
May 2007 Archives

May 3, 2007

If Enron had been SOX-compliant.

I am thinking about writing an essay on euphemisms in the security industry.

A customer data breach is "I copied some DB extracts to a server in the DMZ using a Windows file share, just for a couple of days while we test."

ILP (Internet leakage prevention) sounds like "the threat of attackers exploiting vulnerabilities in production software can be mitigated by wrapping Teflon tape on server pipes."

AUP enforcement is "employees will not come to work dressed like Monica Bellucci on a movie set".

Today, we shall talk about "Compliance ROI" and the ineffectiveness of compliance checklists and compliance controls. The Institute of Management Accountants offers that compliance projects that use BPM can produce shareholder value and compliance ROI:

"...building assessment and assurance capabilities from the inside lead to improved ROI on compliance tasks and create value for shareholders...you can improve your compliance ROI...and be on the leading edge of new thinking in the area of Enterprise Risk."

Whew. Talk about overuse of euphemisms. This is why we have a problem.

An external regulatory body like ISO or Sarbanes-Oxley or PCI Data Security provides general guidelines and a checklist for compliance. They have absolutely no knowledge of your specific business situation, your corporate culture or how well you're already protecting your company's assets. Your auditors say you need to be SOX-compliant. You retain a compliance consultancy for an audit. They busload in a team who inform you that you need to spend $1M on risk management, network and application security products to be compliant with SOX. You get a 10kg report with the results of the risk assessment which no one reads. The next time you will do a risk assessment like that is in another 2 years; the company will be licking its wounds after a major merger, there will be new threats, new attackers and the LDAP vulnerability your auditor was so concerned about will still be unpatched.

What is wrong with checklists and controls?

  • They are qualitative - they do not provide financial numbers to the people who write checks to buy countermeasures but discuss risk in qualitative terms - high, medium, low.
  • They do not look at attackers - they use a risk-control model that can check off controls and grade risks without encouraging the organization to develop a deep understanding of where their serious threats and vulnerabilities lie. Maybe you are in a very, very competitive business, you do background checks on your employees, you host Linux servers at rackspace.com and you use thin clients to access the business applications. You have competitors who want to steal your IP - i.e. implementing the controls from a PCI-compliance checklist will be a waste of money even if KPMG told you to.
  • They do not require that you monitor and assess your performance in the field. Richard Bejtlich ("BATE lick") quotes me in his book on Extrusion Detection for my excellent series of articles on extrusion. I like Richard's football analogy in his blog posting Control-Compliant vs Field-Assessed Security.
    "Imagine a football (American-style) team that wants to measure their success during a particular season. Team management decides to measure the height and weight of each player. They time how fast the player runs the 40 yard dash. An outsider looks at the situation and says: 'Check the scoreboard! You're down 42-7 and you have a 1-6 record. You guys are losers!'"
In my opinion, this summarizes the mindset of most corporate information security and risk and compliance managers - and not just in the US Federal government. (Don't get me started on a threat analysis of Reagan Airport in DC). What should you do? Here are a few ideas:
  • Start with a risk assessment checklist like ISO 27001 but don't stop there.
  • Apply an attack-asset-vulnerability-control model. It's fairly easy to identify your assets (physical, digital, operational and intangible assets). The list of attackers to your business should not be rocket science. The tough part is identifying vulnerabilities; you will need to carefully work through the people, processes and systems of your organization - bottom-up - in order to do this. Download the PTA - threat analysis freeware tool.
  • Justify what you do with your money. You will find that is far easier to get $100k for a generator/UPS if the CFO realizes that every hour of electrical downtime costs $100k. This means putting a financial value on your assets and damage to assets by threats that exploit vulnerabilities.
  • Be effective. Don't implement all the controls on the checklist. Since the shopping list of controls is a lot bigger than your appetite and pocketbook - your CEO should tell the information security officer that she needs to reduce risk by 1/3 with 1/5th of the budget that the external auditors recommended.
A reasonable person would ask - "Would Sarbanes-Oxley regulation have mitigated the threat of fraud at Enron?" I think we can conclude that being SOX-compliant would not have stopped an Enron HR executive from stealing nearly $3 million from the company years after it went bankrupt.

May 4, 2007

Extrusion Detection revisited, part 1



I wrote my 4 part series of articles on Extrusion Prevention at Computerworld online back in mid 2004.

Since then I have seen the market evolve but the question is why isn't extrusion detection, ILP, DLP, CMF technology a must-have security product for preventing computer attacks?

Maybe it is easier to speak softly and carry a big stick. (I just loved this picture).


Prevent trusted insider theft

It is mid-2007 and I have extrusion detection systems in production at a dozen sites. Some trends are emerging that may help answer the above question (beyond my usual "security is fashion" rant).

Let's start with what the analysts say before analyzing data from the field.

I once suggested to my boss at the Rad-Bynet Group, Yehuda Zisapel, that we attend the annual Gartner IT conference in Tel Aviv. He humphed and said "You shouldn't need to ask Gartner, they should be asking you what works and what doesn't".

In 2002 Gartner Research is quoted as saying that nearly 75% of attacks occur at the application layer for enterprise organizations. By 2005, Gartner Research is quoted that 70% of all security incidents come from insiders. By late 2006, Gartner and numerous independent sources are confirming that most security breaches are due to bugs in production software. See the article from the Control Policy Group: operational risk of production software.

Well, like Yehuda told me, I don't need industry analysts to tell me that fundamental software bugs are at the heart of security vulnerabilities. The problem is that the cost of diagnosing and fixing software defects after release to manufacturing can be 100 times more expensive than during the first software coding and unit test cycle - and this is a very difficult problem to solve. With the sword of privacy compliance over your head it should be more effective to buy an extrusion prevention system from a company like Vontu or Fidelis Security Systems and prevent unauthorized transfer of digital assets without modifying production systems.

Here are some trends - with databases of over 2 million alerts it's pretty easy to see trends, but please bear with me; it will take me a week or two to analyze, classify and compile data in a reasonably structured format. The scope of data is based on network extrusion detection and does not include data theft by physical means or by removable devices such as a USB thumb drive.

  1. Channel for violations - mostly HTTP, insignificant number of events using SMTP

  2. Data theft by attacking web applications - there was a series of events in the sample data that shows use of Perl scripts that do dictionary password attacks and eventually succeed in downloading commercial data from Web pages. An application security assessment would help prevent this type of computer attack.

  3. Number of violations using HTTP POST that could have been prevented by proxy-based content monitoring and filtering devices - close to zero events. (Note that AJAX uses HTTP GET so this stat is not too surprising, but it needs further investigation.)

  4. Data theft by a trusted insider - close to zero events.

May 6, 2007

Do We Really Need a Security Industry?


If we could shift IT security spending to secure implementation we'd all be better off.

It would be great if Islamic terrorists could be reprogrammed by psychoanalysts and released as Islam 2007. Unfortunately, they are not nice people who come from dysfunctional families who abused their children and since they are maladjusted, all they need to do is to move to Seattle, work on environmental sustainability and use Windows Vista.


Response to Bruce Schneier's article at Wired.com:
"The primary reason the IT security industry exists is because IT products and services aren't naturally secure...If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure."

Schneier knows that security cannot be viewed only in terms of vulnerabilities of buggy software and insecure servers. As long as people have valuable assets that are attacked by competitors, criminals and terrorists, there will be a market for security countermeasures.

Information security is a major operational risk for most business today and that risk is the result of a complex interaction of threats to valuable assets, exploitable vulnerabilities and countermeasures.

The value of risk is a function of asset value, probability of threat, depth of damage and ability to apply mitigating countermeasures.

Asset Value x (Threat x Vulnerabilities) / Countermeasures

Using the PTA (Practical Threat Analysis) model it looks graphically like this:


Practical Threat Analysis Model
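The formula above, and the asset/threat/vulnerability/countermeasure model with dollar justification from the May 3 post, carried into a worked example. This is code added here, not code from the page or from PTA Technologies' tool. It assumes a constructed asset table, threats that each exploit one vulnerability, and countermeasures that remove a fraction of a vulnerability's exploitability; the countermeasure term is modelled as multiplying the residual exploitability rather than as the literal division in the formula, and the plan is ranked greedily by risk reduction per dollar (the ROSI discussion from later on this page) within a budget.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str            # key into the asset-value table
    vulnerability: str    # the vulnerability this threat exploits
    probability: float    # annual probability of the threat materialising (0..1)
    damage: float         # fraction of the asset value lost if it does (0..1)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float
    mitigation: dict      # vulnerability -> fraction of its exploitability removed (0..1)


def residual_factor(vulnerability, selected):
    """Exploitability left after the selected countermeasures are applied.
    Independent countermeasures on the same vulnerability multiply."""
    factor = 1.0
    for cm in selected:
        factor *= 1.0 - cm.mitigation.get(vulnerability, 0.0)
    return factor


def threat_risk(threat, assets, selected=()):
    """Asset value x threat probability x damage, scaled by residual vulnerability."""
    return (assets[threat.asset] * threat.probability * threat.damage
            * residual_factor(threat.vulnerability, selected))


def total_risk(threats, assets, selected=()):
    """Annualised risk in dollars across all threats."""
    return sum(threat_risk(t, assets, selected) for t in threats)


def plan(threats, assets, countermeasures, budget):
    """Greedy ROSI plan: repeatedly pick the affordable countermeasure with the
    best risk reduction per dollar, recomputing reductions against what is
    already selected, until nothing affordable reduces risk."""
    selected, remaining = [], budget
    candidates = list(countermeasures)
    while True:
        before = total_risk(threats, assets, selected)
        best, best_ratio = None, 0.0
        for cm in candidates:
            if cm.cost > remaining:
                continue
            reduction = before - total_risk(threats, assets, selected + [cm])
            ratio = reduction / cm.cost
            if ratio > best_ratio:
                best, best_ratio = cm, ratio
        if best is None:
            return selected
        selected.append(best)
        candidates.remove(best)
        remaining -= best.cost


# Constructed sample model (hypothetical values, not from any real assessment).
ASSETS = {"customer database": 2_000_000.0, "payroll server": 300_000.0}

THREATS = [
    Threat("SQL injection against web app", "customer database", "unvalidated input", 0.30, 0.50),
    Threat("dictionary attack on web login", "customer database", "weak passwords", 0.40, 0.20),
    Threat("power outage", "payroll server", "no UPS", 0.50, 0.10),
]

COUNTERMEASURES = [
    Countermeasure("software security assessment and bug fixing", 60_000, {"unvalidated input": 0.9}),
    Countermeasure("web application firewall", 150_000, {"unvalidated input": 0.5, "weak passwords": 0.3}),
    Countermeasure("generator/UPS", 100_000, {"no UPS": 0.95}),
    Countermeasure("account lockout and password policy", 10_000, {"weak passwords": 0.8}),
]

if __name__ == "__main__":
    chosen = plan(THREATS, ASSETS, COUNTERMEASURES, budget=100_000)
    print(f"risk before: ${total_risk(THREATS, ASSETS):,.0f}")
    for cm in chosen:
        print(f"  select: {cm.name} (${cm.cost:,.0f})")
    print(f"risk after:  ${total_risk(THREATS, ASSETS, chosen):,.0f}")
```

With these numbers the plan spends 70k of a 100k budget on the password policy and the security assessment and brings the annualised risk from 475k down to 77k; the 150k application firewall never makes the cut because the cheaper fix for the same vulnerability buys more risk reduction per dollar, which is the point of the "think it through before you buy an application firewall" advice below.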

Modern IT system complexity exacerbates the security problem.

Today's IT systems are orders of magnitude more complex than mainframe systems 30 years ago, and they are open on port 80 using a stateless protocol originally designed to serve up information pages.

15 years ago when Check Point introduced the first stateful inspection firewall, the operational concept of protecting a secure internal network from external threats made sense. That has now changed, primarily because of HTTP convergence. With all applications running on HTTP over port 80, the notion of a secure internal network is blown away once you open up port 80 to inbound and outbound traffic on your network.

What happens when you have a complex system of cache servers, SSL accelerators, load balancers, reverse proxy servers, transparent proxies, IDS/IPS and Web Application Firewalls? Oh yeah - and don't forget J2EE which introduces additional layers of unjustified complexity and vulnerabilities.

You cannot control the threats but you can implement effective countermeasures.

I share Schneier's messianic vision and I would put the onus on customers reminding them that - "if you're not part of the solution, you're part of the problem".

1. Choose countermeasures carefully - don't use a control-compliance checklist. Think it through before you buy an application firewall - it is probably cheaper to do a software security assessment of your online purchasing Web application and fix the bugs.

2. Don't be a security fashionista. Most companies apply inappropriate countermeasures because their purchasing decisions are a) based on the old operational security paradigm, b) there is a lot of keeping up with the Joneses and c) privacy and governance compliance drives firms to implement controls that are good for the regulator and not for the business.

When we apply inappropriate solutions to threats, our cost of attacks and ownership rises rapidly (good for Symantec and McAfee but not good for our shareholders).

3. KISS - Keep it simple.

Defense in depth is important but remember that increased complexity reduces security, and installing additional security products can lull managers into complacency. Here are some examples -

Companies that attempt to mitigate internal vulnerabilities with firewalls and proxies experience an inflation of firewall rules and endpoints that bypass the proxies. Adding more network security elements tends to increase the total system risk, as a result of the interaction between the elements. A zero-tolerance policy to surfing to porn sites may be cheaper and more effective than a complex URL filtering setup.

Endpoints can bypass proxies by specifying a gateway IP address, and transparent proxies on a Windows network are no assurance against unauthenticated user agents that bypass the entire proxy infrastructure. HTTP-aware firewalls such as Web application firewalls can be completely or partially bypassed in some cases. Transparent proxies can be compromised by techniques of HTTP response splitting since they rely on fine-grained mechanisms of matching strings in HTTP headers. Our practice with clients shows that on average 40% of all outbound traffic bypasses the proxy anyhow.

Firewall and proxy logs are generally never analyzed, and often lag hours behind an event. An IPS often relies on anomaly detection. Anomaly detection relies on network flow data, which is often reported at intervals of 15 to 45 minutes. With that kind of lag, an entire network can be brought down. Because anomaly detection is looking for an anomalous event rather than an attack, it is frequently plagued by time-consuming false positives. A proxy on the other hand relies on URL filtering and simple keyword matching that analyzes the HTTP header and URL string. By looking at content and ignoring the network, a proxy can suffer from high rates of false negatives, missing attacks.
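One way to put a number on the "40% of outbound traffic bypasses the proxy" observation is to actually read the firewall log that nobody analyzes. The script below is an added example, not code from the page or from any firewall vendor; it assumes a constructed, vendor-neutral log format (`time src dst dport action`), a 10.0.0.0/8 internal network and a single proxy at 10.0.0.5, and it reports which internal hosts are talking to external web ports directly instead of through the proxy.

```python
import ipaddress
from collections import Counter

# Assumed topology for this example.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY_HOSTS = {"10.0.0.5"}
WEB_PORTS = {80, 443}

# Constructed sample log, "<time> <src> <dst> <dport> <action>"; not any vendor's real format.
SAMPLE_LOG = """\
2007-05-06T09:01:12 10.0.0.5 203.0.113.10 80 ACCEPT
2007-05-06T09:01:13 10.0.0.5 203.0.113.11 443 ACCEPT
2007-05-06T09:01:20 10.1.4.22 198.51.100.7 80 ACCEPT
2007-05-06T09:02:01 10.1.4.22 198.51.100.8 443 ACCEPT
2007-05-06T09:02:05 10.1.9.3 10.0.0.5 3128 ACCEPT
2007-05-06T09:02:30 10.0.0.5 203.0.113.12 80 ACCEPT
2007-05-06T09:03:00 10.1.7.14 192.0.2.44 80 ACCEPT
2007-05-06T09:03:10 10.1.7.14 192.0.2.45 80 DROP
"""


def parse_line(line):
    """Split one log record into typed fields."""
    ts, src, dst, dport, action = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "action": action,
    }


def is_outbound_web(rec):
    """Accepted connection from inside to an external host on a web port."""
    return (rec["src"] in INTERNAL_NET
            and rec["dst"] not in INTERNAL_NET
            and rec["dport"] in WEB_PORTS
            and rec["action"] == "ACCEPT")


def proxy_bypass_report(log_text):
    """Count outbound web connections made by the proxy versus made directly
    by other internal hosts; every direct one is a host bypassing the proxy."""
    direct = Counter()
    via_proxy = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_outbound_web(rec):
            continue
        if str(rec["src"]) in PROXY_HOSTS:
            via_proxy += 1
        else:
            direct[str(rec["src"])] += 1
    total = via_proxy + sum(direct.values())
    return {
        "via_proxy": via_proxy,
        "direct": dict(direct),
        "bypass_ratio": sum(direct.values()) / total if total else 0.0,
    }


if __name__ == "__main__":
    report = proxy_bypass_report(SAMPLE_LOG)
    print(f"via proxy: {report['via_proxy']}, bypass ratio: {report['bypass_ratio']:.0%}")
    for host, n in sorted(report["direct"].items(), key=lambda kv: -kv[1]):
        print(f"  {host} went direct {n} time(s)")
```

On the sample, half of the accepted outbound web connections came from hosts other than the proxy. The fix is not a more elaborate proxy: if the egress rule only allowed the proxy host to reach external ports 80 and 443, every one of those direct connections would show up as a DROP, which is both simpler and easier to read off the log.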


Invest less in IT Security products and more in monitoring and proactive bug fixing in your own applications. Use extrusion detection methods in order to monitor your network and identify vulnerabilities.

May 7, 2007

Web 2.0, Secure IT applications

It was really hot in Israel today and I continued to sweat Schneier's vision of not needing a security industry. He likes embedding security technologies in services sold by large IT outsourcing companies like BT, EDS and IBM, or ISPs like EarthLink and Comcast.
Schneier's security in the cloud argument is inconsistent here - because his primary claim is that IT systems need to be more secure, not that the best place for a firewall is in the cloud. The best solution is not needing a firewall. For example - when we install servers in a DMZ, they are hardened: all unnecessary services are turned off, we do fanatical patch and user permissions management. We don't bother with a firewall once we do that.

A colleague was complaining to me recently that Microsoft is putting roadblocks in the way of kernel level developers in order to prevent them from working inside the operating system. The good news is that he now charges his customers even higher prices for the work since there are only 2 or 3 development groups in the world outside Microsoft that write reliable kernel code for Windows and his group is one of the 3.

His prophecy is that this jealous and closed behavior by Microsoft will be their downfall.

"Google will release an operating system, all applications will be available as Web 2.0 applications and we will be freed from the tyranny of Wintel" according to my buddy.

Organizations have valuable digital assets that are at risk from a trusted insider and computer attacks. The question has always been - what are the best countermeasures to mitigate the vulnerabilities of Windows XP and buggy applications?

The answer is not to put IT security in the cloud. The answer is to supply IT services just like any other utility. If you turn the water faucet, you get your water without considering the entire infrastructure behind it. With on-demand IT services - the service provider can concentrate on building the security into the application and maintaining and continuously mitigating vulnerabilities and threats.

There is now a massive development movement of Web 2.0 applications. I'm looking at Office 2.0 Database and I am seeing a huge array of applications from Word processing to database management to Web-based operating systems. See - Glide Digital - Anytime, anywhere access to all your digital stuff. None of this great innovation is coming from large IT outsourcing companies like BT, EDS and IBM, or ISPs like EarthLink and Comcast.

Scott McNealy's dream of a thin PC may finally come true - a very lean PC running a minimalistic version of Debian - just a browser really - and you sign up for services - word processing, CRM, database management - you name it - it's out there and it's available today. Some of the applications are extremely slick and sophisticated (like Salesforce.com or Dabble) and others are weak - but the direction is clear.

Put secure IT applications in the cloud - don't put IT security in the cloud.

May 8, 2007

Security in the living room, IBM & Cisco Team for IPTV

A consulting client asked me back in 2005 if they could make a dent in the IPTV market by integrating commodity PCs and WiFi routers in the living room - I liked the idea but I told them they didn't have the financing to pull it off. They were right in market direction - it is going to be a hot summer for IPTV.

A recent news item describes how the battle to win IPTV deals in EMEA (Europe, Middle East, and Africa) with smaller service providers is getting red hot as IBM and Cisco have joined forces to challenge the region's incumbents, Alcatel-Lucent and Nokia Siemens Networks.

IBM sees a 1BN Euro market for IPTV to Tier 2 and Tier 3 operators and has pulled together a soup-to-nuts package of technology, support, security, integration and financing with Cisco as the main sub-contractor.

Cisco also sees a huge opportunity in video. No wonder, since last year they paid $6.9 billion to acquire cable set-top box maker Scientific-Atlanta Inc. Sales at Scientific-Atlanta increased 85 percent to $752 million in 2006 versus 10-15 percent growth in Cisco core business. "It's video, video and more video," said Kevin Landis, chief investment officer of San Jose-based Firsthand Capital Management, which oversees $750 million including Cisco shares.

Cisco will be providing IBM with their Content Delivery System for video on demand; edge security products; and Linksys home gateways.

However - what intrigues me is how IBM plans to do the risk assessment and ensure the security of such a complex system - designed and integrated by IBM with so many sub-contractors and vendors. Who will do the threat analysis and choose the most effective countermeasures to mitigate the risk of customer data theft and the threat to system availability with so many interfaces and so much system integration? IBM was not available with an answer to that question when I asked an IGS manager.

Perhaps the answer is not the mushroom theory of management but KISS (keep it simple stupid).

A colleague of mine is working on an extremely interesting IPTV project in a third-world country that basically takes the attitude that the set-top box in the living room is really a computer running Linux and the upstream content distribution is commodity Intel servers running Linux.

This is potentially a much simpler and more secure architecture, and much cheaper than gluing together a bunch of systems.

Read more here about how Your TV, Internet and PC meet in the living room

May 9, 2007

Symantec and McAfee-part of the problem, not part of the solution


I just saw a white paper from Symantec entitled "IT Risk Management: An Essential Strategy for Business Success".

This is a transparent me-too play after a series of announcements several months ago from McAfee that they are entering the risk assessment services business.

I have serious problems with clueless vendors of proprietary closed-source software like Symantec and McAfee providing security consulting and risk assessment services.

A famous quote says that "if you're not part of the solution, you're part of the problem". I prefer the version from American stand-up comedian George Carlin - "If you think there's a solution, you're part of the problem". Coming from one of the worst anti-virus vendors in the business, Symantec is firmly in the middle of the problems that they created with their own mediocre software and now with their pretentious white papers pitching snake oil security solutions for IT risk management.

Symantec and McAfee have vested interests in selling their own products. Why would anyone buy consulting from a consultant with such a conflict of interest? I dare Symantec to put in writing that they would produce a risk mitigation plan that recommends FOSS (free open source) security countermeasures such as Clam AV. Clam AntiVirus is an excellent open source (GPL) anti-virus toolkit for Linux, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. Open Solutions has Clam AV running at a production customer scanning 50,000 messages / day with no false positives or false negatives and zero downtime, zero maintenance and zero cost. It cost our customer less consulting time to set it up than for a proprietary closed source security product from Symantec.

Symantec are ignoramuses in the threat and risk analysis business. Their white paper is filled with gems like this: "IT Risk Management involves two complementary components: security and availability. Information is worthless, and can even be a liability, if it's not secure. Secure information is useless if it can't be efficiently stored and readily accessed." Gee - what happened to the three tenets of security - confidentiality, integrity and availability? I guess Symantec were playing hooky from school the day the teacher gave that class, or maybe they don't have products for protecting data integrity and preventing data theft. And who says that non-efficient storage makes information worthless? Poor Symantec are clueless - because they don't understand that information assets need to be valued - the valuable assets have intrinsic value and maybe they are stored on a piece of paper in a safe-deposit box (for example a contract with an investor committing to put in his money). Trivial assets can be stored on offline storage. In other words - the 3 security components of confidentiality, integrity and availability are all direct functions of the asset value.

Would you hire these jokers for a risk assessment at your firm?

If you want the real thing for practical threat analysis of your IT risks (not marketing bullshit), I suggest you get yourself a free download of PTA Professional from PTA Technologies. If you're seeking certification and/or a risk assessment to the ISO 27001 standard there is a free download of the PTA ISO 27001 library here: Automating ISO 27001 Implementations

May 10, 2007

Supply-chain security

I bashed managed security services recently as a worse alternative than making your infrastructure secure. Once again, it proves I'm swimming against the stream.

It seems that trends in the supply-chain are driving managed security services sales.

According to a report published on Light Reading, small to medium-sized enterprises are picking up managed security services rapidly. When MSS started out a few years ago, a typical customer was a large company with global security requirements or a small financial institution with billions of dollars in assets to protect.

Despite massive media coverage of high-profile data security breaches - it seems to me that growing awareness in the SME of network security vulnerabilities is not being converted into sales of managed services. Traditionally, the SME market is handled by boutique security integrators who provide mainstream firewall, anti-virus and spam-filtering solutions. This is borne out both by our experience with SME customers at Open Solutions and by a conversation I had recently with the marketing director of one of France's largest security product distributors, who confirmed that SMEs are still firmly entrenched in the firewall/anti-virus mindset.

I believe there are two reasons for increased SME awareness of the importance of risk assessment, practical threat analysis and risk mitigation:

1) It's a fashion trend - if the big guys are doing it, if it's good for CRM and salesforce.com and if SaaS (software as a service) is red-hot then why not get some security in the cloud.

2) The more substantial reason is what I'm calling the supply-chain effect of compliance. If a big customer needs to be PCI compliant or FISMA compliant then their suppliers need to be compliant as well. This is a much more challenging task for an SME and since compliance risk assessments are not in the core expertise of their local security integrator they are often best served by a managed security service.

Read more here about managing risk in the supply chain:
Managing the Trade-offs of Low Cost and High Risk

May 13, 2007

Mothers Day Spam

Jewish mothers are known for laying guilt on husband and children. Years ago, I concluded that this is not related to how religious they are, (Reform, Conservative or strictly Orthodox), or being ethnically Jewish (a good friend of ours is Catholic and she does the Jewish mother guilt thing real well).

Sunday, May 13 is Mothers Day in the US (in Israel it's called Family Day - because we are a progressive country).

There has been a spike in Mother's Day-related spam, pushing flowers, chocolate, fruit baskets, etc., to guys who either forgot, or couldn't decide what to get their Mom. Some of these mails are harmless, or plain stupid sales pitches, but some messages will be carrying malware attachments or attached links to phishing attacks for identity theft and credit-card harvesting. The law of large numbers works here - so if they distribute 50 million messages and 1 out of 10,000 bite - they have a nice catch of 5,000 credit cards and personal data.

Let's ask all the spammers out there that are writing and distributing Mothers Day spam - don't you guys have mothers? If you did - you can be sure she would be ashamed of what you guys are doing.

As usual - practice safe email - "don't buy and do not reply" to any unsolicited commercial email.

Oh yeah - and ask yourself whether your mom would approve.

May 14, 2007

Extrusion Prevention Three years after

Well, I'm still behind schedule on my data reduction work but I hope to have a preliminary version of the paper - "Extrusion Prevention - Three Years After" by the end of this week. Today, I wanted to write the introduction and set the background for the results from the trenches of battling data theft.

Introduction

Three years after my series of articles in Computerworld Online on the topic of extrusion prevention, we are seeing customers doing great things with some of these products, primarily as a means of improving their understanding of the root cause of risk (threats exploiting vulnerabilities in order to cause damage to data assets) and plugging the holes of vulnerability in their people, processes and systems.

The market for extrusion prevention products has turned into an important security product niche but has not become mainstream and the question is why? I believe the answer lies not with the technology but with the security model that the products employ.

Vendors like McAfee (who acquired the Israeli startup Onigma a few months ago), Vontu, Verdasys, Fidelis Security, Code Green, Vericept, GTB and Oakley tend to use marketing terminology for what they do: ILP (Internet Leakage Prevention), DLP (Data Leakage Prevention), CMF (content monitoring and filtering), EPS (Extrusion Prevention Systems) or Extrusion Detection. We will use the general term extrusion prevention to describe both gateway, network-security products such as Fidelis Security Systems XPS and end point products such as Onigma.

The extrusion prevention product vendors employ a traditional operational network security model in order to ensure confidentiality of data. In an operational security model, one assumes that the inside of the network is trusted (or the employee endpoint PC is trusted if you're an endpoint product like McAfee). Extrusion prevention vendors assume that confidentiality can be ensured by monitoring and preventing unauthorized movement of data from inside the trusted area to an untrusted area. This model and its assumptions are flawed.

1. Since all applications have converged to HTTP, and since almost all organizations open up HTTP on port 80, the notion of a trusted internal network is totally incorrect.
Regarding end-point workstations being secure, the assumption is probably somewhat better, although some estimates say that up to a quarter of all PCs are zombie computers.

As we will soon see, we need to examine all vulnerabilities including people (who are the number one vulnerability for any organization). Note that technical network security countermeasures may be of limited utility when it comes to mitigating the risk due to people.

2. While network connectivity provides the transport for attackers to the scene of the crime (so to speak), vulnerabilities in operating system and application software are exploited by an attacker to cause damage to assets once he arrives at the scene.

Our own studies show that on a conservative estimate at least half of all data security breaches are caused by outsiders (or insiders working in collusion with criminal outsiders) that exploited vulnerabilities in software to obtain data. None of the cases of data breach we are familiar with were caused by worm attacks such as Zotob that ran through Windows 2000 networks two years ago. Two Moroccan hackers were jailed for creating and distributing the Zotob worm. The worm code was used to hijack vulnerable Windows 2000 computers and create botnets for email spam for profit.

3. Extrusion prevention products operate in isolation from the other 2 tenets of information security - integrity and availability. They presume to provide a silver bullet to the confidentiality requirement; however their effectiveness needs to be measured as part of the overall risk mitigation plan of an organization.

Information security is increasingly a major operational risk for a business but the multitude, complexity and cost of IT security products create a dilemma for an IT manager - what countermeasures should be selected and implemented?

Information security cannot increase your organization's revenues, but when managed judiciously, a business can reduce its expenses on security controls while reducing risk.

Since extrusion prevention products provide a novel, yet partial countermeasure, IT management needs to be able to justify the contribution of this countermeasure to overall system risk reduction.

The best way to reduce risk effectively is to conduct the discussion with management in dollar terms. In our experience practical threat analysis supports a ROSI (return on security investment) discussion by recommending prioritized, cost-effective risk mitigation plans. The PTA calculative method is today's default standard for threat analysis with over 6,000 downloads worldwide and dozens of references in academic and government agency papers.

May 16, 2007

Is blogging from work a threat or a vulnerability?

Let us get this straight, even if it appears on CSI Miami, blogging at work is a vulnerability, not a threat.
Gary Min, also known as Yonggang Min, is a former senior chemist for DuPont who faces up to a decade in prison and a $250,000 fine after pleading guilty to stealing trade secrets in November 2006.

OK - another trusted insider who stole data; not nice, but I'm sure if we dig deeper we will find a disgruntled employee, no security procedures in place for protecting sensitive digital assets, no monitoring of outgoing data using extrusion detection technology and no awareness training. Big deal - DuPont is making the same mistakes as everyone else.

But - what irks me is when so-called security consultants take a case like this and try to hype it to their purposes.

Don Ulsch, technology risk management director in the Boston office of Jefferson Wells has made a big deal about blogs being a bad thing - he used the DuPont data theft case as a way to illustrate his point - even though it has nothing to do with blogging.

He noted there are approximately 100 million blogs; many of them are used by organized criminal outfits to push gambling and pornography. When an employee does personal blogging on a company machine and corporate email account, blog databases are able to suck in a wealth of email data. He said (and I quote) "Digital miscreants can then use sophisticated data mining software to scan the blogs for proprietary information that may be sitting in some of those stored messages."

I guess he saw the same episode of CSI Miami that we did, where the perky receptionist was blogging about office relationships and insider trading using an infrared keyboard and a Pocket PC in her pocketbook under the desk. Plausible but hardly the rule.

Blogging from the office is a vulnerability that is easily mitigated with some practical threat analysis and security best practices:

1. Make a policy and tell your employees that it is not allowed. Period. They can blog on their own time.
2. Install an extrusion detection system like Fidelis XPS and track blog URLs and sensitive keywords; once you have that figured out, you can start monitoring sensitive data assets and picking up employees that are posting large files.
3. Understand that blogging is not an isolated security vulnerability - you should download the free Practical Threat Analysis tool and start modeling what's happening in your office.
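The second step above, tracking blog destinations, sensitive keywords and large uploads, can be prototyped before buying anything. The following is an added example, not code from this post and not Fidelis XPS logic: it scans constructed proxy log lines (the log format, the blog host list, the keyword list and the byte thresholds are all assumptions) and reports, per employee, why their traffic tripped the policy. Note that the upload to the intranet host in the sample is deliberately ignored, because the policy scopes to blog hosts, not to every large POST.

```python
"""Egress monitor for office blogging: constructed example, not Fidelis XPS
or any product's logic. Flags POSTs to known blog hosts, sensitive keywords in
the posted body, single large uploads and per-user upload volume."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log format (an assumption, not a real product's format):
#   user src_ip METHOD url status bytes_sent ["body excerpt"]
LOG_RE = re.compile(
    r'^(?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+)(?: "(?P<body>[^"]*)")?$'
)

# Policy inputs; hostnames and keywords are placeholders.
BLOG_HOSTS = {"blogger.example", "wordpress.example", "livejournal.example"}
SENSITIVE_KEYWORDS = ("confidential", "customer list", "project falcon")
LARGE_POST_BYTES = 500_000        # one POST this big counts as "posting a large file"
USER_VOLUME_LIMIT = 1_000_000     # total bytes one user may upload to blogs per log window

SAMPLE_LOG = """\
alice 10.1.2.3 GET http://news.example/index.html 200 0
alice 10.1.2.3 POST http://blogger.example/post.php 200 2048 "weekend hiking photos"
bob 10.1.2.4 POST http://wordpress.example/wp-admin/post.php 200 620000 "q2 customer list attached"
carol 10.1.2.5 POST http://wordpress.example/wp-admin/post.php 200 400000 "draft"
carol 10.1.2.5 POST http://wordpress.example/wp-admin/post.php 200 700000 "draft part 2"
dave 10.1.2.6 POST http://intranet.example/upload 200 900000 "confidential budget"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    rec["body"] = (rec["body"] or "").lower()
    return rec


def is_blog_upload(rec):
    """Only outbound POSTs to listed blog hosts are in scope for the policy."""
    return rec["method"] == "POST" and rec["host"] in BLOG_HOSTS


def analyze(log_text):
    """Return {user: sorted list of reasons} for every user who tripped the policy."""
    reasons = defaultdict(set)
    volume = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_blog_upload(rec):
            continue
        user = rec["user"]
        reasons[user].add("blog-post")                 # step 1: policy says no blogging
        if rec["bytes"] >= LARGE_POST_BYTES:
            reasons[user].add("large-post")            # step 2: large single upload
        for kw in SENSITIVE_KEYWORDS:
            if kw in rec["body"]:
                reasons[user].add(f"keyword:{kw}")     # step 2: sensitive keyword
        volume[user] += rec["bytes"]
        if volume[user] >= USER_VOLUME_LIMIT:
            reasons[user].add("volume")                # several medium posts add up
    return {user: sorted(r) for user, r in reasons.items()}


if __name__ == "__main__":
    for user, why in analyze(SAMPLE_LOG).items():
        print(user, ", ".join(why))
```

The per-user volume counter is what catches the employee who never posts one "large file" but trickles a data set out over many medium-sized posts, which a single-request size threshold misses.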

May 21, 2007

PCI Data Security, be all you can be

With Q3 deadlines looming for PCI Compliance, Visa is launching an education campaign to address the more than 60% of merchants that fail to meet the PCI Data Security Standards. Visa is also offering a cash awards program for compliance.

The US Army once ran a recruiting campaign - "Be all you can be"

PCI Data Security is now looking like it's "Do less than we want".

First Data Corp, the giant credit card processor is calling for an overhaul to eliminate subjectivity in the PCI Data Security standard and ease restrictions to get more merchants to meet the standard.

If VISA and MC lower the bar again after two years of sitting on the fence, then what kind of credibility do they have? With all their resources (and considering the relatively simple, best-practice nature of the PCI checklist), it is hard to understand why First Data's CISO, Phil Mellinger, is willing for merchants to do less - when in fact logic dictates that merchants should improve security in a cost-effective manner in order to help First Data be compliant with PCI DSS 1.1. There is, after all, a supply chain of security at work here.

You need to read between the lines when a professional CISO like Phil Mellinger pushes for a security standard to be less subjective and easier to implement. After reading Phil's comments online recently, I downloaded the latest version of the standard and took a critical look; you can download the standard here: PCI Data Security Spec 1.1

PCI DSS shows its age (the long-winded explanation of what a firewall is, and the requirement for stateful inspection) and its often vague requirements (banning INTERNAL network addresses from coming from the INTERNET to the DMZ?? I need some explanation on that, because it's not clear how a service in the DMZ can have a session where the src IP is NAT'd and it's coming from the public Internet... unless the company has a private VPN, in which case I'm not sure what the vulnerability is exactly ;-)
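The requirement puzzled over above (internal addresses must not arrive from the Internet side into the DMZ) is generally read as an ingress anti-spoofing filter: a packet on the Internet-facing interface whose source claims to be an RFC 1918 address cannot be legitimate, because those addresses are not routed on the public Internet, so such a packet is either forged to look like a trusted host or badly misrouted. VPN traffic does not collide with the rule because it arrives encapsulated from a public source address and only shows its internal source after decapsulation, on a tunnel interface. The following is an added example, not from the post and not the PCI standard's text: a small filter that applies that logic to constructed packet records. The interface names, the DMZ block and the sample addresses are assumptions.

```python
"""Ingress anti-spoofing check for the Internet-facing interface: constructed
example, not a vendor's firewall rule syntax. Interface names and address
blocks are assumptions."""
import ipaddress
from dataclasses import dataclass

# Addresses that are never valid as a *source* on the outside interface:
# RFC 1918 private ranges and loopback. They are not routed on the Internet,
# so a packet claiming one of them has been forged or misrouted.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Placeholder public DMZ block (TEST-NET-3, reserved for documentation).
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str   # "outside" (Internet-facing), "vpn0" (decapsulated tunnel) or "inside"
    src: str
    dst: str


def verdict(pkt):
    """Return the filter decision for one packet as a short string."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface == "outside":
        if any(src in net for net in NEVER_FROM_OUTSIDE):
            return "DROP spoofed-internal-source"
        if dst not in DMZ_NET:
            # Inbound Internet traffic may only terminate in the DMZ.
            return "DROP inbound-not-to-dmz"
        return "ACCEPT"
    if pkt.iface == "vpn0":
        # Remote traffic arrives on "outside" encapsulated from a public source
        # address, passes the rule above, and only after decapsulation shows
        # its internal source address here, so the two rules do not collide.
        return "ACCEPT vpn"
    return "ACCEPT"


def filter_packets(packets):
    """Apply verdict() to a batch and return (src, dst, decision) triples."""
    return [(p.src, p.dst, verdict(p)) for p in packets]


SAMPLE_PACKETS = (  # constructed
    Packet("outside", "10.1.1.5", "203.0.113.10"),      # forged internal source
    Packet("outside", "198.51.100.7", "203.0.113.10"),  # normal Internet client to DMZ
    Packet("outside", "198.51.100.7", "10.0.0.5"),      # Internet client aiming at the LAN
    Packet("vpn0", "10.8.0.2", "10.0.0.5"),             # decapsulated VPN traffic
)

if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(*row)
```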

PCI DSS also uses technically incorrect language at times. For example, the section called "5.0 Vulnerability Management" seems to say that vulnerability management is about anti-virus software, and it confuses threats with vulnerabilities, since it implies that vulnerabilities (and not attackers) enter a network:

Many vulnerabilities ...enter the network via employees’ e-mail activities. Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software.

How is a merchant supposed to perform an effective security risk assessment when the standard itself doesn't comply with the latest in security best practices?

I think that one way to nudge merchants into compliance is by showing them how PCI DSS can add business value by reducing risk. Sure - an awards program is great - but helping them reduce their ongoing security costs is a heck of a lot better.

Any bank or card processor knows that processing cards is an ongoing exercise in risk management - yet Visa and MC have ignored their own core business and turned information security into a checklist compliance thing.

PCI DSS is about mitigating the risk of unauthorized disclosure of credit card numbers (on the assumption that once disclosed they can be used for fraudulent transactions) and PII (on the assumption that with a name, SSN and DOB a bad guy can steal an identity).

The problem is that the PCI DSS is an all or nothing list of controls:

A merchant has no way of calculating his risk profile in PCI.
He has no tool for knowing if implementing the controls will reduce the damage to his assets (business reputation, customer list, charge backs from the bank if he leaks data etc) because:

a) the standard has no notion of assets
b) the standard has no notion of threats
c) the standard has only an implied notion of vulnerabilities
d) the standard has no agreed upon standard to calculate the risk exposure of a merchant or processor in terms of assets, threats and vulnerabilities.
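Both the ROSI discussion earlier on this page (conducting the risk conversation with management in dollar terms and prioritizing cost-effective mitigation) and the four missing pieces listed above (assets, threats, vulnerabilities and an agreed exposure calculation) can be made concrete with a small quantitative model. This is an added example; it is not the PTA tool's calculative method and not anything PCI DSS defines. The asset values, threat probabilities, damage fractions and countermeasure costs are constructed placeholders for a fictional merchant, and the rule that only the largest mitigation applies to a threat with several vulnerabilities is an assumption of this toy model.

```python
"""Toy quantitative risk model for a fictional merchant: assets carry dollar
values, threats exploit named vulnerabilities with an annual probability and a
damage fraction, countermeasures buy down probability at a cost. Constructed
example; not the PTA calculative method and not anything PCI DSS defines."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    value: float              # dollars at risk (fines, chargebacks, reputation ...)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    annual_probability: float # chance of at least one occurrence per year
    damage_fraction: float    # share of the asset's value lost per occurrence
    vulnerabilities: tuple    # vulnerability names this threat relies on


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    mitigates: dict           # vulnerability -> fraction of threat probability removed


def ale(threat, assets):
    """Annualized loss expectancy: probability x single-loss expectancy."""
    return threat.annual_probability * threat.damage_fraction * assets[threat.asset].value


def exposure(threats, assets):
    """Total expected annual loss across all modelled threats."""
    return sum(ale(t, assets) for t in threats)


def residual_threats(threats, cm):
    """Threat list after applying one countermeasure. Assumption: when a
    countermeasure closes several of a threat's vulnerabilities, the largest
    single reduction applies (reductions are not compounded)."""
    out = []
    for t in threats:
        reduction = max((cm.mitigates.get(v, 0.0) for v in t.vulnerabilities), default=0.0)
        out.append(replace(t, annual_probability=t.annual_probability * (1.0 - reduction)))
    return out


def rosi(threats, assets, cm):
    """Return on security investment: (risk reduction - cost) / cost."""
    reduction = exposure(threats, assets) - exposure(residual_threats(threats, cm), assets)
    return (reduction - cm.annual_cost) / cm.annual_cost


def prioritize(threats, assets, countermeasures):
    """Countermeasures ordered by ROSI, best first; a negative ROSI means the
    control costs more per year than the risk it removes."""
    return sorted(countermeasures, key=lambda c: rosi(threats, assets, c), reverse=True)


# Constructed placeholder data for a fictional merchant.
ASSETS = {a.name: a for a in (
    Asset("cardholder_db", 2_000_000.0),
    Asset("customer_list", 500_000.0),
)}
THREATS = (
    Threat("web attack via unvalidated input", "cardholder_db", 0.30, 0.50, ("unvalidated input",)),
    Threat("insider copies db extract", "cardholder_db", 0.10, 0.40,
           ("no egress monitoring", "weak access control")),
    Threat("laptop theft", "customer_list", 0.20, 0.30, ("unencrypted laptops",)),
)
COUNTERMEASURES = (
    Countermeasure("input validation review", 60_000.0, {"unvalidated input": 0.8}),
    Countermeasure("extrusion detection", 40_000.0, {"no egress monitoring": 0.6}),
    Countermeasure("laptop encryption", 10_000.0, {"unencrypted laptops": 0.9}),
    # A checklist item that closes no modelled threat; it ranks last on ROSI.
    Countermeasure("anti-virus everywhere", 15_000.0, {"email malware": 0.7}),
)

if __name__ == "__main__":
    print(f"current exposure: ${exposure(THREATS, ASSETS):,.0f}/year")
    for cm in prioritize(THREATS, ASSETS, COUNTERMEASURES):
        print(f"{cm.name:26s} ROSI {rosi(THREATS, ASSETS, cm):+.2f}")
```

The point of the ranking is the contrast with an all-or-nothing checklist: the cheapest control (laptop encryption) outranks the more expensive extrusion detection on this data, and a control that addresses no threat this merchant actually faces shows up with a negative return instead of being mandated regardless.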

May 24, 2007

PCI Data Security, Point of Order

Last week, I learned a new card game - Mao

Since it is forbidden to say Mao's rules, new players are often told only "the only rule you may be told is this one." As such, the rules of the game are discovered by playing or watching the game.

The game of PCI DSS compliance seems a lot like Mao.

My wife (who is an accomplished card player) told me that I am clueless and pathetic to get so excited over such a stupid card game like Mao. (I confess - I haven't played cards since I was 13 and played pinochle with my Dad by the pool in Boulder, CO over a long summer vacation when he was taking a course at the Bureau of Standards. My 3 younger sisters and I had a great time by the pool - I learned pinochle and he learned about atomic clock synchronization.)

So, not knowing the rules and not wanting to spend too much time watching the game, I called up a contact at Israel Credit Cards (one of the three Visa issuers and payment processors in Israel). My contact - Yoni Roth was gracious enough to take my call and listen to my questions. I asked Yoni three questions before he kicked me off the line:

1) Isn't the PCI DSS a checklist of controls? (yes)
2) Does PCI DSS relate to threats, vulnerabilities and countermeasures as an exercise in threat mitigation? (no)
3) I then asked Yoni - wouldn't there be value in using practical threat analysis in order to model the threats to a merchant's data assets and mitigate the risk in a prioritized, cost-effective way? (no)

At this point, he started getting a little impatient with me. Look Danny - I understand what you are trying to say - but there is no value in threat analysis for a merchant in PCI compliance because:

a) The small merchants don't need PCI
b) The big merchants are being held captive by the card processors and have to be 100% compliant
c) The medium sized merchants have Qualified Security Assessors (QSAs) to help them be compliant. The QSAs have paid the PCI consortium 5,000 dollars, attended a course and taken a test and now have the franchise to assess and approve PCI compliance.

It's an all or nothing deal.

When I pressed and said - yes but, isn't there value for a QSA consultant to do a practical threat analysis and propose a cost-effective mitigation plan to his merchant client? Yoni said - Danny, you got your 60s - now go away and let me get some work done. Have a nice life.

Guess I gotta observe the game a little more or just take a no for an answer.

Sometimes, that is the best strategy in a card game - know when you're beaten.

May 27, 2007

Why firewalls are not enough

Consider that vulnerabilities were discovered in 98% of over 1000 applications by automated AppScan vulnerability assessments. The organizations involved all had firewalls and encryption solutions.
Source: Curtis Coleman, Director, Global IT Governance at Seagate, OWASP Foundation 2004.

- 3 out of 4 business websites are vulnerable to attack
- 75% of hacks occur at application level

Source: Gartner Research.

A neighbor of ours (who is CFO for an Israeli tech company) asked me last week, what I do for a living, and I replied with my stock answer that I help companies protect loss of valuable digital assets and customer data. His reply was - so you install firewalls?

Your applications count, not your firewall

Mid 2007 and information security is still equated with firewalls by senior managers. Up to about 3 years ago, a majority of security breaches occurred at the network layer; today, however, a browser (or the HTTP user agent in a spam-bot) is enough to exploit vulnerabilities in application code. Attackers can enter the network on port 80 and launch attacks from inside in order to access and/or damage corporate digital assets and customer data.

Firewalls are ineffective since they assume a trusted internal network and trusted applications but since almost every application today operates on the HTTP / port 80 channel, the notion of a trusted core loses all its meaning.

HTTP and port 80 is a highly effective channel of attack for threats that exploit application vulnerabilities.

Applications are vulnerable for a large number of reasons, chief among them developers' lack of awareness of secure development and inappropriate testing tools in the SDLC (software development life cycle). Tools for QA testing of new code are not designed to detect security defects in applications, and when exploited, software security defects can destroy company value and customer trust.

Don't rely on outbound filtering

1. Employees can use IM and Web mail to send out just about any data they want.

2. Malicious software can exploit trusted applications to access or damage data. For example, if your firewall allows Web client/server applications such as MS Internet Explorer to transmit and receive data over HTTP on port 80, and that application allows other applications (or users) to control its actions, then outbound filtering is worthless. The added protection provided by outbound filtering is an illusion that seduces you into a false sense of security.

Three years ago Bob Sundling from Zensoft wrote an insanely simple program. To demonstrate how outbound filtering is a joke, Bob provides a small executable file (3KB), along with its C++ source code.
In this example, if Internet Explorer is a "trusted" application by your firewall, then you are implicitly trusting every other software application on your PC.

Don't rely on deep packet inspection


Deep inspection firewalls are not an effective solution because they cannot effectively identify data assets and prevent extrusion.

Netscreen (now Juniper Networks) has one of those. I was unable to get a spec off their Web site that explains exactly what it really does beyond general marketing collateral, but even the marketing gurus disclose a major shortcoming of the NetScreen Deep Inspection Firewalls. Juniper explains that their deep inspection firewall reassembles packets into sessions, looking for protocol anomalies and application-level intrusion attacks based on pattern matching.

Customers tell me that using an IPS for extrusion prevention sort of seemed like a good idea at first; but the inflation of rules, the difficulty of intercepting and analyzing complex content like Microsoft Office and weakness of a typical IPS to manage events and provide advanced forensics - renders an IPS (and certainly a deep inspection firewall) fairly useless for extrusion prevention.


What should you do?

  • Don't listen to the security product vendors
  • Do your own risk assessment with practical threat analysis to evaluate the financial impact of application vulnerabilities and threats to your firm's assets. Don't wait to hire consultants and get a thick report. We live in times of just-in-time exploits and you can get bitten while you're sitting with the consultant.
  • Start monitoring outbound traffic - look at what files are leaving the network. In projects with clients, we always implement real-time network audit technology at the network perimeter. Clients find this a highly effective approach since they can identify digital assets (not applications) that are flowing out of the network. For example, if a PC became infected with custom spyware that started transmitting sensitive business assets such as passwords, the real-time network audit appliance produces an alert in real time. The client's network technicians could then immediately shut down the PC, diagnose and remove the spyware. Read more about Extrusion prevention Technology on my Web site.
  • Take simple administrative measures. At a brokerage company we know, the General Manager called all the employees into a conference room and announced that anyone who would download software was fired. Period.
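The outbound-monitoring bullet above turns on identifying assets, not applications, in traffic that leaves the network. The following is an added example and not the real-time network audit appliance the post refers to: it scans constructed outbound flow records for two kinds of digital asset the page mentions, card numbers (validated with the Luhn check so that order numbers and other digit runs do not fire) and credentials, and returns the internal hosts a technician would take off the network. The flow record format, the addresses and the payloads are constructed; a TLS flow is included to show that encrypted payloads are simply opaque to this kind of check.

```python
"""Content-based outbound monitor: looks for digital assets (card numbers,
credentials) in payloads leaving the network and names the hosts to isolate.
Constructed example; not the real-time network audit appliance in the post."""
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or
# hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Credential-looking key/value pairs, e.g. spyware posting harvested logins.
CRED_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+")


def luhn_ok(digits):
    """Luhn checksum; weeds out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid card numbers in text, masked to the last four digits."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def scan_flows(flows):
    """Return one alert dict per match: src, dst, kind and masked evidence."""
    alerts = []
    for f in flows:
        payload = f.get("payload") or ""      # encrypted flows carry no readable payload
        for masked in find_pans(payload):
            alerts.append({"src": f["src"], "dst": f["dst"], "kind": "pan", "evidence": masked})
        for m in CRED_RE.finditer(payload):
            key = re.split(r"[=:]", m.group(), maxsplit=1)[0].strip()
            alerts.append({"src": f["src"], "dst": f["dst"], "kind": "credential",
                           "evidence": key + "=<redacted>"})
    return alerts


def hosts_to_isolate(alerts):
    """Distinct internal sources that leaked an asset, for the network team."""
    return sorted({a["src"] for a in alerts})


SAMPLE_FLOWS = (  # constructed outbound flow records
    {"src": "10.1.2.10", "dst": "198.51.100.20", "payload": None},  # TLS, opaque
    {"src": "10.1.2.11", "dst": "203.0.113.5", "payload": "order=1234 5678 9012 3456&note=thanks"},
    {"src": "10.1.2.12", "dst": "203.0.113.9", "payload": "card=4111 1111 1111 1111&exp=1209"},
    {"src": "10.1.2.13", "dst": "192.0.2.77", "payload": "host=fs01 password=Winter2007! user=admin"},
    {"src": "10.1.2.14", "dst": "198.51.100.3", "payload": "Subject: invoice attached"},
)

if __name__ == "__main__":
    alerts = scan_flows(SAMPLE_FLOWS)
    for a in alerts:
        print(a)
    print("isolate:", hosts_to_isolate(alerts))
```

The evidence fields are masked on purpose: an alert that carries the full card number or password into a ticketing system or a log file creates a second copy of the asset the monitor was meant to protect.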

May 31, 2007

GRC - governance, operational risk and compliance: Will the dinosaurs live or become extinct?

Michael Rasmussen from Forrester anointed the general area of software applications for solving risk and compliance problems - GRC - governance, operational risk and compliance. He correctly points out in a white paper from November 2005 that the space is confusing, undifferentiated and filled with vendors with point functions claiming to be the be-all and end-all.

I was talking with colleagues at PTA Technologies this week about this deal, and after speaking with a number of customers who use the practical threat analysis tool, it became clear why monolithic, enterprise software applications for ERM are going to have trouble mainstreaming.

a. Most firms (even sizable financial institutions) have a problem shelling out $500k - $2M for an enterprise risk management system when they don't know the key risk indicators in their business processes (we spoke with a medium sized bank here in Israel and they pointed this out to us).

b. Many firms don't have a good handle on their business processes either, which explains why business process mapping and modeling vendors like Mega are doing well and attempting to branch out into the ERM space.

At the level of an operational business unit or IT security group there appear to be 2 trends:

1. The customer needs to be able to quantify risk in dollars in order to select & justify controls to business decision makers (the guys who write the checks) - this is a major challenge for most of the vendors, who still use qualitative methods and compliance-based checklists.

2. Firms are looking for risk expertise "on-demand", yet due to the sensitivity of a database of asset financial values, threats, vulnerabilities and which countermeasures the organization is deploying, no one wants to use a multi-tenant, hosted application service solution like salesforce.com.

This page contains all entries posted to Israeli Software in May 2007. They are listed from oldest to newest.

This weblog is licensed under a Creative Commons License.