Naavi.org

As a consultant in the difficult area of “Cyber Dispute Risk Management” (More easily understood as Legal Compliance Consultancy),  I often encounter a situation where a Company appears fully in agreement with the need to  implement some suggestions made such as need for ITA 2008 compliance  but on the ground, no action seems to happen.

I have been encountering a similar experience when I try to convince users that the Online Dispute Resolution mechanism under ODR Global is a great thing for them.

As consultants we are responsible for “Making it happen”, and cannot take “No” for an answer . We therefore  keep trying  again and again and when we get the reply, ..”Yes….But”, we feel frustrated that what we believe is good and should happen is taking a longer time than it should. In the meantime if something untoward happens which could have been mitigated if the suggestions had been implemented, some consultants feel “Deja Vu” and “I told you so..” . But most genuine consultants feel “Pained and Angry” that their suggestions were ignored.

When an assessment of “Due Diligence” under ITA 2008 compliance is made, the fact that a consultant had suggested some measures for mitigating a risk but was not implemented may actually be treated as negligence. HIPAA directly addresses such issues by increasing a penalty if an identified risk is not addressed.

Information Security Professionals and Corporate managers who deal with legal compliance (as well as other managerial responsibilities) need to be fully aware of this “Yes…But” syndrome and avoid being a victim. This is part of the third dimension of Information Security Risk Management namely the “Behavioural Science” aspect that works along with Technical and Legal dimensions in the Naavi’s “Total Information Assurance” concept.

“Yes…But” is classified as a “Psychological Game” by Eric Berne. It is a frequent response that a person gives when something is suggested to him either voluntarily or on specific request. The subject some times comes to a friend (in the present context, a consultant) and holds out a problem. The friend genuinely comes up with a suggestion which the subject says.. Yes…. but it does not suit my requirement..because…… The friend suggests some thing else..and gets the same excuse. This game goes on until the friend gives up.

Eric Berne identified that there is a method these game players follow as described below.

Method

Agree, then show how you do not agree. Their argument may make perfect sense in many ways, but it does not work as a persuasion with you.

‘Yes, but’ is a classic way of agreeing and not agreeing.

Example
Yes, I know it’s important. But I don’t have time at the moment.

That’s a really good idea. Though when you think about it, it will cause subtle problems.

Yes, we could go out. And no, I don’t want to.

Discussion
Agreeing first mollifies the other person or maybe lulls them into a false sense of success. The refuting of their argument then acts as a shock, such that they may well not be able to fully respond to your words.

‘But’ effectively says that what has just been said is not true, or at least is not completely true. The following words then reveal the real truth.

Why does this happen?. After all the subject had identified a problem and infact approached the friend/consultant to find a solution. Eric Berne identified this as a “Psychological Game” deliberately played by the subject for the feeling of “Self Gratification” that he is in trouble but there is no body who can help him and he is doomed to suffer.

It is difficult for some of us to accept that we are playing a “Yes…But” game because we want to remain in problem and donot want it solved.

Resolving an “Yes..But” situation is more through a self-realization than the external person attempting a therapy. Hence, the consultant needs to have an enormous patience and try to achieve his goal in small steps where the subject sees some benefit quickly and tries to get over his own self doubting attitude.

I invite readers to share their own experience in this regard in their professional life and how they resolved it.

Naavi

More Details of Yes… But Game (See page 49)

Also see here

In a reply to a PIL in Nagpur, the Government of India is reported to have indicated that a Chair Person has finally been appointed to the Cyber Appellate tribunal in Delhi. The incumbent is reportedly a retired judge from Chennai.

However, the official website is yet to confirm the appointment. Last time, when Mr S.K.Krishnan was appointed, he was appointed as a member and not designated as Chair person for more than 9 months and he reached his superannuation without being able to discharge any work.

We have to therefore wait until a final announcement is made. However, this time the appointment may actually happen and after 5 years, CAT may become functional once again.

Naavi

Naavi has been a long time advocate of the use of electronic means of communication in Judicial matters. Whenever we hear that accused escapes while in transit to a Court or see the enormous police force deployment just to bring in convicts and under trials to the Court and escorting them back again, we have regretted the inefficient systems that drains out the resources of the Government and come back to haunt us in the form of increase in taxes.

For various compulsions such as the need to make a progress in the 26/11 trials and the inability to get David Coleman Headley, a key accused to be brought physically to the Indian Courts, his  deposition as an approver was obtained by the Mumbai Sessions Court through a video conference. Now this video evidence will be a key to  further proceedings in India and discussions in international counter terrorism circles.

