Download each from the Federal Register public inspection desk

Alternatively, download the documents (PDF) directly:

1. Medicare and Medicaid Programs: Electronic Health Record Incentive Program
2. Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology

Comments and insights welcomed,

James DeLuccia

Central to Avalanche’s success is its use of fast-flux botnets to host phishing sites. The use of peer-to-peer communications makes it impossible for a single ISP or hosting provider to to pull the plug on the infrastructure. The gang also excels at launching attacks from a relatively small number of domain names that often appear confusingly identical to each other, such as 11f1iili.com and 11t1jtiil.com. Those abilities also fuel the success.
There were 126,697 phishing attacks during the second half of 2009, more than double the number in the first half of the year or from July through December of 2008, the APWG report said. Avalanche, which was first identified in December of 2008, was responsible for 24 percent of phishing attacks in the first half of 2009 and for 66 percent in the second half. From July through the end of the year, Avalanche targeted the more than 40 major financial institutions, online services, and job search providers.

In addition, the domains / IP addresses hosting these malicious sites break down in the following manner (demonstrating how important global controls are important):

Of the 28,775 phishing domains, we identified 6,372 that we believe were registered maliciously, by the phishers. Of those, 4,141 (66%) were registered by Avalanche. Virtually all of the other 22,403 domains were hacked or compromised on vulnerable Web hosting. Malicious registrations apparently took place in just 51 TLDs.

The takeaways here are the following (please comment on other perspectives):

1. By centralizing / controlling the Phishing attacks Avalanche is gaining rapid knowledge of target infrastructures; security defenses; and massive amounts of intellectual property that can be re-deployed in future attacks against other parties (or for sale).
2. Expansion of these attacks resulting from the accumulation of such knowledge combined with the 700 million + records of sensitive data on consumers creates the opportunity for a massive spear-phishing campaign
3. The leveraging of dynamic hosts and botnets is introducing a frontier whereby we can no longer have black lists / white lists as a simple solution.  In addition, the idea of perimeter defenses and trusted site-to-site open VPNs is drawn into question.

The evolution of these attacks is expanding, as the evolution of worms demonstrated.  Malware artists generally go from proof of concept -> proof of distribution -> proof of non-detection -> proof of percision.  It is the crossing from distribution to non-detection and then precision that has the highest rewards for attackers.  Safeguards for companies should consider social approaches.  People are the target here, and technology cannot block every attack.  Organizations could consider process and people as their main line of defense.  This in partnership with mature detection and response capabilities will limit the impact of any embedded threat.

Thoughts?

James DeLuccia

• Here is a link to the nice summation of the presentation at Forrester
• Here is a link to the remarks online
• Here is a link to the slides (pdf):

Thoughts?

James DeLuccia

Given that - here is the direct link to download the Design Exposure Draft for COBIT 5.0, and here is the questionnaire for you to fill out afterwards.  It is a short 16 pages in length (compared to the hundreds the final iteration will possess), but it is exceptionally important that this document reflect the correct direction.

Best,

James DeLuccia

• The definition of Data Governance is often different for different people throughout the organization

Creating a great opportunity to establish relative context and personal ownership across the myriad divisions and geographies of the business

• 36.4% think the chief information officer (CIO) should be the sponsor and accountable for data governance in an organization

Full accountability I accept, but responsibility must be across those that have personal and business concerns directly related to Data Governance

• 15.5% consider data asset specification optimization as a top problem

Reading these findings I cannot help but hear a certain management guru seeking to hear the contrarian position.  This is not to say that Data Governance is bad or good, but perhaps provide supplemental support to a very difficult challenge.
A great challenge of Data Governance is shifting culture and human behavior to instill control around the data in question.  An interesting approach would be to seek to find what is already being done within the business operations that can provide a control and monitor with some form of natural feedback.  This would allow for data governance to occur naturally relative to every organization, while allowing for a broad adoption across the board with low cost impact.

