Risks Are High For Extending Financial Services into China

February 18, 2012

The economic trajectory of 1.3 billion Chinese has Western financial services leadership giddy.  They project oceans of profits generated through services to China’s growing middle class and wealthy elites.  Shareholders read about our corporation’s efforts to plumb critical hubs of their global operations into Chinese joint ventures, and seem to support leaders’ optimism.  In the rush for earnings, systems are rapidly being integrated across virtually all lines of personal and corporate finance.

In many situations, this vision seems out of phase with guidance from seasoned financial services security and risk management professionals.  All material players in global financial services distinguish their organizations from the competition through their market reach and human capital.  Some also tout the value of their brand or their access to non-human capital.  But a key differentiator remains proprietary business rules, investment analysis and operations platforms, and data.  These foundational assets exist in highly portable digital form and cannot be replaced or easily re-factored if they are stolen.  It is already difficult and expensive to resist targeted cyber-attacks, many of which emanate from China.  Casually extending financial services infrastructure into China is an elevated-risk gamble — of a magnitude rarely undertaken even by the most aggressive of our peers.  Plan to lose some of these bets as core intellectual property and data are appropriated into our Chinese competitors’ operations.

This should not be new news…

After years of reticence to engage the issue, it seems like the U.S. government is now changing course and attempting to help engage U.S. businesses in efforts to more effectively address some of the risks associated with Chinese cyber-threats.  Last fall House Intelligence Chairman Mike Rogers (R-MI) accused China of widespread cyber economic espionage.  Chairman Rogers said, “China’s economic espionage has reached an intolerable level…”

Late last month three individuals in positions to have extensive, long-running access to secret intelligence concerning cyber-threats against United States targets released an opinion column in the Wall Street Journal titled: “China’s Cyber Thievery Is National Policy—And Must Be Challenged.”  The piece was written by Mike McConnell (Director of the National Security Agency 1992-1996, and Director of National Intelligence 2007-2009), Michael Chertoff (Secretary of Homeland Security from 2005-2009), and William Lynn (Deputy Secretary of Defense 2009-2011).  Their central message was that “The Chinese government has a national policy of economic espionage in cyberspace. In fact, the Chinese are the world’s most active and persistent practitioners of cyber espionage today.”

Reporting on the topic, NPR’s Tom Gjelten quoted Mike McConnell: “We know, and there’s good evidence … of very deliberate, focused cyber espionage to capture very valuable research and development information, or innovative ideas, or source code or business plans for their own advantage.”  Writing about the WSJ column on the topic, Gjelten went on to write that “One reason they were anxious to publicize China’s cyber espionage was to counter those who claimed there was little concrete evidence to link the Chinese definitively to major hacking activity.”

Attackers from China have been conducting sustained, coordinated, covert intellectual property and sensitive financial information thefts against corporations, in some cases for years.  There are powerful forces influencing the dialog on this topic.  With few exceptions, representatives of companies doing business in China seem to have a pattern of stumbling whenever asked to discuss this topic in public.  As leaders in global financial services organizations intensify their focus on extracting value from Chinese markets, we need to ensure that sufficient fact-based risk management influence is applied to technology, infrastructure, operations, and information security decision-making.

References:
“US lawmaker: China cyber espionage ‘intolerable.’”
October 4, 2011, Susan Cornwell, Reuters.
http://www.reuters.com/article/2011/10/04/us-usa-china-cyber-idUSTRE7934L220111004

“China’s Cyber Thievery Is National Policy—And Must Be Challenged.”
January 27th, 2012, Wall Street Journal.
http://online.wsj.com/article/SB10001424052970203718504577178832338032176.html

“U.S. Not Afraid To Say It: China’s The Cyber Bad Guy.”
February 18, 2012, by Tom Gjelten, National Public Radio.
http://www.npr.org/2012/02/18/147077148/chinas-hacking-of-u-s-remains-a-top-concern


Are You Better Prepared than Nasdaq?

February 5, 2011

Are You Prepared to Explain Why Your Enterprise Is Better Prepared than Nasdaq?

The value of any financial services corporation’s brand depends, in part, upon the faith of individuals, investors, marketers, other intermediaries, analysts, and regulators that the corporation is effectively protecting sensitive information and financial assets from abuse.

When the Wall Street Journal publishes “big” stories about successful hacking of major financial services institutions — like Nasdaq in this case — it seems reasonable to assume some of your customers, partners, investors, analysts, Board members, and more will have concerns about your capabilities to resist the same types of attacks.

This WSJ story is getting reflected throughout the press and beyond.  Additional facts about the situation are also being published — Reuters reported that an Internet-facing application vulnerability may have played a role, and the NYT reported that it was Nasdaq’s Director’s Desk, which is used by corporations, including their boards of directors, to store and share information.  After the original reports, Nasdaq revealed that the problem involved malware found in Director’s Desk, which had 5000 users…  It seems prudent for you to take the time to glance through these articles, think about your current situation and your plans, and then use some of the article content to prepare targeted communications about this issue in the context of your operations.

One key target population will likely be decision-makers throughout each line of business in your enterprise.  Unless your corporation is dramatically above the norm, you need to invest in exploiting opportunities like these.  It is time again to craft and deliver resources aimed at helping support better-informed decision-making about risk-appropriate investments in measures to protect information and financial assets, and supporting operations.

Updated 02-05-2011, 22:33, adding information about Director’s Desk.

-References-

“Hackers Penetrate Nasdaq Computers.” Feb. 5, 2011, by Devlin Barrett
http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html

“Nasdaq Acknowledges Security Breach.” Feb. 5, 2011, by Devlin Barrett http://online.wsj.com/article/SB10001424052748704843304576126370179332758.html

“Nasdaq finds ‘suspicious files’ in hacker probe” Feb. 5, 2011, by Jonathan Spicer http://www.reuters.com/article/2011/02/05/nasdaq-hackers-idUSWEN712420110205

“Hackers Gained Access to Nasdaq Systems, but Not Trades.” Feb. 5, 2011, by Graham Bowley http://www.nytimes.com/2011/02/06/business/06nasdaq.html?partner=rss&emc=rss


WEF Risk Report Outlines Linkages and Risks to Watch

January 28, 2011

World Economic Forum Global Risks Report 2011 Outlines Linkages and Risks to Watch.

The World Economic Forum has just released a collection of resources to support understanding, thinking, and decision-making about risk.  The Global Risks Report 2011 is available as an interactive web site or as a 60-page PDF.

For context, WEF staff outline some of the resources used to produce the 2011 report:

  • “The starting point for Global Risks 2011 was a risk perception survey of 580 leaders and decision-makers across the world.”
  • “The survey was supported by 18 workshops and over 50 expert consultations to assist the (World Economic) Forum’s in-house risk analysis.”
  • “Survey respondents assessed the potential impact, likelihood, and interconnections of a range of 37 global risks, looking forward over a ten year period.”

The report does not stop at the traditional likelihood-impact graph, but delivers another view of the situation by outlining the interconnections between each of the global risks, and by organizing the risks into logical groups.  Their discussion of the web of interconnections between the risks and groups of risks may be the most important output of the 2011 report.  There is a lot of content in this report and supporting materials.  Risk management professionals involved in financial services should be able to make use of this rich resource in a variety of contexts.

After a quick scan of the materials, a few things stood out as useful for me.  Most immediately, the analysis of linkages between information security and other global risks will support my work attempting to help others make decisions about risks involved in global financial services.

This report includes a discussion of what the authors called the “illegal economy nexus” within the Risk Interconnection Map.  At its core, were three broad risks: illicit trade, corruption, and organized crime.  The authors argue that “emerging economies suffer under chronic threats to development as well as acute threats to stability,” while the advanced economies drive “the demand for the illegal economy nexus, face regional and global instability, as well as the pressure to participate in corrupt practices.”  [see: http://riskreport.weforum.org/#/2/7 and http://riskreport.weforum.org/#/?re_layout=0&re_IDs=28]

In the World Economic Forum Risk Report, links between online data and information security extend into the illegal economy nexus through organized crime and corruption, and also have direct linkage to regulatory failures, critical information infrastructure breakdown, infrastructure fragility, threats from new technologies, and terrorism.

For a slightly more extended discussion of these linkages see: “The global risks barometer,” also by the World Economic Forum.

On page 37 of the “Barometer,” it defines “Online data and information security” as “The accidental loss of data or fraud online triggers a loss of confidence in data sharing, negatively affecting e-commerce and communication,” and then identifies a set of key risk drivers and indicators:

These drivers increase this risk:

  • Lack of transparency on meta collection of data and algorithms
  • Difficulty of tracing altered data and infiltrator activity and the lack of agreement on how to intervene when erroneous data is created or misallocated
  • Incompatibility of new and old systems, carrying risks of destabilizing the network
  • Increased reliance on cloud services for data storage and analytics

This driver can either increase or decrease risk:

  • Extent to which policy and regulatory frameworks can keep up, given the lag between innovation cycles and government decision-making cycles

These drivers reduce this risk:

  • Deterrent effect of clear legal framework to penalize offenders
  • Information sharing among governments and private firms regarding loss events
  • Improved education and personal awareness on ethical and moral responsibilities of online activities, including a false sense of security from encryption
  • Development of best practices for data security

The report then outlines a number of “Global Impacts:”

  • Disruption of global e-commerce and network communication as security concerns make users retreat from online services
  • Paralysis of business and governance as trust decreases in data collection, storage, distribution systems and organizations processing mass data
  • Increased degree of tolerance to breaches of privacy
  • Negative blow to the open source society affecting data and process sharing which hampers innovation and trust
  • Unexpected second- and third-order effects through the interconnectedness of systems and data which are generally poorly understood

In their polling and research, the authors of the “Risk Report” found that “cyber thieves experience a substantially lower feeling of guilt than is apparent in other criminal activities.” [page 66]  This idea or finding has been around for quite some time, sometimes a slice of it is abbreviated into a discussion about how individuals behave differently “at work” than they do when they work from home — which some personnel leaders discount.  But delivering this message to participants at the World Economic Forum Annual Meeting in Davos might help factor it into senior decision-making circles.

I have only touched on an extremely small subset of the content in this rich set of resources.  I strongly recommend it as a serious read for all security professionals in financial services.

-References-

“Global Risks 2011, Sixth Edition – An initiative of the Risk Response Network.”
http://riskreport.weforum.org/ or in PDF format at http://riskreport.weforum.org/global-risks-2011.pdf
World Economic Forum (January 2011) in collaboration with Marsh & McLennan Companies, Swiss Reinsurance Company, Wharton Center for Risk Management, University of Pennsylvania, Zurich Financial Services, with Co-editors: Kristel Van der Elst and Nicholas Davis.

“The global risks barometer.” by the World Economic Forum, at http://riskreport.weforum.org/barometers-2011.pdf


Odd Lincoln National Breach Disclosure

January 15, 2010

Lincoln National Discloses Breach Of 1.2 Million Customers.

There are many legacy behaviors that result in sharing of user name/password pairs.  Some of the most difficult examples to deal with involve the use of “shared” administrative credentials.  The articles today about Lincoln National’s credential-sharing incident present a challenge to all of us in financial services businesses.  I have been involved in a number of merger/acquisition efforts and was never surprised to find the use of shared passwords throughout the technology and operations ranks.  It seems to be a legacy assumption expressed by software architects, engineers, and developers.  Too many of those responsible for database administration seem to assume that credential sharing is an integral part of what they do.  Lincoln says that they are going to carefully research operations across their organizations and eliminate the use of shared credentials.  If they can achieve this goal, much of the rest of this industry will be on the defensive.

Here is my outline of what I have seen released today:

  1. User credential sharing at Lincoln was initially reported to the Financial Services Regulatory Agency (FINRA) by an “unidentified source.”
  2. Lincoln’s response said that the credential was used only at two of their investments-related subsidiaries.
  3. The credential provided administrative access to a customer portfolio information system that consolidates detailed customer account data from “hundreds of disparate sources” including transaction-level activity from what appears to be all lines of their business.
  4. The portfolio information system contained records for 1.2 million customers.
  5. Shared user credentials are forbidden by Lincoln policies.
  6. Lincoln hired outside counsel.
  7. The outside counsel then hired a specialty forensic investigation organization to assess what happened.
  8. Lincoln subsequently found a total of 6 shared user name/password pairs associated with the portfolio information system in question.
  9. The user name/password pairs were “created and distributed by the system administration team to certain home office and support staff to perform administrative functions, respond to registered representative inquiries and review client account activity.”
  10. In a carefully-worded conclusion, Lincoln wrote that they are “unaware of any reported instance of identity theft or fraud related to this vulnerability” and that they have “determined that this incident does not constitute a breach of security as defined under New Hampshire law.”
  11. Nevertheless, Lincoln wrote to the New Hampshire Attorney General that “All shared usernames and passwords have been discontinued.”
  12. And that Lincoln has “heightened their enforcement of the existing (Lincoln) policy that prohibits shared usernames and passwords.”
  13. Lincoln also said that “Individuals whose personal information was exposed to this vulnerability will receive voluntary notification, and the offer of free credit monitoring.”
  14. The company also committed to conduct a “comprehensive review of their client information systems for similar vulnerabilities.”
  15. Lincoln will be notifying their customers in at least 13 states.
  16. This will necessarily result in non-trivial expense and (possibly) some amount of damage to Lincoln’s reputation.

I am curious about how this will play out with retail and institutional customers.  Will they press for more evidence of policy-compliant behaviors, will the institutional crowd include this in negotiations for a better deal, will anyone bolt?

This was an expensive exercise, and Lincoln is not finished investing in the “cleanup.”

To some extent Lincoln’s public behavior sets a precedent for other financial services corporations.  Lincoln’s behaviors when confronted with this incident, and their follow-on commitment to hunt down (and, they imply, eliminate) the use of shared credentials throughout their infrastructure and operations establishes a high bar.

Regardless of its applicability in U.S. courts, this is something that more than a few financial services organizations will need to deal with.

For those in the financial services business, shared user credentials are also prohibited by our security policies.  This is just one of the entry-level security requirements for all corporations in our business.  Those who are unable or unwilling to ensure that a risk-reasonable proportion of their workforce align their behaviors with that commitment are now on notice.
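Policy language alone does not tell you whether shared user name/password pairs are actually in use.  One observable symptom is a single account logging in successfully from several distinct hosts within a short window.  The following is an added example, not code from the post or from Lincoln National: it parses a constructed authentication log (the line format, account names and addresses are all invented for this illustration) and flags accounts that exceed a threshold of distinct source hosts inside a sliding time window.  The window and threshold are assumptions to be tuned against your own environment.

```python
"""Flag accounts that look shared: successful logins for one user name from
several distinct source hosts inside a short sliding window.
Added example; log format, users and addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format, e.g.
# 2010-01-15 08:01:10 LOGIN user=jsmith src=10.1.4.30 result=success
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: not taken from any real system.
SAMPLE_LOG = """\
2010-01-15 08:01:10 LOGIN user=portfolio_admin src=10.1.4.21 result=success
2010-01-15 08:03:42 LOGIN user=portfolio_admin src=10.1.7.118 result=success
2010-01-15 08:05:05 LOGIN user=jsmith src=10.1.4.30 result=success
2010-01-15 08:09:59 LOGIN user=portfolio_admin src=10.2.9.7 result=success
2010-01-15 08:10:30 LOGIN user=portfolio_admin src=10.1.4.21 result=failure
2010-01-15 13:30:00 LOGIN user=jsmith src=10.1.4.30 result=success
2010-01-15 17:45:12 LOGIN user=jsmith src=10.1.4.31 result=success
"""


def parse_log(text):
    """Return a list of (timestamp, user, src, result) tuples; lines that do
    not match the expected format are skipped rather than crashing the run."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       m["user"], m["src"], m["result"]))
    return events


def find_shared_accounts(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {user: set_of_hosts} for every account that had successful logins
    from at least `min_hosts` distinct sources within any `window`-long span.
    Failed logins are ignored: they show guessing, not sharing."""
    by_user = defaultdict(list)
    for ts, user, src, result in sorted(events):
        if result == "success":
            by_user[user].append((ts, src))

    flagged = {}
    for user, logins in by_user.items():
        start = 0
        for end in range(len(logins)):
            # advance the window start until it fits within `window` of `end`
            while logins[end][0] - logins[start][0] > window:
                start += 1
            hosts = {src for _, src in logins[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[user] = flagged.get(user, set()) | hosts
    return flagged


if __name__ == "__main__":
    for user, hosts in find_shared_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"possible shared credential: {user} from {sorted(hosts)}")
```

In the constructed sample, `portfolio_admin` is used from three hosts inside nine minutes and is flagged, while `jsmith` moves between two workstations hours apart and is not.  Real deployments should correlate the flagged accounts with the HR directory (one account should map to one person) and with change tickets before treating a hit as a policy violation.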

– References –

“Lincoln National Discloses Breach Of 1.2 Million Customers.”
http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=222301034 and http://doj.nh.gov/consumer/pdf/lincoln_financial.pdf


One Promise of Social Media

December 23, 2009

One Promise of Social Media.

“Social media users believe there is protection in being part of a community of people they know. Criminals are happy to prove this notion wrong.” ["Cisco 2009 Annual Security Report." page 6]

Cisco security is not the first organization to deliver this message.  They do, though, present the case well, within a much broader 2009 study.

The authors highlight how criminals take advantage of the way social media users tend to trust a person or a resource because someone they know did so.  The problem here is that it has been relatively easy for criminals to:

  • Create large numbers of on-line identities,
  • Inject themselves into social media sites most appropriate for any given set of identities,
  • Succeed at making a critical mass of associations (friends or connections), for each of them, harvest the list of everyone they know, and then
  • Based on your relationship(s) with people they know, begin to coax them all to “click” on your invitation to share in something of value…

At that point, a criminal can use established techniques and technologies to deliver a trojan downloader to the PC of everyone who “clicks.”  Remember, the key message is that Cisco research in 2009 suggests that criminals are increasingly successful at exploiting social media users’ belief that there is effective “protection in being part of a community of people they know…”

There is vast potential for crime here.  Facebook reported 350 million users at the end of 2009, and Twitter had 23.5 million users in the U.S. alone and more than twice that many worldwide (Quantcast or TechCrunch).  When a criminal gets a virtual “foothold” in any given network of “friends” the power of “trust between users” kicks in — and the “success” rate or, in business terms, the return on investment, is vastly higher than in a more random, mass-mailing approach to hooking unsophisticated Internet users.

So, why should you care?

In financial services, many leaders and infrastructure service owners seem to be nearly intoxicated with an urge to exploit the power of “free” social networking for profit.  They want corporate staff to work this new territory from within the enterprise, as well as from wherever they are.

Play it forward:  This could result in tighter integration of business operations and infrastructure with many types of social networking sites.  Staff would be motivated to inject themselves into existing webs of individuals as well as to build new ones in order to deliver targeted information, offers, opportunities, etc.

Based on what we know about criminal activity and techniques in this environment, how long would it be before your infrastructure was polluted with credential-stealing malware, and your new “friends” are feeling digitally assaulted by their interactions with your brand?

At the same time, corporate staff will become the targets of top tier attempts to heist enterprise-internal credentials, with special attention to those who have access to bulk customer data — think database and server administrators — and those who have access to corporate accounts and wire transfer systems — likely in finance and investment divisions.

Either scenario — customer abuse, or credential theft from corporate insiders — presents serious risk issues in the financial services industry.

Criminals are expert at delivering high-quality malware to PCs for the purposes of extracting value — stealing credentials and other sensitive information is a key capability because they are a liquid commodity in the global criminal marketplace, as is holding control of PCs in order to extract a ransom from owners.  Both lines of illicit business seem to deliver attractive profits.  Internet-enabled crime has established itself as a potent and nimble force.  It continues to demonstrate tremendous sensitivity and creativity, and a capacity to quickly evolve as needed.

So, what can we do?

This is a tough one.  The first move appears to be executive education.  Senior leaders need to understand that the social media marketplace is at least as rich with risk as it might be with revenue and profit potential.  I believe that the risks of moving into the social media arena without careful risk management plans grossly outweigh the potential benefits.  That said, I believe that the potential for finding value in technology-assisted social networking is real-enough to warrant our serious attention and some of our best human resources.

Maybe some combination of a vendor-provided scrubbing of all corporate interactions with targeted social networks — think highly customized filtering web proxies that include reputation services — along with authorization to participate provided only on a strictly-managed “need-for-my-role” basis, and clearly communicated and simply documented “rules of engagement” for all staff involved.  All the standard anti-malware measures, network monitoring, event correlation, alerting, alarming, reporting, incident management processes, and more need to be in place as well…

Again, this is a tough one.  What do you think?

-Update on 01-24-2010-

The BBC published a story today about a football powerhouse attempting to protect their brand by attempting to “pull out” of social media all together.

“Manchester United Warns About Social Networking.”
Manchester United Football Club has posted a message on its website explaining that its players do not belong to online social networks.
It advises users to treat any profiles in the names of its players with “extreme scepticism”.
The club says this is because of the high numbers of people impersonating team members online.

http://news.bbc.co.uk/2/hi/technology/8470735.stm

-Resources-

“Cisco 2009 Annual Security Report.” (the report covers a lot more material that I refer to above)
http://cisco.com/en/US/prod/collateral/vpndevc/cisco_2009_asr.pdf


Ready For Employee Theft and Sabotage

November 21, 2009

Are You Ready For Employee Theft and Sabotage?

For many in the financial services industry, the global economic catastrophe has increased the frequency of employee theft and sabotage (broadly-defined).  While some of these incidents are little more than inconvenient reminders that “people are our weakest link…” others will require an immediate and comprehensive response, along with the creation of court-ready evidence (identification, copying, preservation, and documentation of the incident-relevant digital evidence).  We all need to ensure that we are effectively resisting these behaviors, but those efforts will necessarily be imperfect.

This is not a new obligation.  Career criminals continue to expand their use of technology in the course of their illegal activities.  One component (there are many others) of the reasonable processes required for dealing with this situation is “computer forensics.”  This is also a key component of our tooling and processes for dealing with new insider crime linked to the toxic economic environment.  Increasingly, “computer” includes a broad range of mobile devices, but I will defer that discussion for another post.

If you have not yet prepared for this situation, you (or your surrogate) might go to http://www.sleuthkit.org/, read up on The Sleuth Kit and Autopsy, download a current copy of BackTrack (or one of the many other forensic toolkit bootable CDs) and start training — the important issue is starting somewhere.  Or, alternatively, get in touch with your favorite risk management consulting house and get their advice about becoming better prepared.  They might just point you to one or more of the specialty forensic consulting practices — and you could do a lot worse than to get one of them on retainer.  The time to start getting ready for a criminal incident at your business is not the moment you get the call from your boss, or one of your corporate lawyers, compliance officers, or accountants — even worse, a reporter from the Wall Street Journal.

There are a number of good books on this topic (search Google or Amazon).

There is a broad spectrum of activities that are included under the label of “computer forensics.”  In order to give you a hint at this range and complexity, a sampling of what they include (but are not limited to) appears below:

  • Respond to live incidents (The attack is ongoing).
  • Respond to recent incidents (hours or days old).
  • Respond to historical incidents (months old or longer).
  • Determine whether an attack/theft/sabotage/etc. has actually occurred.
  • Assemble and maintain a toolkit you can employ at the scene of a computer-related crime.
  • Analyze volatile data and nonvolatile data.
  • Safely perform and document forensic duplications.
    Create a bitstream image of the evidence.
    Prepare for subsequent verification of the evidence using one-way hash functions.
    Understand hash and signature analysis.
  • Collect and analyze network-based evidence.
  • Identify and analyze print spool data.
  • Identify and analyze files of unknown origin.
  • Identify and document all start-up and shutdown activity.
  • Identify and document authentication and authorization activity.
  • Identify and document system and data access.
  • Reconstruct web browsing behaviors.
    Including recovery and analysis of cookies.
  • Document all e-mail activity.
  • Identify & document domain name ownership and the “real” source/destination of e-mails.
  • Identify and analyze system and application changes – invest special effort in privilege changes.
    This includes the Windows registry and event logs, as well as application residual files.
  • Identify and analyze data changes – with special attention to creation and destruction activities.
    Includes analysis of slack and unallocated space, and recovery of deleted files.
  • Identify and analyze errors and faults.
  • Perform keyword and email searches.
  • Build time-lines of user and application behaviors.
  • and lots, lots, more…

If computer forensics are not something that you or your staff are well prepared to execute, I strongly recommend that you consider moving on an immediate plan to develop a minimum competency in this area starting today.
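The duplication and verification items in the list above (bitstream image, one-way hashes, documentation of the acquisition), worked through as an added Python example; this is not code from this post or from The Sleuth Kit, the evidence path, examiner name and JSON log layout are assumptions, and the sample evidence is constructed:

```python
"""Forensic duplication helper: bit-for-bit image, streamed hashing, and an
acquisition record.  Added example, not code from the post or from The Sleuth
Kit.  Source path, examiner name and log layout are assumptions."""
import hashlib
import json
import os
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # assumption: 4 KiB blocks; use the device sector size in practice


def file_digests(path, block_size=BLOCK_SIZE):
    """Return MD5 and SHA-256 of a file, streamed so large images never sit in RAM."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def image_device(source, image_path, examiner="(examiner name)", block_size=BLOCK_SIZE):
    """Copy `source` to `image_path` byte for byte, hashing the data as it streams.

    Blocks that cannot be read are replaced by zeros and recorded by offset, the
    same behaviour as `dd conv=noerror,sync`, so the image keeps the source's
    geometry and the gaps are documented rather than silently dropped.
    Returns the acquisition record (also written beside the image as JSON).
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_blocks = []
    started = datetime.now(timezone.utc).isoformat()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        # Block devices report size 0 via stat(); seeking to the end works for both.
        src.seek(0, os.SEEK_END)
        total = src.tell()
        src.seek(0)
        offset = 0
        while offset < total:
            want = min(block_size, total - offset)
            try:
                src.seek(offset)  # re-seek every block: position is undefined after a failed read
                chunk = src.read(want)
                if len(chunk) < want:  # short read at a bad sector
                    raise OSError("short read")
            except OSError as exc:
                bad_blocks.append({"offset": offset, "length": want, "error": str(exc)})
                chunk = b"\x00" * want
            dst.write(chunk)
            md5.update(chunk)
            sha256.update(chunk)
            offset += want
    record = {
        "source": source,
        "image": image_path,
        "examiner": examiner,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "block_size": block_size,
        "bytes_copied": offset,
        "bad_blocks": bad_blocks,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }
    with open(image_path + ".acquisition.json", "w") as log:
        json.dump(record, log, indent=2)
    return record


def verify_image(image_path, expected_sha256, block_size=BLOCK_SIZE):
    """Re-hash the image later (before analysis, or for court) and compare."""
    return file_digests(image_path, block_size)["sha256"] == expected_sha256


if __name__ == "__main__":
    # Constructed sample evidence: in practice `source` would be a write-blocked
    # device such as /dev/sdb (hypothetical path), never a mounted production disk.
    with open("evidence_sample.bin", "wb") as f:
        f.write(bytes(range(256)) * 40 + b"tail")
    rec = image_device("evidence_sample.bin", "evidence_sample.dd",
                       examiner="J. Doe (constructed)")
    print(json.dumps(rec, indent=2))
    print("image verifies:", verify_image("evidence_sample.dd", rec["sha256"]))
```

Re-run `verify_image` against the SHA-256 in the acquisition record before every analysis session; a mismatch means the image itself, not any finding drawn from it, is what has to be explained.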

-Resources-

U.S. Secret Service’s “Best Practices For Seizing Electronic Evidence.” Version 3. http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf

“Searching and Seizing Computers and Obtaining Electronic Evidence Manual — Chapter 5 — Evidence”
http://www.cybercrime.gov/ssmanual/05ssma.html, and more broadly http://www.cybercrime.gov/ssmanual/index.html and the Federal Rules of Evidence: http://www.law.cornell.edu/rules/fre/overview.html, and finally,
http://www.cybercrime.gov/cclaws.html.

The Sleuth Kit and Autopsy Browser are open source digital investigation tools (a.k.a. digital forensic tools).  They run on Windows and Unix/linux systems.  They can be used to analyze NTFS, FAT, HFS+, Ext2, Ext3, UFS1, and UFS2 file systems and several volume system types.  The Sleuth Kit (TSK) is a C library and a collection of command line tools. Autopsy is a graphical interface to TSK.  http://www.sleuthkit.org/

The Sleuth Kit: http://sourceforge.net/projects/sleuthkit/
Autopsy: http://sourceforge.net/projects/autopsy/
BackTrack: http://www.backtrack-linux.org/

A list of bootable CDs with The Sleuth Kit & Autopsy, as well as large collections of additional utilities designed to assist you in your forensic work: http://wiki.sleuthkit.org/index.php?title=Tools_Using_TSK_or_Autopsy

“Computer Forensics Procedures and Methods.” By Dr. J. Philip Craiger, Assistant Director for Digital Evidence, National Center for Forensic Science & Department of Engineering Technology, University of Central Florida
http://ncfs.ucf.edu/craiger.forensics.methods.procedures.final.pdf

“Windows Forensic Analysis DVD Toolkit.” (Second Edition)  By Harlan A. Carvey. Syngress, June 11, 2009.
http://www.amazon.com/Windows-Forensic-Analysis-Toolkit-Second/dp/1597494224/ref=dp_ob_title_bk

“File System Forensic Analysis.”  By Brian Carrier.  Addison-Wesley Professional, March 27, 2005.
http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/ref=pd_sim_b_1

“Real Digital Forensics: Computer Security and Incident Response.”  By Keith J. Jones, Richard Bejtlich, and Curtis W. Rose. Addison-Wesley Professional, October 3, 2005.
http://www.amazon.com/Real-Digital-Forensics-Computer-Security/dp/0321240693/ref=pd_rhf_shvl_4

And a 2008 list of web resources on forensics: http://geschonneck.com/security/forensics/


A Signal That You Are No Longer Targeting Effective Risk Management

May 27, 2009

Over the years, I have been witness to many instances of “responsible”/”accountable” word feuds.  In truth, I have been maneuvered into the early stages of these tangents on more than one occasion.  I believe that their presence is almost always a signal that effective risk management is no longer the mission.

Whenever compliance discussions evolve into arguments about the meaning of “responsible” versus “accountable,” stop and think about the trajectory of your effort.  Chances are that you are no longer involved in “risk management.”  The key is generally to ensure that there remains a strong link to compliance monitoring, reporting, and enforcement.  Where there is no link, there is no information security, infrastructure, or infrastructure operations risk management activity.  If you are a lawyer, and your focus is to use the “responsible”/”accountable” vocabulary to achieve some gain or to dodge some liability for your corporation, you have my support, but it is not related to the security business.

Tight-enough coupling between the descriptions of what must or should be achieved, and the monitoring, reporting, and enforcement used to ensure an appropriate level of compliance is a key indicator of an effective risk management focus.

Absent that coupling, attempt to re-focus the participants’ energy away from “responsible”/”accountable” word-smithing, and back toward the job at hand.


Mass Misunderstanding in Global Business — Can It Happen on The Information Security Front?

May 17, 2009

Leaders in many industries seem to employ hope, and a belief in “what others are doing,” as a primary risk management technique.  I recently read a piece about the biofuels industry and watched a documentary on Bernie Madoff’s Ponzi scheme that seem to demonstrate weaknesses in the way we manage key risks in globalized industries today.  In financial services, we use software to integrate much of our operations in hostile environments.  I believe that it would be useful for our most senior leaders to invest some of their best resources in an intense re-evaluation of their risk management strategies across all dimensions of their business.

Philip Brasher wrote a brief blog entry earlier this week about how, over the last few years, biofuel entrepreneurs, producers, investors, farmers, and politicians all failed to deal with some relatively well-established market risks.  In the U.S. Midwest, biofuels generally means ethanol and biodiesel.  During the recent ethanol boom years, boosters seemed to reason, “what product could fail when it had no competitors and government was prepared to make its consumption mandatory?”  Many in the industry assume their government mandates and subsidies are a virtual guarantee of success.  Both ethanol and biodiesel are now in a deep slump.  The price of, and demand for, these biofuels are relatively tightly coupled to traditional energy markets (primarily oil) and to agricultural commodity prices.  As a result, the biofuels industry operates in an international market.  The dynamics of oil and agricultural markets are extensively documented, analyzed, and reported on — and mandates and subsidies are not distributed evenly across the globe.

Creating the infrastructure to produce ethanol and biodiesel on a commercial scale is a complex engineering and capital-intensive exercise.  Whole hordes of intelligent people worked out every facet of this new industry.  Most of this effort took place in public, and with relatively extensive academic support from major universities.  How could they have gotten it so wrong?  And are they preparing to do so again?  Mr. Brasher references work by Ross McCracken that seems to suggest they might be, by expecting both rising oil prices and falling production costs while at the same time neglecting to deal with their own product pricing and raw-material costs.

So what does all that have to do with information security in the financial services industry?

Software is increasingly an enabler for “everything” in our business.  Every facet of our businesses depends upon layer after layer of software, most of which is expressed in interface after interface.  Our business leaders have been wringing “savings” out of our infrastructure for years.  Many seem to think that this savings-train is both endless and under their command.  Unfortunately, there are other forces that can influence the costs and risks associated with operating large, complex, often globally-distributed infrastructures.

Much of our infrastructure is now connected to the Internet, as well as to our partner and customer infrastructures.  Our business “plumbing” and our brands require this connectivity in the financial services industry.  All of it is exposed to more or less hostile influences.  Many of our leaders depend upon contracts, laws, regulations, and regulators to work out how we will deal with the risks.  Some add informal reviews of “what others do,” or search for “industry best practices.”  Some include insurance in the mix as well.  My translation of this behavior is that it means they hope that “their” corporation will not experience a related loss on their watch.  And hope is not a viable risk management plan.

When you need to protect $ millions or $ billions of other people’s money, writing and deploying risk-appropriate software, even a relatively simple application, is fiendishly difficult.  This task is made more challenging because the nature, scope, and intensity of the threats in the deployment environment are evolving.  Many applications never receive even an informal security code review or a vulnerability assessment.  At the same time, the “tools” available to criminals, insiders or outsiders, continue to mature and pose serious threats to our information, operations, and assets.  Most of these tools attack, in one way or another, our applications.  From one perspective, this is a very dynamic battle-space (war-fighting vocabulary intentional).  That is not the perspective of most of our executive corps.

Any population in financial services depending on hope, and a first-person experience of avoiding disaster, ought to review the recent FrontLine documentary on “The Madoff Affair.”  In the presence of a relatively vast regulatory apparatus, thousands of top-tier investors, investment advisors & analysts, brokers, and hedge fund gurus “lost” as much as $65 billion U.S. in a Ponzi scheme.  That was also in spite of a small cadre of investment specialists and a few reporters who repeatedly pointed out that Madoff’s returns were not supported by market or mathematical facts.  The primary regulator performed several reviews of Madoff’s investment operations and reported that there were no problems.  From our perspective today — on Dec. 11, 2008, Bernard L. Madoff confessed that his investment business was all a lie — this seems like some mass madness.  Professional and wealthy elites do not make mistakes of this magnitude — but now many of them have lost much, or in some cases all, of their fortunes.  So much for hope and regulation…

It is risk-inappropriate to wait for a catastrophic attack on our financial services infrastructure before investing in intellectually-viable information, infrastructure, and infrastructure operations risk management practices.  I believe that it is time for our most senior leaders to invest some of their best resources in an intense re-evaluation of their risk management strategies across all dimensions of their business.

– References –

“Biofuels at risk.” Philip Brasher, May 11, 2009, http://blogs.desmoinesregister.com/dmr/index.php/2009/05/11/biofuels-at-risk/

There was also a follow-on article in the Sunday Des Moines Register (print edition), “Lawmakers try to ease regulation on biofuel’s environmental effect.” May 17, 2009, page 4D.

“The Madoff Affair.” FrontLine, PBS, http://www.pbs.org/wgbh/pages/frontline/madoff/


What Motivates C-Level Executive Investments in Security?

April 22, 2009

Boards of financial services corporations appear to exist in a bubble that isolates them from most of the types of information security and infrastructure & operations risk management issues that fill most of our days.  I admit, I am not even an intermittent member of that club, and that I have not figured out the relevant dimensions or characteristics of the Board bubble.  As a result, it just confounds me.  Information from my board is conveyed via direct questions that get passed my way, and via hints and statements in our standard SEC filings.  Sure, boards of all major financial services corporations have a broad suite of issues they must understand and influence.  It does not seem that many hold information security and infrastructure & operations risk management in their set of top priority considerations.  Given the regular drum beat of data loss in the news, this is not a healthy signal for our industry.  I have worked with executives in financial services for years.  Senior executives seem to consistently service their boards.

So, what motivates our C-level executive investments in security?  Generally, it seems like it is the existence of legal and regulatory mandates.  Information Week reported that in a recent Information Week Analytics survey of 326 IT professionals, their

“data points strongly to a single source: regulations.  Industry and government compliance mandates are cited as the top influence on information security programs.”

If compliance — with the law, governmental or industry regulations, or even customer and partner contracts — is the only goal, we are sunk.  Depending on which of the major financial services corporations you work for, we are tasked with protecting anywhere from hundreds of billions to trillions of dollars worth of other people’s money, while attempting to:

  • interconnect almost everything,
  • connect all that to the Internet,
  • make all types of interactions easier for the end users.

In business, technology infrastructure & operations, and software environments as dynamic and complex as are found in all large financial services corporations, it seems relatively easy to understand that we begin every day at seriously-elevated risk.  Law and rule-making processes in the United States are messy — generally rich in compromise, sometimes transparently corrupt, and often strongly influenced by the industries being targeted with controls.  As a result, compliance is usually not a high bar.  It may not be, and in my experience usually is not, a close relative of risk-appropriate information security.

We need to do a better job communicating with senior leaders.  Our infrastructures incorporate and expose real vulnerabilities.  There are real and relevant threats.  And we owe more to our customers, partners, employees, and shareholders than the cheapest and easiest route to technical compliance.  Checking some boxes, printing reports, and passing a contract compliance assessor’s review must not be the only corporate security goal.

We are living through a global financial decline of still-unknown proportions.  It was caused in part by too many people, especially, but not exclusively, at the top of our financial services corporations, choosing to set grossly-inappropriate goals.  We all know that the scope and breadth of criminal, and national-centric, activity focused on critical Internet-connected infrastructure is expanding every week.  I believe that treating information security and technology infrastructure & operations risk management as a compliance exercise will lead to a similarly dark downturn — and I believe will result in the end of some more of our financial services peers.

What do you think?

– References –

DatalossDB: http://datalossdb.org/statistics

Information Week Analytics Survey Summary: http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=213901162

Full report “A Unified Front: Exploring What Executives Really Think Of Security.” https://i.cmpnet.com/custom/cxoreport/assets/InformationWeek-Analytics-Dark-Reading-CEOs-And-Security.pdf .  You might want to link from the article above and fill out the form so that they earn enough money to keep doing these surveys.


What is Information Security and How Does it Help?

March 28, 2009

A peer recently pointed me to a discussion about information security as a “business enabler.” Daniel Miessler argued that:

‘Security isn’t an “enabler”; that line can hurt us. Security is about NOT doing things wrong, as part of overall quality.’

and later in his essay that

“In a CEO’s big picture, there’s no difference between a web application firewall and a fire alarm and sprinkler system. Ultimately they both reduce to one thing: an operating expense.”

There followed a number of thoughtful comments, and dialog.

The same day, Jeremiah Grossman [WhiteHat Security] wrote an essay about selling application security. He offered that application security should enable:

“solutions to be implemented in the time and place that maximizes return, demonstrates success, and by extension justifies the investment to the business in the language they understand.”

He linked to a number of others’ writing about the topic and argued that one of the critical goals must be to help CIOs and CSOs “understand the relevant issues.” He appears to have worked with the Web Application Security Consortium (WASC) and The SANS Institute to initiate a joint open community project to build out a “risk-based enterprise website security strategy.” Mr. Grossman’s essay was followed by more thoughtful commenting and discussion.

After reading a number of the links and thinking about these two threads, I think that both have value. Any rant about sales “lines” that get repeated without a thought is a good thing in-and-of-itself. I think that both writers express frustration at the difficulty of motivating senior corporate leaders to part with their money for “security-related” investments. That is understandable. “Investment” funding is difficult for everyone today. I am working in financial services — where trillions of dollars of assets that we depended upon have simply disappeared. Money is very tight here. I understand why product and services vendors have been increasingly manic, frantic, and sometimes even bullying in the messages they email and leave on my phone.

So, what do I have to offer?

As a bumper sticker, “security as a business enabler” is just more vacuous blather. But if it is used as part of a more serious attempt to get at the problems of taking business-appropriate risks, or performing risk-appropriate business, then work like that proposed for “risk-based enterprise website security strategy” might be useful. I believe that the most effective information and technology operations risk management decision-making today happens because of the joint efforts of serious information security professionals and leaders (formal and informal) across the various organizations that make up modern corporations in most fields today. Depending on the given corporate culture, this is less or more process-driven.

  • Sometimes it is strictly a matter of personal relationships (a risk-elevating situation).
  • In other situations, project processes link these communities for long enough to work out understandings and plans that can facilitate effectively dealing with risks.
  • Some organizations have broad and deep formalization of their organizational relationships, and the processes and information flows to maintain a shared understanding of threats, risks, controls & mitigations, current state, etc.

I believe that the first two situations above dominate, and that the third is an exception. As a result, whatever we do to support creation of a “risk-based enterprise website security strategy,” or to find a new broad description of what makes information security valuable, it needs to be useful in those organizations that depend heavily on cross-domain relationships between serious professionals to prioritize risk management investments. This is not meant to imply that information and application security specialists are not valuable. They are critical to the success of most organizations. I am responding to the focus on “selling.” Successful sales will require connecting with and delivering an effective message to those who can pay, or can materially influence those who can pay. My experience has been that this is an increasingly-small population.

For a number of years, I was intermittently called upon to assist a large corporate merger & acquisition team. We would review the target infrastructure, its operations, and the staff in the context of that target requiring quick and efficient on-boarding. There appeared to be a pattern, where the “best” IT, information security, and risk management teams were most tightly integrated into the broader corporate business operations. They viewed themselves as an integral member of the team — the only team, the one that served customers, partners, and investors. Sure, that is difficult in large, diversified corporations. It just didn’t stop some individuals, or other groups of IT and security professionals. A couple years ago, Gunnar Peterson wrote that

“The role of the security architecture is not to steer the business away from risk, but rather to educate their business partners about the risks they are taking and provide countermeasures that enable the business to take as much risk as suits their goals.”

This seems like a good description of a small slice of what I saw at those few M&A targets where there was a minimum of cultural separation between executive management, marketing, sales, product development, logistics, support, security, and the IT organization’s technical specialists who kept the “plumbing” humming so that it all worked. All this is not to imply that everybody needed to know everything. Decision-makers of all kinds understood that they needed a threshold understanding of short and long term goals along many of the specialty-dimensions that were required to operate in their field.

None of that excluded the kind of data-rich analytical work proposed recently by Ron Charette. His notion of collecting specific buckets of “strongly-typed” information about application security to support analysis and reporting — essential for making informed decisions, makes a lot of sense.

It seems, though, that in many corporate environments, it requires data, along with individuals having a critical mass of professional risk management experience and what I will abbreviate as “adult business behaviors,” to effectively join teams of leaders (at all levels) to deal with risk in a manner that expresses time-, product-, and location-bound risk tolerances. That professional and “adult” combination is still a barrier for too many, and no new strategy will break through that barrier.

There is little, and shrinking room for techno-centric (“geek”) information security pros in the business communities where serious information or technology infrastructure operations risk decision-making takes place. Similarly, there appears to be dwindling room for experience-light or even experience-free “professional leaders.” Some career security team members engage all their work-life energy in the details, technologies, and operations of what is a modern information security organization, and then attempt to apply what they know to the various projects that come their way. They serve a valuable purpose, but they require constant management attention. They will tend to be of little assistance when we need to help translate pools of valuable data into a material resource for business decision-making, and even less when we have only a fine mist of information available.

A serious, expert, security professional is not only the holder of a credential. They need to have worked through at least a decade (see: “The Making of an Expert.” HBR 1 Jul 2007) of intense practice and dedicated coaching, constantly pushing themselves beyond their comfort zones to understand enough of the history, theory, craft, and rigorous intellectual practices that support risk management in a modern diversified corporate environment. A key component of that professionalization is learning how to share with and learn from leaders (formal and informal) throughout a business. In a highly dynamic business environment, they need to be able to synthesize new knowledge from their learning and experiences. Some are able to “simply” join that broader business environment. Others need to help construct more formalized processes, even new organizations to facilitate the level of cross-domain interaction required to effectively align risk decision-making and implementations with the other business dimensions essential for success in the marketplace. In either situation, this is what I meant by “adult business behaviors” above. Get a new model for “selling” information security as an enabler, or a new enterprise website security strategy into their hands, and I believe that you will begin to get traction.

– References –

“The Problem With Selling Information Security as a ‘Business Enabler.’” By Daniel Miessler on March 26th, 2009: http://dmiessler.com/blog/the-problem-with-selling-information-security-as-a-business-enabler

“Website security needs a strategy.” By Jeremiah Grossman, Thursday, March 26, 2009: http://jeremiahgrossman.blogspot.com/2009/03/website-security-needs-strategy.html

“Security Architecture Blueprint.” By Gunnar Peterson: http://arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf and http://1raindrop.typepad.com/1_raindrop/2007/05/security_archit.html

“Proposal of Web Application Security Metric Framework to Compliance/Configuration Management Vendors.” By Ron Charette: http://roncharette.blogspot.com/2009/03/proposal-of-web-application-security_26.html

“The Making of an Expert.” HBR 1 Jul 2007, By K. Anders Ericsson, Michael J. Prietula, and Edward T. Cokely (requires login or purchase to access most of the article): http://hbr.harvardbusiness.org/2007/07/the-making-of-an-expert/ar/1
