[SecurityRatty] tag: frank

Chairman Tata Surprised by Tricky Terrorists

Sun, 30 Nov 2008 22:29:00 +0000

Chairman Rata Tata, whose company owns the Taj hotel in Mumbai, gave a frank and honest interview to CNN. I would imagine that the Tata Group's PR people and General Counsel are scrambling at the moment trying to do as much damage control as possible.

The sad part of this unfolding story is the feeling one gets that the terrible loss of life at the hotel may have been prevented or at least mitigated had proper security measures been implemented and if the security that had been in place prior to the attack had not been removed.

One eye witness who stayed at the hotel a week before the terrorist assault spoke about metal detectors and baggage being checked. The same witness then went on to say that those security measures had been removed within the last week, allowing people to enter without being checked.

The most surprising news to surface must be the Chairman's comments regarding the terrible event. Unbelievably, he actually said; "They knew what they were doing and they did not go through the front. All of our arrangements were on the front entrance".

Who is Tata's security advisor, a kitchen worker? Actually, he might have been better off if that were the case since the terrorists entered the hotel through the rear kitchen door. ANNOUNCEMENT TO ALL CHAIRMEN AND CEO's; Terrorists are Tricky. That is their job. They are watching your businesses and will do the opposite to what you expect.

In the case of the TAJ HOTEL, you made it easy for them. Did nobody in Mumbai ever stop to think that a bad person can go through the back door? It is one thing for a cafe in a pedestrian area to be attacked as anyone can walk right by or walk through the front and open fire, but how can a major landmark that attracts Western vistors drop their security measures AFTER they have received terrorist alert warnings that the hotel may be the target of terrorsit attacks?

I don't know if it was the case with the Taj Hotel, but cutting corners where security is concerned is common place in corporate culture. Security is often seen as a necessary evil and usually the first department to experience budgetary cutbacks. It is very difficult to convince some clients that nothing happening is really a good thing and that by cutting out security may open the door to evil.

This appears to have been the case with the Taj. There is no doubt that the terrorists had conducted hundreds of hours of surveillance in and around Mumbai. Was it a coincidence that the attack occurred the week after security measures had been removed? What might have been the result if security had remained tight (if you could call watching the front entrance and disregarding the back as "tight security")? Maybe the terrorists would have held back another month or two...maybe in that time they would have been detected...

One thing is for certain, places like the Taj Hotel have to get serious about security. Mr. Tata's claim that; "If I look at what we had...it could not have stopped what took place", must be replaced by more progressive, proactive thinking. If the Tata Group had spent an adequate amount of funding on ensuring that a strict security policy was in force - if only for the period in question - then they might not now be facing a 5 Billion Rupee reconstruction bill. Who knows how high the civil suits against the Taj will run when compensation and punitive costs are calculated.

Kudos though to Chairman Tata for at least recognizing that the Indian authorities may not be able to handle the situation on their own. "These attacks underscore the need for Law Enforcement to seek outside expertise for training, equipment and strategic operations", he said.

We agree Mr. Tata. We also hope that you will recognize the need for the Tata Group to seek similar outside expertise to assist you with your security planning and training.

A sneaky security problem, ignored by the bad guys

Thu, 13 Nov 2008 21:00:00 +0000

Frank Boldewin had seen a lot of malicious software in his time, but never anything like Rustock.C.

Risk or Security Management: What's In a Term?

Tue, 11 Nov 2008 11:59:18 +0000

When Gartner security and risk analysts give presentations, write research or talk to clients, we often get criticized for using the terms security and risk management interchangeably. This is deemed to be confusing by the audience as they try to articulate a clear differentiation between these terms. Indeed, in large sections of our client base, vigorous debate is being held on defining, differentiating and positioning information security vs. information risk management.

Well, maybe such a clear differentiation is not always required. Maybe security and risk management is so intertwined that continuously trying to separate them becomes counterproductive. Let's try to look at this objectively: I can make a clear argument that security is an integral part of risk management. But I can make a similarly cogent argument that risk management is an integral part of security management. The definition is largely in the eye of the beholder. It is contextual and situational. Maybe security and risk management are not the two sides of the same coin - maybe these disciplines are so integrated that they ARE the coin. The business is interested in the coin, not the pictures embossed on either side of it.

