Tag Archives: Checkpoint

The Israeli credit card breach

There are 5 reasons why credit cards are stolen in Israel. None have to do with terror; 4 reasons are cultural and the 5th is everyone’s problem: “confusing compliance with security“.

I  could write a book on mismanagement of data governance and compliance, data security, web server security, web application software security.

In 2003, I got turned on to the notion of using extrusion prevention to prevent data loss. I had the privilege to work with some of the pioneers in data loss prevention and over a period of over 5 years, I evangelized, sold, marketed, implemented and supported data loss prevention solutions in Israel and Europe. In the course of that time, I made thousands of phone calls, met hundreds of prospects and sold a dozen systems.  I  developed a unique perspective to the data security space working with both vendors and C-level decision makers in a wide variety of verticals from financial services to diamonds and telecommunications.

There is no need to state the obvious common denominators between Israeli companies and their US counterparts who have suffered the ignominy of a large scale credit card data breach: Closing the barn doors after the horses have fled, thinking it won’t happen to them, relying on their Checkpoint firewall to prevent data breaches, erroneously calling an anti-virus threat management, believing their IT outsourcing provider and equating the counting of compliance check list items with effective data security.

In this essay, I will try and enumerate what I believe are the key contributing factors behind the insecurity of most Israeli businesses.  Most are inherently cultural to Israel although the last factor (PCI DSS 2.0) is everyone’s problem.

Letting your piss go to your head

The first factor is cultural. It’s called in Hebrew  עלה לו השתן לראש.  It’s hard to translate this exactly – but a literal translation is “letting your piss go to your head”.   Arguably, this may be true for many senior executives, especially those on Wall Street who run billion dollar financial service businesses.

The difference is that in Israel, a colonel who served in the Israeli Air Force and then retired at age 45 on a full military pension to work as a VP in a publicly-held Israeli company that does $50M worth of business has more piss up his head then the CEO of IBM.  You are more likely to ascend bodily into heaven than to convince this person to be a security leader, implement robust data governance in his organization and implement strong data security countermeasures. There are many jokes about this in Israel. The one I like the most goes like this: “Why not have sex under an open window in Israel? Because, someone will leap through the window and tell you – move aside, I’ll show you how it’s done“.  As far as I can tell, this is also the root cause for Israeli politicians like Ehud Barak, Bibi and Tzipi Livni who believe that they know what is best for the Palestinians.  (Letting your success get the best of you is gender-neutral).

The Checkpoint syndrome

The second factor is also cultural. I would label it the Checkpoint syndrome. I believe that the Americans call it “NIH – Not invented here”.   It is literally almost impossible to sell an Israeli CIO on the notion of innovative data loss prevention technologies when Checkpoint hasn’t really done much in that space (granted they introduced a DLP software blade for their firewall product in 2010, 7 years after Fidelis, Vontu and Verdasys already had working technology). Port Authority, later acquired by Websense, did indeed have some success in Israel – burning $60M in VC funding and selling about 30 systems in Israel due to a related syndrome that I shall call the 8200 syndrome – which is sort of an Israeli coolness factor – like Roy Hargrove and RH Factor playing funk. A related illness, which is at epidemic levels in Israel, is the Microsoft Monoculture.  While Microsoft has correctly pigeonholed data security into data governance  the main focus of Microsoft operating systems is access control and when key system management focus is on access control then it becomes difficult for system managers to properly assess the risk from trusted insider threats – insiders who violate security policy simply because they can. עלק אבטחה.

Retaliation instead of mediation

The third factor is political.

Saber rattling is a political gesture and retaliation is not a substitute for proactive threat analysis and premeditated risk mediation.

My friend Maryellen Evans sent me this clip from the Financial Times: Israel seeks revenge for hacking

The Israeli government has threatened to retaliate against the hacker who last week published the credit card details of thousands of Israelis, with one senior official comparing the cyberattack to a “terrorist operation”. Danny Ayalon, the deputy foreign minister, warned that the attack represented “a breach of sovereignty comparable to a terrorist operation, and must be treated as such”. He added: “Israel has active capabilities for striking at those who are trying to harm it, and no agency or hacker will be immune from retaliatory action.”

Oh. I’m getting shivers at the thought of Israeli generals led by Ehud Barak retaliating against hackers.

