Tag Archives: anti-virus

The death of the anti-virus

Does anti-virus really protect your data?


Additional security controls do not necessarily reduce risk.

Installing more security products is never a free lunch and tends to increase the total system risk and cost of ownership, as a result of the interaction between the elements.


Like everything else in life, security is an exercise in alternatives.

But – do you choose the right one?

Many firms see the information security issue mainly as an exercise in permissions and identity management (IDM). However, it is clear from conversations with two of our large telecom customers that (a) IDM is worthless against threats from trusted insiders with appropriate privileges and (b) since IDM systems require so much customization (as much as 90% in a large enterprise network), they actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of providing inappropriate countermeasures to threats is that your cost of attacks and ownership go up, instead of your risk going down. This is as true for a personal workstation as it is for a large enterprise network.

The question from a security perspective of an individual user is pretty easy to answer. Install a decent personal firewall (not Windows and please stay away from Symantec) and be careful.

For a business, the question is harder to answer because it is a rare company that has such deep pockets they can afford to purchase and install every security product recommended by their integrator and implement and enforce all the best-practice controls recommended by their accountants.

An approach we like is taking standards-based risk assessment and implementing controls that are a good fit to the business.

We use the quantitative threat analysis tool – PTA that enables any business  to build a quantitative risk model and construct an economically-justified, cost-effective set of countermeasures that reduces risk in their and their customers’ business environment.

More importantly, a company can execute a “gentle” implementation plan of controls concomitant with its budget instead of an all-or-nothing compliance checklist implementation that may cost mega-bucks.

And in this economy – fewer and fewer businesses have the big bucks to spend on security and compliance.

Software Associates specializes in helping medical device vendors achieve HIPAA compliance and improve the data and software security of their products in hospital and mobile environments in the best and most cost-effective way for your business and pocketbook.

Tell your friends and colleagues about us. Thanks!
Share this

What is your take on anti-virus in medical devices?

A check-box IT requirement for medical devices on the hospital network is installation of anti-virus software, even though most devices don’t have network connectivity and as a result are running outdated AV engines and signatures.

What is your take?

Should device vendors continue to install anti-virus even though it’s not effective?

Would you consider using alternative technology like application white-listing (such as the McAfee embedded security agent)?
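As an added illustration (not code from the original post or from any vendor), here is a minimal hash-based application allowlist in Python. It shows the property that makes white-listing attractive for an isolated device: the control depends on an inventory of the device’s own binaries, not on a signature feed that a non-networked device cannot refresh. The directory tree, file names and contents are constructed for the example; a real agent would hook process execution rather than check files on request.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed example of a hash-based application allowlist. Nothing here is
# vendor code; file names and contents are made up for the demonstration.


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(root: Path) -> dict:
    """Inventory every file under a known-good install tree: relative path -> sha256.

    This is done once, at device build time, when the image is trusted."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_executable(root: Path, rel_path: str, allowlist: dict) -> str:
    """Decide whether one file may run: 'allow', 'deny-unknown' or 'deny-modified'.

    Anything not in the inventory is denied by default, and an inventoried file
    whose contents no longer match its recorded hash is denied as well."""
    if rel_path not in allowlist:
        return "deny-unknown"
    full = root / rel_path
    if not full.is_file() or sha256_of(full) != allowlist[rel_path]:
        return "deny-modified"
    return "allow"


def demo() -> dict:
    """Build an allowlist from a constructed device image, then exercise the three outcomes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "pump_ctl.exe").write_bytes(b"MZ\x90\x00 constructed device binary v1")
        (root / "bin" / "ui.exe").write_bytes(b"MZ\x90\x00 constructed ui binary")
        allowlist = build_allowlist(root)

        results = {}
        # Unchanged, inventoried binary: allowed.
        results["pristine"] = check_executable(root, "bin/pump_ctl.exe", allowlist)
        # A file dropped onto the device after build time is not in the inventory.
        (root / "bin" / "dropper.exe").write_bytes(b"MZ\x90\x00 not in inventory")
        results["unknown"] = check_executable(root, "bin/dropper.exe", allowlist)
        # An inventoried binary whose contents changed is blocked too.
        (root / "bin" / "ui.exe").write_bytes(b"MZ\x90\x00 constructed ui binary PATCHED")
        results["modified"] = check_executable(root, "bin/ui.exe", allowlist)
        return results


if __name__ == "__main__":
    print(demo())
```

The deny-by-default decision is the point: a device whose software never legitimately changes between validated releases can be locked to its inventory, and the question of how old the AV signatures are simply does not arise. The trade-off is operational, since every validated software update must regenerate the inventory.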



How to remove malware from a Windows PC

We provide software security, threat modeling and threat mediation in the medical device and healthcare space working with technology developers in Israel.

How does this work?

We evaluate your healthcare software system or medical device from an attacker point of view, then from the management team point of view, and then recommend specific detailed action steps to close the gap between your product and HIPAA security and privacy requirements. We then train your product development team based on these recommendations.

Many medical devices still run on Microsoft Windows; variants of Windows XP, Windows XP embedded and Windows server systems are not uncommon.

Because Windows is a commodity operating system, designed primarily for ease of use by end-users and for application development by programmers using Visual Studio, it is not uncommon to see malware attack medical devices and healthcare information systems.

If you’re a medical device or healthtech developer using Windows platforms, one of the first action steps we recommend is to set up a security ERT (emergency response team) with a clear response plan and division of responsibilities.

The security ERT will be your first responders in the case of a data leak or malware infection.

The ERT should have a clear, well-thought-out and debugged procedure for removing malware. See this excellent malware removal guide for an example.




Why Stuxnet was developed by the Israelis

Who developed Stuxnet? Was Stuxnet developed by the Israeli Sigint unit 8200 or was it a group of Americans, Germans and Israelis working in collaboration?

There has been a flurry of articles about Stuxnet in the Israeli papers, speculating on the source of the Stuxnet virus and discussing if this is the beginning of cyber war (it isn’t…). This weekend, I saw two articles – one an opinion piece and the other a review of the technology for the readers of the daily news.

The best work yet on the topic of Stuxnet and Israel is an outstanding essay written by Caroline Glick in the Jerusalem Post on October 1, 2010 – here is an excerpt:

IF we assume that Stuxnet is an Israeli weapon, what does it show us about Israel’s position vis-à-vis its enemies? What Stuxnet shows is that Israel has managed to maintain its technological advantage over its enemies. And this is a great relief. Israel has survived since 1948 despite our enemies’ unmitigated desire to destroy us because we have continuously adapted our tactical advantages to stay one step ahead of them. It is this adaptive capability that has allowed Israel to win a series of one-off battles that have allowed it to survive.

But again, none of these one-off battles were strategic game-changers. None of them have fundamentally changed the strategic realities of the region. This is the case because they have neither impacted our enemies’ strategic aspiration to destroy us, nor have they mitigated Israel’s strategic vulnerabilities. It is the unchanging nature of these vulnerabilities since the dawn of modern Zionism that gives hope to our foes that they may one day win and should therefore keep fighting.

Israel has two basic strategic vulnerabilities.

The first is Israel’s geographic minuteness, which attracts invaders. The second vulnerability is Israel’s political weakness both at home and abroad, which makes it impossible to fight long wars.

Some Israelis have been quick to claim that the code was not sophisticated enough or that its distribution method was too sloppy to make it a military operation.

While I do not subscribe to a theory that Stuxnet signals the advent of cyber-war (targeted malware has been around for over 5 years), I think it would be naive to dismiss Stuxnet as just another virus. Underestimating threats is a third strategic vulnerability I would add to the geographic minuteness and political weakness both at home and abroad that the esteemed Ms. Glick has already mentioned.

We can only speculate on the actual intent of the Stuxnet malware – direct attacks on Iranian nuclear weapons program SCADA systems or perhaps intelligence gathering. It is possible that the rapid proliferation of Stuxnet into India, Pakistan and Indonesia is indeed an act of purposeful intelligence gathering – following the trail of removable devices and network connectivity used by people from countries collaborating with the Iranian nuclear weapons program.

Maybe, maybe not. The software developers who wrote the attack code and the Stuxnet architects are not giving out interviews, but in truth – kernel level software development and cryptographic expertise have nothing to do with it.

Like any military operation – there needs to be motive, means and opportunity – all 3 of which point at a military operation targeted at the Iranian nuclear effort and as Sun Tzu wrote – better to run quick and dirty military operations than to wait for the consequences:

I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time. Master Sun (Chapter 2 – Doing Battle, the Art of War)

Motive – Israel wants to mitigate the Iranian nuclear threat. Means – exploit software vulnerabilities in the Siemens SCADA systems (they hard-code passwords and use Microsoft Windows). Opportunity – the sooner the better.

Precisely for these reasons, and as Caroline Glick noted, Stuxnet is a one-off operation that did not have to be extremely precise – whether the mission objective was to disrupt Iranian nuclear weapons program SCADA systems or collect information.


Data security in the cloud

It seems that with the amorphous and rapidly evolving trend of storing data with cloud providers and on social media like Twitter and Facebook, social media and cloud computing are the next frontier of data security breaches.

And – here, we have not even solved the problem of trusted insiders.

The letter of the law is always operative, and the common denominator of the regulators (HIPAA, PCI etc.) is not to store or transmit personal information at all in the application software systems.

We are correct in identifying cloud providers as a potential vulnerability – however, storing data in the ‘cloud’ is no different from storing data in an outsourced data center and its subsequent exposure to employees, outsourcing contractors etc. If you have a medical file application, ecommerce or an online application – your best data security countermeasure is NOT to store PII at all in your application.

I personally don’t buy into technology silver bullets and data obfuscation as effective security countermeasures. They have their utility, but even if the data is obfuscated in the cloud it still traverses some interface between the data provider and the cloud provider.

In my experience, since almost all data breaches occur on the interface – adding an additional technology layer will serve to increase your value at risk not reduce it – since more complexity and more third party software only adds additional vulnerabilities and increases your threat surface.

As far as I know, there have been no documented events of PII being leaked from an infrastructure cloud provider like Rackspace or IBM. Their standards of operation and security are far better than the average business.

Notwithstanding legal definitions, regulatory standards like HIPAA and SOX tell us to do a top down risk analysis and demonstrate why the risk of leaking PII is acceptably low.

If you are developing and maintaining an online application with patient or customer data, your best bet is good application engineering and resolving your data privacy exposure issues by simply removing ePHI and PII from your systems.


Choosing endpoint DLP agents

There is a lot to be said for preventing data loss at the point of use, but if you are considering endpoint DLP (data loss prevention), I recommend against buying and deploying an integrated DLP/anti-virus end-point security agent. This is for 4 reasons:
  • Bloatware/system resource consumption – if you’re concerned with anti-virus system resource usage, imagine layering another 100MB of software, another 20MB of data security rules and loads of network traffic for management just for the luxury of getting a good deal from Symantec on a piece of integrated software that IT doesn’t know how to manage anyhow.
  • Software vulnerabilities – if you have issues with the anti-virus, you don’t want them affecting your data flows via the DLP agent. Imagine a user uninstalling the anti-virus and impacting the DLP agent.
  • Diversity – the strong anti-virus products have weak DLP agents – which means that the advantage of a single management platform is spurious. Having strong anti-virus software on your Windows PCs from a vendor like McAfee complements having strong data loss prevention from a company like Verdasys.
  • Not a good fit for the organization – IT manages the anti-virus, Security manages the data security, and never the twain shall meet.

Dissonance is bad for business

In music, dissonance is a sound quality which seems “unstable” and has an aural “need” to “resolve” to a “stable” consonance.

Leading up to the Al Qaeda attack on the US on 9/11, the FBI investigated, the CIA analyzed, but no one bothered to discuss the impact of Saudis learning to fly but not land airplanes.

Dissonance in organizations is often resolved by building separate silos of roles and responsibilities.

However, it is impossible to take wise decisions on risk management in the business when the risk intelligence is in separate silos.

Resolving dissonance in your business is key to getting actionable intelligence in order to reduce risk and improve compliance.

Why should I care? After all – for this we have security, risk and compliance specialists.

According to the Verizon Business Report, 285 million records were breached in 2008; 32% of the cases implicated business partners.

Information assurance of third parties that have access to your business assets is crucial for contract due diligence, complying with best practices, internal and external audit and regulation.

Due diligence of third parties that work with your business requires actionable intelligence.

Remember Madoff?

Actionable risk and compliance intelligence requires breaking down silos and recycling commonalities instead of fragmenting activities and duplicating resources.

Learn how to make that happen at our next online workshop on security management, coming this Thursday, October 29, 2009, at 10:00 Eastern, 14:00 GMT, 16:00 in Israel and Central Europe, 17:00 MT.

Go green by recycling policies and controls.

Don’t make any of the 10 data security mistakes

Register today for this free online workshop.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data. Data security is a war – when the attackers win, you lose. We will help you win more.

We help protect customer data and intellectual property from fraud and breaches of confidentiality. We’re always looking for interesting projects – call or text me at +972 54 447 1114 at any time.


The death of Google Adwords

snake oil 2.0

I don’t really understand why anyone would want to pay Google money for Adwords.

I ran a little experiment recently to promote our web sites using Google Adwords and Twitter.

Here are the results:

The results of my little online marketing experiment show a huge advantage for Twitter with focused search phrases in bios over Google Adwords with carefully chosen keywords.

Google Adwords
  • 650 extra hits in 4 weeks
  • 1 hour setting up 2 ads
  • Campaigns ran for 4 weeks, cost 1100 sheqels
  • Hit relevance – none (the keywords people actually used to arrive at the site were not the keywords I chose)

Twitter
  • 2000 extra hits in 1 day
  • 5′ in Twitter to create a user security_expert
  • 1 hour in Twellow search looking for CSO, CISO, Chief Information Security, Security Director etc. in bios (about 300 people)
  • 5′ posting 5 tweets from my blog
  • Campaign ran 1 day, cost: 0 sheqels
  • Hit relevance – good, no spam on the blog in this 24 hour period (good sign…)

Now – I have to explain to my wife why I wasted 1100 sheqels on Google instead of (insert requirement here).


USDA bans non IE browsers

The new Israeli administration has invited Microsoft to head a government IT steering committee – the item caused a bit of a ruckus in the Israeli Open Source community a few months ago – although I personally feel that, as the world’s largest software vendor, they have a lot to contribute.

Now I think we have reached a new level of Microsoft sycophancy, with the Obama administration implementing a Bush decision to standardize IT, but in a way that makes practically no sense at all – let’s ban all non-IE browsers. It’s really scary to what lengths the Obama administration will go to undo Bush policy.

“In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug. 18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed.”

It does make sense to standardize on a browser – but why standardize on the most vulnerable browser and operating system? Why not standardize on Ubuntu and FF 3 on the desktop, or standardize on diskless workstations with Citrix or TightVNC?

The full item is here – USDA unit bans browsers other than Internet Explorer
