Emerging Concerns in IT Governance July 11, 2007 MacDonnell Ulsch | Jefferson Wells Managing Risk In a Hostile World

Post on 18-Dec-2015


Emerging Concerns in IT Governance

July 11, 2007

MacDonnell Ulsch | Jefferson Wells

Managing Risk In a Hostile World

Speaker Biography: MacDonnell Ulsch

• Director of Technology Risk Management in Boston and the firm’s chief privacy specialist.
• Distinguished Fellow of the Ponemon Institute.
• Served on the U.S. Secrecy Commission under U.S. Senators Helms and Moynihan.
• Advised counterintelligence staff of a Presidential Administration.
• Worked with U.S. Senator Sam Nunn on information security policy.
• Met with King Hussein of Jordan on Middle Eastern security and political policy.
• Advised “DaVinci Code” author Dan Brown on the novel “Digital Fortress,” on U.S. national security.
• Interviewed Judge Leon Jaworski of the Warren Commission on the assassination of President Kennedy.
• On the Board of the National Security Institute, worked there 13 years, with U.S. intelligence agencies.
• Founded information security research program at Dataquest/Dun & Bradstreet and was Chief Analyst at D&B.
• Former Director of Global Risk at PricewaterhouseCoopers, LLP.
• Former Sr. Director of Regulatory Compliance at Gartner, Inc.
• Former Lecturer at Boston University.
• Currently writing, “Threat! Managing Risk in a Hostile World,” to be published by the IIA Research Foundation.

What’s On Your Horizon?

• Sabotage
• Emerging State Statutes
• Emerging Federal legislation
• International legislation
• Asymmetric Threats
• Technology Proliferation
• Integrated Security
• Financial Loss
• Reputation Loss
• Valuation Loss
• U.N. Public Policy
• Executive Responsibility for Data Crimes
• Security Officer Responsibility for Data Crimes
• Money Laundering
• Lack of Awareness
• Civil Liability
• Criminal Liability
• Economic Espionage
• Trade Secret Theft
• Low-Intensity Regional Conflict
• High-Intensity Global Conflict
• Privacy Strategy Confusion and Inconsistency

ENTERPRISE TRUST

[Diagram]

CAUSAL THREAT AND RISK FACTORS: 28 Emerging Threats, 23 Existing Vulnerabilities, 28 Enabling Conditions

EIGHT SPHERES OF TRUST (diagram labels): Physical Security, Administrative Security, HR, Operations Security, Classification Management, Process Linkage, Internal + External Monitoring, Conveyance, IT Security, Enterprise Assets

FOUNDATION

• LEGAL: Civil ◦ Criminal
• AUDIT: U.S. ◦ Country-Level
• REGULATORY: U.S. Federal ◦ U.S. State ◦ Country-Level ◦ International
• LAW ENFORCEMENT: U.S. Federal ◦ U.S. State ◦ U.S. Local ◦ Country-Level ◦ International
• STANDARDS: U.S. ◦ Country-Level ◦ International
• INTELLIGENCE: U.S. ◦ Country-Level ◦ International

Case Histories: Economic Espionage And Trade Secret Theft

A Matter of Coincidence?

United States Russian

Question: Did each government arrive independently at each design at the same time?

DuPont and Chemist Gary Min

• Former Chinese national.
• Former DuPont chemist stole secrets worth $400MM.
• Recently pleaded guilty to corporate espionage.
• In the crosshairs: KEVLAR, TEFLON, NOMEX, LUCITE and other products protected under trade secret.
• May have intended to sell secrets to government of China or to Chinese companies.
• An employee for 10 years.
• Had developed significant products. He had access to a high-security electronic database at DuPont.
• This enabled him, but it was also his downfall.

Tripping the Wire

• His biggest mistake was elevating his profile to security:
  – Over a short period of time he downloaded 22,000 abstracts and documents from the secure DuPont database.
  – 15-20 hours at a time.
  – This level of activity represented 15 times more use than the next highest user at DuPont.
  – Federal authorities were contacted at this time.

• Min leaves DuPont and goes to work for Victrex PLC. He transferred 180 documents to his Victrex computer.

• Min was in China when a DuPont investigator found documents at Min’s home and in an apartment he had rented. Other documents were found on his home PC.

The NYNEX Case

• Certain elements of this case were tried in federal court and were reported in the Wall Street Journal.

• Other aspects of this case have never been made public.

• I am making certain elements of the case public today.

• The case will be discussed more extensively in THREAT! Managing Risk in a Hostile World, to be published by the Institute of Internal Auditors Research Foundation.

• No individuals will be mentioned by name.

• Principal companies will be named.

• Several companies will not be named. Such disclosure would enable the identification of the individuals involved.

