Tag Archives: Anti-Fraud

The case for a guild of security consultants

The notion of a security consultant guild is a seductive idea. Promoting quality, defining service levels and enhancing professional standing are good things, but there is a red ocean of professional forums, so I would not just jump in and start a guild.

Just take a look at forums like LinkedIn and Infosec Island – most (sometimes it feels like all…) of the folks in professional networks are independent consultants – and that makes perfect sense – we all have to eat. Yet LinkedIn cannot replace industry forums like ISACA or ISC2 that work to promote industry standards, improve security awareness, drive private-public partnerships etc.

The problem with ISC2 and similar industry lobbies is that they have vested interests, and therefore they don’t or can’t represent independent security consultants. When was the last time Raytheon called me up – asking to collaborate on a data security project for DoD – like never?

I would take some lessons from the IETF.

Any security consultant organization should have three principles: free, open, and based on vendor-neutral standards.

Note my emphasis on “Vendor-neutral standards”.  This is the secret of the success of the IETF and the Internet in general and it will be the core of the success for any group of security consultants that want to do more than kibitz in LinkedIn security forums.


Why security defenses don’t prevent data breaches

Assuming you knew why a data breach will happen, wouldn’t you take your best shot at preventing it?

Consider this:

Your security defenses don’t improve your understanding of the root causes of data breaches, and without understanding the root causes –  your best shot is not good enough.

Why is this so?

First of all – defenses are, by definition, not a means of improving our understanding of strategic threats. Think about the Maginot Line in WWI or the Bar-Lev line in 1973. Network and application security products that are used to defend the organization are rather poor at helping us understand and reduce the operational risk of insecure software.

Second of all – it’s hard to keep up. Security defense products have much longer product development life cycles than the day zero exploits written by attackers. The battle is also extremely asymmetric, as it costs millions to develop a good application firewall that can mitigate an attack that was developed at the cost of three man-months and a few Ubuntu workstations. Security signatures (even if updated frequently) used by products such as firewalls, IPS and black-box application security are no match for fast-moving, application-specific source code vulnerabilities exploited by attackers and contractors.

Remember – that’s your source code, not Microsoft.

Third – threats are evolving rapidly. Current defense in depth strategy is to deploy multiple tools at the network perimeter such as firewalls, intrusion prevention and malicious content filtering. Although content inspection technologies such as DPI and DLP are now available, current focus is primarily on the network, despite the fact that the majority of attacks are on the data – customer data and intellectual property.

The location of the data has become less specific as the notion of trusted systems inside a hard perimeter has practically disappeared with the proliferation of cloud services, Web 2.0 services, SSL VPN and convergence of almost all application transport to HTTP.

Obviously we need a better way of understanding what threats really count for our business. More about that in some upcoming posts.

More nonsense with numbers

Now it’s some lazy journalist at Information Week aiding and abetting the pseudo-statistics of the Ponemon Institute – screaming headlines of the cost of data breaches of PHI – protected healthcare information.

According to Information Week; Analysis: Healthcare Breach Costs May Reach $800 Million

Since the Health Information Technology for Economic and Clinical Health Act or HITECH Act of 2009 came to being, a number of new privacy, security and reporting and non-compliance penalty provisions went into effect. And as summarized by this report from HITRUST, there have been 108 entities who have reported security breaches since September of last year.

Those breaches comprise about 4 million people and records.

In the analysis, Chris Hourihan, Manager, CSF Development and Operations, HITRUST, used the 2009 Ponemon Institute Cost of a Data Breach Study [.pdf], which found the average cost for each record within a data breach to be $204. That’s $144 of indirect costs and $60 of direct costs. An overview of the Ponemon study is available here.

What is the connection between the Ponemon studies (sponsored by data security vendors) and the PHI leakages?

Nothing.

Why is a PII leak and a meaningless plug number of $60 relevant to PHI (which requires a combination of medical data and personal identifiers)?

Why can’t someone make a phone call and ask how much the companies actually paid in fines, and then make a few more phone calls and start estimating ancillary costs and direct costs such as legal?

Why not just multiply by the average cost of an iPhone?

After all, you can steal data with your mobile easily enough, can’t you?

Health insurer data breaches

switched.com is having trouble understanding the attack vector of a data breach.  They apparently believe that  software vulnerabilities can be mitigated by consumers “actively protecting their information”.

Hackers recently attacked WellPoint, a health insurer which reportedly covers 34 million people. As a result of the breach, the company notified 470,000 individual customers that confidential information, including medical records and credit card numbers, may have been compromised. It’s imperative that consumers actively protect their information (sic), because cyber-criminals have accessed at least 358,400,000 records belonging to U.S. citizens over the past five years. [From: CBS News]

I recommend treating passwords like  cash, but give me a break. If over 350 million credit card records have been breached, then active protection measures are useless since your credit card is already disclosed.

