
P a g e | 1

______________________________________ Sarbanes Oxley Compliance Professionals Association (SOXCPA)

Sarbanes Oxley Compliance Professionals Association (SOXCPA) 1200 G Street NW Suite 800 Washington, DC 20005-6705 USA Tel: 202-449-9750 Web: www.sarbanes-oxley-association.com

Sarbanes Oxley News, April 2017 Dear Member, Today we will start with the final official speech of Daniel Tarullo.

Departing thoughts Daniel K Tarullo, Member of the Board of Governors of the Federal Reserve System, at the Woodrow Wilson School, Princeton University, Princeton, New Jersey Tomorrow is my last day at the Federal Reserve. So in this, my final official speech, it seems appropriate to offer a broad perspective on how financial regulation changed after the crisis. In a moment, I shall offer a few thoughts along these lines. Then I am going to address in some detail the capital requirements we have put in place, including our stress testing program. Eight years at the Federal Reserve has only reinforced my belief that strong capital requirements are central to a safe and stable financial system. It is important for the public to understand why this is so, especially at a moment when there is so much talk of changes to financial regulation.


The Post-Crisis Regulatory Response To understand the regulatory changes made in response to the 2007 to 2009 financial crisis, it is useful to recall the circumstances with which regulators and legislators were confronted. First, of course, was the sheer magnitude of the impact on the economy, which suffered its worst recession since the Great Depression. Second was the dramatic freezing up of many parts of the financial market, risking successive waves of fire sales that would send asset values plummeting anew. Third was the rapid deterioration of financial firms. Hundreds of smaller banks eventually failed. Bear Stearns, Merrill Lynch, Wachovia, and Countrywide were all close to failure when they were acquired by other financial firms with one or more forms of government support or assistance. American International Group was rescued directly by the government. Lehman Brothers did fail, which set off the most acute phase of the crisis. The impact of Lehman’s bankruptcy seemed to confirm fears that failure of the largest financial firms risked the complete implosion of the financial system. This, of course, is the too-big-to-fail problem: government officials may feel compelled to save private financial firms with public (that is, taxpayer) capital. Meanwhile, financing markets had nearly frozen up. Hence the extraordinary government actions that followed. Public capital was injected into all of the nation’s largest remaining banking firms following congressional enactment of the Troubled Assets Relief Program (TARP). The Federal Reserve and the Department of the Treasury provided financing and backstops, respectively, for money market funds and various forms of securitized assets. The Federal Deposit Insurance Corporation extended its guarantees to bank deposits and the senior debt of banks. To read the paper: http://www.bis.org/review/r170407c.pdf


PCAOB Announces 2017 Forums on Auditing in the Small Business Environment Topics include professional skepticism, risk assessment, substantive analytical procedures, auditing estimates, and related-party transactions

The Public Company Accounting Oversight Board announced that the Board will host two Forums on Auditing in the Small Business Environment in 2017, on May 19 in Los Angeles and July 20 in New York City. The New York forum will be livestreamed for the first time, offering an alternative to attending the event in person. The forums will feature topics including exercising professional skepticism, risk assessment, substantive analytical procedures, auditing estimates, and related party transactions.

"We are exploring new and efficient ways to enhance our outreach efforts," said James R. Doty, PCAOB Chairman. "This will provide greater access for interested individuals to participate and engage with the PCAOB on the important oversight issues that affect them."

Staff from the Securities and Exchange Commission will provide an update on recent SEC activities related to the new revenue accounting standard from the Financial Accounting Standards Board. SEC staff also will discuss changes resulting from FASB's new lease accounting standard and observations about common financial reporting issues facing smaller public companies.

"This year's forums reflect feedback from prior forums and audit challenges that PCAOB inspectors and others have identified in small to midsized public company audits," said Mary Sjoquist, Director of the Office of Outreach and Small Business Liaison.

Forums are live meetings and are generally hosted by a PCAOB Board member. They are open to members of smaller PCAOB-registered firms that audit public companies. There is no fee to participate, but preregistration is required. Attendees also have the opportunity to earn continuing professional education credits.

In addition to the Small Business Forums, the PCAOB will host two Forums for Auditors of Brokers and Dealers in 2017. Additional details for those, including registration information, will be provided at a later date.


New cyber assessment program focuses on operational risk

A new cyber assessment program, known as a Command Cyber Operational Readiness Inspection (CCORI), focuses on providing combatant commands and federal agencies with a greater understanding of the operational risk their missions face because of their cybersecurity posture.

The CCORI model is a modification of the well-known Command Cyber Readiness Inspection (CCRI), which focuses on evaluating an organization’s compliance with DOD security orders and directives, and assessing network vulnerabilities, physical and traditional security, and user education and awareness. CCORIs seek to provide a more threat-focused, mission-based assessment.

“Commanders at sites where CCORIs are held will be able to understand that being 'compliant' does not necessarily mean their site is 'secure,'” said Jimaye Sones, director of the DOD Information Networks (DODIN) readiness and security inspections directorate, which is aligned within the Defense Information Systems Agency and conducts assessments under the authority of the Joint Force Headquarters-DODIN and Cyber Command. “Also, they will understand what impact the vulnerabilities found in a traditional CCRI have, in terms of the threat to their mission, if an adversary takes advantage of the vulnerabilities.”

CCORIs will also provide the mission owner and the Joint Force Headquarters-DODIN commander a greater understanding of the level of risk to the DODIN. CCORIs analyze three levels of effort to review operational risk: mission, threat, and vulnerabilities. Mission analysis is phased into the four phases of the operations order: site selection, scoping/pre-inspection, inspection, and post-inspection.

“Once a site is selected, the team scopes the assessment based on the unit’s mission. A threat element simulates a contested work environment using specific software tools across internal and external attack vectors of the network, while also conducting a standard, compliance-based CCRI against the highest priority vulnerabilities. In the end, an ‘operational risk’ maturity model is determined by a National Institute of Science and Technology Cybersecurity Framework maturity level,” said Sones.

The CCORI inspection model supports the DOD Cybersecurity Culture and Compliance Initiative and the subsequent resource management decision to enable military service cyber components and federal agencies with DODIN inspection teams. From April 2016 through February 2017, DISA led three pilots to develop and test new processes using the CCORI methodology, leading to further refinement and maturation of operational assessment processes. The first full CCORI was conducted in October 2016 and subsequent CCORIs were conducted in January and February.

While DISA moves forward with the CCORIs, the agency will continue planning traditional CCRIs, as well as cybersecurity service provider and public key infrastructure audits at other DODIN sites. “All of the federal agencies and combatant commands operating on the DODIN will benefit from this program aimed at providing mission assurance,” said Sones.


Quantum Computers May Have Higher ‘Speed Limits’ Than Thought

How fast will a quantum computer be able to calculate? While fully functional versions of these long-sought technological marvels have yet to be built, one theorist at the National Institute of Standards and Technology (NIST) has shown that, if they can be realized, there may be fewer limits to their speed than previously put forth. The findings—described as a “thought experiment” by NIST’s Stephen Jordan—are about a different aspect of quantum computing speed than another group of NIST researchers explored about two years ago. While the previous findings were concerned with how fast information can travel between two switches in a computer’s processor, Jordan’s new paper deals with how quickly those switches can flip from one state to another.

The rate of flipping is equivalent to the “clock speed” of conventional processors. To make computations, the processor sends out mathematical instructions known as logic operations that change the configurations of the switches. Present-day CPUs have clock speeds measured in gigahertz, which means that they are capable of performing a few billion elementary logic operations per second. Because they harness the power of quantum mechanics to make their calculations, quantum computers will necessarily have vastly different architectures than today’s machines. Their switches, called quantum bits or “qubits,” will be able to represent more than just a 1 or 0, as conventional processors do; they will be able to represent multiple values simultaneously, giving them powers conventional computers do not possess.

Jordan’s paper disputes longstanding conclusions about what quantum states imply about clock speed. According to quantum mechanics, the rate at which a quantum state can change—and therefore the rate at which a qubit can flip—is limited by how much energy it has.


While Jordan believes these findings to be valid, several subsequent papers over the years have argued that they also imply a limit to how fast a quantum computer can calculate in general. “At first glance this seems quite plausible,” Jordan said. “If you’re performing more logic operations, it makes sense that your switches would need to go through more changes. In both conventional and quantum computing designs, each time a logic operation occurs”—making its switches flip—“the computer hops to a new state.”

Using the mathematics of quantum systems, Jordan shows that it is possible to engineer a quantum computer that does not have this limitation. In fact, with the right design, he said, the computer “could perform an arbitrarily large number of logic operations while only hopping through a constant number of distinct states.” Counterintuitively, in such a quantum computer, the number of logic operations carried out per second could be vastly larger than the rate at which any qubit can be flipped. This would allow quantum computers that embrace this design to break previously suggested speed limits.

What advantages might this faster clock speed grant? One of the primary applications envisioned for quantum computers is the simulation of other physical systems. The theoretical speed limit on clock speed was thought to place an upper bound on the difficulty of this task. Any physical system, the argument went, could be thought of as a sort of computer—one with a clock speed limited by the system's energy. The number of clock cycles needed to simulate the system on a quantum computer should be comparable to the number of clock cycles the original system carried out.

However, these newly discovered loopholes to the computational speed limit are a “double-edged sword.” If energy does not limit the speed of a quantum computer, then quantum computers could simulate physical systems of greater complexity than previously thought. But energy doesn’t limit the computational complexity of naturally occurring systems either, and this could make them harder to simulate on quantum computers.


Jordan said his findings do not imply that there are no limits to how fast a quantum computer could conceivably calculate, but that these limits derive from other aspects of physics than merely the availability of energy. “For example, if you take into account geometrical constraints, like how densely you can pack information, and a limit to how fast you can transmit information (namely, the speed of light), then I think you can make more solid arguments,” he said. “That will tell you where the real limits to computational speed lie.”

Paper: S.P. Jordan, Fast quantum computation at arbitrarily low energy. Physical Review A, published March 6, 2017. http://journals.aps.org/pra/abstract/10.1103/PhysRevA.95.032305


Turning to Chemistry for New “Computing” Concepts DARPA explores approaches to store and process vast amounts of data using encoded molecules

As the complexity and volume of global digital data grows, so too does the need for more capable and compact means of processing and storing data. To address this challenge, DARPA has announced its Molecular Informatics program, which seeks a new paradigm for data storage, retrieval, and processing. Instead of relying on the binary digital logic of computers based on the Von Neumann architecture, Molecular Informatics aims to investigate and exploit the wide range of structural characteristics and properties of molecules to encode and manipulate data.

“Chemistry offers a rich set of properties that we may be able to harness for rapid, scalable information storage and processing,” said Anne Fischer, program manager in DARPA’s Defense Sciences Office. “Millions of molecules exist, and each molecule has a unique three-dimensional atomic structure as well as variables such as shape, size, or even color. This richness provides a vast design space for exploring novel and multi-value ways to encode and process data beyond the 0s and 1s of current logic-based, digital architectures.”

Molecular storage concepts, such as those based on DNA sequences, have advanced in recent years and show promise for archiving digital data in a format that takes up extremely small physical space, Fischer said. But DNA storage doesn’t allow for rapid retrieval and processing of selected portions of the DNA-encoded data without having to first decode the molecule-based data back into an electronic digital format to use with existing information systems.

The primary technical challenge posed by the Molecular Informatics program is the integration of dense storage concepts with processing of molecule-encoded information via completely new, non-binary information structures. The intent of the program is to explore such opportunities in the much broader design and encoding space of millions of molecules, which offers far more opportunity than do the four building-block molecules (As, Ts, Cs, and Gs) of DNA.

To achieve its goals, the program will require a diverse, collaborative community of researchers from fields including chemistry, computer and information science, mathematics, and chemical and electrical engineering. These integrated teams will need to answer foundational questions such as: How can data be encoded in molecules? What types of data operations can molecules execute? What does “computation” mean in a molecular context? By addressing mathematical and computational problems that challenge our current capabilities, the Molecular Informatics program aims to discover and define opportunities for the use of molecules in information storage and processing.

“Fundamentally, we want to discover what it means to do ‘computing’ with a molecule in a way that takes all the bounds off of what we know, and lets us do something completely different,” Fischer said. “That’s why we absolutely need the diverse knowledge of many different fields working together to jump into this new molecular space to see what we can discover.”

A webinar-based Proposers Day for Molecular Informatics will be held April 7, 2017. For additional information and registration details, please visit: https://go.usa.gov/xXKvQ

A Broad Agency Announcement solicitation with more details on the program will be made available soon on FedBizOpps: http://go.usa.gov/3W53j


The “Manufacturing Profile” of the Cybersecurity Framework

This document provides the Cybersecurity Framework implementation details developed for the manufacturing environment. The “Manufacturing Profile” of the Cybersecurity Framework can be used as a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices. The Profile gives manufacturers:

• A method to identify opportunities for improving the current cybersecurity posture of the manufacturing system
• An evaluation of their ability to operate the control environment at their acceptable risk level
• A standardized approach to preparing the cybersecurity plan for ongoing assurance of the manufacturing system’s security

The Profile is built around the primary functional areas of the Cybersecurity Framework which enumerate the most basic functions of cybersecurity activities. The five primary functional areas are: Identify, Protect, Detect, Respond, and Recover. There are 98 distinct security objectives within the primary functional areas. These 98 objectives comprise a starting point from which to develop a manufacturer-specific or sector-specific Profile at the defined risk levels of Low, Moderate and High.

This Manufacturing “Target” Profile focuses on desired cybersecurity outcomes and can be used as a roadmap to identify opportunities for improving the current cybersecurity posture of the manufacturing system. The Manufacturing Profile provides a prioritization of security activities to meet specific business/mission goals. Relevant and actionable security practices that can be implemented to support key business/mission goals are then identified.


This Manufacturing Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. The Manufacturing Profile is meant to enhance but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing.

To read the paper: http://csrc.nist.gov/cyberframework/documents/csf-manufacturing-profile-draft2.pdf


“We have broken SHA-1 in practice”! This industry cryptographic hash function standard is used for digital signatures and file integrity verification, and protects a wide spectrum of digital assets, including credit card transactions, electronic documents, open-source software repositories and software updates. It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.

For example, by crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone into creating a valid signature for a high-rent contract by having him or her sign a low-rent contract.

To learn more: https://shattered.io/static/shattered.pdf https://shattered.io/static/infographic.pdf
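Two points a practitioner should keep in mind about the rental-agreement trick. First, SHAttered is a collision attack, not a preimage attack: the attacker must author both documents up front and cannot produce a second document matching the hash of a file someone else already signed. Second, the reason one collision pair yields unlimited document pairs is SHA-1's Merkle–Damgård structure: once two different prefixes drive the compression function to the same internal chaining state, any identical bytes appended to both keep the digests equal. The Python below is an added example, not code from shattered.io or the paper. It re-implements SHA-1 with the chaining state exposed, checks itself against hashlib, and adds two helpers of its own (the names are this example's, not the project's): collision_extends(), which shows the suffix-extension property for any pair of equal-length prefixes that reach the same state, and looks_like_sha1_collision(), the check a verifier can run on two files. The shattered.io PDFs are deliberately not embedded here; read them from disk and pass their first 320 bytes as the two prefixes to see the extension hold on real data.

```python
import hashlib
import struct

# Added example: pure-Python SHA-1 (FIPS 180-4) with the chaining state exposed.
# Not the shattered.io authors' code. Function names are this example's own.

H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def compress(state, block):
    """One SHA-1 compression step: 160-bit chaining state + 64-byte block -> new state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[i]) & MASK
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d, e)))


def state_after(prefix):
    """Chaining state after absorbing a prefix whose length is a multiple of 64 bytes."""
    if len(prefix) % 64:
        raise ValueError("prefix must be a whole number of 64-byte blocks")
    state = H0
    for i in range(0, len(prefix), 64):
        state = compress(state, prefix[i:i + 64])
    return state


def finish(state, prefix_len, suffix):
    """Resume from a chaining state: absorb suffix, apply padding, return the 20-byte digest."""
    data = suffix + b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack(">Q", (prefix_len + len(suffix)) * 8)
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return b"".join(struct.pack(">I", x) for x in state)


def sha1(msg):
    """Full SHA-1 digest of msg, built from state_after() and finish()."""
    head = len(msg) - len(msg) % 64
    return finish(state_after(msg[:head]), head, msg[head:])


def self_check(msg, cut=64):
    """True if both the one-shot digest and a resumed digest match hashlib."""
    cut = min(cut, len(msg) - len(msg) % 64)
    expected = hashlib.sha1(msg).digest()
    resumed = finish(state_after(msg[:cut]), cut, msg[cut:])
    return sha1(msg) == expected and resumed == expected


def collision_extends(prefix_a, prefix_b, suffix):
    """Merkle-Damgard property: equal-length prefixes that reach the same chaining
    state give equal digests for *any* common suffix. Returns False unless the
    prefixes collide at the state level."""
    if len(prefix_a) != len(prefix_b) or len(prefix_a) % 64:
        return False
    sa, sb = state_after(prefix_a), state_after(prefix_b)
    if sa != sb:
        return False
    return finish(sa, len(prefix_a), suffix) == finish(sb, len(prefix_b), suffix)


def looks_like_sha1_collision(doc_a, doc_b):
    """Verifier-side check: distinct inputs, equal SHA-1, different SHA-256."""
    return (doc_a != doc_b
            and hashlib.sha1(doc_a).digest() == hashlib.sha1(doc_b).digest()
            and hashlib.sha256(doc_a).digest() != hashlib.sha256(doc_b).digest())


if __name__ == "__main__":
    print("self-check:", self_check(bytes(range(256)) * 3 + b"tail"))
    # With the two shattered.io PDFs on disk, their first 320 bytes are
    # equal-length colliding prefixes and collision_extends(...) returns True
    # for every suffix. Constructed, non-colliding prefixes return False.
    print("extends:", collision_extends(b"A" * 64, b"B" * 64, b"same suffix"))
```

The practical consequence for anyone still verifying files or signatures with SHA-1: the signature covers the digest, and the digest cannot distinguish the two documents, so the only defences are to sign with SHA-256 (or stronger) and, in the transition period, to compare the SHA-256 of anything whose SHA-1 you are asked to trust.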


America's Central Bank - the history and structure of the Federal Reserve Jerome H Powell, Member of the Board of Governors of the Federal Reserve System, at the West Virginia University College of Business and Economics Distinguished Speaker Series, Morgantown, West Virginia I am delighted to have this opportunity to speak at West Virginia University. Thanks to Brian Cushing for inviting me here today. Gathered in this part of West Virginia, we are located in the Fifth Federal Reserve District, which stretches down from here to South Carolina and east to the Atlantic Ocean. More than 100 years ago, the organizers of the Federal Reserve System divided the country into 12 of these Districts, each with its own Federal Reserve Bank. Together, the Board of Governors in Washington and the 12 Reserve Banks are the key elements of the Federal Reserve System. Today I will discuss how the Federal Reserve came to have this unique structure. The Fed's organization reflects a long-standing desire in American history to ensure that power over our nation's monetary policy and financial system is not concentrated in a few hands, whether in Washington or in high finance or in any single group or constituency. Rather, Americans have long desired that decisions about these matters be influenced by a diverse set of voices from all parts of the country and the economy. The structure of the Federal Reserve was designed to achieve this broad representation and promote a stronger financial system to build resiliency against the sort of periodic financial crises that had repeatedly damaged the country in the 19th and early 20th centuries. This structure was forged from compromise; the result of that compromise was a vitally needed central bank whose decisions take into account a broad range of perspectives.


Before the Federal Reserve The question of how to structure our nation’s financial system arose in the early years of the republic. In 1791, Congress created an institution known as the Bank of the United States, often considered a forerunner of the Federal Reserve. The Bank was created in part to assist the federal government in its financial transactions, a typical responsibility of central banks at that time. It was also designed to help America’s financial system meet the needs of a growing economy--the same purpose behind the founding of the Federal Reserve more than 100 years later. The most famous proponent of the Bank was Alexander Hamilton, who has recently achieved the central banker’s dream of being the subject of a hit Broadway musical.

To read more: http://www.bis.org/review/r170330d.pdf


From Lubyanka Square, Moscow, Russia?

1. From at least in or about 2014 up to and including at least in or about December 2016, officers of the Russian Federal Security Service ("FSB"), an intelligence and law enforcement agency of the Russian Federation ("Russia") headquartered in Lubyanka Square, Moscow, Russia, and a successor service to the Soviet Union's Committee of State Security ("KGB"), conspired together and with each other to protect, direct, facilitate, and pay criminal hackers to collect information through computer intrusions in the United States and elsewhere. The FSB officers, defendants DMITRY DOKUCHAEV, IGOR SUSHCHIN, and others known and unknown to the Grand Jury, directed the criminal hackers, defendants ALEXSEY BELAN, KARIM BARATOV, and others known and unknown to the Grand Jury (collectively, the "conspirators"), to gain unauthorized access to the computers of companies providing webmail and internet-related services located in the Northern District of California and elsewhere, to maintain unauthorized access to those computers, and to steal information from those computers, including information regarding, and communications of, the providers' users.

2. In some cases, the conspirators sought unauthorized access to information of predictable interest to the FSB. For example, as described in more detail below, the conspirators sought access to the Yahoo, Inc. ("Yahoo") email accounts of Russian journalists; Russian and U.S. government officials; employees of a prominent Russian cybersecurity company; and numerous employees of U.S., Russian, and other foreign webmail and internet-related service providers whose networks the conspirators sought to further exploit.

3. In other cases, the conspirators sought access to accounts of employees of commercial entities, including executives and other managers of a prominent Russian investment banking firm ("Russian Financial Firm"); a French transportation company; U.S. financial services and private equity firms; a Swiss bitcoin wallet and banking firm; and a U.S. airline.

4. One of the criminal hackers, BELAN, has been the subject of an Interpol "Red Notice" and listed as one of the Federal Bureau of Investigation's ("FBI") "Most Wanted" hackers since 2012. BELAN resides in Russia, within the FSB's jurisdiction to arrest and prosecute. Rather than arrest him, however, the FSB officers used him. They also provided him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by law enforcement, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers. It was BELAN who provided his FSB conspirators, including DOKUCHAEV and SUSHCHIN, with the unauthorized access to Yahoo's network described above.

5. In addition to executing DOKUCHAEV and SUSHCHIN's taskings, BELAN leveraged his access to Yahoo's network to enrich himself: (a) through an online marketing scheme, by manipulating Yahoo search results for erectile dysfunction drugs; (b) by searching Yahoo user email accounts for credit card and gift card account numbers and other information that could be monetized; and (c) by gaining unauthorized access to the accounts of more than 30 million Yahoo users, the contacts of whom were then stolen as part of a spam marketing scheme.

6. When the FSB officers, SUSHCHIN and DOKUCHAEV, learned that a target of interest had email accounts at webmail providers other than Yahoo, including through information gained from the Yahoo intrusion, they would task BARATOV to access the target's account at the other providers. When BARATOV was successful, as was often the case, his handling FSB officer, DOKUCHAEV, paid him a bounty.

7. For example, SUSHCHIN, DOKUCHAEV, and BARATOV sought access to the Google, Inc. ("Google") webmail accounts of: a. an assistant to the Deputy Chairman of the Russian Federation; b. an officer of the Russian Ministry of Internal Affairs; c. a physical training expert working in the Ministry of Sports of a Russian republic; and d. others, including additional examples described below.

To read more: https://www.justice.gov/opa/press-release/file/948201/download


Annual Report, Financial Stability Oversight Council (FSOC)

In the past year, concerns about slowing global growth, supply gluts in commodities markets, and shifts in exchange rate and monetary policies abroad led to significant price swings across a range of financial assets as U.S. interest rates remained low. Although these developments have created challenges for particular firms and sectors, financial regulatory reforms and a strengthening of market discipline since the global financial crisis have made the U.S. financial system more resilient, as vulnerabilities remained moderate. U.S. financial regulators and market participants made progress in addressing a number of structural vulnerabilities highlighted in the Council’s previous annual reports. The Federal Reserve finalized a rule requiring that global systemically important banks (G-SIBs) increase their holdings of common equity relative to risk-weighted assets (RWAs) and proposed standards for mandatory long-term debt and total loss-absorbing capacity for G-SIBs. The Federal Reserve and the FDIC completed their review of the 2015 resolution plans of eight of the largest, most complex U.S. bank holding companies (BHCs).


The agencies jointly determined that five of the firms had submitted plans that were not credible or would not facilitate an orderly resolution under bankruptcy and have notified these firms of the deficiencies in their plans. The Federal Reserve and the FDIC informed all eight firms of the steps they must take in response to the agencies’ findings. The International Swaps and Derivatives Association (ISDA) expanded the scope of its Universal Resolution Stay Protocol to cover securities financing transactions. In February 2016, the CFTC and the European Commission announced a common approach to the supervision of central counterparties (CCPs) operating in the United States and the European Union (EU). U.S. prudential regulators and the CFTC issued rules establishing minimum margin requirements for swaps that are not cleared through CCPs. The SEC finalized rules setting forth reporting requirements for securities-based swaps and establishing a process for the registration of securities-based swap dealers and major securities-based swap participants. The OFR, Federal Reserve System, and SEC collaborated on pilot projects to improve the collection and analysis of data on securities financing transactions.

These and other actions undertaken over the last year can be expected to make the largest, most interconnected financial institutions more resilient, improve regulators’ and firm managers’ ability to manage potential distress at such institutions, and reduce the impact of contagion that may arise from interconnections among firms and markets. Despite these important, positive steps, this report identifies a number of structural vulnerabilities and emerging threats in the U.S. financial system that require action from market participants, regulators, and policymakers. In addition, the Council continued its analysis of potential financial stability risks that may arise from certain asset management products and activities.


Based on this work, the Council identified areas of potential financial stability risks and, in April 2016, publicly issued a written update regarding its evaluation. Since May 2015, the SEC has issued several proposed rules affecting the asset management industry. The SEC has proposed rules to enhance data reporting for registered investment companies and registered investment advisers of separately managed accounts, strengthen liquidity risk management programs and disclosure for registered funds, and limit the amount of leverage that registered investment companies may obtain through derivatives transactions.

To read the report: https://www.treasury.gov/initiatives/fsoc/studies-reports/Documents/FSOC%202016%20Annual%20Report.pdf


Asian cyber criminals demonstrate ongoing professionalization

According to a report by security research group Check Point, cyber criminals in Asia are using fake mobile base stations to impersonate legitimate telecommunications companies while conducting SMS phishing ('SMiShing') campaigns. Their text messages link to malware dubbed the "Swearing Trojan" (due to the profanity included in its code) which steals bank details. It circumvents mobile-based two-factor authentication by replacing text messenger apps with malicious duplicates.

SMS spam is a lucrative business for criminals in Asia, who can also mount fake base stations in a vehicle and drive through cities. Nearby mobile devices mistakenly connect to the high power signal, allowing the spammers to transmit large numbers of SMS messages, often displaying false sender information, without paying network fees.

SMS spam is currently less common in the UK and, unlike email spammers, operators rarely operate across national borders due to the cost of sending text messages internationally. Nevertheless, this development abroad illustrates the ongoing professionalisation of cyber crime, and the readiness of criminals to combine existing techniques in innovative ways to exploit their victims.


Revisiting design with security in mind

Design Principles: Making services hard to compromise

Designing with security in mind means using concepts and techniques which make it harder for attackers to compromise your service using commodity techniques.

1. Validate or transform all external input before processing it. Simple data formats that can be validated are preferred to complex formats which can’t, though transformation can help where there is a need to process complex formats. Strictly validate or transform your content depending on your scenario:

- Validation – Validate structure and content of suitable file types (eg structured text). This should ensure that the input is not going to inject malicious code or have unintended effects on your service.

- Transformation – It is very difficult to check for malicious code in complex file formats such as PDF, spreadsheet or word-processing documents. In fact, parsing the file is itself a high-risk activity. In these cases it’s best to transform the content into another format to effectively ‘neuter’ any malicious content.

2. Render untrusted content in a disposable environment. If you need to keep an original copy of some untrusted and complex content received from an external source, it’s safest to only ever render it in an environment designed to handle malware. Consider using virtualisation techniques to create an environment that is non-persistent and is reset after processing potentially malicious content.

3. Only import trustworthy software and verify its legitimacy. Ensure you trust the vendors or communities providing software. Prefer software which has signatures you can verify to prove its integrity. Both the software and any updates should be verified when imported. Ideally this should be automated to ensure it actually happens.

4. Design for easy maintenance. A poorly maintained service is a vulnerable one. Make sure you are monitoring for security advisories and patches. Security vulnerabilities need to be easily fixed, either through software patches or by taking other mitigating actions in the short term. Frequent small updates are preferred over infrequent large ones. Smaller updates have lower risk profiles, and increasing the frequency of deployments creates confidence in deployment mechanisms. It also ensures teams are well disciplined in rolling back changes if they need to. Design your system so you don’t need to have outages in order to apply updates.

5. Use tried and tested frameworks rather than reinventing the wheel. Writing your own complex software from scratch rather than building upon a common framework is a high-risk strategy. Assuming you choose a popular framework which is actively being maintained, you can often benefit from the testing performed by a wide community of users who are actively discovering and fixing vulnerabilities.

6. Reduce your attack surface. Only expose interfaces necessary to operate the service. If would-be attackers can’t reach an interface, they can’t attack it. Remove all default accounts, passwords, scripts and demo capabilities. Don’t expose software you don’t need to. When building upon common frameworks, disable any components and libraries you don’t need.

7. Users with access to data should be identified and authenticated. Identification should be to the individual, not to the role. Data should only be released through an access control function that can verify the identity, authentication status and appropriate attributes of the user. This includes normal and privileged users.

8. Make it easy for administrators to manage access control. Having a unified view of access control for the service can help administrators maintain granted permissions more easily. Your design should support the identity lifecycle management processes (eg for joiners and leavers, people changing roles and ‘break glass’ credentials where you need them).

9. Don’t design or implement your own cryptographic protections. Designing new cryptography techniques is incredibly difficult and you should never need to do this. Use existing algorithms and protocols, preferably those exposed by your chosen software stack. To protect communications with service users we advise you follow our TLS guidance. For communication between the components of your service, you should encrypt using TLS or IPsec. This is particularly true if your goal is to minimise reliance on the security of any underlying network infrastructure.

10. Protect your management/operations environments from spear-phishing and watering-hole attacks. These two attack vectors are very popular. Systems administrators should not view email or browse the web from their administrative account or device. As a minimum, administration should be done using bastion hosts. With this approach, though, there remains the risk that malware could take control of an administrator’s session with the bastion host. This risk can only be mitigated by removing the opportunities for malware to gain access to the administrator’s device.

11. Make it easy for users to do the right thing. Security breaches often occur because users have developed workarounds for system inadequacies. Be sure to think about the potential for this when performing user research. For users interacting with your service, make the easiest method the most secure method.
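Principle 1 above has two halves: validate simple formats strictly, and transform complex ones into something that cannot carry malicious content. The Python below is an added example, not code from the original page or from the NCSC guidance it summarises. The record fields, regular expressions and size limit in the schema are assumptions chosen for illustration; the HTML-to-text transform uses only the standard library.

```python
"""Strict validation of a simple structured-text record, and transformation
of complex content into a format that cannot carry malicious code.

Added example, not code from the original page or from the NCSC. The record
fields, patterns and size limits below are assumptions chosen for illustration.
"""
import json
import re
from html.parser import HTMLParser

# Allow-list schema (assumed): every accepted field has a fixed type and a
# bound (a regex for strings, a range for integers). Anything else is rejected.
SCHEMA = {
    "account_id": (str, re.compile(r"[A-Z]{2}[0-9]{8}")),
    "amount_cents": (int, range(1, 10_000_000)),
    "memo": (str, re.compile(r"[\w ,.'-]{0,80}")),
}
MAX_INPUT_BYTES = 4096


class ValidationError(ValueError):
    """Raised for any input that does not match the schema exactly."""


def validate_record(raw: bytes) -> dict:
    """Parse and strictly validate a JSON record against SCHEMA.

    Oversized input, malformed JSON, unknown or missing fields, wrong types
    and out-of-bounds values are all rejected, so only data that matches the
    schema exactly reaches the rest of the service.
    """
    if len(raw) > MAX_INPUT_BYTES:
        raise ValidationError("input too large")
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValidationError(f"malformed input: {exc}") from exc
    if not isinstance(obj, dict):
        raise ValidationError("record must be a JSON object")
    unknown = set(obj) - set(SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    clean = {}
    for field, (ftype, bound) in SCHEMA.items():
        if field not in obj:
            raise ValidationError(f"missing field: {field}")
        value = obj[field]
        # Exact type check: bool is a subclass of int, so JSON `true` would
        # pass isinstance(value, int); type() is deliberately strict here.
        if type(value) is not ftype:
            raise ValidationError(f"{field}: wrong type")
        if isinstance(bound, re.Pattern):
            ok = bound.fullmatch(value) is not None
        else:
            ok = value in bound
        if not ok:
            raise ValidationError(f"{field}: value out of bounds")
        clean[field] = value
    return clean


def is_valid_record(raw: bytes) -> bool:
    """Convenience predicate for callers that only need accept/reject."""
    try:
        validate_record(raw)
        return True
    except ValidationError:
        return False


class _TextOnly(HTMLParser):
    """Keeps text nodes only; tags, attributes, scripts and styles are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def transform_html_to_text(untrusted_html: str) -> str:
    """Transform rich content to plain text rather than hunting for malicious
    markup: the output format has no way to carry scripts or active content."""
    parser = _TextOnly()
    parser.feed(untrusted_html)
    parser.close()
    return " ".join("".join(parser.parts).split())
```

The validator rebuilds a fresh dictionary from known-good fields instead of passing the parsed object through, and the transform never tries to recognise "bad" markup; it produces an output format in which the question does not arise.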
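Principle 3 asks that imported software and its updates be verified automatically, not by hand. The following Python is an added example, not code from the original page or from the NCSC. It stands in for a vendor signature check with a pinned SHA-256 digest obtained out of band, because the standard library has no public-key signature verification; the artifact name and contents are constructed.

```python
"""Verify imported software before it is used, and fail closed.

Added example, not code from the original page or from the NCSC. It assumes
each artifact ships with a SHA-256 digest obtained out of band (a stand-in
for the vendor signature check the text recommends). File names and
contents are constructed for the demo.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


class IntegrityError(Exception):
    """Raised when an artifact cannot be verified; nothing gets installed."""


def sha256_of(path: Path) -> str:
    """Stream the file so large artifacts do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path: Path, pinned: dict) -> bool:
    """Return True only if the artifact's digest equals the pinned value.

    An artifact with no pinned digest is a failure, not a pass: a file added
    to the staging area by mistake or by an intruder must not slip through.
    """
    expected = pinned.get(path.name)
    if expected is None:
        raise IntegrityError(f"{path.name}: no pinned digest, refusing to import")
    if not hmac.compare_digest(sha256_of(path), expected):
        raise IntegrityError(f"{path.name}: digest mismatch")
    return True


def import_update(staging: Path, pinned: dict) -> list:
    """Verify every file in the staging directory before any is accepted,
    so a partly tampered update is rejected as a whole."""
    names = []
    for artifact in sorted(p for p in staging.iterdir() if p.is_file()):
        verify_artifact(artifact, pinned)
        names.append(artifact.name)
    return names


def demo() -> tuple:
    """Constructed scenario: a pinned artifact imports; a tampered copy and
    an unpinned extra file are both rejected."""
    with tempfile.TemporaryDirectory() as d:
        staging = Path(d)
        artifact = staging / "tool-1.2.3.tar.gz"  # constructed name
        release = b"\x1f\x8b pretend release contents"
        artifact.write_bytes(release)
        # In practice the pinned digest comes from the vendor's signed release
        # notes, never from the downloaded file itself; it is computed here
        # only so the demo is self-contained.
        pinned = {artifact.name: sha256_of(artifact)}
        imported = import_update(staging, pinned)

        artifact.write_bytes(b"\x1f\x8b tampered contents")
        try:
            import_update(staging, pinned)
            tampered_rejected = False
        except IntegrityError:
            tampered_rejected = True

        artifact.write_bytes(release)
        (staging / "extra.bin").write_bytes(b"not in the manifest")
        try:
            import_update(staging, pinned)
            unpinned_rejected = False
        except IntegrityError:
            unpinned_rejected = True
    return imported, tampered_rejected, unpinned_rejected
```

Wiring `import_update` into the deployment pipeline, with the pinned digests committed alongside the pipeline definition, is what turns "should be verified" into "is verified every time".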
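Principles 7 and 8 describe a single access control function that identifies the individual (never a role), checks authentication status and attributes, and gives administrators one view of what was granted, including ‘break glass’ credentials. The Python below is an added example of such a function, not code from the original page or from the NCSC; the session fields, resource attributes, shared-account list and audit line format are assumptions.

```python
"""An access-control function that identifies the individual, checks
authentication status and attributes, supports time-limited break-glass
access, and writes every decision to one audit trail.

Added example, not code from the original page or from the NCSC. The session
fields, resource attributes, shared-account list and audit format are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Session:
    user_id: str                 # an individual's identity, never a role
    authenticated: bool
    mfa: bool
    attributes: frozenset        # e.g. {"team:payroll", "clearance:finance"}
    break_glass_until: Optional[datetime] = None  # emergency access expiry


@dataclass(frozen=True)
class Resource:
    name: str
    required_attrs: frozenset
    require_mfa: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Assumed list of shared/role accounts that must never be granted data access;
# a real deployment would take this from the identity provider.
SHARED_ACCOUNTS = frozenset({"admin", "root", "finance-team"})

# Single audit trail: the unified view administrators use to review access.
AUDIT_LOG: list = []


def authorize(session: Session, resource: Resource,
              now: Optional[datetime] = None) -> Decision:
    """Release data only through this function; every path logs its decision."""
    now = now or datetime.now(timezone.utc)
    if session.user_id in SHARED_ACCOUNTS:
        decision = Decision(False, "identity must be an individual, not a role")
    elif not session.authenticated:
        decision = Decision(False, "not authenticated")
    elif resource.require_mfa and not session.mfa:
        decision = Decision(False, "MFA required for this resource")
    elif resource.required_attrs <= session.attributes:
        decision = Decision(True, "required attributes present")
    elif session.break_glass_until is not None and now < session.break_glass_until:
        # Break-glass is granted to a named person for a bounded time and is
        # visible in the same log as every ordinary decision.
        decision = Decision(True, "break-glass access (time-limited)")
    else:
        decision = Decision(False, "missing required attributes")
    verdict = "ALLOW" if decision.allowed else "DENY"
    AUDIT_LOG.append(
        f"{now.isoformat()} {session.user_id} {resource.name} {verdict}: {decision.reason}")
    return decision


def demo() -> list:
    """Constructed scenario covering each decision path; returns (label, allowed)."""
    t0 = datetime(2017, 4, 1, 12, 0, tzinfo=timezone.utc)
    payroll = Resource("payroll-db", frozenset({"team:payroll"}))
    carol = Session("carol", True, True, frozenset(), t0 + timedelta(hours=1))
    cases = [
        ("alice", Session("alice", True, True, frozenset({"team:payroll"})), t0),
        ("finance-team", Session("finance-team", True, True, frozenset({"team:payroll"})), t0),
        ("bob-no-mfa", Session("bob", True, False, frozenset({"team:payroll"})), t0),
        ("carol-break-glass", carol, t0),
        ("carol-expired", carol, t0 + timedelta(hours=2)),
    ]
    return [(label, authorize(s, payroll, now).allowed) for label, s, now in cases]
```

Because the shared-account check comes first, a role-style login is refused even when it carries the right attributes, which is the point of identifying to the individual.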
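Principle 9 recommends TLS between the components of a service rather than any home-grown protection. As an added example (not code from the original page or from the NCSC), the Python below uses the standard ssl module to put the weak client configuration, the one that merely makes connection errors disappear, beside a hardened one, with a small checker that reports the weaknesses a reviewer would flag. The `ca_bundle` path is an assumed location of the private CA that issues the components' certificates.

```python
"""TLS settings for traffic between service components: the weak
configuration beside the hardened one, plus a check that flags the weak one.

Added example, not code from the original page or from the NCSC; it uses
Python's standard ssl module. `ca_bundle` is an assumed path to the private
CA that issues the components' certificates.
"""
import ssl
from typing import Optional


def weak_context() -> ssl.SSLContext:
    """What 'just make the error go away' looks like: no peer verification,
    so any party on the network path can impersonate the other component."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the peer against the (private) CA, check the hostname, and
    refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # For mutual TLS, each component would also present its own certificate
    # (assumed file names): ctx.load_cert_chain("svc.crt", "svc.key")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise against a context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings
```

Running `audit_context` over every context a service creates (for example in a unit test) is a cheap way to keep a weak setting from quietly returning during a later "fix".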


Identifying Faces in Video Images is Major Challenge, NIST Report Shows

In movies and television, computers can quickly identify a person in a crowded arena from tiny, grainy video images. But that is often not the reality when it comes to identifying bank robbery perpetrators from security camera video, detecting terrorism suspects in a crowded railway station, or finding desired individuals when searching video archives.

To advance video facial identification for these and other applications, the National Institute of Standards and Technology (NIST) conducted a large public test known as the Face in Video Evaluation (FIVE). The FIVE project has now released an interagency report detailing its results and aiming to provide guidance to developers of the technology.

The report shows that video facial recognition is a difficult challenge. Getting the best, most accurate results for each intended application requires good algorithms, a dedicated design effort, a multidisciplinary team of experts, limited-size image databases and field tests to properly calibrate and optimize the technology.

FIVE ran 36 prototype algorithms from 16 commercial suppliers on 109 hours of video imagery taken at a variety of settings. The video images included hard-to-match pictures of people looking at smartphones, wearing hats or just looking away from the camera. Lighting was sometimes a problem, and some faces never appeared on the video because they were blocked, for example, by a tall person in front of them.

NIST used the algorithms to match faces from the video to databases populated with photographs of up to 48,000 individuals. People in the videos were not required to look in the direction of the camera. Without this requirement, the technology must compensate for large changes in the appearance of a face and is often less successful.

The report notes that even for the more accurate algorithms, subjects may be identified anywhere from around 60 percent of the time to more than 99 percent, depending on video or image quality and the algorithm’s ability to deal with the given scenario.

“Our research revealed that the video images’ quality and other properties can highly influence the accuracy of facial identification,” said lead author Patrick Grother, who heads several of NIST’s biometrics standards and evaluation activities. In video, many faces are small, or unevenly lit, or not forward-facing—three critical points for accurately identifying individuals because the algorithms are not very effective at compensating for these factors.

In traditional face-matching evaluations that NIST has performed since the 1990s, algorithms compare a photograph of a person’s face against a database, or gallery, of millions of portrait photographs. Today’s match rates for portrait photographs can exceed 99 percent in some applications. But in the new study, NIST limited galleries to just 48,000 because the lower face quality in video undermines recognition accuracy.

NIST also measured “false positive” outcomes in which an algorithm incorrectly matches a face from the video with an image in the gallery. The report notes that deployers of face identification technologies must consider this problem, particularly in crowded settings in which the vast majority of individuals in the video may be absent from the gallery.

The report states that accuracy in these video-based applications may approach that of still-photo face recognition, but only if image collection can be improved. To this end, the report provides guidance to a wide group of individuals involved with the technology, from algorithm developers to system designers. In addition, the report can inform policymakers’ decisions regarding the use of these systems.


Algorithm designs can be improved by requiring high levels of accuracy to avoid false matches, according to the guidance. Limiting the gallery size and using only high-quality images are other suggestions. For example, when using video algorithms for access control to a secure building or transportation, Grother recommends keeping only the necessary individuals in the gallery. Using only good still photos for matching is another key point.

The report also endorses using a multidisciplinary team of experts to design systems that capture high-quality video images. Experts in videography can determine optimal lighting and optics, camera positioning and mounting.

The NIST document provides guidance for researchers to consider when assessing the deployment of video face identification systems. Accuracy, as important as it is, is not the only factor to analyze when considering the deployment of video face recognition, according to Grother. Other concerns include the costs of computer processing time and having trained facial recognition experts on hand to ensure that the matches are accurate. Implementers also need to study network infrastructure and scalability, which is the ability of its software to work easily on small datasets as well as large ones.

“Whether video is appropriate for a particular facial identification application requires quantitative analysis and design—and the FIVE report aims to inform those processes,” Grother said.


‘Indoor GPS’ Apps Closer to Reality With New NIST Challenge

GPS usually works great outdoors, but what if you’re disoriented in a large building such as a museum or a mall? There are no smartphone apps for indoor navigation, but new data collected by the National Institute of Standards and Technology (NIST)—and a competition to find the app developers who can make the best use of it—may help solve the problem.

A NIST-led research team spent more than 18 months collecting data from four different smartphone models to facilitate the development of indoor navigation apps. The data, which includes smartphone sensor readings, radio frequency (RF) signal strengths and GPS fixes, should help developers create better apps to assist users in finding their way inside unfamiliar buildings.

Such “indoor localization” tools could help emergency responders find victims—or each other—when seconds count. They also could assist with locating specific works of art in large museums or misplaced equipment in hospitals, factories, or warehouses.

In the future, if you ask your smartphone where you are, it will create the answer using many bits of disparate information—among which are signals received from Wi-Fi access points and local cell towers that it can use to triangulate your location. It will also use its internal sensors, such as accelerometers and gyroscopes, which tell it how far you might have moved and in which direction since its last signal check. But the lack of validated testing has made the results of existing indoor localization solutions untrustworthy.

“The user community has expressed the need for careful testing of indoor localization solutions,” said Nader Moayeri, NIST’s principal investigator on the project. “Fire departments, for example, strongly desire ways to find a comrade who’s fallen inside a burning building, and who may die because he cannot determine the exit location due to low visibility from smoke or some other reason. Fire departments need to know how well these solutions are going to work before they invest their limited financial resources in them.”

The people who first responders are seeking to help need a solution just as badly. The FCC estimates that more than 10,000 lives can be saved annually with better and timely location information for 911 calls placed from cellphones, many of which are made from indoor locations.

The NIST team walked the smartphones along 30 different set courses in four different buildings, including factory, warehouse and subterranean settings. At numerous predetermined locations along each course, the researchers created “timestamps” on all the phones corresponding to the times the person collecting the data was going over test points on the floors, whose locations had been professionally surveyed. The resulting data is now freely available online to the general public for developing smartphone indoor localization apps.

To encourage their development, NIST is sponsoring a competition called PerfLoc to generate the best apps from the developer community. Developers have until August 17, 2017, to create computer algorithms that can make sense of the data and to submit their estimates of the smartphones' locations along the courses. The team has developed a methodology to evaluate the algorithms’ performance over the internet.

By making the data available to everyone, NIST is giving a chance to individual app developers and smaller companies that may not have the resources to collect their own data. In addition, by using the same data sets for developing the apps and evaluating their performance, it will be possible to compare the performance of the resulting apps.

NIST is offering cash prizes of $20,000, $10,000 and $5,000 to the top three submissions. The grand prize winner will also be flown to a conference in Japan to present their idea and do a live demonstration of their app.


“Of course the biggest reward will not be the cash prize,” Moayeri said. “The prestige that goes with it will matter to the designer.”


Putting Social Science Modeling Through Its Paces

New program seeks to develop simulated social systems of varying complexity against which to test the accuracy of social science modeling methods

The social sciences can play important roles in assisting military planners and decision-makers who are trying to understand complex human social behaviors and systems, potentially facilitating a wide range of missions including humanitarian, stability, and counter-insurgency operations. Current social science approaches to studying behavior rely on a variety of modeling methods—both qualitative and quantitative—which seek to make inferences about the causes of social phenomena on the basis of observations in the real world. Yet little is known about how accurate these methods and models really are, let alone whether the connections they observe and predict are truly matters of cause and effect or mere correlations.

To improve knowledge of social science modeling’s capabilities and limitations, DARPA today announced its Ground Truth program. The program aims to use artificial, yet plausible, computer-based social-system simulations with built-in “ground truth” causal rules as testbeds to validate the accuracy of various social science modeling methods.

“The real world operates according to dynamic, interactive, non-linear, and sometimes adaptive and changing rules that we don’t understand very well, all of which limit our efforts to determine causality in social systems,” said Adam Russell, program manager in DARPA’s Defense Sciences Office. “We want to develop computationally simulated worlds where we create and therefore understand all the causal processes and rules. Then we can test a variety of social science modeling methods to see how well they identify the known causal processes built into the simulation.”

The plausible simulations developed in Ground Truth will serve as objective testbeds for calibrating social science modeling methods. “By creating a testbed environment, we’re essentially seeing if social scientists can develop models that accurately ‘reverse engineer’ an artificial social system by correctly identifying the causal rules designed into the simulation,” Russell said. “We call it forensic social science. Researchers are like detectives trying to unpack why and how agents in a system act in a certain way under different circumstances. It’s much easier to test how good any given method is if you have an objective set of known rules by which we can measure success.”

Ground Truth will solicit one group of researchers to create social simulations with associated ground truth rules, known only to them, while challenging another group of researchers to create innovative teaming approaches to “discover” the rules in those simulations. DARPA and its independent test and evaluation team will score the modeling teams’ abilities to identify and predict causal ground truth in different simulations with different degrees of social complexity.

If successful, Ground Truth will demonstrate a principled approach for testing the power and limitations of various social science modeling methods; explore new modeling approaches for describing and predicting different kinds of complex social systems; and inform future modeling investments for research and operations.

A Ground Truth webcast Proposers Day for interested proposers is scheduled for April 20, 2017. DARPA seeks expertise in social sciences (economics, political science, anthropology, sociology, social psychology); computational social science; modeling and simulation (including agent-based modeling, system dynamics modeling, Bayesian generative modeling, etc.); quantitative and qualitative social methodologies; complexity sciences; mathematics; and forecasting.

For information on webcast registration and other details, see the Special Notice on FedBizOpps here: https://www.fbo.gov/index?s=opportunity&mode=form&id=70478bff1a5176c1b123cb16f0b2c81a&tab=core&_cview=0


DARPA Wades into Murky Multimedia Information Streams to Catch Big Meaning

AIDA to provide better understanding of trends and events, separating out irrelevant and deceptive data

The U.S. government has always had an interest in developing and maintaining a strategic understanding of events, situations, and trends around the world. In recent years, however, information complexity has exceeded the capacity of analysts to glean meaningful or actionable insights as data pours in from disparate sources, across a variety of genres, and a mixture of structured and unstructured forms, from military intelligence to social media to accurate and inaccurate news.

Now, in a new effort, DARPA seeks to overcome the noisy, conflicting, and potentially intentionally deceptive nature of today’s data environment through a program called Active Interpretation of Disparate Alternatives (AIDA). The goal of AIDA is to develop a multi-hypothesis “semantic engine” that generates explicit alternative interpretations or meaning of real-world events, situations, and trends based on data obtained from an expansive range of outlets. The program aims to create technology capable of aggregating and mapping pieces of information automatically derived from multiple media sources into a common representation or storyline, and then generating and exploring multiple hypotheses about the true nature and implications of events, situations, and trends of interest.

“It is a challenge for those who strive to achieve and maintain an understanding of world affairs that information from each medium is often analyzed independently, without the context provided by information from other media,” said Boyan Onyshkevych, program manager in DARPA’s Information Innovation Office (I2O). “Often, each independent analysis results in only one interpretation, with alternate interpretations eliminated due to lack of evidence even in the absence of evidence that would contradict those alternatives. When these independent, impoverished analyses are combined, generally late in the analysis process, the result can be a single apparent consensus view that does not reflect a true consensus.”

The AIDA program hopes to determine a confidence level for each piece of information, as well as for each hypothesis generated by the semantic engine. The program will also endeavor to digest and make sense of information or data in its original form and then generate alternate contexts by adjusting or shifting variables and probabilities in order to enhance accuracy and resolve ambiguities in line with real-world expectations.

“Even structured data can vary in the expressiveness, semantics, and specificity of their representations,” said Onyshkevych. “AIDA has the potential to help analysts and military decision makers refine their analyses so that they are more in line with the larger and more complete overall context, and in doing so achieve a more thorough understanding of the elements and forces shaping our world.”

The AIDA program’s Broad Agency Announcement (HR001117S0026), which details technical goals and performer requirements, is available at: https://www.fbo.gov/index?s=opportunity&mode=form&id=4f1d0fe6252398047fec7b386470cb5b&tab=core&_cview=0


Advice on managing enterprise security published after major cyber campaign detected

- Third parties who manage large organisations’ IT services attacked
- NCSC leading investigation in partnership with Cyber Incident Response partners
- Advice urges enterprise security teams to discuss risk with Managed Service Providers

TARGETED expert advice aimed at Managed Service Providers and their customers has been published after a global cyber attack was uncovered by a multi-organisation collaboration led by the National Cyber Security Centre (NCSC).

The attacks are against global Managed Service Providers (MSPs), which are third parties who help to manage large organisations’ IT infrastructure and services. MSPs are particularly attractive to attackers because they have privileged access to other organisations’ systems and data. Due to the incident affecting mainly larger organisations, the NCSC believes the risk of direct financial theft from individuals is unlikely.

The attacks provide a reminder about the importance of organisations choosing and monitoring their outsourcing partners carefully, so the NCSC has posted a range of advice on their website about what should be done to mitigate the risks.

Ciaran Martin, CEO of the government’s National Cyber Security Centre, said: “This scale of hostile activity is significant and our intervention is aimed at giving the UK the ability to tackle this threat head-on by giving organisations the tools and information they need.

“We always encourage enterprises to discuss this threat with their MSP, even if they have no reason to believe they have been affected. This incident should remind organisations that entire supply chains need to be managed and they cannot outsource their risk.

“The response to this attack is an example of the new NCSC at work with our partners. It would not have been possible to uncover the scale and significance of this incident as quickly without our close partners in the Cyber Incident Response (CIR) initiative, including PWC and BAE Systems.”

The guidance reflects the technical advice and mitigation measures offered to U.K. industry and government departments on the Cyber-security Information Sharing Partnership (CISP) platform.

Organisations who outsource IT infrastructure are recommended to have an open dialogue with their provider and to understand what model the provider uses to manage their services. If that model is unsatisfactory, the organisation should demand that the provider change it immediately. The NCSC recommends that MSPs who are unwilling to work closely with customers or are unwilling to share information should be treated with extreme caution. They also advise that having an independent audit of your MSP is critical for security management – an organisation that neglects such monitoring is unlikely to ever be able to effectively manage the risk.

The NCSC, which is part of GCHQ, is the UK’s technical authority on cyber security. The NCSC was opened by HM The Queen in February 2017 and provides a single, central body for cyber security at a national level. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice.

The UK government is fully committed to defending against cyber threats and addressing the cyber skills gap to develop and grow talent. A five year National Cyber Security Strategy (NCSS) was announced in November 2016, supported by £1.9 billion of transformational investment.

Notes

- Managed Service Providers are third parties that provide a set of defined services to a customer and assume the responsibility of running, maintaining, and securing those services.

- If MSPs are targeted the impact can be quite large as they are a single point of entry into their customers. However, having a third party manage complex services can result in a better provision of service due to economies of scale and contractual obligations.

- There is a lot of information in the public domain around this series of attacks. We have notified all members of the Managed Service Provider Information Exchange (MSPIE) and all Managed Service Providers on CISP have access to our technical information.

- In addition to following the advice and guidance detailed on the NCSC website and CISP, we also recommend that businesses follow published best practice guidelines, such as 10 Steps to Cyber Security and the Cyber Essentials Scheme.

- Cyber-security Information Sharing Partnership (CISP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business.

- The cyber security of the UK is a top priority for the Government which is why we are investing £1.9 billion and have opened the National Cyber Security Centre to help make the UK the safest place to live and do business online.

- The UK Government can’t do this alone. Every citizen, business and organisation must play their part. Government can help provide some of the tools and information needed to manage cyber security risks. However, organisations and company boards are also responsible for managing their cyber security risks and should ensure that their networks are protected and secure.

To read more: https://www.ncsc.gov.uk/information/global-targeting-enterprises-managed-service-providers


Disclaimer

The Association tries to enhance public access to information about risk and compliance management. Our goal is to keep this information timely and accurate. If errors are brought to our attention, we will try to correct them. This information:

- is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity;
- should not be relied on in the particular context of enforcement or similar regulatory action;
- is not necessarily comprehensive, complete, or up to date;
- is sometimes linked to external sites over which the Association has no control and for which the Association assumes no responsibility;
- is not professional or legal advice (if you need specific advice, you should always consult a suitably qualified professional);
- is in no way constitutive of an interpretative document;
- does not prejudge the position that the relevant authorities might decide to take on the same matters if developments, including Court rulings, were to lead it to revise some of the views expressed here;
- does not prejudge the interpretation that the Courts might place on the matters at issue.

Please note that it cannot be guaranteed that this information and these documents exactly reproduce officially adopted texts. It is our goal to minimize disruption caused by technical errors. However some data or information may have been created or structured in files or formats that are not error-free and we cannot guarantee that our service will not be interrupted or otherwise affected by such problems. The Association accepts no responsibility with regard to such problems incurred as a result of using this site or any linked external sites.


Sarbanes Oxley Compliance Professionals Association (SOXCPA)

1. Membership - Become a standard, premium or lifetime member. You may visit: www.sarbanes-oxley-association.com/How_to_become_member.htm

2. Monthly Updates - Subscribe to receive (at no cost) Sarbanes-Oxley related alerts, opportunities, updates and our monthly newsletter: http://forms.aweber.com/form/30/1922348130.htm

3. Training and Certification - Become a Certified Sarbanes Oxley Expert (CSOE). You must follow the steps described at: www.sarbanes-oxley-association.com/Distance_Learning_and_Certification.htm For instructor-led training, you may contact us. We can tailor all programs to your needs.

4. Authorized Certified Trainer, Certified Sarbanes Oxley Expert Trainer Program (SOXCPA-ACT / CSOET) - Become an ACT. This is an additional advantage on your resume, serving as a third-party endorsement to your knowledge and experience. Certificates are important when being considered for a promotion or other career opportunities. You give the necessary assurance that you have the knowledge and skills to accept more responsibility. To learn more: www.sarbanes-oxley-association.com/SOXCPA_Authorized_Certified_Trainer.html