the attack by hackers.

In this way, when someone tells us that the location of the data doesn’t matter, we must be careful, because it depends. If we are subject to the legislation of the European Union, it does matter where the information is located. If we are outside the scope of action of the European Union we will attend to legal implications with regard to the privacy of data. And the issue is that if these data are replicated we have all this amount of

copies of the information in real time, and what happens if we decide to change from one place to another? How are we going to recover all the data?

It’s like what we say to our children with regards to facebook, that they have to be careful with what they write there, because it might be the case that you can’t delete it ever and that could harm their future. With regard to the cloud is similar, How can we know how many versions of our data are going to be floating out there? Will they will be accessible to other people?

Two perspectives of outsourcing: responsibility is not outsourced and you don’t outsource what you don’t understand

Having said all that, I will not tire of recommending caution with the people we listen at. We have people in the industry that confuse, claiming that it doesn’t matter where the data are located and that it is not necessary to have an asynchronous backup system.

And we must take special care because this is contradicting the two essential principles of outsourcing: we can never outsource the responsibility to protect our organizations, and that we should never outsource what is not understood.

With regard to the first point, from a security perspective, the responsibility of the information security may never be outsourced. I have to ensure that the risk is managed in a sufficiently correct and appropriate manner. We can

Page 90: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

outsource the operations, implementation, integration, but not the responsibility to protect the information. And a good example of this would be what happened in the Gulf of Mexico with the BP spill. In fact, the operations were contracted by this company to a total of five different companies; but, who was found guilty? Of course BP, and not the subcontractors.

About the second perspective, we must not be so naive to outsource what we don’t understand. It’s like giving a blank check. How are we going to know how much to pay for a service if we don’t understand the technologies and the process of what we do? This leads us to the following: there are many innovative technologies and surely we don’t have information and sufficient training to properly assess them.

More than one model

Anyway, we have to start from the idea that “the cloud” is not defined in a single model, but that there are different versions and needs. And the choice of one or the other directly influences the level of control and responsibility that we have on the security actions. If we operate according to the platform as a service rather than the software as a service, the responsibilities will be shared, and the provider will have in this case a greater responsibility over a large part of the operations.

The important message is that we have to understand the nature of the service and understand how to translate the responsibilities of security in practice. But, indeed, always

remembering that, regardless of the model we will never be able to outsource responsibility, only some of the operations. And the provider, for its part, will have to be able to validate if it is fulfilling or not successfully the mandated tasks.

On the subject of cloud providers, we also find a wide spectrum of players. We have providers who, coming from the business side, understand our business needs; and others who unfortunately, come from the consumer side and their attitude is another: they just offer the service, “don’t worry and sign here”, pretending that you don’t want to know more about the contract nor how they will assure the security of the data. You can’t ask them how they are going to deal with the protection of your information or ask them to show you how to manage recovery mechanisms for disasters. They won’t tell you because they consider that you don’t have to know it.

The message is that much more information and more internal control have, easier it will be to verify the controls. It’s get some minor uncertainty and, therefore, levels finally also have less risk. The verification is everything. You can have more capacity for scale, have all the resources to ensure a more secure environment, etc., but the problem is in the verification capacity, pass tests of vulnerability, do audits on our behalf.

We have to realize that business has to understand that there are risk differences based on the level of information, assuming that the service provider is willing to provide us with the necessary data.

Page 91: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

So, what can these control mechanisms give me? They can give us the opportunity to monitor the protection of confidential data and identify the management of access and identities, and we may get to know who has access to what and from where. This last control can be useful to remove access to those employees of the service provider when they leave the company.

In short, it is not a question of whether the provider has the tools, but of whether or not they use them. That they meet the requirements and needs of the customer, share the monitoring process and demonstrate the process of incident management.

Actually, if we compare the cost of an in-house service with the cost of outsourcing it to a cloud provider, we see it is much lower in this second case. But what should also be taken into account is whether we are prepared to invest resources to get additional guarantees that help us to control the risks. Because in the end it may be that “the cloud” becomes a more expensive option, or at most, that the difference between the two proposals is not so big.

In this context, I heard in some meetings that many times the costs associated with “the cloud” in terms of increased security, or the greater extent of the necessary bandwidth, may have come to be costs often similar to those of the service provided from the customer premises.

