Monday, July 16, 2007

Behind the 8-ball

I'm back, first off... so expect more regular writings from me. I've been doing a lot of moving, but I think I'm settled back down now, and have some good topics in mind to write on based on my travels and insights gained.

On a recent flight in to Westchester on business I had the pleasure of meeting a gentleman who gave me a whole new perspective on security, fraud, and the financial arena. He is a managing partner with a very large financial institution we've all seen and heard of, so I know he's seen many of the same issues that I have in my daily struggle. His perspective was invaluable because he wasn't seeing it from the technology side of things.

The topics I want to highlight here are fraud and consumer protection online. Those seemed to be the two biggest topics no matter how you see the industry. I'll address some of the key points, and leave some of the ideas we talked about on the table for discussion. The reality is that we came up with more questions than answers, and the more you seem to pursue the point, the deeper the rabbit hole gets.

Fraud sucks up a business's money no matter how hard it works to prevent it. In the end, the fraudster has a larger budget, more time, and a better attack strategy than we who protect the landscape do, period. Allow me to expand on this point a little bit. Fraud is a multi-billion-dollar industry, reported or not - this is the reality. It's committed around the clock, in large and small dollar amounts, around the world, and around the corner. What continues to fascinate me is the depth of the coffers of some of the fraudsters I've encountered and heard about through the grapevine. While we in IT security have limited funds, I mean let's be realistic our budgets aren't keeping up with the threats, the fraudsters scam money to make money to make more money and it only grows from there. Often, they don't actually need real money to scam you... they just need to steal someone else's! Let me address each of the above points in some detail for clarity of point.
  1. Money -- Fraudsters have a lot of it, and even if they don't, they don't need a lot to defraud for huge sums. This is the crux of the problem. IT budgets are always in a pinch, and security is even worse off typically. Surveys in recent history (check out this one [from 2006] from Deloitte, it's eye-opening) show that security budgets are typically not even a double-digit percentage of the entire IT budget. What does that tell us? While CISO's are spending more time in the board room, they aren't getting very good results if you look at the budgets we're getting. Let's take a hypothetical here... A company's IT budget is $10MM, which means (typically, based on statistical average) their budget for IT security is often less than $500,000.00. That really isn't much when you consider how expensive software licenses are, how much staff is needed, and how much 'bad stuff' is happening out there. I'm not advocating throwing money at the problem - I'm simply saying that often times we're left with empty coffers when it comes to affording the necessities. A fraudster doesn't have this problem, and here's why. We all know it takes money to make money, unless you happen to be engaging in fraud, that is. The whole premise of fraud is to steal money, right? Sure, it takes some start-up funds to get a scam or fraud going - but once the ball is in motion it is typically self-funding. Security professionals only dream of budgets as large as some fraudsters funds. I think it's rather obvious we need to concede defeat on the budget issue. We're never going to match the budgets that fraudsters have. So we move on.
  2. Time -- This point is even more interesting than the money angle. Let me start with the fraudster's point first, and then pose that against the IT security professional. A fraudster has nothing but time on their hands, time to plan, time to scheme, and time to execute. Every great heist movie I've ever seen has the criminals planning for weeks, months and maybe years before executing at the perfect moment. A fraudster can use time to his or her advantage. The criminal element is typically motivated by money, so they can use as much time as they need to in order to accomplish their goals. IT Security professionals are very limited on time. If you disagree with me, I would like to delegate some tasks to you. The typical security staffer is stretched so thin it's a wonder how we get anything done. We focus our time on trying to deliver to the business so often times sitting at a console and looking for signs of fraud is not on the schedule. This is where we can take back some of that disadvantage by making smart purchasing decisions, and buying good analytical tools and outsourcing monitoring and detection. I have more to say on this topic - but let's leave it at this for now.
  3. Attack Surface -- here is where we, the IT Security staff are behind the eight ball pretty badly. We have an entire network to protect with all the complicated working parts constantly moving and changing. We have wans, lans, vpns, servers, applications, web sites, and people just to name a few of the assets that are in need of protection. We have to keep a watchful eye on the entire attack surface that is our company landscape. Sure, we can be smart about it, reduce our exposures, monitor key assets and anticipate attack strategies of fraudsters - but in the end we're protecting everything, and they only have to attack and exploit one thing. Here is where we lose big. It's extremely difficult even for the best tools, the best analysts, and the best partners to protect every entry point, every key asset. Consider that all a fraudster has to do is find that one weakness, that one point of entry - and they own your money. This fact alone is enough to make you break down and give up sometimes.
There you have it. The main reasons, in this humble writer's opinion, why fraud is so difficult to combat and beat. I'll write on the second topic soon... stay tuned! As always, I value your opinions, anonymous or otherwise.

No comments: