Category Archives: Internal security

Better physical security with more eyeballs

Big companies have lobbies and receptionists. They may have many visitors during the day not to mention messengers from FedEx, DHL, TNT, Poczta etc.

A DHL courier recently visited the offices of a client to pick up a package.  He walked in, picked up 5 expensive mobile computers and notebooks, put them in the pouch and walked out.

In China and Taiwan, culturally, a white face is always trusted; in Israel, Turkey and Rome, everyone is a friend. In Poland, receptionists defer to guests and may be intimidated by non-Polish speakers.

But people are not always what they seem.

Here are 3 simple steps to improve your physical security that do not involve advanced technology – only the power of the people you already have.


Tell your friends and colleagues about us. Thanks!

Invisibility cloak

Didn’t you want one of those invisibility cloaking devices back when you were in high school?

I sure did – but I grew up on Star Trek

According to the Discovery Channel – we’re within 6 months of a cloaking device – the only catch is that it will only be good for 2D surfaces. Not for watching girls in the locker room.


Houston, we have a problem

Are you like the rest of the lemmings?

Most companies we know don’t have the faintest idea of what’s going on inside the corporate network. Once company management discovers that almost all their employees cc company documents to their Gmail accounts so they can access the data at home, it becomes a “Houston, we have a problem” moment.



The truth about the Palestinian-Israeli conflict

The one-sided UN resolution that didn’t even mention Hamas was not surprising. It’s 14 days into the war on Hamas in Gaza, and it seems a good time to share a few brief facts on the Israeli-Palestinian conflict:

1. Nationhood and Jerusalem.  Israel  became a nation in 1312 B.C.E. Two thousand years before the rise of Islam.

2. Arab refugees in Israel began identifying themselves as part of a Palestinian people in 1967, two decades after the establishment of the modern State of Israel .

3. Since the Jewish conquest in 1272 B.C.E., the Jews have had dominion over the land for one thousand years with a continuous presence in the land for the past 3,300 years.

4. The only Arab dominion since the conquest in 635 C.E. lasted no more than 22 years.

5. For over 3,300 years, Jerusalem has been the Jewish capital.  Jerusalem has never been the capital of any Arab or Muslim entity.  Even when the Jordanians occupied Jerusalem, they never sought to make it their capital, and Arab leaders did not come to visit.

6.  Jerusalem is mentioned over 700 times in the Old Testament.   Jerusalem  is not mentioned once in the Koran.

7. King David founded the city of Jerusalem.  Mohammed never came to Jerusalem.

8. Jews pray facing Jerusalem.  Muslims pray with their backs toward Jerusalem.

9. Arab and Jewish Refugees: In 1948 the Arab refugees were encouraged to leave Israel by Arab leaders promising to purge the land of Jews.  Sixty-eight percent left without ever seeing an Israeli soldier.

10. The Jewish refugees were forced to flee from Arab lands due to Arab brutality, persecution and pogroms.

11. The number of Arab refugees who left Israel in 1948 is estimated to be around 630,000.  The number of Jewish refugees from Arab lands is estimated to be the same.

12. Arab refugees were INTENTIONALLY not absorbed or integrated into the Arab lands to which they fled, despite the vast Arab territory. Out of the 100,000,000 refugees since World War II, theirs is the only refugee group in the world that has never been absorbed or integrated into their own peoples’ lands.  Jewish refugees were completely absorbed into Israel, a country no larger than the state of New Jersey.

13. The Arab – Israeli Conflict: The Arabs are represented by eight separate nations, not including the Palestinians. There is only one Jewish nation.  The Arab nations initiated all five wars and lost.   Israel defended itself each time and won.

14. The P.L.O.’s Charter still calls for the destruction of the State of Israel.  Israel has given the Palestinians most of the West Bank land, autonomy under the Palestinian Authority, and has supplied them.

15. Under Jordanian rule, Jewish holy sites were desecrated and the Jews were denied access to places of worship. Under Israeli rule, all Muslim and Christian sites have been preserved and made accessible to people of all faiths.

16. The U.N. Record on Israel and the Arabs: of the 175 Security Council resolutions passed before 1990, 97 were directed against Israel.

17. Of the 690 General Assembly resolutions voted on before 1990, 429 were directed against  Israel.

18. The U.N. was silent while 58 Jerusalem synagogues were destroyed by the Jordanians.

19. The U.N. was silent while the Jordanians systematically desecrated the ancient Jewish cemetery on the Mount of Olives.

20. The U.N. was silent while the Jordanians enforced an apartheid-like policy of preventing Jews from visiting the Temple Mount and the Western Wall.

Danny Lieberman

Software Associates

Expert security consultants, providing internal security solutions: investigating and preventing data theft and fraud for telecommunications, manufacturing and pharmaceutical companies in Eastern Europe and the Middle East.

Are you on your firewall, while your employees are on Gmail?

Pop question No. 1: What percent of your employees send sensitive company documents to their Gmail accounts?

Pop question No. 2: When you lay off 15 percent of your workforce, should you fire the information security manager a) first, b) last, or c) give her an incentive to help ensure that a data breach of company IP and customer lists doesn’t happen?

With all the 30,000-foot strategic talk from Gartner and IDC about enterprise risk management, I think that most CEOs are blindsided when a data breach happens, having ignored the risk of data theft during organizational changes or assumed that information security is a “given”.

In a large firm the CEO delegates the responsibility to the CISO, who has a dedicated team for security and compliance. In smaller companies that don’t have a dedicated security function, the responsibility for information security falls on the IT department. IT tends to see security as a technical overhead that gets in the way of running the ERP systems, and IT security becomes an issue of security products and policies and procedures for appropriate Internet usage.

A company with current best-practice security such as Checkpoint firewalls, ISS IPS and a Symantec SIM (security information management system) will be totally unaware that most of its employees send company documents to their personal Google mail accounts on a regular basis.

Monitoring of outbound mail based on some fairly simple metadata parameters (like attachment file type and recipient email domain) can be a highly effective way of improving data security. You don’t necessarily need deep content inspection, but you must be prepared to monitor for violations and act quickly on corrective action. It’s as simple as seeing the event in real time with an extrusion detection system like Fidelis Security Systems XPS and walking over to the employee and asking her not to send the company’s 2009 sales forecast to a private Google mail account.
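An added example of that metadata-only check, not code from the original post or from any vendor product: it reads a mail-gateway log and applies just the two parameters above, attachment file type and recipient domain, with no look at message bodies. The corporate domain, the webmail domain list and the log lines are constructed for illustration.

```python
"""Outbound mail monitor driven by metadata only.

Added example, not from the original post or from any vendor product. It
applies exactly the two metadata parameters the post mentions, attachment
file type and recipient mail domain, to a mail-gateway log and reports the
messages a security manager should walk over and ask about. The log lines,
the corporate domain and the webmail domain list are all constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Hypothetical values, not from the post.
CORPORATE_DOMAIN = "example-corp.com"
WEBMAIL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com"}
# Document types worth a conversation; images and plain text are ignored.
DOCUMENT_TYPES = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

# Constructed gateway log, one message per line:
# timestamp | sender | recipients (comma-separated) | attachments (comma-separated)
SAMPLE_LOG = """\
2009-01-14T09:02:11|alice@example-corp.com|bob@example-corp.com|Q1_forecast.xlsx
2009-01-14T09:15:43|alice@example-corp.com|alice.home@gmail.com|2009_sales_forecast.xlsx
2009-01-14T09:20:02|carol@example-corp.com|vendor@partner.net|invoice.pdf
2009-01-14T10:01:55|dave@example-corp.com|dave.d@yahoo.com|lunch.jpg
2009-01-14T10:05:17|erin@example-corp.com|erin@hotmail.com,bob@example-corp.com|customers.xls,notes.txt
"""


@dataclass
class Violation:
    timestamp: str
    sender: str
    recipient: str
    attachment: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def extension_of(filename: str) -> str:
    match = re.search(r"(\.[A-Za-z0-9]+)$", filename.strip())
    return match.group(1).lower() if match else ""


def parse_line(line: str):
    timestamp, sender, rcpts, atts = line.split("|", 3)
    recipients = [r.strip() for r in rcpts.split(",") if r.strip()]
    attachments = [a.strip() for a in atts.split(",") if a.strip()]
    return timestamp, sender.strip(), recipients, attachments


def find_violations(log_text: str) -> List[Violation]:
    """A corporate sender mailing a document-type attachment to a personal
    webmail address. No message body is read; only envelope and filenames."""
    found = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, sender, recipients, attachments = parse_line(line)
        if domain_of(sender) != CORPORATE_DOMAIN:
            continue
        for recipient in recipients:
            if domain_of(recipient) not in WEBMAIL_DOMAINS:
                continue
            for attachment in attachments:
                if extension_of(attachment) in DOCUMENT_TYPES:
                    found.append(Violation(timestamp, sender, recipient, attachment))
    return found


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v.timestamp} {v.sender} -> {v.recipient}: {v.attachment}")
```

Two messages come out: the sales forecast to a Gmail address and the customer list to Hotmail. The invoice to partner.net is not flagged, because a metadata rule only knows the domains it has been told about; that blind spot is the trade-off you accept in exchange for skipping content inspection.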


Agency Accidentally Posts Social Security Numbers Online

I  think the expression is – “the road to hell is paved with good intentions”.

I got wind of this data breach event from the IS Alliance.

As reported by WFTV Orlando – Social security numbers for 250,000 people were posted online by mistake, and a state agency is facing serious questions about why it was so careless with the information.

The Agency for Workforce Innovation accidentally posted the sensitive information for people looking for work. All those numbers were left online for at least 19 days. Potential victims do not even know it yet. When thousands of Floridians went to a career center, their personal information was forwarded to the state. Then, by mistake, that information ended up on a state website visible to anyone with Internet access. Local jobseekers’ identities have been compromised. Names, social security numbers, and employment information of more than 250,000 people who sought state help was accidentally posted online. The Washington D.C. based Liberty Coalition spotted the error. “This is obviously a case of gross negligence,” said a spokesman for the Liberty Coalition. The Florida Agency for Workforce Innovation made the mistake in October when setting up a computer server. Somehow information that should have been kept private became public, available by an online search. It has since been taken down. The security breach affects people who went to a career service center between 2002 and 2007; even the identities of some of their children were posted online. The Florida Agency for Workforce Innovation says it will send out a letter to all the people affected by the breach.

Although it’s convenient to yell negligence, it seems to me that some folks thought they were helping job seekers by posting their information online. If you’re looking for work, the more exposure you get the better. Unfortunately, the problem with posting PII (personally identifiable information) is where to draw the line and how to appropriately control unauthorized disclosure. Name, phone number and the kind of job a person is seeking make sense (and are publicly available anyway in all kinds of other online channels), but a social security number and other data on the family cross the privacy line.

For the original article see: Agency Accidentally Posts 250,000 S.S. Numbers Online


Ex-Intel worker charged with $1B data theft

Big-time data theft event, this time by an employee leaving Intel to go to work for AMD. A Worcester, Mass. man has been charged with stealing trade secrets worth more than $1 billion.

Biswamohan Pani, 33, was indicted for allegedly stealing trade secrets from Intel’s Hudson, Mass. facility and downloading confidential documents from Intel offices in California.

According to the indictment, Pani gave notice to leave Intel and told his superiors he was using up about a week of vacation while looking for a job at a hedge fund.

In reality, according to the indictment, he had taken a job at Intel rival AMD and, while using up vacation time at Intel, was downloading documents marked by Intel as confidential. Without going into the entire discussion of Intel’s management of intellectual property, there are some interesting questions:

Why was an employee who had announced he was leaving, and was running down vacation at home, even allowed access to Intel file servers?

How did Intel discover that confidential documents were being downloaded? Does Intel use data loss prevention technology? Were they tipped off by another employee? Or did the investigation start only once Intel discovered that the employee was going to work for a competitor, and then they started checking download logs?

Full article in the Sacramento Business Journal
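An added example that turns the two questions above into checks; it is not code from the original post or from Intel. Once an HR feed records that an employee has given notice, a policy function denies that user access to document shares, and a review function reads a file-server access log and reports every CONFIDENTIAL document the user pulled after that date, how much, and whether any of it went out over a remote connection. The HR feed, log format, user names and paths are all constructed.

```python
"""Notice-period access control and download-log review.

Added example, not from the original post or from Intel; it turns the two
questions above into checks. Once HR records that an employee has given
notice, the policy function denies that user access to document shares, and
the review function reads a file-server access log and reports every
CONFIDENTIAL document the user pulled after that date, how much, and whether
any of it left over a remote connection. The HR feed, log format, users and
paths are all constructed.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator

# Hypothetical HR feed: user -> date notice was given.
ON_NOTICE = {"jdoe": datetime(2008, 5, 29)}

# Constructed file-server access log:
# timestamp | user | source | path | label | bytes
SAMPLE_LOG = """\
2008-05-28T11:02:13|jdoe|lan|/eng/roadmap/2009_process.ppt|CONFIDENTIAL|2400000
2008-05-30T22:14:07|jdoe|vpn|/eng/roadmap/2009_process.ppt|CONFIDENTIAL|2400000
2008-05-30T22:16:41|jdoe|vpn|/eng/specs/core_layout.pdf|CONFIDENTIAL|9100000
2008-05-30T22:20:03|jdoe|vpn|/hr/holiday_calendar.xls|INTERNAL|40000
2008-05-31T09:01:55|asmith|lan|/eng/specs/core_layout.pdf|CONFIDENTIAL|9100000
"""


def parse(log_text: str) -> Iterator[dict]:
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, source, path, label, nbytes = line.split("|")
        yield {"ts": datetime.fromisoformat(ts), "user": user, "source": source,
               "path": path, "label": label, "bytes": int(nbytes)}


def should_deny(user: str, when: datetime) -> bool:
    """Policy: document-share access is revoked the moment notice is given,
    regardless of whether the employee is still on the payroll burning vacation."""
    notice = ON_NOTICE.get(user)
    return notice is not None and when >= notice


def review(log_text: str) -> Dict[str, dict]:
    """Findings per user: CONFIDENTIAL documents downloaded after notice,
    total bytes, and whether any download came from outside the LAN."""
    findings = defaultdict(lambda: {"docs": [], "bytes": 0, "remote": False})
    for ev in parse(log_text):
        if not should_deny(ev["user"], ev["ts"]) or ev["label"] != "CONFIDENTIAL":
            continue
        f = findings[ev["user"]]
        f["docs"].append(ev["path"])
        f["bytes"] += ev["bytes"]
        f["remote"] = f["remote"] or ev["source"] != "lan"
    return dict(findings)


if __name__ == "__main__":
    for user, f in review(SAMPLE_LOG).items():
        print(f"{user}: {len(f['docs'])} confidential docs, {f['bytes']} bytes, remote={f['remote']}")
```

The May 28 download happens before notice and is not reported; the two VPN downloads on May 30 are, along with the fact that they came from outside the building. In a real deployment the policy function belongs in front of the share (remove the user from the share’s group on the day notice is given) and the review runs over the logs to prove that it actually happened.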


Spector 360, data loss prevention tool?

Remember “The Phil Spector Sound”? (I grew up on rock and roll just outside of Philly, and when you say Spector I associate it with Phil Spector or Arlen Spector; my mind is just wired that way.)

A business partner of ours in a developing country asked me a security product question today: what is the difference between Spector CNE and Fidelis XPS? Or, translated: what is the difference between desktop software on your PC that tracks your keystrokes and surfing habits and a network gateway data loss prevention/extrusion prevention system?

If you are a big company and you need a very good HTTP traffic cop I would recommend Fidelis XPS (full disclosure: my company, Open Solutions, is a Fidelis business partner. We have installed a number of their systems at large accounts and it is a fantastic product in my personal experience).

This is what I told him.

Spector CNE is a very cool product, but it requires installing client recorder software on every PC. This is a big downside for most companies.

Spector mitigates the threat of employee misuse of the Internet / AUP enforcement.
Spector uses a client recorder, which is software that must be distributed to and installed on every PC in the organization. If the Spector CNE client recorder is not installed on a machine, the system cannot detect anything that machine does.

Client-side recorder software can break Windows: a Windows Update can make a PC with the recorder software unusable. This happened to one of our clients; after a Patch Tuesday update, all 500 users in the customer service center were unable to use their PCs.
This client went on to acquire an extrusion prevention solution from Fidelis.

Fidelis XPS mitigates a wide range of threats to data assets:

  • Violations of corporate AUP, Internet misuse
  • Data loss from inside the network to public Internet services by employees and
  • Data theft from the network perimeter or DMZ by hackers
  • Data loss from elevation/abuse of privilege on corporate database servers
  • Data loss from exploits by hackers on Web application servers.

Fidelis XPS is based on a Layer 2 sniffing engine which intercepts content from the network at gigabit rates. It doesn’t interfere with traffic and is invisible on the network since it doesn’t have an IP address. No client software is required.

Fidelis XPS is a bi-directional data loss prevention appliance that decodes and retrieves data from the network across protocols and file formats: mail, instant messaging, Web, webmail, Oracle, DB2, file and print services, Active Directory and LDAP/OpenLDAP.

This is my experience, and it’s based on fighting in the trenches. Comment on this entry and let me know what you think.


Bank employee steals 100,000 sheqels

This is a classic case of trusted insider threat, as reported in yesterday’s morning paper, “Israel Today” (I assume that this has been under investigation for a while, so the actual event may have happened over a year ago).

The arrest sheet in the Tel Aviv district court depicts collusion between an information security employee and outsiders.

An employee in the information security department of the First International Bank in Tel Aviv has been charged as an accessory in a theft of over 100,000 shekels from bank customers. The employee, Dan Tirspolski, exploited his access to confidential information to identify foreign-resident customers of the bank and their online user names and passwords. The foreign residents, not being physically present in Israel, use the Internet to occasionally access their accounts. He then passed this information to accomplices outside the bank, who used their own Internet access to withdraw money from the accounts.

The case reveals a direct link between data loss, fraud and money theft. The trusted insider did not exploit weak passwords; in cases like this, the insider exploits a minimum of two vulnerabilities in the bank’s software applications, both of them violations of the principle of separation of duties:

  1. One application may disclose clear-text versions of the username and password for a particular account number.
  2. Another application may disclose account details such as the address and the fact that the customer is a foreign resident not physically present in Israel, which is what made the crime workable once the malicious insider collaborated with malicious outsiders.
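An added example of closing both holes, not code from the original post or from the bank: online-banking passwords exist only as salted PBKDF2 hashes, so no application can hand an insider a clear-text password, and the customer record is served through a per-role field allowlist that is checked at startup so that no single role can read credential material or pair a login name with the foreign-resident flag. The roles, field names and customer record are constructed.

```python
"""Credential storage and separation of duties for a customer database.

Added example, not from the original post or the bank. It closes both
holes: online-banking passwords exist only as salted PBKDF2 hashes, so no
application can hand an insider a clear-text password, and the customer
record is served through a per-role field allowlist that is checked at
startup so that no single role can read credential material or pair a login
name with the foreign-resident flag. Roles, fields and the record are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

PBKDF2_ROUNDS = 200_000  # hypothetical work factor


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison; the stored digest never reveals the password."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


CREDENTIAL_FIELDS = {"password_hash", "password_salt"}

# Field allowlist per role (hypothetical). No role is given both the
# "foreign_resident" flag and the "username" an outsider would need.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "teller": {"account", "name", "address"},
    "infosec": {"account", "username", "last_login", "failed_logins"},
    "compliance": {"account", "name", "foreign_resident"},
}


def check_separation(role_fields: Dict[str, Set[str]] = ROLE_FIELDS) -> List[str]:
    """Run at startup: report any role that could read credential material or
    could pair residency status with a login identity."""
    problems = []
    for role, fields in role_fields.items():
        if fields & CREDENTIAL_FIELDS:
            problems.append(f"{role}: may read credential material")
        if {"foreign_resident", "username"} <= fields:
            problems.append(f"{role}: may pair residency with login identity")
    return problems


class AccessDenied(Exception):
    pass


AUDIT: List[Tuple[str, str, str]] = []  # (role, account, outcome)


def view_customer(record: dict, role: str) -> dict:
    """Return only the fields the role is allowed to see, and record the access."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        AUDIT.append((role, record["account"], "denied"))
        raise AccessDenied(role)
    AUDIT.append((role, record["account"], "ok"))
    return {k: v for k, v in record.items() if k in allowed}


# Constructed customer record; the password is stored hashed at creation.
_salt, _digest = hash_password("correct horse battery staple")
CUSTOMER = {
    "account": "1234-567",
    "name": "A. Customer",
    "address": "Somewhere abroad",
    "foreign_resident": True,
    "username": "acustomer",
    "password_salt": _salt,
    "password_hash": _digest,
    "last_login": "2008-03-01",
    "failed_logins": 0,
}

if __name__ == "__main__":
    assert check_separation() == []
    print("infosec sees:", sorted(view_customer(CUSTOMER, "infosec")))
    print("login ok:", verify_password("correct horse battery staple",
                                       CUSTOMER["password_salt"], CUSTOMER["password_hash"]))
```

With this layout the information security employee in the story can see that an account has a login name and when it was last used, but not the password and not that the owner lives abroad; collecting the full kit would take two colluding roles plus a break of the hash, and every view is in the audit trail.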

Read more about data breaches and the consequences for managers who ignore data security.


Preventing data loss or reacting to data loss.

I love New York but I live in Israel.

DLP (Data Loss Prevention or extrusion prevention) is an important category of IT security that helps protect data from leaving the network. Keeping the good stuff in, as opposed to keeping the bad guys out.

Israel has a booming IT security industry with Checkpoint, Radware, Algosec, Cyberark, Aladdin, Allot, Yoggie, Adi Shamir and numerous small security startups.  It’s hard to show a customer something new.   There is a lot of innovation in security here and  just about everybody has a Checkpoint firewall.  In Israel, Checkpoint is a de-facto gold standard for security product features.  Gil Schwed would like to see DLP in the gateway but Checkpoint is still at the strategy stage with DLP apparently – as a result a lot of Israeli companies have passed on this technology.

Websense acquired an Israeli company a couple of years ago called Port Authority, which is a really strange name for a content inspection system and even weirder if you had ever been in the seedy old Port Authority terminal in New York on 42nd Street back in the 60s and 70s, with the dirt, gasoline fumes and the most variegated types of humanity to be found on a New York street: prostitutes, con men and transvestites….

Anyhow, I digress.

A colleague asked me this week to compare Fidelis XPS Extrusion Prevention system with Websense DLP. This is more or less what I told him:

For larger firms – Fidelis XPS is the best fit you can get, being extremely scalable, easy to install and economical to maintain.  If you run a business unit with a Microsoft network of up to 1000 users and well defined requirements to prevent leakage of MS Office documents; Websense is a viable option.  See points 1-3 below:

1) With Websense you have to classify and index your documents. The server that does that creates a man-in-the-middle vulnerability and adds load to your Windows file server, since the scanner is constantly hitting documents on the file server. Introducing MITM vulnerabilities and adding load to your Windows file and print servers are two headaches I would try to avoid.

2) Conceptually, the Websense DLP product is designed for outbound traffic and doesn’t play in the internal security space.

Fidelis XPS is based on NCP, a Layer 2 sniffer with full session reassembly running at a full 1 Gbit/s. Websense uses inline forward proxies and appears to melt down at less than 100 Mbit/s. A forward proxy can be exploited and is blind to a wide variety of data leakage attacks, for example sending data in the query string of an HTTP GET to an external server. That’s a trivial exploit and an easy way to steal data. The new Fidelis XPS Internal product supports DB2 and Oracle and is an effective way of preventing data loss inside the network, elevation of privilege and abuse of privilege. Abuse of privilege by an outsourced Oracle DBA is a vulnerability that is mitigated extremely well by Fidelis XPS Internal.

3) Conceptually, Websense DLP assumes that you know how to classify your data. Fidelis XPS enables data classification, of course, but all my active Fidelis XPS users have found that Fidelis XPS is extremely good at discovering new vulnerabilities. The Fidelis XPS Command Post is a lot like one of those real-time early warning systems where you can see terrorists spinning up mobile missile launchers.
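An added example of catching the HTTP GET trick from point 2, not code from the original post, Fidelis or Websense. A gateway that inspects only uploads and POST bodies misses data smuggled into the URL itself, so this reads proxy access-log lines and flags GET requests to external hosts whose query string is unusually long or whose parameter values look like a base64 blob with near-random entropy. The log lines, thresholds, internal-domain list and the exfiltrated blob are constructed.

```python
"""Spotting data carried out in HTTP GET query strings.

Added example, not from the original post, Fidelis or Websense. A forward
proxy that inspects only uploads and POST bodies misses data smuggled into
the URL itself. This reads proxy access-log lines and flags GET requests to
external hosts whose query string is unusually long or whose parameter
values look like a base64 blob with near-random entropy. Log lines,
thresholds, the internal-domain list and the exfiltrated blob are constructed.
"""
import base64
import hashlib
import math
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

INTERNAL_SUFFIXES = (".example-corp.com", ".corp.local")  # hypothetical
MAX_QUERY_LEN = 512      # bytes; hypothetical threshold
MIN_BLOB_LEN = 64        # shorter values are too noisy to score
MIN_ENTROPY_BITS = 4.5   # per character; English text sits near 4.1
BASE64_RE = re.compile(r"[A-Za-z0-9+/_-]+=*")

# Stand-in for an encrypted or compressed export: 128 pseudo-random bytes,
# base64url-encoded so they fit in a query parameter.
BLOB = base64.urlsafe_b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))).decode()

# Constructed proxy log: ts | client | method | url | status | bytes
SAMPLE_LOG = f"""\
2009-02-03T14:01:02|10.1.2.3|GET|http://intranet.example-corp.com/report?id=42|200|1024
2009-02-03T14:02:11|10.1.2.3|GET|http://www.example.com/search?q=quarterly+sales|200|5120
2009-02-03T14:03:45|10.1.2.3|GET|http://drop.example.net/c?d={BLOB}|200|12
2009-02-03T14:04:10|10.1.2.3|GET|http://img.example.org/x?chunk={'A' * 600}|200|12
"""


def shannon_entropy(text: str) -> float:
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_internal(host: str) -> bool:
    host = host.lower()
    return host.endswith(INTERNAL_SUFFIXES) or host.startswith("10.")


def classify(url: str):
    """Return a reason string if the GET URL looks like an exfiltration channel."""
    parts = urlsplit(url)
    if not parts.hostname or is_internal(parts.hostname):
        return None
    if len(parts.query) > MAX_QUERY_LEN:
        return f"query string of {len(parts.query)} bytes"
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if (len(value) >= MIN_BLOB_LEN and BASE64_RE.fullmatch(value)
                and shannon_entropy(value) >= MIN_ENTROPY_BITS):
            return f"high-entropy blob in parameter '{name}'"
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, _status, _nbytes = line.split("|")
        if method != "GET":
            continue
        reason = classify(url)
        if reason:
            findings.append({"ts": ts, "client": client,
                             "host": urlsplit(url).hostname, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} -> {f['host']}: {f['reason']}")
```

The intranet request and the ordinary search are left alone; the base64 blob and the 600-byte padded parameter are both reported, the first on entropy and the second on length. The two rules are deliberately independent, since an attacker who pads with low-entropy filler to beat the entropy check runs into the length check, and one who chunks small high-entropy pieces to beat the length check runs into the entropy check.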

It’s like this, I told my friend: it depends whether you think about security from a defensive or a strategic perspective.

If you think about security from a defensive perspective, you think you know everything and you don’t have too big a business unit to manage (i.e. you’re an Israeli) – go ahead and buy Websense.

If you think about security from a strategic perspective, you think you have a lot to learn and you’d rather block high-profile attacks (first-shooter advantage) and get an early warning of new inbound threats. Get Fidelis XPS.
