[SecurityRatty] tag: deloitte

EM7 helping customers make the Deloitte Technology Fast 50?

Thu, 09 Oct 2008 18:15:42 +0000

Now in its 14^th year, Deloitte’s Technology Fast 50 program recognizes the fastest growing technology companies in a given geographic area. The basis of the selection is a company’s revenue growth over a five-year period. These companies can be public or private and can encompass all technology, media, telecommunications and life sciences industry sectors. Not all the regions have reported winners, but the results are in for Virginia and Maryland and we’re happy to say EM7 customers are very well represented by the ones that made it.

Congratulations to:

EM7 at the Merkle NOC

And we must point out that Hughes topped the Maryland Technology Fast 50 list with an astounding growth rate of 138,762% over the past 5 years! Wow, it would be tough for any company in the world to beat that growth rate, but all kudos must go to Hughes and this incredible achievement. I’m sure we’ll see them on the National Technology Fast 500 list coming out soon.

Now I would like to say that without ScienceLogic and EM7 much of this would not have been possible, but of course that statement would be an incredible stretch. What I can say is that our product and our technology has had a profound impact on the operational efficiency for HughesNet, so perhaps you can give us, using a basketball analogy, 12 assists in the game.

Interesting to note, several other award winners are in the midst of product evaluations as we speak. I think that EM7 Meta-Appliances are a strategic weapon within each of these businesses to leverage our technology in interesting ways which create huge organizational value and operational efficiencies.

So to all those companies who have won this year… a BIG congratulations from the bottom of my heart. For our existing customers who made the list this year… keep working hard so you can make it again next year. For ScienceLogic, stay tuned in: We were not quite big enough to make the list last year, however I am very excited about our growth in 2008 and am quietly confident that you will see us on the Virginia Fast 50 list next year!

What can CISOs learn from the Societe Generale debacle

Tue, 19 Feb 2008 06:17:17 +0000

It is astounding, and in the words of Societe Generale's chairman and chief executive, Daniel Bouton “unbelievable” that a person could single-handedly circumvent the security of France’s second largest bank to cause so much damage. This event brings to bear what security professionals have been saying for years – focus on the insider threat. Mr. Kerviel cost the bank $7.2 billion by making huge unauthorized trades that he hid for months by allegedly hacking into the computers of the bank and creating fraudulent transactions to hide his tracks. The combined trading positions he built up totaled some €50 billion, or $73 billion. While this level of exposure going unnoticed boggles the mind, none of it could have happened without a fundamental failure of information security controls.

Here are ten lessons for us security folks to pass on to our executive teams.

· Security is first and foremost a people problem: Societe Generale probably had good set of security products and technologies in place, but all the security technology in the world won't necessarily help if an employee is in a position to figure out the processes and has the ability to disable the alarms. It does drive home the point that the insider threat may not be the most popular form of attack, but it usually is the most damaging.

· Monitor privileged access: I have had many conversations with CISOs who are reluctant to monitor their system administrators and privileged access users because they feel that there is a level of trust that exists between them and they may send of a wrong signal by monitoring them. Although a majority of people are trustworthy, trusting your privileged users is not a defense that will hold in any court. You have to design security systems based on the assumption that every user is a malicious user.

· Policies without implementation are worse than not having policies. I’m sure Societe Generale had a policy of not sharing passwords and mechanisms to encrypt or mask the passwords. So how was Mr. Kerviel able to gain access to not one but multiple passwords? Having a policy creates a liability for the organization to ensure that it is implemented and gives the organization a false sense of security.

· Everyone is not after the money. One perpetuating myth about hackers is that they are all after financial gain. This may or may not be true. In Societe Generale’s case French prosecutors announced that they'll pursue four charges, including breach of confidence, misrepresentation, and illegal use of logins. The company is not charging Kerviel of trying to steal company secrets or financial fraud. All he wanted was to be seen as an exceptional trader, an astute market player.

