Category Archives: Risk Assessment

Rising the level of trust associated with identity in online transactions

Obama’s National Strategy for Trusted Identities in Cyberspace

In April President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC) which charts a course for the public and private sectors to collaborate on raising the level of trust associated with identity in online transactions.

NSTIC focuses on upgrading outdated password-based authentication systems and reducing the barriers associated with identity proofing and deployment of strong credentials, while also enabling end-users to have more control over when and what information they disclose in a range of transactions.

Could someone please translate this for me?

How is giving an end-user more control over information disclosure is going to mitigate the risk of data breaches when over 300 million credit cards have already been breached?

What about online merchants vulnerabilities and better data security countermeasures for online Web services?

Will PCI DSS discover Data loss prevention technology anytime in the next decade?

Where  I come from, that’s called shutting the barn-door after the horses have flown.

Tell your friends and colleagues about us. Thanks!
Share this

Practical security management for startups

We normally associate the term “small business” or SME (small to medium sized enterprise) with commercial operations that buy and sell, manufacture products or provide services – lawyers, plumbers, accountants, web developers etc…

However – there is an important class of small business operations that is often overlooked when it comes to information security and is the technology startup.   A high tech startup is an SME by all definitions – usually less than 50 employees but it doesn’t buy and sell and neither does it provide professional services.   Unlike other small businesses, a high tech startup is almost purely focussed on product research and development. Almost all startups have a very high percentage of software development. Even if the startup develops hardware – there is still a strong software development focus.

Intuitively – one would say that a primary concern for a startup is IP (intellectual property) protection and that starts with protecting source code.

Counter-intuitively this is not true. There are two basic reasons why source code leakage is not necessarily a major threat to a startup:

1) If the startup uses FOSS (free open source software), there is nothing to hide.  This is not strictly speaking correct – since the actual application developed using FOSS has immense value to the startup and may often involve proprietary closed  source code as well.

2) A more significant reason that source code leakage is of secondary importance is that a startup IP is invariably based on a combination of three components:    Domain expertise, implementation know-how and the implementation itself (the software source code).   The first two factors – domain expertise and  implementation know-how are crucial to successful execution.

The question of how to protect IP still remains on the table but it now is reshaped into a more specific question of how best to prioritize security countermeasures to protect the startup’s domain expertise and  implementation know-how.  Prioritization is of crucial importance here, since startups by definition do not generate revenue and have little money to spend on luxuries like data loss prevention (DLP ) technologies.

Software Associates works exclusively with technology and medical device developers and I’d like to suggest a few simple guidelines for getting the most security for your money:

The startup management needs to know how much their information security measures will cost and how it helps them run the business. Business Threat Modeling (TM) is a practical way for a manager to assess the operational risk for the startup in dollars and cents. The advantages of the business threat modeling methodology are:

  • Threat modeling places the focus on asset management and Value at Risk reduction before acquisition of information and security technologies.
  • Threat modeling helps select  the right countermeasures often prioritizing monitoring before active data loss prevention (for example)
  • Threat  modeling, when done right, quantifies risk in dollar terms. This is particularly important when reporting back to the investors on exposure to data loss of IP.
  • Threat modeling helps justify investments in security, compliance and risk management to the management board – simply because it puts everything into financial values – the value at risk and cost of the security portfolio.

These are similar objectives to GRC (Governance, risk and compliance) systems.

The problem with most GRC (governance, risk and compliance) and ERM (enterprise risk management) systems is that they don’t calculate risk, they make you work hard and they’re not that easy to use.

I think that we can all agree that the last thing that a hi-tech startup needs is a system to manage GRC activities when they’re working to make the next investor milestone.

Startup management needs a simple security management approach that they can deploy themselves, perhaps assisted with some professional consulting to help them get started and get a good feel for their exposure to security and compliance issues.

How does a practical security management methodology like this work? Well – it works by using common language of threat modeling.

You own assets – for example, expensive diamond jewelry stored at home. These assets have a dollar value.

