Enterprise Architecture and Business Process Management

We know that Enterprise Architecture is a logical framework that helps forge a relationship between business, strategy and technology. Within those macro concepts lies various organizational structures, processes and informational flows that help businesses meet their end goals.

With respect to business processes, businesses themselves are dynamic and must change to adapt with the latest market conditions in order to remain a going concern. Thus, proper attention must be paid to processes and the continuous improvement of those processes.

As organizations grow, they need to continuously analyze and refine their processes to ensure they are doing business as effectively and efficiently as possible. Fine-tuning processes gives an organization a competitive advantage in a global marketplace.(Project Management Approach For Business Process Improvement, 2010)

EA and business process management (BPM) are not mutually exclusive. Redshaw (2005. Pg. 3) defines BPM as “the management of all the processes supporting a business transaction/event from the beginning to the end while applying the policies/rules needed to support an organization’s stated business model at a specific point in time.” BPM offers advantages to large institutions as it enables a linkage between IT systems and business processes. Jensen (2010) offers this summarization:

“When done together, BPM provides the business context, understanding and metrics, and EA the discipline for translating business vision and strategy into architectural change. Both are, in fact, needed for sustainable continuous optimization. It is important to realize the value of direct collaboration across BPM and EA boundaries. Only when supported by appropriate collaboration and governance processes can BPM and EA roles work effectively together towards the common goals of the enterprise.” (Jensen, 2010)

EA can support BPM projects by helping project teams become better acquainted with the very processes they are trying to improve. A project manager assigned to a new project can simply access the EA repository to get up to date information on the current processes pertinent to his/her domain. With respect to EA3 framework, “The enterprise’s key business and support processes are documented at the Business level of the EA framework” (Bernard, 2012. Pg. 127).

As processes are improved and changed and project wins or losses are accumulated, this knowledge is shared back into the EA repository for reuse and can be leveraged across the organization.

Quick process improvement wins and one off pinpoint projects may embody a “silo-ed” or parochial approach not in keeping with a broader strategic outlook. Ignoring emerging business strategies can be a costly mistake. For example, energy and resources could be mobilized by a bank to architect a new customer account management or card/payments processing system within the enterprise, accompanied by revised processes. The bank could simultaneously be moving forward with emerging cloud strategies that render the new architected solutions meaningless and obsolete. This hypothetical example of creating solutions in isolation from the overall strategy would be a very costly endeavor in terms of time and money and should obviously be avoided.

By definition, business process management projects embedded within an EA framework are guaranteed to align to the overall organizational strategy. EA becomes a key enabler to ensure process improvement projects are aligned to the strategy for the existing enterprise, as well as any future state strategies.

Wells Fargo and its use of Enterprise Architecture and BPM

As with most organizations of comparable size, Wells Fargo wrestled with issues from both the business and IT (Information Technology) ends of the house. The business had to gain a better understanding of what it needed. It also had to become better acquainted with the capabilities and solutions available from IT. On the other side of the coin, IT had to remain agile enough to deliver and react to changes in business conditions. In this manner IT could be better positioned to deliver solutions that met various business needs.

Olding (2008) found that Wells Fargo operated a very decentralized structure but lacked the coordinated ability to understand what was occurring in other groups that were employing business process management initiatives. A disadvantage of not embedding the BPM experiences within an EA framework was the failure to capitalize on successes that were gained across other “silo-ed” groups. Integrating EA into the approach dramatically simplified the process of capturing those wins for organizational reuse.

At Wells Fargo, a BPM Working Group was established with EA as its champion. The business set out to capture the current state of BPM technologies and approaches around a dozen lines of business. The results indicated that there were over 20 different BPM technologies being employed, each with their own varying approaches to implementation (Olding, 2008). In order to maximize the value of BPM, coordination had to occur across these lines of business.

A seasoned Enterprise Architect within the company made use of a communications strategy to raise awareness of the duplicative uncoordinated approaches dotting the landscape. Business analysts, project managers, executives, and technology professionals were engaged and best practices from the various approaches were discussed and reworked into an EA framework.