We are surely thinking about to subcontract one or two providers of technology and services in the cloud, but often we end up subcontracting

a greater number. In a study we did on United Kingdom a few months ago, we found that the majority of organizations were already using, on average, a total of 6 service providers.

It may happen that there is a place on the Internet where the volume of data is very high and the sensitivity associated with them is, on the contrary, very low, as facebook; but, generally speaking, because of the use of the application, today the sensitivity of corporate data tends to be quite higher, and then we have to deal with more risks.

We have cases where the value of the data is very low and the sensitivity is high. for example, if we work in a federal Department. There I believe that it is a good idea to pass all security applications to “the cloud”. Although we would do is to block the most sensitive information, such as emails or certain reports that we were working on.

We can also come across a situation where the sensitivity of the information is very high and the value for the business is also high. In this case, we have to use it, and manage it. An example would be the relationships with customers, or sales relationships. This is a simple model, which shows that the security people don’t have to participate in all the cloud activities.

And at this point, what are the key reasons that lead us to adopt services in “the cloud”? (Before we saw in another survey why adopt them). On this occasion, requirements for security and privacy are pointed out, even more than the ability to grow. I believe that common sense prevails.

Page 92: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�0

The technological fight against the organized fraud 2011 Summer Course

In essence, this is what I wanted to share with you. “The cloud”, the infrastructure, software, are valid models that potentially give much value to the business. However, they have associated uncertainties. The way in which technologies are being used and how the working methods and the workload management provide a greater uncertainty, that’s why we have to pay special attention to how all these scenarios are being managed.

Cloud computing is good, and I am in favor of it, although it has a few additional risks associated with the technology. I believe that there is an opportunity for us as security officers. We must act with caution, but looking towards the opportunities.

Page 93: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo �1

ll of you may recall that so-called quiz show * “one, two, three...” where the contestant had to choose among three options (two pumpkins and

an apartment in Torrevieja) and that mimics the known as “goat game”. With the game that I propose it is explained that the percentage of possibility that we have to get the apartment in Torrevieja or the gift that is hidden in the triad changes if, being the first discarded card a pumpkin or a goat, and keeping with us two letters of your choice, we modify our initial choice.

Santiago Moral Rubio(Director de Riesgo IT, Fraude y Seguridad del Grupo BBVA)

THE DARWINIAN COEVOLUTION (As a strategy in the technological innovation

applied to risk management)

In other words, if we have the cards A, B and C, and we have to choose one thinking that it is the apartment in Torrevieja: what is the probability to get it? It seems that 1/3 and it’s true. But… and if A is chosen, and then we discard, for example, the card B and this is a pumpkin… and now we are left with A and C: will I have the same percentage of probability to get the apartment if I continue to keep with me the A choice or will it will if I switch to the C option? All you will say that it is the same, but it isn’t. If we modify our first choice right now, the chances of getting the apartment increase up to 2/3. To many this seems to be verbiage, but if we apply the logic game we can see that it is so and, by the way, check “how idiots that we are

* Note from Translator: Spanish TV quiz show exported to other European countries.

Page 94: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo�2

The technological fight against the organized fraud 2011 Summer Course

the human, we are unable to reason about events of different origin. We believe that we have 50% chance in the third round and that my past history doesn’t count. But I tell you that it does. So in a game if someone takes away the bad one, change always, you’ll double your chances of getting right”.

Unverified beliefs: What is not Cassandra

Now we’ll make another game. Try to say “row” twenty consecutive times. It will happen that I’ll get to a point where I don’t know how many times I really said “row” or the swearword that we all are thinking, and we tend to believe that the cause of the twentieth is still the same as the first, and possibly, this is not so.

In view of this, another question: what do you think is safer, a token or a coordinates card? Everyone will think that a token. Well, it is not so, though it may seem otherwise. The truth is that it is easier to design a Trojan horse to attack the security of a banking access through token, where a one-way communication is established, where the user will be giving all the time information to the hacker even though he is not aware of it, than by means of a coordinates card.

