
June 2007 Archives

June 1, 2007

That was the month that was

I wanted to write about my security experiences at Reagan Airport in DC and Warsaw, but I actually had real work to do.


We've got our heads down with the Practical Threat Analysis project. Last week a customer took the PCI DSS 1.1 standard too seriously, ran patch management and shut down some ports, and lo and behold we got a frantic phone call: how come the LDAP administration application stopped working? Support is good for the soul.

I did have some time to look at the Web stats for May though:

- First place - the article on Vulnerabilities of default passwords
- Second place - Practical threat analysis free download
- Third place - the article on Software security assessments

Out of 86,000 hits, looking at search strings, Monica Bellucci got almost 400 hits and Emily Procter (who plays in CSI Miami) got 4. This proves that fans will go to the tail end of the Internet to find pictures of beautiful women like Monica Bellucci and Manuela Arcuri.

This was my audience's favorite blog article - Do we really need a security industry?

June 3, 2007

Google and Salesforce.com - a match made in heaven?

Friday, CNN Money pre-announced the announcement of what looks to be a pretty deep business cooperation between Google and Salesforce.com.

It makes a lot of sense.

In the battle against Microsoft (Google and Marc Benioff are set off squarely against MSFT) there are a number of points of strong synergy between the two companies.

Right now, Google Applications is mail, calendaring, Web site and spreadsheet, but Salesforce.com and the AppExchange are well-designed, well-implemented systems of business application software as a service. Clearly, not only the CRM applications, but the Apex API and AppExchange applications can add a lot of value to Google Applications.

Having said that, nothing is holding back the developer community from releasing mashups and integration with various Google applications and Google Labs projects. I would guess that Google likes the salesforce.com presence in the enterprise and the telemarketing, support and sales team that SF.com runs.

On one hand, it's great to see Google and Salesforce.com working together to compete with the largest software company in the world - but a merger might create some pushback in the user community. I am not sure that every salesforce.com customer would be happy about the biggest search company in the world being able to poke a finger in their customer information.

From an application security perspective, putting a lot of Web 2.0 business applications in one place is not necessarily a good idea. Large targets tend to increase the motivation for attackers and increase the complexity of security countermeasures and amount of ongoing vulnerability assessment.

Even today, without a Google-Salesforce.com merger, I think there are issues with Salesforce having so much sensitive customer data. Just one published data security breach would be enough to rock their revenue boat pretty seriously.

Then again, Salesforce.com is on a roll and maybe customer lists from SME customers are not that sensitive.

June 4, 2007

Ehud Barak, spam and political activism

Today I received a piece of spam in my business mailbox that talks about Ehud Barak (former IDF Chief of Staff and Prime Minister, who led the disastrous withdrawal from Lebanon that fomented Intifada II and then Lebanese War II).

Several months ago, we migrated our mail services to Google Applications and we've been extremely satisfied. Our qmail server was rock-solid for 5 years (no one ever won Dan Bernstein's bet on hacking qmail) and, unlike Microsoft Exchange, our cost of ownership was zero. The problem was that SpamAssassin could not keep up; so, unlike the famous Tareyton smokers ad, I decided it's better to switch than fight.

Google mail is almost perfect with spam filtering and the Ehud Barak spam popped up on my radar screen during a random check in the spam folder.

You can probably guess that my politics lean towards having Barak remain in the private sector, but I have a problem with spam in general and spam sent out from a legitimate business in particular.

This particular piece of political spam came from a hi-tech company in Rehovot (the mail was signed Tact Ltd. Rehovot). The mail itself reminds us that Ehud Barak is still under investigation for his involvement in illegal campaign fund-raising and quotes an article in the Israeli Internet portal Walla!.

I wonder if Dr. Rafi Amit, the General Manager of this apparently successful Israeli software outsourcing company Tact Systems, is aware of the political activism in his company. Whether or not the mail was sanctioned by the executive management of the company, it's still spam.

From an image/corporate reputation perspective, it looks bad.

From a data security perspective, it reveals an internal vulnerability (sending out spam from inside the company means that they don't do any extrusion detection at all).

From a security procedure perspective, I suspect they don't have an AUP.

Tact Ltd. is a company that does QA and system testing projects in the private sector and defense industry, and they should know better. They should definitely encourage (and sponsor) involvement and political activism for causes they support, but any corporate AUP (acceptable usage policy) should mandate that extra-curricular / political activity be done on the employee's time and dime.

June 5, 2007

Live from the IDC IT Security Roadshow 2007 Re-thinking Security

I am normally allergic to trade shows and so-called professional conferences. I find the self-serving parade of vendors and industry experts to be a waste of my time. Maybe this is why unconferences run by users are getting popular.

The IDC IT Security Roadshow 2007 held in Gan Oranim in the Tel Aviv Fairgrounds today was mostly an exception to my rule. The sessions were interesting and the networking was not bad. Kudos to Dan Yachin and the rest of the team at IDC Israel for a job well-done.

Gideon Lopez (MD of IDC Israel) opened the day with a few remarks followed by Gil Schwed who gave the keynote. Here are some notes I took during their talks:

What are the trends in IT Security?

Gideon had 6 comments:

1. There is room for small startups that provide innovation

2. Security is 4% of IT budget (not very much)

3. Companies want consolidation of security management systems

4. There is now an increased awareness of Insider threats, although we need to get past the false positive problem and deal with Extrusion prevention that gets in the way of employees

5. Security as an enabler

6. The odds between attackers and defenders are not equal, and it's interesting to compare: look at the startup community in Israel, which consumes sizable R&D budgets, versus modest hacker budgets.

I thought Gideon's comments were mostly ok but "Security as an enabler"?? Give me a break. Security is not a business enabler. It is a cost. It is a way of protecting your assets so you can operate your business, get home safely at the end of the day and deliver positive returns for your shareholders.

The last point that Gideon made is interesting, because it's meaningless.

There are attackers (organized crime) with huge budgets that can bribe trusted insiders, employ advanced technology, human honey pots and long-term social engineering to steal valuable digital assets. Then there are low-budget attackers who smash and grab (like the thieves who broke into BMC Software offices in Ramat Hachayal by smashing a ground-floor window and carting out 50 workstations while the guards were on the other side of the building). Both attackers and owners of valuable assets perform an economic assessment of how much they want to spend on an attack (or defense) versus the value of the assets at risk.

This lack of understanding of the economic dimension of risk was a common denominator later in the conference in the user focus session run by Gadi Gilon, the CIO of Orange Israel.

Gil Schwed - Growth in Internet, growth in threats

Gil made the point that attacks on assets have grown proportionately to the growth in the number of Web sites. Unfortunately, no one took Gil up on this seemingly trivial point, because the growth in the number and variety of attacks should actually be a function of the number of people connected to the Internet, not the number of web sites. This is a far bigger number, AFAIK.

Gil's presentation was a march of time Powerpoint and a not so subtle pitch for Checkpoint.

Gil did make one excellent point, namely that customers need strong vendor security focus, which is being eroded by merger and acquisition activity (Symantec buying Veritas, a storage vendor; EMC buying RSA, a security vendor; etc.).

Gil is correct when he says that a lot of the big vendors don't have a strong security focus anymore. The Symantec VP Business Development for EMEA (William Beer) that spoke with me at the break, confirmed that this is definitely true for his company. I guess Cisco never had a security focus.

Checkpoint is one of the few pure-play security vendors that serves customer segments of all sizes. The distribution of their customers by size is:

- 30% > 10,000 employees
- 30% 1,000-10,000
- 30% 50-1,000
- 10% < 50 employees

Here are some notes from Gil's well-delivered (although somewhat limited-vision) presentation:

Enterprise security is composed of Infrastructure, data, mobile and endpoint Security

Network security is composed of a core + data, endpoint, IAM, AA, Threat mgmt / VA, SIM

Today - network security is complicated, hard to manage, too many vendors, it is siloed between departments, reactive and inconsistent.

We need vendor consolidation. IT security managers don't have enough time to listen; a good idea with potential and a new, innovative product cannot justify itself because of the marketing resources required to get customers' attention.

I suggest that we need to reduce the number of security vendors installed in an enterprise from 15 to 4 or 5.

There has been a loss of security focus for some vendors. This is because of the M&A activity in the networking vendors space. Companies get lost in the supermarket of a big vendor

There has also been a security vendors shift to other larger application spaces like storage

We need architected solutions that unify management and create interoperability, for example an integrated security gateway with FW, IPS, VPN, extrusion prevention, virtualization and central management.

Data security challenges
1. extrusion/information leakage
2. big files, removable devices (USB, iPOD)
3. lost / stolen notebooks (60% of information theft)

Data security creates huge exposure since companies are required to disclose incidents and notify entities at risk. The first requirement is a need for policies on data usage in the firm; then they need port control, media encryption, and gateway protection (extrusion prevention).

Mobile: client + data/network gateway + total endpoint + management, similar to the general endpoint requirements.

Endpoint

The endpoint requirements are also AV, FW/VPN, data, unified and managed security. We built a personal firewall business from 0 to 50M (not that we had much competition) on the basis of the shortcomings of the Windows XP firewall.

Consolidating Security Session

The participants were Blair Semple (Decru/NetApp), Shlomo Touboul (Yoggie), William Beer (Symantec European Security Practice) and Edouard Lorrain (Business Development Manager, Citrix Europe). The moderator was Peter Stremus (VP Biz Dev, IBM/ISS EMEA).

Here are some highlights (note how the vendors don't answer the question but use it as an opportunity to tout their wares)

Can Security vendors survive as pure play, or must they be acquired?

Citrix - security is a monitoring layer that is part of the application architecture

Symantec - security intelligence enables customers to be proactive

Yoggie - Yes, there is consolidation but when a big company grows by acquisition, they become more concerned with customer relationship management than with innovation, which is why there will always be startups.

Can we rely upon and trust the best-of-breed security vendors for our technical countermeasures?
Symantec - Take-up on our MSS has been slow, because the IT security people don't want to relinquish control. We're selling co-sourcing these days.

Decru - MSS needs to be viewed as another security countermeasure to the organization's vulnerabilities. You need to weigh what's best in terms of the business needs. Look, the term itself, best-of-breed, is a dog-show term meaning expensive, not integrated with anything else and high-maintenance. Make your own conclusions about best-of-breed in that context.

Yoggie - I'm both pragmatic and paranoid when it comes to trusting security technology

Citrix - It's meaningful that the telecom service providers have acquired managed security services and system integrators (BT and Counterpane, Belgacom and Telindus). I think that a key selling point for security is integration and management, which the service providers are good at. The downside is that telecoms are slow-moving and non-innovative. Their SME customers usually trust them, but when there is a cost, performance or security issue, customers will flee the coop to a competitor. Look at the case when the UK ISP Tiscali had a DDoS attack and their mail servers went down: they suggested to their customers to use a free Webmail service.

Security User Experiences Session

The participants were Avi Weissman (See Security), Itay Janovsky (ZIM), Itzik Kochav (Clalit) and Rachel Jacoby (Bank of Israel). The moderator was Gadi Gilon (CIO, Orange Israel).

What is the most important thing an Infosec manager should do?

Avi - map and valuate your assets, none of my customers do that.

ZIM - Not technology, the cost of maintaining security systems is the main issue since the cost of maintenance is much higher than the cost of acquisition

Clalit - The CISO should be a policy-setter; security should be part of the design so that it doesn't interfere with the operation. It should not be a cover.

When was the last time you did a risk assessment and did you calculate economic values of risk?

"We generally ignore economic value of risk and we are shooting ourselves in the foot when we don't evaluate risk in financial terms."

Note how everyone talks about what should be done without admitting guilt.

Gadi - (asking for a show of hands in the audience) - almost no one raised their hand

Clalit - We do it annually (or did he mean, should do annually, I'm not sure I heard right...)

Avi - You're right, most customers don't do it but they should. There are far more technical countermeasures than threats, so it must be an economic decision; the first part of a quantitative risk assessment is identifying and then valuating the assets.

Rachel Jacoby (Bank of Israel) - The 357 Infosec standard mandates use of probabilities of occurrence (ARO); of course, a bank that complies with 357 and Basel II can use the AMA and mitigate risk while allocating resources to different countermeasures, all on a fiscal basis.

ZIM - Risk management is a business process: how much security is enough for the organization? I would say that we need to break down the question of quantitative risk assessment into 4 areas: BCP, baseline (80/20 rule for countermeasure effectiveness), basic risk management practices for systems, and awareness for employees.

Won't regulation create more vulnerabilities because of its cost and checklist mentality?

Rachel (BOI) - 357 has been effective for IT governance in Israel, even though IT security interferes with implementation projects.

Avi - Better to employ countermeasures dictated by a compliance standard than to do nothing. Israel needs regulation... (I'm not sure he is living in the same country I live in. Israel has 10 different regulations for privacy compliance and none are enforced; Israel has regulation for use of the radio spectrum and, because it isn't enforced, pirate radio stations cause near-plane-crashes at Ben-Gurion Airport.)

I would rephrase that - as Israel needs less regulation and more enforcement.

What should be the relationship between the IT manager and the information security manager?

Avi - There should be separation of duties between IT and security, since security is a separate expertise.

Rachel (BOI) - The functions do not have to be separated (357 allows the security manager to be part of the IT group) but the IT manager needs to set policies, do risk assessments and penetration testing of applications. The security process needs to be integrated into the organization.

Clalit - In large organizations like ours, there needs to be three bodies: A legislative (that sets policy), an executive (that executes policy) and an audit (that monitors execution against policy)

ZIM - It depends on the corporate culture.

I'm not going to report on the other sessions in detail.

The Insider threat session featured a bunch of vendors from McAfee, Symantec, Intellinx and Websense talking about their respective endpoint, gateway or security intelligence perspectives; I was outside having an interesting talk with William Beer from Symantec.

The Rethinking security session was pretty weak. Although there were some smart people there (Dan Yachin from IDC, Yaron Polak (Genesis), Anat Bremler (formerly Riverhead), Moshe Ishai (CTO of Comsec) and Miri Hizkayev (IBM IGS)), the responses did not add value for me: there were generalizations like "the next big thing will be a security co-processor or quantum cryptography" and a redux of the "security is a business enabler" canard from Comsec.

Other than that it was a nice conference. I enjoyed seeing colleagues and running into Elisheva Jakobovich from Vertex and Jonny Saacks from Genesis Partners.

The food was pretty good too.

June 10, 2007

People risks and software vulnerabilities

Are your programmers in a black hole?
The security industry is inundated with technology but if you don't know what your programming team is doing - an application firewall will never help.

Even amidst a growing security fashion trend for application security, emphasis is still placed on technical countermeasures such as application firewalls and application security scanning.

Ask a beginning programmer if a black box scanner is capable of getting inside her code and understanding the bugs and ensuing security vulnerabilities - she'll laugh at the thought.

I'm familiar with a high-tech company that uses agile programming techniques. The lead programmer and chief architect are doing an outstanding job, but the rest of the programmers are lost in individual black holes. The General Manager of the group doesn't have the faintest idea what state the team is in, yet he's committed to a major delivery in less than 60 days.

Consider their code quality - they'll still be coding 6 hours before delivery. The saying goes that the most creative work by a programming team is done 24 hours before the trade show. But - creativity is not necessarily security.

If you develop applications, the next time you think about reducing the risk to your business, think about improving how your software development team works: how you set milestones, how employees take on commitments, how well they execute and how you measure performance.

June 15, 2007

Analyzing PCI Data Security

The latest version of PCI Data Security is much improved but the prose is still pretty turgid with an odd verbiage of threats, assets, vulnerabilities and controls.

I'm providing tech support to our partners over at the Control Policy Group on a project they're doing to create a PCI DSS 1.1 library for PTA. They were having trouble parsing out the PTA framework entities from the standard PCI pdf document. You can see what I mean:

Requirement 1 - Install a firewall

Firewalls are computer devices that control computer traffic allowed into and out of a company’s network, as well as traffic into more sensitive areas within a company’s internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees’ Internet-based access through desktop browsers, or employees’ e-mail access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

If you do a threat analysis of the prose you can extract the following entities:

What are the asset(s): Cardholder data

What are the countermeasure(s): Install and maintain a firewall configuration

What are the vulnerability(s):
- Unauthorized access from the Internet
- Seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems

What are the threat(s): hackers, trusted insiders

What are the entry points: e-commerce, employees’ Internet-based access through desktop browsers, or employees’ e-mail access

I reckon you get the idea - they're gonna be riding a rocky road before they release their library - but I for one am looking forward to seeing it.
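As an added example (not code from this post, from PTA Technologies or from the Control Policy Group library), here is what the entities extracted above look like once they are linked into a small quantitative threat model of the kind the June 5 panel argued for: each threat scenario is scored by ALE = asset value x damage fraction x ARO, and countermeasures are ranked greedily by ALE reduction per dollar. Every asset value, ARO, damage and mitigation fraction, and the second "extrusion detection" control, are constructed placeholders, not figures from the standard or the page.

```python
"""Added example, not code from the post, PTA Technologies or the Control
Policy Group library: PCI DSS Requirement 1 entities linked into a small
quantitative threat model (asset valuation, ARO, countermeasure economics).
Every money figure, ARO and mitigation fraction is a constructed placeholder."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float  # constructed valuation in USD


@dataclass
class Threat:
    name: str
    asset: Asset
    vulnerabilities: tuple  # names of the vulnerabilities the threat exploits
    aro: float              # annual rate of occurrence (constructed)
    damage: float           # fraction of the asset value lost per occurrence


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    mitigates: dict         # vulnerability name -> fraction of ARO removed


def sle(threat):
    """Single loss expectancy: value lost in one occurrence."""
    return threat.asset.value * threat.damage


def residual_factor(threat, applied):
    """Fraction of the ARO left after the applied countermeasures. Each
    countermeasure removes its best mitigation fraction among the threat's
    vulnerabilities; independent countermeasures compound."""
    factor = 1.0
    for cm in applied:
        best = max((cm.mitigates.get(v, 0.0) for v in threat.vulnerabilities), default=0.0)
        factor *= 1.0 - best
    return factor


def ale(threat, applied=()):
    """Annualised loss expectancy: SLE x ARO x residual factor."""
    return sle(threat) * threat.aro * residual_factor(threat, applied)


def total_ale(threats, applied=()):
    return sum(ale(t, applied) for t in threats)


def prioritize(threats, countermeasures):
    """Greedy risk-optimisation plan: repeatedly add the countermeasure with
    the largest ALE reduction per dollar, stopping when no remaining one cuts
    ALE by more than it costs. Returns (plan, applied); plan lists
    (name, ALE reduction, annual cost) in the order chosen."""
    applied, plan, remaining = [], [], list(countermeasures)
    while remaining:
        base = total_ale(threats, applied)
        best, best_ratio = None, 0.0
        for cm in remaining:
            reduction = base - total_ale(threats, applied + [cm])
            ratio = reduction / cm.annual_cost
            if reduction > cm.annual_cost and ratio > best_ratio:
                best, best_ratio = cm, ratio
        if best is None:
            break
        remaining.remove(best)
        applied.append(best)
        plan.append((best.name, round(base - total_ale(threats, applied), 2),
                     best.annual_cost))
    return plan, applied


# The model: entities taken from the Requirement 1 analysis above.
CARDHOLDER_DATA = Asset("Cardholder data", 2_000_000.0)
V_INTERNET = "Unauthorized access from the Internet"
V_PATHS = "Seemingly insignificant paths to and from the Internet"

# One threat scenario per entry point named in the standard (constructed ARO/damage).
THREATS = [
    Threat("Hacker via the e-commerce front end", CARDHOLDER_DATA, (V_INTERNET,), 0.5, 0.10),
    Threat("Hacker via employees' desktop browsers", CARDHOLDER_DATA, (V_PATHS,), 0.8, 0.05),
    Threat("Trusted insider via employees' e-mail", CARDHOLDER_DATA, (V_PATHS,), 0.2, 0.25),
]

COUNTERMEASURES = [
    Countermeasure("Install and maintain a firewall configuration", 40_000.0,
                   {V_INTERNET: 0.9, V_PATHS: 0.5}),
    # Hypothetical second control: chosen only if its ALE reduction beats its cost.
    Countermeasure("Extrusion detection on the gateway", 60_000.0, {V_PATHS: 0.6}),
]

if __name__ == "__main__":
    plan, applied = prioritize(THREATS, COUNTERMEASURES)
    print(f"ALE before controls: {total_ale(THREATS):,.0f}; plan: {plan}")
    print(f"ALE after plan: {total_ale(THREATS, applied):,.0f}")
```

With these placeholder figures the firewall pays for itself 4.5 times over and is chosen, while the second control's remaining ALE reduction falls below its cost and is left out, which is the 80/20 point ZIM made; the insider scenario keeps the largest residual ALE, the point the panel made about insider threats.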

June 19, 2007

Imitation is the highest form of flattery

I get a daily email newsletter from searchsecurity.com, according to my interests in risk assessment and risk mitigation. It's fairly tolerable and sometimes I even click on the message before trashing it, although the content doesn't always get high marks for quality.

The other day I got an email promoting a Webcast sponsored by ArcSight titled "New Webcast: Effectively Mitigate Security Risks and Manage Threats". I thought, WOW, that sounds a lot like our messaging at PTA Technologies. The speakers were Brian T. Contos, CSO, and Dave Anderson, Senior Manager, Product Marketing. Some of the messages were "Discover how to balance risk optimization and performance". (PTA provides a quantitative risk analysis framework and the ability to produce a prioritized risk optimization plan; sounds familiar?)

ArcSight positions the company as a provider of security and compliance management solutions that intelligently identify and mitigate business risk by providing a real-time and historic view into external attacks, insider threats and compliance breaches.

ArcSight has a great customer base and a large reseller partner channel, but from the wording in the email it was hard for me to know exactly what they do, so I called a customer of ours who uses ArcSight for a commentary. Sans marketing collateral, it's a product for firewall/IPS log analysis. The CISO at our customer told me that it's difficult to use and that the reports he gets are not very helpful for his everyday needs in mitigating trusted insider threats. This customer uses a real-time extrusion detection system and he firmly believes that real-time alerts on violations in the data, network and people planes are far more useful than historical log analysis. As he put it: "we have a gigabit network, every second 100 megabytes of data is flowing, or 8.5 terabytes a day - how can we possibly use log analysis for real-time audit and detection of attacks?"

I then took a look at folks who took the free download of PTA Professional. Lo and behold - our colleagues at Arcsight are frequent fliers and Mr Brian T. Contos CSO is a registered PTA user.

It's an honor for a small, boot-strapped operation like ourselves to be an inspiration for an award-winning (Gartner MQ, Forrester) company like ArcSight.

June 20, 2007

Secure communications without encryption

Encryption is not always an effective countermeasure for mitigating attacks on customer data and valuable digital assets.

With statistics showing that about half of all customer data breaches are due to people losing their notebook computer, it's pretty obvious that encrypting data on your mobile hard drive is an excellent idea. Like the man from American Express said - Don't leave home without it.

However, encrypting everything doesn't always improve security - I'll bring two examples to prove my point - hidden channels and secure email.

Hidden channels

You have a company Intranet that runs Webmail, groupware and knowledge-sharing applications. The folks in IT want to require SSL/TLS for access to the Intranet. Is this a good idea? Probably not. Once you encrypt the communications, you lose all capability to monitor for violations of the company AUP and extrusion of valuable digital assets like customer data. An authorized user can log in to the portal and download proprietary information from the knowledge base (or incriminating data on product performance), and you'll never know. Essentially, by encrypting you've created a hidden channel and lost all ability to mitigate risk.

Usability in secure email communications

A few years ago, we did some work in identity-based cryptography that eliminated the need for a CA (certificate authority). My partner was hot on the idea of using the technology for a secure email application. I wasn't so sure.

Non-repudiation is the idea that a signer cannot later deny that they sent the message. But - this is just an illusion - the subject can always claim that someone stole her private key and that the signature itself is a forgery.

Integrity - phishing is a commonplace thing and a daily threat to users. Digital signatures would seem to have utility in countering forged sender information. In practice, we see that a digital signature in an email note is almost useless. A well-crafted email address like customer-service@paypal.com can sucker users into clicking on a URL. In practice, there is so much phishing going on, it turns out that there is a far more effective countermeasure for the integrity threat - just automatically delete any mail with a sender address and/or a subject that is either not familiar or unexpected. If they want you - they can always call you.

Privacy - this is a big deal. Privileged attorney-client communications, chats with a mistress - you would think that by now everyone would be using PGP. There are three reasons why secure email never mainstreamed.

1) Ease of use - it's a pain in the ass for the everyday user

2) Value of the asset - what can an eavesdropper learn from the average document sent by an attorney to her client? Not much, and if it's really important, she can always encrypt the document using WinZip's strong AES cryptography

3) Probability of occurrence - having been in the telecom business for a long time, I can tell you that with the complexity of the systems and wiring, it's a miracle that the phones still work. The probability of a competitor discovering who your ISP is, bribing a customer service person at the ISP and then extracting some sensitive data is basically zero. Put it differently: it's always a question of the value of the asset versus the cost of the attack; for a $100M digital asset (the masters for the Beatles' White Album?) it's worth going to the trouble and spending the money.

June 21, 2007

Building Trust - a team with a shared vision builds better software

Why the energy levels are low, why people state "what is needed" but don't take the initiative to do what is needed.
My post from a few days ago on People Risks got me thinking about why software development teams produce unsatisfactory results. Why lunch and email are more important than the vision of what kind of revolution the product will create.

Jim and Michele McCarthy describe a series of design patterns for software development teams in their book, Software for Your Head; the first is the Check In pattern, which requires strong personal involvement.

Strong personal involvement is key to high energy levels in software development but it hinges on trust in the leadership; without that trust, professional programmers tend to go off on their own.

Several years ago I worked at a company that hired a former Israeli Air Force colonel as general manager of the operation. I was VP Engineering, and the GM was never able to connect with our young, talented programming team; he patronized the Russian immigrants and asked the women to make coffee for him. It was a great place to work but the team never achieved the vision.

My friend Issac Botbol is a professional trainer for Hispanics in the workplace. Issac was talking to me about building trust and I realized that Hispanics are culturally similar to programmers: neither speaks the same language as their managers and both groups distrust the suits. Here is what Issac had to say:

One of your greatest challenges as a leader of an organization that employs Hispanics in the workplace is to provide this workgroup with a sense of belonging. During one of our workshops, an English speaking production manager expressed this issue in a very effective and honest manner. He said: "I wish my people would feel comfortable enough to come to me and tell me what's bothering them." When asked to elaborate on this a bit further, he said that he was definitely aware of a distinct separation, a line in the sand between him and the rest of the front line Hispanic employees.

It is not easy for leaders, especially English speaking leaders, to break through this hurdle. It's true that the language and cultural barrier is responsible for causing a wide communication gap and it's a fact that a common language unites. However, communication is more than just words; it also involves action. More importantly, it involves trust. Generally speaking, there is a significant lack of trust between Hispanics in the workplace and leaders above the supervisor level. Hispanic front line employees usually view upper management as being far removed from their daily challenges and problems. Although this may exist in workplaces where there are no language differences, the suspicion and trust issues are more prevalent with Hispanic employees.

Many leaders in turn, readily accept the fact that there is nothing they can do about the separation of language and culture. They believe that their options are limited when it comes to breaking through the communication gap. That is where the danger lies! They concentrate more on getting the product out the door, rather than on the people responsible for producing the product in the first place.

From the Hispanic employees' perspective, the message from the "office world" is not always a welcoming and positive one. Leaders may fail to convey that this particular workgroup is part of a larger picture and a valuable contributing factor to the success of the organization. It's important to periodically and regularly gather the front line employees and make a fuss over them. It's essential to take the opportunity to express how they've met or surpassed the production schedules, maintained an acceptable safety record, or adhered to quality standards.

Trust is achieved when it is a consistent and deliberate process of regular interactions, human involvement and honest communications. It is not easy to achieve and with Hispanics in the workplace, it is tenfold more difficult. The reason is due to their perception of American management and a host of other cultural issues that we'll discuss in future newsletters. The important point for leaders to remember is that consistent behavior that reflects a sense of genuine interest will do a lot to reduce the barriers to trust.

About June 2007

This page contains all entries posted to Israeli Software in June 2007. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License.