A year later, senior executives were presented with the best practices from various approaches, which had since been re-developed using a common framework. The commonality gained from the EA framework allowed for patterns of success to be easily identified, communicated and thus ultimately standardized. With senior level executive backing, the EA framework will persist in the organization allowing the bank to quickly identify opportunities for standardization.

Burns, Neutens, Newman & Power (2009, pg. 11) state, “Successful EA functions measure, and communicate, results that matter to the business, which in turn only strengthens the message that EA is not simply the preserve of the IT department.” This dovetails into the approach that Wells Fargo’s Enterprise Architect employed; the communication of pertinent information back to various business lines to gain acceptance.

The lessons learned from Wells Fargo’s use of BPM and EA as paraphrased from (Olding, 2008. Pgs 5-6):

  • Communicate at all levels of the enterprise.
  • Build BPM adoption from the bottom up. Approach business groups with proven examples and internal successes that will help drive the willingness to adopt new approaches.
  • Facilitate, do not own. Allow business groups to manage their own processes aligned within the framework.
  • Build EA from the top down.
  • Use BPM to derive the needed context and then incorporate it into the EA

As of 2008 Wells Fargo Financial (a business unit of the Wells Fargo & Co.) currently had nine BPM deployments in production and another four projects in the works. Gene Rawls, VP of continuous development, information services, for Wells Fargo Financial has stated that not having to reinvent the wheel saves months of development work for every deployment (Feig, 2008). Project turnaround time from the initial go-ahead for a BPM project to its actual deployment, is just three months.


Bernard, Scott A. (2012). Linking Strategy, Business and Technology. EA3 An Introduction to Enterprise Architecture (3rd ed.). Bloomington, IN: Author House.

Burns, P., Neutens, M., Newman, D., & Power, Tim. (2009). Building Value through Enterprise Architecture: A Global Study. Booz & Co. Retrieved November 14, 2012.

Feig, N. (2008, June 1). The Transparent Bank: The Strategic Benefits of BPM — Banks are taking business process management beyond simple workflow automation to actually measure and optimize processes ranging from online account opening to compliance. Bank Systems + Technology, Vol 31. Retrieved from Factiva database.

Olding, Elise. (2008, December 7). BPM and EA Work Together to Deliver Business Value at Wells Fargo Bank. Retrieved from Gartner October 29, 2012.

Jensen, Claus Torp. (2010, February 10). Continuous improvement with BPM and EA together. Retrieved November 13, 2012.

Project Management Approach For Business Process Improvement. Retrieved November 12, 2012 from http://www.pmhut.com/project-management-approach-for-business-process-improvement

Redshaw, P. (2005, February 24). How Banks Can Benefit From Business Process Management. Retrieved from Gartner October 29, 2012.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net



The Competitive Advantage of Process Innovation

This post summarizes a Harvard Business Review article entitled “The New Logic of High-Tech R&D“, written by Gary P. Pisano and Steven C. Wheelwright. The article focuses on the revelation that few companies within the pharmaceutical industry view manufacturing and process improvement as a competitive advantage. The authors assert that manufacturing process innovation is conducive towards product innovation. Companies traditionally spend money on product R&D but tend to neglect focusing on process R&D.

For example, Sigma Pharmaceuticals refused to invest significant resources to process development until the company was confident that the drug would win FDA approval. As a result, when demand for the drug increased they could not meet the higher demand without major investments in additional capacity. During this interim ramp up period the company lost two years of potential sales. Underinvestment in process development on the front end clearly put the company in a sub-optimal position to capitalize on additional revenue.

Process development and process innovation provide a litany of benefits. The first of which is accelerated time to market. According to one drug company, the time required to prepare factories for production generally added a year to the product-development lead time. Senior management was unaware of this fact while the managers within the process development organization were fully aware.