More questions: Can someone tell me where is coming from the idea or belief that we must change passwords from time to time? Perhaps in the first information systems that made sense, it meant that the password “Hello” always gave the same result… hence it was very easy to build a reverse password dictionary. But actually is something not contrasted and all we have

invented a lot of mental justifications to continue to defend this idea not verified.

All this basically is summarized in the message araised by Victor Chapela in his presentation: “The units of risk that we use have been seldom contrasted. In the 90% something we don’t verify them… they are memes that we learned because we had to”.

This is what we are trying to do with the Cassandra model… that force us to analyze the truths, not the beliefs. The essence of the model is that: If we manage to differentiate what we do really to defend ourselves and what we do following “memes” or fashion or what “we have to do”, possibly will have opportunity to put our businesses and Nations above the competition, as we reduce the operational cost of the risk and reduce the operating costs of the company.


Changing the subject, we will go into the concept of coevolution, around which we have created our Research Center for Technological Risk Management (CIGTR); I’ll explain this concept by resorting to the discovery of an orchid named “Christmas Star”.

In 1822 the french botanist Louis-Marie-Aubert du Petit-Thouars discovered in Madagascar this orchid, whose most special feature is that its spur is much longer than that of any of its congeners, measuring 29 cm in length. The problem is that the botanist didn’t find any pollinator that could

Page 95: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

access the nectar located so deeply, being at the bottom and occupying as much four centimeters.

In 1862, Charles Darwin in a work on the fertilization of orchids proposed a solution to the enigma: the pollinator of the particular Madagascar orchid should be a butterfly with a Spiro-trunk between 25 and 28 centimeters in length. But as any Butterfly with such a long trunk was not known at that time, several entomologists ridiculed the hypotheses of Darwin.

Had to wait until 1910, Karl Jordan and Lionel Walter Rothschild found the bug that pollinated the “Christmas Star” Orchid: a subspecies (geographical breed) of the sphinx of Morgan. And until 9 years ago, it hadn’t been filmed ever. Its name: the predicted orchid butterfly.

I have told this story because it is curious that someone predicts a specimen when observing the existence of another. And after this the theory of coevolution was enunciated in 1980… which says that there are species that wouldn’t have evolved if at the same time others had not evolved together with them.

And in my opinion, this is something that we can move to the same idiosyncrasy of the knowledge society: now everything is related, and the information we share advances an effect in the receiver that allows the creation of new “ideas” that we continue to share.

The knowledge society shifts of paradigm: I no longer leave from my ideas, but from my ideas disseminating. And this means that, in this sharing

of ideas, my ideas can enrich, and thus only grown... And our philosophy is based on that at BBVA: If you want to be great, your environment must be great. Nowadays is not worth that only you are large, it cannot be sustained, that is why we are committed to a model of information where you share knowledge as the central axis of motion; and that is, precisely, where our CIGTR is based on, where we have already begun to have results. Let us see, then, what results has given the coevolution.

Eight years ago at BBVA, together with GMV, we started some innovative projects, such as the so named Gesvult, which was a monitoring system to have the perimeter of our organization controlled; and five years ago other projects were born too, thanks to an exchange of ideas with again GMV. We started to tell us everything that we thought an ATM had to have to be safe, and software was developed, which is marketed today.

And currently, for example, I personally have been working with Victor Chapela for several years on a book that we hope will come out someday, where we combine his vast experience in graphs and his perception that this is the best way to measure security, and my contribution with my book on the game theory, because we are convinced that in the future both will converge. What matters is the path, not the final result. It is important what we have enjoyed and learned. So much that I already don’t know which are my own contributions and that of the environment.

Page 96: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

Goal of the Center

In this field of the game theory, moreover, we are already working at the CIGTR, along with the foundation of the Rey Juan Carlos University, for the development of a methodology of this style. And, at the same time, we are also working with the faculty of Mathematics in a couple of projects, in which context I stress one dedicated to the extension of the Cassandra model with a methodology of analysis based on graphs.

The Center aims to share information and create a greater knowledge with good scientists in a neutral space. But, what is this system based on? It’s then based on the convergence of three points: companies like us that have data and needs (to investigate we need data: if I want to design a new system of fraud analysis, either I have data of fraud or it is impossible); scientists who want to have more knowledge; and industry that wants to have more and better product.