Together with gems of  security naiveté in the American press,  we can add another round of US-European political infighting over who has a bigger schlong.

The Solvency II European insurance supervision directive is “not as comprehensive and transparent” as US regulation, according to New York’s state insurance regulator. Jim Wrynn, superintendent of the New York State Insurance Department, also criticised efforts by stakeholders in the process of the European regulatory overhaul to deny equivalence status to the US while its state-based regulation remains in place…Wrynn was critical of (the Solvency II) approach, and described the current US model as “a well-tested and comprehensive regime”. [From: risk.net]

I suppose that AIG and WellPoint don’t count.

Data security in the cloud

It seems that, with the amorphous and rapidly evolving trend of storing data with cloud providers and in social media like Twitter and Facebook, social media and cloud computing are the next frontier of data security breaches.

And – here, we have not even solved the problem of trusted insiders.

The letter of the law is always operative, and the common denominator of the regulators (HIPAA, PCI etc.) is not to store or transmit personal information at all in the application software systems.

We are correct in identifying cloud providers as a potential vulnerability. However, storing data in the ‘cloud’ is no different from storing data in an outsourced data center and its subsequent exposure to employees, outsourcing contractors etc. If you have a medical file application, ecommerce or an online application, your best data security countermeasure is NOT to store PII at all in your application.

I personally don’t buy into technology silver bullets and data obfuscation as effective security countermeasures.   They have their utility but even if the data is obfuscated in the cloud it still traverses some interface between the data provider and the cloud provider.

In my experience, since almost all data breaches occur on the interface – adding an additional technology layer will serve to increase your value at risk not reduce it – since more complexity and more third party software only adds additional vulnerabilities and increases your threat surface.

As far as I know, there have been no documented events of PII being leaked from an infrastructure cloud provider like Rackspace or IBM. Their standards of operation and security are far better than the average business.

Notwithstanding legal definitions, regulatory standards like HIPAA and SOX tell us to do a top down risk analysis and demonstrate why the risk of leaking PII is acceptably low.

If you are developing and maintaining an online application with patient or customer data, your best bet is good application engineering and resolving your data privacy exposure issues by simply removing ePHI and PII from your systems.


Cultural factors in DLP

What is interesting and generally overlooked is the cultural difference between the US and the rest of the world. The Europeans prefer a more nuanced approach stressing discipline and procedures. The Americans are compliance driven and IT top heavy. I imagine if you look at DLP sales – 98% are in the US, being (right or wrong) compliance driven.

Last September, Forrester did a seminar in Amsterdam on data security – only 10% of the CTOs/CIOs that attended the meeting had plans to implement DLP in 2010.

The Europeans have a point – but policies and procedures are only as good as the monitoring and enforcement behind them. This is where DLP comes into play: collecting data in several realms – data channels, content and organizational anomalies (downloads, uploads etc.).

In addition – there is a strong and well-known link between the social health of employees in an organization and the company’s economic/business health.  In a successful business unit – people are happy, and happy people contribute to the success of the business.   Unhappy people don’t identify, have problems contributing and leave or cross the line to malicious behavior.

For my money (and this is my experience in a dozen DLP deployments in EMEA) – the key value add of DLP technology is not the prevention part but the monitoring part and its role in a feedback / educational loop with the organization.

If you only do one thing this year – you should start measuring data security events and using those measurements to improve your policies, procedures and systems – and user education.


Facebook disclosure cancels raid on terrorists

I want to challenge the effectiveness of top-down, monolithic security frameworks (ISO 27001/PCI DSS). I submit that rapidly changing threats – social networking, cyberstalking, social engineering and custom spyware – exploit people and system vulnerabilities but are not readily mitigated by a top-down set of security countermeasures.

The recent case of the Opsec security violation on Facebook in Israel, reported by the Jerusalem Post, is a good example of how a hierarchical organization (Army) is threatened by a flat social network. The good news was that the security countermeasure was found in the social network itself – herein lies the lesson.

The IDF was forced to cancel a recent arrest operation in the West Bank after a soldier posted information about the upcoming raid on his Facebook page. The operation was scheduled to take place several weeks ago in the Binyamin region. The soldier, from an elite unit of the Artillery Corps, posted on his Facebook page: “On Wednesday, we are cleaning out [the name of the village] – today an arrest operation, tomorrow an arrest operation and then, please God, home by Thursday.”

The status update on the soldier’s page was revealed by other members of the soldier’s unit. His commanders then updated Judea and Samaria Division commander Brig.-Gen. Nitzan Alon, who decided to cancel the operation out of concern that the mission had been compromised.

Organizations need to leave the static top down control frameworks a few times a year and look outside the organization for links and interdependencies – and talk to the soldiers in the trenches in customer service, field sales and field service.

The information you will get from people outside your firm and from people with dirty hands is far more valuable than rehashing the ISO27001 check list in an audit.

