What a simple idea. It doesn’t matter how they break into your network or servers – if attackers can’t take out your data, then you’ve mitigated the threat.

Data loss prevention is a category of information security products that has matured from Web / email content filtering products into technologies that can detect unauthorized network transfer of valuable digital assets such as credit cards. This paper reviews the motivation for and the taxonomies of advanced content flow monitoring technologies that are being used to audit network activity and protect data inside the network.

Motivation – why prevent data loss?

The majority of hacker attacks and data loss events are not on the IT infrastructure but on the data itself.  If you have valuable data (credit cards, customer lists, ePHI) then you have to protect it.

Content monitoring has traditionally meant monitoring of employee or student surfing and filtering out objective content such as violence, pornography and drugs. This sort of Web content filtering became “mainstream” with wide-scale deployments in schools and larger businesses by commercial closed source companies such as McAfee and Bluecoat and Open Source products such as Censor Net and Spam Assassin. Similar signature-based technologies are also used to perform intrusion detection and prevention.

However, starting in 2003, a new class of content monitoring products started emerging that is aimed squarely at protecting firms from unauthorized “information leakage”, “data theft” or “data loss” no matter what kind of attack was mounted. Whether the data was stolen by hackers, leaked by malicious insiders or disclosed via a Web application vulnerability, the data is flowing out of the organization. The attack vector in a data loss event is immaterial if we focus on preventing the data loss itself.

The motivation for using data loss prevention products is economic not behavioral; transfer of digital assets  such as credit cards and PHI by trusted insiders or trusted systems can cause much more economic damage than viruses to a business.

Unlike viruses, once a competitor steals data you cannot reformat the hard disk and restore from backup.

Companies often hesitate from publicly reporting data loss events because it damages their corporate brand, gives competitors an advantage and undermines customer trust no matter how much economic damage was actually done.

Who buys DLP (data loss prevention)?

This is an interesting question. On one hand, we understand that protecting intellectual property, commercial assets and compliance-regulated data like ePHI and credit cards is  essentially an issue of  business risk management. On the other hand, companies like Symantec and McAfee and IBM sell security products to IT and information security managers.

IT managers focus on maintaining predictable execution of business processes not dealing with unpredictable, rare, high-impact events like data loss.  Information security managers find DLP technology interesting (and even titillating – since it detects details of employee behavior, good and bad) but an  information security manager who buys Data loss prevention (DLP) technology is essentially admitting that his perimeter security (firewall, IPS) and policies and procedures are inadequate.

While data loss prevention may be a problematic sale for IT and information security staffers, it plays well into the overall risk analysis,  risk management and compliance processes of the business unit.

Data loss prevention for senior executives

There seem to be three schools of thought on this with senior executives:

1. One common approach is to ignore the problem and brush it under the compliance carpet using a line of reasoning that says “If I’m PCI DSS/HIPAA compliant, then I’ve done what needs to be done, and there is no point spending more money on fancy security technologies that will expose even more vulnerabilities”.
2. A second approach is to perform passive data loss detection and monitor flow of data(like email and file transfers) without notifying employees or the whole world. Anomalous detection events can then be used to improve business processes and mitigate system vulnerabilities. The advantage of passive monitoring is that neither employees nor hackers can detect a Layer 2 sniffer device and a sniffer is immune to configuration and operational problems in the network. If it can’t be detected on the network. then this school of thought has plausible deniability.
3. A third approach takes data loss prevention a step beyond security and turns it into a competitive advantage. A smart CEO can use data loss prevention system as a deterrent and as a way of enhancing the brand (“your credit cards are safer with us because even if the Saudi hacker gets past our firewall and into the network, he won’t be able to take the data out”).

A firewall is not enough

Many firms now realize that a firewall is not enough to protect digital assets inside the network and look towards incoming/outgoing content monitoring. This is because: 

1. The firewall might not be properly configured to stop all the suspicious traffic.

2. The firewall doesn’t have the capability to detect all types of content, especially embedded content in tunneled protocols.

3. The major of hacker attacks and data loss events are not on the IT infrastructure but on the data itself.

4. Most hackers do not expect creative defenses so they assume that once they are in, nobody is watching their nasty activities.

5. The firewall itself can be compromised. As we have more and more Day-0 attacks and trusted insider threats, so it is good practice to add additional independent controls.

Detection

Sophisticated incoming and outgoing (data loss prevention or DLP) content monitoring technologies basically use three paradigms for detecting security events

1. AD- Anomaly Detection – describes normal network behavior and flags everything else
2. MD- Misuse Detection – describes attacks and flags them directly
3. BA – Burglar alarm – describes abnormal network behavior (“detection by exception”)

In anomaly detection, new traffic that doesn’t match the model is labeled as suspicious or bad and an alert is generated. The main limitation of anomaly detection is that if it is too conservative, then it will generate too many false positives (a false alarm) and over time the analyst will ignore it. On the other hand, if a tool rapidly adapts the model to evolving traffic change, then too little alerts will be generated and the analyst will again ignore it.

