
March 2007 Archives

March 8, 2007

Identity theft and surfing to porn sites

Identity Theft is on the rise but is porn a contributing factor?

75% of businesses are at risk from malware, but is there a correlation with surfing to porn sites?
Anecdotal evidence is overwhelming that phishing attacks, which have multiplied 100-fold in the past year, are often launched from adult sites, but is an employee who surfs porn more vulnerable to white-collar crime?

I had an interesting call with a customer yesterday, the security officer at a mid-sized Telecom Service Provider/ISP. He stated (rather categorically) that their CEO doesn't believe in URL filtering - from the CEO's perspective - employees can surf to as many porn sites as they want.

I asked him - "You're not concerned about bandwidth wasted on video uploads?" No.
I asked him - "What about sexual harassment court suits from women who feel harassed by men surfing openly to adult sites at work?" No. This is Israel - You only get charged for sexual harassment if you are a Justice Minister trying to drive reform in the Supreme Court judge selection process (make it open, not behind closed doors).

I asked him - "What about the connection between employees who violate AUP - accepted usage policy and data theft?" Wait - Do you have any stats or research to support that?

Well - I do not. BUT - that got me thinking about what the real issue is: identifying assets, vulnerabilities and mitigating threats.

The problem of porn in the workplace has received a huge amount of attention - my client's CEO is mistaken to ignore the problem and not to write and enforce an AUP. The problems range from sexual harassment to loss of productivity - there are ample stats showing that visiting porn sites has become a daily practice for about 25 percent of the workers in U.S. companies that have access to the Internet in their offices. The illegitimate and personal use of the Web by employees has become commonplace. And when the boss is not around, improper use of the Web is normal. (See "Your employees surf porn, among other things".)

Employees are vulnerable to surfing to adult sites while the boss is not looking. That is a threat to a key asset - the employees' work hours. Even if the bandwidth is free - the employee's time is not.

What about the threat to data assets - not employee time? Is porn a contributing factor?

With PII (personally identifiable information) such as credit card numbers, the average CEO feels on safe ground knowing that if he's completed a PCI self-compliance checklist - he is covered with Visa and Mastercard. But intellectual property such as financial information, contracts and agreements is the CEO's neck on the chopping block of the stockholders.

An employee who surfs unrestricted will be less careful with intellectual property of the company. He will be less engaged and committed to the objectives of the company.

This is an area that requires some research, but it may be much more significant than the moral/behavioral issue of porn in the workplace.

March 21, 2007

Software for detecting Coronary Artery Disease

There is a new technology being looked at by doctors and public health officials as a better way to detect heart blockages early on, before they cause a heart attack.

Screening exercise treadmill tests are hardly accurate, and they're really not for healthy patients with no symptoms. CAT scans, on the other hand, are expensive.

My cousin Lois Bruckner-Parks is a lawyer for PBGC in Washington - she and her husband Dick have a home in Fairfax VA - I try to get out there and visit whenever I'm in town meeting with my software security colleagues in the DC area. Dick is a very talented engineer, with a great set of hands for building stuff and a tremendous cornet, banjo, flugelbone and trad jazz player - he and his quintet have a regular gig every Thursday night in Alexandria.

Dick and his engineering team have been working for several years on developing a system for detecting Coronary Artery Disease at an early stage with an old pal, Sailor Mohler, founder of SonoMedica. Mohler was recently interviewed on NYC's channel 11 where he is getting the NYC Fire Department interested in using the product as a screening device.

Here's a link to the article and the TV story. Video shown on WPIX11, New York Monday night - Empowered Doctor.

You'll see a small electronic box with four silver knobs, where the sound pickup plugs in - that is one of about 24 units that Dick built with his own two hands.

March 22, 2007

The mushroom theory of management - are non-US customers second class citizens?

When choosing an IT hardware or software vendor, one of the first things to look for is transparency in the answers from the customer service department. When you ask a question about local service in your country or the SLA (service level agreement), beware of the "mushroom theory of management" (keep them in the dark and feed them shit).

The "mushroom theory of management" went out of fashion at Data General in the 70's, when their CEO Ed De Castro had a sign over his desk that said "Not everything worth doing is worth doing well". See The Soul of a New Machine. If you have not read this book - go out and buy it now.

Why does this happen?

Probably, because the vendor is cutting costs by outsourcing.

Some hardware vendors outsource their global hardware support to companies like Source Support, who then contract with individual local sub-contractors to provide service. Their SLA is tailored for American SME customers and leaves customers in EMEA (Europe, the Middle East and Africa) without coverage for 20% of their work week and 75% of their business day.

If you're located outside the US - Source Support may not be a good fit for you - you should ask your IT vendor if he has other options that are more suitable.

Outside the US, customers are used to buying products with global support from HP and IBM and expect local service, namely: a) next business day response; b) local support, a local phone number, local business hours and local language speakers; c) locally stored spares and off-the-shelf replacement systems.

It is discouraging and difficult to accept a mushroom theory of management approach towards customers outside the US when the IT industry provides solutions and service globally and when customer service is a key differentiator.

March 23, 2007

Japan's Shrinking Population - Poland's exploding real estate

I just came back from a week in Warsaw with a customer - one of the big telecom service providers in Poland. We implemented an extrusion prevention system for them after several months of project planning; it looks like it will be a hit with them. It was my second visit and it underscored how dynamic Poland is - with a young population and a fast-growing economy. One of the indicators of growth is real estate: property values in Poland, along with the zloty, have grown 70 percent in 2006. Doing business in Poland is not easy - there is still a lot of government regulation and old-communist-style double talk. Neighboring countries like the Czech Republic and Albania that have gotten rid of the old regulation are growing even faster.

By comparison - the world's number 2 economic power, Japan, has a different story.

As usual, my friend Todd Walzer had some interesting insights about the Japanese economy - his company iLand6 specializes in sales and business development in Japan. Todd (aka Itzik) worked with me at Intel in the 90s and has been in Japan with his family for over 12 years and seen a lot.

Japan's population shrank to 127.76 million last year, and is projected to sink below 90 million by 2050. The reason is simple - the birthrate of 1.29 per woman's lifetime is far below replacement level.

With the longest life expectancy in the world, one would expect Japan's population to increase. But the low birthrate more than offsets it, and Japan doesn't have much stomach for immigration. It's mathematics. If you check how many people there are in each age group, the conclusion is that even if the birthrate jumps to 1.8, and even if immigration jumps from the current 1-2% of the population to Germany's level of 7%, the population will still fall under 100 million in 2050.

Tokyo University economics professor Akihiko Masutani published an interesting book called "Shrinking Population Economics: Lessons from Japan". His thesis goes like this: "Japan's government is stuck in post-war boom thinking, that the economy must grow via increases in mass-production capacity. This policy will be disastrous in a shrinking population phase, leading to over-investment and ballooning public debt.

However, if we re-align policy to emphasize consumption (e.g. by the aged), demand-driven economics, niche markets, and corporate profits rather than sales, the citizens can live well in a time of shrinking population and flat GNP."

Footnote - after a record low 1.26 birthrate in 2005, the 2006 rate increased to 1.295. Maybe it's turning the corner - but for now, I'm not buying real estate in Japan - but it may not be too late to acquire income properties in Krakow.

March 29, 2007

Intellectual property is not just algorithms

A surprising number of companies think that protecting intellectual property (IP) isn't a high priority. Biotechs say that once it's patented their IP is in the public domain; many telecom service providers don't think they have IP at all.

But stop for a moment.
IP is not just inventions and technology - it is also the way you make that viral vaccine and how you are building the merger with a competitor. In neither case is it patentable, but in both cases it may be critical to the survival of the company. The difference between a viral vaccine and a soup can be a few degrees at a particular stage of the recipe, and the difference between success and failure of the merger might be keeping certain details secret.

My experience with customers in extrusion prevention projects illustrates the value of knowing where and also how IP flows in and out of the network.

It's no longer about "data leakage" (I never liked that term anyhow) - it's about being able to see who is accessing a sensitive project file from home or who is sending commercial documents to a business partner using a private Web mail account. In other words - it's very much about what you are sending (the data), how you are sending or receiving (the channel) and who is doing the sending and receiving.
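To make the three axes above concrete (the data, the channel, and who is sending from where), here is an added example that is not code from the post or from any extrusion prevention product: a small rule engine run over a constructed egress log. The classification labels, web mail domains, partner domain and every log line are invented sample values.

```python
import csv
import io

# Assumed classification labels that count as IP (constructed taxonomy).
SENSITIVE = {"financial", "contract", "merger", "vaccine-process"}
# Assumed consumer web mail domains (constructed list).
PRIVATE_WEBMAIL = {"gmail.com", "hotmail.com", "yahoo.com"}
# Assumed sanctioned business-partner domains for corporate e-mail (constructed).
APPROVED_PARTNERS = {"partner.example"}

# Constructed sample egress log: one event per line (CSV with header).
SAMPLE_LOG = """\
ts,user,origin,channel,dest,classification,filename
2007-03-29T09:12,dana,office,smb,fileserver,contract,merger-term-sheet.doc
2007-03-29T21:40,dana,home,smb,fileserver,contract,merger-term-sheet.doc
2007-03-29T10:05,eli,office,smtp,partner.example,financial,q1-forecast.xls
2007-03-29T10:07,eli,office,webmail,gmail.com,financial,q1-forecast.xls
2007-03-29T10:30,eli,office,smtp,gmail.com,financial,q1-forecast.xls
2007-03-29T11:00,noa,office,http,intranet,public,lunch-menu.pdf
"""

def parse_log(text):
    """Parse the CSV egress log into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def classify(event):
    """Return (severity, reason) for one event, or None if it looks benign.
    Each rule combines the three axes: data, channel and actor/origin."""
    if event["classification"] not in SENSITIVE:
        return None                      # non-IP data: nothing to flag
    chan, dest, origin = event["channel"], event["dest"], event["origin"]
    if chan == "webmail" and dest in PRIVATE_WEBMAIL:
        return ("high", "sensitive document sent via private web mail")
    if chan == "smtp" and dest not in APPROVED_PARTNERS:
        return ("high", "sensitive document e-mailed to unapproved domain")
    if origin != "office":
        return ("medium", "sensitive file accessed from outside the office")
    return None                          # sensitive, but sanctioned channel and origin

def flag_events(text):
    """Run every event through classify(); return only the flagged ones, in log order."""
    findings = []
    for ev in parse_log(text):
        verdict = classify(ev)
        if verdict:
            findings.append({"user": ev["user"], "file": ev["filename"],
                             "severity": verdict[0], "reason": verdict[1]})
    return findings
```

Note that the corporate SMTP delivery to the approved partner is not flagged: the same document, sent by the same user, becomes a finding only when the channel or the origin changes.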

A recent survey by the Enterprise Strategy Group (ESG) found that one-third of enterprises surveyed acknowledge loss of sensitive data in the past 12 months, and another 11 percent were unsure if such a breach had occurred. Also, a new Ponemon study noted that nearly 60 percent of U.S.-based businesses and government agencies believe they are unable to effectively assess or quantify insider threat risks within their organizations, leaving them open to breaches of private data, failed audits, and potential fraud. More info can be found at:

Source
Insider threats

About March 2007

This page contains all entries posted to Israeli Software in March 2007. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License.