· Policy, Implementation, and Audit should stay separate. We often forget that people who set the policy should not be the ones implementing or auditing it. Although all these groups work together to ensure the security of the organization, insider knowledge in one area should not be shared with other areas. This was clearly not considered when Kerviel moved from the auditing department to the department he audited (i.e., trading).

· You don’t need to be a genius to “hack” into systems. Kerviel was not a security expert nor did he ever claim to be. He had extensive knowledge of the back office processes that enabled him to side step the controls in place. Jerome Kerviel lists Microsoft Office and Microsoft Visual Basic as his only IT-related skills. That is hardly the profile of a “hacker”.

· Access restrictions must be implemented as people move within the organization. Access control processes are not implemented well in most organizations. Companies usually terminate access of employees who leave the company, but for people who change positions within a company, this is often the case. Hopefully Kerviel’s access privileges as he changed positions will be closely scrutinized as part of the investigation.

· Awareness and training serves as the first line of defense. Awareness and training can help reduce a significant amount of risk by informing users of their responsibilities to follow policies and to report suspicious activity. Sadly, this is one area that many organizations ignore. I would be very surprised if there weren’t tell-tale signs of suspicious activity during this episode that a properly trained employee would have been able to spot.

· Consistent monitoring triggers may be a bellwether of a bigger issue. Societe Generale had challenged Kerviel several times about risky operations, and each time he produced fictitious documents to justify himself. Eurex, a derivatives exchange, alerted Societe Generale in November 2007 about the positions taken by Jerome Kerviel. Not heeding these advance warnings and not understanding that they may have pointed to a much larger risk were clearly mistakes.

· It could happen to the best of us. Societe Generale was a leader in derivatives and was considered by some to be one of the best risk managers in the world. The company seemed to understand a lot of elements of risk management really well, but still failed in a critically important area. There is often as assumption that things are more under control than they actually are. A recent Deloitte survey found that 46% of companies surveyed failed to have a formal security strategy in place. Still, 69% said they are "very confident" or "extremely confident" about their organization's effectiveness at tackling external security challenges.

Sadly, events such as these articulate the point much more effectively than a CISO saying that we should implement security. So we should take this opportunity to remind our executives of how we could be in similar situations if we don’t manage our information risks effectively.

Compliance costs not slowing down - technology automation to the rescue

Mon, 28 Jan 2008 10:34:00 +0000

Deloitte - Navigating the Compliance Labyrinth offers some great tidbits from recent surveying of financial executives.

Compliance continues to increase - from 2.83% of net income in 2002 to 3.69% of net income in 2006.
Primary costs continue to be driven through applying people, not technology to the problem.
and the kicker from our perspective, measuring compliance performance remains largely a qualitative rather than a quantitative process. Only 55% of financial institutions reported using quantitative metrics, implying a limited application of process management tools and methodology.

Forget the name of the segment (e.g., GRC, IT-GRC, ERM, VM). The bottom line is taking a process management based approach with technology. Commercial solutions (not home grown) that offer enterprises the opportunity to leverage technology automation to reduce people doing mundane/manual tasks producing the result of reduced compliance costs!

Deloitte & Touche and IKON lose confidential information

Thu, 20 Dec 2007 11:23:09 +0000

Technorati Tag: Security Breach

Date Reported:
12/14/07

Organization:
Deloitte & Touche USA LLP

Contractor/Consultant/Branch:
IKON Office Solutions

Victims:
Current and former partners, principals, and employees of Deloitte & Touche and its subsidiaries

Number Affected:
Unknown

Types of Data:
Names, Social Security numbers, dates of birth, "and other information relating to those personnel, such as employee hire and termination dates"

Breach Description:
An un-encrypted laptop was stolen from an IKON Office Solutions employee on November 19th, 2007 that contained sensitive personally identifiable information belonging to current and former Deloitte & Touche partners, principals and employees. IKON was serving as Deloitte & Touche's document management vendor.