There are 3 fundamental flaws behind this thinking (assuming someone is actually thinking like this, which may be assuming too much).

  1. Due to the asymmetrical nature of hacking, there is neither payback, nor deterrence value in threatening to send a drone aircraft to shoot a hacker in Mexico/Saudia/Albania/etc….
  2. Israeli leaders have  proven track records of threatening but not delivering on their promises (the disengagement from Gaza is a case in point) and then caving in populistic, media-driven, Jewsh-mother driven demands to trade terrorists with blood on their hands for Israelis who were drug dealing (see Elchanan Tannenbaum) or soldiers who failed in their duty (see Gilad Shalit is not a hero). As a result, Israeli leadership credibility in this respect is rather low.
  3. Threatening with retaliation is a low-cost, political do-nothing alternative to a fundamental threat analysis of the vulnerabilities in information systems, online sites and networks and careful, open and thorough implementation of strong data security countermeasures – such as locking down Web servers, outlawing Windows and securing message queue infrastructures used for B2B connectivity.

Legislation without enforcement

Several years ago, I had an interesting sales call with the CSO of Clalit, the big Israeli HMO.   I made my pitch for data loss prevention and tied it into the ability of DLP to deliver real-time monitoring and visibility and assure PHI privacy compliance. He laughed at me and said: “Listen, Danny – Israeli has a dozen privacy regulations on the books, all are relevant to PHI, but no one is serious about compliance, so we do what we think we need to do in the limitations of our budget and it is what it is.

The problem of legislation without enforcement is endemic in Israel from traffic safety to women’s rights to environmental protection: Israel is a country with more legislation and commissions of inquiry than  enforcement.   Perhaps,  a weak system of enforcement and abiding the law may be  a vestige of defense mechanisms developed while living in the Diaspora.   Certainly – the Eastern European Jews who founded Israel did not come from a background of law, order and compliance.  They came from a background of revolution and change.

Compliance  without security

Finally, we come to PCI DSS 2.0.  I have written extensively on the drawbacks of PCI DSS and here and here (The Tao of GRC) and suggest specific ways of getting credit card security right.

Perhaps the time has come to perform a vulnerability assessment of the standard itself.

In very simple terms, the biggest vulnerability of PCI DSS is that it’s about 10 years behind the curve.  When people in the PCI DSS Security Council in Europe confess to never having heard of DLP (Data loss prevention) and when the standard places an obsessive emphasis on anti-virus, you know you’re still in Kansas.

Speaking with a senior representative of PCI DSS Security Council in Europe last year, I posed some of these questions and he replied that the situation with merchants is so bad that PCI DSS is “better than nothing”.

That is pathetic isn’t it?

Perhaps we would all be better off taking the day off and hoovering our flats instead of trying to reeducate management, fix political systems, improve our data security and prevent credit card breaches.

It would certainly be cheaper.

 

 

 

Tell your friends and colleagues about us. Thanks!
Share this

Why Microsoft shops have to worry about security

I am putting together a semester-long, hands-on security training course for a local college.   The college asking me for the program showed me a proposal they got from a professional IT training company for a 120 hour information security course. They are trying to figure how to decide, so they send me the competing proposal and lo and behold, 92 out of 120 hours is about certifying people for Checkpoint firewalls and Microsoft ISA server. Here is what I told the college:

This course focuses on two Checkpoint courses CCSA and CCSE – which counts for 80 hours out of a total of 120.   Then they spend another 12 hours on Microsoft ISA server. The course only spends 8 hours on Information security management and 8 hours on application security.   From a marketing perspective, the course brochure looks slick. But not more than that.

Because of courses like this – companies have so many data breaches. After the course, the students  will know  a few buzz words and how to click through the Checkpoint UI, but they won’t understand anything about hacking software.

If you want to understand data security you have to get down into the dirt and roll up your sleeves instead of learning how to click through the Checkpoint user interface. Microsoft system administrators in particular, need to understand security and how to think about threat response and mitigation, because their thought processes have been seriously weakened by the Microsoft monoculture. They need to think about network , data security and software security threats and how to tie it all together with a practical threat analysis and Information security management approach. They can always train on Checkpoint afterwards….