Your asset has vulnerabilities – since you live on the ground floor and your friendly German Shepherd knows where the bedroom is and will happily show anyone around the house.

The key threat to the asset is that an attacker may break in through the ground floor windows.

The countermeasures are bars for the windows, an alarm system and training your dog to be a bit less friendly around strangers with ski-masks.

Using countermeasure costs, asset value, threat probability of occurrence and damage levels, we calculate Value at Risk in financial terms, and propose an prioritized, cost-effective risk mitigation plan.

That’s it – adopt a language with 4 words and you’re on a good start to practical security management for your high tech startup.

Tell your friends and colleagues about us. Thanks!
Share this

Threats on personal health information

A recent HIPAA violation in Canada  where an imaging technician accessed the medical records of her ex-husband’s girlfriend comes as no surprise to me. Data leakage of ePHI in hospitals is rampant simply because a) there is a lot of it floating around and b) because of human nature.  Humans being naturally curious, sometimes vindictive and always worried when it comes to the health condition of friends and family will bend the rules to get information.   HIPAA risk and compliance assessments that we’ve been involved with at hospitals in Israel, the US and Australia consistently show that the number one attack vector on PHI is friends and family, not hackers.

Courtesy of my friend Alan Norquist from Veriphyr

Information and Privacy Commissioner Ann Cavoukian ordered a Hospital in Ottawa to tighten rules on electronic personal health information (ePHI) due to the hospital’s failure to comply with the Personal Health Information Protection Act (PHIPA).

The actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective.” – Information and Privacy Commissioner Ann Cavoukian

The problem began when one of the hospital’s diagnostic imaging technologists accessed the medical records of her ex-husband’s girlfriend. At the time of the snooping, the girlfriend was at the hospital being treated for a miscarriage.

Commissioner Cavoukian faulted the hospital for:

  • Failing to inform the victim of any disciplinary action against the perpetrator.
  • Not reporting the breach to the appropriate professional regulatory college.
  • Not following up with an investigation to determine if policy changes were required.

The aggrieved individual has the right to a complete accounting of what has occurred. In many cases, the aggrieved parties will not find closure … unless all the details of the investigation have been disclosed.” – Information and Privacy Commissioner Ann Cavoukian

It was not the hospital but the victim who instigated an investigation. The hospital determined that the diagnostic imaging technologists had accessed the victim’s medical files six times over 10 months.

The information inapprorpriately accessed included “doctors’ and nurses’ notes and reports, diagnostic imaging, laboratory results, the health number of the complainant, contact details … and scheduled medical appointments.” – Information and Privacy Commissioner Report

(a) Privacy czar orders Ottawa Hospital to tighten rules on personal information – Ottawa Citizen, January, 2011


Tell your friends and colleagues about us. Thanks!
Share this

What if al-Qaeda Got Stuxnet?

Speaking at this years RSA Security conference in San Francisco, Deputy Defense Secretary William Lynn was worried about al-Qaeda getting Stuxnet:

al-Qaeda operates as a network comprising both a multinational, stateless army and a radical SunniMuslim movement calling for global Jihad…Characteristic techniques include suicide attacks and simultaneous bombings of different targets…beliefs include that a ChristianJewish alliance is conspiring to destroy Islam,  embodied in theU.S.-Israel alliance, and that the killing of bystanders and civilians is religiously justified in jihad. (From Wikipedia)

William Lynn is the same official at the US Department of Defense who doesn’t believe in offensive measures to combat cyber terror. In his article several months ago in Foreign Affairs Lynn claims:

Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.To stay ahead of its pursuers, the United States must constantly adjust and improve its defenses.

Let’s see if we can connect the dots.

1. Who is the attacker?

Lynn has just reiterated that the Obama administration officially considers al-Qaeda a threat to the US, markedly ignoring the Muslim Brotherhood – since the US considers the Muslim Brotherhood a secular, democratic political organization.  Neither is Mr. Lynn concerned with other Islamic terror groups like Hamas or the PLO.

