
January 2007 Archives

January 7, 2007

Antivirus software and intrusion prevention solutions, yesterday's hype today.

Media hype is like old soldiers - it never dies, it just fades away. In the case of network security vendors, though, they are still reminiscing about wars from 5 years ago and hoping that customers will continue to buy their faded-out war stories.

You've all probably noticed that the media hype from vendors like McAfee is still about anti-virus and outside-in attacks (the title of their home page reads "Antivirus software and intrusion prevention solutions"). McAfee is now trying to pawn off threat analysis as a revolutionary new methodology for security risk management.

I wonder how many people really trust McAfee to do a threat analysis and recommend a competing product or better yet, recommend a series of changes in manual procedures - like strict qualification of small vendors and business partners.

Our research suggests that the inside-out threats are a much larger financial risk to organisations than network security.

According to the 2006 Australian CERT report, the average loss related to viruses, worms and trojans in 2005 was just under AU$30,000 per organisation in Australia. In comparison, and from the same report, the largest average financial losses reported from extrusion of data were as follows:

  • Theft or breach of proprietary or confidential information (over AU$2 million on average);
  • Computer facilitated financial fraud (over AU$100,000 on average);
  • Telecommunications fraud (over AU$60,000 on average);
  • Theft of laptop, handheld device or other hardware (over AU$45,000 on average).

The common denominator of ALL of these attacks is that almost all of them are inside-out threats - whether it was collusion between an employee and a criminal or fraud committed by a contractor - and such figures indicate the financial risks that all organisations face by failing to protect their information assets.

Most organisations are still slogging through the vendor hype instead of making the effort to reveal the real costs and risks that result from inadequate business processes, insecure software or shoddy deployments.

One of the best and most practical ways to improve internal ability to do threat analysis is to define and track metrics such as employee attrition, file transfer traffic and delivery performance on software development projects. More employees leaving may indicate vulnerabilities, spikes in FTP traffic in mid-month are a suspicious event and late software is always buggy software and buggy software is insecure software.
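As an added illustration of tracking a file-transfer metric against a baseline (this is not code from the original post): the script below parses a constructed daily outbound FTP volume log (the line format is an assumption) and flags days whose volume sits far above a median/MAD baseline, a baseline chosen because the very spikes being hunted barely move it.

```python
import re
import statistics

# Constructed daily outbound FTP volume log, one line per day.
# Sample values, not from any real system; the line format is assumed.
FTP_LOG = """\
2007-01-01 ftp_out_bytes=400000000
2007-01-02 ftp_out_bytes=390000000
2007-01-03 ftp_out_bytes=410000000
2007-01-04 ftp_out_bytes=420000000
2007-01-05 ftp_out_bytes=380000000
2007-01-08 ftp_out_bytes=405000000
2007-01-09 ftp_out_bytes=395000000
2007-01-10 ftp_out_bytes=415000000
2007-01-11 ftp_out_bytes=385000000
2007-01-12 ftp_out_bytes=400000000
2007-01-15 ftp_out_bytes=3200000000
2007-01-16 ftp_out_bytes=1900000000
2007-01-17 ftp_out_bytes=410000000
2007-01-18 ftp_out_bytes=390000000
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) ftp_out_bytes=(\d+)$")

def parse_log(text):
    """Return [(date, bytes), ...]; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2))))
    return rows

def robust_baseline(values):
    """Median and MAD-derived scale: a few huge days barely move them."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med, 1.4826 * mad  # 1.4826 makes MAD comparable to a std dev

def flag_spikes(rows, threshold=5.0):
    """Dates whose volume exceeds the median by > threshold robust sigmas."""
    med, scale = robust_baseline([b for _, b in rows])
    if scale == 0:  # flat baseline: nothing meaningful to compare against
        return []
    return [d for d, b in rows if (b - med) / scale > threshold]

if __name__ == "__main__":
    for day in flag_spikes(parse_log(FTP_LOG)):
        print("suspicious outbound FTP volume on", day)
```

The two mid-month days stand out by well over a hundred robust sigmas, while a flat baseline (MAD of zero) yields no flags rather than a division error.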

Skip the external hype.

Start with some practical threat analysis inside your company - you can download a free threat analysis tool now and start improving your understanding of the operational risk of information today.

I strongly recommend doing this BEFORE you consider extrusion prevention technology from companies like Fidelis Security, Vontu or Reconnex - you will find that instead of overspending and underprotecting (which is what will definitely happen if you buy a proxy-based extrusion prevention product from WebSense) you will focus the vendor on your top risk threats - not their "best practice" templates.

January 9, 2007

Compliance, the human factor and extrusion prevention

We’re used to thinking about the insider threat as an angry employee with malicious intent and privacy compliance as 13 points you comply with in order to have Visa and Mastercard punch your PCI Data security ticket.

After a great experience I had last week I started thinking about compliance in a much more human light.

Sunday, I did a chilly early morning bike ride to the Ben Shemen forest - I had planned a short ride of about 1 hour and nothing was going right, I left late, the saddle got misaligned and was bothering my back - I just wanted to get it all over with.

Returning on the road from the Ligad Center to Modiin, I saw a wallet lying on the pavement with a bunch of papers strewn around it. I stopped - it looked like it had just fallen out of a car. I picked it up and started examining the contents. Hmm - a picture of a young woman, married, one child, husband, with the National Identity card showing an address in Modiin, two credit cards, a bunch of customer loyalty cards (now I know her taste in clothing, on the slim side...), a member card from Cellcom cellular provider, a picture of the baby, an expired Tel Aviv U student credit card, some small change, a bunch of credit card slips.

You get the idea - in less than 5 minutes I had a pretty good picture (literally) of this person's life.

Except I didn't have a phone number.

Several phone calls later, after talking to Mastercard, Cellcom and Bezeq 144 information, I was in possession of her husband's cell phone number and the home phone number in Modiin. No one home in Modiin, so I dialed the cell phone number - a woman answers - turns out it is the mother-in-law who is baby-sitting the 14-month-old. 15 minutes later I was on the phone with the gal - who it turns out - works for - no less than Mastercard.

The terrific part of the story is that NO ONE - not from Cellcom and not from Mastercard - revealed PII (personally identifiable information) to me regarding the woman who lost her wallet.

The customer agent from Cellcom, Ilana was outstanding, and called me back to follow up and make sure that I had connected with one of the family members.

Great customer service and great PII data security, and they did it without extrusion prevention technology (I know - I tried selling an extrusion prevention system to both service providers and failed miserably).

The regulations state that you must prevent internal disclosures—including electronic disclosures—from happening. If investigated, you will need to show due diligence that you have the ability for an appropriate and rapid response to detect and deter misconduct that exposes your company to operational risk.

The customer service people at Mastercard and Cellcom in Israel that I encountered were service-oriented and diligent.

An unprepared CSO, CIO or even CEO can pose a threat but at the end of the day it boils down to people following simple procedures and common sense.

January 22, 2007

The big trade-off: Privacy versus service

Do we need to be able to see threats in order to assess them?

The leading concerns on the Net today are privacy theft, customer data protection and extrusion prevention, but 7 years ago online convenience and personalization were the dominant themes. Sometimes, we need to go back in time to get a little perspective.

The other day I was cleaning out some old files and I found an article I had printed and saved, dated April 27, 2000. The article appeared on www.emarketer.com and has since been removed from their database due to old age. There were gems on the same page like "Where has all the funding gone?" and "the turbulent stock market has would-be net entrepreneurs wondering whether they'll find backers".

The article states:

In April 2000, Internet users don't seem highly concerned about giving up personal information in exchange for improved online service. Only 15% of users polled by the newly formed Personalization Consortium stated their unwillingness to do so. More than twice as many had no opinion on the subject while a slim majority of 51% said they would be willing to trade information for service. As always, convenience rules: 73% find it convenient and helpful when Websites keep their information on record and 62% dislike being asked to resupply information they already provided.

Having worked at Commerce.net in Israel at the time, I recall very well the reigning environment of personalization as well as the various privacy consortia that started and then withered on the vine because the online shopping experience was overwhelmingly more interesting (and lucrative) than technical, public policy and implementation aspects of customer data protection. For the technology vendors - there was simply no market for privacy products; content was king then and, well, today it still is king.

This is free market economics at work. People want access to goods and services and they want it where and when and how they desire. When the cost of access and ownership of a product or service gets too high, or the economic cost of using or acquiring the product (getting mugged on the way to the market to buy lettuce) gets too high, that is when the buyer changes her way of doing business. A good case in point is online banking - it's a lot more convenient to bank from your PC at home using a broadband Internet connection; but with rising privacy issues, more and more banks are opening small walk-in offices with extended office hours. It's a physical touch point with the customer and reassuring to deal with a real human being providing service.

However, I would argue that there is more involved here than free market economy. I submit that people need to be able to physically see a threat in order to be able to acknowledge and assess its impact. In 2000, a lot of people were discussing, researching and developing software for privacy protection. VISA had introduced SET and it was going nowhere - not only because it was complex, clumsy and expensive but because the consumers and merchants could not visualize what only the card issuers and acquirers knew - namely that fraud and credit card theft on the Net were already big issues in 2000.

The card associations, like any other organization faced with a risk, had three options - mitigate, transfer risk or ignore. They chose to transfer the risk by raising chargebacks and merchant processing charges. The merchants responded by raising prices (i.e. transferring risk) and the consumers responded by ignoring the risk since they couldn't see the risk.

The three dimensions of seeing a threat: clarity, coherence and border

Consumers ignored the risk because they could not visualize online threats; however today, with the rise in identity theft due to dumpster diving and physical theft of credit cards and driver's licenses, the consumer can easily visualize the threat and method of attack. The media publicizes these cases and aids in the process of awareness; however, it seems to me that there are three additional factors at work in threat assessment.

The first factor is clarity - how clear and immediate is the threat and exploited vulnerability; jay-walking a busy intersection and having a car come at you is a clear and present danger. The second factor is coherence - is it one threat or a lot of threats; if you live in a bad neighborhood and people get mugged all the time - you get used to it, or in other words - the threat gets drowned out in the noise of current events.

The third factor is border. If you live in Nebraska, the threat of a Palestinian suicide bomber and inflammatory speeches in Arabic by Abu Abbas calling for the destruction of the Zionists is on the other side of your border; even though the threat is clear and perhaps even coherent, inside your border you are safe.

These are just some preliminary thoughts, but I bet with some further consideration, it might develop into a longer essay.

About January 2007

This page contains all entries posted to Israeli Software in January 2007. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License.