Reference URL:
The New Hampshire State Attorney General breach notification
SC Magazine Story

Report Credit:
The New Hampshire State Attorney General

Response:
From the online sources cited above:

On November 21st, 2007, D&T USA's document management vendor, IKON Office Solutions, Inc. ("IKON"), informed D&T USA that a laptop containing a file with information about current and former partners, principals and employees of D&T USA and its subsidiaries had been stolen from an IKON employee's vehicle two days earlier.

The file included names, Social Security numbers, dates of birth and other information relating to those personnel, such as employee hire and termination dates.

IKON's employee reported the theft to the Walnut Creek, California police department. The police report number is 07-27609.

So far, the computer has not been recovered.

The laptop was not encrypted, but the laptop was password protected.

We have no information indicating the information has been misused.

we are in the process of notifying all affected individuals through first class mail, postage prepaid.

We have contracted with ConsumerInfo.com, Inc., an Experian company, to provide you with one year of credit monitoring, at no cost to you.

We are committed to protecting all confidential information that is entrusted to us. Accordingly, we have suspended all work with the vendor on the pension record scanning project until the vendor can demonstrate that it has implemented appropriate data security protections.
[Evan] Its not uncommon for an organization to overlook the information that vendors and other third-parties access and/or store. Information security controls surrounding vendor access must be addressed in policy, and then followed up standards and controls. I wonder what Deloitte & Touche's policy is around vendor access to confidential information.

if you have any additional questions about this incident, please call the Personal Service Network (PSN) at +1 800 DELOITT (+1 800 335 6488) and enter 12 to go directly to people who can answer questions about this incident.

Comments on the SC Magazine Story:

What makes Deloitte think that one year of monitoring will be all that is needed for the potential victims. I read where the average victim does not know til well beyond 12 months. - Mike

If "noted security experts" (so called in the article) can't get it right, then we're all in trouble. Laptop drive encryption is extremely easy to implement and manage corporate wide...and has been for years. So, why is this still happening? - Jim

Commentary:
According to the letter to affected individuals, IKON Office Solutions was responsible for scanning pension fund documents.

Although IKON definitely has blame in the cause of this breach, Deloitte & Touche certainly does to. It seems that Deloitte & Touche makes some attempts to deflect their responsibility. Deloitte & Touche was given the information in the first place and they are responsible for what happens to it until it is ultimately destroyed (if it ever gets destroyed). We advise any clients that contract with third parties to create and adopt a "Vendor/Third-Party Access Security Policy". Vendors are required to comply with the policy and many times it is even mentioned in the contract itself. The purpose of the policy is to ensure that vendors and other third-parties secure information at no less of a level than the original company.

The comments made by readers of the SC Magazine story really sum up my immediate thoughts.

Past Breaches:
Unknown

Industry trends - Survey results on Risk Management

Mon, 26 Nov 2007 10:11:00 +0000

Industry trends - Survey results on Risk Management -
Posted by: Ryan Shopp

While Bryan continues to blog about practical experiences in IT Risk Management, I'm going to aggregate some key trends and insights on the industry as a hole. As previously promised, we will continue to stay away from product advertisements, etc. Just useful (hopefully) insights.

The Convergence of Physical and Information Security in the context of Enterprise Risk Management. Survey and report conducted by Deloitte.

some key points/snippets from the report:

...As it stands today, senior management typically sees security more as a tactical function than a necessary component of business processes or decision making.

...one of the challenges that must be mastered to achieve value is “integrating security strategy across the enterprise.” Rather than approach security in an uncoordinated and functionalized fashion, businesses need a top-down approach coordinated by a senior executive to
optimize the effectiveness and efficiency of the overall security system.

...for effective risk management, it is necessary to:
• Adopt a common operational framework
• Reduce autonomy while retaining authority
• Collaborate on all forms of enterprise security risks
• Provide better risk information for decision making
• Go beyond data sharing to collaborative planning and decision making

The document is over 50 pages long and also includes example case studies and a ton more graphics with survey results etc. A must for any organization looking to better align their security program with business initiatives and goals. The document even offers a risk management maturity model and insights around climbing up the maturity model.