Category Archives: Risk Assessment

Data security case study

A lot of companies do V/A (vulnerability assessments) with scanners like Beyond Security or Nessus. We took a hybrid approach for an internal security assessment: a Fidelis Security Systems network DLP appliance to detect data loss vulnerabilities, and structured human interviews to identify assets and analyze business threats such as competitors who might steal designs. The objective of the study was to quantify value at risk in dollar terms and propose a cost-effective, prioritized set of security countermeasures.

You can download the data security case study and the data security report to management.


Social networks, not branded networks

Apparently people in a social network like Facebook don’t mind the ads, but they would not join a branded group, according to this article: Social network users reluctant to join branded groups.

Less than one third of social network users would be willing to join a brand’s group even with the offer of exclusive or free content, according to new research from the Internet Advertising Bureau (IAB).

This jibes with evidence we heard from colleagues regarding some well-known cases of pharmaceutical companies sponsoring content for treating cardiology problems in online forums on medical Web sites. When it became known that the content was sponsored, doctors protested and fled the site en masse. In other words, power to the people and not branding to the people. Now, if we could only get IT and IT security professionals to be as critical as doctors.


A great year for data thieves

The Verizon Business 2009 Data Breach Investigations Report was released; it headlines with 285 million data records breached in 2008:

  • 91% of attackers were organized crime
  • 74% of attacks by malicious outsiders
  • 67% of vulnerabilities due to system defects
  • 32% implicated business partners

The report must be particularly disturbing to endpoint DLP vendors focused on preventing data loss by trusted insiders on PCs: 99.6% of the breached records were taken by attackers attacking servers.

My experience with clients in the past 5 years in the data loss/extrusion prevention business has been focused on discovering internal security vulnerabilities and implementing cost-effective security countermeasures. Our findings (summarized in our Business Threat Modeling white paper), based on analyzing empirical data from 167 data loss events, point a finger at software defects as a key data loss vulnerability. The Verizon Business study suggests that the situation has only gotten worse, i.e. data breaches are rising as software quality is declining.

A conservative estimate in our research showed that 49% of the events exploited software defects, as shown in the table below. Theoretically, we can mitigate half of the risk by removing software defects in existing applications. The question, which we answer in the white paper, is how.

Aggregated vulnerability distribution by type

  Vulnerability type                          Total   Percentage
  Accidental disclosure by email                  5         3.0%
  Human weakness of system users/operators       13         7.8%
  Unprotected computers / backup media           67        40.1%
  Malicious exploits of system defects           82        49.1%
  Grand Total                                   167       100.0%

The Carnegie Mellon Software Engineering Institute (SEI) reports that 90 percent of all software vulnerabilities are due to well-known defect types (for example, using a hard-coded server password or writing temporary work files with world-read privileges). All of the SANS Top 20 Internet Security vulnerabilities are the result of “poor coding, testing and sloppy software engineering”.


The Fallacies in Obama public policy

Look at this graph

From the graph, we see that the GDP dropped dramatically from 1929 to 1932 despite fairly constant government spending on stimulus programs (although the graph does not tell the story of the jinking and shifting in the Roosevelt stimulus packages). The big uptick in GDP happened from 1935-1938 with no visible correlation to government spending and really took off as the US geared up for WWII, spending almost 50% of the GDP on defense.

In summary, regarding economic growth: empirical US economic data does not support the Obama administration thesis that it is possible to stimulate the US economy with public spending as measured by GDP. The big rush happened because the US went to war against the Nazis. It might happen if the US went to war against Islamic terror.

There are over 80,000 Federal regulations on the books (according to the FTC) and none of them prevented the current GFC. By its nature, a government is a highly inefficient operation; therefore, it’s far more effective to have a small set of easy to understand and very emphatic commandments that apply to everyone. Thou shalt not steal, for example. Now compare that with Sarbanes-Oxley.....

Regarding regulation: historical empirical data from the USSR does not support the thesis that centralistic regulation and control are sustainable strategies for a country. Heck, it doesn’t even work for a family with 4 teenagers....

Moreover, what exactly is Obama’s exit strategy for getting us out of debt to the Chinese and extricating the US from draconian regulation in 10 years, when no one will remember why and how we ended up shackling the most creative economy in the world?


Preventing intellectual property abuse

One of my pet peeves with security vendors like Symantec, Vontu, Websense and Checkpoint is marketing collateral that totally disregards the basics of security; it’s like they hired an English major straight out of school and told them to start writing. Sensitive assets, confidential assets, proprietary assets: you can make a total mishmash as long as you mention compliance, SOX and HIPAA at least 3 times in the article.

Since the business situation, corporate culture and IT infrastructure of every company is different, we believe that it is incorrect to choose security countermeasures on the basis of product features, especially when vendors provide pseudo-risk-management justification for their offering (read Andrew Jaquith on the hamster wheel of pain).

We submit that selection of security countermeasures requires measuring their effectiveness against a particular threat. Read more about this revolutionary idea on Preventing intellectual property abuse and you’ll see exactly how to choose a security product using a practical threat model; visit Practical Threat Analysis and download the free software.


Why do people commit crimes?

The president of a prospect was recently discussing with us whether Oracle IRM (information rights management) was a good way of preventing data loss, and a viable alternative to a DLP (data loss prevention) system. Rights management would appear at first blush to be orthogonal to data loss prevention, but it’s an interesting question that got me thinking.

The answer lies in understanding the fundamentals of crime.

Like any other crime, a trusted insider needs a combination of means, opportunity, and intent.

Why I am voting Likud

My friend Jacob Richman wrote a page on his web site explaining why he will vote Ichud Leumi (NUP). As a person who has traditionally voted for religious/Zionist parties – I feel compelled to answer Jacob in public.

There are a number of flaws in his arguments regarding the National Union Party (NUP):

1. The NUP doesn’t have a national agenda, i.e. they don’t have positions on economics, industry, trade, energy, environment, transportation and healthcare in their platform. They are a “one trick pony”.
The country runs on taxes; without a strong economy the entire question is moot. I believe that our future is at stake on the economic issues and since the NUP doesn’t even have an economic platform, they are non-starters in my book.

2. The NUP has neither electoral power nor post-elections political power, which brings me to my third point.

3. They are politically weak (and whatever political clout they have is generally wasted on the usual internecine politics endemic to the right and religious parties). As a result, they will never be able to keep their promise of preserving Eretz Israel to their voters. It’s like me promising you that I’ll go to the supermarket and shop for you without having enough money to pay for the groceries at the checkout counter.

4. The country is better served with 2 large parties with clear national agendas that represent large portions of the electorate. By supporting the continued existence of small parties like the NUP we weaken the democratic process, not strengthen it. Crucial national decisions must be decided on the basis of a majority vote, not on the basis of coalition in-fighting and log-rolling.


A strategic inflection point in the security industry

Compliance is like being at all the rehearsals with a sharp pencil and playing your part perfectly – but not showing up to the gig. Being inside a strategic inflection point of change is like waking up during your own murder.

Inside a strategic inflection point of change, the people inside the system are not sure what is happening and have trouble putting an analysis and a possible solution to their malaise into words. We are seeing a continued rise of data security breaches perpetrated by trusted insiders, competitors and malicious outsiders despite billions being pumped into compliance and security technology products from companies like McAfee and Symantec. I doubt that during this current recession we will see many companies look for carpet-bombing technology solutions to their data security issues.

Is the security industry approaching a strategic inflection point (SIP)?


Understanding culture reduces risk

It’s during the war on Hamas in Gaza and I got on a thread on a blog about why Islam is so violent. I explained that there are fundamental ideological differences between Islam and Judaism. For starters – Islam values land but not human life, Jews value human life and are willing to compromise on land.

On a much smaller scale, it’s important to understand the culture in your workplace and to manage in a fair process of being open and taking commitments. Technical/professional skills are not enough.

Back in the 90s, when I worked at Intel Fab8 in Jerusalem, we were chosen to train about 150 engineers for the Intel fab in Leixlip, Ireland. I had two Irish people on my team. In particular, I remember Ronnie Murray and Dympna O’Connell (she told me: pronounce my name like “Debna”, you know, like the DEC network adapter...). Dympna once worked for Digital Equipment Corporation and I spent years developing applications in VAX/VMS, so we shared a common language, the language of Digital networking equipment.

Before the Irish engineers came on board, we went through 3 days of cross-cultural training. We learned a lot, including how much Israelis and Irish are alike – strong family values, ties to country, religion (but not too much) and openness. Of course, the Irish can drink us under the table – which is probably why we had a such a great time.

My friend Isaac Botbol told me that there is a famous but true story about a Texas oil company that was intensely involved in negotiating a substantial business deal with a major company in Mexico. The American team spared no expense in flying their experts to Mexico and presenting the benefits and long term rewards of their state of the art equipment, hardware and excellent customer support. Throughout the negotiations and long hours of working together, both the Mexican and American teams developed a camaraderie and respect for each other.

The Mexicans were satisfied with the proposal and agreed to proceed with the deal. The Americans were delighted. They phoned their legal department in Houston and instructed them to fax the contract to their Mexican counterparts. Since they felt they had completed their job the American team jumped on the next flight back home.

The Mexicans were incensed! They wondered how the American team could be so rude and insensitive as to just fax a bunch of papers and expect to seal such an important deal after weeks of working closely together. The Mexican team refused to sign the contract and tried to have as little contact as possible with the American team.

Eventually, when the Americans inquired about the delay and discovered what had happened, they immediately went into damage control. For the American negotiating team, the signing of the deal meant the final phase of a process. For the Mexicans, it symbolized the beginning of a relationship. They wanted to celebrate this milestone and make it personal. They wanted this important occasion to be marked by having all the major players and their spouses, from both sides of the border, to come together and enjoy a memorable dinner.

Fortunately, this story has a happy ending because the American team was able to recover and the deal was finally signed. The lesson from this incident is quite significant because it teaches us the importance of being aware of the different cultural perspectives. While the American business stance is to be task and results oriented, the Hispanic mindset places much more emphasis on the human side of business.

When dealing with customers in Europe (especially Italy, Israel and Greece) this lesson is just as valuable. Hi-tech sales and technology management is also about understanding the cultural differences. Whether they’re your customers, colleagues or direct reports, people want to see the business as well as the human side of your leadership abilities. They want to know that despite the language differences, you genuinely care about them and the work they do. Of course this is true in every workplace, but driving home this idea and putting it into practice is much more difficult and challenging when there are different language and cultural expectations.


The financial impact of cyber threats

Kudos to ANSI for publishing a free guide to calculating cyber risk.

Better late than never: thousands of security professionals in the world use the Microsoft Threat Modeling Tool and the popular free threat modeling software PTA to calculate risk in financial terms, not to mention the thousands of other users of risk calculative methods from dozens of software companies like Palisade and Countermeasures.

The good news

It’s important that a standards body like ANSI endorse calculating cyber risk in dollar terms, directing their message to executives. Any CFO will want to see a brick and mortar calculation for justifying security investment, especially in today’s market where money is scarce and cyber-threats are abundant. I can appreciate the effort that must have been involved in getting the Homeland Security Standards Panel (HSSP), the Internet Security Alliance (ISA) and dozens of industry professionals involved.

The bad news

The ANSI document has a number of fundamental flaws:

a. It doesn’t offer practical ways of building a cost-effective, prioritized program of security countermeasures, although it talks about the multi-dimensional nature of the threats and vulnerabilities in high-level terms:

The key to understanding the financial risks of cyber security is to fully embrace its multi-disciplinary nature. Cyber risk is not just a “technical problem” to be solved by the company’s Chief Technology Officer. Nor is it just a “legal problem” to be handed over to the company’s Chief Legal Counsel; a “customer relationship problem” to be solved by the company’s communications director; a “compliance issue” for the regulatory guru; or a “crisis management” problem. Rather, it is all of these and more.

b. An additional problem with the ANSI document is that it doesn’t offer a practical risk calculation method for real life. In a real business the risk calculation is a complex multi-dimensional interplay between threats, vulnerabilities and security countermeasures that simply cannot be performed in a two-dimensional Microsoft Excel spreadsheet.

c. The real failing of the ANSI method is that it totally ignores that risk is caused by damage to assets. Although the document mentions assets: physical assets, digital assets (that if stolen are really copied…) and intangible assets (such as company reputation), it does not acknowledge that assets have financial value. Any CFO worth her salt will be able to make a reasonable judgment of corporate cyber asset value: for example, availability of the Oracle Applications financial reporting system at quarter-end, or intellectual property such as mechanical design files of products that the company manufactures.
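To make points b and c concrete, here is a small asset-based risk calculation in working code. It is an added example written for this post; it is not the ANSI guide's method and not the PTA tool's algorithm. Risk is computed as the expected annual financial damage each threat does to valued assets, scaled by the exposure of the vulnerabilities the threat depends on, and countermeasures are then prioritized by how much risk they remove against what they cost. Two modelling assumptions are built in and labelled in the comments: a threat needs all of its listed vulnerabilities, so its residual exposure is the product of their residual exposures, and several controls on the same vulnerability act independently. All asset values, probabilities and costs are constructed for the example.

```python
"""Asset-based cyber risk in dollar terms (illustrative, constructed figures)."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float              # financial value to the business, in dollars


@dataclass
class Threat:
    name: str
    probability: float        # estimated annual likelihood the threat materializes
    damage: dict              # asset name -> fraction of that asset's value lost
    vulnerabilities: list     # vulnerabilities the threat needs in order to succeed


@dataclass
class Countermeasure:
    name: str
    cost: float               # annual cost in dollars
    mitigates: dict           # vulnerability name -> fraction of exposure removed


def combined_mitigation(countermeasures):
    """Merge mitigation of several countermeasures per vulnerability.
    Assumption: independent controls, so residual exposure is the product
    of what each control leaves behind."""
    residual = {}
    for cm in countermeasures:
        for vuln, frac in cm.mitigates.items():
            residual[vuln] = residual.get(vuln, 1.0) * (1.0 - frac)
    return {vuln: 1.0 - r for vuln, r in residual.items()}


def threat_risk(threat, assets, mitigation=None):
    """Annual loss expectancy of one threat = probability * damage * exposure.
    Assumption: the threat needs every listed vulnerability, so exposure is
    the product of each vulnerability's residual exposure."""
    mitigation = mitigation or {}
    exposure = 1.0
    for vuln in threat.vulnerabilities:
        exposure *= 1.0 - mitigation.get(vuln, 0.0)
    expected_loss = sum(assets[a].value * frac for a, frac in threat.damage.items())
    return threat.probability * expected_loss * exposure


def total_risk(threats, assets, countermeasures=()):
    """Value at risk per year across all threats, given the chosen controls."""
    mitigation = combined_mitigation(countermeasures)
    return sum(threat_risk(t, assets, mitigation) for t in threats)


def prioritize(assets, threats, candidates):
    """Greedy plan: repeatedly add the countermeasure whose risk reduction
    exceeds its cost by the most, given what is already chosen; stop when no
    remaining candidate pays for itself. Returns (ordered plan, residual risk)."""
    chosen, remaining = [], list(candidates)
    current = total_risk(threats, assets, chosen)
    while remaining:
        best, best_net = None, 0.0
        for cm in remaining:
            reduction = current - total_risk(threats, assets, chosen + [cm])
            if reduction - cm.cost > best_net:
                best, best_net = cm, reduction - cm.cost
        if best is None:
            break                      # nothing left that is cost-effective
        chosen.append(best)
        remaining.remove(best)
        current = total_risk(threats, assets, chosen)
    return chosen, current


# Constructed sample data: the two asset kinds named in the post plus one more.
ASSETS = {a.name: a for a in [
    Asset("financial reporting system", 2_000_000),
    Asset("mechanical design files", 5_000_000),
    Asset("customer records", 1_500_000),
]}

THREATS = [
    Threat("competitor steals design files", 0.2, {"mechanical design files": 0.6},
           ["unencrypted file shares", "excessive access rights"]),
    Threat("reporting system down at quarter-end", 0.1, {"financial reporting system": 0.3},
           ["unpatched application server"]),
    Threat("outsider exploits web application defect", 0.3,
           {"customer records": 0.5, "financial reporting system": 0.1},
           ["unpatched application server", "web application defects"]),
]

CANDIDATES = [
    Countermeasure("patch management", 80_000, {"unpatched application server": 0.8}),
    Countermeasure("network DLP on file shares", 120_000, {"unencrypted file shares": 0.7}),
    Countermeasure("access rights review", 30_000, {"excessive access rights": 0.5}),
    Countermeasure("secure development lifecycle", 150_000, {"web application defects": 0.6}),
    Countermeasure("enterprise SIEM", 400_000, {"web application defects": 0.1}),
]

if __name__ == "__main__":
    print(f"value at risk per year: ${total_risk(THREATS, ASSETS):,.0f}")
    plan, residual = prioritize(ASSETS, THREATS, CANDIDATES)
    for cm in plan:
        print(f"  buy {cm.name} (${cm.cost:,.0f}/yr)")
    print(f"residual risk after plan: ${residual:,.0f}")
```

Run as a script, it values the constructed portfolio at $945,000 of annual risk, selects the DLP appliance, then patch management, then the access review, and stops at $159,000 residual risk because the remaining controls cost more than the risk they would remove; the expensive SIEM never makes the list even though it addresses a real vulnerability. That is the spreadsheet-defying interplay the post refers to: each control's value depends on which assets it protects, which threats need the vulnerability it closes, and which other controls are already in place.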

It’s a step in the right direction, but late in coming and lacking in scope. I hope that the document will receive wide distribution; it’s well written and easy to understand, and most executives should have no problem relating to the material and adopting and adapting it to their business situation.