I am not arguing that the security and risk management are one and the same. They are indeed discrete disciplines with different functions and activities. And from an organizational perspective, is it important the different roles are named appropriately to the responsibilities of the individuals concerned. But let's be frank, does your business really care whether you call yourself a security manager or a risk manager? All they want is for (both of?) you to help them manage your information security and IT risks appropriately.

Risk management and security management. It's not either/or. Black or white. So here is my call: Let's spend less time debating and arguing the differences, and more time on using and maturing these extremely important, completely interrelated disciplines.

Stop Me if This Sounds Familiar

Sun, 02 Nov 2008 19:30:30 +0000

My favorite book from last year was Charlie Munger's "Poor Charlie's Almanack", there are so many fascinating parts in the book I can't go into them all here. Charlie Munger is Warren Buffett's partner at Berkshire Hathaway, the book is a collection of a number of his speeches, and serves as a great backdrop for today's events, an investing education, and a way to think through complex problems ("invert! always invert!"). It goes without saying that I think you should buy this book.

Chapter Three is a collection of Munger's unscripted remarks at Berkshire Hathaway and Wesco annual meetings. The below sections were transcribed by Whitney Tilson, from annual meetings around the 2003-4 time period, and are pretty interesting given our current financial predicament.

Warnings About Financial Institutions and Derivatives
Risks of Financial Institutions
The nature of a financial institution is that there are a lot of ways to go to hell in a bucket. You can push credit too far, do a dumb acquisition, leverage yourself excessively---its not just derivatives [that can bring about your downfall].
Maybe it's unique to us, but we're quite sensitive to financial risks. Financial institutions make us nervous when they're trying to do well.
We're exceptionally goosey of leveraged financial institutions. If they start talking about how good their risk management is, it makes us nervous.
We fret way earlier than other people. We've left a lot of money on the table through early fretting. It's the way we are -- you'll just have to live with it.
Derivatives
The system is almost insanely irresponsible. and what people think are fixes aren't realy fixes. It's so complicated I can't do it justice here - but you can't believe the trillions of dollars involved. You can't believe the complexity. You can't believe how difficult it is to do the accounting. You can't believe how big the incentives are to have wishful thinking about values and wishful thinking about ability to clear.
People don't think about the consequences of the consequences. People start by trying to hedge against interest rate changes, which is very difficult and complicated. Then, the hedges make the [reported profits] lumpy. So they use the new derivatives to smooth this. Well, now you've morphed into lying. This turns into a Mad Hatter's Tea Party. This happens to vast, sophisticated corporations.
Somebody has to step in and say, "We're not going to do it - it's just too hard."
I think a good litmus test of the mental and moral quality at any large institutions [with significant derivative exposure] would be to ask them, "Do you really understand your derivatives book?" Anyone who says yes is either crazy or lying.
It's easy to see [the dangers] when you talk about [what happened with] the energy derivatives - they went kerflooey. When [the companies] reached for the assets that were on their books, the money wasn't there. When it comes to financial assets, we haven't had any such denouement and the accountings hasn't changed so the denouement is ahead of us.
Derivatives are full of clauses that say if one party's credit gets downgraded then it has to put up collateral. It's like margin - you can go broke [just putting up more margin]. In an attempt to protect themselves, they've introduced instability. Nobody seems to recognize what a disaster of a system they've created. It's a demented system.
In engineering people have a big margin of safety. But in the financial world, people don't give a damn about safety. They let it balloon and balloon and balloon. It's aided by false accounting. I'm more pessimistic about this than Warren is.
Accounting for Derivatives
I hate with a passion GAAP [Generally Accepted Accounting Principles] as applied to derivatives and swaps. JP Morgan sold out to this type of accounting to front-end revenues. I think it's a disgrace.
It's bonkers, and the accountants sold out. Everyone caved, adopted loose [accounting] standards, and created exotic derivatives linked to theoretical models. As a result, all kinds of earnings, blessed by accountants, are not really being earned. When you reach for the money, it melts away. It was never there.
It [accounting for derivatives] is just disgusting. It is a sewer, and if I'm right, there will be hell to pay in due course. All of you will have to prepare to deal with a blowup of derivative books.
Likelihood of a Derivatives Blowup
We tried to sell Gen Re's derivatives operations and couldn't, so we started liquidating it. We had to take big markdowns. I would confidently predict that most of the derivatives books of [this country's] major banks cannot be liquidated for anything like what they're carried on the books at. When the denouement will happen and how severe it will be, I don't know. But I fear the consequences could be fearsome. I think there are major problems, worse than in the energy field, and look at the destruction there.
I'll be amazed if we don't have some kind of significant [derivatives-related] blowup in the next five to ten years.
I think we're he only big corporation in America to be running off its derivative book.
It's a crazy idea for people who are already rich - like Berkshire - to be in this business. It's a crazy business for big banks to be in.
Yo would be disgusted if you had a fair mind and spent a month really delving into a big derivative operation. You would think it was Lewis Carroll. You would think it was the Mad Hatter's Tea Party. And the false precision of these people is just unbelievable. They make the worst economics professors look like gods. Moreover, there is depravity augmenting the folly. Read the book F.I.A.S.C.O., by law professor and former derivative trader Frank Partnoy, an insider account of the depravity of derivative trading at one of the biggest and best-regarded Wall Street firms. This book will turn your stomach.

