I think that a more relevant question is “Is information protection possible?”

The  author correctly identifies that it’s easier to access data (and leak it) than to modify or delete data.  However, the notion that data is out of control in the corporate world is an over-reaction and does a mis-justice to most businesses.

Data is out of control in the corporate world…I think… the only way that we can have influence on the likelihood of (data loss) occuring is through a couple of fundamental controls, namely

1. Reduce and limit access to data

2. Control the “copyability” of data

Companies already manage access and control “copyability”. This is not new, nor is it effective against the threat of a major data loss event.

Organizations from SME and up to Global 2000 use Microsoft networks based on Active Directory with planned (not always well executed) group policies and permissions management.  Controlling access and copyability in the service of business objectives is precisely the objective of these systems.

If you need finer-grained copy protection – there are dozens of endpoint security products – from Checkpoint, Mcafee and Symantec to Controlguard.

If you need finer-grained rights management, there are products like Microsoft DRM and Oracle IRM. Personally, I don’t think that DRM is effective for enterprise information protection. DRM changes the user experience and depends on user behavior, it can be broken and or bypassed and DRM systems are difficult to deploy on a large scale because of the above constraints.

However – permissions and rights access management and lately, removable device management have not prevented major data loss events like Heartland or Hannaford. The reason for this is that once rights are granted – the user is trusted and can move the data anywhere he  or she wants.

We need information protection,  not copy protection; and in a way and at a cost that is a good fit for the business.

Information protection is possible by taking a value-based approach that integrates with the business operation.   Analyze your business requirements and threat scenarios – and only then – consider data loss prevention solutions like  enterprise information protection from Verdasys, agent DLP from Mcafee or a gateway DLP solution from  Fidelis Security.

It sounds like an internal vendetta which has spilled over into the media since Mylan CEO Robert Coury has personal money at stake – about 40% of his total compensation package is in Mylan stock – which in itself is a good thing as it provides a significant performance incentive.

Data leakage of safety and compliance related documents is a commonly overlooked use case in the enterprise information protection space – as Mylan security staff are discovering – it is next to impossible to detect data leakage after the fact – unless you are using a network DLP system like Fidelis XPS or an agent DLP system like Verdasys Digital Guardian or Mcafee Agent DLP.

My guess is that the Mylan CIO is getting a lot of sales calls from DLP vendors this week – offering to help them monitor unauthorized network transfer of internal, confidential documents.

Having said that – there is no indication that the documents were not simply printed and handed to the reporters.  In that case – the only data loss prevention solution that is applicable is agent DLP like Verdasys or Mcafee agent DLP.

Then again – sometimes the best and cheapest data security countermeasures are low-tech – checking bags of employees leaving the plant..

A common data security use case is protecting MS Office documents on personal workstations from being leaked to competitors. In 2003 Gartner estimated that business users spend 30 to 40 percent of their time managing documents. In a related vein, Merrill Lynch estimated that over 85 percent of all business information exists as unstructured data .

However – the key question for enterprise information protection is value – not quantity.

Ask yourself – what is your most valuable asset and where is it stored?

For a company developing automated vision algorithms, the most valuable assets would be inside unstructured files stored in engineers’ workstations – working design documents and software code. For a customer service business the most valuable assets are in structured datasets stored in database servers and data warehouses.

The key asset for a customer service business (retail, e-Commerce sites, insurance companies, banks, cellular providers, telecommunications service providers  and government agencies) is customer data.  Customer data stored in large structured databases includes  billing information, customer contract information, CDRs (call detail records), payment transactions and more.   Customer data stored in operational databases is vulnerable due to the large numbers of users who access and handle the data – users who are not only salaried employees but also contractors and business partners.

Due to the high levels of external network connectivity to agents and customers using on-line insurance portals, one of the most important requirements for an insurance company is the ability to protect customer data  in different formats and multiple inbound/outbound network channels.

This is important  from a privacy compliance (complying with EU and American privacy regulation)  and  from a business security perspective (protecting the data from being stolen by competitors).

Fidelis XPS Smart Identity Profiling provides a powerful way  to automatically identify and protect  policy holders information without having to scan databases and files in order to  generate fingerprints.

Fidelis XPS operates on real-time network traffic (up to 2.5gigabit traffic ) and implements multiple layers of content interception and decoding that “peels off” common compression, aggregation, file formats and encoding schemes, and extracts the actual content in a form suitable for detection and prevention of data leakage.

Smart Identity Profiling

Unlike keyword scanning and digital fingerprinting, Smart Identity Profiling can capture essential characteristics of a document or a structured data set but tolerates some significant variance that is common in database updates and document lifetime: editing, branching into several independent versions, sets of similar documents, etc. It can be considered as the successor to both keyword scanning and fingerprinting, combining the power of both techniques.
Keyword Scanning is a simple, relatively effective and user-friendly method of document classification. It is based on a set of very specific words, matched literally in the text. Dictionaries used for scanning include words inappropriate in communication, code words for confidential projects, products, or processes, and other words that can raise the suspicion independently of the context of their use. Matching can be performed by a single-pass matcher based on a setwise string matching algorithm. As anybody familiar with Google can attest, the signal-to-noise ratio of keyword searches varies from good to unacceptable, depending on the uniqueness of the keywords themselves and the exactness of the mapping between the keywords and concepts they are supposed to capture.

Digital Fingerprinting (DF) is a technique designed to pinpoint the exact replica of a certain document or data file with the rate of false positives approaching zero. The methods used are calculations of message digests by a secure hash algorithm (SHA-1 and MD5 are popular choices).  Websense uses PreciseID (a sliding hash algorithm that is a variation on the DF technique – which is more robust than DF for unstructured data, but still requires frequent update of the signature and is unsuitable for protecting information in very large customer databases due to the amount of computation required and the need to access customer data and store the signatures which creates an additional data security vulnerability.

Here is an example of a Fidelis XPS Smart Identity Profile that illustrates the simplicity and power of XPS.

# MCP3.0 Profile
# name: InsurancePolicyHolders
# comments: Policy Holders
# threshold: 0

pattern:    MemoNo    P[A-Z][A-Z]
pattern:    BusinessUnitName    PZUInternational
pattern:    ControlNo    d{9}
pattern:    PolicyNo    4d{7}
use:    DateOfPolicy(PolicyNo,Date,Name,Phone,e_mail):Medium
use:    Medication(PolicyNo,Drug_Name,Name,Phone):Medium
use:    NamePhonePolicyNo(BusinessUnitName,PolicyNo,Name,Phone):Medium
------------------------------
prob: DateOfPolicy 0.200 0.200 0.200 0.200 0.200
prob: Medication 0.201 0.398 0.201 0.201
prob: NamePhonePolicyNo 0.000 0.333 0.333 0.333

As you can see in the above example – Smart Identity Profiling uses tuples of data fields – for example, the DateOfPolicy tuple which contains 5 fields – PolicyNo,Date,Name,Phone and e_mail address.  Although the probability of not detecting a single field might be fairly high, the probability of not detecting a given tuple of 5 fields is the multiple of 5 probabilities  – for example if the miss probability of a single field is 70% then the probability of missing the entire tuple is only 16.8%.

SIP (Smart Identity Profiling) is used successfully in Fidelis XPS appliances at gigabit deployments at large insurance companies like PBGC and telecommunication service providers like 013 and Netia.

Now I think we have reached a new level of Microsoft sycophancy with the Obama administration implementing a Bush decision to standardize IT but in a way that makes practically no sense at all – let’s ban all non IE browsers.  It’s really scary to what lengths the Obama administration will go undo Bush policy.

In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug.18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed.”

It does make sense to standardize on a browser – but why standardize on the most vulnerable browser and operating system?  Why not standardize on Ubuntu and FF 3 on the desktop or standardize on diskless workstations with Citrix or TightVNC?

The full item is here – USDA unit bans browsers other than Internet Explorer

Little information is available regarding the root causes – how attackers exploited the system and people vulnerabilities to get the data.

Although US legislation requires disclosure of a data loss event, it does not require disclosure of the root causes of  the event.

In the Hannaford Supermarket data breach case of over 4 million credit cards, the State of Massachusetts refused to provide details on their investigation.  Hannaford claims that malware attacked their store servers and promptly signed a contract with IBM to replace over 250 store back office servers.

Let’s take closer look and see if this makes sense.