Misuse detection describes attacks and flags them directly, using a database of known attack signatures and constantly tries to match the actual traffic against the database. If there is a match, an alert is generated. The database typically contains rules for:

1. Protocol Stack Verification – RFC’s, ping of death, stealth scanning etc.
2. Application Protocol Verification – WinNuke , invalid packets that cause DNS cache corruption etc.
3. Application Misuse – misuse that causes applications to crash or enables a user to gain super user privileges; typically due to buffer overflows or due to implementation bugs.
4. Intruder detection. Known attacks can be recognized by the effects caused by the attack itself. For example, Back Orifice 2000 sends traffic on default port is 31337
5. Data loss detection – for example by file types, compound regular expressions, linguistic and/or statistical content profiling. Data loss prevention or detection needs to work at a much higher level than intrusion detection – since it needs to understand file formats and analyze the actual content such as Microsoft Office attachments in a Web mail session as opposed to doing simple pattern matching of an http request string.

Using a burglar alarm model, the analyst needs deep understanding of the network and what should not happen with it. He builds rules that model how the monitored network should conceptually work, in order to generate alerts when suspicious traffic is detected. The richer the rules database, the more effective the tool. The advantage of the burglar alarm model is that a good network administrator can leverage his knowledge of servers, segments and clients (for example a Siebel CRM server which is a client to a Oracle database server) in order to focus-in and manage-by-exception.

What about prevention?

Anomaly detection is an excellent way of identifying network vulnerabilities but a customer cannot prevent extrusion events based on general network anomalies such as usage of anonymous ftp. In comparison there is a conceptual problem with misuse detection. If misuse is detected then unless the event can be prevented (either internally with a TCP reset, by notifying the router or firewall) – then the usefulness of the devices is limited to forensics collection.

What about security management?

SIM – or security information management consolidates reporting, analysis, event management and log analysis. There are a number of tools in this category – Netforensics is one. SIM systems do not perform detection or prevention functions – they manage and receive reports from other systems. Checkpoint for example is a vendor that provides this functionality with partnerships.

Summary

There are many novel DLP/data loss prevention products, most provide capabilities far ahead of both business and IT infrastructure management that are only now beginning to look towards content monitoring behind the firewall.

DLP (Data loss prevention) solutions join an array of content and application-security products around the traditional firewall. Customers are already implementing a multitude of network security products for Inbound Web filtering, Anti-virus, Inbound mail filtering and Instant Messaging enforcement along with products for SIM and integrated log analysis.

The industry has reached the point where the need to simplify and reduce IT security implementation and operational costs becomes a major purchasing driver, perhaps more dominant than any single best-of-breed product.

Perhaps data loss prevention needs to become a network security function that is part of the network switching fabric; providing unified network channel and content security.

Software Associates helps healthcare customers design and implement such a unified network channel and enterprise content security solution today enabling customers to easily define policies such as “No Instant Messaging on our network” or “Prevent patient data leaving the company over any channel that is not an authorized SSH client/server”.

For more information contact us.

I have written here, here and here about how to reduce the risk of a data breach of a web site.

Not to rain on the media party, but the actual cost to a online marketer of a hacker breaching a web site or defacing the web site could be very low since card-holders are covered by the credit card issuers and as long as the online commerce site continues operation, a temporary revenue dip might be offset by additional visits to the publicity.

Then again, the cost of a data breach to your operation could be very high, especially if you scrimp on security.

So – what is the right answer?

The right answer is the right security for your web site at the right cost to your pocket, not what Symantec says or what Microsoft says but what your risk assessment says.

In order to implement the most cost-effective security for your web site, you need to do a risk assessment that takes into consideration the value of your assets, the probability of attacks,  current vulnerabilities of your web site and operation (don’t forget that trusted insiders may be the more significant vulnerability in your operation) and possible countermeasures, including the cost of said countermeasures.

Sounds complex, right?

Actually – performing a threat analysis of  your web site can be a fairly straightforward exercise using the free risk assessment software provided by PTA Technologies.

You can download the free risk assessment software here and start improving your security today.

Any questions – feel free to reach out to the professional software security consultants in Israel at Software Associates.

Software Associates specializes in helping medical device and healthcare vendors achieve HIPAA compliance and improve the data and software security of their products in hospital and mobile environments.

The first question any customer asks us regarding HIPAA compliance is how little he can spend. Not how much he should spend. This means we need simple and practical strategies to reduce the risk of data breaches.

