Warnings About Financial Institutions and Derivatives

Risks of Financial Institutions
The nature of a financial institution is that there are a lot of ways to go to hell in a bucket. You can push credit too far, do a dumb acquisition, leverage yourself excessively---its not just derivatives [that can bring about your downfall].

Maybe it's unique to us, but we're quite sensitive to financial risks. Financial institutions make us nervous when they're trying to do well.

We're exceptionally goosey of leveraged financial institutions. If they start talking about how good their risk management is, it makes us nervous.

We fret way earlier than other people. We've left a lot of money on the table through early fretting. It's the way we are -- you'll just have to live with it.

Derivatives
The system is almost insanely irresponsible. and what people think are fixes aren't realy fixes. It's so complicated I can't do it justice here - but you can't believe the trillions of dollars involved. You can't believe the complexity. You can't believe how difficult it is to do the accounting. You can't believe how big the incentives are to have wishful thinking about values and wishful thinking about ability to clear.

People don't think about the consequences of the consequences. People start by trying to hedge against interest rate changes, which is very difficult and complicated. Then, the hedges make the [reported profits] lumpy. So they use the new derivatives to smooth this. Well, now you've morphed into lying. This turns into a Mad Hatter's Tea Party. This happens to vast, sophisticated corporations.

Somebody has to step in and say, "We're not going to do it - it's just too hard."

I think a good litmus test of the mental and moral quality at any large institutions [with significant derivative exposure] would be to ask them, "Do you really understand your derivatives book?" Anyone who says yes is either crazy or lying.

It's easy to see [the dangers] when you talk about [what happened with] the energy derivatives - they went kerflooey. When [the companies] reached for the assets that were on their books, the money wasn't there. When it comes to financial assets, we haven't had any such denouement and the accountings hasn't changed so the denouement is ahead of us.

Derivatives are full of clauses that say if one party's credit gets downgraded then it has to put up collateral. It's like margin - you can go broke [just putting up more margin]. In an attempt to protect themselves, they've introduced instability. Nobody seems to recognize what a disaster of a system they've created. It's a demented system. 

In engineering people have a big margin of safety. But in the financial world, people don't give a damn about safety. They let it balloon and balloon and balloon. It's aided by false accounting. I'm more pessimistic about this than Warren is.

Accounting for Derivatives
I hate with a passion GAAP [Generally Accepted Accounting Principles] as applied to derivatives and swaps. JP Morgan sold out to this type of accounting to front-end revenues. I think it's a disgrace.

It's bonkers, and the accountants sold out. Everyone caved, adopted loose [accounting] standards, and created exotic derivatives linked to theoretical models. As a result, all kinds of earnings, blessed by accountants, are not really being earned. When you reach for the money, it melts away. It was never there.

It [accounting for derivatives] is just disgusting. It is a sewer, and if I'm right, there will be hell to pay in due course. All of you will have to prepare to deal with a blowup of derivative books.

Likelihood of a Derivatives Blowup
We tried to sell Gen Re's derivatives operations and couldn't, so we started liquidating it. We had to take big markdowns. I would confidently predict that most of the derivatives books of [this country's] major banks cannot be liquidated for anything like what they're carried on the books at. When the denouement will happen and how severe it will be, I don't know. But I fear the consequences could be fearsome. I think there are major problems, worse than in the energy field, and look at the destruction there.

I'll be amazed if we don't have some kind of significant [derivatives-related] blowup in the next five to ten years.

I think we're he only big corporation in America to be running off its derivative book.

It's a crazy idea for people who are already rich -  like Berkshire - to be in this business. It's a crazy business for big banks to be in.

Yo would be disgusted if you had a fair mind and spent a month really delving into a big derivative operation. You would think it was Lewis Carroll. You would think it was the Mad Hatter's Tea Party. And the false precision of these people is just unbelievable. They make the worst economics professors look like gods. Moreover, there is depravity augmenting the folly. Read the book F.I.A.S.C.O., by law professor and former derivative trader Frank Partnoy, an insider account of the depravity of derivative trading at one of the biggest and best-regarded Wall Street firms. This book will turn your stomach.