2. What are the best security countermeasures against the attack?
Despite believing in good cyber security defenses, Mr Lynn does not offer any security countermeasures against al-Qaeda deploying Stuxnet and falls back on the American shoe bomber security philosophy, considering yesterday’s attack, not tomorrow’s attack. This is the same security management strategy that resulted in millions of airline passengers taking off their shoes in a fruitless, ineffective security countermeasure against a one-time, one in a million attack.

3. Is Stuxnet a cost-effective attack against the great Satan?
Of course – al-Qaeda might deploy Stuxnet against US critical national infrastructures but then again it might be cheaper and more effective for a Muslim terror organization to do something different – like use Facebook to make friends with a DC college student, make a date with her in Manhattan and have her ride the Red Line to Reagan Airport in DC, go through the non-security measures there, not get profiled and use a text message to a bomb in her bag to blow up in the line of people taking off their shoes, killing 20-30 civilians and taking down the US transportation infrastructure for the day.

4. Is the Obama administration more concerned with media exposure than with combating Islamic cyber terror?

Director of National Intelligence James Clapper told a House panel. al-Qaeda appears more focused on making inroads to unsuspecting Muslim youth through social media. Is Mr Clapper speaking with Mr Lynn, or is the Obama administration making the same mistake that the Bush and Clinton administrations made where the CIA collects intelligence, the DOD defends, the FBI investigates civilian crimes but no one connects the dots?

As I wrote in April 2009 about the Obama cyber security policy review, I was reminded of Melissa Hathaway’s 2009 speech to the RSA Security conference which featured a few cute gems like this one:

“….Matthew Broderick in War Games, Robert Redford in Sneakers, Sandra Bullock in The Net, and Bruce Willis in Live Free and Die Hard. These and other movies present the types of issues that we should care about and solve together.“.

Ms. Hathaway’s perspective on security appears to be influenced by the movies, which is consistent with President Obama, who thinks he’s living in an episode of “The West Wing“.

As I wrote back in April 2009 – I thought we should wait 6 months after the report is made public and see how many cost-effective security countermeasures the government Cyberspace security task force has produced.

Less than 6 months later, Ms. Hathaway resigned. People familiar with the matter said Ms. Hathaway had been “spinning her wheels” in the White House, where the president’s economic advisers sought to marginalize her politically. (See Siobhan Gorman’s Wall Street Journal piece from August 2009. Gorman covers national intelligence issues at WSJ and has written stories exposing the NSA’s computer problems—including those in its multibillion-dollar Trailblazer program aimed at identifying electronic data crucial to the nation’s safety).

Tell your friends and colleagues about us. Thanks!
Share this

The truth about consultants

In a previous lifetime, I developed airline reservation systems software.

The owner and CEO of one of our customers (a rapidly growing regional airline) was a larger than life figure who kept chilled Finlandia vodka in a mini-freezer in his office and liked to tell stories. One day he told me a story. He said – “Danny, there are two kinds of consultants, good consultants and bad consultants. You ask them what time it is. The good consultant will look at your watch and say it’s 9:30, take his fee and leave. The bad consultant will tell you it’s 9:30, steal your watch and run with the money”.

Tell your friends and colleagues about us. Thanks!
Share this

How to assess risk – Part II: Use attack modeling to collect data

In my article – “How to assess risk – Part I: Asking the right questions”, I talked about using attack modeling as a tool to collect data instead of using self-assessment check lists. In this article, I’ll drill down into some of the details and provide some guidelines on how to actually use attack modeling to assess risk.

Read achieving HIPAA compliance using threat modeling for a step-by-step tutorial on how to use the popular PTA (Practical Threat Analysis) Professional software in order to perform  quantitative risk assessment for a data security  and compliance. Software Associates specializes in HIPAA data security and compliance. The concepts and techniques described here can be implemented for any regulatory area of compliance such as PCI DSS 2.0 or security certification such as ISO 27001. You can obtain a free download of the PTA Professional software from the PTA Technologies download page.