Rapid ramp up is also invaluable because it allows companies to more quickly realize revenue, penetrate a market, and recoup its development investments. Also the faster the ramp up occurs the faster critical resources can be freed to support the next product.

Innovative process technologies that are patent protected can hinder a competitor’s push into the market. Pisano and Wheelwright state that it is easier to stay ahead of a competitor that must constantly struggle to manufacture a product at competitive cost and quality levels.

Process development capabilities can also serve as a hedge against various forces in high tech industries. Shorter lifecycles elevates the value of fast to market processes. Semiconductor fabrication facilities can cost upwards of one billion dollars and depreciate at a rapid pace. For this reason, rapid ramp up is very important. Those companies with strong process development and manufacturing capabilities will have more freedom in choosing the products they wish to develop rather than forced to stick with simple to manufacture designs.

Pharmaceutical companies traditionally operated in the following manner. They delayed significant process R&D expenditures until they were reasonably sure that the product was going to be approved for launch. They didn’t delay product launch by keeping the process R&D off of the critical path. Manufacturing and process engineering were on hand to make sure the company could bring on additional capacity and didn’t stock out. Manufacturing was located in a tax haven even if it was far from R&D and process development, while process development was introduced later in the lifecycle in order to thwart the threat of generic competition. Today however, pharmaceutical companies find themselves squeezed by shorter product life cycles, less pricing flexibility and higher costs.

The article states that the earlier that a company makes process improvements the greater the total financial return. It is costly and time consuming to rectify process design problems on the factory floor. The earlier these problems are found in the development cycle the shorter the process development lead time.

Image courtesy of Areeya at FreeDigitalPhotos.net

The Benefits of Service Oriented Architecture for Financial Services Organizations

The banking and financial industry is an industry where legacy systems are prevalent. Banking systems tend to skew older and are very heterogeneous in nature. This heterogeneity of legacy banking systems is also coupled with the fact that replacement and integration of these systems is a difficult undertaking.

Mazursky (as cited in Baskerville, Cavallari, Hjort-Madsen, Pries-Heje, Sorrentino & Virili, 2010) states that older architectures complicate integration of enterprise applications because the underlying elements have created ‘closed’ architectures. Closed architectures restrict access to vital software and hardware configurations and force organizations to rely on single-vendor solutions for parts of their information computer technology. Thus, closed architectures hinder a bank’s ability to innovate and roll out new integrated financial products.

The flexibility of SOA facilitates easier connectivity to legacy backend systems from outside sources. Because of the size and complexity of most enterprise banking systems, a potential reengineering of these systems to flawlessly accommodate interaction with newer systems is not economically feasible. Inflexible systems can be difficult to modernize and maintain on an on-going basis. Furthermore, banks’ legacy systems can suffer from a lack of interoperability, which can stifle innovation.

“According to a survey commissioned by Infosys and Ovum in May 2012, approximately three quarters of European banks are using outdated core legacy systems. What’s more, 80% of respondents see these outdated systems as barriers to bringing new products to market, whilst 75% say such systems hinder, rather than enable, process change. Integration cost is effectively a barrier to service provision flexibility and subsequent innovation” (Banking Industry Architecture Network, 2012).

The greater the number of banking systems that can easily interact, connect and share data with other systems and services, the more innovative banks can become with respect to their product offerings for consumers. Market demands can be more easily responded to when new product creation is allowed to flourish with appreciably lower system integration costs. New applications can also be developed in much shorter time frames in order to react to customer demand as long as services are maintained and shared across the enterprise.

According to Earley & Free (2002), a bank that identifies a new business opportunity such as wealth management but has never provided such a service in the past can quickly ramp up functionality by utilizing services previously designed for other applications. The new wealth management application is designed without duplicating functionality in a more cost efficient and rapid manner. Smaller and mid-tier banks can capitalize on bringing new applications and services to market quickly and economically. This responsiveness allows smaller banks to offer similar products as those offered by their larger competitors. The modularity of SOA design precludes the need for substantial re-engineering of smaller/mid-tier banks’ information computer technology. This is an important benefit because smaller banks do not have comparable financial resources with respect to the more sizable industry players.

