
February 2008 Archives

February 1, 2008

Shrinking IT security budgets are better for security

You have one dollar to spend; how do you spend it wisely?
Last week, I wrote about the recession influencing the pricing of IT security and GRC (governance, risk and compliance) vendors: IT security product prices will drop in 2008.

FUD has been great for security vendors. We personally know an Israeli company that wanted Sarbanes-Oxley compliance so badly, they laid out $1 million on IT security products. Last month, they wanted to survive so badly, they RIF'd 750 employees. Like the old Arab proverb, "Yom Asal, Yom Basal" (one day honey, one day onion; today it's onion).

We're now seeing companies spend less on security products.

Having less money to spend is an amazing enabler for being more effective.


February 4, 2008

Application software risk assessment review checklists

There is a tendency in recent years to view risk assessment as a process that can be automated with vulnerability scanners, black box source scanners, etc. These tools are extremely helpful for getting a quick handle on the problems, but they don't address the fundamental issues of buggy software.

I had a conversation with a potential client (a large ISP) this week that went something like this:

Prospect - "I would like to have a chance to meet and discuss opportunities with you for a software security assessment of our customer-facing applications."

Us - "That would be our pleasure. We do application software threat analysis, since the majority of data breaches are caused by attackers that exploit application software vulnerabilities."

Prospect - "I guess we are not talking about a Checkmarx competitor?"

Us - "Not at all. We may employ source code scanners like Checkmarx to assist with the software security assessment, but our approach is very business driven. We don't sell a technical product."

You can read about the methodology here: Risk reduction for legacy information systems

February 6, 2008

Software risk assessments, redux - the role of static code analysis

Tuesday nights I learn daf yomi with my friend Yaron, who is a software engineer at a big Israeli hi-tech company that makes data communications hardware.

First thing he does when I come over is put up a pot of coffee, and we start shooting the bull about the more spectacular software bugs we saw recently. He's a real-time programmer, working in a VxWorks environment in C. I'm more into Linux, Web applications and software security; we do a lot of software security assessments and see a lot of bugs.

They started using a static analysis tool called Klocwork to help them scan their sources for bugs. I noticed from the Web site that Klocwork is also used for software security assessments.

His beef for the past month has been some programs that were scanned by Klocwork.

My buddy inherited the module from two other programmers who went on maternity leave. After Klocwork turned up some non-fatal problems (if conditions that would never execute), he gave up and did a manual full code review.

Spaghetti code cannot begin to describe the examples he gave me. Would you believe real-time code with arrays of arrays of arrays of pointers, nested 3 deep? Or how about an implementation of a Quality of Service bandwidth allocation algorithm that divides by remaining bandwidth instead of total bandwidth, effectively oversubscribing the link because of an implementation bug?

Bottom line: the first bug is purely sloppy coding. The second is a classic implementation mistake. Software bug scanners like Klocwork are a good starting point, but they cannot replace my friend Yaron.
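The second bug, reconstructed as an added example (this is not Yaron's code or anything from the page): a proportional bandwidth scheduler whose denominator is the bandwidth still unallocated instead of the total requested. The link size, flow count and requests are constructed sample values, and the exact form of the original bug is assumed; the point is that both versions type-check and neither is a "dead if", so a scanner has nothing to flag, yet one hands out more than twice the link.

```c
#include <stdio.h>

/* Constructed sample: three flows competing for a 100 Mbit/s link. */
#define LINK_KBPS 100000u
#define NFLOWS 3
static const unsigned REQUEST_KBPS[NFLOWS] = { 50000u, 30000u, 20000u };

/* Correct proportional share: alloc_i = link * request_i / total_requested.
 * Returns the sum of allocations, which can never exceed the link. */
unsigned allocate_fair(const unsigned *req, unsigned *alloc, int n, unsigned link)
{
    unsigned long long total = 0;
    unsigned given = 0;
    for (int i = 0; i < n; i++) total += req[i];
    if (total == 0) return 0;               /* nothing requested, nothing to share */
    for (int i = 0; i < n; i++) {
        alloc[i] = (unsigned)((unsigned long long)link * req[i] / total);
        given += alloc[i];
    }
    return given;
}

/* Same loop with the implementation bug (assumed form): the denominator is
 * the requested bandwidth not yet handed out, which shrinks every iteration,
 * so each later flow receives a larger fraction of the whole link. The last
 * flow always gets link * req / req, i.e. the entire link. */
unsigned allocate_buggy(const unsigned *req, unsigned *alloc, int n, unsigned link)
{
    unsigned long long remaining = 0;
    unsigned given = 0;
    for (int i = 0; i < n; i++) remaining += req[i];
    if (remaining == 0) return 0;
    for (int i = 0; i < n; i++) {
        alloc[i] = (unsigned)((unsigned long long)link * req[i] / remaining); /* BUG */
        remaining -= req[i];
        given += alloc[i];
    }
    return given;
}

int main(void)
{
    unsigned fair[NFLOWS], buggy[NFLOWS];
    unsigned f = allocate_fair(REQUEST_KBPS, fair, NFLOWS, LINK_KBPS);
    unsigned b = allocate_buggy(REQUEST_KBPS, buggy, NFLOWS, LINK_KBPS);
    for (int i = 0; i < NFLOWS; i++)
        printf("flow %d: request %u, fair %u, buggy %u kbps\n", i, REQUEST_KBPS[i], fair[i], buggy[i]);
    printf("fair total %u, buggy total %u, link %u -> %s\n", f, b, LINK_KBPS, b > LINK_KBPS ? "OVERSUBSCRIBED" : "ok");
    return 0;
}
```

A unit test that asserts the sum of allocations never exceeds the link is the kind of check that catches this; a syntactic scanner does not.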

February 7, 2008

PCI DSS self-assessment - update

You'll need plenty of these before you finish your PCI DSS self-assessment
226 questions that do nothing to help a small Level 4 merchant (less than 20,000 transactions a year) build and implement a cost-effective risk mitigation plan. Fill out the questionnaire, and then what?

Long overdue, the PCI DSS validation documents for self-assessment have been updated to the current standard, PCI DSS 1.1. Version 1.1 of the Self-Assessment Questionnaire has been rewritten to be more in line with the Security Audit Procedures. There are also several companion documents:

The merchant must verify that it adheres to all of the requirements stipulated in the PCI DSS. But hey, who cares about implementation, how much it costs, and whether or not the requirements are relevant to the merchant and his operating environment?

Any merchant who takes the PCI DSS 1.1 self-assessment checklist seriously should use the free Practical threat analysis for PCI package. It makes the credit card risk assessment simple and cost-effective. This great free software will also save you money on your security implementation by helping you select the most cost-effective countermeasures.

February 12, 2008

Fraud and data leakage

We're all high-tech over here, but a chat with a colleague about a beverage company uncovered a story as simple as 500 cases of beer being sent to a relative in another city. The external auditors look at policies and procedures and ignore bugs in business applications that enable operations people to game the system and pocket profits.

I seem to be thinking a lot about beer lately. Maybe it's the aftershock from the year-end IT audits.

Beverage manufacturers and distributors must deal with fraud and data leakage. Is auditing the business process and procedures sufficient? Nope.

Fraud: one of the big issues a beverage distributor has is fraudulent invoicing. For example, people in order entry and logistics management manipulate the system to deliver 500 cases to their brother-in-law and credit him for 450, reporting the difference as spoiled goods. A double-pronged approach that combines business application threat analysis and business vulnerability analysis audits the supply chain applications, finds the problems and fixes them. Forget about sophisticated database monitoring technology; a risk assessment process that combines software security expertise with practical business expertise is a slam-dunk for the customer.

Data leakage: it turns out that pricing and recipes are a very big deal for a company like Zywiec or Coca Cola. An extrusion prevention system like Fidelis XPS monitors movement of pricing and recipe data and can actively prevent unauthorized transfer to competitors.

By the way, Zywiec is a pretty good beer.

February 13, 2008

Facebook security breaches

Over a year ago I wrote about how information systems at US colleges have become popular targets for security breaches. According to data published by ChoicePoint (itself a major victim in 2005), over a third of last year's 170 high-profile privacy breaches were internal attacks on campus.

Now there is growing concern about Facebook security breaches. Facebook started as a social networking tool for college and high school students, where the boundaries and environment are fairly static and well-defined. Today, of course, Facebook is a fun, easy-to-use tool that anyone can use.

When we say security breach in the framework of a social network like Facebook, we really mean two things:

1) Trusted insiders inside the Facebook organization who have uncontrolled access to the personally identifiable information (PII) of end users.

2) Facebook end users who are vulnerable to phishing and impersonation attacks and may divulge their own personally identifiable information (PII) (or worse: think about 35-year-old men impersonating 16-year-old boys and preying on high-school freshmen).


February 14, 2008

Shrinking IT security budgets - are the Irish on to something?

Ireland leads the EU with the highest GDP growth in Euroland, over 5 percent in 2007 and twice the EU average (see this article from PwC), but less than half of Irish firms have a business plan for IT, according to an article published in the Irish Silicon Republic.

This is refreshing news in the sense that it tells the truth, and not having an IT business plan is probably true at most other places in the world. A more meaningful comment in the article, in my view, is the statement that:

Only 7 percent said they planned to improve the security of existing IT infrastructure this year.

I would normally assume that not planning means not investing in IT security, but I think something deeper is happening.

We are constantly bombarded in the press with Sturm und Drang: threats and gloomy prognoses for virus and worm exploits.

Most of these doom and gloom forecasts are written by vendors like McAfee and Symantec, who have a vested interest. The Irish, being practical folk, may be reacting by simply ignoring the FUD tactics of vendors and investing where their security risk assessment shows good ROI. In other words, half invest by ROI. The other half don't plan and wait for something to happen first.

February 17, 2008

The straight-talk express on Sarbanes Oxley for SMB

Straight talk from the SEC: a business should be allowed to use common business sense to find and fix material weaknesses in its internal controls.
At the beginning of this month, the SEC announced that it was starting a cost-benefit study of the Sarbanes-Oxley 404(b) SMB (small to medium-sized business) requirements. Section 404(b) requires an external auditor to attest to compliance, unlike PCI DSS, which has adopted a self-assessment process (and recently upgraded it to the PCI DSS 1.1 standard).

What is this all about?

Is this about small businesses paying a lot more for compliance than big business? That is how the IT trade press is playing it.

I don't think so.

I read the notes from the open meeting on the SEC's Proposed Interpretive Guidance to Management for Section 404 of the Sarbanes-Oxley Act that took place on May 23, 2007.

The SEC says that a business should be allowed to use common business sense to find and fix material weaknesses in its internal controls.


February 24, 2008

SOX, ISO, COBIT and ITIL - putting the cart before the horse?

What do governance, compliance and risk TLAs have to do with SOX compliance?

You can have strong security controls that mitigate the wrong security threats (COBIT).

You can have strong IT best practices that don't mitigate any security threats (ITIL).

You can have strong IT security management and still have inadequate financial reporting controls (ISO 27001).

SOX (Sarbanes-Oxley) 404 requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This requires documenting and testing financial, manual and automated controls. Is it primarily an IT security issue?

No.

ITIL (the IT Infrastructure Library framework) is a set of best practices for IT operations and has little to do with SOX and PCI DSS compliance. While there is an ITIL Financial Management module, the ITIL process itself does not require a financial audit of IT and is therefore irrelevant to SOX compliance.

ISO 27001 is the information security risk assessment standard for certification and sets the requirements that an organization must fulfill in order to establish an information security management system. ISO 27001 certification will help an organization improve its IT security, but ISO 27001 certification is no guarantee that a publicly-traded firm will be SOX 404 compliant. Or, in straight talk: you can mitigate application security vulnerabilities and still steal money from the shareholders.

COBIT (Control Objectives for Information and related Technology): the SEC accepts COBIT as a control framework standard for governance, security, and internal control best practices. Although use of COBIT is not mandatory for SOX compliance, the framework has been adopted by many companies to attain SOX compliance in their IT operational processes. The main issue I have with COBIT is that it places the answer before the question. A company must adopt the 34 control objectives in COBIT regardless of the value of the company's digital assets, the business threats, the asset vulnerabilities and the calculated dollar risk profile. A company may use COBIT to meet SEC standards for internal security controls without knowing if those controls are effective in mitigating the threats it faces. In other words, you can waste a lot of money, have your risk and eat it too.

Recommendations

For SOX compliance, leave ITIL alone. Adopt COBIT (if you are a big company) or ISO 27001 (if you are smaller), but first do a risk assessment in dollar values. Don't implement any security controls in any framework before doing a practical threat analysis and justifying cost versus risk mitigation effectiveness.


February 26, 2008

Nailing a meeting in 30 seconds

I'm taking a break from my normal ranting on all the things I think are wrong with IT compliance and risk management: too much technology, complex internal security control frameworks, fuzzy qualitative risk assessments (the risk of a data breach is "medium"), vendor-driven security countermeasures (buy an Imperva application security firewall and be PCI DSS 1.1 compliant forever) and too many controls that come with too little root-cause analysis (PCI DSS 1.1 SAQ).

I just finished reading a great article on Forbes online by Glen Porter called The Most Important 30 Seconds Of Any Sale.

The most daunting task in sales is cracking open the door. I totally agree. All the sales and business development strategy books that you've read tell you about the 47 steps in the complex sale you must execute in order to close. But Glen tells it like it is: the decision maker you need doesn't have time for 47 complex sales steps. Your first step is to close a 20-minute meeting with the most senior executive relevant to your cause in your prospect's organization.

Over 40 years ago, Bob Townsend wrote "Up the Organization" and talked about how important it is to sell bottom-up. Bob pointed out that even if you sell a senior guy on your product or service, a person lower down in the organizational bureaucracy can sink your ship by putting your PO in a bottom drawer. This may still be true in government agencies, but in my experience the world is a much more complex place, with a lot more competition and noise than when Townsend wrote about how he turned around Avis.

You need to get the message through, and 60 seconds for an elevator pitch is about what you have. If you're writing an executive summary for an investor, forget the 47 steps to business plan development. Remember that your prospect sees 50 business plans a day, and all of them claim to be the next salesforce.com or the next Google, or to revolutionize mobile content or online advertising. Your investment prospect has an attention span of 3 pages and your sales prospect has an attention span of 60 seconds. Cognitively, remember that in every 1 second of a conversation we all lose 10% focus: 10 seconds into the pitch, if you haven't snagged her attention, you have probably lost the battle.

We implemented this strategy with a prospect recently. We had an hour for a presentation, but within 15 minutes and 8 slides we had finished the pitch. The prospect looked us in the eye and gave us 5 very good reasons, and 30 minutes of his time, why he would not buy. We left disappointed but with important insights: no time wasted and great input to help us improve.

About February 2008

This page contains all entries posted to Israeli Software in February 2008. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License. Powered by Movable Type 3.32.