Security Beyond Borders™

Security & Risk Information for Resilient Individuals, Organizations and Communities

Posts Tagged ‘Risk Management’

Anarchism in the Age of Cyber

Posted by sbbcentcom on September 24, 2011

An important announcement from my LEO channel. I thought it important to share with everyone for monitoring:

For situational awareness, the following message (in italics) was posted online by the hacking group Anonymous:

Anonymous announces a nationwide “Day Of Vengence” to take place in dozens of cities across the USA on Saturday – September 24, 2011 at High Noon.

In coordination with these protests across the USA on September 24th, Anonymous and other cyber liberation groups will launch a series of cyber attacks against various targets including Wall Street, Corrupt Banking Institutions – and the NYC Police Department. We encourage the media to follow the Twitter feed @PLF2012 for ongoing reports throughout the day.

Additional public source information has identified possible targets of these attacks, to include entities in New York (state and city), public and private entities associated with the recent execution of Troy Davis in the state of Georgia, and law enforcement in general.

No further information is available at this time in regard to the specific nature, means, or potential targets of Anonymous’ plans for September 24th; however, in the past, Anonymous has engaged in distributed denial of service (DDoS) attacks, utilized SQL injection to gain unauthorized access to computer systems, conducted social engineering to gather personal identifying information, and released both personal information (i.e. “doxing”) and the contents of compromised systems (e.g. e-mail message content, passwords, etc.).

InfraGard members are encouraged to engage in information security best practices, such as using strong passwords, not reusing passwords, updating software to protect against known vulnerabilities, and ensuring that web-based applications are not at risk to attacks, such as SQL injection.

Posted in Geopolitics

Summer @ SBB

Posted by sbbcentcom on June 6, 2011

You may have noticed a drop in activity on this blog. I’ve been busy seeking alternative means of income through professional and entrepreneurial endeavors. As the sole contributor to this site, that meant sacrificing the time I normally dedicated to bringing you timely and actionable information—the staple of the site. Be that as it may, I’m refocusing attention to important areas of security by working on a posting series to be published over the next few months.

I promised you the content would not disappoint. Being active in corporate security circles has given me unique insights into ideas we’ve been espousing since the site’s inception. One such area I plan to drill down on is the role of security risk assessment in setting the pace for the strategic security plan.

Posted in Risk Assessment

Demystifying the Security Business Unit

Posted by sbbcentcom on December 30, 2010

By Francisco Mateo

Many organizations around the world have hired security professionals to man security departments. The reasons are obvious: in a fragmenting world, risks are ever more unpredictable. Companies can no longer sit around and wait for threats to inflict damage to their people, assets, reputations and brands (PARB), so they tap the professionals to do vulnerability and threat assessments and subsequently provide recommendations and action plans.

Security is unique among operations departments, looking at the organization horizontally, vertically and laterally for risks. That is why when the going gets rough the company honchos look to security for solutions. Just look at the services many companies expect to be provided by their security business partners: physical security for staff and assets, travel security, loss prevention, investigations, crisis management, executive protection, guard force management, just to name a few. It is an incredibly complex matrix of mission critical solutions expected from an understaffed, under-budgeted and overworked department. That is indeed the reality of the security suite today. The experts are in agreement that the security department is one of the business units that has suffered most since the economic downturn began. The key indicators tell the story, from hiring freezes across industries to low attendance at trade shows and reduced security technology spending.

Ever the optimists, security practitioners have set out to deal with the new normal, a fragmenting global economy, crushed by the weight of debt, underemployment and under-consumption, all having a detrimental effect on productivity and profit margins. There are also asymmetrical risks (illicit global business activities) working their way through from the periphery to the core of our global business environment. Through all of this the security suite must be a vanguard in understanding and mitigating its effects. Take for instance the trends in theft of hot commodity products and raw materials negatively affecting prices on one end and production cycles on the other, as well as infrastructure capacity. But who can ignore the chronic piracy problem on the Horn of Africa, a hydra of risk events affecting this vital route of global commerce, eroding confidence and creating global supply chain inefficiencies? You can rest assured there are many security suites at organizations large and small monitoring the gathering storm of violent protest in Europe driven by government austerity measures (and given the fragility in the state of global affairs) to determine the risk they represent and creating tactical plans to lessen the impact on their people and assets. It is this maelstrom of risk scenarios that fills a security executive’s agenda. It begs the question whether enough resources have been allocated to tackle these mission critical events. The answer may surprise you.

The truth is that there has been a new mantra in security, like any other service organization, for quite some time: “do more with less”. Despite the shrinking budgets, the security executive is challenged to manage a peak performance organization without skipping a beat from the plum times just a few years ago. Adopting efficient business operation methodologies like Lean Security has been paramount. Applying lean security principles requires focus on value-added activities on a continuous improvement loop that delivers results and enhances productivity. The simple process that keeps the security practitioner from lamenting the loss of budget allocation for important security investment and instead making it work just as well, if not better than before, is an act of lean thinking.

Allow me to illustrate the point: say you want to harness and enhance your security guard service’s return on investment (ROI). You identify which security guard activities cut across multiple functions. You zero in on building patrols, which from the outset offer a return on investment by reducing premises liability exposures, as well as leading to lower insurance rates. But this activity has greater potential as it can also be leveraged to cut maintenance cost. It is feasible that the retained security services staff would be trained and empowered to perform tasks such as: turning off lights and HVAC systems after hours; identifying defective building systems and calling for emergency service (elevators, data centers, electricity and water services, etc.); as well as turning off space heaters and coffee pots, which may elevate the risk of building fires. Such activities can reduce maintenance staffing cost, while constantly mitigating potential vulnerabilities. As you apply continuous improvement processes you determine some patrol routes only add time to the physical walk through, without the residual benefit previously described. The process is more effectively served with automation like adding an integrated CCTV with a zone-specific sensor array to enable virtual patrols of the area with clearly defined escalation protocols. The real power behind lean security principles is that they can be dynamically applied to asset protection (as previously exemplified) as well as people, reputation and brand protection problem solving.

The linchpin behind the successful application of these methodologies is reflective leadership, that is, when managers actively apply new ideas to transform on-going initiatives and concerns. We thrive under these difficult times because like other high performance organizations the security suite resides in a problem solving space, making us adept at evaluating personalities; constantly looking for collaboration opportunities (decimating silos); leveraging institutional synergies and culture. One of the reasons that executives at many organizations have come to rely on security professionals for mission critical activities at their outfits is because they’ve come to expect this level of transformational results.

It is quite evident when you look at the job descriptions for security managers at many organizations that they aim to obtain more than assurances. For the most part they’re not disappointed, but don’t make the mistake of expecting a pat on the back. Do expect however to be challenged at every juncture to demonstrate your worth regardless of the risk scenarios. For senior company executives the real issue is obviously one of perception: any threat to revenue and shareholder value can be partially transferred to the security suite with the expectation that it won’t hit the balance sheet. Unfortunately, as the pendulum has swung to bust cycles on the bursting of global financial bubbles, the security suite has been a prime target for trims. We are well prepared though. It does not change the basic fact that as our risk mitigation strategies improve (lower cost, greater output), and the economic recession deepens…insert your expected outcome here: _______________________________________________________________________.

Posted in Lean Security, Risk Assessment

Security Risk Management On-Demand

Posted by sbbcentcom on October 21, 2010

By Francisco Mateo

It appears to be prime time for corporate security units across Europe. During the last few months Greece, Portugal, Spain, France and England have seen a resurgence of labor protests as austerity measures are enacted to contain the onslaught of a worsening global economy. With that in mind it is important for security managers to prioritize strike and violent protest protocols and have their teams at the different facilities ready for any collateral or spillover risk from violent confrontation between protesters and police.

When strike action involves countrywide protest, road and critical infrastructure blockades, it is necessary that you help your supply chain team prevent disruptions by protecting en route cargo and seeking alternatives for continued operations. It is important that contingency plans be drawn in advance and that duties for carrying out specific actions under the plan are top of mind for each member of the team. Although many of the security decisions that need to be made at this time are situation-driven, your knowledge of internal business operations (clients, routes, labor and police leadership), as well as open-source intel, can give you the most leverage. In short, know the terrain and know the stakeholders, so that you can intelligently steer your contingency team and navigate clear of any risks your company may face.

Do not underestimate how much demand for third party service (cargo security escort) would peak during these times. My experience has been that, in anticipation of such events, the security departments must secure agreements with key vendors way in advance of such events to ensure preferential treatment when it is most critical. You don’t need to be psychic to know these protests have been brewing for a while and as a result of the burden the sustained economic recession has put on government’s purses. It is also very likely that these protests will continue to spread to other European Union member countries.

Another thing I want to share with you is that the protesters have shown signs of sophistication and a high degree of organization. Take into account the way protesters in France have aimed to provoke systematic disruption of critical supplies by blocking fuel depots and creating choke points against delivery where it is most needed. If you are responsible for risk management in the affected industry don’t forget to bring your A-game when crafting your response. If your organization lacks the leadership to tackle these risk management efforts then now may be a good time to consider hiring a knowledgeable and experienced security practitioner that can set a roadmap to protect your PARB.

Additional Recommendations:

  • Increase your operation’s alertness level; encourage staff to provide status updates of risk conditions, in and around the facilities and main routes, to your command center
  • Update your key contact list, and test communication systems
  • Keep a detailed activity log
  • Advise staff to be aware of localized bouts of unrest with the potential to result in violent confrontations
  • Also advise staff to avoid all demonstrations and if caught in the middle of a violent confrontation seek immediate safe haven in a predetermined location where assistance can be summoned
  • Have additional security staff on stand-by in case you need to ramp up your protective presence at any facility

Posted in Geopolitics, Supply Chain Security

Security Jobs Are Evolving

Posted by sbbcentcom on October 15, 2010

Over the last few years I’ve witnessed a transition of the security role within global organizations. The pace at which asymmetrical risks develop appears to have quickened and so have demands for the security practitioners to step up to the plate and lead preparedness and response efforts, often times on multiple fronts. When you mix in the cloud of a global recession, you should start to get the picture. No easy pickings these days.

What does this all mean from a strategic standpoint? For one thing, core physical security practices are not enough anymore, if they ever were. New trends have taken hold over the security suite; the practitioner is expected to navigate geopolitical rip currents, which more than ever shape an organization’s fortunes. You’re also required to develop meaningful relationships with Law Enforcement Agencies (LEA) and intelligence services, which in some locales means jumping right into a cesspool of corruption and double dealing.

If you follow security recruiting, like I’ve done over the years, for obvious reasons, you’d notice a shift in what companies believe to be important trade skills to tackle their most pressing needs. The security jobs I’m referring to focus heavily on key competencies like business acumen; conflict management; customer focus; interpersonal savvy; priority setting; time management; as well as problem solving. Most of all you have to bring an uncanny ability to blend these soft skills with more traditional hard-wired security experience.

Another major development over the last few years has to do with the location where talent is being sourced from. Companies are increasingly deploying talent at important business hubs. They’re being pushed to where company operations take place, which for a multinational organization is most likely in the global south. There is not only a greater concentration of company operations in some of these countries, but that’s also where they face the greatest challenges to protect their people, assets, reputation and brands (PARB). As a result of these transitions the composition of the security team is more reflective of the social makeup (ethnicity, gender, and age) of the countries where operations are based. I for one think this is a positive change since much current innovation in business overall has been emanating from emerging markets; the security suite is bound to get a boost as well. Unfortunately those of us who live closer to company HQ find ourselves at a disadvantage, which means that like our brethren from emerging markets we need to put on our thinking caps and flesh out a round of innovation to stay competitive. Of course these are mere observations from the periphery as there are experts in the thick of these mammoth changes going on in our profession who can provide a much deeper analysis. Part of staying current and having an opportunity to influence these changes is staying involved, networking and sharing your expertise with the general security professional community.

Posted in Risk Assessment, Trends-Periscope™

The Global Illicit Pharmaceutical Business; A Scourge of the 21st Century

Posted by sbbcentcom on May 14, 2010

“As much as fifty percent of the medicine sold on the Internet is counterfeit” – WHO

“Counterfeit medicine sales will reach seventy-five billion dollars worldwide this year” – CMPI

Have you consumed fake prescription drugs? Odds are you have purchased and ingested these concoctions at some point or another, especially if you live in a developing country, with their lax health regulatory environment and acutely corrupt institutions.

“The World Health Organization says the problem with counterfeit medicines is especially bad in Africa, Asia, Latin America and the Middle East. The W.H.O. estimates that up to thirty percent of the medicines on sale in many of those countries are counterfeit.” Up to now industrialized nations, like the United States, Canada, Japan and New Zealand, have kept the problem relatively under control, restricting fakes to approximately one percent of the total prescription and over-the-counter drug market. But that is no solace, judging from the effectiveness of counterfeiters in innovating their packaging and overall appeal online, as huge profits would provide the incentive to continue injecting these often deadly products into the drug supply chain, and in the process grabbing market share (competing as low cost substitutes, effective in a down economy) from legitimate drug companies.

The best weapon in the fake drug profiteers’ toolkit happens to be consumers’ ignorance of the real source of drugs they think will cure them or alleviate an ailment, products that could in reality be a toxic mix of chemicals and end up being expensive (cost in human lives/livelihood) placebos. The stakes are high for the pharmaceutical industry; these companies have had to come up with ways to make fake drugs easy to spot. After all, the most effective prevention and eradication method is to disrupt the consumer’s propensity to be duped by worthless and deadly knock-offs, whether they’re in the developed or developing world.

Combating counterfeit medicines is no walk in the park, as small, yet nimble organized crime groups (a loosely federated collection of manufacturers, distributors, and even marketing operations) are dedicated to this racket. They often use new media and social networks (for their anonymity and mass reach), which allows them to hawk their dangerous products while skirting the risk of ever getting caught. To confront this global illicit business the pharmaceutical industry would have to go beyond the technology solutions it has implemented and try the tried and true awareness campaigns to make consumers worldwide sensitive to the issue. In closing, I’d advocate bringing these campaigns to the criminals’ own turf, online and through social networks.

Posted in Product Counterfeiting, Supply Chain Security

High Stakes in the Protection of Corporate Secrets

Posted by sbbcentcom on April 13, 2010

Two headlines caught my attention recently. First, WikiLeaks, the open source intelligence dynamo, has been making headlines with the release of a most shocking video which they were able to decrypt using borrowed supercomputing time. On the other hand, there is a March Forrester research report on the state of protecting corporate secrets. Considering the report’s findings that “Compliance, not security, drives security budgets…Firms focus on preventing accidents, but theft is where the money is” and tying in the fact that activist organizations like WikiLeaks can pry open government secrets with such great dexterity, can you imagine what can happen to corporate secrets using the same means? Perhaps we’re witnessing that information power is shifting to the people. I have only one thing left to say: corporate grifters beware.

Is This the Future of Journalism? Why Wikileaks matters.  BY JONATHAN STRAY

The Value Of Corporate Secrets, How Compliance And Collaboration Affect Enterprise Perceptions Of Risk

Posted in Risk Assessment, Trends-Periscope™

Into the Wild!! An economist Does Security

Posted by sbbcentcom on February 3, 2010

I found this post from Miguel Angel Ferrer, Mexican writer, economist and self-taught security thinker (he should know a thing or two about the subject matter with all of Mexico’s ills in this respect), remarkable for its simplicity. In a few lines it takes us on a brief historical journey of how the fraud mindset has evolved, with some tips on improving your security posture. Read more below to learn from his insights:

 http://bit.ly/benEMd

Posted in Security Awareness

Happy New Year!

Posted by sbbcentcom on January 2, 2010

May this 2010 be the year of happiness, prosperity and good health for you and all the members of your tribe. It’s time to look deep inside and reach for that optimism that has lain just beneath the surface throughout the most trying year in quite some time.

I want to take this opportunity to remind regular and new visitors to this blog of the information resources available through links and subject-matter-expert researched articles published throughout 2009. The blog is dedicated to advancing knowledge in the global protection of People, Assets, Reputation, and Brands (PARB), by applying the right Strategies and Tactics. Both security practitioners and laypersons would find a wealth of information here to make their protection situation more resilient. The site is broken into five rubrics: Risk Management; Security Awareness; Travel Security; Crisis Management and Global Security Glossary. The aim is to organize the information logically into areas of expertise that would make a significant impact to those who choose to apply it. I encourage you to look around and more importantly contribute with your comments and suggestions for improvement. Expect great things from the site throughout 2010.

Francisco Mateo
Security Practitioner, Editor

Posted in Trends-Periscope™

What Does Money Laundering Mean for Multinational Corporations (MNCs)?

Posted by sbbcentcom on November 14, 2009

“The Black Market Peso Exchange system is the primary money laundering conduit used by Colombian narcotics traffickers in repatriating revenues to Colombia and is the single most efficient and extensive money laundering scheme in the Western Hemisphere…between $3 billion and $6 billion is laundered annually”

Prior to the notable money laundering scandals involving major financial institutions, many in the Multinational Corporation community did not take money laundering seriously or even associate the problem with their operations. Recent incidents and regulations have forced a major shift in perception about how money laundering can present serious risk to their operations and reputations.

The methods used by money launderers go as far as their imagination can drive them. There is really nothing they’re not willing to try to achieve their aims. According to Michael D. Shepard “MNCs, as well as any export companies are exposed to the risk of money-laundering schemes. Criminally derived funds may already be in the financial system, but that does not make them “clean.” Purchasing goods from a multinational corporation — or any company for that matter — can be considered money laundering if the ultimate source of funds is illegal activity and the requisite intent is present.” In other words companies must be aware of the sophisticated schemes devised by money launderers disguised as clients in a clever attempt to funnel dirty money from illicit activities.

One such money laundering system targeting manufacturers and distributors is the Black Market Peso Exchange (BMPE). According to Bonnie Tishchler from the US Customs Service, “The BMPE process starts with a peso broker. For a fee, these brokers arrange the financial transactions necessary to launder the drug cartels’ money. Broker activities include receiving and coordinating orders for money, locating sources of U.S. dollars, arranging pickups and directing placement of funds. Within the broker’s network are others who perform various services for a percentage of the broker’s earnings. Those working for the brokers pick up cash, buy money orders and checks, open checking accounts, transport and smuggle money, among other things.”

The primary market in Colombia for large blocks of U.S. dollars is Colombian importers. The Colombian government has strict currency controls and the only way to get US dollars in Colombia was to buy them from government banks. These government banks also asked lots of questions about what was being bought with the dollars and whether import tariffs would be paid. So a nascent black market economy flourished with importers eager to get cheap goods circumventing the heavily regulated foreign exchange market, as well as the customs tariffs, and drug traffickers, not the ones to give up an opportunity to turn their dirty dollars into clean pesos.

Together a motley crew of characters has turned some of the most well known MNCs into unwilling participants of their schemes. The authorities first became aware of the elaborate system by studying trade patterns in the tobacco industry, but anti-money laundering (AML) authorities soon began to track drug money to the bank accounts of many of the largest US MNCs. Companies in the global trade of appliances, cigarettes, liquor and other products are exposed to this mode of money laundering. A common thread among the products and industries targeted is an apparent appetite for high end products which would normally pay high tariffs in Colombia.

The most likely scenario in which MNCs can fall victim (willing or unwilling) to money laundering is through the payments for goods made with illegitimate funds: the corporation and/or its products may be used by criminals in the process known as “layering” — distancing the ill-gotten gains from the criminal activity by moving it further from the illegitimate source.

For their part the MNCs have argued in court that they were innocent owners of the drug funds and the government gave the money back. The US Justice Department has taken the tactic that it is better to seize the money, educate companies and try to get their cooperation to fight the black market peso exchange. In some cases, the Justice Department asked companies to sign a “Consent Decree” saying that the company now understood this problem and would never be able to claim innocence if it happened again. 

Thereafter MNCs could be charged with and convicted of money laundering under federal statutes that make it a crime to engage, or attempt to engage, in a financial transaction knowing that the property used in the transaction represents the proceeds of some form of unlawful activity. Furthermore, according to former IRS investigator Michael McDonald, “there’s a legal principle called Willful Blindness, which means if you totally disregard all the facts and circumstances that would lead you to believe and know that this is illegal money, that’s the same as knowing it’s illegal money.”

The costs of a money-laundering conviction can be significant. Penalties can include a fine of $500,000 or up to twice the amount of the criminally derived property involved in the transaction (whichever is greater), and/or imprisonment of up to 20 years. Legal and post-event remediation costs can be staggering. Reputational damage can be incalculable.

Prevention Strategies

Like financial institutions, MNCs should adopt AML programs that include policies and procedures, training and compliance protocols in their mitigation strategies.  More importantly under the Federal Organizational Sentencing Guidelines, implementation of corporate compliance and training programs can help avoid or minimize prosecution and civil money penalties when employees commit wrongdoing in violation of those policies. 

One of the most effective risk mitigation factors in an AML program, especially for MNCs in light of the trade-based schemes often used by money launderers, is a comprehensive and risk-based “Know Your Customer” due diligence program.  When evaluating the risk for money laundering, MNCs should consider at least the following factors when dealing with potential customers, clients, vendors, business partners and even outside sales representatives:

  • Who are the owners of the entity?
  • Is there any negative news about them or the entity?
  • What is the entity’s source of funds?
  • Is the entity located or operating in a high-risk area for fraud, corruption, drug trafficking and/or money laundering?
  • How long has the entity been in business?
  • Does the entity have a physical address?
  • What are the entity’s business model, sales volume and revenue?
  • Who are the entity’s customers?
  • What is the entity’s level of transparency and willingness to provide information?
  • What is the entity’s legal structure?
  • Can the entity’s existence be verified through searches of publicly available documentation and databases?

As far as reporting is concerned, once KYC due diligence has been performed and documented, monitoring transactional activity will help detect unusual patterns of customer behavior. Questions to consider:

  • Is this transaction unusual in and of itself?
  • Is this transaction, when aggregated with the customer’s other transactions, unusual or suspicious?
  • Is this transaction comparable to transactions for other customers in the same geography?
  • Is this transaction comparable to transactions for other customers of the same size/business model?

As with financial institutions, MNCs may be able to use existing systems, create risk-based rules against which to evaluate transactions, generate alert reports showing patterns of activity that should be of interest and develop investigative protocols to determine if the activity is indeed suspicious and possibly tied to money laundering or other illegal activity.
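The four monitoring questions above can be expressed as risk-based rules that produce an alert report. The following is an added example, not part of the original post; every threshold, field name and sample transaction in it is a constructed assumption, and real values would come from an organization's own risk assessment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str   # customer of record on the invoice
    payer: str      # party that actually remitted the funds
    region: str
    segment: str    # size/business-model bucket
    amount: float
    day: date

# Assumed thresholds (illustrative only).
SINGLE_LIMIT = 10_000   # Q1: a single payment this large is reviewed
WINDOW_DAYS = 7         # Q2: look-back window for aggregation
AGG_LIMIT = 25_000      # Q2: total within the window that triggers review
PEER_FACTOR = 5.0       # Q3/Q4: multiple of the peer median
MIN_PEERS = 3           # Q3/Q4: minimum peer transactions needed to compare

def peer_outlier(txn, txns, key):
    """True when txn is far above the median payment of OTHER customers
    that share the same region or segment (selected by `key`)."""
    peers = [t.amount for t in txns
             if getattr(t, key) == getattr(txn, key) and t.customer != txn.customer]
    return len(peers) >= MIN_PEERS and txn.amount > PEER_FACTOR * median(peers)

def evaluate(txns):
    """Return {txn_id: [rule names]} for every transaction that raised an alert."""
    alerts = defaultdict(list)
    for t in txns:
        # Q1: is the transaction unusual in and of itself?
        if t.amount >= SINGLE_LIMIT:
            alerts[t.txn_id].append("large_single")
        if t.payer != t.customer:
            alerts[t.txn_id].append("third_party_payer")
        # Q2: unusual when aggregated with the customer's other transactions?
        window = [o for o in txns if o.customer == t.customer
                  and timedelta(0) <= t.day - o.day <= timedelta(days=WINDOW_DAYS)]
        if (len(window) > 1
                and all(o.amount < SINGLE_LIMIT for o in window)
                and sum(o.amount for o in window) > AGG_LIMIT):
            alerts[t.txn_id].append("structured_aggregate")
        # Q3: comparable to other customers in the same geography?
        if peer_outlier(t, txns, "region"):
            alerts[t.txn_id].append("peer_outlier_region")
        # Q4: comparable to other customers of the same size/business model?
        if peer_outlier(t, txns, "segment"):
            alerts[t.txn_id].append("peer_outlier_segment")
    return dict(alerts)

# Constructed sample ledger; names and amounts are invented for the example.
SAMPLE = [
    Txn("T1", "dist-01", "dist-01", "CO", "distributor", 4000, date(2009, 3, 1)),
    Txn("T2", "dist-02", "dist-02", "CO", "distributor", 5000, date(2009, 3, 2)),
    Txn("T3", "dist-03", "dist-03", "CO", "distributor", 4500, date(2009, 3, 3)),
    Txn("T4", "dist-04", "broker-x", "CO", "distributor", 9000, date(2009, 3, 4)),
    Txn("T5", "dist-04", "broker-x", "CO", "distributor", 9500, date(2009, 3, 6)),
    Txn("T6", "dist-04", "broker-y", "CO", "distributor", 9800, date(2009, 3, 8)),
    Txn("T7", "dist-05", "dist-05", "CO", "distributor", 60000, date(2009, 3, 5)),
    Txn("T8", "dist-06", "dist-06", "PA", "distributor", 5200, date(2009, 3, 5)),
]

if __name__ == "__main__":
    for txn_id, rules in sorted(evaluate(SAMPLE).items()):
        print(txn_id, ", ".join(rules))
```

An alert here is only a prompt for the investigative protocol the paragraph describes; it is not a finding that the activity is suspicious.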

AML programs require a multi-discipline approach, which means that subject matter experts from legal, finance, security/investigations, compliance as well as sales should be part of a team working under the direction of the executive board. The working team should have long term objectives, as the risk of money laundering to MNCs doesn’t simply go away with the stated countermeasures, but morphs into different M.O.’s as organized crime has been notoriously able to do.

In closing, MNCs may have been caught by surprise by clever money laundering schemes, which are indeed very subtle in their execution. But once the veil has been lifted, MNCs can no longer claim ignorance and would instead face hefty fines and even criminal prosecution under AML laws, if such regulations are in place in their home countries. To avoid the eventual damage to their reputation that may result from prosecution MNCs must gain superior knowledge of their organization’s transactions through due diligence and know your customers program.

Posted in Due Diligence, Risk Assessment