The first guideline I will lay down, is to estimate value of risk  in Dollar/Euro/Ruble values – whatever currency you like.

Attack modeling is based on the notion that any system or organization has assets of value worth protecting. These assets have certain vulnerabilities. It is a given that internal and external attacks exist, that may  exploit these vulnerabilities in order to cause damage to the assets. An additional given is that appropriate countermeasures exist that mitigate the damage caused by internal or external attackers.

With attack modeling, you make future risk scenarios vivid, tangible, and measurable in dollar terms, countering the tendency to ignore threats and do nothing. Attack modeling gives you and your employees a practical language of assets, threats, vulnerabilities and countermeasures.

Here are 6 rules for effective attack modeling –

If you’re bought into the traditional approach of consultants looking at your watch and telling you what time it is, then don’t let me stop you, but if you don’t mind considering some new ideas for cracking the risk assessment problem, here are a few ideas inspired by Tom Peters “In pursuit of Luck”:

1. Do something new. Don’t bother with the same old trade shows, talking with the same old security salespeople about the same old stuff. The first time you do attack modeling, it may take several months – and take you into unfamiliar territory of having to valuate assets and anticipate the probability of threat occurrence.

2. Listen to everyone. Ask your senior managers what are your most valued assets – customer lists, product IP, ontime delivery. Ask the CFO how much those assets are worth in dollar terms. Ask your 22 year old customer service agents how they would attack your assets.

3. Try out options. Don’t stop with the annual IT security audit. With attack modeling you can test many mitigation plans, implement countermeasures and measure effectiveness on the fly.

4. Ready, Fire, Aim. (instead of ready, aim, fire). Experiment with new attack models. Test the ramifications of turning off personal anti-viru software or opening a field office with contract technicians. Attack modeling lets you test without threatening the operation.

An ERP systems integrator maintained their own corporate messaging systems. Although they felt that security required them to keep corporate mail inhouse; the costs of content security maintenance were skyrocketing. An attack model showed a reduced dollar level of risk to their digital assets at a lower ongoing security cost; they are now using Google Apps, freeing up valuable internal resources and management attention at the cost of swallowing their pride and admitting that Google can provide better message security then their own internal IT operations team.

5. Make odd friends. Strangers can best help you see new attack scenarios, providing fresh ideas unprejudiced by your corporate judgment. Find advisors through social and professional networks who can help you anticipate the unexpected.

6. Smash functional barriers. Many companies separate IT security, fraud and physical security functions. What difference does it make if a notebook with sensitive M&A data is stolen from an executive’s desk by a competitor posing as a FedEx messenger? Attack modeling is a holistic practice that can help mitigate risk in all areas of your business.

Tell your friends and colleagues about us. Thanks!
Share this

Operational risk management – what we really need

Operational risk management has been the buzz word du-jour in recent years, due to the Basel II initiative in the banking industry and Solvency II in the insurance industry.

The Basel II definition of operational risk is “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.”

It seems that in the middle of the great financial crisis, TARP, unmet calls for transparency and trillions being sunk into the US financial services industry (instead of encouraging innovation, manufacturing and creation of free cash flow…), Basel II deserves to be judged and found wanting.

Perhaps we need to update the Basel II definition of operational risk and bring it into line with a modern set of threats. For example, we might say, let’s add to the Basel II definition, “… and risks due to networking with other businesses”. This is a reasonable addition, since in my experience in data security projects and according to the Verizon security breach reports,  over 70% of data loss incidents involve outsourcing and sub-contractors.

External business partnerships are indeed, a source of risk for financial institutions that do business process outsourcing (especially if one considers data loss) but it appears to me that the Basel II and Solvency II definitions  are  less appropriate for the technology and manufacturing industries, where  innovation and product development are performed by relatively small engineering teams and key assets are product quality and customer safety and not credit cards in database servers.

Let’s take the example of a company that makes a robot to assist in micro-surgery.