I find that legacy code poses a unique challenge for organizations rolling out a new security process.  Often, the resources dedicated to maintaining older code are a small fraction of those devoted to new features or products.  Furthermore, the original developers for such features have often moved on, leaving no subject matter experts to drive reviews.  The astute reader will ask “How do I apply the principles of the Microsoft SDL to legacy code when I have no development resources and nobody knows how it works?”

The answer is “Start small, and build expertise over time.”

A Rising Tide Lifts All Boats

The best thing a security engineering team can do to improve security in the short term is to drive code quality, and the first step in this process is to define and enforce a secure coding standard.  This helps on two fronts: 

1.       It will improve code quality and reduce implementation flaws across the entire code base.  Unlike other security processes, driving a secure coding standard is relatively easy to accomplish across an entire code base, regardless of the code’s age, by a focused security team.  That is not to say that it is easy without qualification – a large batch of spaghetti code will require a lot of work to untangle!  Such an effort can only be called “easy” when compared to, say, comprehensive identification and remediation of design flaws across legacy features.  Even so, improving code quality through the use of secure coding standards offers a unique combination of high impact, applicability to features, and ability to be carried out by a core team that makes it a sensible first step.

2.       The security team might notice that some sections of code have more standards violations or outright flaws than others.  This is an instance of vulnerability clustering, a concept that has been used to predict vulnerability rates and improve quality in the functional realm.  The evidence is anecdotal, but it stands to reason that portions of code that consistently violate secure coding standards are good places to start looking for other classes of security flaw.  These are security hotspots, and should be high on the prioritized list for further review.

Security testing may also be applied to legacy code, but initial activities should be considered on a case-by-case basis based on the expected return on investment.  Such testing ranges from using inexpensive off-the-shelf tools to exercise common interfaces to rather expensive custom testing and formal analysis.  It is worthwhile to begin with off-the-shelf tools, such as those that target file parsers or web applications, and tools created as part of your greater secure development efforts.  These can help identify easily-found flaws and suggest improvements to the coding standards.  Comprehensive security testing, on the other hand, is best tackled after the Legacy Security Push.

The Legacy Security Push

Coding standards and basic testing provide bang for the buck, but formal security processes seek to provide security assurance.  The challenge for legacy code is that it needs to play catch-up.  Security processes that occur early in the development cycle, such as requirements analysis, design review, and threat modeling, are particularly difficult to achieve years after the fact.  The main goal of the Legacy Security Push is to create the deliverables from these efforts, the most important of which are security requirements and a full risk analysis.

It may sound trivial, but security requirements are essential.  Not only do they define proper operation for the system in question, they also define assumptions that are suitable for relying systems.   It is very common to find security flaws in legacy systems that arise from well-intentioned but incorrect assumptions such as “I assume that the Foo authenticates server Bar when initiating a bank transfer.”  It stands to reason that Foo would do so for such an important activity, but this assumption must be validated.  It is very common for older features to have been deployed in and written for different environments where the security assumptions that are "obvious" today just didn't apply at the time.

When reviewing legacy systems, the first step is to identify such requirements.  If the original architects, developers or managers are available, they can provide valuable insight at this stage.  More often than not this is not the case, and analysis must instead rely on what documentation is present and interaction between the software and its consumers.  The goal is the same as in requirements analysis during project inception, except that in this case one must turn the process on its head and reverse engineer requirements from system behavior.  At the conclusion of this effort, requirements can be theorized – “Foo must authenticate its server Bar before initiating a bank transfer.” 

Risk analysis can be performed once a plausible set of requirements have been identified.  Threat modeling is a more structured means of performing such an analysis, with the eventual goal of identifying means by which requirements can be violated by an attacker. 

As with requirements analysis, original developers would be a valuable resource to consult.  With or without such help, the first step is to identify how the software works.  In many cases, help is not available and performing this task requires a great deal of effort.  For features of moderate size, this author has spent upwards of a month reading code, using process profiling tools, and walking through the software with a debugger to identify program flow and security-sensitive functionality.