Industrial Espionage Case History II

[Diagram. Labels: Public Utility Commission; Basic Rate Setting; NYNEX; Subsidiary (three); Textiles; Two Sets of Books; Loss Through Fraud; Illegal PUC Influence; Co. X; IBM; DEC; Client (two); Rogue; Collect; Report; Others; Report; $; Ulsch Enters; Calls USDOJ/Immunity; USDOJ Briefs USGAO; Ulsch Briefs USGAO; Conspiracy]

Aftermath

• NYNEX exited the information products and services business at a loss estimated to be in the hundreds of millions of dollars.

• NYNEX discharged senior executives over the incidents.

• A number of Co. X executives were terminated.
  – A senior executive was restricted from serving on any public board for several years.
  – His employment was terminated.
  – He was fined but avoided imprisonment.
  – He was recently honored for his industry contributions.
  – He is currently the CEO of a privately held, successful company.

Aftermath …

• The rogue consultant was granted full federal and state immunity from prosecution:
  – He was not fined and faced no prison term.
  – He runs a very successful research and consulting firm.
  – He is financially secure.

• Another senior executive formed a company afterwards and then sold it, making about $100MM.
  – He was never charged in the case.

The Emergence of Social Networks

The Rise of Social Networks

Drugs Pornography Terrorists

Unregulated. Unrestricted. Unreliable. Unknown.

Organized Crime?

Blogging: A Growing Risk

• Rapid growth: 34.5MM to over 100MM blogs worldwide.
• Rapid growth: blog audience: 20 percent the size of total newspaper reading audience.
• 9 percent of computer users have created blogs.
• Blogging from laptops and Internet-enabled PDAs.
• In an organization of 100,000 employees:
  – 25 percent blog or 25,000.
  – Blogging an average of twice per week is 50,000 messages a week or 2.4MM annually.
  – Many blog from work.
  – Others blog from mobile platforms.

• Organized crime is believed to be behind or influence a number of gambling and pornography blogs.

Here’s the Problem With Blogs

[Diagram: numbered steps around a central element labeled “Blog Databases With Billions of Messages”]

1. Employees Use Work Email Accounts
2. Blog Databases Archive Messages
3. 34.5 – 100MM Blogs and Databases
4. Databases Scanned by Organized Crime, Hostile faction
5. Millions of Messages Analyzed Using Sophisticated Data Mining Software
6. A Rich Source of Information for Trade Secrets When Analyzed
7. Identity Thieves, Internet Scams, Spammers Acquire Data
8. Many Offices Have No Blog Restriction Policies

Blogs …

• Case History:
  – Company was being hacked weekly, resulting in expensive downtime.
  – Targeted by unidentified foreign hackers.
  – Key IT employee perceived blogging as neutral threat factor.
  – He needed help in defending the enterprise more effectively.
  – Internal solutions were not solving the problem.
  – Company’s proprietary data was at risk.
  – Blogging made it worse

• Prediction:
  – Blogs and social networks, left unchecked, will contribute to ID theft, crime

The Trend of Internet Crime

Complexity of Identity Theft

[Diagram. Labels: ID Theft Drivers; Organized Crime; Narcotics Trafficking; Terrorists; Money Laundering: $2 Trillion in Profits Laundered; Emerging Nation Participation in Organized Crime; Black Peso Market Exchange & Money Laundering; Distribution Channel & Infrastructure; Core Product Manufacture; Operations Financing]

Information Security Crime: Identity Theft is Key

[Diagram. Labels: Terrorists; Protest Groups; Drug Cartels; Organized Crime; Espionage Agents; Rogue Employees; Money Laundering; Recruitment; Communication; Capital Formation; Fraud; Hacking; Virus Development; Virus Deployment]

Find the SSN

277-33-1899 185-09-9380 231-54-8274 904-00-1232
184-99-3837 275-44-5162 231-44-2005 992-33-4646

“Just a quick note to say hi. Thought this was a cool picture. Call me when you can: I’ve got a business question for you.”

• Laptops
• PDAs
• Internet-Enabled Cell Phones
• Portable Drives
• Flash Drives
• Blogs
• CDs

Organized Crime Growing

• Organized crime is involved in trade secret theft, economic espionage, terrorist financing, narcotics trafficking, pornography, ID theft … and technology.

• Russia has emerged as a major international influence in organized crime. Many countries participate in organized crime. Russia is but one example.

• Compare organized crime in the US and Russia (American Russian Law Institute):
  – US:
    • 24 crime families
    • 2,000 active members
  – Russia:
    • 5,000 – 8,000 groups
    • 100,000 active members

Russian Organized Crime & IP Theft

• The theft of intellectual property by organized crime is escalating in the following states, in particular:
  – New York
  – California
  – Pennsylvania
  – Massachusetts

• According to a report from Michigan State University School of Criminal Justice:
  – Russian activity is accelerating as a result of the dismantling of the Soviet Union.
  – Federal authorities are currently investigating and infiltrating these criminal enterprises.
  – “The threat from … economic crimes (such as the theft of intellectual property, industrial espionage … and computer-related crime) is increasingly recognized as a matter of national security.”