This course is the first action of the CIGTR. from now on we are going to see what interest we generate in other universities, suppliers, engineering and consultancy companies, etc., which want to work with us.

Ongoing projects

We have developed, with the part of Cryptography from the faculty of Mathematics, some algorithms of preservation of format and a token, which will help us in the implementation of PKI. Also, we have helped the company RSA, the Security Division of EMC, to develop hardware for host

environments, which adds to its big experience in distributed environments. Already a first version is designed in our premises…

With all this, the improvement of knowledge between BBVA cryptographers and scientists of the University has been spectacular. I don’t know if we’ll get from this model something usable or not… but what I do know is that the expert BBVA cryptographers are now experts in preservation of format algorithms. I don’t know if we will do something or urge any manufacturer to release it on hardware.

We are also working with this Department in some algorithms that relate levels of investment with service level to see how the fall in the level of service is projected when you decrease the level of investment. It is especially interesting in models of crisis.

On the other hand, and following the enumeration of other lines of work, we highlight the models of cyber-biometrics, field in which we have begun to combine parameters of the users behavior along with a biometric recognition in a model that we call “cyber-biometric”, where the behavior and biometrics mingle in order to have a concept that we have christened “natural authentication”, and with which we are already working also in collaboration with other Universities.

Moving on to other issues, and already out of the CIGTR, but within the Plan of innovation of BBVA, we are working on the production of new models for fraud analysis based on disruptive mechanisms of artificial intelligence, or other

Page 97: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��

types of artificial mechanisms. Here, for example, we were working with a company from California, Numenta, on a mechanism of artificial intelligence based on the functioning of the neocortex and the hierarchical temporal memory.

At the same time, we work with GMV in another project using artificial immunity, which is reporting us very good results. At this point we must emphasize that we are working on production models of three phases. We first make an assessment of whether the model can work; in the second phase, it is built to make a formal verification that the model can withstand; and in the third, it’s already assumed the complete construction of a system where we can put already all the workload. In today’s event we are communicating what we’re doing, and what we are going to continue doing… The following steps will be aimed to talk to the rest of companies in our area.

Cassandra Model

And now I would like to talk about the Cassandra model, which in itself is one of the best examples I can give you of coevolution.

If we do a bit of history… in 2001, when I was in a “circle of comfort”, was fortunate to have as chief Javier Viñuales, and at that time the Group’s Management obliged us to justify in an irrefutable way what is exactly what we were working on. Management supported all actions, but I exchange we had to justify and reason out them all. We explain our maxim: the segregation between the data and the application is zero, so it is useless have them on different networks.

This attitude of never stop questioning ourselves is the fundamental part of the DNA of our Security Department. We question the best practices, and when we had something based, Management indeed supports us. It’s a fractal of security, non-linear behavior. And there is a moment in which we begin to break this cause-effect link to see beyond… and we realized that it had to do with the games theory and I started reading the first book of the game theory.

In essence, the Cassandra model all it does is to question the “memes” of those who we have spoken these days, and from there, it builds everything on the basis that it has to be profitable. It is based on the analysis of reality, which cannot be done without knowledge. We made a database in 2005 with all the security incidents that we knew of from the industry, of which public part was made available to INTECO a few years ago. “When we say that you do or not do something, when we advise you, we don’t do it on opinions, but on facts”.

In essence, we respond to a scheme that we have called “the drawing of the fried egg”, where we are going from a concentric circle to another according to their impact in our business: pass from “things in security that can happen” to “things that have happened”, then come to “things that have happened in our sector” and “things that have happened to me”, then come to “things that happen to me with relative frequency” and, finally, “things that happen to me every day”. The fundamental question is this: where is the problem you want to solve? If it is in the “happen to me every day” we will have to do whatever is

Page 98: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo��

The technological fight against the organized fraud 2011 Summer Course

necessary, even without budget, and hence you will see in the prioritization system… for budgets, time and resources.

Regarding the rest, we work with different methodologies too. for example, with business continuity technologies we are dealing with those “that happen a few times”; meanwhile, we turn to classical methods for those “that happen very few times, but which impact is incredible”. In the backbone of security problems, which have to do with confidentiality and integrity, is where we apply the model Cassandra. And this is the model of reasoning by which we design the security policy, the model of control, etc.

