RMBI Newsletter = 風險薈訊, Issue 12 (March 2017)

風險薈訊 RMBI

IN THIS ISSUE

1. On Business Intelligence and Digital Consulting (page 1)
2. Cyber Risk Management and Ethical Hacking (page 7)

1. On Business Intelligence and Digital Consulting

Introduction

Consulting as a wider industry tends to be well known among business students, especially when it comes to classical management consulting and the firms in the sector. Recent developments in technology and its increasingly widespread use in businesses have brought about changes to the entire industry, with many big firms moving quickly towards developing deep technological expertise to satisfy their clients’ needs with efficient, cutting-edge business intelligence methods.

Enter digital consulting: the combination of traditional management consulting methods and practices with modern technology that is driving significant changes in business.

Firms working in this space may additionally target smaller subcategories such as design, integration and implementation of a technology or a system as a way to differentiate themselves among competitors. While most consulting firms, and larger firms with a consulting branch, have always had a technology arm, rapid technological advances, especially in digital technology over the past few decades, have given rise to far larger internal divisions that specialise in digital technologies. The proportion of projects that incorporate technology has also changed completely: nowadays a project with a technological aspect is the rule, not the exception. The purpose of this article is to give readers a snapshot of today’s digital consulting industry, help them understand it better and predict its potential future developments.

Introduction to companies and people

Mr. Harrison Lung 龍謙信先生, Associate Partner, McKinsey & Co. Digital

Mr. Lung has been working in the area of technology-focused consulting for over 10 years. He received his undergraduate degree in engineering from the University of Waterloo, Canada and an MBA from Cornell University, New York. Before joining McKinsey & Co. seven years ago, he worked in several technology companies.

McKinsey & Co. Digital is a newly established technology arm of the renowned consulting firm, which focuses on innovations such as big data analytics, mobile technology and social media on top of traditional IT consulting. Its project teams consist not only of generalist consultants, but also designers, data analysts and developers. Currently, nearly half of the entire firm’s projects are focused on digital topics, and the firm as a whole has experienced strong growth with positive projections for the future.

Mr. Chris Leung, Managing Consultant, IBM Global Business Services

Mr. Leung has been working at IBM Global Business Services for more than 4 years. He received his undergraduate education from CUHK. Since then, he has developed a strong interest in digital practices, which has led him to focus on big data, advanced analytics and cognitive technology in his career.

IBM Global Business Services is a division of IBM, the technology giant. GBS provides technical expertise on IT operations and resource allocation to IBM’s clients through professional management and strategy consulting services. One of its recent innovations is Watson, a cognitive technology which responds to enquiries in natural language.

The Digital Consulting landscape

Digital consulting, despite its impressive and lofty undertones, is a very general term that gives little detail of a firm’s focus and strengths; what kinds of projects, then, do digital consultants work on? Our interviewees, coming from different firms with different focuses, were able to share some of their work and projects with us. Chris’ experiences at IBM range from data governance and warehouses to prediction models for various companies, whereas Harrison highlighted McKinsey Digital’s capabilities in traditional systems integration and implementation, as well as in social media and mobile technology. Both mentioned big data analytics as an important and fast-expanding area due to the practically infinite applications of the technology, from optimisation to strategic analysis. At first glance the two firms seem very similar, and in fact they offer similar products, but they differ in their overarching strategy: McKinsey is far smaller than IBM when it comes to headcount, both overall and specifically in the technology sector. This difference in size is one major differentiator in the types of projects each firm prefers.

McKinsey Digital simply does not have the headcount to compete with IBM when it comes to very large-scale implementation of solutions, and does not offer the ready-made suites of business software that IBM has at its disposal. Instead, McKinsey Digital’s focus is on smaller-scale but very high-value projects that can guide a firm’s strategy through, for example, a better understanding of the firm’s customer data. One cannot call either firm better overall, because their different approaches to creating value mean that the firms are fundamentally serving different needs of their clients.

Project work - use of automated tools in analysis

Profit optimisation of a telecom operator (McKinsey & Co. Digital)

Business intelligence via machine learning often involves optimisation, especially in production and service delivery. To illustrate this, Harrison shared his experience of a project on optimising the revenue and profit of a telecom operator’s new network. Instead of deploying the network and its base stations based on conventional measures such as population density, the team used customer data and large-scale analytics to devise a plan to maximise the service quality for the client’s best customers. For example, daily commuters tend to be heavy users of mobile data, so the client should make sure its network is strong and fast in such areas of heavy usage by these highly demanding customers. Resources that were previously allocated to areas with less profitable customers can now be reallocated more efficiently, increasing profitability and customer satisfaction for the client.

Prediction model for a container terminal operator in Shenzhen (IBM Global Business Services)

Thousands of containers are shipped from Shenzhen to different destinations every month. It is, however, difficult to optimise the stowage of each container ship because the number of containers and their respective destinations are uncertain. In one project, Chris and his team collected data on the number of containers to various destinations. They then used the data to build a prediction model to help the client, a container terminal operator, load its cargo ships optimally for quick off-loading and re-loading in ports, maximising efficiency and minimising delivery time by reducing unnecessary work. After the project, the client was able to make better use of its resources and reduce costs.

Consulting is not necessarily always profit oriented. IBM has also introduced data management and advanced analytics expertise to the public sector. One typical smart city use case is to leverage real-time transportation data, parking information and other information to improve citizens’ driving experience. We look forward to seeing more such innovations become a reality in Hong Kong.

Human consultants versus artificial intelligence

Artificial intelligence has an increasing influence in many industries, and consulting is no exception. When comparing artificial intelligence with human consultants, Harrison and Chris share similar viewpoints: technology is only complementary to their work, not a direct competitor or a potential substitute. Inevitably, technology has transformed and will keep transforming the way consultants work. Technology allows firms to analyse an exponentially increasing amount of data gathered from multiple sources while simultaneously reducing the time required to analyse all this data. However, the consulting industry still relies on human expertise in many facets; client relationship management, for example, is an area in which artificial intelligence simply cannot compete today.

Chris stresses that technological innovation is always associated with new demand, and there are new challenges to overcome. Machines can be taught to solve previously known problems, but humans are better at dealing with unanticipated problems. The key is teaching machines to work with uncertainty. In the future, consultants might face questions such as how to monitor advanced technology or how to make sure that technology fits into each organisation seamlessly, rather than operational optimisation or profit maximisation alone.

Both Harrison and Chris emphasised the importance of having the right mix of soft and hard skills when it comes to succeeding as a consultant, digital or more traditional, in today’s landscape. The soft skills of a consultant cannot be replaced by cognitive technology. Human beings have better communication and collaboration skills, which are crucial in consulting work.

To work in the consulting industry, one needs to collaborate with teams on multidisciplinary projects. A strong personal network in the industry is therefore required, as a consultant might need to pull resources and knowledge from their firm’s global network. The consulting industry is forecast to change tremendously with the continued development of business intelligence. What a consultant can do to remain valuable is to be resilient and self-motivated, because he or she needs to be a fast learner who can react to the rapidly changing demands of clients.

Ending

From smart city projects to telecommunications, from implementation to optimisation, the ever-growing digital consulting sector is sure to attract increasing attention in the coming years due to the increasing applicability of technological innovations, whether they are adapted from other companies or developed within the consulting firms. The ideal consultant has to have multi- and interdisciplinary experience, but just as importantly should be well balanced when it comes to soft skills. With the sector projected to grow rapidly, digital consulting is worth taking a look at, today and in the years to come.

Text: VIITALA Antti Isak Olavi (Year 2 Student), LEUNG Wing Kei, Katie 梁穎琦 (Year 3 Student), Risk Management & Business Intelligence Program

2. Cyber Risk Management and Ethical Hacking

Introduction to Cyber Risk Management

‘Cyber risk’ means any risk of financial loss, disruption or damage to the reputation of an organisation arising from some sort of failure of its information technology systems. ‘Cyber risk management’ is a set of guidance, or a framework, established by regulatory authorities that companies have to follow. Typically, cyber risk management involves risk-based control through this framework, risk assessment and scenario-based testing (the most demanding of the three), and is carried out through four actions: Prevent, Detect, Recover and Respond (the last including attempts to trace the attacker).

1. Three Lines of Defense

In cyber risk management, ‘three lines of defense’ is the suggested model for risk governance.

The first line of defense is the front-line employees, who must understand their roles and responsibilities with regard to processing transactions, follow a systematic risk management process, and apply internal controls and other risk responses to contain the risks associated with those transactions.

The second line of defense is the enterprise’s compliance and risk functions, which provide independent oversight of the risk management activities of the first line of defense. The compliance and risk functions may have their own management and governance committees that are part of the ERM (Enterprise Risk Management) framework, or they may have direct reporting lines to the appropriate ERM framework structures.

The third line of defense consists of internal and external auditors and the US Sarbanes-Oxley Act compliance teams (where applicable), who report independently to the senior committees whose role is to represent the enterprise’s stakeholders on risk issues.

2. Scenario Planning

Under cyber security, scenario planning is an important tool. Stakeholder teams are assembled to create plausible scenarios of possible future threats. Repercussions are predicted to help quantify risk and justify investments in technology and changes to policy and operations.

Several types of cyber security scenario are described below, and some of them are real-life cases. While the incidents covered may affect adjacent or even unrelated industries, IT security practitioners and other stakeholders are advised to be aware of the threats posed by the culprits of these scenarios.

Scenario 1: Collateral damage from cyberwar

Scenario: Widespread attacks in conjunction with hostilities between two or more nation states lead to network outages that spread beyond the geopolitical participants.

Reality: A website hosting service in Atlanta came under cyber attack when Russia attacked the country of Georgia on August 8, 2008. Tulip Systems, a hosting service provider in Atlanta, had graciously offered to host the web sites of Georgian President Saakashvili (president.gov.ge) and the Georgian television station (rustavi2.com). A fire hose of DDoS attacks targeted Tulip, disrupting traffic to all of its US-based customers.

Scenario 2: Political activists enlist social media for politically motivated attacks

Scenario: Activists enlist social media to spread their messages and generate crowd-sourced attacks.

Reality: During the 2009 protests over the Iranian election results, Twitter users were enlisted in massive denial-of-service attacks against government web servers. While this was the most significant demonstration of how crowdsourcing over social networks can be effective, it also demonstrated that getting people to engage in such attacks is not easy. It is like getting a stadium crowd to do the “wave”: it needs constant cheerleading to keep it up, and the slightest distraction can dissipate it.

Scenario 3: An insider uses privileged access to steal customer data

Scenario: An authorised user gleans credit and financial information and sells it.

Reality: During the 2006-2008 mortgage frenzy, an employee of Countrywide, a major mortgage loan provider, absconded with millions of records and sold the data, loaded on USB devices, to a cyber-criminal.

In Hong Kong, the Cybersecurity Fortification Initiative (CFI) was launched in 2016 by the Hong Kong Monetary Authority (HKMA) to raise the level of cybersecurity at banks under the ever-present and growing cyber security threat to the banking ecosystem.

At the heart of the CFI is the Cyber Resilience Assessment Framework, which seeks to establish a common risk-based framework for banks to assess their own risk profiles and determine the level of defense and resilience required. Another component of the CFI is the Cyber Intelligence Sharing Platform, which enables the sharing of cyber threat intelligence among banks in order to enhance collaboration and strengthen cyber resilience. This is similar to the Financial Services Information Sharing and Analysis Center (FS-ISAC), the financial services industry’s global go-to resource for cyber and physical threat intelligence analysis and sharing.

In reality, the mean time between the occurrence and the discovery of a hack is around 100 to 500 days (100 days in the US and 500 days in Asia), and most of that time is spent monitoring network traffic. As a result, it is widely seen as difficult to put the full set of cyber risk management into practice in the real world.

Ethical Hacking Helps Companies Safeguard Their Networks

In cyber risk management, ethical hacking often targets selected servers for penetration testing based on known bugs. Usually a company will hire independent security risk assessors to conduct the testing. Penetration testing involves much planning and a number of procedures; in particular, legal permission from company management is essential. Specifically, a contract is signed between the company and the ethical hacker which defines the scope of the testing, describes the servers (by IP address or specific application) on which the ethical hacker may execute testing, and ensures that the external parties have good ethics and will not attack the company afterwards. When facing external parties, ethical hackers will discuss with the companies their different requirements in different countries. Moreover, the planning also specifies the timing (usually before a system is launched, and after user acceptance testing (UAT) and end of day (EOD)) and the locations (usually in different time zones, such as the U.S. and Hong Kong).

More specifically, penetration testing can be categorised by infrastructure system: servers, end stations, infrastructure products and firewall bypass. For network systems, denial-of-service (DoS) attacks are often used for firewall checking and known bugs are used for router checking. For applications, ethical hackers will check the database and the user interface.

One thing worth mentioning is that more and more banks nowadays have their own penetration testing team. This shows that banks are increasingly concerned about cyber security under more stringent regulations.
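The scope clause described above only protects the tester and the client if the tooling actually refuses to touch anything outside it. The following is an added example, not code from the newsletter or from any firm or person it describes: a small C check that parses the IPv4 addresses and CIDR blocks a scope clause would list and answers whether a candidate target is in scope, treating anything it cannot parse as out of scope. The scope entries and targets are constructed from documentation address ranges (203.0.113.0/24, 198.51.100.0/24) and belong to no real engagement.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Parse dotted-quad IPv4 text into a host-order 32-bit value.
 * Returns 0 on success, -1 on anything malformed (too few octets,
 * octet > 255, trailing characters). */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    int consumed = 0;

    if (sscanf(s, "%3u.%3u.%3u.%3u%n", &a, &b, &c, &d, &consumed) != 4)
        return -1;
    if (s[consumed] != '\0' || a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8)  |  (uint32_t)d;
    return 0;
}

/* Parse one scope entry, "a.b.c.d" or "a.b.c.d/prefix", into a network
 * address and mask. A bare address is a /32. Host bits left set in the
 * entry (e.g. 10.1.2.3/8) are cleared so the comparison is exact. */
int parse_cidr(const char *entry, uint32_t *net, uint32_t *mask)
{
    char addr[32];
    const char *slash = strchr(entry, '/');
    size_t alen = slash ? (size_t)(slash - entry) : strlen(entry);
    unsigned prefix = 32;

    if (alen == 0 || alen >= sizeof addr)
        return -1;
    memcpy(addr, entry, alen);
    addr[alen] = '\0';
    if (parse_ipv4(addr, net) != 0)
        return -1;

    if (slash) {
        int consumed = 0;
        if (sscanf(slash + 1, "%2u%n", &prefix, &consumed) != 1 ||
            slash[1 + consumed] != '\0' || prefix > 32)
            return -1;
    }
    *mask = prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix);
    *net &= *mask;
    return 0;
}

/* 1 if target lies inside any scope entry, 0 if it lies outside all of
 * them, -1 if the target or an entry is malformed. Callers must treat
 * -1 exactly like 0: never send test traffic to an address you cannot
 * prove is contracted. */
int in_scope(const char *target, const char *const *scope, size_t n)
{
    uint32_t ip, net, mask;

    if (parse_ipv4(target, &ip) != 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (parse_cidr(scope[i], &net, &mask) != 0)
            return -1;
        if ((ip & mask) == net)
            return 1;
    }
    return 0;
}

/* Constructed scope clause (documentation ranges, not a real engagement):
 * one /24 of customer-facing servers and one single jump host. */
const char *const SCOPE[] = { "203.0.113.0/24", "198.51.100.7" };
const size_t SCOPE_N = sizeof SCOPE / sizeof SCOPE[0];

int main(void)
{
    const char *targets[] = { "203.0.113.45", "203.0.114.1", "198.51.100.7",
                              "198.51.100.8", "203.0.113" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        int r = in_scope(targets[i], SCOPE, SCOPE_N);
        printf("%-14s %s\n", targets[i],
               r == 1 ? "IN SCOPE" : r == 0 ? "out of scope" : "malformed (refuse)");
    }
    return 0;
}
```

The check is deliberately fail-closed: a typo in the contract's scope list or in the target makes `in_scope` return -1, and the caller should refuse to proceed rather than guess. Hostnames in the scope clause would need resolving to addresses first, ideally at the start of the testing window, since the answer can change.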

In this article, we interviewed Mr. Micky Lo, the Chief Information Risk Officer of BNY Mellon. Mr. Lo has extensive experience in information risk management. He answered a series of questions related to cyber risk management and ethical hacking methodology.

Mr. Micky Lo, Chief Information Risk Officer, BNY Mellon 紐約梅隆銀行

Q: Can you give us some common methodologies you use for hacking?

There are four typical hacking methodologies acquired by white and black-hat hackers: DoS attack, security scanners, keystroke logging and buffer overflow.

1. DoS attack

A denial-of-service attack (DoS attack) is a cyber attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload the systems and prevent some or all legitimate requests from being fulfilled. A DoS attack is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter the shop or business, disrupting its normal operations.

Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways. Revenge, blackmail and activism can motivate these attacks.

2. Security scanner

A security scanner or vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses. In plain words, these scanners are used to discover the weak points or poorly constructed parts.

They can be run either as part of vulnerability management by those tasked with protecting systems, or by black hat attackers looking to gain unauthorized access.

Furthermore, there are different types of security scanners, such as port scanners, network vulnerability scanners, web application security scanners and database security scanners.

3. Keystroke logging

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that his or her actions are being monitored. Keylogging can also be used to study human–computer interaction. Numerous keylogging methods exist: they range from hardware- and software-based approaches to acoustic analysis.

Keyloggers are one of the main reasons why online banking sites give their customers the option to use virtual keyboards.

4. Buffer overflow

In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations.

Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs: if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, an anomalous transaction that produces more data could cause the program to write past the end of the buffer. When adjacent data or executable code is overwritten, this may result in erratic program behavior including memory access errors, incorrect results, and crashes.

Exploiting the behavior of a buffer overflow is a well-known security exploit. On many systems, the memory layout of a program, or the system as a whole, is well defined. By sending in data designed to intentionally cause a buffer overflow, it is possible to write into areas known to hold executable code and replace it with malicious code. Buffers are widespread in operating system (OS) code, so it is possible to initiate attacks that lead to privilege escalation and gain unlimited access to the computer’s resources. The famed Morris worm used this as one of its attack techniques.
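As an added example (not code from the newsletter or its interviewee), the overflow described in point 4 above written out in C in its most common form: a fixed-size buffer filled from a caller-supplied length with no bounds check, laid out directly before a privilege flag, beside the bounded version that rejects oversized input. The struct, its field names and the attacker input are constructed for the demonstration; the layout assumption (no padding between a 16-byte char array and an int) holds on common compilers but is not guaranteed by the C standard, and the unchecked copy is undefined behaviour in the standard's terms, which is exactly why it is exploitable in practice.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* A record whose fixed-size name buffer sits immediately before a
 * privilege flag: the "adjacent memory location" the answer above
 * describes. Hypothetical layout for the demonstration. */
struct record {
    char name[NAME_LEN];
    int  is_admin;
};

/* VULNERABLE: copies a caller-supplied length with no check against
 * sizeof name, so any input longer than NAME_LEN spills into is_admin
 * (and, in a real program, into whatever else follows the buffer). */
void set_name_unchecked(struct record *r, const char *input, size_t len)
{
    memcpy(r->name, input, len);
}

/* FIXED: refuse input that does not fit (leaving room for the
 * terminating NUL) and report the rejection instead of corrupting
 * memory. Rejecting is safer than silently truncating, which can
 * itself change meaning (e.g. cutting "admin-readonly" to "admin"). */
int set_name_checked(struct record *r, const char *input, size_t len)
{
    if (len >= sizeof r->name)
        return -1;
    memcpy(r->name, input, len);
    r->name[len] = '\0';
    return 0;
}

/* Drive each routine on a fresh record and report the privilege flag
 * afterwards: 0 means intact, non-zero means the overflow reached it. */
int flag_after_unchecked(const char *input, size_t len)
{
    struct record r = { "", 0 };
    set_name_unchecked(&r, input, len);
    return r.is_admin;
}

int flag_after_checked(const char *input, size_t len)
{
    struct record r = { "", 0 };
    (void)set_name_checked(&r, input, len);
    return r.is_admin;
}

/* 1 if the checked routine rejected the input, 0 if it accepted it. */
int checked_rejects(const char *input, size_t len)
{
    struct record r = { "", 0 };
    return set_name_checked(&r, input, len) != 0;
}

/* Constructed attacker input: 16 filler bytes that exactly fill `name`,
 * followed by the bytes that land on is_admin. Non-zero on either
 * endianness, so the flag reads as "admin" wherever this is compiled. */
static const char EVIL[NAME_LEN + sizeof(int)] =
    "AAAAAAAAAAAAAAAA" "\x01\x00\x00\x00";

int main(void)
{
    printf("unchecked copy: is_admin = %d\n",
           flag_after_unchecked(EVIL, sizeof EVIL));
    printf("checked copy:   is_admin = %d, rejected = %d\n",
           flag_after_checked(EVIL, sizeof EVIL),
           checked_rejects(EVIL, sizeof EVIL));
    return 0;
}
```

The same input flips the flag through `set_name_unchecked` and is refused by `set_name_checked`; the only difference between the two is the comparison against `sizeof r->name`. Replacing the flag with a saved return address is how the same bug becomes code execution, which is the case the Morris worm exploited.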

Q: Can you explain to us how this methodology helps companies prevent their computers from being attacked?

First, penetration testing companies often keep their eyes on black hat hackers and monitor hackers’ information in order to update their approaches. This can help companies update and modify their original penetration methodologies so that they can provide clients with up-to-date protection.

Second, social engineering is usually used in both hacking and anti-hacking. Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. As a type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.

One example of social engineering is an individual who walks into a building and posts an official-looking announcement on the company bulletin board saying that the number for the help desk has changed. So, when employees call for help, the individual asks them for their passwords and IDs, thereby gaining the ability to access the company’s private information. Another example of social engineering would be a hacker who contacts the target on a social networking site and starts a conversation with the target. Slowly and gradually, the hacker gains the trust of the target and then uses it to access sensitive information such as passwords or bank account details.

Third, based on the threat posed by social engineering, penetration testing companies develop different testing methods, such as simulated phishing scenarios and phishing emails, to simulate the client’s server being hacked, give recommendations and produce evaluation reports. Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business (a bank, or a credit card company) requesting “verification” of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate, with company logos and content, and has a form requesting everything from a home address to an ATM card’s PIN or a credit card number. By spamming large groups of people, the “phisher” counts on the e-mail being read by a percentage of people who have already legitimately listed credit card numbers with some online marketplace, and responding to it.
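The phishing e-mail described above works because the link's visible text and the host its href really points to need not match. As an added example (not code from the newsletter or its interviewee), here is a C routine of the kind a phishing-simulation or mail-filtering tool would use: it extracts the host from a URL, including the user@host form attackers use to make a hostile link start with the bank's name, and checks whether that host actually belongs to the expected brand domain rather than merely containing it. The URLs and the brand domain bank.example are constructed test values; IPv6 bracket literals are not handled.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define HOST_MAX 256

/* Copy the host part of `url` into `host`, lower-cased.
 * Skips an optional scheme, ends the authority at '/', '?' or '#',
 * discards userinfo before the last '@' (so "bank.example@evil.example"
 * yields evil.example) and strips a trailing ":port".
 * Returns 0 on success, -1 if no host is present or it does not fit. */
int url_host(const char *url, char *host, size_t host_len)
{
    const char *p = strstr(url, "://");
    const char *end, *q;
    size_t n = 0;

    p = p ? p + 3 : url;
    end = p + strcspn(p, "/?#");

    for (q = p; q < end; q++)
        if (*q == '@')
            p = q + 1;          /* real host starts after the last '@' */

    while (p + n < end && p[n] != ':')
        n++;

    if (n == 0 || n >= host_len)
        return -1;
    for (size_t i = 0; i < n; i++)
        host[i] = (char)tolower((unsigned char)p[i]);
    host[n] = '\0';
    return 0;
}

/* 1 if host is `brand` itself or a subdomain of it (www.bank.example),
 * 0 otherwise. A host that merely begins with the brand, such as
 * bank.example.login-verify.example, is rejected: only the rightmost
 * labels decide who controls the name. `brand` is expected lower-case. */
int host_belongs_to(const char *host, const char *brand)
{
    size_t hl = strlen(host), bl = strlen(brand);

    if (hl == bl)
        return strcmp(host, brand) == 0;
    if (hl > bl && host[hl - bl - 1] == '.')
        return strcmp(host + (hl - bl), brand) == 0;
    return 0;
}

/* Verdict for one link in a message: 1 = host belongs to the brand,
 * 0 = suspicious (including URLs with no parsable host). */
int link_is_genuine(const char *url, const char *brand)
{
    char host[HOST_MAX];

    if (url_host(url, host, sizeof host) != 0)
        return 0;
    return host_belongs_to(host, brand);
}

int main(void)
{
    /* Constructed links as they might appear in a phishing simulation. */
    const char *links[] = {
        "https://www.bank.example/login",
        "https://bank.example@evil.example/verify",
        "http://bank.example.login-verify.example/",
        "https://secure.bank.example:8443/?next=home",
    };
    for (size_t i = 0; i < sizeof links / sizeof links[0]; i++)
        printf("%-48s %s\n", links[i],
               link_is_genuine(links[i], "bank.example") ? "genuine" : "SUSPICIOUS");
    return 0;
}
```

This checks only the host; it says nothing about whether the page behind a genuine-looking host is itself compromised, and a look-alike registered domain (a homoglyph of the brand) will pass unless the brand list is compared against registered domains rather than against the raw string.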

Q: Can you briefly describe a case that you have encountered and how your team dealt with it?

Handling spam and malicious hacking is very challenging and difficult due to cross-border jurisdiction. There was a case that spanned several countries. The company’s main office was in Hong Kong, its data center was set up in Singapore, the affected customer was British, and the hacker was located in India. Therefore, the case was very difficult in terms of time and effort, and the four countries all declined to investigate the case by claiming that it was outside their jurisdiction. In the end, none of the law enforcement agencies of the four countries took responsibility for investigating and arresting the hacker, which made it difficult to stop the spam.

Q: Can you give us some suggestions for career development in cyber risk management?

Being an ethical hacker is not easy; different knowledge and skills are required in order to excel in this position. In terms of background knowledge, attaining a bachelor's degree related to Computer Science or gaining experience in system security would be a good start, so that candidates have adequate technical skills. Interest in IT infrastructure and a deep understanding of the operation of computer systems are also very important. Certificates or qualifications such as Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), Cyber & Information Security Research Conference (CISRC) and Certified Information Systems Auditor (CISA) are not mandatory but could be an advantage.

Having relevant soft skills also helps a candidate become a good ethical hacker. It is of paramount importance that he or she has logical thinking and good problem-solving skills.

Furthermore, integrity is emphasized in cyber risk management. As ethical hackers have relevant knowledge and access to sensitive information which would allow them to hack a company, they have to be a hundred percent trustworthy and conduct their business in an ethical manner. Action must be taken only with the permission of the company they work for and for the sole purpose of discovering weaknesses for it. Last but not least, strong communication skills are crucial, as ethical hackers also need to communicate with clients and work as a team.

Q: Can you give us some advice on career development in cyber risk management?

Being an ethical hacker is not easy; to be competent in the position one needs to master knowledge and skills in many areas. On the hard-skills side, Mr. Lo recommends obtaining a degree related to computer science or gaining experience in system security, which counts as having adequate technical skills. In addition, an interest in IT infrastructure and a deep understanding of how computer systems operate are also very important. Certifications such as Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), Cyber & Information Security Research Conference (CISRC) and Certified Information Systems Auditor (CISA) are not required, but they are an advantage for students.

Having the relevant soft skills also helps a candidate become an ethical hacker. Most importantly, applicants should have logical thinking and good problem-solving skills.

In addition, cyber risk management places great weight on integrity. Because ethical hackers possess the knowledge and information needed to carry out attacks, they must be honest with the companies they serve and commit not to attack a company's systems unless the company has given permission so that they can help it find its weaknesses. Finally, strong communication skills are vital for every position, and ethical hackers are no exception, since they must communicate with clients and be good at teamwork.


Future Development of Ethical Hackers in Hong Kong

In the near future, as Mr. Lo suggests, there will be high demand for professionals in cyber security risk management, including risk assessors, scenario testers and ethical hackers. There are currently more than 200 banks regulated by the HKMA, yet some of them do not have a robust risk management system or department. Furthermore, the HKMA is considering tightening banks' cyber security regulations. Banks will therefore engage third-party companies to conduct testing for them regularly, creating demand for cyber security services.

Yet Hong Kong currently lacks cyber security talent and relevant training. The government is already communicating and cooperating with local higher education institutions to provide training on cyber security in order to nurture more talent in this area. Mr. Lo encouraged students who are interested in working in cyber security or plan to become ethical hackers to take examinations or engage actively in self-learning, so that they understand the industry better and are well prepared when the opportunity arrives.

Mr. Lo believes that in the near future there will be great demand for professionals in cyber security risk management, including risk assessors, scenario testers and ethical hackers. There are currently more than 200 banks under the HKMA, but some of them still do not have a robust risk management system or department. Moreover, the HKMA is now considering tightening the regulation of banks' cyber security. Banks will therefore have their systems tested regularly through third-party companies, and a cyber security market and demand will arise accordingly.

However, Hong Kong currently lacks cyber security talent and related training. The government has already been communicating and cooperating with higher education institutions to provide cyber security training and nurture more talent in this area for Hong Kong. Mr. Lo encourages students interested in working in cyber security or in becoming ethical hackers to take examinations or study on their own actively, so as to understand the industry further and be ready to seize opportunities when they come.

Text
TAM Cho Him, Anson 譚祖謙
LEE Pui Yu, Finn 李沛茹
Year 3 Students, Risk Management & Business Intelligence Program

Advisors
Prof. Lei CHEN (Program Director) 陳雷
Prof. Lancelot JAMES (Program Co-director) 在林壽
Prof. Xianhua PENG (Program Co-director) 彭獻華
Dr. Jiying Wang (UG Coordinator) 王繼英

Risk Management and Business Intelligence Program
The Hong Kong University of Science and Technology
Phone: 3469 2399
Fax: 3104 0026

Email: [email protected]

Website: http://www.rmbi.ust.hk

All contents and information are subject to copyright protection. Republication, redistribution or unauthorized use of any content is expressly prohibited without prior written consent.

Photo credits: cdn.business2community.com, www.mig-events.com, media.licdn.com, marketingland.com, mckinsey.co.cr, uploads.skyhighnetworks.com, www.asiagreenbuildings.com, privacylawblog.ignite.lexblog.com, www.mig-events.com, chiefexecutive.net, www.whatmobile.net, tctechcrunch2011.files.wordpress.com