For the medical device company, the biggest operational risk  is a flawed product that might damage a patient. The FDA sees this as a regulatory issue and addresses it with the 510(K) but my gut feeling is that most small (4-6 people)  software development teams don’t really have a “process”.  After an audit by a regulatory affairs consultant, they can comply and still fall hard on a software defect or design flaw.

It’s amazing to me that the Basel II definition of does not consider customer safety as an  operational risk, and yet, the lack of customer safety and networked-business risks in the Basel II definition only serves to illustrate the futility of a check list approach to operational risk management.

Since regulatory compliance is not a substitute for analyzing particular threats to a particular business unit,  I would propose a different definition of op risk:

“Any combination of one or more threats that exploits vulnerabilities to damage company assets as measured in dollars (or euro or yen ….)”

This definition is universally applicable to financial services, IP developers, manufacturing, distribution, health care, bio med etc…The definition does not limit business management to risk analysis inside the company but enables a company to consider threats due to product quality, compliance, extended business relationships, PHI, PII and a whole slew of new risks that don’t even exist yet on their current threat surface.

It’s a definition that forces the company executives to ask themselves what are their key threats and assets and vulnerabilities and how much of the company value is at stake.

Threat models are not a silver bullet solution to prevent a crisis like AIG on one hand or Toyota on the other. A threat model is only a tool to implement a risk strategy by the business management. Threat modeling  needs to be used in the proper way, measured in dollar values and must be reviewed regularly – at least once/year.

The beauty of the above definition is that it links operational risks to business operations.

Any business in any vertical, must define their own threat landscape, define their control/security countermeasure strategy, run their own risk assessment regularly and  insure that their data security and regulatory compliance policies, procedures and systems are aligned with the latest version of their threat model.

Read more about threat modeling and operational risk management on this blog.

Tell your friends and colleagues about us. Thanks!
Share this

Controlled social networking

I saw a post recently on Controlled social networking for student collaboration. One of the comments lamented not having the head count to install technology to control Facebook access by students.

Frankly – as a data security and compliance consultant who does a lot of work with corporates in social networking (both on the application side and security side), I  would not use technology as an excuse for social media abuse.

This is a cultural and behavioral issue similar to any other content abuse issue. It starts with education: at home, in the school and with parental and teacher role models.

Current definitions of privacy are changing. Regulatory definitions of privacy used by legislators in the credit card and HIPAA compliance space do not seem to be relevant for under 25 users of Facebook – who are happy to disclose pictures of themselves but very careful about what they show and who they would share the media with.  I believe that as social media becomes part of  the continuum of social interaction in the physical  and virtual worlds, privacy becomes an issue of  personal, discretionary disclosure control.

To this extent, it seems to me that we are moving rapidly towards a new generation of social networking that is much closer to what happens in the physical world – centered on individual perspectives, one person, their friends, selective disclosure and information leakage by word of mouth not by IP protocols, social media and public access Web sites like Facebook.

But – that is already another technology kettle of fish.

Tell your friends and colleagues about us. Thanks!
Share this

Are you still using Excel for risk assessment?

There is a school of thought that says that you can take any complex problem and break it down like swiss cheese. Risk assessment data collection and analysis with Excel is one of those problems that can’t be swiss-cheesed.  A collection of brittle, unwieldy, two dimensional worksheets is a really bad way of doing multi-dimensional modelling.

Consider that a typical risk assessment exercise will have a minimum of 4 dimensions (assets, threats, vulnerabilities and controls) and I think you will agree with me that Excel is a poor fit for risk assessment.

Here is where PTA (Practical Threat Analysis) comes to the rescue. You can download the free risk assessment software and try it yourself.

Any risk assessment process can be automated using Practical Threat Analysis and the PTA threat modeling database.  PTA is a threat modelling methodology and software tool that has been downloaded over 15,000 times and has thousands of active security analyst users on a daily basis.