Once completed, actual system behavior should be documented and compared against the requirements theorized.   It might be that the requirements should be re-evaluated (New requirement:  Do not assume that Foo requires server authentication) or the system may need to be changed (New bug:   Foo does not verify the CN for Bar).  At the end, this information should be sufficient to support a comprehensive threat modeling exercise where security requirements, risks, and their mitigations can be documented.

Next Steps

Bringing a legacy feature up to par with its newer kin requires a relatively small number of items:  improved code quality, clear security requirements, and a thorough threat model.  As we have seen, performing even these tasks is quite the effort!  I am sure that it is little comfort to be reminded that accomplishing these tasks has simply laid the foundation, and that the true benefit is that the newly-reviewed legacy feature is able to participate fully in the security processes that remain: reviewing cross-component security requirements and assumptions, comprehensive testing, and incident planning, to name a few.

Unfortunately, there is no silver bullet in security assurance.  The soundness of the design and implementation of legacy software is just as important as in newer software, which is why any complete secure software development process will look backwards as well as forwards.  Feature by feature, from higher priority to lower, the overall security of the software improves as legacy code receives the full security treatment it deserves.

On 13 August, jcorey asked about how to deal with those who firmly believe that the only answer to any security problem is to inspect everything at the edge. This is an important question, and I wanted to give Joe an answer. (You might have to scroll down when you click the previous link, it seems that linking to individual comments is broken.)

Today, 15 October, I wrote a little thesis as an answer to his question. I’m calling it out in a separate post because I want to make sure those of you with aggregators that don’t update when posts receive new comments still have a chance to reply with your thoughts. I’ll also repost it here:

jcorey-- You've nailed the biggest obstacle to deploying something like direct connect. Many security professionals have been taught that there simply is, and never will be, a process or technology that allows you to trust anything that originates from outside your corpnet. These professionals cling to this belief, and have been the cause that allowed the whole “detection” market to bloom.

Let me be clear: this total lack of trustworthiness is no longer absolutely true. Of course there will be times when unknown machines will be used by known and unknown people to access your information. But what about one particular subset -- known humans, with known portable computers -- can't we do something better than treat them as toxic invaders?

Indeed we can. And that's what I'm proposing with direct connect. The technology -- managed, of course, with the right processes -- exists so that you can extend the trust to known computers even though you don't trust the network they're connected to. This is because you have mechanisms that:

1. Allow you to configure the machine according to your requirements (domain join, group policy)

2. Dictate computer and user authentication requirements (IPsec policies, smart cards)

3. Limit what the users of these machines can do (UAC, non-admin, Forefront Client Security, Windows Firewall, even software restriction policies)

4. Validate the health of machines initiating incoming connections and remediate if necessary (NAP, System Center Configuration Manager)

5. Limit the threat of attacks against stolen computers (domain logon, smart cards, BitLocker with TPM)

With the robust authentication, validation, configuration, and control mechanisms available to you, I simply don't see that there's any need to fall back to “detection” now. Detection technologies were -- and remain -- necessary for the times when we have no clue about the health of client computers and when we had no way to gauge the intent of the users. But it is truly reflective of a head-in-the-sand mentality to assume that this is a complete description of what's capable today.

You know, someone once asked me what it takes to be a security professional. I answered that there are two primary elements: become a networking/packet wonk, and be willing to change your opinions when the right evidence comes along. Indeed, I suspect that many security folk have forgotten the need to keep their wonikness updated, which in turn makes them resist new ideas regardless of the strength of the evidence. I'm not very proud of what I just wrote, because I loathe generalities, but I'm not sure what else to think here. Sigh.

Joe’s question is important and strikes at the foundation of what it means to be a security professional today. I’m eager to continue this conversation, because it’s reflective of what I sense to be a radical shift in our jobs—we are, or should be, no longer the wolf-crying propeller-head who sits in the basement and twiddles with the firewall. Instead, our job should be defined as one who’s charged with protecting the organization’s information from attack, while maximizing its utility to authorized users, according to the principles of least privilege. Your thoughts?