These are very blunt warnings from a legendary investor over many years, yet no one listened. It does explain why it is so hard for Infosec to make its case for building margins of safety into the system.

Accenture CIO Modruson is not just putting out fires

Mon, 27 Oct 2008 21:00:00 +0000

Being an IT leader is tough enough at the best of times, but what do you do when your company is stacked with IT experts? 'Make the most of it' would appear to be the attitude of Frank Modruson, CIO of Accenture, one of the world's biggest management consulting, technology services and outsourcing companies.

Are You a Builder or a Breaker

Wed, 10 Sep 2008 12:30:00 +0000

I am reading Brain Rules; great book! In the opening chapter there is a wonderful quotation from an interview with Frank Lloyd-Wright that resonates with how I feel about the application security industry. “When I walk into St. Patrick’s cathedral here in New York City, I am enveloped with a feeling of reverence”, said Mike Wallace. [...]

Straight Talking Warren Buffett

Mon, 25 Aug 2008 08:45:00 +0000

For those who did not hear Warren Buffett being interviewed last Friday morning on CNBC, he did not beat about the bush when talking about the former Presidential hopeful, John Edwards.

Mr. Buffett came straight out and accused Mr. Edwards of soliciting and taking money by deceitful means during his unsuccessful Presidential bid earlier this year. According to Mr. Buffett, John Edwards knew back then that it was only a matter of time before the media uncovered the story of his mistress and alleged love-child.

Unfortunately, this did not stop him from asking suporters to fund his campaign. Had people knew about the extra-marital affair, they most likely would not have sent in their hard earned dollars as there was no chance that he could continue in the race once the damning news broke. Mr. Buffett suggested that Edwards should cut back on a few of those expensive haircuts and return those fifty and one hundred dollar donations that came in from ordinary hard working followers.

This sentiment rings true for my industry. At our training courses, we focus on Ethics at the beginning of the course and it runs throughout the training. Nobody is saying that we are not human and we do not make mistakes - we all do, but covering up the truth to further your own selfish goals is a practice that would probably even disgust the animal Kingdom - except the reptiles possibly.

Thank you Mr. Buffett for being so frank and forthright in this era of sterile political correctness. This is why I enjoy working with successful business people and despise the empty promises and double-talking of policticians, to whatever party they belong. To those of you in the security world, again I implore you to never forget that your word is your bond and at the end of the day, your reputation will live on after you are long gone.

Cryptic Reading

Mon, 04 Aug 2008 00:28:59 +0000

Frank Hayes reports that there's much for IT to learn from a study of the government's failure to implement a data encryption mandate.

One Risky Point

Mon, 28 Jul 2008 03:32:42 +0000

The city of San Francisco's problem with one network engineer hints at management issues for all IT shops, says Frank Hayes.

Who Pays?

Mon, 21 Jul 2008 00:31:19 +0000

Frankly Speaking: Frank Hayes observes that the lesson learned from a rogue network administrators actions is an old one: The best IT is built by teams not lone wolves.