Risk Management BUILD WALLS, I WILL GET AROUND THEM
Abraham Lincoln
THE ENEMY WITHIN
“At what point then is the approach of danger to be expected? I answer, if it ever reach us, it must spring up amongst us. It cannot come from abroad. If destruction be our lot, we must ourselves be its author and finisher.”
THE ENEMY WITHOUT
“If I had eight hours to chop down a tree, I’d spend six hours sharpening my ax.”
Family of hackers
HACKER? CRACKER? BLACK HAT? SCRIPT KIDDIE? INSIDER?
Our own survey 2013 - regulatory
GOOD REASONS TO ORGANISE
- More than 2/3 reported greater scrutiny from regulators in 2012
- 20% had faced an issue which led to a regulatory or internal investigation in the last twelve months
- 1/3 anticipate they will face greater risk in 2013
- 80% engaged a technology vendor to help identify instances of malfeasance and, in the event of an investigation, to allow them to retrieve and sift through data quickly and cost-effectively
Greater China Risk Environment
- Traditionally, security risk in China is rated as “low”
- At a macro level, much of China is rated as a “medium” risk
- The medium operational and political risk environment is affecting the security environment within China
- Aspects of the security environment therefore pose challenges to business
- Three significant operational issues are having a direct impact on security:
  - labour and commercial disputes during restructuring
  - information security and protection of intellectual property
  - integrity risks that attract security risks
- These concerns appear alongside the ongoing need to improve physical security, supply chain integrity and business resilience
China Corporate Restructuring - risks
Government
1. Bureaucratic/regulatory delays and complications
2. Government retaliation
3. Inconsistent government support
4. Intellectual property theft
Labour
5. Legal and procedural difficulties
6. Unrest and protests
7. Industrial action
8. Denial of access
Direct threats
9. Illegal detention
10. Coercive bargaining
11. Physical intimidation and threats
[Risk matrix on the slide: consequence (Insignificant, Minor, Moderate, Major, Extreme) against likelihood (Rare, Unlikely, Credible, Likely, Almost certain), with risks 1-11 plotted on it; the plotted positions are not recoverable from the transcript]
Pro-active Measures
Broad Measures
- Strategic audit and review
- Anti-corruption training and compliance
- Due diligence (on partners, agents, suppliers etc.)
- Compliance lines and whistleblowing
- Risk assessment
- Practical guidance on detecting ABC (anti-bribery and corruption) red flags and resisting bribery
- Endorsement by the board/leadership (tone from the top)
Electronic Evidence Measures
- Email usage policies
- Social networking usage policies
- Data archiving and destruction policies
- Litigation hold measures
- Data identification and mapping
Examples of keywords suggesting fraud?
How to get the evidence suggesting motivations?
Lexical analysis: keywords mapped to the three elements of the fraud triangle
PRESSURE KEYWORDS
Meet the deadline, make sales quota, under the gun, problem, committing, creative, concern, not sure, spread, revise
OPPORTUNITY KEYWORDS
Override, write off, recognise revenue, correct, appropriate, reserve, misconduct, departing, discount, difficult, fail, critical
RATIONALISATION KEYWORDS
It’s ok, sounds reasonable, I deserve, therefore, find out, get back, find it, figure out, catch, doesn’t make sense
(On the slide, keywords in red were drawn from case experience and keywords in green are second-level terms; the colouring is not preserved in this transcript.)
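The keyword lists above lend themselves to a scoring pass over a mailbox export. What follows is an added example, not code from the presentation: it matches each message against the three lists, counts how many elements of the fraud triangle a message touches, and ranks messages for a reviewer. The matching rules (whole-word, case-insensitive, hyphen or whitespace between words of a phrase), the two-of-three flagging threshold and the sample messages are assumptions of this example.

```python
"""Added example, not from the presentation: scoring messages against the
pressure / opportunity / rationalisation keyword lists on the slide.
The lists are the slide's; the matching rules, the two-of-three flagging
threshold and the sample messages are this example's own assumptions."""
import re

# Keyword lists as given on the slide, grouped by fraud-triangle element.
KEYWORDS = {
    "pressure": ["meet the deadline", "make sales quota", "under the gun", "problem",
                 "committing", "creative", "concern", "not sure", "spread", "revise"],
    "opportunity": ["override", "write off", "recognise revenue", "correct", "appropriate",
                    "reserve", "misconduct", "departing", "discount", "difficult",
                    "fail", "critical"],
    "rationalisation": ["it's ok", "sounds reasonable", "i deserve", "therefore",
                        "find out", "get back", "find it", "figure out", "catch",
                        "doesn't make sense"],
}


def _compile(phrase: str) -> "re.Pattern":
    """Whole-word, case-insensitive match; the words of a phrase may be separated
    by whitespace or a hyphen ("write-off"). A word boundary on both ends means
    "problem" does not fire on "problems"; stemming is a refinement left out here."""
    words = [re.escape(w) for w in phrase.split()]
    return re.compile(r"\b" + r"[\s\-]+".join(words) + r"\b", re.IGNORECASE)


PATTERNS = {cat: [(kw, _compile(kw)) for kw in kws] for cat, kws in KEYWORDS.items()}


def normalise(text: str) -> str:
    """Curly apostrophes from mail clients would otherwise miss "it's ok"."""
    return text.replace("\u2019", "'").replace("\u2018", "'")


def scan(text: str) -> dict:
    """Return {element: [keywords present, in list order]} for one message."""
    text = normalise(text)
    return {cat: [kw for kw, pat in pats if pat.search(text)]
            for cat, pats in PATTERNS.items()}


def score(text: str) -> tuple:
    """(number of triangle elements hit, total keyword occurrences).
    A message touching all three elements ranks above one with many hits
    in a single element."""
    text = normalise(text)
    elements = sum(1 for found in scan(text).values() if found)
    total = sum(len(pat.findall(text)) for pats in PATTERNS.values() for _, pat in pats)
    return elements, total


def triage(messages, min_elements: int = 2):
    """Rank messages by score; flag those hitting at least min_elements
    elements (assumed threshold for a reviewer to read the message)."""
    ranked = sorted(messages, key=score, reverse=True)
    return [(m, score(m), score(m)[0] >= min_elements) for m in ranked]


# Constructed sample messages (not real correspondence).
SAMPLES = [
    "Lunch at noon?",
    "Can you revise the board deck before Thursday? Not sure the numbers are right.",
    "We have to make sales quota this quarter. If we recognise revenue on the "
    "Q4 deal early it\u2019s ok, everyone does it.",
]

if __name__ == "__main__":
    for msg, (elements, hits), flagged in triage(SAMPLES):
        print(f"{'FLAG' if flagged else '    '} elements={elements} hits={hits}  {msg[:60]}")
```

The third sample hits one keyword from each list and is flagged; the second hits two pressure keywords but nothing else and is not, which is the point of counting elements rather than raw hits. Single words such as "correct" or "catch" are noisy on their own, so in practice the element count is the ranking key and the total hit count only breaks ties.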
Slack space - slack habits
THE 3 GOOD “C”S - Care, control and chain of custody
THE 3 BAD “C”S - People are candid, casual and careless from time to time
Chain of custody - signed documentation recording each time the evidence moved or changed hands
Tell-tale signs: digital currency, IP addresses, deleted data, USB history
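The chain-of-custody point above can be made concrete. What follows is an added example, not from the presentation: a hash-chained, custodian-signed custody log for one evidence item, with a verify step that shows what each kind of tampering looks like. The evidence bytes, custodian names, HMAC keys and timestamps are constructed for the example; a real system would use per-person asymmetric keys rather than shared HMAC secrets.

```python
"""Added example, not from the presentation: a tamper-evident chain-of-custody
record for one item of digital evidence. Each entry commits to the evidence
hash and to the previous entry, and is signed by the custodian who made it.
The evidence bytes, custodian names, keys and timestamps are constructed
for the example; a real system would use per-person asymmetric keys."""
from __future__ import annotations

import copy
import hashlib
import hmac
import json

# Constructed evidence item (in practice: a forensic image, mailbox export, etc.).
EVIDENCE = (b"From: cfo@example.test\r\nSubject: Q4 numbers\r\n\r\n"
            b"Release the reserve now, we can correct it next quarter.\r\n")

# Assumption: each custodian holds a personal signing key (HMAC for brevity).
CUSTODIAN_KEYS = {
    "a.lee (forensics)": b"constructed-key-for-a.lee",
    "b.chen (legal)": b"constructed-key-for-b.chen",
}

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    """Deterministic serialisation of the committed fields (hash and signature excluded)."""
    fields = {k: v for k, v in entry.items() if k not in ("entry_hash", "signature")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(custodian: str, entry_hash: str) -> str:
    return hmac.new(CUSTODIAN_KEYS[custodian], entry_hash.encode(), "sha256").hexdigest()


class CustodyLog:
    def __init__(self, evidence_id: str, evidence: bytes):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence)  # taken once, at acquisition
        self.entries = []

    def record(self, action: str, custodian: str, timestamp: str, note: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "evidence_id": self.evidence_id,
                 "evidence_hash": self.evidence_hash, "action": action,
                 "custodian": custodian, "timestamp": timestamp, "note": note,
                 "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(canonical(entry))
        entry["signature"] = sign(custodian, entry["entry_hash"])
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> tuple[bool, str]:
        """Check the item against the acquisition hash, then walk the chain."""
        if sha256_hex(evidence) != self.evidence_hash:
            return False, "evidence hash mismatch: item altered after acquisition"
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or e["evidence_hash"] != self.evidence_hash:
                return False, f"entry {i}: chain break (entry removed, reordered or re-pointed)"
            if e["entry_hash"] != sha256_hex(canonical(e)):
                return False, f"entry {i}: committed fields were edited"
            key = CUSTODIAN_KEYS.get(e["custodian"])
            expected = sign(e["custodian"], e["entry_hash"]) if key else ""
            if not hmac.compare_digest(e["signature"], expected):
                return False, f"entry {i}: signature does not verify for {e['custodian']}"
            prev = e["entry_hash"]
        return True, "ok"


def build_log() -> CustodyLog:
    log = CustodyLog("EX-2013-0042", EVIDENCE)
    log.record("acquired", "a.lee (forensics)", "2013-03-04T09:12:00Z", "exported from mail server")
    log.record("transferred", "b.chen (legal)", "2013-03-05T14:30:00Z", "for privilege review")
    log.record("returned", "a.lee (forensics)", "2013-03-08T11:05:00Z", "review complete")
    return log


def tamper_demo() -> dict:
    """verify() outcome for the clean log and for three kinds of tampering."""
    log = build_log()
    out = {"clean": log.verify(EVIDENCE)[0]}
    # 1. the evidence itself is changed after acquisition
    out["altered_evidence"] = log.verify(EVIDENCE.replace(b"now", b"later"))[0]
    # 2. a custody entry is rewritten (who had it, when)
    edited = copy.deepcopy(log)
    edited.entries[1]["custodian"] = "a.lee (forensics)"
    out["edited_entry"] = edited.verify(EVIDENCE)[0]
    # 3. a middle entry is removed from the log
    truncated = copy.deepcopy(log)
    del truncated.entries[1]
    out["deleted_entry"] = truncated.verify(EVIDENCE)[0]
    return out


if __name__ == "__main__":
    for case, ok in tamper_demo().items():
        print(f"{case:17s} verify -> {ok}")
```

The verify step catches a changed item, an edited entry and a removed middle entry. It does not catch removal of the most recent entry, because nothing after it points back to it; that is why the latest entry hash has to be anchored outside the log (written on the signed paper form or countersigned at each handover), which is the "control" part of the three good Cs.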
Four horsemen of the social apocalypse
SOCIAL ENGINEERING - manipulating a person into giving you personal and sensitive information
FRAUD SCHEMES - using social media to advertise fraud schemes and investment vehicles, presented as legitimate offerings to trap and entice potential investors. Another possibility is using a fraud scheme to offload counterfeit or stolen goods.
PHISHING SCHEMES - social media used to gather IDs and passwords to commit identity theft. Fraudulent links are sent to the followers / friends of an account in the hope they will click on them and be prompted to enter passwords.
DATA MINING - companies collecting vast amounts of information which is sold either for advertising or market research purposes.
Social media
- Smaller companies are more likely than large ones to have a policy
- 71% of mining, oil and gas industry employers prohibit any use of social media
- 70% of recruiters and hiring managers use social media to review online information about potential hires
- Cisco produced a report stating that 64% of college students would ask about social media usage in a job interview
- 59% of companies in the media industry encourage the use of social media
- 53% have a formal policy on social media: 65% in retail, 62% in manufacturing, 59% in business support, 31% in real estate, 29% in construction, 36% in wholesale trade
Social networking
- Destroys productivity
- Loss of confidential data
- Misuse of personal data and privacy concerns
- Damage to brand or reputation
- Casual manner of use
- Once disclosed, hard to prevent dissemination
- Employees become publishers
- Burden of preservation for regulatory / legal purposes
- Spoliation of evidence once created
Kill or control?
China: Sina Weibo
- Launched 14 Aug 2009
- 56.5% of the microblogging market
- 300M registered users
- Similar penetration to Twitter in the US
- 100M messages / day
- English version to be further developed (subject to CN law)
China: Sina
- 86% of blogging time in China
- Tencent may be catching up - stats unreliable
- Verification for “known person” users (similar to Twitter)
- Top 100 users have 485M followers
- 5,000 companies use it
- 2,700 media organisations use it
- Blocking of blacklisted terms (manual and automatic)
Hide and follow
- Jan 5, 2012: Sina launched the hide-and-follow function
- A user no longer shows up as a follower; following is secret
- Cyber-stalking issue
- Sensitive words list
- Twitter proxy use (Several Regulations on Microblog Development and Administration, enacted by the Beijing Government, apply)
Who is talking to whom
[Two network diagrams on the slide] LEFT: top ten fans of one person’s Weibo blog in any given week. RIGHT: potential fans who commented on and republished this blogger’s posts (some may be zombies). Also shown by geography.
“Real name” policy
- March 16, 2012: Sina, Sohu, Netease and Tencent require users to register a name which corresponds to their government ID card
- March 19, 2012: rumoured “fake number generator” issues
- Information stored in the identity database for biometric ID cards includes work history, educational background, religion, ethnicity, police record, medical insurance status, landlord’s phone number and personal reproductive history
Unstoppable storm
围脖 (wéibó, literally “scarf”, the homophone netizens use for 微博 Weibo): a scarf around the neck (or a noose?)
People problems
- You + your top guys
- Your travellers
- Your help desk
- Sub-contractors / distributors
- Social engineering
- Social media
- IT updates
- Aggressive reuse policy
- Lack of corporate education
- Move away from BlackBerry (preference)
- Data storage / cloud
Vulnerabilities
- USB
- Wifi
- Bluetooth
- VPN
- Mobile devices
- Windows update / other user-installed updates
- Locally stored data
- Passwords (brute force attack)
- Identity theft / keylogging
- Spear phishing / whaling
A security specialist recently said, “Interested in credit card theft? There’s an app for that.”