
March 2008 Archives

March 4, 2008

2,000 compliance heads did not prevent 7.1 Billion dollars of fraud

I've been wanting to write about the debacle at Société Générale for a while.

As reported by David Jolly in the New York Times on January 24, 2008, the French bank Société Générale said that it had uncovered "an exceptional fraud" by a trader that would cost it €4.9 billion, or about $7.1 billion, and that it would seek new capital of about $8 billion.

The company said in a statement that the fraud had been committed by a trader in charge of "plain vanilla" hedging on European index futures.

Société Générale employs 2,000 people in its compliance department - what the heck were these people doing?

Probably checking off items in a compliance checklist.

That's just about where this $18BN/year GRC market is right now: checking off items dictated by a regulator who has never met the company, its employees, managers, customers and suppliers.

How did we get to this sorry state of affairs? Basically because it's easier to check off an item on a list than to identify the root cause and fix the problem.

I met with a big GRC (governance, risk and compliance) consulting firm in Europe recently and we were discussing how they might use the Practical Threat Analysis methodology in their risk assessment practice.

The idea behind Practical Threat Analysis is that everything has a cost, and that risk is not an amorphous entity to be estimated on its own. Risk has root causes in any organization: the root causes of risk are threats that exploit vulnerabilities of the company's physical, digital, operational and reputation assets. Risk is mitigated by appropriate security countermeasures that reduce the amount of damage an exploit can cause.

The big consulting company loved the idea of quantitative risk assessment but they had two reservations:

1. Current risk assessment projects are qualitative and are based on data collection interviews, and are therefore manpower intensive. Since the projects are costed on the basis of manpower, the consultant doesn't have the budget to perform a quantitative risk assessment. In other words, a big bank might spend 1 million Euro on a GRC assessment and still not know a) how much financial exposure they actually have and b) how much their security countermeasures are going to cost.

2. How to estimate the value of assets? A cornerstone of Practical Threat Analysis is estimating asset value in dollars (or Euro) and truth be told - the answer to this question is simple. Ask the right person. If you want to know the damage to the company if they don't report on time to the NASDAQ, then ask the CFO. If you want to know the cost of a firewall - ask the network administrator or IT manager.

March 5, 2008

Change always has political implications

Plato wrote in the Fourth Book of "The Republic":

"For the introduction of a new kind of music must be shunned as imperiling the whole state; since styles of music are never disturbed without affecting the most important political institutions."

Recently I joined an expert committee to review a draft law in the Israeli Knesset regulating eCommerce - one of our objectives is also to produce a seal of quality for Israeli eCommerce Web sites. The law aims to fill a void that exists in the current criminal code and consumer protection legislation in the realm of digital messaging.

The draft is heavy on privacy, DRM and IP protection regarding the responsibilities of service providers, but it ignores the issue of data integrity compromised by fraudulent and/or malicious actions by insiders.

Remember Société Générale?

We need a new kind of music in the GRC - governance, risk and compliance space - a kind of music that will emphasize the importance of people in the risk and security process.

I believe that security is about people inside the organization - not about vendor technology. Most threats are inside a company and most vulnerabilities are inside software applications.

The draft law for eCommerce in the Knesset is a good start for Israel - now if we can only get the politics right....

March 9, 2008

Protecting America from the Protect America Act

This new US law, passed in August 2007, allows warrantless wiretapping whenever one end of the communications link is believed to be outside US borders.

Considering the breadth of content interception made possible by the law, it is inevitable that domestic US communications will be intercepted and civil liberties threatened.

Regardless of American civil liberties concerns, the Protect America Act warrants a systematic threat analysis, since the surveillance system itself is at risk from trusted insiders and malicious outsiders.

In 2006, the cell phone traffic of over 100 senior members of the Greek government was intercepted by insiders who exploited a legally installed wiretapping system. A number of people at Telecom Italia have been arrested for illegal wiretapping and attempted blackmail. Read some fascinating aspects of the Vodafone Greece affair and Telecom Italia here - Two Strange Deaths in European Wiretapping Scandal.


March 11, 2008

Trusted insider threats and Identity management

I've been having some serious discussions about the future recently - no, not with Jennifer Aniston.

I had coffee the other morning with a colleague, Yoran Sirkis, who is VP Professional Services at Comsec Global. We were talking about where we see the future of GRC (governance, risk and compliance) systems. A lot of the conclusions from analysts at places like Gartner, Forrester and CERT (Carnegie Mellon Software Engineering Institute) are contradictory - like CERT pointing at trusted insider threats as the number one cause of financial and operating damage, and Gartner pointing at Identity Management as the top security countermeasure to be implemented.

If trusted insiders are the number one threat - then it's impossible that an Identity Management system is the best security countermeasure.


March 12, 2008

Sears using spyware for sales promotion

I somehow missed the big brouhaha with Sears privacy breaches in their online marketing.

The news broke in December and has been extensively covered online at Valleywag - Sears covertly spying for Comscore - and a detailed analysis of exactly how the Comscore proxy works is described on Ben Edelman's web site here.

I thought browser proxies went out of fashion in 2001, but this one has some pretty good attack functionality:

1. Monitors all Internet traffic to and from the user's PC.
2. Monitors HTTPS sessions - generally logins and shopping / banking sites.
3. Parses the header section of personal emails.

The response from Sears has been that users can join the community without installing the Comscore software and that Comscore scrubs PII (personally identifiable information) from the data they receive.

Considering the poor record of US companies on protecting customer data in the past 8 years, I would not take the Sears and Comscore pronouncements as legitimate, let alone effective, security countermeasures.

Install the Sygate 5.52 Personal Firewall if you're using Windows or Windows XP.

Practice safe Internet - don't download software you don't want.
Block outgoing traffic from all unknown applications on your PC.

March 17, 2008

4.2 Million Credit Card Numbers Stolen From Supermarket Chain

FoxNews reported on Monday another in a series of credit card extrusion events - 4.2 Million Credit Card Numbers Stolen From the Hannaford Bros Supermarket Chain.

Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

The information being publicly reported leaves a lot unsaid:

1. Hannaford claims that they don't store any PII (personally identifiable information) and that only credit / debit card numbers were involved in the extrusion event. However, almost 2,000 cases of fraud were reported, which appears contradictory: in order for the criminal to actually use the card numbers, he or she would need the additional security number and a name and address that would pass muster with the address verification processing.

2. Hannaford CEO Ronald C. Hodge stated that they would bolster their network security. Equivalent to closing the barn door after the horses have fled, this raises the question of whether or not Hannaford was PCI DSS 1.1 compliant. If they are compliant, it raises additional questions regarding the state of their security countermeasure implementation.

3. Extrusion events like this don't happen because of network vulnerabilities.

The primary vulnerability category is buggy, insecure software applications that enable attacks on digital assets.

The majority of customer data security breaches occur because of software vulnerabilities that can be identified and mitigated by performing an application software risk assessment. Since the card authorization process involves a piece of software reading card numbers from the POS system and transmitting them over an encrypted link to the payment authorization network - it is a reasonable assumption that the attack vector is on the interface between the software and the communications link.

A malicious outsider could have hacked into the internal corporate network looking for credit card data. There are probably two threats - one is to sniff a link between the authorization program and the external communications line, the second is to look for temporary files with credit card numbers. My bet is that the application receives card numbers from the POS systems in a temporary file and that a bunch of these files are stored - if Hannaford is using zero floor limit on the card authorizations - every transaction is authorized - if not then there will be some batch processing with a number of card numbers stored in a single file.
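The "temporary files with credit card numbers" threat above is one a defender can actually look for: a data-at-rest scan of batch and temp directories for strings that look like card numbers. The following is an added example, not Hannaford's software or anything from the original post. It scans text for 13 to 19 digit candidates (with optional space or hyphen separators), keeps only those that pass the Luhn check that card schemes use, and reports them masked so the scanner itself does not become another store of card data. The batch file content is constructed for the example and uses publicly known test card numbers, not real accounts.

```python
import re
import sys

# Constructed sample of what a batch authorization temp file might look like.
# Card numbers are publicly known test numbers; the 4111-...-1112 line and the
# 13-digit ticket number are deliberate decoys that fail the Luhn check.
SAMPLE_BATCH = """\
2008-03-10 08:14:02 POS-117 AUTH 4111111111111111 exp=0910 amt=43.17
2008-03-10 08:14:09 POS-117 AUTH 5500000000000004 exp=1209 amt=12.80
2008-03-10 08:15:33 POS-042 AUTH 4111-1111-1111-1112 exp=0111 amt=99.00
2008-03-10 08:16:01 POS-042 REF ticket=1234567890123 amt=5.00
2008-03-10 08:16:45 POS-203 AUTH 378282246310005 exp=0312 amt=210.45
"""

# 13-19 digits, each digit optionally followed by one space or hyphen,
# not preceded or followed by another digit (so we don't start mid-number).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the BIN (first 6) and last 4, as PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (line number, masked PAN) for every Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((lineno, mask(digits)))
    return hits


def scan_files(paths):
    """Scan each file path given; returns {path: [(line, masked PAN), ...]}."""
    report = {}
    for path in paths:
        with open(path, "r", errors="replace") as fh:
            found = find_pans(fh.read())
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    # With no arguments, run over the constructed sample instead of real files.
    if len(sys.argv) > 1:
        results = scan_files(sys.argv[1:])
    else:
        results = {"<sample>": find_pans(SAMPLE_BATCH)}
    for path, hits in results.items():
        for lineno, pan in hits:
            print(f"{path}:{lineno}: possible card number {pan}")
```

Run it against the directories the authorization software writes to; every hit is either a file that should not exist after the batch is sent, or a file that must be encrypted and access-controlled under PCI DSS. The Luhn filter is what keeps the noise down: the 13-digit ticket number and the mistyped card in the sample are both rejected.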

A lot of these cases are inside jobs - it's a lot easier for a company like Hannaford to blame a hacker for their data security breach than to talk about the trusted insiders who attacked their customer data. It could have been as simple as a contract programmer zipping up all those temporary files and emailing them to a collaborator.

Visa and MasterCard stipulate in their contracts with retailers that they will not divulge who the source is when a data breach occurs.

I guess - we will probably never know.

March 18, 2008

What Japanese Customers Want

My buddy Todd Walzer from iLand6 in Japan always has interesting insights on the Japanese technology markets. Todd sent this to me the other day:

People ask me what Japanese customers want. Besides the obvious things like long-term business relations with people who speak Japanese, there are a few requirements worth noting.

In the network area, customers want redundancy. This is the case not only for carriers, but for any enterprise larger than a SoHo.

Western system vendors coming to Japan often expect an ROI-based redundancy approach, in which customers analyze the probability of failure at each link, and implement a total solution that provides high uptime at an affordable cost.

In Japan, it's much simpler. You install two units of each network device with redundant cabling. You duplicate your external communication lines either through 2 fibers with different routing, or 1 fiber and a backup by copper, wireless, etc.

Higher cost? Yes. But, you assure a high reliability operation that is always up.

iLand6 Capital and Development Co. Ltd. is based in Tokyo and focuses on the Japan Communications Market, in sales and business development.

March 20, 2008

5 Steps to cost-effective risk mitigation

Another extrusion event popped up on my radar screen this week - Harvard revealed last week that personally identifiable information (PII) of 6,000 applicants has ended up on BitTorrent:

“The University’s initial examination did not reveal the full extent of the hack. As the investigation continued, it became apparent that some sensitive applicant data, including Social Security numbers, could potentially have been accessed.”

“Harvard officials said the data includes the applicant’s name, Social Security number, date of birth, address, e-mail address, phone numbers, test scores, previous school attended, and school records.”


March 25, 2008

Free Open Source risk assessment software - part 1

Not every business model can be copied successfully.

Being in the security business the past 5 years but having spent a long time in the open trenches of Open Source Web applications, a light finally went on in my head - has the time come for Free Open Source risk assessment software?

Point 1 - Is free open source software a force to be reckoned with in business applications?

A more general question regards the applicability of FOSS (free open source) business models to business application software. Infrastructure software such as operating systems (Ubuntu, Red Hat Linux, BSD and the rest of the Linux distributions), databases (MySQL, PostgreSQL) and GUI development (GTK, Qt) has dominated Open Source business in the past few years. On SourceForge, 12 out of 14 software categories are infrastructure - 1 is for Enterprise software such as ERP and CRM and 1 is for financial software such as office suites and project management. In terms of the number of projects, only 9,000 out of over 260,000 Open Source projects are for business applications.

Point 2 - Open Source Business applications compete with SaaS not with Oracle

It's hard to estimate the impact of Open Source business applications such as SugarCRM on the revenue of big software companies like Oracle, but it's clear that a much more significant competitor to SugarCRM (and FOSS business software like Compiere in general) is SaaS - Software as a Service.


March 26, 2008

Free risk assessment software - part 2

With Axentis charging $100,000 setup and another $100,000/year for a GRC management system run as a software service - we are now back in Kansas - with big iron enterprise software.

Is enterprise risk management software vulnerable to Open Source competitors?

Maybe.

Enterprise software like Oracle back in the 90s was vulnerable to highly capable free open source offerings like MySQL that were capable of solving a decent sized subset of the business requirements for a very small fraction of the price. Microsoft SQL server picked up market share, MySQL took off and Oracle eventually dropped their prices.

With over 100 vendors competing in the enterprise risk management space (more about that market in another posting) and average prices over $500,000 according to analysts, it appears that Enterprise risk management/GRC software is ripe for the picking.


March 27, 2008

Why installing more security products is a bad idea

Defense in depth is a mantra - but I think the inflation of security technologies is increasing the operational risk of information security, not mitigating risk.

Reason 1 - More security elements increase risk
Adding more network security elements tends to increase the total system risk, as a result of the interaction between the elements. For example - companies that attempt to mitigate internal threats and control interior network channels with firewalls and proxies experience an inflation of firewall rules and endpoints that bypass the proxies.
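The "inflation of firewall rules" is measurable: once a rule base grows by accretion, later rules are silently covered by earlier ones, so a deny added after an allow never fires and nobody notices. The following is an added example, not code from the original post or from any firewall vendor; it assumes a simplified first-match rule model (source CIDR, destination CIDR, inclusive TCP port range, allow/deny) and a constructed rule set. It reports each rule that is fully covered by an earlier rule, as "shadowed" when the actions differ (the later rule is dead) or "redundant" when they agree.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    ports: tuple       # (low, high) inclusive destination port range


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matched by `later` is also matched by `earlier`."""
    src_ok = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
    dst_ok = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
    ports_ok = earlier.ports[0] <= later.ports[0] and later.ports[1] <= earlier.ports[1]
    return src_ok and dst_ok and ports_ok


def analyse(rules):
    """First-match semantics: flag each rule entirely covered by an earlier one.

    Returns a list of (rule name, "shadowed" | "redundant", covering rule name).
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append((later.name, kind, earlier.name))
                break  # the first covering rule is the one that decides the packet's fate
    return findings


# Constructed rule base showing how accreted rules interact.
RULES = [
    Rule("allow-lan-web", "allow", "10.0.0.0/8", "0.0.0.0/0", (80, 443)),
    # Added later by someone who wanted to cut finance off from HTTP: never fires.
    Rule("deny-finance-http", "deny", "10.20.0.0/16", "0.0.0.0/0", (80, 80)),
    # Duplicate of part of rule 1, added because nobody read the existing rules.
    Rule("allow-lan-https-again", "allow", "10.0.0.0/16", "0.0.0.0/0", (443, 443)),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", (1, 65535)),
    # Placed after deny-all, so internal DNS is silently broken.
    Rule("allow-dns", "allow", "10.0.0.0/8", "10.0.0.53/32", (53, 53)),
]

if __name__ == "__main__":
    for name, kind, by in analyse(RULES):
        print(f"{name}: {kind} by {by}")
```

The "shadowed" findings are the operational risk the post is talking about: each one is a control that the administrator believes exists and that the firewall never applies. Real rule bases also need partial-overlap detection and protocol awareness, but this full-cover check alone catches the cases that come from stacking rules on top of each other without a review.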

Reason 2 - Feature discussion is not risk assessment
Many companies tend to spend their time evaluating vendor features instead of performing a risk assessment. This usually results in installing a product with absolutely no understanding of ROSI - return on security investment. After buying a security product based on marketing and FUD tactics - the customer (not the vendor) pays for ownership of an inappropriate solution in addition to paying for the damage caused by attackers who exploit the unmitigated vulnerabilities.

Risk management needs to be an ongoing exercise and a critical examination of the most cost-effective security countermeasures.
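The ROSI (return on security investment) mentioned under Reason 2 is the same calculation the March 4 post describes for Practical Threat Analysis: put a currency value on each asset, express threats as a probability of exploiting a vulnerability and a fraction of the asset damaged, and treat countermeasures as a cost plus a fraction of the damage they prevent. The following is an added example, not the Practical Threat Analysis software or the consulting firm's model; all the asset values, probabilities and costs are constructed for illustration. It computes total annual financial exposure before and after a countermeasure, then ranks countermeasures by ROSI so the one that costs more than it saves (a second firewall bought on features rather than on risk) sorts to the bottom.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float                 # damage value in Euro, obtained by asking the asset owner


@dataclass
class Threat:
    name: str
    asset: str                   # name of the asset the threat damages
    annual_probability: float    # chance the threat is realised in a year
    damage_fraction: float       # share of the asset value lost per incident


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    mitigation: dict             # threat name -> fraction of that threat's damage prevented


def annual_loss_expectancy(assets, threats, countermeasures=()):
    """Sum over threats of asset value x damage fraction x probability x residual."""
    values = {a.name: a.value for a in assets}
    total = 0.0
    for t in threats:
        residual = 1.0
        for cm in countermeasures:
            residual *= 1.0 - cm.mitigation.get(t.name, 0.0)
        total += values[t.asset] * t.damage_fraction * t.annual_probability * residual
    return total


def rosi(assets, threats, countermeasure):
    """(risk reduction - cost) / cost; negative means the control costs more than it saves."""
    before = annual_loss_expectancy(assets, threats)
    after = annual_loss_expectancy(assets, threats, [countermeasure])
    return ((before - after) - countermeasure.annual_cost) / countermeasure.annual_cost


def rank_countermeasures(assets, threats, countermeasures):
    scored = [(cm.name, rosi(assets, threats, cm)) for cm in countermeasures]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed data: a bank-like organisation with three assets and three threats.
ASSETS = [
    Asset("trading-positions", 20_000_000),
    Asset("customer-db", 5_000_000),
    Asset("regulatory-reporting", 2_000_000),
]
THREATS = [
    Threat("insider-unauthorised-trade", "trading-positions", 0.10, 0.5),
    Threat("sql-injection-customer-db", "customer-db", 0.20, 0.4),
    Threat("late-filing", "regulatory-reporting", 0.05, 1.0),
]
COUNTERMEASURES = [
    Countermeasure("trade-limit-monitoring", 150_000, {"insider-unauthorised-trade": 0.8}),
    Countermeasure("app-code-review", 120_000, {"sql-injection-customer-db": 0.7}),
    Countermeasure("second-firewall", 200_000, {"sql-injection-customer-db": 0.1}),
]

if __name__ == "__main__":
    print(f"exposure before: {annual_loss_expectancy(ASSETS, THREATS):,.0f}")
    print(f"exposure with all: {annual_loss_expectancy(ASSETS, THREATS, COUNTERMEASURES):,.0f}")
    for name, score in rank_countermeasures(ASSETS, THREATS, COUNTERMEASURES):
        print(f"{name}: ROSI {score:.2f}")
```

With these numbers the exposure is 1.5 million Euro a year, trade-limit monitoring returns over four times its cost, and the second firewall has a negative ROSI: it is exactly the "inappropriate solution" the post describes, and the model makes that visible before the purchase order rather than after. The asset values and probabilities are the hard part; as the March 4 post says, the way to get them is to ask the CFO, the IT manager, or whoever owns the asset.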


About March 2008

This page contains all entries posted to Israeli Software in March 2008. They are listed from oldest to newest.
Creative Commons License
This weblog is licensed under a Creative Commons License.