An AAXXISS.

COM White Paper

http://www.aaxxiss.com

The Current Threat to Corporate Security: Physical &

Technological

The forecast is not good…!

By George B Tselentis, CISM

Sr. Security Analyst

10/2/2009 1:17:17 PM © Copyright – AAXXISS.COM – George B Tselentis, CISM

 Contents Introduction
The Threat is Real …The report issued by The NIC
Introduction (The National Intelligence Council (NIC) is the
Intelligence Community's (IC's) center for midterm
The Issues and long-term strategic thinking). “Cyber attacks will
Comment provide both state and nonstate adversaries new
options for action against the United States beyond
Summary mere words but short of physical attacks ---strategic
options that include the selection of either nonlethal
or lethal damage and the prospect of anonymity”.
Reference The GLOBAL THREATS 2015 Project” NIC, Page 34.

The Continuing Threat is growing …

“Our wired society puts all of us US business, in
particular, because they must maintain an open
exchange with customers at higher risk from
enemies. In general, IT s spread and the growth of
worldwide digital networks mean that we are
challenged to think more broadly about national
security”. Reference Statement for the Record to the Joint
Economic Committee Lawrence K. Gershwin
National Intelligence Officer for Science and Technology 21 June
2001

Issues
The security issues that we face today in the Internet
space are increasing and the threats are becoming
more serious. Hackers, cybercriminals and
mercenaries working for governments and private
entities are scanning those networks, looking to
defraud, disrupt or even destroy the information that
the INTERNET provides to millions of people.
Lawmakers in the United States Congress are
attempting to empower the government to take action
with more than eighteen bills currently being
introduced. The threat is being treated seriously.

Comment on
Real World Security

Summary
The continuing threat of complexity of this problem
is something that all governments and corporations
should be working on with speed and diligence, as a
coordinated effort and with enforcement.