Such controls can be found in the manner in which data is accessed from the databases and file servers.  Controls can be pulled from how the desktop / laptops are deployed and supported.  This approach looks at the entire business as a system, and can allow for controls to be recorded.  In essence, the objective is to (at least partially) establish data governance and spot level controls without labeling a new server / gadget / process as data governance.
Again, this is not an argument against a mature and prudent data governance program across an enterprise, but simply an identification of possible supplemental avenues that can bring those greatly desired early wins.

Other contrary native controls?

Reflectively,

James DeLuccia

The notice stated that personal health records; financial account information; data protected by PCI DSS, HIPAA, and HITECH; and other PII data records were available and discovered by the FTC to be exposed.

These notifications are a great step however, as they provide business with awareness and guidelines on reducing the threat and provide guidance on how to minimize the impact of these data breaches.  Unfortunately, as these file sharing systems go - the data is likely released permanently and the owners of this information will need to establish monitoring and preventive measures moving forward.

A few things suggested by the FTC on protecting sensitive information from being exposed to P2P networks include:

• Delete sensitive information you don’t need, and restrict where files with sensitive information can be saved.
• Minimize or eliminate the use of P2P file sharing programs on computers used to store or access sensitive information.
• Use appropriate file-naming conventions.
• Monitor your network to detect unapproved P2P file sharing programs.
• Block traffic associated with unapproved P2P file sharing programs at the network perimeter or network firewalls.
• Train employees and others who access your network about the security risks inherent in using P2P file sharing programs.

In addition, the use of personal computers and smart devices (PDA, Ipod Touch, Iphone, Android device, iPad, etc…) should be carefully reviewed and their use defined.  The velocity of data creates a need for DLP at multiple points.  As the utility of such devices increases, the need for managing this information and protecting it will also increase.

Thoughts on how to minimize the release to P2P networks?

- James DeLuccia

Points that should be carefully considered:

“One challenge to improving risk management systems has been poor integration resulting from multiple mergers and acquisitions”

This is especially dangerous considering that many businesses choose to operate separately initially to insulate interruptions to the business at large.  Information systems are generally incompatible at the beginning of any integration.  This is due to the lack of pre-planning and enterprise M&A integration methodologies within the acquiring firms.  Organizations should take immediate action if they have acquired entities without consolidating these technology systems, or at the very least routing ALL traffic, logs, compliance controls, and processes through the acquiriing entity.  This creates both friction and a need for efficiency - two very powerful forces that will result in immediate transformation of these information technology environments, in the right direction.

“…acquisitions over the years have produced an environment in which static data are largely disaggregated”

This effects the ability to ensure daily consistent delivery of data and information technology services.  In addition, historic activity is just as important in managing current data environments.  Lacking such clarity and statistics requires executives to manage blindly without any context and sensible barometer of delivery and achievable commitments.

“…certain products and lines of business have not been included in data aggregation and analysis processes”

Technology historically has been disconnected from the business delivery objectives, and actual exclusion of specific products and businesses only ensures budgets will be misplaced; service will be inappropriate; and risks will not be addressed properly (if at all)

“…two systems for the same business results in duplication of processes”

This finding simply highlights waste - waste in resources; talent; time; bandwidth; budget, and brainpower.  In an age of interconnected capabilities such requirements for dual systems should becoming sparse and rare.

An interesting message echoes throughout the report was risk managements lack of complete visibility into the firms’ risks.  A point that is both similar in nature and impact to CIO and Technology executives alike.  How well do we professionals truly understand what is happening and has happened within the business information systems?  Is all the data that is pertinent provided and managed?  Peter Drucker would certainly ask - Are you fully aware of the system (not the one computer or the e-transactions, but the technology system as a whole)?  Are you making choices based on all the right information, or based on the information you have (right or wrong)?

The crossovers from professional risk management and technology leadership are clear, striking, and very relevant.  It is prudent that today’s leadership is aware and armed with the skills across many trades - risk management in particular - to truly leverage the centuries of experience that exist within arms reach.