Additionally, SOA has the potential to free up development resources sooner, enabling those resources to engage in other development initiatives. “Few banks will be able to buy or build new capabilities quickly enough to satisfy market requirements without an SOA” (Earley & Free, 2002). In the survey conducted by Infosys Consulting and Ovum (a London based research organization), 100% of banks responded that SOA would become the “dominant, accepted future banking architecture“ (Banking Industry Architecture Network, 2012).

Furthermore, banks can employ multiple services to complete a business process. One service that determines the value of a portfolio of financial assets at market rates (mark to market calculations) could be coupled with another service that calculates the Value at Risk (VaR) of the bank’s entire portfolio. In a similar fashion to the new wealth management application example previously cited, the dual components could be made available to many other enterprise wide financial services and applications that require portfolio valuation and risk related information. In this manner, the functionalities are not inefficiently repeated across every application where they are requested.

Additionally, via use of SOA, “New technology provides the ability to mix and match outsourced business processes with on-premise assets and services” (Essvale Corporation Limited, 2011). Software designed or in use by third party vendors can become more easily integrated with bank systems and processes due to the high connectivity of an SOA approach. According to Gartner research, smaller and mid-tier banks are adopting SOA in order to make the most of their limited IT budgets and resources. “Until now, midtier banks had to rely on customized software packages from a single vendor, and assumed all of the maintenance costs and function limitations inherent in a single, proprietary set of solutions” (Earley et al., 2005). Due to a rising interest in SOA, technology vendors that serve the financial services industry are increasingly working with integration providers to offer a standard set of component integration (Earley, et al., 2005).

One of the benefits of SOA standardization is the enablement of more functionality, performed by much less underlying code. This leads to less complex, more cost effective system maintenance; thereby reducing operational risks.

“A fully implemented SOA provides a bank with a highly predictable application environment that reduces risk in day-to-day operations, due to the minimization and isolation of change to the production systems. Banks that fail to take this approach must constantly change their interfaces as external and internal requirements change. This introduces significant risk and the need for near-continuous testing to ensure that the customer ‘touchpoints’ and the back-end processes do not fail, while ensuring that one data or service change doesn’t adversely affect other data changes integrated through an interface” (Earley et al., 2005).


SOA has an important role to play in the architectural repertoire of banking and financial organizations. Its loosely coupled design characteristic allows services to be shared and reused across the enterprise without disparate systems concerning themselves with the underlying development code. Multiple services can be combined together to form reusable chunks of a business process. Outside sources can connect to legacy backend systems via an API, which increases the opportunity to mix and match vendor capabilities with in-house assets. SOA also helps banks and financial firms ramp up new applications and functionality quickly and economically, increasing product responsiveness to market demands. When SOA is combined with Event Driven Architecture, dynamic event driven systems can be developed that do not rely solely on the less proactive request/reply paradigm.

Banks and financial companies need to remain innovative, cost effective and anticipate customer needs in order to remain profitable. SOA allows organizations to become more agile and flexible with their application development. The rise of applications on mobile cloud enabled platforms means that customers will need to connect to data wherever it dwells. “Bank delivery is focused on reactively providing products on customer request, and mass-market, one-size-fits-all products (for mainstream retail banking). However, it is no longer feasible to force-fit mass-market bank products when technology devices, context and location are key elements to the type of customized bank service a customer needs” (Moyer, 2012). As SOA continues to mature with cloud enabled solutions and the rise of mobile computing, it is primed to be the building block for the next generation of banking application functionality.


