Tag Archives: Data leakage

How can we convince our VP that a network-based DLP makes sense?

My colleague Michel Godet sent me a link to an article that Mike Rothman recently wrote.

Michel (rightly) thinks that it supports the approach we have been pushing in Europe for over a year now: justify data security technology investments with Value at Risk (VaR) calculations.

Mike's article, building a business case for security, is good. I agree with most of what he writes (I would have commented, but SearchSecurity doesn't allow comments on their Ask The Security Expert: Questions & Answers articles).

So I will use my own blog to post a couple of comments (I should probably ping Mogull on this too, but I lost his email).

1) I agree that if you can't get past the first energy barrier of concern with information protection, then you are a non-starter for DLP (or any data security technology, for that matter). It must fit the business needs; otherwise it's like trying to sell a trombone to a violinist. Total waste of time.

However, once you get past the first road block, the business problem for security investment is:

What is your value at risk, what are the right security countermeasures, and are they cost-effective? Not: what are the vendors selling this quarter.

There is no reason in the world why data security should be any different than any other IT investment.

2) I totally disagree that looking only at a network-based DLP product is inherently limiting. Just because a few vendors like Websense and Symantec have integrated endpoint and gateway products doesn't make them cost-effective data security countermeasures, ensure the success of the project or prevent the next data breach.

Let me submit three counter-examples:

A) Suppose all your sensitive data is in the cloud. Then maybe network DLP is a good fit.

B) Suppose all your endpoints are in the cloud. Then maybe endpoint DLP is a good fit.

C) Suppose all your sensitive data is on notebooks. Then maybe encryption is the right countermeasure to data loss.

The answer is that you have to measure stuff: measure your people, process and system vulnerabilities and where your assets are headed. After that you need to estimate your VaR, and only THEN start thinking about the people, process and technology countermeasures.

BTW, I've been saying this for years:

October 28, 2004 –  A guide to buying extrusion prevention products

March 17, 2005 – How to justify Information security spending

Now if only we could find a way to monetize being right.

Tell your friends and colleagues about us. Thanks!

How to valuate information assets

A client recently asked:

How do I assign a dollar value to an asset? Should I use the purchase value of the asset, replacement value or expected damage to the company if the asset were stolen or exploited?

Estimating asset value is without doubt the most frequent question we get when it comes to calculating data security risk in monetary terms. There are several practical guidelines for measuring information assets value:

  • Use the right metric. A common mistake made by marketeers who work for data security vendors is to estimate the cost of a data security breach as the number of records multiplied by some plug number. The cost of a data security breach to a company is not the same as the cost of a breached customer record to the customer. A customer may not even know that her credit card number has been breached (considering that 250 million credit card numbers have been stolen in the past few years, it is a reasonable assumption that your credit card number is known to someone who stole it), but your cost is zero, isn't it?
  • Ask an expert, usually the CFO. The expert can and should provide confidence intervals for the estimate. The CFO is the best source and best equipped to decide whether replacement value, purchase value (depreciated) or opportunity cost is the relevant metric for the value of an asset. It's OK if your CFO says that company IP is worth $50 million with a confidence level of 85%. If you do a practical threat modeling exercise, you will be able to test the sensitivity of your threat model to the confidence boundaries.
  • Use test equipment. For example, if the cost of acquiring a customer is $50, you can write a SQL query to find out how many customers you have and multiply by $50. Looking at the Fixed Assets and GL modules is another example of using test equipment. If you have to measure the number of credit card numbers in clear text circulating on your network, I suggest network surveillance.
  • Use random sampling from a population of asset value estimators. The Rule of Five says that there is a 93% chance (93.75%, to be exact) that the median of a population lies between the smallest and largest values in a random sample of five drawn from it. So, if you have to estimate the value of a digital asset like intellectual property, you can ask five people for their estimate: for example, the CFO, the CTO, a customer, your VP marketing and a software developer who worked for one of your competitors.
  • Measure in small increments and be prepared to iterate. In other words, when you do a threat model exercise, take small steps: measure 5-10 asset values and move on from there. Most of the information value is gained at the beginning of a measurement exercise, and most companies measure things that have zero information value to the business because they are easy to measure (for example, how many ssh password attacks were made on company web servers) instead of the important things, like the value of a field service engineer diagnostic database that is distributed to notebook computers.
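To see where the Rule of Five's 93% figure comes from, and how to turn five estimates into a bracket once you have them, here is an added Python example (mine, not from the original post). The population of "true" asset values is a constructed, seeded lognormal draw and the five IP estimates are made up; both are assumptions standing in for real numbers.

```python
"""Rule of Five check (added example; the population and estimates are constructed)."""
import random
import statistics


def rule_of_five_probability(n=5):
    """Probability that the min..max of n random draws brackets the population median.

    Each draw lands below the median with probability 1/2, so all n land on the
    same side with probability 2 * (1/2)**n. For n = 5 that is 1/16: the bracket
    misses the median 6.25% of the time and contains it 93.75% of the time.
    """
    return 1.0 - 2.0 * (0.5 ** n)


def build_population(size=10_001, seed=7):
    """Constructed 'true' asset values: a skewed (lognormal) spread around ~$24M."""
    rng = random.Random(seed)
    return [rng.lognormvariate(17.0, 1.0) for _ in range(size)]


def simulate_rule_of_five(population, n=5, trials=20_000, seed=1):
    """Monte Carlo: fraction of n-draw brackets that contain the population median."""
    rng = random.Random(seed)
    median = statistics.median(population)
    hits = 0
    for _ in range(trials):
        sample = rng.sample(population, n)
        if min(sample) <= median <= max(sample):
            hits += 1
    return hits / trials


def bracket_estimate(estimates):
    """Turn five or more independent estimates into a low/high bracket and a point estimate."""
    if len(estimates) < 5:
        raise ValueError("the Rule of Five needs at least five estimates")
    return {
        "low": min(estimates),
        "high": max(estimates),
        "median": statistics.median(estimates),
        "confidence": rule_of_five_probability(len(estimates)),
    }


# Five made-up estimates of company IP value (CFO, CTO, customer, VP marketing,
# developer who worked for a competitor), in dollars.
IP_ESTIMATES = [50e6, 20e6, 5e6, 80e6, 35e6]

if __name__ == "__main__":
    print(rule_of_five_probability())                 # 0.9375
    print(simulate_rule_of_five(build_population()))  # close to 0.94
    print(bracket_estimate(IP_ESTIMATES))
```

The bracket is wide (here $5M to $80M), which is the point: it is a calibrated statement you can plug into a VaR sensitivity test, not a spuriously precise single number.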
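The network surveillance measurement in the "test equipment" item, as an added example that is not part of the original post: a Luhn-validated scanner that counts clear-text card numbers in captured payloads. The payload lines are constructed (the card numbers are the well-known public test numbers, not real accounts); in a real deployment the input would be reassembled flows from a network tap, and only the masked form should ever be logged.

```python
"""Count clear-text card numbers in captured payloads (added example; payloads are constructed)."""
import re

# 13-19 digits, optionally grouped with single spaces or dashes, not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit-only PANs in text that pass the length and Luhn filters."""
    pans = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn rejects most order and phone numbers; the set() test drops runs like 0000...0.
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask(pan):
    """Keep the first six and last four digits; a DLP sensor must never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_payloads(payloads):
    """Return (line index, masked PAN) for every valid card number found."""
    hits = []
    for idx, line in enumerate(payloads):
        for pan in find_pans(line):
            hits.append((idx, mask(pan)))
    return hits


# Constructed payload lines standing in for reassembled flows from a network tap.
SAMPLE_PAYLOADS = [
    "POST /checkout card=4111111111111111 exp=12/27",   # valid Visa test number
    "Order 1234567890123456 shipped",                   # 16 digits, fails Luhn
    "card: 5500 0000 0000 0004 cvv=***",                # valid, space-separated
    "amex 3782-822463-10005 ok",                        # valid 15-digit, dash-separated
    "typo 4111111111111112",                            # fails Luhn
    "phone +1 555 0100 1234",                           # too short to be a PAN
]

if __name__ == "__main__":
    for idx, masked in scan_payloads(SAMPLE_PAYLOADS):
        print(f"line {idx}: {masked}")
    print(f"{len(scan_payloads(SAMPLE_PAYLOADS))} clear-text card numbers")
```

The count is the measurement the post asks for; the Luhn filter is what keeps it from being inflated by order numbers and other 16-digit identifiers, which is the usual reason naive regex-only DLP rules produce unusable numbers.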

Data security for SMB

Yesterday I gave a talk at our Thursday security webinar about data security for SMB (small to mid-sized businesses).

I've been thinking about DLP solutions for SMB for a couple of years now; the market didn't seem mature, or perhaps SMB customer awareness was low, but with the continued wave of data security breaches, everyone is aware. The DLP vendors like Verdasys, Fidelis and Vontu (now Symantec) have traditionally focused on Global 1000 companies, but Infowatch is now preparing a product specifically tailored to the SMB market's business requirements and pocket. There are about 10 million SMBs in the world, so this would appear to be a fertile market for both attackers and defenders.


It’s My Way or “La Puerta”

The role of a supervisor in protecting company data.

There is a feeling of entitlement in the Western world that enables employees to use company resources for private purposes. If you can use a pencil, you can use a phone; if you can use a phone, you can use your PC to surf the Net on a break. If you can surf the Net, you can look for a job, and if you can look for a job on company time on a company PC, then the next step is sending proprietary company files (files you consider your "own") to a private Gmail or FTP account just before you leave the company and take that job.

Although entitlement may be a root cause of trusted insider data theft, I doubt we can change Western culture by playing a game of ain’t it  awful.

A group manager, supervisor or team leader must temper this entitlement with personal example and appropriate use of emphatic and uncompromising demands to protect company assets and prevent information leaks.

However, sometimes an uncompromising demand to meet company data security policy can turn into intimidation. As my friend Isaac Botbol writes in his newsletter on English Communication Skills for Hispanics in the Workplace:

Although intimidation is a negative motivator, it is still a powerful motivator. It implies that there are dire consequences for not following “orders” or instructions such as: “do what I say, or else.” Many front line Hispanic employees have often heard the clear threat behind the message: “si no te gusta, allí esta la puerta” which means “if you don’t like it, there’s the door.”

Leading through intimidation may be a sign of a problem between the supervisor and her manager. In many Israeli companies there are senior managers who are retired senior officers in the Israeli Army. This may result in a management style based on giving and taking orders. The result may be a supervisor who resents her manager and an employee who doesn't care anyway (in Hebrew it sounds a lot better: "Zrikat Zayin", זריקת זין, roughly "not giving a damn").

To paraphrase my friend Isaac:

By taking a personal interest in developing the leadership skills of your front line supervisors, you’ll be on your way to creating a win-win situation for protecting company data and preventing data leakage.


Product counterfeiting in aerospace industry

This seems to be my weekend for product counterfeiting. I was in Tel Aviv last week on Dizengoff and picked up a couple of paperbacks at the "Book Junkie" bookstore for 5 sheqels a book (that's about $1.25!). One of them was Michael Crichton's novel Airframe (the book is genuine, and they have an amazing collection of really cheap paperbacks).

I won't give away the plot (you can read the outline on Wikipedia), but it's a good read and it underscores a point that is extremely familiar to data security / data loss prevention practitioners: namely that human error and poor training, not sophisticated technology, is usually the root cause of an event. Although a number of counterfeit parts were discovered in the wing slats, it was a person not type-certified for the aircraft who caused the death of 4 people.


Three simple ways of preventing data loss

Speak software and carry a big stick

When I was a solid state physics grad student at Bar Ilan, I had two advisors, Prof. Nathan Aviezer and Prof. Moshe Kaveh (who is now the President of the university). Aviezer was fond of saying that he only does simple things. I was calculating the electrical conductivity of aluminum at low temperatures, and due to singularities of the 2OPW approximation of the Fermi surface it was anything but simple. Still, doing simple things is a life lesson that I've tried, but not always succeeded, to keep.

So – how do we make data loss prevention (DLP) simple, or at least a lot simpler than it is today?


N Digital TV data breach in Poland


Polish digital TV broadcaster N (owned by ITI Neovision) has disclosed a breach of customer data records, after PII was discovered accidentally on the Net by a subscriber via a search engine.

The partner who manages our offices in Warsaw (the team specializes in high end data security consulting and DLP projects in Central Europe) called me this morning after hearing about the data loss event on the radio on the way to work.

The details are fairly typical for a telecommunications service provider.


Exploiting a wireless mesh network for utilities


I think it’s only a matter of time before someone exploits a wireless mesh network that controls and reads home utility meters to get free water and electricity.

Until then, there is a problem of range and coverage.

Greentech Media reports that Trilliant (a smart meter neighborhood networking startup) has bought SkyPilot for its long-range, WiFi-based communications. SkyPilot (with over 500 customers in 50 countries, including utilities, wireless Internet service providers (WISPs) and municipal agencies, and deployments exceeding 50,000 devices) will help Trilliant get to the next stage.

Imperfect knowledge security

A few months ago I wrote about The Black Swan of Security: how major data loss events have three common characteristics.

1) A major data loss event appears as a complete surprise to the company.

2) Data loss has a major impact, to the point of maiming or destroying the institution (note the case of CardSystems).

3) Data loss is 'explained' after the fact by human hindsight (Hannaford Supermarkets, Bank of America... hackers, viruses, drive-by WiFi attacks...).

A colleague of mine, who is a mathematician by training and a banking executive by vocation, saw one of my presentations on Black Swan Data Security and told me I must read Imperfect Knowledge Economics by Professor Roman Frydman of NYU. I'll take it out of the library as soon as I can get over to the Hebrew U on Mount Scopus. Everything Roman Frydman and Michael D. Goldberg write about economic models surely holds true for information security today.

Why do our security threat models fail to account for what happens in the real world and in cyberspace? What drives the aggregate outcome of a multi-billion dollar security and compliance industry (1 percent of the US GDP) that fails to prevent the GFC and the leakage of over 250 million credit cards? Is "self-interest" really sufficient to understand security rationality? What is the role of history, the social context and common values in protecting digital assets and systems? How should threat models be used by policymakers and professional investors?

To paraphrase John Kay, writing about the book in The Financial Times: "the quest for advanced security technology gets in the way of useful security countermeasures."