And what has this to do with the game theory? The response focuses on the context of the intentionality and the coevolution in the case of fraud (remember the example of the Orchid, whose existence “forced” the existence of a

butterfly in particular). If there is fraud is because it is profitable, because it generates a benefit to an attacker, either economic, or of moral satisfaction. It is the essence of this model. This is analyzed with theory of games... nothing happens that isn’t profitable for anyone, if it isn’t an accident. And moreover, the ways they happen are optimal for the attacker.

Having said that, I‘m going to declare this first course closed, where we have not tried to reach conclusions, but open new possibilities and channels of communication. We hope to have achieved it.

We’ll see if it is of interest to repeat the format in coming years, and with what content.

I’d like to give many thanks to everyone for your contributions, and for the synergies that the coevolution will provide us.

Page 99: The technological fight against organize fraud

2011 Summer Course The technological fight against the organized fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo ��


Page 100: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo

The technological fight against the organized fraud 2011 Summer Course


Page 101: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo

2011 Summer Course The technological fight against the organized fraud

Course Opening. (Left to Right) Alberto Partida, Gary Warner, Francisco García Marín, Pedro González-Trevijano and Santiago Moral.

Pedro González-Trevijano, Rector of the Rey Juan Carlos University, giving the Course opening speech.

More than one hundred students from different countries attended the Course.


Page 102: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo

The technological fight against the organized fraud 2011 Summer Course

Alberto Partida, Security specialist and author of the book “IT Securiteers. Setting up an IT Security Function”.

Gary Warner, Director of Research in Computer Forensics at the University of Alabama in Birmingham and member of the Anti-Phising Working Group.

José Antonio Mañas, Professor at the School of Tele-communications Engineering. University of Madrid.

Adrian Davis, Principal Research Analyst of the Information Security Forum - ISF.


Page 103: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo

2011 Summer Course The technological fight against the organized fraud

Ángel Trinidad Zaldívar, Commissioner of the Federal Institute of Information Access and Personal Data of Mexico. IFAI.

Artemi Rallo, Professor of Constitutional Law of the University Jaume I of Castellón, ex Director of the Spanish Data Protection Agency.

Francisco Javier Puyol, Director of Corporate Litigious Legal Counseling of BBVA.


Page 104: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo

The technological fight against the organized fraud 2011 Summer Course

Richard Stiennon, Chief Research Analyst of IT Harvest.

Tom Scholtz, VP Distinguished Analyst of Gartner.

Víctor Chapela, Chairman of the Board at Sm4rt Security.


Page 105: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo

2011 Summer Course The technological fight against the organized fraud

Between lectures, the attendees took the opportunity to get in touch and exchange experiences.

The course had its manifestation also in the social networking environments.

(Left to Right) Ángel Trinidad, Santiago Moral, Artemi Rallo and Francisco Javier Puyol, a historic image where privacy and security mingle with law and technology.


Page 106: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo

The technological fight against the organized fraud 2011 Summer Course

Participants in the round table about “New Threats” (Left to Right) Rafael Ortega, Alfonso Martín Palma, David Barroso, Marcos Gómez Hidalgo, Elena Maestre, José de la Peña (moderator), Marta Villén, Tomás Roy, Juan Jesús León, Fernando García Vicent and Juan Salom.

Francisco Javier Puyol, Justo López Parra, Esperanza Marcos (moderator), Carles Solé, Idoia Mateo, Santiago Moral, Guillermo Llorente, Francisco Javier García Carmona, Manuel Carpio and Francisco García Marín.


Page 107: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo

2011 Summer Course The technological fight against the organized fraud

Santiago Moral Rubio, Director of the Summer Course and Director of IT Risk, Fraud and Security of BBVA Group, in two moments of his lecture, where he explained the principles that inspire the Cassandra methodology.


Page 108: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo

The technological fight against the organized fraud 2011 Summer Course

The Summer Course left unforgettable testimonies of social relationships and friendship in the incomparable setting of Aranjuez.


Page 109: The technological fight against organize fraud

Centro de Investigación para la Gestión Tecnológica del Riesgo

2011 Summer Course The technological fight against the organized fraud