Baskerville, R., Cavallari, M., Hjort-Madsen, K., Pries-Heje, J., Sorrentino, M., & Virili, F. 2010. The strategic value of SOA: a comparative case study in the banking sector. International Journal of Information Technology and Management, Vol. 9, No. 1, 2010

Banking Industry Architecture Network. (2012). SOA, standards and IT systems: how will SOA impact the future of banking services? Available from https://bian.org/wp-content/uploads/2012/10/BIAN-SOA-report-2012.pdf

Early, A., & Free, D. (2002, September 4). SOA: A ‘Must Have’ for Core Banking (ID: SPA-17-9683). Retrieved from Gartner database.

Early, A., & Free, D., & Kun, M. (2005, July 1). An SOA Approach Will Boost a Bank’s Competitiveness (ID: G00126447). Retrieved from Gartner database.

Essvale Corporation Limited. (2011). Business knowledge for it in global retail banking: a complete handbook for it professionals.

Overview of Service Oriented Architecture


Service Oriented Architecture (SOA) can be described as an architectural style or strategy of “building loosely coupled distributed systems that deliver application functionality in the form of services for end-user applications” (Ho, 2003). Ho (2003) proclaims that a service can be envisioned as a simple unit of work as offered by a service provider. The service produces a desired end result for the service consumer. Another way to envision the concept of a service is to imagine a “reusable chunk of a business process that can be mixed and matched with other services” (Allen, 2006). The services either communicate with each other (i.e. pass data back and forth) or work in unison to enable or coordinate an activity.

When SOA is employed for designing applications and/or IT systems, the component services can be reused across the enterprise, which helps to lower overall development costs amongst other benefits. Reuse fosters consistency across the enterprise. For example, SOA enables banks to meet the needs of small, but profitable market segments without the need to redevelop new intelligence for a broad set of applications (Earley, Free & Kun, 2005). Furthermore, any number of services can be combined together to mimic a business processes.

“One of the most important advantages of a SOA is the ability to get away from an isolationist practice in software development, where each department builds its own system without any knowledge of what has already been done by others in the organization. This ‘silo’ approach leads to inefficient and costly situations where the same functionality is developed, deployed and maintained multiple times” (Maréchaux, 2006).

Architectural Model

Services are only accessed through a published application-programming interface, better known as the API. The API, which acts as the representative of the service to other applications, services or objects is “loosely coupled” with its underlying development and execution code. Any outside client invoking the service is not concerned with the service’s development code and is hidden from the outside client. “This abstraction of service implementation details through interfaces insulates clients from having to change their own code whenever any changes occur in the service implementation” (Khanna, 2008). In this manner, the service acts as a “black box” where the inner workings and designs of the service are completely independent from requestors. If the underlying code of the service were switched from java to C++, this change would be completely oblivious to would-be requestors of the service.

Allen, (2006) describes the concept of loose coupling as, “a feature of software systems that allows those systems to be linked without having knowledge of the technologies used by one another.” Loosely coupled software can be configured and combined together with other software at runtime. Tightly coupled software does not offer the same integration flexibility with other software, as its configuration is determined at design-time. This design-time configuration significantly hinders reusability options. In addition, loosely coupled applications are much more adaptable to unforeseen changes that may occur in business environments.

In the early 1990’s some financial firms adopted an objected oriented approach to their banking architecture. This approach is only superficially similar to a service oriented architecture approach. In an object oriented (OO) approach, the emphasis is on the ability to reuse objects within the source code. SOA emphasizes a “runtime reuse” philosophy in which the service itself is discoverable and reused across a network (Earley, Free & Kun, 2005). SOA also provides a solution to the lack of interoperability between legacy systems.


Allen, P. (2006). Service orientation: winning strategies and best practices.

Early, A., & Free, D., & Kun, M. (2005, July 1). An SOA Approach Will Boost a Bank’s Competitiveness (ID: G00126447). Retrieved from Gartner database.

Ho, H. (2003). What is Service-Oriented Architecture? O’Reilly XML.com.

Khanna, Ayesha. (2008). Straight through processing for financial services: the complete guide.