Though this is not the first time, an Indian Court has used “Video Conference” to interact with the accused or the witnesses, this will be the most significant and noticed incidence of the use of Video Conference in judicial proceedings in India.

The current proceedings took place directly in the presence of the Judicial authority at one end while at the other end of the Video conference, a foreign prison agency was present. At this point of time, we are not aware what procedures the Court used to enable the evidence meet the requirements of law.

The procedure which Naavi has been advocating for such purposes involves a trusted third party being able to produce a Section 65B certificate to make the video file admissible as evidence. It is also recommended that a representative of the Court be present at the end of the deposer just to confirm his identity and the process used at his end to depose.

These principles of Cyber Law Compliant video conferencing has been incorporated in the new service that Naavi has launched in his “ODR Global” project through www.arbitration.in.

The “ODR Global Project” is the first leg of a series of activities that Naavi has planned to bring more and more dispute resolutions online. ODR Global uses the “Virtual Arbitration Room” as the key to conducting such proceedings and also provides for the virtual presence of a neutral observer who provides the Section 65B certification.

The “ODR Global Project” is now kept open for investors to join so that it could be scaled up to its potential level of operation.

The David Coleman Headley’s deposition in a similar system is considered in this context as a reminder to the potential that such systems hold for civil judicial process and the ADR process. There is no reason why this should not become a default alternative system of conducting all judicial processes with the consent of all the stake holders.

For more on the advantages of the “ODR Global Project”, visit www.arbitration.in or this investor’s link.

Naavi

Carbanak is one of the dreaded attacks which is reported to have been used to steal over $1 billion from the Banking systems since 2013. After a brief absence, security specialists now report that the attack is active once again.

Investigators estimated at the time that the attackers breached the networks of more than 100 banks across 30 countries, stealing up to $1 billion. JP Morgan Chase and the Agricultural Bank of China are reported to have suffered heavy damages on account of Cabanak attack.

The attackers either transferred money to their own accounts, ordered the money distributed to remote ATMs where an associate waited to receive or, in some cases, penetrated the banks’ accounts systems to change bank balances and then order transfers. The attack went undetected for periods in excess of 18 months.

Unlike other attacks that target the customers of the Bank, Carbanak is an APT (Advanced Persistent Threat) designed to attack the Banking systems directly and execute transactions without the need to impersonate the online users. It also attacks the internal financial systems of large corporations.

Carbanak is a well organized system that uses several known exploitation techniques executed as an organized industry effort.

Initial infiltration was achieved through spear phishing and exploit laden attachments that compromised employee endpoints with malware, eventually stealing the credentials and taking over control. Once inside, the security controls are weak and enable the attacker to simply execute fund transfer transactions with ease.

The latest variant of the attack indicates that this is a  mix of multi channel fraud that abuses both online and physical systems from within and via the banks’ service channels.

The attackers did the following:

• Infected computers attached to ATMs so the machines dispensed cash at the same time the gang’s mules were there to pick it up;
• Compromised internal Oracle databases, created fraudulent accounts, issued cards and modified account balances to wire out more money each time;
• Abused the Society for Worldwide Interbank Financial Telecommunication system to move large amounts of money into accounts they controlled;
• Used the online banking vector for e-pay fraud and fraudulent transactions.

Experts are of the view that Carbanak attack was preventable. It was a well-orchestrated crime operation but not necessarily considered a sophisticated operation at technical level. It was the failure to protect the end point systems of the employees that enabled unsafe downloads to start with and subsequent failure to detect and stop exfiltration of data that led to the success of the operation.

In another attack involving malware known as Metal and Corkow, attackers infected the target  bank’s corporate networks via spearphishing e-mails.

In one of the Russian banks hit by this attack , it was discovered that millions of rubles were withdrawn by its customers in one night from the ATMs of other financial institutions. An investigation revealed that the attackers actually gained access to the bank’s money processing systems and made some changes to automatically roll back ATM transactions.

This allowed the gang’s members to withdraw money from several ATMs and the balance on their cards remained the same.

In yet another attack named GCMAN, a time based script executed fund transfer instructions of $200 every minute to multiple e-currency services without being reported to any system within the Bank.

These developments indicate that as Banks and Large corporates migrate to the use of Digital ways of doing business, they are exposed to risks that need to be addressed with a greater resolve than they are doing at present.

The Cyber Insurance industry also has to look at how they would be able to cover such risks and how they will treat the failure of security for extended periods of time.

Related Articles:

1. Securityintelligence.com
2. Scmagazine.com
3. Securityweek.com