COBIT rivals ITIL from The IT Skeptic

“Everyone is tiptoeing around the fact that COBIT offers a significant competitive body of knowledge (BOK) to ITIL. Sure ITIL goes into more depth in places, but to say COBIT sits over the top is to grossly understate the overlap. COBIT extends a long way down into the “how” and it does it with an intellectual rigour that ITIL lacks.”

Interesting stuff that.  A detailed mapping might help some folks.  Either way, the good news for those keen on understanding risk management is that governance metrics, done right, allow us to understand a part of that “capability to manage risk” we’re always looking for.   Assurance, verification and the acquisition and interpretation of knowledge is king.   Speaking of which….

How To Tell When “Nothing Happens” by Pete Lindstrom

“…problem is that, it isn’t really true that “nothing happens” when you employ some specific security control to prevent an exploit. Not only that, but even when it is difficult to collect data on what didn’t happen, one can devise experiments to tell how frequently that nothing occurred.”

Good analysis is all about the uncertainty.   Speaking of accounting for uncertainty…

Assets Good Until Reached For by Gunnar Peterson

“If you have a 100,000 dekstops or 100,000 servers it hard to manage. You will need to automate and to do that you need to abstract, but you should also realize that its a drawing on a whiteboard not reality. You need abstraction assurance.”

And there’s the trick.  We might call “abstraction assurance” an analog to “confidence” or “uncertainty” in certain priors (metrics) or posteriors (calculated values based on those metrics).  The stronger that abstraction assurance is, the less uncertainty we have in our knowledge and the better our ability to create wisdom from that knowledge (you know, make decisions).

Epstein, Snow and Flake: Three Views of Software Security by Adam Shostack

Adam’s focus is on software security, but the discussion here can be abstracted out into the broader realm of risk management quite nicely.

Two-thirds of firms hit by cybercrime from Security Focus

The US DoJ says that in 2005 (there’s some timely data) 2/3 of their surveyed firms detected at least one cybercrime.  “Cybercrime” is “classified … into cyber attacks, cyber theft, and other incidents.”  Pretty general.  Also from the report:  “Computer viruses made up more than half of all cyber attacks.”

(That sound you hear is me tapping my forehead lightly on large iron object)

Lessons Learned from “Personal” Risk Management By: Christopher Daugherty

“This process is what I call “personal risk management.”  All of us have done it and will continue to do so.  Why is it, then, many companies have ignored following similar principles with the on-going health of the business?  This is a debate with many different answers so I ask you to select the best answer for your employer:

a) Have not ignored as this keeps me awake at night!

b) Please restate the problem, I cannot hear well with my head buried in the sand.

c) We passed our SOX audit so we checked this off the list!

d) We are informed of the challenge but we have a business to run and profits to make

e) Is this what internal audit and risk management has been telling us?”

For example, the “Average Joe Investor” does not care about “best order execution” or “smart order routing,” this is for “the big boys.”  As we all know, saving a few pennies or dollars per transaction to “Average Joe Investor” does nothing for them when their retirement nest egg is lost due to corporate greed and negligence.     The folks who “really care” about shaving a few milliseconds off market execution are the companies that are trading high volumes of exotic derivatives and baskets who have, for the most part, zero interest in the personal financial portfolio of “Jane in Iowa” or “Joe in Kansas.”

I am really amazed to see the dominance of greed in corporate America and the lack of corporate social responsibility.  Risk taking and “split second trading” does little for any small. individual investor and has proven to destabilize our society.    Who cares about saving a few pennies or dollars in market executive?

The answer: Only the greedy corporations, the same people responsible for the current destabilization, chao and near collaspe of our entire financial system.   Homes lost, unprecedented bankruptcies. and money market funds less than par value!   You no doubt have read that folks in the Reserve Money Market funds cannot even withdraw their “safe money.”  Investors in the Reserve Funds are being told that for every dollar they invested in a money market, they now only have 97 cents and cannot withdraw their capital as the Reserve waits for a government bailout.