Maréchaux, J., (2006, March 28). Combining Service-Oriented Architecture and Event-Driven Architecture using an Enterprise Service Bus. IBM developerWorks. Retrieved from http://www.ibm.com/developerworks/library/ws-soa-eda-esb/

How Timken Manages the Business Cycle

Capital Expenditures

In Peter Navarro’s book entitled “The Well Timed Strategy: Managing the Business Cycle for Competitive Advantage”, the professor of business at the University of California-Irvine defines the master cyclist as “A business executive who skillfully deploys a set of well-timed strategies and tactics to manage the business cycle for competitive advantage”[1]. With respect to capital expenditures, firms headed by master cyclists will increase capital expenditures during recession in order to develop new and innovative products and be better positioned to satisfy pent up demand once a recovery takes place. These firms will also modernize existing facilities during economic slowdowns [10].

The overall financial performance of the Timken Company was disappointing in 1998. Although the company was able to set a new sales record at that time, earnings as compared to 1997 dropped 33% [2]. A combination of difficult market conditions and unusual occurrences such as a prolonged strike at General Motors contributed to the decline. “A nearly global economic slow down — which started last year in Thailand, spread to Japan, then to most of the rest of Asia, South America and Russia — has squashed demand for many U.S. products”[3]. The modernization of existing capacity in many countries along with volatile currencies and a strong dollar placed substantial downward pricing pressures with respect to bearings worldwide [1]. Competitors in Asia found the U.S. market appealing since demand was drying up in their home markets. Consequently, the amount of imports into the United States for the products Timken manufactured increased, while exports decreased during this time period.

In this global economic slowdown for players in the steel and ball bearings industry, conventional wisdom would dictate that a company would need to decrease their capital expenditures to better position themselves. Timken during this period of time executed some strategies that were contrarian to conventional wisdom in an attempt to manage the business cycle. From their 1998 annual report Timken states, “We made record capital investments to prepare for the future and lower costs”[4]. During the third quarter of 1998, Timken dedicated a $55 million dollar (~$69 million in constant dollars) rolling mill and bar processing investment at its Harrison Steel Plant in Canton, Ohio [11]. Modernization expenditures were also announced for Timken’s Asheboro plant which opened in 1994 and produces bearings used in industrial markets. “The expansion will increase the size range of bearings the Asheboro plant is able to produce, hike plant capacity and add options available to Timken’s industrial customers” [5].

Timken has a record of increasing its capital expenditures in the face of economic slowdown or recessions in keeping with the strategies and tactics of a master cyclist. Their last new steel making plant prior to 1998 was the Faircrest Steel Plant in Perry Township, Ohio [6]. The plant was announced in the middle of the early 1980’s recession and opened in 1985 [12]. Timken took a huge gamble and invested $450 million (~1.1 billion in constant dollars), which was two-thirds of Timken’s net worth at the time — to build the only completely new alloy steel plant in the U.S. since World War II” [7]. At the time, the so-called experts said the U.S. steel industry was dead and companies didn’t need to build any new plants ” [12]. Similarly during the recession year of 1991, Timken boosted capital expenditures to $144.7 million up from $120 million in 1990 [12].

In order to differentiate its products from pure commodities Timken invested in research and development during this period of economic uncertainty for its products. This strategy is also in keeping with the master cyclist philosophy of increasing capital expenditures to develop innovative products and new capacity in time for a recovery. While Timken’s largest research and development center is in Canton Ohio, it added another large facility in Bangalore India to focus on new product development. Timken Research has four centers located in the US, Europe, Japan, Romania and India. The Timken Engineering and Research India Pvt Ltd is part of the company’s “work with the sun” concept where it is day time in at least one of the company’s centers [8].