The most valuable data is from questions you haven’t asked yet – not from a checklist in an Excel spreadsheet in the hands of a junior auditor from KPMG.


Learning about change and changing your security

Reading through the trade press, DLP vendor marketing collateral and various forums on information security, the conventional wisdom is that the key threat to an organization is trusted insiders. This is arguable, since it depends on your organization, the size of the business and type of operation. However, this is certainly true at a national security level, where trusted insiders that committed espionage have caused considerable damage (MITRE Corporation – Detecting Insider Threat Behavior).

There are three core and interrelated problems in modern data security:

  1. Systems are focussed on rule-breaking (IDS, DLP, firewalls, procedures) – yet a malicious insider can engage in data theft and espionage without breaking one of the IDS/IPS/DLP rules.
  2. The rules are static (standards such as ISO 27001 or PCI DSS 1.x) or slow-moving at best (yearly IT Governance audit).
  3. Collusion between insiders and malicious outsiders is ignored, whether for espionage purposes (a handler who manipulates an employee) or for criminal purposes (stealing customer data for resale).

You may say – fine, let’s spend more time observing employee behavior and educate supervisors for tell-tale signs of change that may indicate impending involvement in a crime.

However – malicious outsiders (criminals, competitors, terrorists…) who may exploit employees in order to obtain confidential data are just another vulnerability in a whole line of business vulnerabilities. Any vulnerability must be considered within the context of a threat model – the organization has assets that are damaged by threats that exploit vulnerabilities that are mitigated by countermeasures. The organization needs to think literally outside the box and at least attempt to identify new threats and vulnerabilities.

The issue is not that employees can be bought or manipulated, the issue is that government and other hierarchical organizations use a fixed system of security controls.  In reducing the organization’s security to passive executives of defense rules in their procedures and firewalls, we ignore the extreme ways in which attack patterns change over time. Any control policy that is presumed optimal today is likely to be obsolete tomorrow.  It is a fair assumption that an organization that doesn’t change data security procedures frequently – will provide an insider with  enough means, opportunity and social connectivity to game the system and once he or she has motivation – you have a crime.

Learning about change and changing your security systems must be at the heart of day-to-day security management.


Business unit strategy for data security

At a recent seminar on information security management, I heard that FUD (fear, uncertainty and doubt) is dead, that ROI is dead and that the insurance model is dead. Information security needs to give business value. Hmm.

This sounds like a terrific idea, but the lecturer was unable to provide a concrete example similar to the purchasing justifications that companies use, like: “Yes, we will buy this machine because it makes twice as many diamond rings per hour and we’ll be able to corner the Valentine’s Day market in North America.”

The seminar left me with a feeling of frustration of a reality far removed from management theory. Intel co-founder Andy Grove said, “A little fear in an organization is a good thing.” So FUD apparently isn’t dead.

This post will help guide readers from a current state of reaction and acquisition to a target state of business value and justification for information security, providing both food for thought and practical ideas for implementation.

Most companies don’t run their data security operation like a business unit with a tightly focused strategy on customers, market and competitors. Most security professionals and software developers don’t have quotas and compensation for making their numbers.

Information security works on a cycle of threat, reaction and acquisition. It needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry, just like companies benchmark earnings per share.

In his classic Harvard Business Review article, What Is Strategy?, Michael Porter writes how “the essence of strategy is what not to choose … a strong competitive position requires clear tradeoffs and choices and a system of interlocking business activities that fit well and sustain the business.” The security of your business information also requires a strategy.

Improvement requires a well-defined strategy and performance measures, and improvement is what our customers want. With measurable improvement, we’ll be able to prove the business value of spending on security.

Ask yourself these questions:

  1. Is your information asset protection spending driven by regulation?
  2. Are Gartner white papers your main input for purchasing decisions?
  3. Does the information security group work without security win/loss scores?
  4. Does your chief security officer meet three to five vendors each day?
  5. Is your purchasing cycle for a new product longer than six months?
  6. Is your team short on head count, and not implementing new technologies?
  7. Has the chief technology officer never personally sold or installed any of the company’s products?

If you answered yes to four of the seven questions, then you definitely need a business strategy with operational metrics for your information security operation.


Data security and compliance – Best practices

Compliance is about enforcing business process – for example, PCI DSS is about getting the transaction authorized without getting the data stolen. SOX is about sufficiency of internal controls for financial reporting and HIPAA is about being able to disclose PHI to patients without leaks to unauthorized parties.

So where and how does DLP fit into the compliance equation?

Let’s start with COSO recommendations for internal controls:

“If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed…The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.”

In the attached presentation, we review data security requirements in compliance regulation, discuss provable security and show how DLP can serve both as an invaluable measurement tool of security metrics of inbound and outbound business transactions and, when required, as a last line of defense for personal account numbers.