• Use of IT and communications professions by organized crime is growing.

Linkage to Child Pornography

• The majority of child pornographic images and videos seized are produced primarily in:
  – The former Soviet states.
  – Southeast Asia (including Japan).
  – South America (increasingly).

• The proliferation of commercial pay-per-view technology and Internet payment systems technology that provide anonymity are in demand.

Case History: A Boston Police Officer

• Police in Boston
  – Several rogues involved with local crime gangs, offering protection of
    • Drug transactions
    • Prostitution
  – Target owners of luxury automobiles
    • Use police access to database to obtain personal identity information
    • Use personal identity data to acquire credit information about the target individual. This is accomplished through an employee at a local bank
    • Credit information is sold to East Coast identity thieves, who in this case are undercover FBI agents

Employee Crime

• A financial institution network used for XXX-rated web sites
• A corporate data center used by rogue employees operating their own profitable business
• A man buys a SSN online, commits ID theft
  – But then he engages in cyberstalking the woman to whom the SSN was assigned.
  – This turns into physical stalking, as many cases do.
  – He ended up assaulting and killing her
  – What if the SSN came from your database?
  – What are the moral and ethical implications?
  – What is the reputational impact?
  – What is the financial liability?
  – What if the security controls were sub-standard?

An Attack Trend?

• The first information warfare occurred during the Kosovo war: web site defacements of U.S. Department of Defense and U.S. corporate entities, including IBM.

• An interesting DDOS attack on Estonia
  – Bots or Zombies used in attack
  – Parliament disrupted
  – Nation’s largest bank severely disrupted
  – Traced attacks to inside the Kremlin
  – Significant because of KGB linkage to organized crime
  – Zombies linked to organized crime
  – Three weeks to block the attacks

• Many attackers make precise attacks: don’t want to disable Internet because of its usefulness to them

Managing the Mobile Risk Force Multiplier

Mobile/Wireless: A Risk Force Multiplier

• Mobile technology contributes to the dimension of risk:
  – Greater distribution of target information.
  – Less institutional monitoring.
  – Fewer employee observations about risky behavior.
  – Less attention to security policies and procedures.
  – Greater likelihood of losing a mobile device.
  – Greater likelihood of mobile device theft.
  – Greater likelihood of a breach.

Mobile Device Theft

• More than two million a year reported stolen worldwide.
• 1,600 a day reported stolen in the U.S.
• A laptop is stolen every 53 seconds.
• Chances of a laptop being stolen are one in ten.
• 97% are never recovered.
• Most common crime after identity theft.
• Contains the most sensitive data, including social security numbers, as well as intellectual property, and trade secrets.
• Six of one hundred government and defense workers in the United Kingdom are said to have lost or had stolen a laptop computer.
• Many stolen laptops have passwords written on paper and taped to the underside of the laptop.

What is on your laptops?

What policies are in place to prevent mobile device theft?

The Mobility of Logical Information

• Electronic information seldom resides in one place.

• Information structures are designed for redundancy.

• Then behavior reinforces the principle of redundancy.

• Where does data exist and where is it at risk:
  – Desktop computer
  – Laptops
  – Handhelds
  – Cell phones
  – Flash drives
  – Portable backup drives
  – Data centers: domestic and foreign
  – Email servers
  – Databases
  – Home computers
  – Data management third-parties
  – Internet Service Providers
  – Spouse’s and children’s computers
  – Hotels & resorts & conferences
  – Neighbors’ homes
  – Restaurants
  – Taxis
  – Office
  – Subway
  – Rental & personal cars

• E-Discovery Act Implications?

The Legislative Trend

Legislative Uncertainty

The passage of any privacy statute is uncertain. But trends are developing that will shape emerging legislation.

Don’t expect preemption.

12 C.F.R. 30 Will Influence Legislation

Interagency Guidelines Establishing Standards for Safeguarding Customer Information

Set forth standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p-1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

U.S. Federal

• 110th Congress, 2007, Sen. Leahy:
  – Personal Data Privacy and Security Act of 2007
    • Require data brokers to disclose information held on individuals
    • Requires companies that have databases with personal information on more than 10,000 U.S. residents to implement data privacy and security programs
    • Increases criminal penalties
    • A crime to conceal a security breach
    • Requires government to establish rules protecting data privacy

U.S. Federal

• 110th Congress, 2007:
  – Data Accountability and Trust Act
    • Authorizes the U.S. FTC to write data privacy requirements for businesses
    • Mandatory vulnerability assessments
    • Policies for obsolete data disposal: feasibility study for standard processes
      – Includes paper records
    • Data breach would result in FTC audit of security practices
    • Administrative, technical, and physical security controls
    • ID reasonably foreseeable vulnerabilities
    • Enhancing punishment for ID theft