This reminds me of what Paul Graham writes in his article Beating the averages

The first thing I would do… was look at their job listings… I could tell which companies to worry about and which not to. The more of an IT flavor the job descriptions had, the less dangerous the company was. The safest kind were the ones that wanted Oracle experience. You never had to worry about those. You were also safe if they said they wanted C++ or Java developers. If they wanted Perl or Python programmers, that would be a bit frightening– that’s starting to sound like a company where the technical side, at least, is run by real hackers. If I had ever seen a job posting looking for Lisp hackers, I would have been really worried.

So – if you are a real hacker, look for companies with security administrators who are certified for Microsoft ISA server and you will have nothing to worry about. But if  your targets security administrators  are facile with Wireshark, Ratproxy and Fiddler and Metasploit, then you should be really worried.

Tell your friends and colleagues about us. Thanks!
Share this

Small business data security

Here are 7 steps to protecting your small business’s data and and intellectual property in 2011 in the era of the Obama Presidency and rising government regulation.

Some of these steps are about not drinking consultant coolade (like Step # 1- Do not be tempted into an expensive business process mapping project) and others are adopting best practices that work for big business (like Step #5 – Monitor your business partners)

Most of all, the 7 steps are about thinking through the threats and potential damage.

Step # 1- Do not be tempted into an expensive business process mapping exercise
Many consultants tell businesses that they must perform a detailed business process analysis and build data flow diagrams of data and business processes. This is an expensive task to execute and extremely difficult to maintain that can require large quantity of billable hours. That’s why they tell you to map data flows. The added value of knowing data flows between your business, your suppliers and customers is arguable. Just skip it.

Step #2 – Do not punch a compliance check list
There is no point in taking a non-value-added process and spending money on it just because the government tells you to. My maternal grandmother, who spoke fluent Yiddish would yell at us: ” grosse augen” (literally big eyes) when we would pile too much food on our plates. Yes, US publicly traded companies are subject to multiple regulations. Yes, retailers that  store and processes PII (personally identifiable data)  have to deal with PCI DSS 2.0, California State Privacy Law etc. But looking at all the corporate governance and compliance violations, it’s clear that government regulation has not made America more competitive nor better managed.  It’s more important for you to think about how much your business assets are worth and how you might get attacked than to punch a compliance check list.

Step #3 – Protecting your intellectual property doesn’t have to be expensive
If you have intellectual property, for example, proprietary mechanical designs in Autocad of machines that you build and maintain, schedule a 1 hour meeting with your accountant  and discuss how much the designs are worth to the business in dollars. In general, the value of any digital, reputational, physical or operational asset to your business can be established fairly quickly  in dollar terms by you and your accountant – in terms of replacement cost, impact on sales and operational costs.  If you store any of those designs on computers, you can get free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux. That way if there is a break-in and the computer is stolen, or if you lose your notebook on an airport conveyor belt, the data will be worthless to the thief.

Step #4 – Do not store Personally identifiable information or credit cards
I know it’s convenient to have the names, phone numbers and credit card numbers of customers but the absolutely worst thing you can do is to store that data. VISA has it right. Don’t store credit cards and magnetic strip data. It will not help you sell more anyway, you can use Paypal online or simply ask for the credit card at the cash register.  Get on Facebook and tell your customers how secure you are because you don’t store their personal data.

Step #5 – Don’t be afraid of your own employees, but do monitor your business partners
Despite the hype on trusted insiders, most data loss is from business partners. Write a non-disclosure agreement with your business partners and trust them, and audit their compliance at least once a year with a face-to-face interview.

Step #6 – Do annual security awareness training but keep it short and sweet
Awareness is great but like Andy Grove said – “A little fear in the workplace is not necassarily a bad thing”. Have your employees and contractors read, understand and sign a 1 page procedure for information security.

Step #7 – Don’t automatically buy whatever your IT consultant is selling
By now – you are getting into a security mindset.  Thinking about asset value, attacks and cost-effective security countermeasures like encryption. Download the free risk assessment software and get a feel for your value at risk.  After you’ve done some practical threat analysis of your business risk exposure you will be in an excellent position to talk with your IT consultant. While most companies don’t like to talk about data theft issues, we have found it invaluable to talk to colleagues in your market and get a sense of what they have done and how well the controls perform.

Tell your friends and colleagues about us. Thanks!
Share this

Is your DLP project a failure?