Risk Management

 Firms that geographically diversify into new countries and regions can reap the benefits that this hedging strategy provides against business cycle risk. “The effectiveness of geographical diversification as a hedge is rooted in the fact that the business cycles and political conditions of various countries are not perfectly correlated ” [5]. The privatization of Brazil’s steel mill industry in 2001 opened up the door for North American companies to do business there [9]. Timken responded by forming a joint venture with Bardella S.A. Industrias Mechanicas (Bardella) to provide industrial services to the steel and aluminum industries in Brazil. In 2001 the company also acquired Bamarec which operated two component manufacturing facilities in France. The presence of French facilities allowed Timken to expand their precision steel components business unit. Timken CEO James Griffith believed that there was an opportunity to grow this business in Europe and entering the French market provided a base from which to launch their European strategy [10]. Both of the moves during a recession provided Timken an opportunity to hedge against the business cycle risks they faced in the United States.


[1] Navarro, Peter. The Well-Timed Strategy: Managing the Business Cycle for Competitive Advantage. New Jersey: Wharton School   Publishing 2006.

[2] The Timken Company 10K Report. 1999.

[3] Adams, David. “Canton, Ohio Steel Executive Favors Federal Reserve Rate Cut.” Akron Beacon Journal, Ohio. 13 November 1998. KRTBN Knight-Ridder Tribune Business News: Akron (Ohio) Beacon Journal.

[4] The Timken Company Annual Report. 1998.

[5] “Timken plans $20M boost for bearings. 16 July 1997.” American Metal Market. Vol. 105, No. 136, ISSN: 0002-9998

[6] Adams, David. “Steel Bearings Maker Timken Co. Opens New Canton, Ohio Mill.” 11 August 1998.

[7] Industry Insider. “How Timken Turns Survival into Growth.” http://www.businessweek.com/magazine/content/03_14/b3827027_mz009.htm 7 April 2003.

[8] Business Line (The Hindu). “Timken Company R&D base in India.” 11 February 1999.

[9] Robertson, Scott. “Timken expects to benefit from Brazil steel privatization.” 9 April 2001. AMM.

[10] “The Curse of a Strong Dollar; Timken CEO James Griffith says his outfit could sell a lot more bearings if the greenback wasn’t ‘overvalued…on the order of 30%.’” Business Week Online. 28 November 2001.

[11] “Continuity and Change in the Growth of a Family Controlled U.S. Manufacturing Firm.” Humanities and Social Sciences Online.   16 April 2007. <http://www.h-net.org/reviews/showrev.cgi?path=16914932502209&gt;

[12] Excerpt from Bear Stearns Industrial Internet Special. “The Wall Street Transcript – Questioning Market Leaders for Long Term Investors.” May 2001.


Spear Phishing

Regarding this New York Time article: Hackers in China Attacked The Times for Last 4 Months

Spear phishing attacks against businesses, diplomatic and government agencies seem to be very popular with cyber espionage networks. You only need one person to take the wrong action and the entire system is compromised as the New York Times is discovering.

China in 2012 used spear phishing and a .pdf file that exploited a vulnerability in Windows to launch spear phishing attacks against Tibetan activist groups. Antivirus software did not widely recognize the threats as was the case with the NYT’s imbroglio. [1]

In a similar vein to the attacks on the NYT, targeted spear phishing was used in a very recent incident called Operation Red October (lending to the fact that the attacks emanated from a Russophone country). The malware produced from this attack is called ‘Rocra’ and it is aimed at governments and research institutions in former Soviet republics and Eastern Europe.

The New York Times article states “Once they take a liking to a victim, they tend to come back. It’s not like a digital crime case where the intruders steal stuff and then they’re gone. This requires an internal vigilance model.”

It’s intriguing that the Red October attacks embody the spirit of that quote in the design of its malware:

“Red October also has a “resurrection” module embedded as a plug-in in Adobe Reader and Microsoft Office applications. This module made it possible for attackers to regain control of a system even after the malware itself was discovered and removed from the system.”

This is pretty scary stuff but ingenious nonetheless. Organizations need to take heed and make sure they are doing absolutely everything they can to combat attacks and training users about the dangers of spear phishing.

[1] http://www.scmagazineuk.com/chinese-spears-attack-tibetan-activists/article/231923/

[2] http://www.wnd.com/2013/01/red-october-cyberattack-implodes/