10/2/2009 1:17:17 PM © Copyright – AAXXISS.COM – George B Tselentis, CISM

Challenge – The Continuing
Technology Security Threat is only
getting worse.
It is critical for everyone involved to grasp
and understand that the current threat is
continuing pace that is faster than the
current authority can effectively manage.
Legislators and their staffs should be better
informed on the issues and have an
enhanced understanding of the threat (1)
What are the current threats? (2) What is
the impact of those threats? (3) How can
these threats be neutralized? Corporations,
large and small have prepared for these
threats in a way that is marginal at best. I
have been in meetings with senior
management that started and ended with
questioning the cost factor. Very few
attending these meetings ever took into
account the future impact these security
issues have on (1) Reputational loss (2)
Financial loss of customers, and subsequent
exposure to the firm of lawsuits (3) Business
interruption cost and subsequent exposure to
the firm of lawsuits.
The Complexities and Questions
The technology we all use today, and at take
for granted is extremely complex…most of
us will agree that the “help desk” plays a
vital role in our daily lives. As a user of
technology you only see what you need to
see when you are working, and members of
the IT team are behind a curtain, so to speak,
keeping things going. This all worked well
until approximately 1995, when the
INTERNET began to give all users even
more choices to access various types of data,
and data that we now depend. That
dependency has a value and that value
insures that the cyber-criminal can profit. A
perfect example is identity theft, which in
short could be described as someone who
takes your identity and adds it to their
financial gain, leaving you with financial
pain. This are some of the issues that are
very complex and must be focused These
are just a few of the issues (1) Legislation
10/2/2009 1:17:17 PM © Copyright – AAXXISS.COM – George B Tselentis, CISM
(2) Legal (3) Indentifying (4) Enforcement (5)
Privacy (6) Demilitarization of the INTERNET.
One of the current legal definitions “Identity theft is
governed by federal and state criminal statutes. State
laws vary, but typically define the crime to include an
intent to use another's identity to commit, aid, or abet
any unlawful activity. A person commits the crime of
identity theft if, without the authorization, consent, or
permission of the victim, and with the intent to
defraud for his or her own benefit or the benefit of a
third person…”
Reference http://definitions.uslegal.com/i/identity-theft/
To add to the confusion and complexity
“ID theft governed by federal and state criminal
statutes”, but there are also some cities that have their
own municipal code enforcement. “State laws vary,
but typically define the crime to include an intent to
use another's identity to commit, aid, or abet any
unlawful activity.” What about international law?
What about those types of crimes yet to be
committed? What if the corporation holding the data
did not follow the current security standards to
protect that data? Is that a crime? How will those be
classified? How do you educate a jury to understand
the complexities of technology crime when some of
the legislators do not have a grasp of all the issues
and possible solutions?
Solutions, Maybe?
The current corporate solution to these threats
includes the self-enforcement of audit and security
standards. These standards and bodies of knowledge
include COBIT (ISACA), PCI, NIST, CIS, BS7799,
all fine organizations which allow us to review and
work on the issues in a very concise and material
way. These organizations offer a great deal of value
in understanding those issues and translating those
issues into action. They all offer a body of
knowledge, when reviewed and mapped to each
other, offer some of the best solutions on the planet!
The criteria for standards are in place. There is one
problem however…and here may be the part most
people (consumers) do not really understand…there
is no enforcement, which translates to mean the
standards are sometimes performed by the
corporations and sometimes not because there is no
one to enforce at a governmental level.
To provide a perspective one needs to read
the following news:
*TJ MAX - Sweetbay – Hannaford – Hannaford
To have a really good grasp of all these
issues goes well beyond this whitepaper, but
understand this quick statistic. The
perpetrator to the above crime was also
alleged to be involved in separate
conspiracies relating to data breaches at
*TJX Companies, Dave & Busters, BJ's
Wholesale Club, OfficeMax, Boston
Market, Barnes & Noble, Sports Authority,
Forever 21 and DSW….to name ones that
law enforcement currently know about.
Again, keep in mind this was one person
doing serious damage to the credibility of
cyber-security. This does not take into
account the hackers, cybercriminals,
terrorists and mercenaries working for
governments and private entities scanning
those networks looking to defraud, disrupt
or even destroy the information.
One Key Element to the Solution is
Missing
1. ?
That one key element missing to insure
security issues are resolved is…enforcement
and the mechanism for instituting that
enforcement is legislation.
*Note: Copyrights© where they apply
10/2/2009 1:17:17 PM © Copyright – AAXXISS.COM – George B Tselentis, CISM
Summary
Security professionals can advise large-cap and
small-cap companies how to protect themselves, but
we cannot enforce, as a result the following steps
need to be taken:
1. Serious discussions to expose all the
possible technology security issues.
2. The US Congress in concert with
international counterparts (European Union)
need to address and legislate to provide:
a. Domestic and International
Security Standards
b. Domestic and International
Security Standards Enforcement.
Pending US Congressional Legislation
There are approximately eighteen bills which have
been introduced as Congress works carefully to give
federal authorities the power to protect the country in
the event of a massive cyber-attack. Beyond that they
not only need to legislate compliance standards used
by corporations, but enforce the legislation to protect
all consumers.
 http://www.senate.gov/pagelayout/committees/d_three_
sections_with_teasers/committees_home.htm
 http://www.house.gov/
See other white papers that we offer on security
topics including:
 Non-State Actors (NSA) Terrorist - Mercenaries
 The threats to Banking, Financial institutions.
 The threats to senior management.
 The threats to companies that maintain
intellectual material, copyrights, patents and or
special processes that are part of the institutional
knowledge of that firm.
 The threats to Insurance.
 The threats to Law Firms.
 The threats to Utilities.
AAXXISS.COM is a US veteran owned business with more than
thirty years experience in the security space. We have an
international scope that includes professional contemporaries that
have specialized skills and or expertise in areas such as electronic
counter measures (e-sweeps), fraud, internal investigations,
security testing, security assessments in fulfillment and supporting
corporations in meeting governance - compliance (SOX, FINRA,
GLBA, FICEN, AML program, HIPAA, OCC, Red Flag, OMB123
including FISMA, HIPAA, Sarbanes Oxley, SAS70, Personal
Information protection, reputational, and intellectual property.