Are we in the same valley of death that held  content management applications in the 90s?  Where companies spent 6-7 figures on content management from companies like Vignette and over 50% of the projects never got off the ground?

Tell me what you think in this Linked In poll – DLP success or failure

Tell your friends and colleagues about us. Thanks!
Share this

Imperfect knowledge security

A few months ago I wrote about The Black Swan of Security – how major data loss events have 3 common characteristics –

1) A major data loss event appears as a complete surprise to the company .

2) Data loss has a major impact to the point of maiming or destroying the institution (note the case of Card Systems)
3) Data loss is ‘explained’ after the fact by human hindsight (Hannaford Supermarkets, Bank of America…hackers, viruses, drive-by Wifi attacks…)

A colleague of mine, who is a mathematician by training and banking executive by vocation, saw one of my presentations on Black Swan Data Security and  told me I must read Imperfect Knowledge Economics by Professor Roman Frydman from NYU. I’ll take it out of the library, as soon as I can get over to the Hebrew U on Mount Scopus. Everything Roman Frydman and Michael D. Goldberg write about economic models surely holds true for information security today.

Why do our security threat models fail to account for what happens in in real-world and cyberspace? What drives the aggregate outcome of a multi-billion dollar security and compliance industry (1 percent of the US GDP) that fails to prevent the GFC and data leakage of over 250 million credit cards? Is “self-interest” really sufficient to understand security rationality? What is the role of history, the social context and common values in protecting digital assets and systems? How should threat models be used by policymakers and professional investors?

To paraphrase John Kay, writing about the book in The Financial Times,  “the quest for advanced security technology gets in the way of useful security countermeasures.”

Tell your friends and colleagues about us. Thanks!
Share this

Preventing intellectual property abuse

One of my pet peeves with security vendors like Symantec, Vontu, Websense and Checkpoint is marketing collateral that totally disregards the basics of security – it’s like they hired an English major straight out of school and told them to start writing. Sensitive assets, confidential assets, proprietary assets – you can make a total mishmash as long as you mention compliance, SOX and HIPPA at least 3 times in the article.

Since the business situation, corporate culture and IT infrastructure of every company is different, we believe that it is incorrect to choose security countermeasures on the basis of product features – especially when vendors provide pseudo-risk-management justification for their offering – read Andrew Jaquith on the hamster wheel of pain

We submit that selection of security countermeasures requires measuring their effectiveness against a particular threat. Read  more about this revolutionary idea on Preventing intellectual property abuse and you’ll see exactly how to choose a security product using a practical threat model – visit Practical Threat Analysis and download the free software.

Tell your friends and colleagues about us. Thanks!
Share this
cyber attacks

Are you on your firewall, while your employees are on Gmail?

 

Pop question No. 1: What percent of your employees send sensitive company documents  to their Gmail accounts?

Pop question No. 2: When you layoff 15 percent of your workforce, should you fire the information security manager a) First, b) Last or c) Give her an incentive to help ensure that a data breach of company IP and customer lists doesn’t happen

With all the 30,000 foot strategic talk from Gartner and IDC about enterprise risk management – I think that most CEOs are blindsided when a data breach happens – having ignored issues of data theft during organizational changes or assuming that  information security is a “given”.

In a large firm – the CEO delegates the responsibility to the CISO, who has a dedicated team for security and compliance. In smaller companies that don’t have dedicated security  functions, the responsibility for information security falls on the IT department.  IT tends to see security as a technical overhead that gets in the way of running the ERP systems. IT security becomes a issue of  security products,  policies and procedures for appropriate Internet usage.

A company with current best-practice security such as Checkpoint firewalls, ISS IPS, Symantec SIM (security information management system)  will be  totally unaware that most of their employees send company documents to their personal Google mail accounts on a regular basis.

Monitoring of outbound mail based on some fairly simple metadata parameters (like filetype and email domains) can be a highly effective way of improving data security.   You don’t necassarily need to do deep content inspection but you must be prepared to monitor for violations and act quickly on corrective action.  It’s as simply as seeing the event in real time with an extrusion detection system like Fidelis Security Systems XPS and walking over to the employee and asking her not to send the company’s 2009 sales forecast to a private Google mail account.

Tell your friends and colleagues about us. Thanks!
Share this