Store back office servers in a retail POS system are never connected to the public Internet and therefore could not be attacked directly by malware. It is possible that there was network connectivity from the company’s internal administration network of Windows users to store back office servers and this may have served as a vector for malware delivery. Possible and if true, a reason to segregate the store networks from the administration network using technology such as Waterfall Systems but not a reason to replace all the back office servers.

My gut feeling is that Hannaford may have had a case of credit card authorization requests being saved in temporary files that were accessible from a Windows share on the administration network. Which made it childs play to steal by an insider with reasonable knowledge and access to the network.

Does this look simple to you?

I think it’s time to get back to security basics after reading the news this morning.

Yesterday, there was a  run of high profile data security events: the  Mozilla store data breach, the  DDOS attack on Twitter and Web defacing  by a Palestinian cyber-terror group on leftist Israeli Kadima party (second time in the past 18 month – this seems like biting the hand that feeds you, considering the Kadima record in attempting to attain peace with appeasement and corruption).

So – let’s get back to basics.

Here is a security policy with  6 basic security countermeasures for effective enterprise information protection and data loss prevention.

1. Change default passwords that come with applications. Change those admin/admin username/passwords and change default Oracle passwords.
2. Forbid shared username/passwords for systems with sensitive data
3. Review user account privileges once / quarter.  You may be surprised that a one-time privilege granted to a user is still there. In a large company – this should be done by a supervisor. Doing this will raise awareness and place more responsibility on employees and line managers.
4. Identify critical systems and perform a software security assessment.  In our data security practice in Israel and Central Europe, we have discovered that over 50 percent of data breaches were related to software bugs.  Use the 7 step Business Threat Modeling methodology to do the software security assessment
5. Patch to operating system vendor requirements. In Windows, Ubuntu and Red Hat Linux it’s automated and work that can be scheduled.
6. Monitor for data security events on the network using the Fidelis Security XPS system (which can monitor and prevent data loss events bi-directionally inside the network or at the perimeter) or with Verdasys Digital Guardian agents at the point of use.

Free online workshops in information security Join us for an exciting series of 6 free online workshops on data security best practices at work, at home and for SMEs – Register for the workshops now! Preventing intellectual property abuse Protecting information at pharmaceutical firms What is the right way to protect intellectual property from theft and abuse? Start by testing two hypotheses – 1) that information leakage is currently happening and 2) that a cost-effective risk mitigation plan can be defined and implemented. Read more Preventing intellectual property abuse Professional services Data loss prevention solutions For creative, effective and out-of-the-box data security solutions contact us. Ten reasons you should work with us What risks really count for your business? Use the 7 step Business Threat Modeling methodology to diagnose and quantify threats to customer data, strategic plans, marketing and pricing data. Business threat modeling information assurance Your employees send confidential documents to Gmail, but how do you quantify and mitigate the risk? The Great Financial Crisis is a new spin for security vendor PR people, but in our experience most firms don’t know what data is leaving the company. Your first step to being more robust to an unexpected, high-impact data breach isdata discovery and business threat modeling. Contact us today and learn more. Free download Business threat modeling Business management Preparing for a disaster Be prepared with a good disaster recovery plan. The DRP is designed to assist companies in responding quickly and effectively to a natural disaster or terror event and restore business as quickly as possible. Read more Preparing a disaster recovery plan. Security management If you know what your assets are worth, it’s easy to ask for, and get a discount Data security is often brushed aside due to budget limitations disregarding the value of company data assets. Take a clear position on which data assets are important and how much they’re worth to the company Read more Ten steps to protecting customer data and intellectual property. Software development risk 10 Top Mistakes of Embedded Linux Users Picking a large foreign company for support is not the best way to go for various reasons and for smaller embedded systems, Intel isn’t necessarily the best choice. Read more The 10 Top Mistakes of Embedded Linux Users make. Risk assessment IT Risk Assessment is dead Does your IT security look like TIA – a lot of senseless shooting? Risk assessment, as currently practiced in IT security, is dead, but if we take a brick and mortar approach – we can improve security at reduced costs. Read more The death of risk assessment. Join the Software Associates network today : : Contact us Subscribe to our RSS Feed Free risk assessment software

1. Preventing information security events is an admission of weakness. Why spend money on technology when the first step is admitting that you’re vulnerable?
2. We live in an age of instant gratification. Need music – go to Deezer. Need security – go to Checkpoint. Strong security is hard work.
3. Walk on the safe side, not on the wild side. Why be an early adopter and / or spend 6-7 figures on several point solutions that requires a risk assessment from someone who isn’t your accountant, a complex policy implementation by people who need to learn your business, integration with internal procedures and processes with employees who could care less, and buyin from a CEO who is scrappling for survival with the board during the biggest financial crisis in 80 years?

