CTO FORUM
Technology for Growth and Governance
21 March 2010 | Rs.50 | Volume 05 | Issue 15
A 9.9 Media Publication

SECURITY SPECIAL ISSUE

Cover story: Going, Going... Gone! Personal information, strategic plans, classified documents. How safe is the connected world? Page 18

Also in this issue:
Cybercrime: Unmasking Terror. Page 20
Unsafe Harbour. Page 28
Interview: A Slippery Slope. Page 48


EDITORIAL | RAHUL NEEL MANI | rahul.mani@9dot9.in

Information security, or the art of war. Heavy shelling alone is not enough.

In today's world, the insecurity around information is an obsession, not very different from the need to secure our lives and personal possessions. It is a complex issue: mundane at one end, in terms of physical checks, and rather sophisticated at the other, as it deals with fundamental issues of liberty and privacy. How far are we prepared to go in securing our information power? To answer this question I explored whether there was any similarity between the strategies and methods of guarding information and going to war.

First, there is a role for a battle of wits. How do you outsmart the enemy in the way they think and act? Matters get complicated because in the information security arena, as in war, it is not always easy to either identify or define the enemy. The enemy is often unknown and amorphous. Secondly, in both cases, how well you can determine your risks is a differentiator. How well you protect yourself from those risks determines who wins and who loses. Tactics and heavy shelling per se cannot ensure that you win a war. Similarly, for infosec, the right technology or the right strategy alone is unlikely to deliver the desired outcome. It needs much more. It is worth quoting Bruce Schneier here: "Security is a state of mind." Information security is not about tick-marking boxes on a checklist. You may tick all the right boxes and deploy the best defence and still fail.

We have put together this Security Special for you. It has entailed two months of rigorous planning and coordination, and we hope you see value in the effort. We have invited the most contemporary opinions, conducted interviews and compiled features by senior security practitioners in India and overseas. The outcome is a comprehensive and insightful collection of compelling security issues, challenges and solutions. While there are many people I should thank for making this possible, I would like to single out Anthony M. Freed, Managing Editor, Infosec Island Network, US, who was integral to this issue of CTOF. Our efforts are only as good as you believe them to be. So please write to us and tell us if you enjoyed reading this Special as much as we did conceptualising and writing it. Till we meet again, stay safe and stay secure...

EDITOR'S PICK | Page 48 | A Slippery Slope: In an interview with Guest Editor Anthony M. Freed, Theresa Payton, former CIO of the White House, talks about the new role that government should play in the cyber age.

CTO FORUM | thectoforum.com | 21 March 2010


VOLUME 05 | ISSUE 15 | 21 MARCH 2010 | CONTENTS | THECTOFORUM.COM

Cover design: Jayan K Narayanan ("Information Warzone")

COVER STORY
18 | Security Special. What's more difficult to patch: system vulnerabilities or a faulty approach to managing risk? Our features explore the infosec landscape.

COLUMN
06 | I Believe: How to Treat a Cold. Anthony M. Freed, Managing Editor and Director of Business Development, Infosec Island Network

FEATURES
20 | Cyber Crime: Unmasking Terror. A hacker uses his coding prowess to shoot down militant websites. Presented by Anthony M. Freed
24 | Governance: Line of Control. Seeking a perfect defence position by going through the rule book can be counter-productive. By Andrew Baker

INTERVIEWS
14 | Q & A: Attacks Are Becoming Handcrafted. Enrique Salem, President and CEO, Symantec, discusses the new challenges that CIOs are facing.
48 | A Slippery Slope. Theresa Payton, former CIO of the White House, on the need for a vigorous cyber offensive capability.

REGULARS
03 | Editorial
10 | Enterprise Roundup
52A | Book Review
53 | Hide Time: Arvind G Tawde. A music lover whose golden moment would be meeting Dilip Kumar.

Advertisers' index: Microsoft, EMC, Sharp, ACPL, IBM, RGF, Checkpoint (positions: IFC, 1, 7, 51, IBC, BC). This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

Please recycle this magazine and remove inserts before recycling.

MASTHEAD | www.thectoforum.com
Managing Director: Dr Pramath Raj Sinha; Printer & Publisher: Kanak Ghosh; Publishing Director: Anuradha Das Mathur.
EDITORIAL: Editor: Rahul Neel Mani; Editor (Online): Geetaj Channana; Resident Editor (West & South): Ashwani Mishra; Sr. Assistant Editor: Gyana Ranjan Swain; Assistant Editor: Aditya Kelekar; Consulting Editor: Shubhendu Parth; Principal Correspondent: Vinita Gupta; Correspondent: Sana Khan.
DESIGN: Sr. Creative Director: Jayan K Narayanan; Art Director: Binesh Sreedharan; Associate Art Director: Anil VK; Manager Design: Chander Shekhar; Sr. Visualisers: PC Anoop, Santosh Kushwaha; Sr. Designers: Prasanth TR & Anil T; Chief Photographer: Subhojit Paul; Photographer: Jiten Gandhi.
ADVISORY PANEL: Ajay Kumar Dhir, CIO, JSL Limited; Anil Garg, CIO, Dabur; David Briskman, CIO, Ranbaxy; Mani Mulki, VP-IS, Godrej Industries; Manish Gupta, Director, Enterprise Solutions AMEA, PepsiCo India Foods & Beverages, PepsiCo; Raghu Raman, CEO, National Intelligence Grid, Govt. of India; S R Mallela, Former CTO, AFL; Santrupt Misra, Director, Aditya Birla Group; Sushil Prakash, Country Head, Emerging Technology-Business Innovation Group, Tata TeleServices; Vijay Sethi, VP-IS, Hero Honda; Vishal Salvi, CSO, HDFC Bank; Deepak B Phatak, Subharao M Nilekani Chair Professor and Head, KReSIT, IIT - Bombay; Vijay Mehra, Executive VP, Global Head-Industry Verticals, Patni.
SALES & MARKETING: VP Sales & Marketing: Naveen Chand Singh; National Manager Online Sales: Nitin Walia; National Manager-Events and Special Projects: Mahantesh Godi (09880436623); Product Manager: Rachit Kinger; Asst. Brand Manager: Arpita Ganguli; Co-ordinator-MIS & Scheduling: Aatish Mohite; Bangalore & Chennai: Vinodh K (09740714817); Delhi: Pranav Saran (09312685289); Kolkata: Jayanta Bhattacharya (09331829284); Mumbai: Sachin Mhashilkar (09920348755).
PRODUCTION & LOGISTICS: Sr. GM. Operations: Shivshankar M Hiremath; Production Executive: Vilas Mhatre; Logistics: MP Singh, Mohd. Ansari, Shashi Shekhar Singh.
OFFICE ADDRESS: Nine Dot Nine Interactive Pvt Ltd, C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703, India. Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd, C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703, India. Editor: Anuradha Das Mathur, C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703, India. Printed at Silverpoint Press Pvt. Ltd., D 107, TTC Industrial Area, Nerul, Navi Mumbai 400 706.
COPYRIGHT, all rights reserved: Reproduction in whole or in part without written permission from Nine Dot Nine Interactive Pvt Ltd. is prohibited. Printed at Silverpoint Press Pvt. Ltd., TTC Ind. Area, Plot No. A-403, MIDC Mahape, Navi Mumbai 400709.


I BELIEVE

By Anthony M. Freed | Guest Editor. The author is Managing Editor and Director of Business Development for the Infosec Island Network.

How to Treat a Cold

"We must keep in mind that resiliency consists of three operations: detection, isolation and mitigation for the sake of continuity of operations."

I BELIEVE that the state of global information security efforts is dismal. Cybercrime, fraud, corporate espionage and threats to critical infrastructure are escalating at a record pace, and we can all count on the fact that things are certain to become much worse over this decade.

CURRENT CHALLENGE: Data leakage prevention is one of the biggest concerns for CIOs.

Most often, the conversations surrounding the expansion of information technology are focused on access, censorship and commercial viability. The advent of the Internet is often compared to the development of the national electrical grid or telephone communications systems in the early twentieth century.

Yes, every effort needs to be made to enhance DLP, but the focus of information security, our combat strategy, needs to make a fundamental shift away from the notion that we can really keep the bad guys out. The new paradigm for information security needs to centre around resiliency, which consists of three basic elements: detection, isolation and mitigation for the sake of continuity of operations.

Much can be learned from the evolution of physical security efforts and applied to the cyber realm. DLP is the fence, and is vital for a comprehensive strategy, but fences have long demonstrated their inability to keep out all who would seek to trespass. Throw in some electronic surveillance for the purpose of detection, some automated lock-down mechanisms on all access points to ensure isolation, and a half dozen security guards with nightsticks to rush in and mitigate the situation by pummelling the intruder, and you have the makings of a quality physical security protocol.

Data breaches are like the common cold: we can all be assured of the fact that we will suffer one sooner or later, and with varying degrees of severity. With that fact in mind, would you rather have a medicine cabinet full of products that claim to prevent an infection, or one full of products that ease the impact of an infection by relieving the symptoms so you can get on with your day? I choose the latter.


CTO Forum packs more punch

CTOForum LinkedIn Group: Join more than 200 CIOs on the CTO Forum LinkedIn group for the latest news and hot enterprise technology discussions. Share your thoughts, participate in discussions and win prizes for the most valuable contribution. You can join The CTOForum group at: www.linkedin.com/groups?gid=2580450

Some of the hot discussions on the group are:

"What are those key competencies that a CIO shall look to acquire to become a true global business leader? Understand business, finance and expenses. Never talk technology but just plain language. Do it if possible, otherwise explain and convince users. Cultivate the habit of questioning. Always be proactive and not provocative. Accept new ideas from anyone and evaluate them with your technical knowledge."
—Viswanathan Sundararaman, VP (IT) at Clariant Chemicals (India) Ltd.
Form IV

Statement about ownership and other particulars about newspaper CHIEF TECHNOLOGY OFFICER FORUM, to be published in the first issue every year after the last day of February.

Place of publication: Mumbai
Periodicity of its publication: Fortnightly

Printer's name: Kanak Ghosh
Nationality: Indian
(a) Whether a citizen of India? Yes
(b) If foreigner, the country of origin: Not applicable
Address: KPT House, 41/13, Sector 30, Vashi, Navi Mumbai 400 703

Publisher's name: Kanak Ghosh
Nationality: Indian
(a) Whether a citizen of India? Yes
(b) If foreigner, the country of origin: Not applicable
Address: KPT House, 41/13, Sector 30, Vashi, Navi Mumbai 400 703

Editor's name: Anuradha Das Mathur
Nationality: Indian
(a) Whether a citizen of India? Yes
(b) If foreigner, the country of origin: Not applicable
Address: KPT House, 41/13, Sector 30, Vashi, Navi Mumbai 400 703

Names and addresses of individuals who own the newspaper and partners or shareholders holding more than one per cent of the total capital: NINE DOT NINE INTERACTIVE PVT LTD., KPT House, 41/13, Sector 30, Vashi, Navi Mumbai 400 703; NINE DOT NINE MEDIAWORX PRIVATE LIMITED, K-40, Connaught Circus, New Delhi 110 001

I, Kanak Ghosh, hereby declare that the particulars given above are true to the best of my knowledge and belief.
Date: March 2010
Sd/- Signature of Publisher

CTO Forum and CIOUpdate.com (http://www.cioupdate.com)

In keeping with our goal of providing a platform for sharing the best insights relevant to CTOs and CIOs in India, CTO Forum has tied up with CIOUpdate.com, an internationally renowned site that features strategies, trends and best practices for technology leaders. Through this initiative, we sincerely hope that you will benefit from global perspectives on how to drive more business value from IT. Also, achievers will share their experiences on the challenges they faced. After all, isn't technology supposed to bring our world closer together? Do stay tuned...

WRITE TO US: The CTOForum values your feedback. We want to know what you think about the magazine and how to make it a better read for you. Our endeavour continues to be a work in progress, and your comments will go a long way in making it the preferred publication of the CIO community. Send your comments, compliments, complaints or questions about the magazine to editor@thectoforum.com


ENTERPRISE ROUND-UP

Story inside: Convergence onto security platforms leads IS trends for 2010. Pg 12

If You Can't Hide It, Swallow It! Fraudsters find new ways to destroy evidence.

FLASH DRIVE vendors may want to include another item in the stress-test list for their products: resistance to stomach acids. A man accused of skimming information off ATM cards swallowed a flash drive to destroy one of the chief pieces of evidence on his person. According to the website The Smoking Gun, the "giga-biter", Florin Necula, was in the custody of U.S. Secret Service agents in Brooklyn awaiting questioning after his arrest in Queens, N.Y., on Jan. 21 when he took the USB drive that was on him and swallowed it. Necula and several co-defendants were held in police custody at the Secret Service office in Brooklyn and were to be interrogated for the alleged crimes when the incident occurred. They have been accused of placing card readers over ATM slots to "skim" magnetic-stripe information off cards inserted in those machines. The act of swallowing the drive netted Necula one more charge: obstruction of justice. That's in addition to the three other felonies he's charged with. The jury is still out on what effect the stomach can have on the Kingston-brand thumb drive that Necula swallowed. "As you might imagine, we have no actual experience with someone swallowing a USB," Kingston executive Mike Sager said to The Smoking Gun.

Photo imaging: Santosh Kushwaha

DATA BRIEFING: Statistics of defaced Indian websites for the year 2009, by domain. Source: www.cert-in.org.in

Domain | No. of defacements
.com | 3089
.in | 2446
.org | 238
.net | 166
others | 84


ENTERPRISE ROUND-UP

THEY SAID IT: BRUCE SCHNEIER
One of the world's greatest security experts and part-time restaurant critic, Bruce Schneier, Founder and CTO, BT Counterpane, is well known as the developer of the Blowfish and Twofish encryption algorithms. He has also authored books that examine security and society. Bruce is a prolific speaker and avid blogger.

"Forget cybercrime! Crime is crime. It's the same stuff that criminals have been after for thousands of thousands of years: mostly money." — Bruce Schneier, Founder and CTO, BT Counterpane

Sniffing Out Criminals. New nose-scanning techniques will do the trick.

WITH WORRIES about illegal immigration and identity theft, authorities are increasingly looking to use an individual's physical characteristics, known as biometrics, to confirm their identity. Unlike other facial features used for biometrics, such as eyes or ears, noses are difficult to conceal and also aren't changed much by facial expression. Dr Adrian Evans and Adrian Moorhouse, from the University of Bath's Department of Electronic & Electrical Engineering, decided to investigate whether images of people's noses could be used to recognise individuals. They used a photographic system called PhotoFace, developed by researchers at the University of the West of England (Bristol) and Imperial College London, to scan the 3D shape of volunteers' noses, and used computer software to analyse them according to the six main nose shapes: Roman, Greek, Nubian, Hawk, Snub and Turn-up. Instead of using the whole shape of the nose, the researchers used three characteristics in their analysis: the ridge profile, the nose tip, and the nasion, the section between the eyes at the top of the nose. They combined the curvature of the ridge with the ratios of the tip and nasion widths and ridge length. This combined ratio was then used to distinguish between a database of 36 people. Source: http://www.bath.ac.uk/news

QUICK BYTE ON SPAM SURGES
In its 2009 Annual Security Report, the networking gurus at Cisco predict that worldwide spam volumes will increase by 30 to 40 percent over 2009 levels. In 2009, there were nearly 400,000 active bots engaged in malicious activity on any given day, with several million active over the course of any month.


Photo imaging: Photos.com

ENTERPRISE ROUND-UP

Six Trends That Will Further Reshape Information Security in 2010. Convergence leads the rest.

FOOD for thought to kick off 2010. The convergence of these trends (listed, in my opinion, in order of impact) will radically reshape the future of information security, both the vendor landscape and how we architect and manage information security internally:

1. Convergence onto Security Platforms: The movement of related security controls into "security platforms" capable of being adapted to new types of threats. We see convergence taking place in multiple areas in information security: at the endpoint, at the email security gateway, at the web security gateway, at the next-generation firewall and, for small to mid-sized organisations, the multifunction firewall.

2. Virtualisation: This is a topic I research extensively. Beyond just deploying virtualisation securely, the virtualisation of security controls (like firewalls and intrusion prevention systems) will alter the information security landscape. Beyond this, virtualisation offers a new platform to enforce security controls in new ways, such as introspection techniques for rootkit detection.

3. Cloudification: The enforcement of our enterprise security policy via security controls and infrastructure that we don't own. This isn't necessarily new, but the other trends listed and enterprise adoption of cloud-based applications are forcing this. Cisco's recent acquisition of ScanSafe or Barracuda's acquisition of Purewire to extend their on-premises capabilities are timely examples. Other examples include the use of cloud-based web application firewalling or cloud-based filtering of web and email traffic.

4. Externalisation: The tearing down of walls between businesses and the opening up of our information, processes and systems to outside parties, whether these are contractors, outsourcers, partners or customers. Nearly every enterprise I speak with is being asked to enable and foster secure collaboration with external entities. The massive uptake I see from clients using SharePoint in extranet scenarios is a testament to this.

5. Consumerisation: The use of consumer-oriented technology (systems and software) for business uses. Examples include the connection of iPhones to enterprise systems, remote access via personal machines and employee demands for access to Facebook, LinkedIn and other consumer-oriented sites in a business context. Combined with #4, this implies a large number of systems that we don't own and don't manage connecting to our systems and networks.

6. Operationalisation: As threats become well understood and the technologies we use to protect our infrastructure become more mature, these can be turned over to IT operations. Examples include endpoint antivirus being managed by desktop operations, antispam and email security gateways being managed by the email ops team, firewalls being managed by network ops, and so on. This is the only way we'll free up enough of our limited information security resources to tackle the new and emerging threats that relentlessly continue.

— Source: http://blogs.gartner.com/neil_macdonald

GLOBAL TRACKER
The Internet Crime Complaint Centre (IC3), a partnership between the FBI and the National White Collar Crime Centre (NW3C), released the 2009 Annual Report about fraudulent activity on the Internet. Source: www.ic3.gov/media

Year | Complaints received | Loss (in US$ million)
2006 | 207,492 | 198.44
2007 | 206,884 | 239.09
2008 | 275,284 | 265
2009 | 336,655 | 559.7


ENTERPRISE ROUND-UP

Wiseguys Botnet First in Line for Concert, Sports Tickets. The botnet opened thousands of connections as soon as the tickets went on sale.

WE FREQUENTLY read stories about spammers who can circumvent CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) checks. Using bot-infected machines, they can create a vast number of random e-mail accounts for spamming purposes. Recently, a US federal judge in Newark, New Jersey, revealed the latest use of a botnet-like network with a CAPTCHA breaker. In this case, the computers overseen by the defendants were used to buy seats for high-profile concerts and sports events from ticket sellers' websites. The defendants later allegedly resold the tickets on the Internet at much higher prices.

According to the indictment, the distributed software was developed by programmer accomplices in Bulgaria. The application defeated security measures designed to limit individual ticket purchases and snatched up the best seats. Unlike usual botnets, this one was set up on dedicated computers designed solely for this purpose. The botnet purchased more than 1.5 million premium tickets to events from late 2002 to about January 2009, making a profit estimated at $28.9 million. The employees, contractors and defendants behind this rip-off are known as the "Wiseguys", after the name of the Nevada corporation they created (Wiseguy Tickets, Inc.). The Wiseguys botnet was a nationwide network of computers used to purchase thousands of tickets within minutes. The botnet:

- Monitored the online ticket vendors' websites for the exact moment that tickets to popular events went on sale.
- Opened thousands of connections at the instant that tickets went on sale.
- Defeated the CAPTCHA challenge in a fraction of a second (a human needs five to ten seconds), speeding ahead of legitimate buyers.
- Supervised by Wiseguys employees, prepared lists of hundreds of the best tickets.
- Filled in all the fields necessary to complete the purchases, including credit card information and false e-mail addresses.

The indictment explains how the Wiseguys took advantage of many popular events, such as the BCS college football championship game, the Barbra Streisand concert in Chicago, Hannah Montana concerts in New Jersey and the 2008 Bruce Springsteen tour. For this last event, the botnet was able to purchase approximately 11,800 tickets. This affair is a perfect example of a targeted attack (here against the online ticket vendors) using malware that is not widespread. It demonstrates how important it is for administrators to keep watch over their networks and watch for even the slightest anomalies. Source: www.mcafee.com
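Two of the tells in the indictment are measurable in a ticket vendor's own web logs: a CAPTCHA completed in well under a second (the article puts a human at five to ten seconds) and a burst of purchases from one client the instant a sale opens. The following Python is an added example, not code from the article, from McAfee or from any ticket vendor. The log format, the client addresses, the 2-second CAPTCHA floor and the 3-purchases-in-5-seconds burst rule are all assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Flag bot-like ticket purchases in a web-shop log (added example).

Two anomaly checks drawn from the Wiseguys story:
  1. a CAPTCHA solved faster than any human plausibly could, and
  2. a burst of purchases from one client within a short window.
Log format, thresholds and addresses are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, client IP, event, seconds spent on the
# CAPTCHA page before submission. 203.0.113.x behave like bots; 198.51.100.22 is
# a human buying two tickets over a minute.
SAMPLE_LOG = """\
2008-05-12T10:00:00.120 203.0.113.7 purchase captcha=0.31
2008-05-12T10:00:00.260 203.0.113.7 purchase captcha=0.28
2008-05-12T10:00:00.410 203.0.113.7 purchase captcha=0.30
2008-05-12T10:00:00.550 203.0.113.7 purchase captcha=0.27
2008-05-12T10:00:08.900 198.51.100.22 purchase captcha=7.4
2008-05-12T10:01:15.300 198.51.100.22 purchase captcha=6.9
2008-05-12T10:00:01.010 203.0.113.8 purchase captcha=0.25
2008-05-12T10:00:01.140 203.0.113.8 purchase captcha=0.29
"""

# Assumed thresholds: humans need roughly 5-10 s for a CAPTCHA (per the article),
# so anything under 2 s is treated as automated; 3+ purchases inside 5 s is a burst.
MIN_HUMAN_CAPTCHA_SECONDS = 2.0
BURST_WINDOW = timedelta(seconds=5)
BURST_THRESHOLD = 3


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, captcha = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "event": event,
            "captcha": float(captcha.split("=", 1)[1]),
        })
    return events


def fast_captcha_clients(events, limit=MIN_HUMAN_CAPTCHA_SECONDS):
    """Clients with at least one CAPTCHA solved in under `limit` seconds."""
    return sorted({e["ip"] for e in events if e["captcha"] < limit})


def burst_clients(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Clients with `threshold` or more purchases inside any span of `window`.

    Sliding window over each client's sorted purchase times: advance `start`
    until the span fits inside `window`, then check how many events it holds.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "purchase":
            by_ip[e["ip"]].append(e["ts"])
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def suspicious_clients(text):
    """Run both checks over a raw log and return the flagged clients per check."""
    events = parse_log(text)
    return {
        "fast_captcha": fast_captcha_clients(events),
        "burst": burst_clients(events),
    }


if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

On the constructed log both bot addresses trip the CAPTCHA-timing check, but only 203.0.113.7 trips the default burst rule; lowering the burst threshold to 2 also catches 203.0.113.8, while the human buyer stays clear of both. In practice the two signals are best combined with per-card and per-account counts, since a real bot farm spreads purchases across many addresses.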


Q & A | ENRIQUE SALEM

ENRIQUE SALEM | SYMANTEC

Attacks are becoming

INCREDIBLY handcrafted

Enrique Salem, President and CEO, Symantec, in a conversation with Vinita Gupta, discusses the new challenges that CIOs are facing and Symantec's roadmap for the years ahead.

What are the challenges CIOs face today and how can Symantec help them? CIOs are facing enormous challenges, both internally and externally. Internally they are focused on reducing costs, minimising risks and achieving near and long-term ROI, while externally, they are confronted by an increasing number of threats. Malicious activity is growing at a record pace; at the same time, data breaches are becoming more prevalent and costly. The amount of data customers must deal with is growing exponentially year on year. Enterprises must have the appropriate security posture to ensure controls. This should include policies that sensitive information cannot be

14

CTO FORUM 21 MARCH 2010

thectoforum.com

copied on to personal storage devices and emails. Symantec provides customers with the appropriate tools that help protect data irrespective of where it resides. Another trend that is impacting businesses is the consumerisation of IT. Increasingly, employees are bringing in their own devices such as laptops and mobile devices and they want to connect them to corporate networks. This could put sensitive information under tremendous risk. Further as software-as-a-service (SaaS) continues to grow in popularity, customers' most sensitive data, more often than not, will be found in the “cloud” – stored outside their network.

Symantec created more than 1.6 million new malicious code signatures in 2008. That is more than what we have created in the last 17 years combined. Currently, we block an average of more than 250 million attempted malicious code attacks across the world every month and we scan 30 percent of global email traffic.

SIZE MATTERS: Enrique Salem, President and CEO, Symantec, says that they scan 30 percent of global email traffic

There are many security solutions available in the market but security is still a major concern for CIOs. Comment.

Yes, things have changed a lot. When I started my career in the security business, kids wanted to show off and it was a matter of pride. Now, the shift is towards monetary gains. Clearly, there is a shift from mass attacks to attacks targeting devices. In the recent past, attackers have been targeting specific enterprises, and, what's more, attacks are becoming incredibly handcrafted. It is about breaking into an enterprise network in search of sensitive information. But there's another aspect to this: the malicious insider, who has access to sensitive information and takes undue advantage of the privilege. We realised that since the attacks were getting targeted, we can't just keep writing signatures. We created what we call reputation-based security. We believe that by supplementing the classic approaches with reputation-based security techniques, where every application is assigned a reputation value, we can significantly strengthen security.

Symantec has said that within five years it is going to have 15 percent of its revenue coming from SaaS offerings. How?

SaaS has the potential to be a game-changing transition in the IT world, and Symantec is well positioned to expand its position in the market space. Symantec Hosted Services now covers more than nine million end users from 21,000 organizations spanning 100 countries. Symantec is currently the largest infrastructure SaaS provider and we manage 41 petabytes of cloud-based back-up. We are also adding 100,000 consumers a month. We'll continue to look for innovative ways that provide our customers choice and flexibility in how they purchase and use our products and services. Also we will continue to invest in SaaS offerings across the product portfolio, leveraging Symantec technology in data loss prevention, compliance, endpoint security and archiving.

Why is Symantec concentrating more on storage virtualization and de-duplication?

We are moving de-duplication closer to information sources by integrating the technology into information management platforms. Recently we announced new versions of our flagship backup and recovery solutions, NetBackup 7 and Backup Exec 2010. We'll also look at ways to help our customers build scalable, high-performance file-based storage systems for their enterprise, including private and public clouds using our FileStore technology.


What is your vision as a CEO for Symantec?

I have been a CEO for a year now and what I would like to see is Symantec grow and continue to be the leader in information management, not just in market share but also in thought. To me, Symantec should constantly innovate to stay ahead of customers' requirements in information management. We need to continue to enhance today's solutions so that we can meet current customer demands, while at the same time focus on developing new solutions and services to meet future customer needs. Innovation is one of our core values and we strive to build a culture of innovation within Symantec. We believe our internal R&D efforts, coupled with newly acquired technologies, will help to strengthen our businesses and improve our competitive positioning.


INFORMATION WARZONE

What's more difficult to patch: system vulnerabilities or a faulty approach to managing risk? Our features explore the infosec landscape.

ILLUSTRATION BY BINESH SREEDHARAN

AN ANTI-TERRORIST hacker refuses to come out in the open and talk about his methods. Why? The problem is that his tools, well understood only by a few, can bring down the sites of the world's top financial institutions as well. Then again, counter-terrorism operations want him out of their way (see interview Unmasking Terror, pg 20). Should government and the private sector collaborate to ward off a common enemy? Yes, says the former CIO of the White House. If that question is easily answered, the next one hardly is: what constitutes a national border in the cyber age? (see interview Slippery Slope, pg 48). The choices that CIOs/CISOs have to make every day may not be directly connected with cyberterrorists or the ethical (really?) hacker, but in the muddled waters of information security nothing is straightforward. In some articles, we have carried viewpoints from experts on tough questions; in others, experienced professionals have talked about their approach. But it's up to us to find the pattern and create a credible defence.


CYBER CRIME

UNMASKING TERROR

A hacker uses his coding prowess to shoot down militant sites. The authorities don't like his meddling. Fact is, his methods are dangerous. Presented by Anthony M. Freed

ILLUSTRATION BY BINESH SREEDHARAN

RECENTLY, we have witnessed the emergence of the international hacktivist "The Jester" through his crusade against militant Islamic networks. The Jester's activities raise many important questions: technical questions about the nature of his methodology and potential mitigation of the exploited vulnerabilities; the role of sovereign and international laws regarding cyber crime; the use of communications technology in terrorist and counter-terrorist operations; and ethical issues regarding where cyber vigilantes fall on the ethics spectrum. In this interview with network security consultant Michael Menefee of WireHead Security, The Jester talks about the methods he employs and why he does what he does. In Menefee's analysis of the DoS (denial of service) attack, more than half of all the websites in the world run Apache, which means that the exploit The Jester employs potentially poses a very serious problem should it ever be utilised by nefarious elements. Menefee began a series of IM chats with The Jester in an effort to uncover more about his methods and motivations. The following are several installments of Menefee's conversations with The Jester:

Who are you targeting with your DoS attacks and why?

Targets are rife, but I vet every single one. I am tipped off via various channels. But I verify all targets.

What constitutes a target?

I 'target' known sites that recruit and co-ordinate attacks. They can't use cell phones anymore – they use the web – it's the anonymous playground.

Why take them down and up, why not just knock them out?

Their operations are very time sensitive. My task is to make their chosen communication method unreliable. By taking them down at random intervals, for random intervals, they can't rely on them – they become unreliable and useless.

Critics say you do more harm than good – your reply?

Some critics have said that I will only drive them underground. Well, is that not the best way to strike at them when we know that they are looking at recruiting people? If you take the position that online militant propaganda, proselytization and interaction is increasingly important in their recruitment, then is it bad to drive them back into the shadows online? That's a key principle of COIN. Underground they can't reach the masses; therefore they are less effective at recruiting. An underground recruiter is less dangerous than an overground one.

You are all over Twitter – what about a militant group's right to free speech?

Well, the internet is all about freedom of speech, which is a concept I support. Freedom of speech is one thing, but when bad dudes use our internet, on servers hosted in our country, or continent – because they have no infrastructure of their own to do it – that's a different matter. As for their freedom of speech, if that's all they want, then please speak freely. Just make sure there is no recruiting or co-ordination going on. Now do you see my point?

Tell us about your first target – how did you decide?

The first target was selected after I read an article that talked about how militants are using the web more and more for recruiting and coordinating homegrown terror cells. I decided to develop a method of hitting them down, not permanently, but enough to make things unreliable. It's the unreliability and disruption that hits the co-ordination hardest.

Did you plan on doing more, or did the attacks just evolve one by one?

I didn't really plan on doing more. But I tweeted it and then received, well, requests – people asking me to hit specific Al-Qaeda and other militant sites. So I would take a look, and if the site displayed signs of recruitment or co-ordination I would hit them. It has grown from there, and allowed me to refine the method to make it more effective.


Do you plan on recruiting more hackers to your cause?

Well, I did have ideas about an anonymous network of volunteers, nobody knowing the identity of any other member, but that would mean I have to release this technology and method to unknowns. How can I be sure I am not handing the bad guys a big gun to shoot us with? I am only hitting the bad guys; imagine if the tools were used against, say, eight of the world's major financial institutions. A single person on a single machine could easily take down eight sites simultaneously. So I have no plans to involve others at this time.

How long will you go on?

As long as my nerves hold out. It's a serious situation I find myself in: the bad guys want to slice my head off on YouTube with a rusty blade, and the good guys want to lock me up in an orange jumpsuit, along with the bad guys.

Do you have anything big planned soon?

I am currently working on cleaning things up; the method I am using involves much shell-hopping, and so I am creating a shiny new GUI version. Here's an exclusive – the final software solution will be known as Project 'XerXeS', as in the guy that took on the Spartans.

What's your biggest accomplishment in your opinion?

I suppose it's always nice when an ISP hosting one of these militant sites takes a site down, due to pressure from its own customers. This is what I do – create pressure. You can ask an ISP nicely to perform a takedown, but mostly they don't; that's where I seem to fit in.

How did you first develop your DoS technique?

It started with a little script I wrote a while back to harden-test servers. I modified this script, and it was just a nasty script, very cumbersome. When (much later) I realized the extent of the militant online recruiting and co-ordination involvement, I realized I could turn this script into a weapon. But the problem with that was it took me constantly shell hopping and wasn't very user friendly. Now I have started on project XerXeS, an intelligent frontend with the ability to hit multiple targets autonomously.

What about collateral damage to third party systems?

Many people worry about the nodes between me and the target. This technique affects nobody but the intended target. All intermediaries remain unaffected.

And XerXeS is being automated to take down multiple targets at random intervals?

Oh yes! This is how I will render their websites undependable for coordinating terrorist activities. I am building a nice simple GUI and adding elements of AI that can auto-detect if the target 'wakes up' during a strike and counter that autonomously. I am also adding the ability for the software to halt the attack after a specified time period.

Will automation increase the frequency of your attacks?

Yes. The frequency of my attacks is currently limited to the time I have to spend on this project. XerXeS will make the attacks less of a shell-hopping exercise, and more of a fire and forget exercise.

What role will you play in helping the good guys prepare and defend against something like XerXeS?

I can guarantee that no bad guy has XerXeS in his arsenal yet, and no bad guy will ever get it from me. I have not been approached directly by the authorities, but if that happens I would be glad to help out. Preferably, they should approach me with a signed document which provides me immunity from prosecution. I am not going to just throw myself to the wolves.

What are the implications if something like XerXeS was combined with a large zombie network, and coordinated against critical U.S. infrastructure, like our communications, power grids, or financial systems?

XerXeS requires no zombie network or botnet to be effective. Once a single attacking machine running XerXeS has smacked down a box, it's down; there is no need for thousands of machines. But XerXeS does not hurt intermediary nodes along its path to the target. So the answer is that such institutions' systems would still be intact, as it causes no collateral damage, just not functional.

So something like XerXeS in the wrong hands could be a serious threat?

Even if someone were stupid enough to hit critical targets like those, they couldn't keep it up forever, and the nature of XerXeS ensures no data or systems would be physically harmed. Someone would have to be really dumb to hit those kinds of targets.

Do you want to add anything else?

I want the emphasis to be on the reason for this project. I don't mind talking about XerXeS but I need the true message to get out. If it wasn't me and XerXeS, I am sure there would be others like me. I am sure there will be a few readers who are interested in the 'how', but the issue really is the 'why'. Project XerXeS is an ongoing project that is a means to an end. The end goal is to disrupt the online communications, recruitment and co-ordination efforts of international and homegrown terrorists.

Can you talk more about the Apache vulnerability exploit?

The Apache vulnerability you speak of is only the tip of the iceberg; XerXeS is also evolving to hit IIS – pretty easy, by the way – a simple modification on the Apache vector is all it will take. Still in the experimental stages, but it works. It's the backend databases that are really interesting; they hold much of the content that the HTTP server pushes out, so if you knock the database over, it has the same effect as taking out the HTTP server. The aim is to create a single cohesive suite that will knock out with precision and no side effects anything it comes up against, for any specified period. Another vector I am working to build on is the ability to auto-inject code into a site's landing page that causes the viewer's browser to crash.

How easily can we defend our systems from such attacks?

Web delivery servers could theoretically defend temporarily, but then XerXeS adapts too, in effect modifying the fine tunable aspects of the strike, just like cutting a new key to fit a lock.

Is it likely another hacker with less noble intentions may soon replicate your technique?

Yes, that could happen. The technology for this type of activity has existed for years; it's just the particular way I happen to put it all together. I have combined various methods and technologies into a single deadly weapon – that is where the real difference lies. I would be a fool to think I am the only one developing this type of gadget. I am just the only one who tweets about it!

One of our members at the Infosec Island Network posed the question on a forum: Jester, whom do you serve?

I am quite clear on this. I 'serve' all the people who support my methods and want to make things difficult for the bad guys. At this time I am not officially funded, supported or otherwise sponsored in any way. I operate and develop this alone, and hope it is making a dent in the terrorists' efforts. I know there are some that consider all this morally, socially and ethically wrong, not to mention unlawful – but there is an unequal amount of good and bad in most things; the trick is to work out the ratio and act accordingly.

Many critics of your tactics make the argument that you may be interfering with Western intelligence operations. Your retort?

The intelligence gathering argument is really starting to wear thin. I know the value of good intelligence, but it must be actionable. There is very limited actionable intelligence to be gleaned from most of these sites. They serve only two purposes: to recruit homegrown terrorists (by invitation, no less), and to waste our security services teams' time trying to honey-trap them. Why should we allow a site that actively recruits homegrown terrorists to operate, merely so it can be 'monitored' just in case we get some intelligence? And it's not like these servers are hosted on the moon! Most are hosted in the US and Europe. Why can't counter-terrorism agencies just go after the hosting provider for this 'valuable intelligence'? By knocking out the militant sites for random short periods, it causes them to be unable to rely on the site for recruitment or co-ordination. This in turn will have the effect of drawing them out into the open to do the recruiting, and the counter-terrorism agencies can do what they are best at, which is intercepting and apprehending suspects.

Anthony M. Freed is Managing Editor and Director of Business Development for the Infosec Island Network. Anthony is also the Guest Editor for this special issue of CTO Forum



GOVERNANCE

LINE OF CONTROL

Seeking a perfect defence position by going through the rule-book can be counter-productive. Thinking tangentially will help. By Danny Lieberman

"I HAVE HEARD of military operations that were clumsy but swift, but I have never seen one that was skilful and lasted a long time." Master Sun (Chapter 2 – Doing Battle, The Art of War)

The GRC (governance, risk and compliance) market is driven by three factors: government regulation such as Sarbanes-Oxley, industry compliance such as PCI DSS 1.2, and growing numbers of data security breaches and Internet usage violations in the workplace. $14 billion a year is spent in the US alone on corporate-governance-related IT measures. It's a space that's hard to ignore. Are large, internally-focused GRC systems the solution for improving risk and compliance? Or should we go outside the organisation to look for risks we've never thought about and discover new links and interdependencies? This article introduces a practical approach that will help the CISOs/CSOs in any sized business unit successfully improve compliance and reduce information value at risk. We call this approach 'GRC 2.0' and base it on three principles:

1. Adopt a standard language of GRC
2. Learn to speak the language fluently
3. Go green – recycle your risk and compliance-

GRC 1.0

GRC was first coined by Michael Rasmussen. GRC products like Oracle GRC Suite and Sword Achiever cost in the high six figures and enable large enterprises to automate the workflow and documentation management associated with costly and complex GRC activities.

GRC – an opportunity to improve business process

GRC regulation comes in three flavours: government legislation, industry regulation and vendor-neutral security standards. Government legislation such as SOX, GLBA, HIPAA and EU privacy laws was enacted to protect the consumer by requiring better governance and a top-down risk analysis process. PCI DSS 1.2, a prominent example of industry regulation, was written to protect the card associations by requiring merchants and processors to use a set of security controls for credit cards. The vendor-neutral standard ISO 27001 helps protect information assets using a comprehensive set of people, process and technical controls with an audit focus. The COSO view is that GRC is an opportunity to improve the operation:

"If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed… the same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency."

GRC 2.0

The COSO position makes sense, but in practice it's difficult to attain process improvement through enterprise GRC management. Unlike ERP, GRC lacks generally accepted principles and metrics. Where finance managers routinely use VaR (value at risk) calculations, information security managers are uncomfortable with assessing risk in financial measures. This creates silos – IT governance for the IT staff and consultants, and a fraud committee for the finance staff and auditors. GRC 1.0 assumes a fixed structure of systems and controls. The problem is that, in reducing the organisation to passive executors of defence rules in their procedures and firewalls, we ignore the extreme ways in which attack patterns change over time. Any control policy that is presumed optimal today is likely to be obsolete tomorrow. Learning about changes must be at the heart of day-to-day GRC management.

A fixed control model of GRC is flawed because it disregards a key feature of security and fraud attacks – namely that both attackers and defenders have imperfect knowledge in making their decisions. Recognising that our knowledge is imperfect is the key to solving this problem. The goal of the CSO/CISO should be to develop a more insightful approach to GRC management. The first step to making that happen is to get everyone to speak the same language.

The threat analysis base class

We formalise this language using a threat analysis base class which (like any other class) has attributes and methods. Attributes have two sub-types – threat entities and people entities.

Threat entities

Assets have value, fixed or variable, in dollars, euros, rupees etc. Examples of assets are employees and the intellectual property contained in an office.

Vulnerabilities are weaknesses or a lacking in the business. For example – a wood office building with a weak foundation built in an earthquake zone.

Threats exploit vulnerabilities to cause damage to assets. For example – an earthquake is a threat to the employees and to the intellectual property stored on servers in the building.

Countermeasures have a cost, fixed or variable, and mitigate the vulnerability. For instance, relocating the building and using a private cloud service to store the IP.

People entities

Business decision makers encounter vulnerabilities and threats that damage company assets in their business unit. In a process of continuous interaction and discovery, risk is part of the cost of doing business.

Attackers create threats and exploit vulnerabilities to damage the business unit. Some do it for the notoriety, some for the money and some for the sales channel.

Consultants assess risk and recommend countermeasures. It's all about the billable hours.

Vendors provide security countermeasures. The effectiveness of vendor technologies is poorly understood and often masked with marketing rhetoric and pseudo-science.

Methods

The threat analysis base class prescribes four methods:

Set Threat Probability – estimated annual rate of occurrence of the threat
Set Threat Damage To Asset – estimated damage to asset value in percentage terms
Set Counter Measure Effectiveness – estimated effectiveness of the countermeasure in terms of a percentage
Get Value At Risk

Fluency in the language

A language with eight words is not hard to learn; it is easily accepted by the CFO, CIO and CISO since these are familiar business terms. The application of our eight-word language is also straightforward. Instances of the threat analysis base class are "threat models", and they can be used in the entire gamut of GRC activities: Sarbanes-Oxley, which requires a top-down risk analysis of controls; ISO 27001, where controls are countermeasures that map nicely to vulnerabilities and threats (you bring the assets); and PCI DSS 1.2, where the PAN is an asset, the threats are criminals who collude with employees to steal cards, and the countermeasures are specified by the standard. You can document the threat models in your GRC system (if you have one and it supports the eight attributes). If you don't have a GRC system, there is an excellent free piece of software for threat modeling available at www.ptatechnologies.com

Go green – recycle your threat models

Leading up to the Al Qaida attack on the US on 9/11, the FBI investigated and the CIA analysed, but no one bothered to discuss the impact of Saudis learning to fly but not land airplanes. This sort of GRC disconnect between silos in organisations is easily resolved by the common, politically neutral language of the threat analysis base class.

Summary

Effective GRC management requires neither better mathematical models nor complex enterprise software. It does require us to explore new threat models and go outside the organisation to look for risks we've never thought about and discover new links and interdependencies that may threaten our business. If you follow the Tao of GRC 2.0, it will be more than a fulfillment exercise.
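The eight-word language and its four methods are easier to sell to a CFO when they are something that can be run. The following is an added example, written for this page and not code from the article or from PTA Technologies: it encodes the threat analysis base class as Python classes, with the four methods above, and applies it to the PCI DSS threat model sketched in the Fluency section. Two things are assumptions rather than anything the article states: the value-at-risk formula (annual rate of occurrence times damage fraction times asset value, reduced by the residual exposure the countermeasures leave, with independent countermeasures multiplying), and every figure in the PCI example, which is constructed for illustration.

```python
"""Added example: the threat analysis base class as runnable code.

The value at risk formula and the PCI DSS figures are assumptions made for
this illustration, not statements from the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Asset:
    name: str
    value: float                 # asset value in one currency unit


@dataclass
class Countermeasure:
    name: str
    cost: float                  # annual cost, same currency as the asset
    effectiveness: float = 0.0   # fraction of threat damage it removes, 0..1

    def set_countermeasure_effectiveness(self, pct: float) -> None:
        if not 0.0 <= pct <= 1.0:
            raise ValueError("effectiveness must be a fraction in [0, 1]")
        self.effectiveness = pct


@dataclass
class Threat:
    name: str
    asset: Asset
    vulnerability: str           # the weakness this threat exploits
    probability: float = 0.0     # annual rate of occurrence (ARO)
    damage: float = 0.0          # fraction of asset value lost per occurrence
    countermeasures: List[Countermeasure] = field(default_factory=list)

    def set_threat_probability(self, aro: float) -> None:
        if aro < 0.0:
            raise ValueError("annual rate of occurrence cannot be negative")
        self.probability = aro

    def set_threat_damage_to_asset(self, pct: float) -> None:
        if not 0.0 <= pct <= 1.0:
            raise ValueError("damage must be a fraction in [0, 1]")
        self.damage = pct

    def get_value_at_risk(self, mitigated: bool = True) -> float:
        # Assumed formula: annualised loss = ARO x damage fraction x asset value,
        # scaled by the exposure the countermeasures leave behind. Countermeasures
        # are treated as independent, so residual exposure is the product of
        # (1 - effectiveness): a 90% and a 50% control together leave 5%.
        residual = 1.0
        if mitigated:
            for cm in self.countermeasures:
                residual *= 1.0 - cm.effectiveness
        return self.probability * self.damage * self.asset.value * residual


@dataclass
class ThreatModel:
    """An instance of the base class: one threat model, e.g. a PCI DSS scope."""
    name: str
    threats: List[Threat] = field(default_factory=list)

    def get_value_at_risk(self, mitigated: bool = True) -> float:
        return sum(t.get_value_at_risk(mitigated) for t in self.threats)

    def countermeasure_payback(self) -> Dict[str, float]:
        """Annual risk reduction minus annual cost per countermeasure, each control
        judged on its own against the unmitigated exposure, so the CISO and the
        CFO argue in the same currency."""
        reduction: Dict[str, float] = {}
        cost: Dict[str, float] = {}
        for t in self.threats:
            unmitigated = t.get_value_at_risk(mitigated=False)
            for cm in t.countermeasures:
                reduction[cm.name] = reduction.get(cm.name, 0.0) + unmitigated * cm.effectiveness
                cost[cm.name] = cm.cost          # charged once, not once per threat
        return {name: reduction[name] - cost[name] for name in reduction}


def pci_dss_example() -> ThreatModel:
    """Constructed PCI DSS threat model with illustrative figures: the PAN store is
    the asset, insiders colluding with card thieves are the threat, and the
    countermeasures are of the kind the standard prescribes."""
    pan_store = Asset("cardholder database (PAN)", 2_000_000.0)
    insider = Threat("insider colludes with card thieves", pan_store,
                     "DBAs can read the PAN in the clear")
    insider.set_threat_probability(0.2)        # one incident every five years
    insider.set_threat_damage_to_asset(0.5)    # half the asset value lost
    tokenisation = Countermeasure("tokenise PAN at capture", cost=60_000.0)
    tokenisation.set_countermeasure_effectiveness(0.9)
    monitoring = Countermeasure("database activity monitoring", cost=25_000.0)
    monitoring.set_countermeasure_effectiveness(0.5)
    insider.countermeasures.extend([tokenisation, monitoring])
    return ThreatModel("PCI DSS 1.2 scope", [insider])


if __name__ == "__main__":
    model = pci_dss_example()
    print(f"unmitigated value at risk: {model.get_value_at_risk(mitigated=False):,.0f}")
    print(f"mitigated value at risk:   {model.get_value_at_risk():,.0f}")
    for name, payback in model.countermeasure_payback().items():
        print(f"{name}: annual payback {payback:,.0f}")
```

With the constructed figures the PAN store carries 200,000 a year of unmitigated value at risk, 10,000 once both controls are in place, and each control pays for itself (tokenisation by 120,000 a year, monitoring by 75,000). The point of the exercise is the conversation it enables: the same four numbers feed a Sarbanes-Oxley control assessment, an ISO 27001 risk treatment plan and a PCI DSS gap analysis, and a vendor's claimed effectiveness becomes a single input that the business can dispute.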

Danny Lieberman is a serial technology innovator and leader – implementing ideas from brain to business. Danny has a graduate degree in solid state physics and has spent most of his adult life developing software. Since 2003, Danny has been doing data security consulting and data protection/ information assurance projects using data loss prevention/extrusion prevention technology.


SUNIL DHAKA | OPINION

THE ENEMY INSIDE

"Risk assessment, an inventory of 'what needs to be protected', is the place to start." – Sunil Dhaka, CISO, ICICI Bank

WITH THE progress of the information revolution, computer systems have grown both in complexity and expanse. The growth has amplified the importance of protecting information assets by setting up an array of controls. One of the most important parts of the entire information ecosystem is the users. As they say, a chain is only as strong as its weakest link, and the information users often constitute the weakest link. In most organisations, a majority of the security controls deployed focus on external threats. However, various global surveys over a time span of more than two decades show that internal threats account for around 70-80% of the total threats. The 'insider' user group can be bucketed under three broad categories, namely business users, technology users, and contractors and partners. It is important to note that the 'insider', being a part of the system, has far greater access than a remote user and hence poses a greater threat. Regardless of the user group, common motivations that fuel security incidents include dissatisfaction and greed. Business users have knowledge of the business processes that wind around the technology systems, and this includes process gaps as well. Technology users have physical proximity and administrative access to the systems. Contractors and partners are external entities that reside virtually inside the system by means of both process knowledge and system access, depending upon the type of activity contracted.

Deming's PDCA (Plan, Do, Check and Act) model, coupled with a risk-based approach for mitigating the identified concern areas, is a popular way of managing the insider threat. Adopting an Information Security Management System based on the ISO 27001 standard would ensure a structured and holistic implementation.

Risk assessment: Risk assessment, an inventory of 'what needs to be protected', is the place to start. We need to understand the various business and technology information handling and processing methods. On the basis of the initial risk assessment and the findings arising out of the gap analysis, an organisation would be able to establish a policy which has direct relevance to the organisation's line of business.

Risk mitigation: Risks identified as a result of the assessment may be addressed by implementing suitable controls in line with the documented policies. It is essential that the controls are inexpensive, invisible and implementable. Metrics would be required to measure the effectiveness of implemented controls.

Regular assessments: Periodic assessment to review the processes in light of the changing threat scenario would need to be undertaken to enable mid-course corrections.

Proactive approach: Some of the important proactive approaches essential to managing the insider threat are user awareness and building a 360-degree trust relationship amongst the employees.



CYBER CRIME

UNSAFE HARBOUR

The enemy is using our own weapons to infuse fear in our minds.

By Jennifer L. Hesterman

MOST WOULD AGREE that globalisation, fed by technological advances in the information system and telecommunications realms, has overwhelmingly been a 'good thing'. Our world is connected like never before, and those formerly isolated are now part of the landscape, able to access critical medical information, tap educational resources and answer almost any question in two clicks. Unfortunately, terrorists are similarly thrilled with globalisation. They, too, can answer any question in two clicks, including how to build a PETN bomb like the one that nearly exploded on an airliner over Detroit on Christmas Day. They use Google Earth to identify targets and landmarks, as shown in an Al Qaeda terrorist attack against a U.S. military recruitment office last year. Somali terrorists used Facebook pages to liaise with recruits in Minneapolis, and rebels on the battlefield have satellite phones and use Twitter to communicate. In fact, terrorists are now able to directly engage you through your home computer, or your child through his or her web-enabled device, to spread their radical ideology.

The enemy defined

The most widely accepted definition of terrorism is the unlawful use of force or violence against persons or property to intimidate or coerce a government and the civilian population in furtherance of political, social or religious objectives. A terrorist is one who causes fear and seeks to dominate or coerce. Terrorists can work in large groups, small cells, or as lone wolves. Terrorists have always employed asymmetric tactics to achieve their goals; they often strike in unanticipated ways to maximise results. Never has asymmetric warfare been more prevalent than in the last decade – from the use of airplanes as missiles on 9/11 in the United States, to the seaborne staged attack on Mumbai in 2008. It is important to understand that religious terrorists are the most dangerous. Not only do they disregard the rule of law, they have no moral restraint, believing their faith imparts authority to kill innocent victims in extraordinary ways. They use all means to advance their agenda. The religious ideology is not confined to nation-state boundaries, making it harder to engage and penetrate. Finally, religious terrorists have an apocalyptic agenda, which could ultimately lead to the employment of a weapon of mass destruction. At its very core, terrorism is nothing but an elaborate marketing campaign. The main product is fear; however, by-products include recruitment, empathy seeking and fund raising. Like all marketing operations, terrorism is meant to shift the public centre of gravity through the use of symbolism or themes, and their techniques can be overt or covert. We must also remember this is a long campaign; the enemy is patient and thinks in terms of millennia, not years. Our children's children may be struggling with the same issues we are today.

252% growth in attacks on government. 204% growth in attacks on banking and finance in 2009.

Source: Scansafe Annual Global Threat Report

Shifting tactics

Bruce Hoffman, a noted terrorism expert, believes Al-Qaeda (and its affiliates) is increasingly focused on overwhelming, distracting and exhausting us. We may have defused the bomb in the airline on Christmas Day, but are we going to survive the financial destruction the enemy is trying to bring about in a long, protracted war? Terrorists are fronting threats that may not exist (such as suitcase nuclear bombs), which force us to spend billions on countermeasures and incite fear in the populace. Similarly, rather than engaging in standard cyber warfare by deliberately targeting our systems to deny service, terrorists appear instead to be leveraging technology to wage societal warfare.

ILLUSTRATION BY BINESH SREEDHARAN



CYBER CRIME

My first task in the morning is to scan 22 websites in an open source intelligence collection activity that supports my university teaching and journal writing efforts. In the spirit of ‘know thy enemy’, an axiom of the Great War strategist Sun Tzu, I also access various Jihadi sites and the pages of domestic and ethno-separatist terror groups. Often it is just the same rhetoric, but I have sensed a shift from outright violent threats to a more subtle, understated threat. For instance, seemingly benign, friendly organisations are using webcasts to facilitate understanding and discussion of the Muslim religion. Having joined telecasts (anonymously), I find that such sessions are not moderated by respected clerics, but by radical Imams or even worse, those who believe they have special dispensation to interpret the Koran in ways not accepted by the mainstream religious body. Also, groups such as Hamas and Hezbollah are masters at using the web to achieve social objectives and goals for their communities. They use foundations, with ever changing names and websites, to raise funds for widows and those orphaned by their operations, and also seek donations to build schools and hospitals. Naturally this community building activity creates good will (and safe harbour) and furthers recruiting goals. Many citizens have donated money without realising it is funding activities of internationally designated terrorist groups. There are many other ways terrorists are infiltrating society through the cyber realm – by using the web for blogging, by posting videos on YouTube, by interacting in virtual worlds, the list goes on.


Troubled waters

A few contributing factors led to the use of cyberspace for societal warfare: Cyberspace is virtually “un-patrollable”. We have a weak set of international laws, and no overarching governing body for enforcement.


Which way now?

Sovereign nations that believe in freedom of speech and expression may monitor the web through their agencies, but do not actively infiltrate and disable sites. In the rush to get cutting edge products to the market, no-one reflected on how technology could be exploited by, what I call, “the 1%” – terrorists and criminals. On many fronts in this ‘war’, we’ve greatly underestimated the sophistication of terrorists. Not only do they use the same technology that we do on a daily basis, their financial assets may be growing exponentially. It has recently come to light in the counterterrorism community that groups like Al Qaeda are now engaged in the narcotics trade in South America and the Western Coast of Africa. This will provide them access to large sums of money – the kind needed to get the right people on the payroll such as scientists, engineers and technical experts. Therefore, we’ve created an environment that is conducive for infiltration by terrorists who are sophisticated, have vast resources and are patient. As such, the following assumptions must be made:

1. New applications will be exploited.
2. Every technological solution will be defeated.
3. Your operations will be targeted using system probes or by information collected from your employees.

This can be very disheartening – or very enlightening. Just understanding the enemy will go a long way toward protecting our infrastructure. During my military career, knowing the enemy was a critical part of every endeavour. I worked on various application development projects and never developed a product or fielded a new piece of equipment without the ‘enemy’ in mind. From initial brainstorming sessions to every stage of development, we ‘baked in’ countermeasures. And similar to for-profit companies, we were also in a rush to field technology since our soldiers’ lives and our nation’s defence were at stake. By acknowledging the existence of an enemy, and keeping him in mind on every step, you may prevent your product from being used for destructive outcomes.

I am neither an IT nor a cyber warfare expert, but I know the mind of a terrorist. I understand how terrorist groups seek to turn the switch from ‘off’ to ‘on’ in the human brain and recruit those who will carry out the most heinous of missions, sacrificing their own lives in the process. The radical militant ideology is like poison to the mind, especially to the hopeless and downtrodden who would rather die in a spectacular blast than as a hungry beggar. Using cyberspace as a medium for conducting societal warfare in your community and mine is a new front. We must engage in this war on terror. And being aware of its existence is a great step.

Jenni Hesterman is a retired Air Force colonel. She is a senior analyst for The MASY Group, a Global Intelligence and Risk Management firm, and is a full professor at American Military University and contributing editor to The Counter Terrorist magazine. Access her blog at www.counterterrorforum.com.


FELIX MOHAN | OPINION

FIXING BIG LEAKS

“There's a case for obfuscation of sensitive data by maintaining multiple and fake VERSIONS OF DATA ALONG WITH THE CORRECT VERSION” —FELIX MOHAN, Group CISO of Bharti Airtel

CORPORATE espionage is rapidly rising. Years of R&D can go down the drain and intellectual property worth millions can be lost to competition overnight. What once began as legitimate intelligence gathering has now morphed into a quick-fix solution by unscrupulous competitors out to nullify their rivals’ competitive advantage. Google’s threat to withdraw from China is a confirmation that corporate espionage is increasingly common across the Internet and can be extremely difficult to detect. As companies struggle to survive in a hyper-competitive environment, prying into rivals’ secrets has become lucrative. Obviously, corporate ethics is taking a back seat. It’s not just companies. Governments too are snooping. Today national security lies as much in a country’s industrial strength as it does in the possession of advanced weaponry. The methods employed generally involve highly trained spies and advanced gadgetry for carrying out sophisticated hacks on corporate trade secrets. At the other end of the spectrum, a vast majority of corporate espionage occurs not in cyberspace using high tech gadgets, but rather through low tech devices such as a Rs. 500 bug hidden under the board room table. While a company may implement state-of-the-art logical and physical security by spending millions, it may do little to protect information from either the untrained or disgruntled insider, who is the cause for more than 85 percent of the leaks. Placing of ‘moles’ within the competitor’s organisation, and recruiting key employees working for the competitor are particularly insidious and commonplace.

Under these circumstances, companies must take proactive steps to mitigate the risk. Get a non-disclosure agreement that can be enforced under the Indian Contracts Act in place with all employees handling or creating sensitive information. Carry out thorough background checks of employees with access to sensitive data. Institutionalise whistle blower and suspicious activity reporting, make employees aware of their responsibilities and consequent legal penalties and establish internal capabilities for monitoring, investigating and initiating legal proceedings to punish or seek compensation from those who have committed the crime. While standard information security controls such as identification and classification of sensitive data, risk assessments, strong authentication, data leak protection, encryption and regular bug sweeps are a must, companies must also explore measures such as out-of-band communication channels within the company for highly sensitive data, and obfuscation of sensitive data by maintaining multiple and fake versions of data along with the correct version, which is known only to trusted key staff. There is a vast array of competing priorities for a company, and security issues tend to be addressed as a reaction to unfortunate events. However, corporate espionage is a major business risk, not just a theoretical curiosity or an issue purely for IT – and every board needs to treat it as such!



IDENTITY THEFT

WHETHER YOU THINK that social media is an asset to your organisation or consider it a liability, one thing is clear: the number of people signing up on social networking sites keeps increasing. There are close to half a billion people who are active on social media. Last time I checked, Facebook had more than 400 million users and Twitter 50 million. Some say social media sites such as Facebook and others combined have close to a billion views per month. Web 2.0 is alive and has changed the game for IT professionals. There are thousands (4600+ on record) of social media sites worldwide such as Facebook, LinkedIn, MySpace, Twitter, and YouTube. However, social media is still in its infancy. There are many security issues plaguing social media sites. Users are tricked into clicking links. Viruses enter the network as a result of employees downloading or simply visiting an infected page. For the past year, I’ve been screaming about the trouble with social media – the numerous loopholes it has created and how criminals are exploiting them for crime such as identity theft and brand hijacking. Social media creates many opportunities for criminals to make “friends” with their potential victims in order to create a false sense of trust and use the misplaced trust against their victims in phishing or other scams. I predicted long ago that the problem will get a lot worse before it gets better. Indeed, that's what has happened – criminal hackers have taken hold and are in full force. We hear about a new Twitter phishing scam almost daily, whether it’s via direct messaging or a shortened URL. My spam folder is filled with emails from Facebook phishers, requesting new login credentials, or a “friend” who’s sending me a video that’s actually a virus. Not too long ago, it was big news when a criminal broke into Facebook accounts, and, impersonating the victim, sent messages to the victim's friends, claiming to have lost his wallet in the UK and begging for a money wire. Lately, I see such stories every week.

Pinching where it hurts

Scammers aren’t just stealing identities and spreading malware. They are brand jacking in ways that are hurting companies’ bottom lines. While many may not have sympathy for the bottom lines of billion dollar corporations, this hurts the little guy too. Knock off software, hardware, merchandise, and movies ultimately cost legitimate taxpayers’ jobs and hurt the economy even as the money is directed to criminal hackers elsewhere in the world. Liz Miller, vice president of the Chief Marketing Officer Council, says, “Counterfeiting operations are highly organised and very global.” Imagine if someone used your name and image, or the name and logo of a business you own, to create a profile on Facebook, Twitter or some other social networking website. Then they start posting blogs and sending out links while pretending to be you. Establishing an online presence using someone else’s identity creates unlimited opportunities for a scammer.

11.1 million adults were affected by identity theft in the United States and the total fraud amount was $54 billion, according to the 2010 Identity Fraud Survey Report by Javelin Strategy & Research.

What you post online is what you give away. By Robert Siciliano

Social media identity thefts are of different types and occur due to a number of reasons:

Winning clients: An impersonator may be attempting to steal your clients or potential clients. A person could be squatting on your name or brand, hoping to profit by selling it back to you or preventing you from using it.

Gaining backdoor access: Criminal hackers could be posting infected links which, once clicked, could infect the victim’s PC or network with a virus that gives hackers backdoor access.

Damaging your brand: An impersonator may intentionally pose as you, and even blog as you, in order to damage your name or brand. Anything they say to the world that is libelous, defamatory, or just plain wrong hurts your reputation and can even make you the target of a lawsuit.

Identity thieves could be parodying you or your brand, by creating a tongue-in-cheek website that might be funny and obvious, but will most likely not be funny to you.

An impersonator may be using your identity to harass someone you know.

An impostor may be obsessed with you or your brand, and simply want to be associated with you. Posing as you could yield attention and satisfaction.

Obtaining privileged access: Impersonators may wish to use a name or brand that has leverage, such as a celebrity or a Fortune 500 company, to obtain privileged access.

Extracting credit card information: If you or your business sells products or services, identity thieves might pose as you and offer deals with links to spoofed websites, in order to extract credit card numbers.

Collecting personal information: An identity thief may pose as a government entity for the purpose of extracting data and committing new account fraud.

Unfortunately, the list of the type of frauds that can be committed keeps growing and is limited by the imagination of the thief.

The to-do list

Some guidelines you can keep in mind:

1. Register all your officers, company names and branded products on every social media site you can find to prevent Twitter squatting and cyber-squatting. Do the same for your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday.
2. Set up a free Google Alert for your name and get an email every time your name pops up online. You will find out if there is any site that disparages you.
3. Get a Google Profile. It’s free and it shows up on page one.
4. Set up a free StepRep account for your name. StepRep is an online reputation manager that does a better job than Google Alerts does of fetching your name on the web.
5. Go to Knowem.com. This is an online portal that goes out and registers your name at what they consider the top 150 social media sites.

Start doing things online to boost your online reputation. Blogging is best. You want Google to bring your given name to the top of search in its best light, so when anyone is searching for you they see good things. Bury bad stuff 20 deep. This is a combination of online reputation management and search engine optimization for your brand.



Watch before you leap

Most people who post personal information online do not recognise the potential consequences of their actions, or maybe they simply don’t care about their identity. Sir John Sawers is the head of MI6, essentially the British equivalent of the CIA. His wife posted sensitive personal information to her Facebook page, including the address of the couple’s London apartment. She also posted family photos that included her half-brother, who was an associate and researcher for a historian who has been convicted of Holocaust denial. Her Facebook profile was left open to anyone in the London network. Patrick Mercer, Conservative chairman of the Commons counter-terrorism subcommittee, has pointed out that these types of postings leave Sir John Sawers open to criticism and blackmail. “We can’t have the head of MI6 being compromised by having personal details of his life being posted on Facebook. He is a long-serving diplomat and ambassador and his family are well aware about it. I would have hoped they would have been much more sensitive to situations like this which could potentially compromise his security.” While all of us may not be high profile targets, you can still be a target at some level, and the more intelligence you make available to potential attackers or criminal hackers, the easier you make it for them to harm you. If you use social media and regularly update your status or profile, please keep the following advice in mind:

1. Before you post anything online, think about what a hacker, stalker, employer, or potential employer could do with it.
2. Don’t give away specifics. Don’t post your address, date of birth, kids’ names, pets’ names, phone numbers, or any account numbers or financial information of any kind. You really shouldn’t even post children’s photos online.
3. Do not tell the world you are going on vacation! Or if you’re going to dinner or the beach and won’t be at your house for several hours. Why would you let potential burglars know that you are away?
4. Before posting pictures or videos, consider what a criminal or potential employer might see. Could they be used against you in any way?

— Robert Siciliano is the CEO of IDTheftSecurity.com, a professional speaker and author. He can be reached via Robert@IDTheftSecurity.com


VISHAL SALVI | OPINION

THE BRAIN OF THE MATTER

“Understanding the way our brain has developed may help us PUT IN PLACE A BETTER RESPONSE PLAN” —VISHAL SALVI, Sr. Vice President & Chief Information Security Officer, HDFC Bank

I HAD NEVER thought about how the different parts of the brain could impact the decisions I take in the course of managing information security. That was until my visit to RSA 2010 which changed my outlook. At a session on Psychology of Security, I learnt that there are two parts of our brain which are designed to assess and react to risk. The amygdala, the primitive part, is the one that causes adrenaline and other hormones to be pumped into our bloodstream; the neocortex has developed more recently to deal with the complexities of today’s world. So we have two systems for reacting to risk, a primitive intuitive system and a more advanced analytic system, and they're operating in parallel. What does all this have to do with information security? There are two fundamental problems with the way our brain has developed: 1. It's hard for the neocortex to contradict the amygdala. 2. The neocortex is not fully developed and hence we get things wrong. Most of our flaws when faced with a security decision or risk response are due to this. Understanding the anatomy of the brain would have been of little help to me, had it not been for the way in which the panel members Dr. Jakob Nielsen and Bruce Schneier helped me to connect the dots. Dr. Nielsen has been a pioneer in the field of “Usability” and Bruce on psychology of security. It turns out that understanding the way our brain has developed may help us put in place a better response plan.

Most CSOs and CTOs would say that awareness is one of the top three focus areas in their information security agenda. However, is just awareness enough? Will this ensure a suitable change in people’s behaviour? Most likely the answer is a “No”. The solution lies in tailoring the process and technology to adjust to human behaviour; while most often we expect it to be the other way around. This is the fundamental problem! There were some useful take-home points for me. People’s choices are affected by how a trade-off is framed. Frame the choice as a gain, and people will tend to be risk averse. But frame the choice as a loss, and people will tend to be risk seeking. People assess the frequency of a class or the probability of an event by the ease with which instances or occurrences can be brought to mind. In other words, in any decision-making process, easily remembered (available) data are given greater weight than hard-to-remember data. People exaggerate risks that are spectacular, rare, sudden and personified and downplay those that are evolving slowly, common, long-term and anonymous. As Dr. Nielsen put it, “98% of the issues and problems in the information security field lie in the area of human behaviour, whereas the remaining 2% can be solved by technology.” Even if this is an exaggeration, he is still making a very important point.



IDENTITY THEFT

SITTING DUCKS

80% of those polled are concerned about privacy issues on social networks, yet almost 60% are unaware of what their privacy settings are and who can see their data.

NOW THAT THE THREE major search engines Google, Bing and Yahoo index real-time search for Twitter and other social networks, consumers and employees must be aware that not all relevant search is a safe click. Scammers and identity thieves see this as real-time free advertising for their malware. When news breaks, the social media is now considered a trusted source for cutting edge information. The search engines trust that data and place those keyword search results on page one. A criminal hacker seeing news break begins to multiply that message and embed malware in the links that lead to fraud. Tainted Twitter and Facebook updates are riddled with spam and viruses in status posts where links are often disguised in short URLs that go to spoofed sites or include a downloadable virus. The use of short URLs has made Twitter's 140-character limit the perfect launch pad for spam leading to diet pills, Viagra and viruses. The blind trust the search engines have in these results puts the user in jeopardy. While all three search engines have automatic and manual processes for detecting such links, the sheer volume of hackers using this strategy creates a cat and mouse scenario that is far from fool proof. Some general guidelines will come to your aid:

1. Don’t click on links from those who you aren’t familiar with.
2. If you are compelled to follow a link, use a short URL decoder that provides a glimpse into where the link goes. Otherwise make sure you have the most updated browser that informs you of entry to spoofed sites. And make sure your antivirus is fully up to date.



Studies reveal that the majority are doing little to protect themselves on networking forums. Most are unaware of what their privacy settings are.

By Robert Siciliano

Research has proved that a third of social networkers have at least three pieces of information posted on their pages that could lead to identity theft. Names, addresses, birth dates, mothers’ maiden names, kids’ names, pets’ names, employers and phone numbers are among the various types of data that could help a criminal piece together your identity. Social networkers are simply making it too easy for thieves. Almost 80% of those polled are concerned about privacy issues on social networks, yet almost 60% are unaware of what their privacy settings are and who can see their data. One third of social networkers admitted that they use the same password for all their social networking accounts. Most social networks have privacy settings

that many users never venture to manage. It is imperative to spend a few minutes and lock down your profiles so they can’t be seen by everyone in the world. It is not unusual for a potential identity thief to “friend” a potential victim. The thief poses as someone the target may know, or someone who is known within the target’s social circle. Once the thief has been accepted as a friend, he or she is in the target’s inner circle and gains a great deal of insight into the target’s daily life. From here it is child's play to cause mischief.

Front door wide open

Ethical hackers are the tech industry's white knights, also known as “white hat hackers”. They are hired by companies' CIOs to penetrate the network to determine where its vulnerabilities are. Find those vulnerabilities before a bad guy does. The process of a white hat starts with a permission based hack that often leads to results that make the CIO nauseous. Getting the data may mean hacking a wireless connection or hacking a public facing website. Here's how to do it with a fake badge and a Facebook profile. The process begins like this:

1. Scan social networks such as Facebook, Twitter, LinkedIn and Myspace for names of employees and vendors of the company to penetrate.
2. Create an identity of an employee of the company or vendor and launch a social media profile of that person.
3. Begin to contact each person who is an employee of that company and invite them to be “friends”.
4. Create a “Group” on a site such as Facebook. A group in social networking is a place where people having common interests gather.
5. Once befriended, invite those same people into the company’s group.
6. With the intelligence gathered from the posts by “friends” and other data available about the group, determine who works at which facility and what their level of access is, when they go on vacation, etc.
7. Do some onsite intelligence gathering with hidden video to document dress and corporate behaviour.
8. Recreate the identity, badge and business card of an employee or vendor who works at or services the company.
9. Posing as an employee or an executive coming from a vendor, visit a remote facility to gain access to machines having proprietary data.

This is an example of how people make themselves and their corporate networks vulnerable because of what they post to Facebook. Restricting the use of social media is certainly an option. However the “work around” to gain access can sometimes be even riskier.

Some guidelines to limit the threats from using networking sites:

1. Implement policies: Social media is a great platform for connecting; however, it's important to have some type of regulatory policy in place.
2. Teach effective use: Provide training on proper use of networking sites, and especially what not to do.
3. Encourage URL decoding: Before clicking on shortened URLs, find out where they lead by pasting them into a URL lengthening service like TinyURL Decoder or Untiny.
4. Limit social networks: In my own research I’ve found 300-400 operable social networking sites, many of which have inadequate security measures.
5. Train IT personnel: Effective policies begin from the top down. Those responsible for managing technology need to be fully up to speed.
6. Maintain updated security: Whether hardware or software, anti-virus or critical security patches, make sure you are up to date.
7. Lock down settings: Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave the networks wide open for attack.
8. Prevent social media identity theft: Register all your officers, company names and branded products on every social media site you can find to prevent twittersquatting and cybersquatting. You can do this manually or by using a very cost effective service called Knowem.com.

Social media phishing

I’ve been getting the same “direct message” from several of my Twitter followers. Apparently, their accounts have been hacked, because it’s a phishing message that says, “Is this you?” and contains a shortened URL. Twitter phishing is sending tweets to update accounts or visit spoofed sites where users enter credentials that allow financial transactions. Users who follow these links are invited to submit their login credentials via a counterfeit Twitter login page. In the process, they surrender control of their microblogging account to hackers, who use it to send a fresh round of phishing lures. In the past, compromised accounts have sent pictures and links to spoofed websites. The new attacks mimic email address book attacks where the compromised account sends direct messages to the user’s followers. Twitter only allows direct messages to people following you. While clicking links and downloading multimedia files, the victim may end up with a virus that spreads a keylogger and/or harvests user login details. Criminals know many internet users have the same passwords for multiple accounts. After gaining access to a bank account, criminal hackers can transfer funds and write checks to themselves. Don’t just click on any link no matter where it’s coming from. Attackers understand a person is more likely to click a link from someone they know, like and trust. If someone direct messages you requesting you click something, their account may be in control of a criminal.

Portions of these articles originally appeared in the Bank Fraud IT Security Report.

—Robert Siciliano is the CEO of IDTheftSecurity.com, a professional speaker and author. He can be reached via Robert@IDTheftSecurity.com
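The short URL decoder advice and the “Is this you?” Twitter lure described above can be turned into a check that runs before anyone clicks. This is an added example, not code from the article: it expands a shortened link one redirect at a time without loading the destination page, then flags messages that pair a lure phrase with a link, or whose final host merely resembles the genuine login domain. The shortener list, the trusted hosts, the sample direct messages and the offline redirect table are all constructed for the demonstration.

```python
"""Screen direct messages for the "Is this you?" short-URL phishing lure.

Added example, not code from the article. The shortener list, trusted hosts,
sample messages and the offline redirect table are constructed for the demo.
"""
import re
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Hosts that hide a destination behind a short code (constructed list).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Wording of the lures the article describes, lower-cased for matching.
LURE_PHRASES = ("is this you", "lost my wallet", "verify your account", "login to confirm")

# Brands the user logs into, and the only hosts that may legitimately ask for
# those credentials (constructed for the example).
BRANDS = ("twitter", "facebook")
TRUSTED_LOGIN_HOSTS = {"twitter.com", "www.twitter.com", "facebook.com", "www.facebook.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_shortened(url: str) -> bool:
    """True when the link's host is a known URL shortener."""
    return (urlparse(url).hostname or "").lower() in SHORTENER_HOSTS


def expand_url(url: str, fetch_location, max_hops: int = 5) -> str:
    """Resolve a short link one redirect at a time without loading the final page.

    fetch_location(url) returns the Location header of a redirect, or None when
    the URL goes nowhere further. Injecting the fetcher keeps this offline in
    tests and stops the checker itself from quietly "clicking" the lure.
    """
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if not nxt or nxt in chain:   # end of chain, or a redirect loop
            break
        chain.append(nxt)
    return chain[-1]


class _NoRedirect(HTTPRedirectHandler):
    """urllib follows 3xx responses by default; returning None makes it stop."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head_location(url: str, timeout: float = 5.0):
    """Live fetcher: one HEAD request, no redirect following (not exercised offline)."""
    opener = build_opener(_NoRedirect)
    try:
        opener.open(Request(url, method="HEAD"), timeout=timeout)
        return None                     # 2xx: this is the final destination
    except HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None


def assess_message(text: str, fetch_location) -> dict:
    """Verdict for one message: every link, where it really leads, and why it looks bad."""
    lowered = text.lower()
    reasons = []
    if any(phrase in lowered for phrase in LURE_PHRASES):
        reasons.append("lure phrase")
    destinations = {}
    lookalike = False
    for url in URL_RE.findall(text):
        final = expand_url(url, fetch_location) if is_shortened(url) else url
        destinations[url] = final
        host = (urlparse(final).hostname or "").lower()
        if url != final:
            reasons.append(f"shortened link expands to {host}")
        # A host that merely contains the brand name, such as
        # twitter.com.secure-login.example, is a look-alike unless it is a genuine login host.
        if host not in TRUSTED_LOGIN_HOSTS and any(b in host for b in BRANDS):
            lookalike = True
            reasons.append(f"brand look-alike host {host}")
    suspicious = lookalike or ("lure phrase" in reasons and bool(destinations))
    return {"suspicious": suspicious, "destinations": destinations, "reasons": reasons}


# Constructed redirect table standing in for a shortener's answers (example data).
FAKE_REDIRECTS = {
    "http://tinyurl.com/constructed-lure": "http://twitter.com.secure-login.example/verify",
    "http://tinyurl.com/constructed-ok": "https://twitter.com/someone/status/1",
}


def table_fetch_location(url: str):
    """Offline fetcher used by the demo and tests."""
    return FAKE_REDIRECTS.get(url)


# Constructed sample direct messages.
SAMPLE_DMS = [
    "Is this you? http://tinyurl.com/constructed-lure",
    "lol check this http://tinyurl.com/constructed-ok",
    "slides from today: https://example.org/talk.pdf",
]

if __name__ == "__main__":
    for dm in SAMPLE_DMS:
        print(assess_message(dm, table_fetch_location))
```

Swap `table_fetch_location` for `http_head_location` to resolve real links; the HEAD request reveals the destination without fetching the page behind it.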



JAPJIT SINGH | OPINION

CHALLENGES IN A GLOBAL NETWORK

“Every government has its own data PROTECTION LAWS TO DEAL WITH SUCH HIGHLY SENSITIVE DATA” —JAPJIT SINGH, Vice President and Head Information Security, VFS Global Services Pvt. Ltd.

SECURITY IS A tough nut to crack, even within domestic borders. When the scope goes international, the challenges are multiplied. In any organisation, there are three distinct aspects to security – people, processes and technology. When your organisation is operating in different geographies, managing all these three aspects becomes quite a challenge. In a large organisation (such as ours, which processes more than 10 million applications every year in 45 countries, across 325 offices while working with 27 governments of different countries) we need to handle extremely sensitive data that includes data taken from passports, financial records, medical records and other personal identifiable information (PII). Every government has its own data protection laws to deal with such highly sensitive data. Though you have standards like ISO 27001, there are still some holes that need to be plugged. Another challenge in such a scenario is managing people. We have more than 3500 employees across the world with different work cultures and different thresholds of security. As if that is not enough, we also have the challenge of dealing in different languages – the most difficult countries being Russia, France and Japan. And, finally there is the challenge of using the local software and hardware alongside the globally used versions. To find solutions to all these problems, we have devised a comprehensive control statement in the form of a unified compliance framework. This is based on ISO 27001 with a local flavour to it. For instance in UK we have to adhere to the Data Protection Act and in Japan there is a privacy handbook. In Indonesia, one is required to keep audit trails for a year for all transactions. Thus, defining these rules was an important step in ensuring that all compliances were met and a comprehensive security environment was established. Once the framework was set, we set up an extensive self-help intranet portal which was localised for some geographies too. Though the knowledge was helpful for users, it was also important to ensure that we were able to get a single dashboard view of all the activities on our network. To manage a disparate infrastructure across the world, we also use application white-listing. It helps in control and ensures that local applications are developed to suit different countries. The critical data though is housed in two data centres in London and Mumbai to ensure better data security, redundancy as well as better control. But, the task is only half done. We still need to ensure that all the systems across the world are compliant. For this we are working on a new self assessment process. Using this, all branch managers will be required to fill in a questionnaire that will be mapped to the central system. This will help in defining the security holes and will ensure that the security staff spends less time on-site to plug the problem. It will also save the hassle and cost of travelling to all the locations to do a security audit.



CLOUD COMPUTING

LIGHTNING IN THE CLOUD

IN 1975 MY FATHER, a doctor, was approached by some entrepreneurs. They had a brilliant idea. They were going to purchase a mainframe computer and sell computing on a timeshare basis to anyone who wanted to connect to it. Charges would be based on compute cycles and applications would be provided pre-loaded. Sounds familiar? That was cloud computing! Today’s cloud is certainly different in scale. The flexible computing platform is provided by multiple virtual instances of many computers. The applications are provided by specialist companies like Salesforce.com for customer relationship management (CRM) and Google or Yahoo! for email, calendaring and document creation. The network is different from 1975 and the computing infrastructure has improved, but the real difference between then and now is in the nature of the threat.

Changing scenarios

Since 2003, there has been a rapid increase in cyber crime. It is like watching a new economy grow on the back of the Internet. The criminals target anything that can be turned into profits. And those profits fund new research and development as well as the expansion of the criminal networks needed to execute elaborate money laundering schemes. In his just published book, Fatal System Error, Joseph Menn documents the rise of cyber crime. Menn traveled to Russia to see firsthand the economic, political and legal environment that gave rise to dispersed networks of hackers, extortionists, carders, cashers and mules that systematically pull off phishing attacks, launch distributed Denial of Service (DDoS) attacks and feed the proceeds back into their organisations. He follows Andy Crocker, a policeman with the UK High Tech Crime Task Force, as he tracks one such hacker to his apartment and eventually arrests and prosecutes three cyber criminals and has them sent to Siberia for eight years’ hard labour. It is such criminals, and the legions that join them every year, that pose a serious threat to the popularity of the emerging cloud computing model. There used to be a common defence used by most organisations. It was called “security by obscurity” and was evoked in the statement “I am just a car dealer/attorney/shop keeper, why would someone from St. Petersburg want to hack me?” Those days are gone. If there are assets of any sort, financial accounts, intellectual property, or a social network – they will be targeted. And if there are security vulnerabilities, they will be broken into. We have already seen cloud services hacked using elaborate techniques. Lexis-Nexis, the big information database, was hacked repeatedly. Lexis-Nexis made the common mistake of trusting their customers. An individual could use a credit card to purchase access to their database of records. Hackers used stolen credit cards to purchase access and ran computer programs to systematically drain the database.

87.5% of respondents to a recent IDC survey rate security as the top challenge in cloud computing.


The cloud is fast catching on as the preferred computing model, but nothing suggests that security issues are taken care of. By Richard Stiennon

Beware of the evil

Let’s talk about what could happen. First, Salesforce.com! This service is becoming the operational backbone for thousands of companies. Sales contacts, quotes, pipeline, order processing, invoicing and reporting all go through a single platform that is available on demand and from anywhere. The only authentication asked for is an email address and password. It is trivial for an attacker to determine the email address of, say, the VP of sales of a target organisation. Getting the password is equally trivial. Just send a trojan horse to that email address and every keystroke is recorded when the VP of sales logs in to his account. Once in, the attacker has access to everything the VP of sales has: the company’s strategic plans, financials, and a view of the sales pipeline. Imagine the stock manipulation possible if one had a complete view of a publicly traded company’s sales forecast in the last week of the quarter! Salesforce.com is a lesson in the weakness of the simple username/password. The cloud offers other possibilities to cyber criminals.

Shared platforms: Computing-on-demand services, the so-called public cloud, such as Amazon Elastic Compute Cloud (Amazon EC2), are built on thousands of physical servers running tens of thousands of virtual machines. A hosted application is granted as much computing power as it needs. What happens if a customer of Amazon EC2 is pummelled with fake requests for its services? That application owner may face charges that far exceed its revenue from real customers. What if one service, such as Twitter, which is hosted in part on Amazon’s infrastructure, suffers a global DDoS? What happens to other services on the same platform? They all go down together.

Authentication: Sometimes it seems like every new computing platform, be it mainframe, client-server, web-based or cloud, must re-learn the lessons of the past. Most cloud services are launched with few protections against attackers. Within weeks, the developers learn to lock out accounts after too many failed login attempts (a defence against password guessing attacks) and to require the user to read and enter the content of a CAPTCHA.

Vulnerabilities: Microsoft has contributed its share of vulnerabilities to the world of desktop computing. Cisco, Sun and Oracle have all done it for their platforms. As surely as there will be new vulnerabilities in OSs and applications, there will be vulnerabilities in the implementations of cloud computing platforms. The beautiful thing about cloud services is that the patch cycle is simplified: no disclosure, no distribution of a patch, no bad publicity. The scary thing about cloud computing is that the provider may not discover the vulnerability until after it is exploited.
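The lockout-and-CAPTCHA step described under Authentication above, written out as an added example (not code from the article or from any cloud provider). The thresholds, the sample account and the timeline of attempts are constructed; failures are counted in a sliding window so that old mistakes expire, a CAPTCHA is demanded before the lock threshold is reached, and unknown accounts are checked against a dummy credential so that they cost the same time as real ones.

```python
"""Failed-login lockout with a CAPTCHA step in front of password guessing.

Added example: thresholds and the sample account are constructed.
"""
import hashlib
import hmac
import os
from collections import deque

WINDOW_SECONDS = 300   # failures older than this no longer count
CAPTCHA_AFTER = 3      # demand a CAPTCHA once this many recent failures exist
LOCK_AFTER = 5         # lock the account at this many recent failures
LOCK_SECONDS = 900     # how long the lock lasts


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Salt is random unless given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginGuard:
    def __init__(self):
        self._creds = {}          # email -> (salt, digest)
        self._failures = {}       # email -> deque of failure timestamps
        self._locked_until = {}   # email -> unix time the lock expires
        # Dummy credential so unknown accounts take the same time to check
        self._dummy = hash_password("not-a-real-password")

    def register(self, email, password):
        self._creds[email] = hash_password(password)

    def _recent_failures(self, email, now):
        """Drop failures outside the window and return the remaining queue."""
        q = self._failures.setdefault(email, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def _verify(self, email, password):
        salt, digest = self._creds.get(email, self._dummy)
        _, candidate = hash_password(password, salt)
        return email in self._creds and hmac.compare_digest(candidate, digest)

    def attempt(self, email, password, now, captcha_solved=False):
        """Returns one of: locked, captcha_required, success, failed."""
        q = self._recent_failures(email, now)
        if now < self._locked_until.get(email, 0):
            return "locked"            # even the right password waits out the lock
        if len(q) >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha_required"
        if self._verify(email, password):
            q.clear()
            return "success"
        q.append(now)
        if len(q) >= LOCK_AFTER:
            self._locked_until[email] = now + LOCK_SECONDS
            return "locked"
        return "failed"


def demo():
    """Walk a constructed account through a guessing run; returns the outcomes."""
    guard = LoginGuard()
    guard.register("vp.sales@example.com", "correct-horse-battery")
    who = "vp.sales@example.com"
    seq = [guard.attempt(who, "guess", now=t) for t in (0, 1, 2)]
    seq.append(guard.attempt(who, "guess", now=3))                        # CAPTCHA now required
    seq.append(guard.attempt(who, "guess", now=3, captcha_solved=True))   # 4th failure
    seq.append(guard.attempt(who, "guess", now=4, captcha_solved=True))   # 5th failure: locked
    seq.append(guard.attempt(who, "correct-horse-battery", now=10))       # still locked
    seq.append(guard.attempt(who, "correct-horse-battery", now=905))      # lock expired
    return seq


if __name__ == "__main__":
    print(demo())
```

A lockout that keys only on the account name can be turned against the service: whoever knows the VP's email address can lock the VP out on demand, which is the same denial-of-service theme the article raises for shared platforms. In practice the account counter is paired with per-source throttling, and the "failed" and "locked" responses are kept identical for accounts that do not exist.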

How to secure the cloud?

The answer is again layered defence. The cloud must be segmented in such a way that a hosted application can only see its own data. And each user’s data must be segmented too. To guarantee that segmentation, the data must be encrypted, to be unlocked only by the user’s key. Access to the application must be through strong two-factor authentication: a one-time password token, or a cellphone used to provide SMS verification. Firewalls and DDoS defences must be put in front, and all connections should be filtered to block everything that is not explicitly allowed. As major cloud services arise, expect these lessons to be learned the hard way. Along with new efficiencies, enhanced service delivery and lower costs, there will be massive data breaches, service outages and elaborate schemes. The security industry is scrambling to provide protections that will enable the safe deployment of clouds, but most organisations may not make those investments until they have suffered the worst.

Richard Stiennon is a security expert and industry analyst. He is the founder of IT-Harvest, an analyst firm that researches 1,200 IT security vendors.
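Two of the layers just listed, a one-time password as the second factor and a data store where a hosted user can only reach its own tenant's records, fit in one short program. This is an added example, not code from the article or from any vendor: the one-time password is RFC 6238 TOTP (the same family as a token or authenticator app), the tenant scoping is enforced by deriving the tenant from the authenticated session rather than from anything the caller supplies, and per-user encryption of the stored rows is not shown. Users, tenants and records are constructed; the first TOTP secret is the RFC 6238 test-vector secret so the codes can be checked against the standard.

```python
"""TOTP second factor in front of a tenant-scoped data store.

Added example: users, tenants and records are constructed. Per-user
encryption of rows at rest is not shown.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, int(at_time // step))


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/- skew neighbours to tolerate clock drift."""
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


@dataclass(frozen=True)
class Session:
    user: str
    tenant: str


class Directory:
    """Users with a salted PBKDF2 password hash, a TOTP secret and a home tenant."""
    def __init__(self):
        self._users = {}

    def add(self, email, tenant, password, totp_secret):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[email] = (tenant, salt, digest, totp_secret)

    def login(self, email, password, code, now):
        """Both factors must pass; the session carries the tenant, the caller never picks it."""
        rec = self._users.get(email)
        if rec is None:
            return None
        tenant, salt, digest, secret = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        if not verify_totp(secret, code, now):
            return None
        return Session(email, tenant)


class TenantStore:
    """Rows keyed by (tenant, record id); every read is scoped by the session's tenant."""
    def __init__(self):
        self._rows = {}

    def put(self, tenant, record_id, data):
        self._rows[(tenant, record_id)] = data

    def get(self, session: Session, record_id):
        return self._rows.get((session.tenant, record_id))


def demo():
    """Constructed scenario: two tenants share a record id; returns what each can see."""
    users, store = Directory(), TenantStore()
    acme_secret, globex_secret = b"12345678901234567890", b"globex-demo-secret"
    users.add("vp.sales@acme.example", "acme", "acme-pw", acme_secret)
    users.add("ops@globex.example", "globex", "globex-pw", globex_secret)
    store.put("acme", "forecast-q1", {"pipeline": "constructed sample"})
    now = 59
    acme = users.login("vp.sales@acme.example", "acme-pw", totp(acme_secret, now), now)
    wrong_code = users.login("vp.sales@acme.example", "acme-pw", "000000", now)
    globex = users.login("ops@globex.example", "globex-pw", totp(globex_secret, now), now)
    return {
        "acme_sees": store.get(acme, "forecast-q1"),
        "wrong_code_session": wrong_code,
        "globex_sees": store.get(globex, "forecast-q1"),
    }


if __name__ == "__main__":
    print(demo())
```

The segmentation property rests on one design choice: `TenantStore.get` takes a `Session`, not a tenant id, so there is no code path in which a caller names a tenant other than the one it authenticated to. The keylogger scenario earlier in the article still yields the password, but without the current one-time code the login fails, and the skew window of one step is what keeps a token that has drifted by a few seconds working.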



GRC RELATIONSHIP

MANAGE YOUR RISK

ENTERPRISE RISK is all about uncertainty. It concerns the potential for an unexpected, or uncertain, event to threaten an enterprise objective (Westerman and Hunter 2007). When we talk about Enterprise Risk Management (ERM), we are looking at the best way possible to manage that uncertainty, so that we can minimise threats to our enterprise objectives. Ergo, ERM should be seen as a critical factor in the determination of the company’s long term sustainability (Fox, 2009). Due to recent world events, there has been a greater need for a more holistic approach to risk and, in particular, for managing complex risks within the enterprise (Wheeler, 2009). Organisations should not be thinking about risk in silos (Beasley, 2009); they need to look at all the risks that are stretched out across the enterprise and align treatment strategies intimately with business objectives. This paper is designed to highlight how ERM, Risk Governance and Policy Compliance are inextricably linked together to address the many risks that organisations face in their efforts to maximise long term business value. The paper does not deal with any specific ERM frameworks, and this may be viewed as a limitation. Its focus is on risk assessment and the decision-making framework that supports the outcome of such assessments. Furthermore, the governance framework presented has been adapted from Weill and Ross (2004) and is used as an example of a risk management decision-making framework and not as a holistic governance framework.

An appropriate decision-making framework includes grading risks and the right strategy to tackle them. By Dane Warren

ILLUSTRATION BY BINESH SREEDHARAN

36% of the 111 financial institutions included in Deloitte’s Risk Management Survey had an enterprise risk management program.

Enterprise Risk Management

Managing uncertainty within an enterprise is not an easy task. It involves participation from a large percentage of employees and can be a significant organisational challenge. It requires ongoing analysis and effective support processes that are geared towards minimising losses within an enterprise (McGinn, 2009). ERM entails an effort by the entire organisation to assess and respond to all uncertainty, that is, an organisation-wide approach to the evaluation and treatment of risk (Loghry and Chad, 2009). In addition to this, ERM needs to be flexible in response to the many different risks, in the hope that an organisation can become better at predicting and responding to uncertainty (Gurevitz, 2009).

Some risk assessments correlate likelihood and impact to produce a weighted rating. Other risk assessments use a comparative approach where risks can be compared across business objectives, such as access to data being compared to the accuracy of the data (Westerman and Hunter, 2007). For the purpose of this paper, I will look at risks that are assessed through a correlation of likelihood and impact. Comparisons against other risks are assumed as part of the impact assessment. Risk assessments can be qualitative, quantitative or both. The outcome from the assessment is typically a stepped severity rating that grades the risk from low to very high. Note: models are usually unique to organisations, and the naming of levels and the number of levels can vary. Figure 1 provides an example of a typical risk assessment matrix.

Figure 1: Risk assessment matrix (rows: likelihood; columns: impact; L = Low, M = Medium, H = High, VH = Very High)

Likelihood       Severe  Major  Moderate  Minor  Negligible
Rare             M       M      L         L      L
Unlikely         H       M      M         L      L
Possible         H       H      H         M      M
Likely           VH      H      H         M      M
Almost Certain   VH      VH     H         H      H

As can be seen from Figure 1, there is a link between the likelihood (technical assessment) and the impact (business assessment). One of the key benefits of using an assessment matrix such as this is that all risks will be identified, categorised, assessed and communicated in a consistent manner. Hence, one risk that affects finance can be directly compared and contrasted against another risk that impacts IT operations. Once risks are identified, they will need to be stored and managed. A good method of doing this is with an enterprise risk register. This is the master database where all risks will reside. Figure 2 gives an example of some of the fields that can be captured within your risk register.

Figure 2: Risk register fields
RID
Risk Catalyst
Category
Likelihood
Impact
Inherent Risk Rating
Executive Owner
Manager Assigned
Treatment Type
Treatment Controls
Treatment Implementation Date
Residual Risk Rating
Review Date

Some of the key fields which I believe are important in driving and maximising business value through risk treatment strategies are:

Executive owner: This is the owner of the risk treatment strategy. This person will be responsible for sponsoring the risk treatment strategy.
Treatment type: This will be determined by the executive owner. Some examples of treatment would be 'accepting a risk', 'mitigating a risk' and 'transferring a risk'.
Treatment implementation date: This is the date when the risk treatment strategy will commence.
Treatment controls: This will provide details around what the organisation is doing in order to deliver a successful risk treatment strategy. This field is important for identifying leverage opportunities for your risk treatment strategies that can be applied to different risks.
Residual risk rating: This is how the risk will be assessed following the implementation of the treatment type.
Review date: This is the date of reviewing the risk treatment strategy to determine whether the strategy has been successful or has failed.

If the risk register is managed well, and there is ongoing communication around the risks and their progress, the risk register will provide leadership with a number of benefits. Some benefits include: 1. Identification of multiple risks with the same resolutions; 2. Opportunity delivery through mandatory control requirements; and 3. Identification of discrete cashflows that can assist in capital budgeting analysis and working capital management. Management needs to understand the nature of the risks that are impacting the organisation, translate those risks into what they mean to the business, and assess whether they will impact the business’ ability to meet its objectives (Engle, 2009). Risk registers can be used to create a management reporting capability that communicates risks and tracks the progress of the many different risk treatment strategies.

Figure 3: Risk governance framework (WHO? provides input and WHO? decides)

Risk Strategy     Input: ALL       Decision: RGB
Risk Ownership    Medium: LM       High: EM       Very High: BRD
Risk Treatment    Medium: LM       High: EM       Very High: EM

KEY: ALL = anyone can contribute; LM = Line Management; EM = Executive Management; RGB = Risk Governance Board; BRD = Company Board

Risk governance

Corporate governance has been described as the structure that determines what objectives the organisation wants to achieve and monitors the progress to achievement (Weill and Ross, 2004). IT governance has been defined as “specifying decision rights and accountability framework to encourage desirable behaviour in the use of IT” (Weill and Ross, 2004). Risk Governance has been defined as “the structural, cultural, processes and accountability improvements that support good decision making and serve as the foundation risk management” (Atkinson and di Florio 2009, p.32). For the purpose of this article, I will refer to Risk Governance as the decision-making framework that: 1. is used to create and deliver a risk management strategy; 2. assigns risk ownership and treatment to the appropriate decision makers. The aim of this paper is not to provide a detailed risk governance process but to look at the decision-making framework that is required to manage enterprise risk effectively so that organisational objectives can be achieved. It is this decision-making framework that serves as the foundation for ERM. Risk Governance is a good way to streamline the decision-making processes associated with risk strategy, risk ownership and risk treatment. It provides senior leadership with a clear understanding of what their obligations are in relation to enterprise risks. It ensures that decisions are addressed by the appropriate level of leadership and that there is a clear demarcation point within the organisation’s hierarchy regarding accountability and ownership of risks. I have provided a very high level risk governance framework in Figure 3. Assignments and categories may be more or less extensive than what is contained in the matrix. The intent of the matrix is to show how decisions about risk are allocated and owned by different organisational stakeholders. The basic fundamentals that are contained within Figure 3 should ideally be transported into the different departmental governance frameworks around the organisation, such as IT, Legal, Procurement or Corporate. This will ensure that the decision-making frameworks, in relation to risk, are consistent across the enterprise.

“CORPORATE GOVERNANCE IS THE STRUCTURE THAT DETERMINES WHAT OBJECTIVES THE ORGANISATION WANTS TO ACHIEVE AND MONITORS THE PROGRESS TO ACHIEVEMENT.”

Figure 4: Policy exemption form (the risk values shown are the form’s worked example)

EXEMPTION ID:
EXEMPTION PURPOSE:
COMMENT:
Requester:
System Name:
INHERENT RISK: Very High (IMPACT: Severe; LIKELIHOOD: Likely)
RESIDUAL RISK: Low (IMPACT: Minor; LIKELIHOOD: Unlikely)
COMPENSATING CONTROLS:
APPROVERS (NAME / SIGNATURE): System Owner; Business Owner; Enterprise Risk
REQUEST DATE:
APPROVED DATE:
REVIEW DATE:

As can be seen from Figure 3, everyone in the organisation can provide input into the risk strategy, but the direction of the risk strategy ultimately belongs to the Risk Governance Board (RGB). Ownership of risk is assigned to different levels of the management team within the organisation, with very high risks being owned by the company board. This ensures that appropriate accountability is aligned with the appropriate level of risk. The risk register (Figure 2) documented an Executive Owner. That Executive Owner will be determined through this governance framework. For example, if the risk is associated with your billing system, and the risk has been determined as high, you would look to your CFO for sponsorship of the treatment strategy. Treatment of risk is also assigned to different levels of the management team within the organisation. The person that has been identified as being responsible for treating the risk – see Risk Treatment in Figure 3 – will implement the treatment strategy. They will ensure that the project which is to deliver the treatment strategy is resourced and managed appropriately.
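The three figures describe one pipeline: rate a risk from likelihood and impact (Figure 1), record it with its treatment (Figure 2), and route ownership and treatment to the right level (Figure 3). The program below carries that pipeline through in code as an added example; it is not the author's own tooling, and the four sample register entries are constructed. It goes one step beyond the text in two places: it reports risks that share identical treatment controls (benefit 1 in the register discussion) and lists mitigated or transferred risks whose residual rating has not dropped below the inherent one, which is what the review date exists to catch. Figure 3 assigns no owner for a Low rating, so those come back as None rather than a guess.

```python
"""Rating, ownership and treatment routing for a risk register.

Added example, not the author's tooling. The matrix, the register fields
and the WHO? assignments follow Figures 1 to 3; the sample risks are
constructed. Figure 3 has no row for Low, so owner/treatment are None there.
"""
from collections import defaultdict
from dataclasses import dataclass

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
IMPACT = ["Severe", "Major", "Moderate", "Minor", "Negligible"]

# Figure 1: rows are likelihood levels, columns follow IMPACT
MATRIX = {
    "Rare":           ["M", "M", "L", "L", "L"],
    "Unlikely":       ["H", "M", "M", "L", "L"],
    "Possible":       ["H", "H", "H", "M", "M"],
    "Likely":         ["VH", "H", "H", "M", "M"],
    "Almost Certain": ["VH", "VH", "H", "H", "H"],
}
SEVERITY = {"L": 0, "M": 1, "H": 2, "VH": 3}

# Figure 3: who owns and who treats a risk at each rating (no row for Low)
OWNERSHIP = {"M": "LM", "H": "EM", "VH": "BRD"}
TREATMENT = {"M": "LM", "H": "EM", "VH": "EM"}


def rate(likelihood: str, impact: str) -> str:
    """Figure 1 lookup; rejects levels that are not in the model."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown level: {likelihood!r}/{impact!r}")
    return MATRIX[likelihood][IMPACT.index(impact)]


@dataclass
class Risk:
    """The Figure 2 register fields needed for rating and routing."""
    rid: str
    catalyst: str
    category: str
    likelihood: str
    impact: str
    treatment_type: str          # accept / mitigate / transfer
    treatment_controls: str
    residual_likelihood: str
    residual_impact: str

    def inherent_rating(self) -> str:
        return rate(self.likelihood, self.impact)

    def residual_rating(self) -> str:
        return rate(self.residual_likelihood, self.residual_impact)

    def executive_owner_level(self):
        return OWNERSHIP.get(self.inherent_rating())

    def treatment_level(self):
        return TREATMENT.get(self.inherent_rating())


def shared_controls(risks):
    """Benefit 1 in the text: several risks resolved by the same treatment controls."""
    groups = defaultdict(list)
    for r in risks:
        groups[r.treatment_controls].append(r.rid)
    return {controls: rids for controls, rids in groups.items() if len(rids) > 1}


def unreduced_mitigations(risks):
    """Mitigated or transferred risks whose residual rating is not below the
    inherent one: items for the review date. Accepted risks keep their rating
    by design and are not flagged."""
    return [r.rid for r in risks
            if r.treatment_type != "accept"
            and SEVERITY[r.residual_rating()] >= SEVERITY[r.inherent_rating()]]


# Constructed sample register; R-1 uses the same levels as the Figure 4 example
SAMPLE_RISKS = [
    Risk("R-1", "billing system outage", "IT operations", "Likely", "Severe",
         "mitigate", "active-active data centres", "Unlikely", "Minor"),
    Risk("R-2", "loss of customer records", "Finance", "Possible", "Major",
         "mitigate", "active-active data centres", "Rare", "Moderate"),
    Risk("R-3", "vendor contract lapse", "Procurement", "Unlikely", "Moderate",
         "accept", "annual contract review", "Unlikely", "Moderate"),
    Risk("R-4", "laptop left unattended", "Corporate", "Possible", "Moderate",
         "mitigate", "disk encryption rollout", "Possible", "Moderate"),
]


def register_report(risks=SAMPLE_RISKS):
    """One row per risk (rid, inherent, owner level, treatment level, residual)
    plus the two register-wide findings."""
    return {
        "rows": [(r.rid, r.inherent_rating(), r.executive_owner_level(),
                  r.treatment_level(), r.residual_rating()) for r in risks],
        "shared_controls": shared_controls(risks),
        "unreduced_mitigations": unreduced_mitigations(risks),
    }


if __name__ == "__main__":
    for row in register_report()["rows"]:
        print(row)
```

Running it on the sample register puts R-1 (Likely, Severe) at Very High with the company board as owner and executive management treating it, exactly the split the text describes for very high risks, while the two risks sharing "active-active data centres" surface as one treatment that retires two register entries.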



The designations that are contained within Figure 3 are by no means arbitrary. The requirements need to be presented to the most senior leadership team through the Chief Risk Officer (CRO), and they all need to come to an agreement on how ownership and accountability are to be distributed. Senior management sets the overall tone for the programme and is also the key to the success of the programme (Atkinson and di Florio, 2009). This task is not a simple one; it may take a number of sessions for the leadership team to agree on both the content and the outcome of the governance process. Once you have your most senior leaders agreeing on the way that risks are managed, you have a greater chance of successfully implementing a risk management programme. It is recommended that you assess this framework at least annually, or whenever there is a significant change to the business. The end goal for a successful risk strategy is to ensure that risks associated with the corporate strategy are mitigated to an acceptable level (Director, 2009). This review is conducted to ensure that the risk strategy evolves with the business strategy and is in a position to deal with any new changes, or uncertainty, which may arise.

AN EFFECTIVE WAY TO MANAGE RISK IS TO MANAGE THE DECISION-MAKING FRAMEWORK THAT SUPPORTS THE ACCOUNTABILITY AND TREATMENT OF RISKS IN A CONSISTENT MANNER ACROSS THE ENTERPRISE.

Compliance management

Compliance management can come in many different shapes and sizes. You can have external forces, such as Sarbanes-Oxley (SOX) or the Payment Card Industry Data Security Standard (PCI-DSS), or you can have internal forces, such as security and corporate debt compliance policies. For the purpose of this paper, I will deal with compliance to internal policy and suggest that all external compliance obligations should be captured as part of an internal policy framework and managed in accordance with your ERM processes and policies. Compliance to all standards at all times can be time consuming and extremely costly. As compliance is an ongoing, continuous process, it needs to be managed through a risk based approach (Muller and Supatgiat, 2007) whereby exemptions to compliance, or articles of non-compliance, are assessed through a risk based approach and managed in line with all other risks associated with the enterprise. Figure 4 provides an example of what can be used as a policy exemption form.

As can be seen in this form (Figure 4), an inherent and a residual risk assessment is aligned with the enterprise risk assessment processes and includes a likelihood and impact assessment. This means that the business owner and the system owner, who need to sign off on this exemption, have already been determined through the governance framework. This risk is now to be tracked and actioned through the risk register (Figure 2) and reviewed at the time that has been indicated in the form (Figure 4).


By managing non-compliance activity through the ERM framework, all instances of non-compliance, enterprise wide, are assessed and actioned in a consistent manner. The risk treatment strategies to non-compliance items can be viewed centrally, which helps to identify cashflows that can be used in capital investment analysis and to identify opportunities to improve asset utilisation through greater leverage.

Summary

ERM requires senior leadership backing and appropriate diligence in managing the tasks and communication associated with it. It therefore can cover the many different organisational objectives that can be negatively impacted through the introduction of risks. This article suggests that an effective way to manage risk is to manage the decision-making framework that supports the accountability and treatment of risks in a manner that is consistent across the enterprise. The decision-making framework should then be the cornerstone of the ERM, where communication and activity is directed and streamlined through more efficient communication protocols and outcomes that are owned by the appropriate level of leadership. Risk management is strategic in nature and is much more than just a compliance exercise (Shimpi, 2010). In this paper, I have argued that compliance to policy is paramount and all internal and external factors should be contained within organisational policies and managed through a risk based approach. This is the basis of the GRC Relationship.

—Dane Warren is the CISO of Virgin Mobile, Australia. Dane is a business-savvy Senior Security and Risk Leader with broad cross-industry experience. He has a proven track record in managing large network and security environments as well as implementing complex, multimillion dollar, international programmes of work across Asia-Pacific & Japan.


NADEEM QURAISHI | OPINION

SECURING THE CAR KEYS

IN MANUFACTURING, and more so in the automobile industry, the final product is very much the sum of its parts! In order to ensure proper integration of the automobile's parts, organisations need to share designs and work in a coordinated way with their co-sourcing partners, because if there is even one part in the entire product which does not integrate with the rest of the assembly, the whole project could be a disaster. There is also a high possibility that the same co-sourcing partner may be a supplier to a number of other organisations, some of which may be your competitors. In such cases, there is a possibility of your sensitive information being compromised! In order to ensure information security in such an environment, organisations need to ensure that the co-sourcing vendors are reliable and that they have the necessary information security policy and processes in place. This calls for a high level of awareness among the organisation's employees and among those of its co-sourcing partners. Information has to be available strictly on a “Need to Do, Need to Know” principle. You also need to deploy tools which ensure that employees and co-sourcing partners do not download sensitive information and that such information is available only on the organisation's shared, controlled resources. Implementing high levels of information security awareness at each of the plants is a challenge, as the education level among factory workers is often low. Besides, there is a huge workforce employed on contractual terms, and this results in high employee turnover. In the case of manufacturing organisations, there is a high risk of sensitive information being compromised more due to ignorance than on purpose. There is a high possibility that hackers will use social engineering skills to obtain sensitive data without the employee knowing the impact of the same. Some other points have to be kept in mind while framing an information security policy:

Physical and logical access control mechanisms in place. The controls can be automated controls, semi-automated controls, manual controls, compensating or mitigating controls.
Mapping the key requirements of the information security policies into a procedure document and deploying it through standardised forms.
Having a complete inventory of all information assets within the organisation and designating an owner for each information asset. The information can be in soft copy or hard copy.
Classifying the information assets based on sensitivity and ensuring protection based on the sensitivity level.
Ensuring the maker-checker concept is in place.
Documenting the process across the length and breadth of the organisation.

“There is a high risk of sensitive information being compromised more due to ignorance than on purpose.” —NADEEM QURAISHI, Assistant General Manager (Information Tech.), Tata Motors



INTERVIEW | THERESA PAYTON

A SLIPPERY SLOPE

Citizens are demanding that governments give up sneaking on personal data. Citizens want governments to give them better protection from terrorists. That's a tough task for the law authorities, and citizens must learn to cede something, argues FORMER CIO OF WHITE HOUSE, THERESA PAYTON, in an interview with Guest Editor ANTHONY M. FREED

What do you see as the single greatest risk to information security in 2010?

I am greatly concerned about the security of the infrastructure. Many people do not realize that the majority of a nation’s critical IT infrastructure is controlled by the private sector – which means everyone plays a role but nobody is really in charge. However, if you ask me to name the single greatest risk I would say it is each individual. We will keep our citizens, our nation, and our companies safe, one person at a time. We are the best weapon in the arsenal to defend against what is coming our way. Technology is sometimes the easy part of security: you can patch and harden your defences and tweak your appliances and alerts to give you better defences. Training the human factor is so much harder to do.

SO THE BIGGEST THREAT TO SECURITY IS THE INSIDER THREAT?

This conversation about the insider threat is on the non-sexy side of security, but it is the cause of some of the greatest chinks in the armour. The “insider threat” is often like carbon monoxide poisoning – silent and hard to detect. I break the threat down into three character profiles: First up – Intentional: Robert Hanssen was a former U.S. FBI agent who turned over information to Russian intelligence services for cash and diamonds. It is also suspected he did it because he wanted to prove something to himself and others. This employee-type knowingly wants to cause harm either because they want to make a buck or because they feel it is their version of payback time. Second is Unintentional Public Disclosure: Eve from the movie Wall-E is on a mission and she wears that mission on her chest. She’s after plant life and does not care who she broadcasts that mission to. She cannot keep a secret and she is overjoyed and beams when she finds plant life. The generation joining the workforce now and for the next 10-15 years is a lot like Eve. When they experience emotions, they will wear them openly via cyber space. That openness may also include blogging, tweeting, and Facebooking posts about the latest project they are working on. Third is when “Mr. Incredible” Breaks Your Defences: I tell organisations that their biggest threat may actually be their “Mr. Incredible” employees. These are the people that will do whatever it takes to work for you: days, nights, weekends, and holidays. They are the fearless defenders of creating the latest report or implementing the last technology for your company. If that means downloading tons of information to a portable device so they can work on their vacation, so be it. It could also mean throwing the laptop in the car on the way to pick up their kids with a stop at the grocery store and leaving the laptop unattended…whoops! They do not mean to put the company at risk, but their drive to get the job done exposes company data. No matter what we do, it seems that unintentional public disclosure will be tough to plug. As an example, recently, an overly exuberant Microsoft employee was caught talking about the virtues of Windows 8. His posts have since been removed, but before they were, we did manage to learn that the next version will be “unlike anything users expect of the operating system,” and that they are moving to 128-bit a tough blow for their competitors, and for bad guys that want to be ready to hack the new version the moment it arrives.

HOW IS THE ROLE OF GOVERNMENT CHANGING WITH THE INCREASED SECURITY DEMANDS OF THE CYBER AGE?

The role of government and the private sector needs to evolve to collectively ensure security. I can illustrate it best by using a quote from James Lewis, who is the senior fellow at the Center for Strategic and International Studies: "We do not expect airlines to defend our airspace against enemy fighter planes, and we should not expect private companies to defend cyberspace against foreign governments." In the pre-cyber age, this was a little easier to define – protect land, stand up to those that wish to do, and defend and protect the constitution and the citizens of our country. In the cyber age, this is much harder to define; a lot of questions regarding the role of the government are still unanswered. For instance, what constitutes a national border in the cyber age? If a criminal or another nation steals intellectual property from a company, is this crime to be handled by local law enforcement, or should the government get involved? How do we develop a system of collective security across individuals, companies, and government organisations without giving up individuality, competitive data, and our freedoms? The only way we can protect our citizens and our nation’s interests in the cyber age is through collective security. This has to be a collective effort across government, private sector, and each individual.

DO YOU SUGGEST GOVERNMENTS SHOULD TAKE THE LEAD IN CYBER SECURITY?

I believe the governments should pursue a framework that allows for vigorous debate and discussion regarding what cyber age freedoms citizens are willing to give up in the interests of staying safe. A neighbour said to me he did not like the idea of the government scanning social network posts or emails for “key words”. I asked him whether it would be okay if the government saw key words that averted a terrorist attempt to kill people where his kids were working and going to college; he replied, “Yes, of course!”. This is the cyber age conundrum. We need to see that the private sector makes a way to remove the obstacles so they can work with the government. Their economic livelihood depends upon it. Unfortunately, the private sector may not see the “value” in working with government until the worst happens. Case in point, Google is working with the NSA (National Securities Agency) after accounts and intellectual properties were compromised. This illustrates that it is possible for private sector companies to work with the government for the greater good of a nation.

DO YOU FEEL THE SOLUTIONS TO INFORMATION SECURITY PROBLEMS

CTO FORUM thectoforum.com

21 MARCH 2010

49


WILL BE DERIVED FROM REGULATORY AND COMPLIANCE EFFORTS, OR DO YOU FAVOUR INCENTIVISING FREE MARKET SOLUTIONS?

This is a great question. I prefer and favour free market solutions. It can drive incredible innovations. I believe there are several factors that drive solutions to security problems and the buying decisions. I see a variety of drivers that push an organisation to make investments:

Fear of the bear: This is that drive to secure your organisation so the event that happened someplace else does not hit you. Many executives believe they don’t have to outrun the bear, but that they just have to outrun someone else. I disagree with this philosophy: if we all banded together, we would not have to sacrifice the slowest among us to the bear.

Reactive: All too often, this creates the teachable moment, the aftermath that crashes upon an executive following an event. It is amazing how organisations seem to find the money and the priority to make investments once they are breached.

Innovative: Leaders who see security as a differentiator find new and creative ways to protect their organisation and their customers.

When word of a new regulation or compliance requirement comes out, organisations make the time to incorporate changes. There can be a dangerous sense, among executives and individuals, that all is well just because an organisation is in compliance. Compliance does not translate into 100% fail-proof security.

MILITARY RETALIATION TO COORDINATED CYBER ATTACKS, UP TO AND INCLUDING NUCLEAR OPTIONS, ARE ALL ON THE TABLE – HOW LIKELY IS A CYBER EVENT TO TRIGGER MILITARY ACTION ON ANY SCALE?

This is a real scenario. Estonia and Georgia are prime examples. Both had near simultaneous cyber attacks along with military movements. There are lessons to be learned, regardless of what you believe happened during those events. The Wall Street Journal pointed at the Russian Business Network as the potential cyber culprit. Cyber events can be the trigger for coordinated response with military action.

I believe that just as global nations came together to define the rules of engagement during war, about how prisoners are to be treated, the treaties to be negotiated, and so on, in the same way this framework too needs to be extended to cover cyber tactics. For example, it will be hard to determine if a country is spoofing an attack so that it looks like the attacks originated from a different country. It would be disastrous if a country retaliated against another country but had the wrong party.

DO YOU FEEL AN EFFICIENT CYBER DEFENCE STRATEGY MUST INCLUDE PROVISIONS FOR A VIGOROUS CYBER OFFENSIVE CAPABILITY?

A cyber offensive capability is critical. There have been several media announcements about military and intelligence agencies establishing cyber commands and capabilities. All are a step in the right direction.

EDUCATION, HEALTHCARE AND OTHER SECTORS ARE EXPERIENCING DRAMATIC INCREASES IN DATA SECURITY REQUIREMENTS AND THEIR ASSOCIATED COSTS, WHILE THE RECESSION HAS REDUCED REVENUES - WHAT STRATEGIES SHOULD BE APPLIED TO THE BATTLE BETWEEN BUDGET, COMPLIANCE, AND COMMON SENSE?

This is a great question because any CIO or CISO knows that 100% security is not achievable. They have the unenviable role of asking for investments for an event they hope never happens, asking for dollars after an event happens, and trying to explain the business value of the investment to their C-level executives. I tell CIOs and CISOs, use me as the bad guy and take in this quote, “No organisation has the time, resources, or budget to block every hole and anticipate what’s coming next. It is a risk vs. reward trade-off discussion.”

MANY EXPERTS HAVE CONCEDED THAT THERE WILL NEVER BE ABSOLUTE DATA LOSS PROTECTION - DO YOU SEE SECURITY EFFORTS SHIFTING FROM A PREVENTION FOCUS TO A DETECTION, ISOLATION, AND RESILIENCE STRATEGY?

The good news is that the industry has been making the shift to data loss prevention frameworks that provide the ability to monitor and protect data whenever it is stored and used. It can even track the data when it is downloaded off the main network. The tough part is the implementation. Many organisations have not outlined their data architecture to identify each asset they have responsibilities for. I recommend that organisations spend the time to map their data assets. Organisations also need to remember that if you make it too tough on your employees, then some of them, especially the “Mr. Incredible”, will find a workaround so they can get the job done. One organisation I know locked down the ability to download data to thumb drives. Some innovative employees print what they need to review and take it with them.

Theresa Payton is currently the Chief Advisor and CEO of Fortalice, LLC, a firm offering security, risk, and fraud consulting services to private and public sector organisations. From May 2006 until September 2008, Theresa worked for the Bush Administration as the White House Chief Information Officer (CIO). She was the first woman to hold this position.


SATISH DAS | OPINION

GETTING PHYSICAL

THE DEVELOPMENT of physical security can be traced back to the origin of humankind. One tends to think physical security is nothing more than deploying a few security guards, installing some cameras and erecting a barbed wire fence. What is worse, in most companies physical security is managed by administration or facility management, which makes it seem even less important. Then again, with the emergence of information security, physical security was pushed further down management’s priorities. But for experienced security campaigners, physical security comes first, because if physical security is not taken care of, all other security controls will fail. As a CSO, my biggest worry all the time is physical security and not so much information security.

Physical security controls are designed to manage the following types of risks:
- Risks to life and assets due to natural disasters, terrorist attacks, civil unrest, epidemics and similar threats;
- Risk of intrusions into campuses, buildings or work areas;
- Risk of damage, loss or misuse of assets;
- Risk of legal or regulatory non-compliance; and
- Governance risks for services provided by third parties and shared facilities owners.

There are around eight types of physical security controls to mitigate the above risks. These are controls to:
- Deter – visible physical security measures installed to induce individuals to seek other, less secure targets
- Detect – physical security measures installed to detect unauthorised intrusion
- Delay – physical security measures installed to delay an intruder’s access to a physical asset and provide time for incident assessment and response
- Assess – the process of evaluating the legitimacy of an alarm and the procedural steps required to respond
- Communicate – communication systems utilised to send and receive alarm/video signals and voice and data information. This also includes the documented process to communicate detected intrusions
- Respond – the immediate measures taken to assess, interrupt, and/or apprehend an intruder
- Intelligence – measures designed to collect, process, analyse, evaluate and interpret information on potential threats
- Audit – the review and inspection of physical security measures to evaluate effectiveness

The cost of setting up a good security system can be much more than what the business can afford in one financial year. It is important to prioritise the investment and work on a road map. Physical security works best when it is simple, not when we make it complicated; in fact, complicated systems increase the level of risk. Most tragedies happen because some of these processes are not configured properly or fail to function, having never been continuously tested, or because the systems and people have not gone through enough drills to ensure proper operation during such disasters.

“If physical security is not taken care of, ALL OTHER SECURITY CONTROLS WILL FAIL” —SATISH DAS, CSO and AVP-ERM, Cognizant



OPINION | VISHAL MORE

ARE THE USERS AWARE?

IN TODAY’S highly networked and globalised world, organisations have woken up to the fact that information security needs to be ingrained in the very organisational culture and psyche, not just in technology and business processes. Organisational excellence is becoming more and more dependent on a well informed, policy driven, process oriented and ethical workforce.

Information security has many formal definitions; however, some of them are not very appropriate. From an employee’s perspective, accepted definitions like ‘Confidentiality, Integrity and Availability’ are perhaps too clichéd and macro. Other accepted definitions, like ‘Information security is management’s appetite for risk’, appear narrow because they leave out the employee angle completely, though they hold well from a compliance and audit perspective. The definition I feel comes closest to conveying the direct meaning is: ‘Information security is as strong as its weakest link’. Though it may be an oversimplification of the situation, just accepting this definition changes the security paradigm completely and conveys the meaning and urgency: information-security-conscious organisations cannot have any weak links and need to do much more in managing the security of their information assets. Needless to say, the employees are the weakest link.

Top level executive participation is crucial for the successful sustenance of any information security program. A security risk-aware culture can only be created and maintained when line-of-business managers, who play a big role in revenue generation, take personal ownership of risks, including IT risks. Information security awareness initiatives need clear objectives, and the communication should be through easily noticeable mediums. Employees need to be encouraged to modify behaviour, given that employees tend to assess risk poorly and choose convenience over security. Awareness programs are not training. However, if formal training is required, then many questions need to be addressed, such as whom to train, how much to train, what to train, and what the training metrics are.

While conducting awareness programs, employees need to be especially sensitised about information security breaches through social engineering, which essentially falls outside the domain of technological controls. Some of the social engineering techniques and associated risks are: ignorance of controls leading to inadvertent exposure, deliberate attempts to subvert controls, and rank pulling. Securing the unstructured and tacit business-critical information held by employees is where the challenge lies. The perception of, and appetite for, information security varies between employees based on personal orientation and background. Even if the organisation employs the best technological controls, this lack of behavioural homogeneity is the cause of ad hoc security incidents, which adversely impact the organisation. This paradox is faced by all organisations.

“Information security has many formal definitions, however SOME OF THEM ARE NOT VERY APPROPRIATE” —VISHAL MORE, Head, Information Security, Raymonds


HIDE TIME | BOOK REVIEW

Bharat’s Broadening Behemoths

Author: Nirmalya Kumar

“Indian global activity tilted from manufacturing to services”

Brand India has made heads turn, but will the formula hold good in the years to come? TATA STEEL has entered a joint venture with Canada’s New Millennium Capital and LabMag for a direct shipment ore project in Canada. Essar Group is to buy Trinity Coal of the US for US$600 million. And Fortis Healthcare is looking to acquire Parkway of Singapore. There were 53 M&A deals done in January 2010 alone, amounting to a value of nearly $3 billion (monthly deal report of VCEdge). Into this heated environment comes the book India’s Global Powerhouses: how they are taking on the world, by Nirmalya Kumar, together with co-authors Pradipta Mohapatra and Suj Chandrasekhar. Nirmalya Kumar is professor of marketing at the London Business School and co-director of their Aditya Birla India Centre. Pradipta Mohapatra is the co-founder and chairman of Executive & Business Coaching Foundation India and sits on the board of several multinational companies. Suj Chandrasekhar is president of Strategic Insights, a business strategy firm based in Washington,


D.C. and a frequent speaker on marketing and globalisation. Four happenings have driven India’s recent acquisition movement: the success of the IT sector and of Lakshmi Mittal opened Indian businesses to global opportunities; the success of outsourcing tilted Indian global activity from manufacturing to services; noting the success of the IT sector in the West, India began to focus its foreign investment on North America and Europe; and, not having the strong brands, product lines and distribution networks to succeed in the developed world, Indian firms decided to acquire those resources. Indian firms have three traits that make these foreign acquisitions a success: many are part of a group of companies and can therefore leverage the group’s assets; they are prepared to accept high debt-equity ratios; and they are controlled by powerful individuals who can take quick decisions. To this must be added the personal trait of Indians to work well in both the dichotomous cultural and linguistic milieu of


ABOUT THE REVIEWER

Ranjani Iyer Mohanty is a writer and business/academic editor, based in Delhi. She has also contributed to the International Herald Tribune, the New York Times, the Wall Street Journal and the Mint. Details are available on LinkedIn: http://in.linkedin.com/pub/ranjaniiyer-mohanty/a/51a/48b

India and the West. The authors spend most of the book detailing the rise of some of the biggest Indian global players, including ArcelorMittal, Infosys, Hindalco, Suzlon, and the Tata Group. They round up with a general discussion of the current roles of Indian firms in the global marketplace as not just acquirers, but also as customers, competitors and collaborators. The book’s aim is primarily to educate the uninitiated foreign businessman on the key Indian global players. However, the Indian businessman will find most parts quite interesting. In the conclusion the authors talk about the challenges that Indian multinationals face. In addition to the well-known problems of bureaucracy and infrastructure, they discuss the intriguing challenge of reforming and expanding Brand India. They also warn against unfettered acquisition simply to stoke national pride and counsel the need to cultivate the creative functions of the business, keeping in mind a sound long-term business perspective.


HIDE TIME | CIO PROFILE

ARVIND G. TAWDE Sr. VP & CIO, M&M

WHATEVER one does should add value – that's the success mantra for Arvind G. Tawde, Sr. VP and CIO at Mahindra and Mahindra (M&M). Tawde, who comes from a typical middle class Maharashtrian family, was born in the state's Ratnagiri district and did his schooling in Mumbai. He is a reserved and kind-hearted person who does not like to talk much about himself. He is the eldest of his six siblings – four sisters and a brother. His father is his source of inspiration. “My father was the source of inspiration and encouragement. He worked hard so that we got a good education from reputed educational institutes. He always went the extra mile so that we got all facilities,” says Tawde.

He completed his engineering at VJTI, Matunga, Mumbai and then went on to do a Diploma in Industrial Management (DIM) from Mumbai University and a Masters in Administration Management (MAM) from Jamnalal Bajaj Institute. Learning new things has always excited him. “There are so many new things happening in IT and in the management fields,” he says. During his years with Mahindras, he got an opportunity to complete an executive development course from IIM - Ahmedabad. During his career, which has spanned over four decades, he has worked on the shop floor and in design engineering, production planning, materials planning, procurement, management audit and corporate affairs. He has been in the Corporate IT division for the past nine years. “I am proud of the fact that today Corporate IT at M&M is one of the best Corporate IT departments in the industry - recognised by many institutes in India and abroad. I feel that is my most important achievement,” asserts Tawde.

Tawde’s family consists of his mother, wife and two daughters. His elder daughter, Tejashree, is married and after her MBA works as an HR executive in a reputed IT organisation. His younger daughter, Mugdha, completed her diploma in Marketing Management, and then went on to do Early Childhood Care and Education and the Cambridge International Diploma for Teachers & Trainers. She loves children and is presently teaching and taking care of kids in a pre-school. “My wife Anagha is a home maker who has been a source of strength and perseverance. My mother is 80 years old and since our childhood she has always provided support and taken good care of all of us,” says Tawde. —By Vinita Gupta

A Music Lover

FOND OF CLASSICAL MUSIC: Tawde’s father had a multifaceted personality. Besides working in a textile mill, he was a classical singer, actor and dedicated devotee. “I too was interested in learning classical music but did not have much time as I had to focus on my studies, but in future I want to study it,” reveals Tawde. He loves to listen to old songs, ghazals and Marathi songs. Some of his favourite singers include Talat Mahmood, Ghulam Ali, Lata and Asha.

PLAYS HARMONIUM: Tawde’s father taught him to play it, though he does not get time to play it often now. In his youth, he would even participate in Marathi plays. “I love to watch Marathi plays and movies. I am also fond of old movies and a big fan of Dilip Kumar. The day I get a chance to meet him, it would be one of the greatest moments of my life,” says Tawde.

PASSION FOR READING: Right from his adolescence, Tawde was fond of reading. Earlier he used to read novels, but now he is more interested in books on management. “For the last 40 years I have been a member of the British Library and I used to borrow books, but now I buy books and have a good collection of them.”

Snap Shot

Consider his team as a family: He feels he is lucky to have a good team with whom he has gone through various educational and training programmes. He is very generous to his team but admits that at times he does get angry with them. At such times, they understand him, he says. He has given them the right to tell him if he is wrong as he is very open to any criticism and wants to learn from them too. The team members have their own IT connect programme which helps to bring all the IT people together once a year. The group has also formed football and cricket teams and likes to celebrate the birthdays of each and every team member.

Plans after retirement: Soon Tawde is going to retire. He has not given much thought to what he would be doing in his retirement, but he will make sure that he keeps himself active by doing some work that requires his expertise. He also wants to try and spend more time with his family, which he was unable to do earlier.

PHOTOS BY JITEN GHANDHI


CTOF CUSTOM SERIES

CASE MANAGEMENT AUTOMATION

The Case for Automating Case Management Workflows

Case management allows organisations to automate routine tasks and aggregate multiple sources of information in a collaborative work environment for rapid decision-making, while improving their agility and efficiency.

In today’s challenging economy, organisations must be more agile and work smarter in order to create value for their customers quickly. A recent survey of 350 executives conducted by The Economist magazine found that over the next three years the number one business challenge for over half of the respondents was reducing operational costs. (Organisational Agility: How business can survive and thrive in turbulent times. The Economist Intelligence Unit. March 2009. www.bit.ly/orgagility) The study also revealed that


nearly 90 percent of executives believe that organisational agility is critical to business success. These executives identified three critical traits of an agile business: rapid decision making and execution, a high-performance culture and the ability to access the right information at the right time.

Achieving agility through case management

Organisations have been mandated to operate with fewer resources, yet are still expected to deliver superior services while increasing efficiency and productivity. As a result, they can no longer tolerate the inefficiencies of limited information access and manual, time-consuming processes. Organisations need to transform their critical business processes and leverage multiple sources of information to adopt a better way of working. To make this transformation a reality, leading organisations have turned to case management solutions to reduce operational costs and organisational risk, acquire and retain customers, improve decision making, and process work faster and more effectively.

Working smarter with case management

Many of today’s organisations process cases manually, making cases difficult to manage, track and control. Case files can be lost, misplaced or mishandled, resulting in failure to meet operational and service performance goals and/or regulatory mandates. In addition, maintaining physical case folders increases the time and cost associated with processing each case. For many reasons, traditional, paper-based methods for case processing are no longer viable. First, the amount of information produced for each case and the variety of formats in which this information is submitted make manual processing inefficient and prone to risk. This accumulated data also makes searching case-relevant information difficult. Second, today’s global and mobile workforce cannot collaborate or consult efficiently through paper-based methods, which require the physical transfer of case files from location to location for review. Finally, governance and regulatory compliance requirements


necessitate the retention of full documentation for each case, including how and why decisions were reached, discussion threads, policies reviewed and opinions rendered.

Moving to a virtual case environment

Without greater control of case information, organisations cannot improve their agility and efficiency. Improving case management through case processing requires integrating people, processes, and information; automating structured processes; and expediting the unstructured case processes – all while fostering more collaboration among case workers. For example, capturing case information electronically allows organisations to eliminate manual data entry, misplaced information and related data entry errors. This action can then initiate the creation of a virtual case folder that aggregates all digital information relevant to the case (e-mails, faxes, forms information, images, audio and video files, photographs, policies, discussion threads, and collaborations). It is this virtual case file that becomes the focal point for each case. With a secure virtual case folder – the cornerstone of case processing – workers can easily collaborate with other business users, independent of their geographic location. The folder view includes tasks, rules and policies, events, history, reporting, documents, people and even other processes, providing the necessary context to make the most accurate decisions quickly. By moving to a virtual case environment, organisations readily gain access to case information that is up-to-date, tracked and visible across the organisation. Workers have a holistic view of their work from beginning to end as well as a sense of ownership. With all information and its context aggregated into a single folder, workers can consult internal and external resources, and review and make better decisions to resolve the case. A virtual case folder also enables tasks that would require sequential processing to be done in parallel, speeding case resolution.

How it works

Case processing involves process and content management; intelligent capture; monitoring and reporting; collaboration; personalised customer communications; and compliance and archiving. Data and documents are transformed into digital assets and managed in a virtual case folder for the entire case lifecycle. Adopting a case processing strategy that involves the complete case lifecycle – from incoming information capture to communication of the final resolution or status to customers or

stakeholders – is crucial to success. Some organisations fail to meet their case processing goals because they focus on only one element of the equation. To manage the flow of activities within a case, managers should be able to easily track processes toward milestones, productivity goals and service level agreements. Case processing also automates simple and repetitive tasks to enable workers to focus on more complex work. It allows organisations to:
- Decrease processing time by eliminating the need to locate and physically transport information stored in various areas and locations.
- Monitor and control case processing through real time reports and dashboards.
- Give workers the ability to interact and participate in real-time discussions.
- Provide security and information rights management for the contents of the virtual case folder.
- Apply retention policies and records management to meet government mandates and regulatory guidelines.

More cases can be resolved faster by using automated and streamlined business processes, and by incorporating business policies and business models. By ensuring more efficient access to information, case processing provides improved worker productivity, increased work visibility, enhanced service delivery, controlled compliance, and enforced retention policies.

CASE-BASED BUSINESS PROCESSES ACROSS VARIOUS INDUSTRIES
Public Sector: Grants Management; Tax Processing; Unemployment Benefits; Welfare Services
Financial Services: Loan Operations; New Account Opening; Wealth Management; Dispute Resolution
Insurance: Claims Processing; Underwriting; New Account Opening; Policy Management
Healthcare: Virtual Patient Records; Claims Processing; Patient Enrolling; Revenue Cycle Management
Back-Office: Accounts Payable Automation; Contracts Lifecycle Management; Employee On-Boarding; Employee Performance Review

Excerpted from Case Management: A Blueprint for Success. How case management can create business agility and efficiency. © 2009 EMC Corporation. The expanded white paper is available for download at www.emcindia.co.in/ctoforum

Edited by Falguni Sarkar, Head of Marketing for Content Management and Archiving Products for South Asia at EMC Corporation. He can be contacted at Sarkar_Falguni@emc.com



EVENT REPORT

SYBASE ROUNDTABLE

Event

Decision-making Using BI

CIOs deliberate on the importance of using Business Intelligence

The CTO Forum-Sybase ‘Enterprise Analytics Roundtable’ engaged and informed more than 50 CIOs on the application of business intelligence solutions. It is often said that when the going gets tough, the tough get going. This is even truer for enterprise IT managers who face the double-edged sword of cutting costs even while strategising for growth. However, there is one solution that lets them do both—Business Intelligence (BI) and Business Analytics (BA). By implementing BI solutions, CIOs can not only help improve enterprise productivity, but also aid and abet growth by delivering insights to the sales and marketing function. These and other such issues were discussed, debated and deliberated at the ‘Enterprise Analytics Roundtable’ for CIOs. The event was jointly organised by CTO Forum and Sybase, and drew over 50 CIOs from four cities—Delhi, Bangalore, Chennai, and Mumbai. As a run-up to the roundtable, CTO Forum had conducted a nation-wide survey to understand the usage of technology and issues related to BI and BA. The findings were shared at the roundtable.

Photo captions:
Cloud Computing is the latest buzzword in enterprise technology. Panelists in Mumbai discussing the pros and cons of the technology.
Delegates in New Delhi were very curious to know more about business intelligence and analytics
Participants in the Bangalore roundtable make their point
Participants in Mumbai had a very interesting discussion



Study results

The survey revealed that the rapid increase of data volume and data sources among enterprises had added to the demand for ad hoc queries and reporting. The survey also found that while companies were mainly using analytics to monitor and manage their business, access to intelligence was limited to a few—top level management, and departments like finance, accounting, marketing and sales. “Just in time information and the ability to take decisions instantly is what business users desire. In challenging times, where changes are happening at the speed of light, new products are coming and the markets are changing, you need to have the ability to crunch data very fast and you need to be able to look at different dimensions that are getting created due to business opportunities,” says Sumesh Mahendra, Vice President, Business Intelligence, IFFCO-TOKIO. The interactive roundtable was designed to provide insight on how BI solutions can be leveraged within the enterprise, and also provided tips that could help CIOs in the implementation process.

Sybase team interacts before the start of the event in New Delhi

Atul Batra, Director, Arjan Auto during the session in New Delhi

Mannikam Subramaniam, CIO, Henkel making a point during the roundtable session in Mumbai

Mixed Opinion

“Analytics is a key area that every business, especially in the financial and banking sector, is looking at seriously. It is important from both business and risk perspectives. With regard to ING Vysya Bank, we look at Business Analytics as an important tool to retain customers, service them well and keep a tight check on anti-money laundering practices,” said Dharmaraj Ramakrishnan, Head, Core Banking Unit at ING Vysya Bank. Talking about the need for smarter analytics, Chase Hacker, Senior Technical Evangelist (Asia Pacific) at Sybase, said, “On account of the growing competition, organisations need faster, more accurate answers delivered to all their decision-makers from all their information sources.” He added that businesses not only lose market share and competitive advantage, they also lose opportunity because decision-makers don’t always get the right answers, and very often the answers are drawn from incomplete information. But there were counter views too. V Subramanian, CISO, IDBI Bank, thinks, “Business Intelligence and Analytics is certainly overhyped. We are ourselves taking time to get convinced on the return on investment. Also, there is a lack of ‘Proof of Concept’ which can tell us about the tangible benefits of adopting BI solutions. A transparent analysis of pros and cons will help in taking a decision.”

V Subramanian, CISO of IDBI Bank making his point during the discussion in Mumbai



VIEWPOINT STEVE DUPLESSIE | steve.duplessie@esg-global.com

Why the Cloud Will Vaporise

Use the cloud. But don't hang on to it for ever.

THE “CLOUD” market is not a market – it’s a construct. The SSP (storage service provider) market 10 years ago wasn’t a market either – it was a bad idea. Both had absurd levels of “buzz” which led to absurd levels of VC money being poured in. Both will end the same way – with disillusionment.

The reason the SSP market never was is fairly simple to understand – the premise was fundamentally flawed. The SSP wanted to solve a problem that didn’t really exist. Companies were not interested in pushing their critical data assets out the door to be handled by a third party – unless the cost advantage was so stunningly compelling as to merit doing so. Well, it turns out it wasn’t cheaper – if anything it was more expensive. Multi-tenancy was neither real nor trusted, and as such there was almost zero economic benefit delivered – which destroyed any hope of this market ever becoming legitimate. There were dozens of SSPs, but not one had a legitimate business model, because there wasn’t a legitimate market opportunity. They all died.

There are a zillion wanna-be providers of “capacity” services. VCs are pouring money into anything that says Cloud. They will die. You can’t build a sustainable business selling capacity unless you have a distinct advantage – like you build disk drives, or you have a model so vastly superior to everyone else’s that you dictate the terms (Amazon, for example). It’s going to be hard for even an outrageously well funded start-up to beat EMC, or IBM, or AT&T or Seagate at this game. Someone will fail soon. Then it will be a snowball effect. VCs will swing to the other end of the pendulum and run and hide from all things Cloud. Companies that have branded themselves Cloud will panic and try to remove the stigma. Valuations will plummet. It is inevitable that this happens again.

My advice to those who want to survive the coming collapse is to quickly find a legitimate, valuable service to offer the market – something it actually needs. It’s fine to use “Cloud” as an enabling component of that service – economically or technically – but if you believe that simply being “cloud” is going to provide you sustained value, you are screwed. You need to change your messaging, and change it quickly. Plus, I hate to tell you this, but it wasn’t working anyway. People don’t buy “clouds”, just as they don’t buy “ILM.” They are constructs. They use the constructs, but they don’t buy them as a “product.” Companies that provide the arms and means to leverage the cloud will do fine. 99% of companies that are the cloud will not. You got a great A round valuation by being cloud yesterday, but your B round will be a death march if you are still clinging to that moniker in six months. Use the cloud – don’t be the cloud. Use the cloud to deliver the high value services that everyone needs and you’ll do fine. Sell “cloud” capacity and you’ll be gone within a year.

ABOUT THE AUTHOR: Steve Duplessie is the founder of and Senior Analyst at the Enterprise Strategy Group. Recognised worldwide as the leading independent authority on enterprise storage, Steve has also consistently been ranked as one of the most influential IT analysts. You can track Steve’s blog at http://www.thebiggertruth.com