Additional perspective - please leave a comment,

James DeLuccia IV

Check out my other thoughts here on IT Controls and PCI DSS

A recent survey, albeit funded by a GRC vendor, conducted by the Aberdeen Group reinforces the returns corporations receive through adopting GRC into their organizations.  I find these results to be in-line with my own personal experience.  The link to the press release is here.  A quick bit of the numbers they highlight include:

Some of the main results pointed out by the research shows that Best-in-Class companies:

1. estimated that business-critical decisions are made 10% faster, based on improved management visibility into current risks.

2. eliminated redundant risk management activities and processes, with a reduction of 8.5%.

3. improved efficiency of their compliance tracking and reporting processes by 12% and their ability to provide clear, timely communication of risks and compliance status to shareholders and board of directors.

4. increased their flexibility to adjust to new or updated regulatory requirements by 11.5%.

I strongly encourage organizations to develop a culturally correct IT Governance process and create an ongoing GRC initiative.  Only when technology, business risk, and innovation are moved together can organizations truly capitalize on the benefits of their existing assets.

A separate report, Managing Risk, Improving Visibility, and Reducing Operating Costs was released in May 2009 which is also quite good and highlights the IT GRC benefits.  As with any industry report, be aware of the samples, scope, sources, funding for report, and how your organization differs and is similar in nature.

Other considerations?

James DeLuccia IV

(Please note, I was unable to locate the actual report beyond the broken link in the press releases.  I will check periodically and see if I can locate it when it becomes available.  If you find it, please post a comment and I will update here)

• Right to Audit clauses to ensure operations meet marketing materials
• Background check summaries on contractors
• AV and Malware running on contractor systems (or in the U.S. government, no p2p)
• Vendor management procurement procedures

Awareness is necessary for when these jobs begin to be sourced through open market places.  The fidelity of the business providing the services, protection of intellectual property, and the proper review of software against best practices is only the beginning of the new and expanded risks that must be considered.
Businesses and leaders should certainly embrace these open markets that allow greater access and better price transparency, but it must be done in a manner that reflects the risk capability of the business to ensure a balanced operating environment.

Additional thoughts and ideas on best practices for vetting outsourcing vendors?

James DeLuccia IV

Fraud is up on a worldwide basis.  The attacks and scams are increasing, and it is occurring across all sectors.  An excellent breakdown the “KPMG Forensic Fraud Barometer” states that fraud for the UK and areas that over 1.1 billion Pounds of fraud have come to court in 2008.

The Association of Certified Fraud Examiners (ACFE) has a great amount of detailed statistics here, a nice simple guide for small businesses seeking to minimize/prevent fraud, and a nice bit of information on the past ACFE fraud conference (highly recommended)

We are definitely seeing these frauds perpetrated in common channels - such as in Las Vegas at Conferences (below are several links to articles referring to two ATMs found during the DefCon 17 Conference - very interesting read):

• Hack a Day Article
• Engadget Article
• Slashdot Article
• Computerworld Article
• Wired Article

In addition organized crime groups are also leveraging the technologies of today (Facebook, twitter, SMS) - and the attack vectors (i.e., phishing).

Protection; Prevention; Detection:

1. Being aware of trends is vital to erecting current and appropriate (even if temporary) safeguards - such as required by the FTC Red Flag
2. Communicate with peers and collaborate - that may be accomplished by being a part of message boards; Twitter Groups, and attending Conferences.
3. Evaluate your fraud programs and determine the current success rate, and implement corrections.

These are simply single high level areas to consider - review your fraud programs seriously and consider the resources available by the above referenced parties.

As mentioned by Vivien Osborne of KPMG UK in the KPMG Forensic Fraud Report:

“In these harsh economic times, internal fraud could become the tipping point between the survival and demise of an organisation.  Companies need to be rigorous about re-enforcing their anti-fraud measures.  By reviewing their high risk and key operations, having effective reporting channels and deploying detection mechanisms such as data analytics they may give themselves a better chance to fight fraud.”

Additional Fraud Resources, please add below in comments.

Best,

James DeLuccia IV