What is to blame? Greed and profits over corporate social responsibility are to blame.

I read where some folks think the government needs to regulate market-related news, supposedly to stabilize trading based on news.   Regulating news has another name -  “censorship” - but who cares about the US Constitution when money and split second algo trading is involved?    I am amazed.   Folks in financial services just will say or do anything to make a buck, or keep from losing one, even at the expense of society and our basic constitutional freedoms.  News is not regulated in our democratic society, nor should it be to make algorithmic trading “better”.     What we need is less split second, computerized algo trading and more stablity.   Machine processing should not dicate nor mandate changes to our democratic principles.

Nor should our lives in a free society be censored or regulated because of the trading requirements for split second transactions that benefit large corporations.    The average investor does not need an unstable financial system trading exotic derivatives and baskets at the speed of light.  This requirement is driven by corporate greed that destabilizes the core economy and fabric of our society.

Of couse, many of the same folks would like for us to believe that technology is the answer.  This is a fallacy.

Corporate greed is destabilizing society.   What need to be regulated is not the news, but corporate risk taking and corporate goverance.  Individual investors do not need lightspeed transactions in an unstable world.   Citizens and families need a secure, stable economic infrastructure, something that has been lost in the culture of corporate greed, but hopefully not forever.

I have to admit that I was already a fan of Collins’ quantitative style blended with clever insight, but this was the first time that I had seen him in person, and he was just spectacular. He has a vivid, animated way of telling a story, and had a great sense of humor. This combination of presentation skill was put to immediate use with his first statement drawing a hearty laugh from the audience full of entrepreneurs.

“How many of you in the room are constitutionally unemployable?”

Much of his remaining presentation provided interesting stories and insight from the research that he has done to understand the make-up of exceptional companies.

As Jim said, he has spent years studying the contrast between average companies and exceptional companies. They faced the same set of variables… similar economic conditions, similar competition for top human resources, and a similar set of huge unknowns.

What is the single biggest element of difference?

Not a function of the cards you are dealt, or circumstance… it is conscious choice and discipline.

Jim’s key principles & disciplines that have come from the studies we have worked on:

1. Building greatness is a cumulative never ending process! The idea that no matter how exceptional, you are always only relatively as good as to what you can do next.
2. Most overnight successes are 20 years in the making…. Wal-mart  took 13 years to get to 125 stores. Starbucks required 17 years to get to 38 stores.

“If you start to break Packard’s law, and there are very few laws of business, it is like breaking a law of physics for building great companies.” - David Packard (Co-founder of HP)

If you allow growth to exceed your ability to get enough of the right people to fill the key seats to execute on the growth brilliantly, you will fall as surely as a stone dropped from your hand. This is one of those timeless truths that extends beyond technology and economics.

The number one constraint on growth and sustained success…

An ability to get enough of the right people in the key seats to achieve that sustained growth.

The discipline that WHO comes before WHAT. Collins always kept coming back to the “who” thing over and over again. He said, “The more turbulent the world, (given the great current economic uncertainty of our financial system) the more important this issue is.”

A question from the audience came near the end of his session… How do you figure out who are the right people to put in key seats on the bus?

Collins responded with “Given that I stand here amidst a room full of unmotivated people… the right people are self motivated, self disciplined, self managed, The task is not to motivate unmotivated people, the task is not to have to manage people… self motivated, figured it out from there… self motivated people don’t need tons of management … when you have to start managing, you know that you have the wrong person at the task.”

Final thoughts:

Greatness is not a function of circumstance. Greatness is a function of conscious choice and discipline. It is not a matter of circumstance, it is one of choices.

I believe that every one of the Inc. 500 companies that I met at this conference achieved the list because they did not embrace the status quo. Incredible passion, an unwillingness to accept failure and an excessive and compulsive willingness to solve customer’s problems were key ingredients in the business building formula for the entrepreneurs that were at the conference.