
October 2007 Archives

October 2, 2007

Sea changes in the music industry, a threat analysis

The future of music may be friction-free sales and distribution on the Internet, but nothing can replace the excitement of a live performance.
Maybe it's because I'm in security but I tend to look at everything in terms of assets (things that are worth money), threats (stuff that damages assets), vulnerabilities (a state of weakness that can be exploited), attackers (people that do stuff) and countermeasures (ways to prevent attackers from exploiting vulnerabilities).

The traditional recording industry has a brick and mortar mindset (its biggest vulnerability) that enables attackers (indie producers and musicians who work on the Internet) to cause it damage.

The big record companies like Sony Columbia built their business over the years with a small number of big stars that they promoted very heavily using conventional marketing techniques. Elton John, mega-promoted (and apparently in huge personal debt...) has sold more than 250 million albums plus over one hundred million singles.

Historically, musicians needed the big studios for A) their technology (recording studios), B) production capability (producing playable media) and C) a marketing and distribution channel (brick and mortar stores).

What are the threats to the brick and mortar mentality of the record companies?

A) The technology to produce an album of high quality is sub $15k and in your home.
Home recording technology enables anyone to produce an album at home and deprives the record company of their lock on artists.

B) Production cost is zero. Upload a MP3 file to a server and your users pay the cost of the download.
The Internet enables anyone to produce an album or single and render worthless the record company's production facilities.

C) Distribution channel is the Internet - blogs, forums, search engines, email and social networks.
The Internet enables anyone to distribute an album or single and bypass the record company's distribution channels.

My goodness - this means that GAASSP - the record companies have been disintermediated by technology and the Internet. The world is now a level playing field (or "the world is flat") for artists anywhere in the world. If you have any doubts about that, surf to garageband.com.

What's next?

1) Equal opportunity for all musicians. That means no more begging and pleading for a chance to record your latest string quartet composition. That means that a jazz quartet in Slovenia has an equal opportunity at winning the hearts of jazz-lovers in Manhattan as a group in Soho.

2) More revenue for musicians since the record companies are disintermediated.

3) What will happen to the CD/DVD? Well - the copy protection for DVD is broken anyhow so there is no point in pretending that the record companies really want to protect intellectual property of their artists. They want to protect their revenue with fear and scare tactics. In reality - there is simply a new kid on the block who is far more efficient and far more available for instant gratification than Sony Columbia.

I predict that the CD/DVD will become a media used to promote live performances. Give them away for free or use them as a bonus coupon for 15% off at the next Mingus Big Band appearance.

Live performances generate revenue for artists, and with a reasonable price per download for a single track there is no reason an independent artist cannot monetize his or her work at almost zero production and distribution cost.

October 3, 2007

PCI DSS 1.1 Self assessments, a business exercise

The PCI DSS 1.1 requirements are available for download from the VISA and MC Web sites. We still need to put on our thinking caps to mitigate threats to payment card data.

The PCI DSS 1.1 requirements are confusing and a mixed bag of countermeasures. Some are very sensible things like changing vendor-provided passwords, alongside some very archaic things like using anti-virus to mitigate "threats".

This can result in a PCI auditor taking advantage of a merchant and overstocking them with security technology and professional services. We've seen this happen more than once.

We have a client who purchased a database firewall at the recommendation of their auditors. They spent over USD 100k on technology a year ago that is still not fully implemented, in order to prevent users from accessing the Oracle database with the production DBA password. They could have and should have separated their test, development, staging and production environments and prevented developers from connecting to the production server with a simple firewall rule. That could have been implemented with a cheap Linux box running CentOS and iptables for basically nothing.

The case with small merchants is that they have neither the budget nor the mentality to spend, although they have the most to lose in a security breach. As a collective group, small to medium sized merchants constitute the most significant source of vulnerabilities in the payment card network.

Clearly - there is a business case both for the card associations AND the small merchant to improve their security.

I'm skeptical about MS Word checklists and Euro15/month network scans as a means of attaining this goal.

I think it's an insult to the intelligence of any decent business owner/manager. As an alternative, we suggest that the small merchant use Practical Threat Analysis to examine his own business situation, mitigate threats and comply.

This is what PCI is about really, at the end of the day.


October 5, 2007

Using threat analysis to understand risk

It seems to be common practice for many of the commercial risk assessment systems to look at risk as a two-dimensional problem - assets (that have qualitative risk) and controls (that mitigate risk).

I presume that this extremely naive model was born out of using a spreadsheet for risk analysis, since spreadsheets are two-dimensional models themselves.

However, this simple-minded model does nothing to help us understand the physics of the risk to an asset - i.e. what forces are at work to damage the asset, and what forces counteract the damage posed by threats to it.

In order to understand the source of risk - for example in a PCI DSS 1.1 self-assessment project that a small merchant needs to run - we need to use practical threat analysis.

This requires describing:
1. Attackers - people or entities that execute a threat
2. Threats - attacker(s) that VERB (exploit a vulnerability) to damage an ASSET
3. Assets - a physical, intangible or digital asset that is valuable to the owners
4. Vulnerabilities - a STATE (that enables a threat to be manifested)
5. Countermeasures - a control or tool that mitigates the threat

Examples in the next posting. Gotta sign off!

October 7, 2007

Using threat analysis to mitigate risk, examples

In our previous posting we explained how Practical Threat Analysis uses a model of threats, assets, vulnerabilities and countermeasures as opposed to simplistic Excel-based models that treat two dimensions of asset + control.

In this posting, we will give some concrete examples of threat entities.

Suppose you have been asked to perform a threat analysis for an IPTV system that uses a system of distributed servers that deliver digital content on demand by IP Unicast.

We will deliberately keep the example simple and look at two threats:

Your assets:
A1-Movie content
A2-Video servers

Attackers
AT1-User at home
AT2-Criminals who may break in and steal servers.
AT3-Competitors who want to discredit or damage the service provider's business

Threats, exploited vulnerabilities and countermeasures

Threat T1 – A criminal may break in and steal the video servers
Vulnerability V1 – The server building has a front door with a simple lock
Countermeasure C1 – Place a fence around the server building
Countermeasure C2 – Put bars on the building windows

Threat T4 – Competitor may mount a DDOS attack and overload the IPTV servers
Vulnerability V7 – IPTV network is on ISP WAN infrastructure, enabling public access
Countermeasure C9 – Isolate IPTV network using firewall and dedicated VLAN

Note that a threat is always in the form of [Attacker] [VERB] [ASSET] [DAMAGE]
and vulnerability always describes a state of weakness.
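The five entity types from the October 5 posting and the IPTV entities above, expressed as a small data model with the consistency checks an analyst wants before prioritizing anything: every threat names a known attacker and asset, exploits at least one recorded vulnerability, and has at least one countermeasure. This is an added example in Python, not the PTA tool's own code or file format; the class layout, the damage text and the extra threat T2 (a "user at home" copying movie content, with nothing recorded against it, to show what the checks report) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example: the five entity types of the threat model as plain data classes.
# Names and structure are constructed for illustration; they are not the PTA tool's format.


@dataclass(frozen=True)
class Asset:
    id: str
    name: str


@dataclass(frozen=True)
class Attacker:
    id: str
    name: str


@dataclass(frozen=True)
class Vulnerability:
    id: str
    state: str                      # always a state of weakness, never an action


@dataclass(frozen=True)
class Countermeasure:
    id: str
    control: str


@dataclass(frozen=True)
class Threat:
    id: str
    attacker: str                   # Attacker id
    verb: str                       # what the attacker does (exploits a vulnerability)
    asset: str                      # Asset id
    damage: str
    exploits: Tuple[str, ...] = ()      # Vulnerability ids
    mitigated_by: Tuple[str, ...] = ()  # Countermeasure ids


class ThreatModel:
    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}
        self.attackers: Dict[str, Attacker] = {}
        self.vulns: Dict[str, Vulnerability] = {}
        self.controls: Dict[str, Countermeasure] = {}
        self.threats: Dict[str, Threat] = {}

    def add(self, *entities) -> "ThreatModel":
        tables = {Asset: self.assets, Attacker: self.attackers, Vulnerability: self.vulns,
                  Countermeasure: self.controls, Threat: self.threats}
        for e in entities:
            tables[type(e)][e.id] = e
        return self

    def statement(self, tid: str) -> str:
        """Render a threat in the [Attacker] [VERB] [ASSET] [DAMAGE] form."""
        t = self.threats[tid]
        return f"{self.attackers[t.attacker].name} {t.verb} {self.assets[t.asset].name}: {t.damage}"

    def validate(self) -> List[str]:
        """Dangling references, threats with no vulnerability, threats with no countermeasure."""
        problems: List[str] = []
        for t in self.threats.values():
            if t.attacker not in self.attackers:
                problems.append(f"{t.id}: unknown attacker {t.attacker}")
            if t.asset not in self.assets:
                problems.append(f"{t.id}: unknown asset {t.asset}")
            problems += [f"{t.id}: unknown vulnerability {v}" for v in t.exploits if v not in self.vulns]
            problems += [f"{t.id}: unknown countermeasure {c}" for c in t.mitigated_by if c not in self.controls]
            if not t.exploits:
                problems.append(f"{t.id}: no vulnerability listed")
            if not t.mitigated_by:
                problems.append(f"{t.id}: no countermeasure listed")
        return problems

    def unmitigated(self) -> List[str]:
        return sorted(t.id for t in self.threats.values() if not t.mitigated_by)

    def coverage(self) -> Dict[str, List[str]]:
        """Asset id -> countermeasures that mitigate at least one threat against it."""
        cov: Dict[str, List[str]] = {a: [] for a in self.assets}
        for t in self.threats.values():
            for c in t.mitigated_by:
                if c not in cov[t.asset]:
                    cov[t.asset].append(c)
        return cov


def iptv_model() -> ThreatModel:
    """The IPTV entities from the post, plus one constructed threat (T2) with nothing
    recorded against it, to show what the checks report."""
    return ThreatModel().add(
        Asset("A1", "Movie content"), Asset("A2", "Video servers"),
        Attacker("AT1", "User at home"),
        Attacker("AT2", "Criminals who may break in and steal servers"),
        Attacker("AT3", "Competitors who want to discredit or damage the service provider's business"),
        Vulnerability("V1", "The server building has a front door with a simple lock"),
        Vulnerability("V7", "IPTV network is on ISP WAN infrastructure, enabling public access"),
        Countermeasure("C1", "Place a fence around the server building"),
        Countermeasure("C2", "Put bars on the building windows"),
        Countermeasure("C9", "Isolate IPTV network using firewall and dedicated VLAN"),
        Threat("T1", "AT2", "break in and steal", "A2", "loss of the servers", ("V1",), ("C1", "C2")),
        Threat("T2", "AT1", "copies", "A1", "lost sales (constructed example, nothing analysed yet)"),
        Threat("T4", "AT3", "mount a DDOS attack and overload", "A2", "service outage", ("V7",), ("C9",)),
    )


if __name__ == "__main__":
    m = iptv_model()
    for tid in m.threats:
        print(m.statement(tid))
    print("problems:", m.validate())
    print("coverage:", m.coverage())
```

Running it prints the three threat statements, then reports that T2 has neither a vulnerability nor a countermeasure, and that asset A1 (the movie content) has no countermeasure covering it at all: exactly the gaps a two-column asset/control spreadsheet would never surface.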

October 9, 2007

Should you allow blogging?

In a previous blog posting, "Blogging from work", back in May, I talked about employees posting to blogs from inside the office.

I apparently raised the hackles of MacDonnell Ulsch who is the Director of Technology Risk Management & Privacy at JEFFERSON WELLS, INC.

MacDonnell emailed me a pretty nice comment (I've disabled comments for the time being on this blog due to the quantity of comment spam that the site was getting - some time I'll get around to fixing it with a Turing test - in the meantime it's mail).


Hi Danny,

I saw your posting regarding my comments on blogging. I actually enjoyed reading your comments. I always enjoy a good discussion. Here are some points that I would like to make and have made in the past regarding my view of blogging. Thanks in advance for reading this and the very best to you.

With respect to blogs being a vulnerability and not a threat: you are right. But the hacker or terrorist exploiting it is a threat, so the existence of a blog threatens the integrity of the enterprise. I have been widely quoted out of context on this issue. I have worked with clients who have experienced serious problems as a result of uneducated workers blogging indiscriminately. I have attached an article that will likely be of interest to you. I am not saying that people should not blog. I am not saying that companies should not allow blogging. This would be ludicrous and ridiculous. That’s like advising people not to use the Internet. I understand that you were not at the talk I gave, so you could not have heard everything that I had to say. Here are a few points that I would make to you:

1. The US Army now restricts blogging in forward combat areas because of the disclosure of sensitive information that would endanger our troops.

2. One client was socially engineered through blogging into disclosing sensitive IT architecture information that enabled a hacker from Germany to illegally access company systems. The IT professional was terminated. He wishes he had had a policy in place that would have educated on the risks associated with blogging. Had management made him aware of the risks, perhaps he would still be employed by the company. His actions were not malicious. He simply wasn’t aware there was cause for concern. A lot of people still believe that. They are sadly misinformed.

3. Organized crime, from around the world, is behind some blogs, particularly those associated with pornographic content. Organized crime is, in concert with international narcotics traffickers and certain terrorist factions, using technology to commit ID theft crimes, part of the money laundering problem that we have. There is a reason that Russian banks, and other banks chartered by nations with deficient banking regulations, engage with organizations such as the Black Peso Market Exchange and other such money laundering operations. And then there is the issue of Eastern European companies and organizations that use technology, including blogs, to acquire email addresses for spammers. These companies also use emails for phishing for ID theft and for socially engineering employees of dual-use technology companies and defense companies. The intelligence and investigative agencies are well aware that these conditions exist.

4. The infiltration of organized crime is not a product of my imagination but based on information from the US Secret Service (Treasury), the Department of Justice, the Drug Enforcement Administration, the Center for Strategic and International Studies, and other institutions.

5. My advice is not to eliminate blogging at companies. It is to regulate blogging much as email is regulated. As a J.D., you understand the liability concerns over inappropriate email use and Internet use. Internet and email use require corporate policies. Companies also need to regulate the use of blogs.

6. Also, I did not say or in any way indicate that the Gary Min/DuPont case involved blogging. However, Min did have stolen trade secrets on his laptop, which was issued by Victrex PLC. My point was simply that mobile technology enabled Min to more easily transfer some 180 files to his Victrex laptop and then carry those trade secrets with him. He could have accomplished this with other mobile technology, too. But my point was about the mobility of information and not blogging in this case.

Everyone is entitled to express an opinion (at least those of us who live in a free society). You obviously have yours and I have made mine very public. In my opinion, the outright rejection of these concerns contributes to a false sense of security. In the interim, I am going to plead with my management not to make me blog every day on my corporate issued laptop. However, if management does decide to accept your advice to punish me accordingly, I will first advise them on the appropriate policies and procedures necessary to manage the risks of that decision accordingly.


October 10, 2007

Sometimes you need a 10KG hammer

We're doing an annual IT risk assessment for one of our clients - fortunately for us, they are using practical threat analysis to create a prioritized risk mitigation plan for their 2008 budget.

We kicked off data collection on Monday and it was entertaining to see how various managers perceive their assets and threats. One of the vulnerabilities is a favorite of mine - disposal of hard disk drives. The company manufactures industrial equipment with an embedded Linux operating system that controls the machine. When machines are taken out of service or returned to the factory for repair - the disk drive is often replaced. So far so good.

What happens to all the disposed disk drives? Well - it appears that the technicians format the drive (or not, if it's dead on arrival) and dump it in a barrel in the back lot of the factory. Hmm - not a happy thought - if the company's intellectual property were pirated from disk drives recycled into a PC for someone's office.

There are two approaches to sanitizing disks. The first is to employ a software disk "wiping" or "overwriting" utility. The other is to physically destroy the hard disk with a big 10kg hammer.

There are a couple of decent FOSS (free open source) products that do disk wiping; you may know of others - if you do, email me a comment and I'll post it.

- DBAN (based on self-contained boot floppy): Darik's Boot and Nuke
- Eraser (For Windows OS): Eraser

Both are active Open Source projects and DBAN has recently been updated for Intel dual-core processors.

In the case of Eraser (which is GPL), the patterns used for overwriting are based on Peter Gutmann's paper Secure Deletion of Data from Magnetic and Solid-State Memory in order to effectively remove magnetic traces of data from the hard drive.
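What the software approach actually does, in miniature: overwrite every byte several times, force the writes to disk, then read back and check that the original content is gone. The Python below is an added example (not DBAN's or Eraser's code) working on a single file rather than a whole device; the pass sequence, the marker string and the temp-file demo are constructed. The limitation is the important part: a file-level overwrite only reaches the blocks the file currently occupies, so remapped sectors, filesystem journals, snapshots and SSD wear-levelled copies are untouched, which is why retired drives get a whole-device tool or the hammer.

```python
import os
import secrets
import tempfile
from typing import Optional, Sequence

# Added example: a file-level overwrite in the spirit of the wiping tools above,
# plus a residue check. This is not DBAN's or Eraser's code. It only touches the
# blocks the file currently occupies: remapped sectors, filesystem journals,
# snapshots and SSD wear-levelled copies are out of its reach.

# Constructed pass sequence: zeros, ones, then random (None means a random pass).
PASSES: Sequence[Optional[bytes]] = (b"\x00", b"\xff", None)


def overwrite_file(path: str, passes: Sequence[Optional[bytes]] = PASSES, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of an existing file in place once per pass, forcing the
    data to disk after each pass. Returns the number of bytes covered per pass."""
    size = os.path.getsize(path)
    for pattern in passes:
        with open(path, "r+b") as f:          # r+b keeps the same inode and blocks
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())              # don't trust the page cache
    return size


def has_residue(path: str, marker: bytes, chunk: int = 1 << 16) -> bool:
    """Scan the file for a known fragment of the original content, including
    occurrences that straddle a chunk boundary."""
    overlap = len(marker) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return False
            if marker in tail + block:
                return True
            tail = block[-overlap:] if overlap else b""


def demo() -> dict:
    """Constructed demonstration: plant a marker in a temp file, wipe it, check for residue."""
    marker = b"CONTROLLER-FIRMWARE-SECRET-"      # stand-in for the IP on the drive
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 5000)
        path = tmp.name
    try:
        before = has_residue(path, marker)
        size = overwrite_file(path)
        after = has_residue(path, marker)
    finally:
        os.unlink(path)
    return {"bytes": size, "residue_before": before, "residue_after": after}


if __name__ == "__main__":
    print(demo())
```

The read-back check is the step people skip; a wiping tool that reports success without verification is a checklist item, not a countermeasure. Verification against a whole drive is also where the hammer wins on cost: a few minutes per disk versus hours of overwrite passes on a drive whose firmware may be lying about where the data is.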


But - at the end of the day, as I told the security officer at this client, it's gonna be a lot easier for them to take a big 10kg hammer and smash the drives in the barrel on the back lot.

October 15, 2007

Small business security effectiveness

A small to medium-sized business spends a lot more per employee (up to 8x more) on security than large firms. Not surprisingly - since a large company has negotiating power and volume discounts on the purchasing side and economies of scale on the operating end. For sure - one of those scalable unified security appliances (that cost 150k) that look like a good deal for the US Air Force is gonna be mighty expensive per seat for a 300 person law office.

Although many SMEs may be less aware of the latest and greatest security technology, they are probably more aware of their own vulnerabilities; being smaller and flatter organizations, their risk assessment tends to be much simpler and clearer to a business decision maker.

This means that practical threat analysis, which provides a cost-effective, prioritized risk mitigation plan, becomes a killer when combined with economies of scale and volume discounts. Buy the right thing at the cheapest price.

Just a thought.

October 16, 2007

PCI DSS 1.1 can make retailers more secure

Willem de Kooning said that "The trouble with being poor is that it takes up all your time."

The NRF letter to the PCI Security Council brings a sensible approach that credit card security breaches would be reduced if merchants were not required to store payment card data.

The NRF understands that PCI DSS 1.1 is about improving payment card security but claims that "it is unlikely PCI will ever be able to keep pace with the continually-evolving sophistication of the professional hacker, or anticipate every possible variation of future attacks. We believe the time has come to rethink the assumptions behind PCI."

Dave Hogan is right. Merchants SHOULD rethink their assumptions about PCI DSS 1.1. It isn't about compliance for compliance sake, it is about looking carefully at a particular retailer's vulnerabilities and mitigating them with the most cost-effective countermeasures - not storing any payment card data is a great countermeasure.

Mastercard and VISA's position is that merchants are not required to store payment card data, and PCI DSS 1.1 makes it extremely clear that merchants should not store payment card data.

Merchants store payment card data and mag-stripe data because a) it is convenient (enables them to provide customer service easily), b) it helps them improve their marketing (buy 2 shirts and get 1 free with your Mastercard Gold card) and c) the legacy POS and back-office software applications store the data (and who has the strength to perform a software security assessment of some legacy Cobol code).
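A concrete picture of what "not storing any payment card data" means against a legacy record. The Python below is an added example, not code from the card brands, the PCI Council or the self-assessment tool mentioned later; the record layout and field names are constructed. It encodes the two rules from PCI DSS requirement 3 that cover most of what the Forrester numbers describe: sensitive authentication data (full track data, CVV2/CVC2, PIN) is never kept after authorization, and a displayed PAN shows at most the first six and last four digits. The checker reports what a stored record holds that it should not, including card data that has leaked into free-text fields, and the minimizer returns the record with only what customer service and marketing actually need.

```python
import re
from typing import Dict, List

# Added example, not the card brands' or the PCI Council's code. Field names and the
# legacy record are constructed; the rules follow PCI DSS requirement 3: do not keep
# sensitive authentication data after authorization (full track, CVV2/CVC2, PIN) and
# show at most the first six and last four digits of a PAN.
PROHIBITED_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cid", "pin", "pin_block"}
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d*\??")      # ;PAN=YYMM<service code><discretionary>? layout
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")           # candidate card number in free text


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to tell a card number from any other long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_prohibited(record: Dict[str, str]) -> List[str]:
    """Report what a stored record holds that it should not: named sensitive-authentication
    fields, plus track-2 data or an unmasked Luhn-valid PAN hiding in free-text fields."""
    findings: List[str] = []
    for key, value in record.items():
        k = key.lower()
        if not isinstance(value, str) or not value:
            continue
        if k in PROHIBITED_FIELDS:
            findings.append(f"{key}: sensitive authentication data stored")
        elif TRACK2_RE.search(value):
            findings.append(f"{key}: track-2 data found in free text")
        elif k != "pan" and any(luhn_ok(m.group()) for m in PAN_RE.finditer(value)):
            findings.append(f"{key}: unmasked PAN found in free text")
    return findings


def mask_pan(pan: str) -> str:
    """First six and last four, the maximum PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def minimize(record: Dict[str, str]) -> Dict[str, str]:
    """Keep only what customer service and marketing actually need: drop sensitive
    authentication data, mask the PAN, scrub card data out of free text."""
    out: Dict[str, str] = {}
    for key, value in record.items():
        k = key.lower()
        if k in PROHIBITED_FIELDS:
            continue
        if k == "pan":
            out[key] = mask_pan(value)
        elif isinstance(value, str):
            value = TRACK2_RE.sub("[track data removed]", value)
            out[key] = PAN_RE.sub(lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), value)
        else:
            out[key] = value
    return out


# Constructed legacy POS record: the kind of thing a back-office application keeps "for convenience".
LEGACY_RECORD = {
    "customer": "J. Doe",
    "pan": "4111111111111111",                              # published test number, Luhn-valid
    "expiry": "0912",
    "cvv2": "123",
    "track2": ";4111111111111111=09121011234567890?",
    "notes": "refund approved, card 4111111111111111 used again on 10/02",
}

if __name__ == "__main__":
    for finding in find_prohibited(LEGACY_RECORD):
        print("finding:", finding)
    print(minimize(LEGACY_RECORD))
    print("after minimizing:", find_prohibited(minimize(LEGACY_RECORD)))
```

The free-text scan is there because the legacy Cobol problem is rarely a column called `track2`; it is a notes field or a log line where a clerk or a debug statement dropped the whole card number. A masked PAN plus expiry still supports the customer-service and marketing uses listed above, so the convenience argument for keeping the rest does not hold.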

According to a recent Forrester report sponsored by RSA - 81 percent of merchants retain credit card data, 73 percent store expiration dates, 71 percent store verification codes, and 57 percent store magnetic strip data.

As of October 2007, we have reports that 40 percent of retailers have been PCI-certified, and another 50 percent are either in the process of complying or have submitted their "initial validation." In my book that adds up to 90 percent either certified or in the process of complying with PCI DSS 1.1 - that seems pretty good.

SO - if 90 percent of the merchants are on the right path, what is the problem?

The problem (and Mr Hogan knows this) is that only the 1,000 largest retailers require an external auditor - everyone else (over 4 million merchants in the US alone) can fill out an MS Word checklist and self-comply. The NRF understands that an MS Word checklist is practically useless as a countermeasure against attackers who want to steal payment card and mag-stripe data.

I think it's more productive for the National Retail Federation to tell their member merchants that security starts at home with a little practical threat analysis. I highly recommend that retailers download the Free PCI DSS 1.1 self-assessment tool and you'll see how useless MS Word really is in comparison.

October 18, 2007

English communications skills for Information Security pros

As always - some of the best paradigms I get for information security management come from my buddy Issac Botbol of Leadership and training skills for Hispanics in the workplace.

Just because a person doesn't speak a language very well does not mean that they are stupid. I've seen this with Israelis speaking to new immigrant Americans and Russians - they talk slowly and relate to PhDs in Physics as if they were morons.

Issac tells the story of the Seinfeld episode where Elaine seems to be completely stressed out and on the verge of panic as she rushes to make her manicure appointment. It’s obvious that this particular beauty salon, owned by Korean immigrants, is quite a popular and busy place. When Elaine finally arrives, she apologizes profusely to the manager for being late. The beauticians are busy attending other patrons as they listen to Elaine’s sincere apologies. The owner reassures Elaine, telling her not to worry and to take a seat. Elaine appears relieved and gratified with the response. However, immediately after, the owner starts speaking in Korean to her other associates and they break out in a burst of hearty laughter.

Elaine isn’t quite sure what to make of this and she suspects that they’re making disparaging remarks about her. Even though Elaine doesn’t understand a word the Korean staff are saying, her unease grows.

WOH !

This is a priceless example that sounds just like an Information security officer trying to explain the difference between a vulnerability (a person or system having a weakness) and a security threat (an attacker causing damage to an asset) to her boss, the CIO.

Then there is a security breach situation where the information security officer is trying to explain to the IT manager how an employee used a Squid proxy, tunneled an instant messaging protocol inside telnet, which was in turn tunneled inside HTTP, and transferred a customer list to his girlfriend at a competitor.

The security officer cannot grok why the IT manager cannot understand - after all proxies, and tunneling and telnet and stateless HTTP protocols are all basics - right?
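What the security officer could show the IT manager instead of explaining protocol layering: the proxy's own log, with the tunnels picked out. The Python below is an added example (not the author's, the client's or Squid's code) that reads Squid's native access.log layout and flags CONNECT tunnels that go to a port other than 443, carry an unusual amount of data, or stay open for a long time. The three log lines, the client address, the destination hosts and the thresholds are constructed; the log field order is Squid's documented native format.

```python
import re
from typing import Any, Dict, Iterable, List, Optional

# Added example, not Squid's code. Squid native access.log layout (whitespace separated):
#   time elapsed_ms client result/status bytes method URL ident hierarchy/peer content-type
LOG_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<peer>\S+)\s+(?P<type>\S+)\s*$"
)


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """One access.log line to a dict; None for lines that are not in the native format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec: Dict[str, Any] = m.groupdict()
    rec["elapsed"] = int(m.group("elapsed"))
    rec["bytes"] = int(m.group("bytes"))
    return rec


def connect_port(url: str) -> Optional[int]:
    """CONNECT requests log host:port rather than a full URL."""
    host, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def suspicious_tunnels(lines: Iterable[str], allowed_ports=(443,),
                       max_bytes: int = 10 * 1024 * 1024,
                       max_elapsed_ms: int = 60 * 60 * 1000) -> List[Dict[str, Any]]:
    """Return CONNECT tunnels that break the policy: wrong port, too much data, or open too long.
    Thresholds are constructed defaults; tune them to the site's own baseline."""
    findings: List[Dict[str, Any]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        port = connect_port(rec["url"])
        reasons: List[str] = []
        if port not in allowed_ports:
            reasons.append(f"CONNECT to port {port}, not a TLS port")
        if rec["bytes"] > max_bytes:
            reasons.append(f"{rec['bytes']} bytes through one tunnel")
        if rec["elapsed"] > max_elapsed_ms:
            reasons.append(f"tunnel held open for {rec['elapsed'] // 60000} minutes")
        if reasons:
            findings.append({"client": rec["client"], "dest": rec["url"], "reasons": reasons})
    return findings


# Constructed sample: one ordinary page fetch, one TLS tunnel to a mail host, and one
# long, fat CONNECT to port 23 (telnet) on an outside host.
SAMPLE_LOG = [
    "1191592000.123      45 10.0.0.15 TCP_MISS/200 1832 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1191592005.001     812 10.0.0.15 TCP_TUNNEL/200 48211 CONNECT mail.example.com:443 - DIRECT/93.184.216.35 -",
    "1191595600.777 3612000 10.0.0.15 TCP_TUNNEL/200 52428800 CONNECT 203.0.113.7:23 - DIRECT/203.0.113.7 -",
]

if __name__ == "__main__":
    for finding in suspicious_tunnels(SAMPLE_LOG):
        print(finding)
```

The detection is the after-the-fact half; the preventive half is already in Squid's stock configuration, where the `SSL_ports` and `Safe_ports` ACLs with `http_access deny CONNECT !SSL_ports` refuse tunnels to anything but TLS ports. A proxy that has had that line relaxed "to make something work" is the state of weakness the breach story turns on, and it is a one-line thing to show the IT manager.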

It's like veteran Israelis speaking to Russian Physics PhDs as if they were morons, just because they don't speak the lingo.

If you're a security professional or a consultant doing a PCI DSS 1.1 risk assessment for a merchant remember the language gap next time you talk to someone.

October 23, 2007

Options Backdating

I'm doing a risk assessment for an Israeli tech company as part of their annual IT audit for Sarbanes-Oxley compliance. We've been using the practical threat analysis methodology in order to help deepen their understanding of the top threats to their assets.

It's been great using PTA with VP level executives and I've been surprised a few times - like when the CFO asked why they need to do threat analysis if they were Sarbanes-Oxley compliant... That's a tough one...

During the risk assessment, one threat was mentioned by the VPs that surprised me - options backdating. Although about 80 companies are under SEC investigation for backdating options, two Israeli companies got the spotlight locally - Comverse (their former CEO, Kobi Alexander, is a fugitive in Zambia) and Mercury (snapped up by HP for a song after their valuation took a plunge following their options backdating bad news).

Why do Israeli companies get bitten by this?


October 24, 2007

Options Backdating, Mercury Shareholders Receive $117.5M Settlement

Yesterday, I was writing about how risk assessment can help mitigate management over-confidence in their own infallibility. I've been doing some research on risk management as SaaS, and during one of my random walks on the Net the options backdating specter reappeared.

October 16, 2007: Labaton Sucharow, who represent a group of pension funds suing Mercury Interactive over its stock option backdating, said it had achieved a record settlement of $117.5 million.

The law firm apparently specializes in options backdating and has been involved as lead or co-lead counsel in 29 percent of options backdating cases, against companies such as Broadcom, Home Depot, American Tower and Monster Worldwide.

"We are satisfied that the parties have come to a fair settlement and are confident that the award will provide fair recompense to the investors who lost money as a result of Mercury's improper practices," said Joel H. Bernstein, a lawyer for the plaintiffs, in a statement.

HP acquired automated testing company Mercury in November 2006 for $4.5 billion.

Woh - $117.5 million is a pretty big check even for HP. I just hope they take it out of the management bonuses of the Mercury executives.

About October 2007

This page contains all entries posted to Israeli Software in October 2007. They are listed from oldest to newest.

This weblog is licensed under a Creative Commons License.
Small to medium sized retailers can protect payment card data - but it won't be a one-click operation or something they can outsource to a Security in the Cloud service.