U.S. Federal

• 109th Congress: Specter-Leahy Personal Data Privacy And Security Act of 2005, S. 1789
  • Increased penalties for electronic ID theft
  • Section 102: Adding fraud as a predicate offense for RICO (Racketeer Influenced Corrupt Organizations), recognizing organized crime
  • Section 103: Making it a crime to conceal ID theft
  • Give individuals access to, and the opportunity to correct, personal information held by data brokers
  • Require entities with personal data to establish internal policies that protect data
  • Require that entities notify consumers of a breach, as well as law enforcement
  • Prohibits companies from requiring consumers to disclose Social Security Numbers
  • Authorizes $100M over four years to help state law enforcement fight misuse of personal information

U.S. Federal

• Data Security Act of 2006
  – National data protection and breach notification standard
  – Impacts financial institutions, retailers, and government agencies
  – Requires timely investigation of security breaches
  – Law expands the reach of current laws, both state and federal, that require only financial institutions to protect personal information
  – Modeled after Gramm-Leach-Bliley Act of 1999
  – Failure to comply:
    • Levy fines
    • Impose corrective measures
    • “Even bar individuals from working in their respective industries”

• H.R. 1263: Consumer Privacy Protection Act of 2005
  • … (2) Policy … shall be … approved by the senior management officials

U.S. Federal

• H.R. 620: Security Measures Feasibility Act [addresses driver’s license and ID cards, assesses cost to states for security]
  • Establishment of State motor vehicle databases that contain all fields of licenses. [A report to Congress states that] any recommendations … that the Comptroller General considers necessary to better protect the security of driver’s licenses and identity cards issued by states

• This could have significant legislative impact and, eventually, commercial impact

States & Privacy

Many entities make the mistake of mapping privacy policy to 1386

State Legislation is Proliferating, Changing

California: Established the precedent, SB-1386

SB-1386 Safe Harbor:

– Businesses may forgo consumer notification if the information contained in the breached database is encrypted

– SB-1297 and paper

Arkansas: Act 1526 of 2005: Disclosure of Personal Information to Consumers Notification Law. Similar to 1386 but includes Medicare information

Indiana: Addresses government agencies only

Montana: Broadens the range of personal identifiers

North Dakota: Similar to 1386 but includes DOB and mother’s maiden name

Washington: Similar to 1386

Georgia: Applies only to data brokers such as ChoicePoint

States

– New Jersey
  • Identity Theft Prevention Act requires destruction of unneeded customer data
  • Limits use of social security number sent by the U.S.P.S.
  • Consumer notification

– Louisiana
  • Database Security Breach Notification Law
  • Consumers must be notified, as well as state government officials

– Illinois
  • Personal Information Protection Act
  • Does not require state government notification

– New York
  • Information Security Breach and Notification Act
  • $150,000 fines
  • Disclosure timeframes vague

– Wisconsin
  • Includes DNA profile. Requires notification for unauthorized access, even paper access. Also in North Carolina.

Notification Triggers Variable

• California: no threshold triggers. All California residents must be notified

• In some states, notification required only when there is reasonable likelihood that the information at risk will result in harm

• In California, businesses required to notify only those affected by the breach. In other states, only consumer reporting agencies must be notified

• In New York and North Carolina, businesses hit with a security breach must notify the Attorney General’s office.

• In New Jersey, the State Police must be notified

• The trend is toward legislation that protects the consumer

• Multiple complex state laws encourage more federal legislation in order to reduce regulatory and trans-state conflict and jurisdiction

International

Section 304 of H.R. 1263:

• Harmonization of the International Privacy Laws, Regulations, and Agreements

“... the Secretary of Commerce shall provide notice of the provision of the Act to other nations, individually, or as members of international organizations or unions that have enacted … information privacy laws, regulations, or agreements, and shall seek recognition of this Act by such nations…. The Secretary shall seek the harmonization of this Act with information privacy laws … to the extent such harmonization is necessary for the advancement of transnational commerce, including electronic commerce.”

International: Fortress India

• Fortress India is an initiative backed by the National Association of Service and Software Companies (Nasscom) in response to U.S. legislation and interest in protecting U.S. information overseas
  – Background investigations are difficult in a nation hampered by a lack of online databases and high attrition rates
  – Fortress India, as an element of Nasscom, wants to change this security and privacy dynamic
  – At ICICI OneSource, a call center, employees swipe ID cards to enter the center, empty pockets of cell phones, PDAs, pens, notebooks; calls are monitored and recorded; data is guarded

Contact

MacDonnell Ulsch

One Liberty Square

Boston, Massachusetts 02109

(617) 428-7705