PTA (Practical Threat Analysis) was first introduced in a paper by Ygor Goldberg titled “Practical Threat Analysis for the Software Industry” published online at Security Docs in October 2005. PTA provides a number of meaningful benefits for security and compliance risk assessments:

  • Quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
  • Robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
  • Versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
  • Effective: recommends the most effective security countermeasures and their order of implementation. In our experience, PTA can help a firm mitigate 80% of the risk at 20% of the total control cost.

The PTA calculative model is implemented in a user-friendly Windows desktop application available as a freeware at the PTA Technologies web site. A PTA ISO 27001 library is available as a free download and is licensed under the Creative Commons Attribution License.

The need for cost effective risk reduction

Despite the importance of privacy and governance regulation, compliance is actually a minimum but not sufficient requirement for risk management.

The question is: What security controls should a firm implement after a risk assessment?

Taking ISO 27001 as a baseline security standard with a comprehensive set of controls, the ISO 27001 certification process can be as simple or as involved as an organization wants but there are always far more available controls than threats. As a result, organizations, large and small, find themselves coping with a long and confusing shopping list of controls. You can implement the entire checklist of controls (if you have deep pockets), you can do nothing or you can try and achieve the most effective purchase and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.

However, implementing additional controls does not necessarily reduce risk.

For example, beefing up network security (like firewalls and proxies) and installing advanced application security products is never a free lunch and tends to increase the total system risk and cost of ownership as a result of the interaction between the elements and an inflation in the number of firewall and content filtering rules.

Firms often view data asset protection as an exercise in Access Control (Section 11 of ISO 27001) that requires better permissions and identity management (IDM). However, further examination of IDM systems reveals that (a) IDM does not mitigate the threat of a trusted insider with appropriate privileges and (b) the majority of IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.

How to choose cost-effective controls

A PTA threat model enables a risk analyst to discuss risk in business terms with her client and construct an economically justified set of security controls that reduces risk in a specific customer business environment. A company can execute an implementation plan for security controls consistent with its budget instead of using an  all-or-nothing checklist designed by a committee of experts who all work for companies 100x the size of your operation.

Tell your friends and colleagues about us. Thanks!
Share this

Business unit strategy for data security

At a recent seminar on information security management, I heard that FUD (fear, uncertainty and doubt) is dead, that ROI is dead and that the insurance model is dead. Information security needs to give business value. Hmm.

This sounds like a terrific idea, but the lecturer was unable to provide a concrete example similar to purchasing justifications that companies use like: “Yes, we will buy this machine because it makes twice as many diamond rings per hour and we’ll be able corner the Valentine’s Day market in North America.”

The seminar left me with a feeling of frustration of a reality far removed from management theory. Intel co-founder Andy Grove said, “A little fear in an organization is a good thing.” So FUD apparently isn’t dead.

This post will help guide readers from a current state of reaction and acquisition to a target state of business value and justification for information security, providing both food for thought and practical ideas for implementation.

Most companies don’t run their data security operation like a business unit with a tightly focused strategy on customers, market and competitors. Most security professionals and software developers don’t have quotas and compensation for making their numbers.

Information security works on a cycle of threat, reaction and acquisition. It needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry, just like companies benchmark earnings per share.

In his classic Harvard Business Review article, What Is Strategy?, Michael Porter writes how “the essence of strategy is what not to choose … a strong completive position requires clear tradeoffs and choices and a system of interlocking business activities that fit well and sustain the business.” The security of your business information also requires a strategy.

Improvement requires a well-defined strategy and performance measures, and improvement is what our customers want. With measurable improvement, we’ll be able to prove the business value of spending on security.

Ask yourself these questions:

  1. Is your information asset protection spending driven by regulation?
  2. Are Gartner white papers your main input for purchasing decisions?
  3. Does the information security group work without security win/loss scores?
  4. Does your chief security officer meet three to five vendors each day?
  5. Is your purchasing cycle for a new product longer than six months?
  6. Is your team short on head count, and not implementing new technologies?
  7. Has the chief technology officer never personally sold or installed any of the company’s products?

If you answered yes to four of the seven questions, then you definitely need a business strategy with operational metrics for your information security operation.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this