I posted this question  on the LinkedIn Information Security Community forum about 6 weeks ago. It was an experiment in collaborative writing;  I’ve collected the comments and edited them (hopefully faithfully), attributing credit to each contributor.

Darian Stultz reminds us that people are the weakest link and brings some insights into organizational politics.

Both psychology and technology are equally important. From a technology perspective, vendors tend to promise the world, but people install, configure and operate the security technology.

Systems are vulnerable to incorrect configurations, mis-cabling, or open unnecessary  open ports. The best training for employees may not be sufficient to handle all possible configuration scenarios and use of external/internal experts can mitigate these risks through discovery, and a remediation plan. This costs money. External Auditing is more costly, but provides a politically neutral assessment because the auditor is more likely to report findings. For the manager who hired the auditor, an external audit can be stressful since the auditor wants future business from upper management, and is likely to prove his worth by high-lighting even small issues.

From a psychology perspective – prevention of security events is not a sign of weakness, but of resolute strength. Yes, prevention costs money. The larger the scope of the business, the more opportunities there are for security risks. The optimum (utopian) way to handle security is for the CEO to support fully efforts to secure the business from internal and external security threats. The sell from middle management is easier with full buy-in. Most companies I have worked for or consulted for have a “middle ground” where a security department exists, but was an afterthought of the business. Therefore they jockey for human resources, and funding for projects to secure vulnerabilities.

Michael Seese agrees that people are key to understanding security vulnerabilities

Just as Willie Sutton said that he robbed banks because “that’s where the money is,” attackers will go after end users because that’s where the valuable information is.

As security technologies continue to improve, attackers will focus on the weakest link: our people. The quick and cynical explanation is that people are more easily prone to being fooled by a scam or to become lax in following procedures than technology solutions.

People have emotions egos. They want to help, if they can, when asked. They don’t want to be yelled at. They trust. They get busy and they get stressed out. In some cases, they get greedy. But oftentimes, they simply don’t realize the value of what, to them, seems to be a trivial piece of information.

Gabriel Bar-Giora feels that psychology  is more important than the technology side of security but stresses the need for an integrated management approach

A company must integrate both aspects, getting managements to define and implement security policy, translated into budget and manpower and regulations, then – and only then – the product pieces will start falling into place – VA, DLP, DRP, HA etc.

Joe Peck is director of product management at Code Green  Networks and brings a perspective of a vendor selling DLP solutions in a tough economy  and competitive market space.

Most companies did not allocate 2009 budget for a DLP project. That’s neither a technology or a psychological constraint. It’s an issue  of having  budget for new requirements. Some customers have been able to use budget for email encryption or content filtering use it to purchase our data loss prevention solution. As awareness of information protection grows, I expect more companies to allocate 2010 budget explicitly for DLP.

The market is still pretty early. Many customers don’t know yet what DLP really is and how it fits into their security portfolio so there is a need for educating IT on the need for data-centric security as opposed to traditional system or network-centric security.

DLP is hot and the marketing hype has resulted in many vendors slapping a DLP label on their product and providing incomplete or even irrelevant solutions (e.g. device control solutions with no data inspection capability or email and web gateway solutions that can do keyword matches but will generate a false positive flood when an employee shops at Amazon).

Even with knowledgeable customers, some folks prefer not to be early adopters, they want to be a technology follower as a way of reducing risk. That has both a technology and psychological aspect to it.

Finally – data security crosses organizational boundaries – it’s not just the network security team. It often involves Legal, Compliance/Audit, the data owners, and the IT group. That slows down the evaluation, justification and purchasing process significantly. DLP is not a standalone IT solution.

John Martin, a security practice leader at IBM NZ reminds us that people are not machines, they need technology safeguards.

People cannot be trusted to make the right decision 100% of the time? Given the current economic recession, more cases of fraud emerge every day. Techniques such as DLP, can make up for the the human factor or re-enforce what is on the spur of the moment conveniently forgotten. Understanding the psychology assists us to appreciate the appropriate technological solution(s) from a risk management perspective and during the justification – business case.

Kyle Quest who works for Vericept reminds us that  human behavior is the main driving force behind most things in life, not just security, but he is pessimistic about a company’s ability to utilize security technology effectively.

Look at the GFC for example, Alan Greenspan thought that companies would follow logic and wouldn’t engage in risky financial activities… The results were not forecasted and have affected the entire world.

There is one key reason for data loss events: the checkbox mentality. “Need to have a firewall.. check that… now we safe”. Obviously, this is an oversimplification… This checkbox mentality creates an illusion of security. It all starts from the top. Executives don’t really care about data security. They’ll either ignore the issues or do just enough to get a piece of paper that says that they are secure. As a result, even when money is spent on the data security technology, customers don’t get anything useful ROI.

Data security is not even on the third place when it comes to running a business (yes, there are exceptions, but I’m talking about the majority of customers. The security process in the enterprises is broken. Marcus Ranum does a great job talking about this subject in his “Anatomy of Security Disasters“

Jerry Bell is a Technology strategist at IBM and believe that without the psychology in place, you cannot deliver the technology.

Done right, controls mitigate weakness, whether they are technological or people controls. No technology or “management support of security” platitude is going to reduce risk on it’s own. By definition, security is about making trade-offs that the organization must make based on their risk profile. The risk management part of managing a company starts with the CEO. Good CEO’s hire CIO/CSO’s that they trust to ensure that the business in soundly controlled. Other CEO’s hire CIO’s to simply keep the wheels from falling off the car.

If security is not a business priority after a presentation of the risks and possible securit ycountermeaures, there isn’t a lot to do. Keep good records of the discussions and risk assessments presented to use as defense to keep the job after a security breach happens.

Sadly, most companies don’t find religion around security (or disasater recovery) until bad things happen.

Richard Ryan – an independent security consultant notes that regardless of technology, the entire organization needs to have a culture of security.

It takes everyone working together to create a secure organization and then its only secure as its weakest link, which can be people, technology, or a combination of both.  The psychologies of some people are geared to take advantage of someone else’s weaknesses. For some reason, their desire to have more than someone else takes over, and the scheming starts, flaws are found, and security is breached.

Nicholas Key is an independent security consultant from the UK wishes that people could assured secure.

People are the first line of defence in security policy and normally overlooked. Although there is assurance and certification of security technology like C2 and Common Criteria, there is no facility which gives assurance that ‘our people’ have a first-class level of security awareness.

DineshBareja has yet to see a client who says – please go out and raise the awareness factor in my organization.

Usually the implementing team cobbles together a bunch of sad slides that are passed off as awareness programs for the purpose of compliance with the certification program. The will to spend on professionally designed programs which will be really effective is (sadly) very weak, and organizations are losing out on their security investment.

I see this  bike streak by down the main street.

A father riding a bike (with a helmet) and baby in back seat (with helmet) – talking on a cell phone.

Now That’s Foolish and Dangerous.

Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle. It’s always a 4 step cycle, like Symantec’s DLP  “Discover, Monitor, Protect and Manage” and it’s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.

It’s like a washing machine cycle that never stops, intent on keeping you from going home.  It’s also a sales cycle focussed on sustaining subscription revenue rather than protecting information.

The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard stuff; quantification and prioritization of your actions based on financial value of assets and measurement of threat impact.

Modern security tools from companies like Qualys and Beyond Security are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However – since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected.

With reported data breaches that increased nearly 50% in 2008, and security budgets that shrunk drastically in 2009 – you need to measure how well the product reduces Value at Risk in dollars (or in Euro) and how well it will do 3 years after you buy the technology.

In order to help make that happen we will host a free weekly online workshop on data security best practices every Thursday, 15:00 GMT, 16:00 Central European Time, starting Thursday September 3, 2009.

This series of workshops is designed to help you and your team take a leadership role in the board room instead of waiting for vendor proposals in your office.

Through specific Business Threat Modeling^(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.

Data security is a war – when the attackers win, you lose. We will help you win more.