There are 2 simple strategies to reduce the risk of data breach, one is technical, one is management:

1. Use real time detection of security events to  directly protect your customers. 
2. Build your security portfolio around specific threat scenarios (e.g a malicious employee stealing IP, a business partner obtaining access to confidential commercial information, a software update exposing PHI etc…) and use the threat scenarios to drive your service and product acquisition process.

Use real-time detection to directly protect your customers

Systems like ERM, SIM and Enterprise information protection are enterprise software applications that serve the back-office business of security delivery; things like log analysis and saving on regulatory documentation. Most of these systems excel at gathering and searching large volumes of data while providing little evidence as to the value of the data or feedback into improving the effectiveness of the current security portfolio.

Enterprise IT security capabilities do not have  a direct relationship with improving customer security and privacy even if they do make the security management process more effective.

This not a technology challenge but a conceptual challenge: It is impossible to achieve a meaningful machine analysis of  security event data in order to improve customer security and privacy using data that was uncertain to begin with, and not collected and validated using standardized evidence-based methods

Instead of log analysis we recommend real-time detection of events. Historical data in  log files  has little intrinsic value in the here-and-now process of event response and mediation.

1. Use DLP (data loss prevention) and monitor key digital assets such as credit cards and PHI for unauthorized outbound transfer.  In plain language – if you detect credit cards or PHI in plain text traversing your network perimeter or removable devices, then you have just detected a data breach in real time, far cheaper and faster than mulling through your log files after discovering 3 months later that a Saudi hacker stole 14,000 credit cards from an unpatched server.
2. Use your customers as early warning sensors for exploits. Provide a human 24×7 hotline that answers on the 3d ring for any customer who thinks they have been phished or had their credit card or medical data breached.  Don’t put this service in the general message queue and never close the service.   Most security breaches become known to a customer when they are not at work.

Build your security portfolio around specific threat scenarios

Building your security portfolio around most likely threat scenarios makes sense.

Nonetheless, current best practices are built around compliance checklists (PCI DSS 2.0, HIPAA security rule, NIST 800 etc…) instead of most likely threat scenarios.

PCI DSS 2.0 has an obsessive preoccupation with anti-virus.  It does not matter if you have a 16 quad-core Linux database server that is not attached the Internet with no removable device nor Windows connectivity. PCI DSS 2.0 wants you to install ClamAV and open the server up to the Internet for the daily anti-virus signature updates. This is an example of a compliance control item that is not rooted in a probable threat scenario.

When we audit a customer for HIPAA compliance or perform a software security assessment of an innovative medical device, we think in terms of “threat scenarios”, and the result of that thinking manifests itself in planning, penetration testing, security countermeasures, and follow-up for compliance.

In current regulatory compliance based systems like PCI DSS or HIPAA, when an auditor records an encounter with the customer, he records the planning, penetration testing, controls, and follow-up, not under a threat scenario, but under a control item (like access control). The next auditor that reviews the  compliance posture of the business  needs to read about the planning, testing, controls, and follow-up and then reverse-engineer the process to arrive at which threats are exploiting which vulnerabilities.

Other actors such as government agencies (DHS for example) and security researchers go through the same process. They all have their own methods of churning through the planning, test results, controls, and follow-up, to reverse-engineer the data in order to arrive at which threats are exploiting which vulnerabilities

This ongoing process of “reverse-engineering” is the root cause for a series of additional problems:

• Lack of overview of the the security threats and vulnerabilities that really count
• No sufficient connection to best practice security controls, no indication on which controls to follow or which have been followed
• No connection between controls and security events, except circumstantial
• No ability to detect and warn for negative interactions between countermeasures (for example – configuring a firewall that blocks Internet access but also blocks operating system updates and enables malicious insiders or outsiders to back-door into the systems from inside the network and compromise  firewalled services).
• No archiving or demoting of less important and solved threat scenarios (since the data models are control based)
• Lack of overview of security status of a particular business, only a series of historical observations disclosed or not disclosed.  Is Bank of America getting better at data security or worse?
• An excess of event data that cannot possibly be read by the security and risk analyst at every encounter
• Confidentiality and privacy borders are hard to define since the border definitions are networks, systems and applications not confidentiality and privacy.

There are 6 key business requirements for medical device security:

1. Prevent data leakage of ePHI (electronic protected health information) via the device itself, the management system and or the hospital information system interface.
2. Ensure availability of the medical device
3. Ensure integrity of the operation and data of the medical device
4. Ensure that a networked or mobile medical device cannot by exploited by malicious attackers to cause damage to the patient
5. Ensure that a networked or mobile medical device cannot by exploited by malicious attackers to cause damage to the hospital enterprise network

Just like theft, data is leaked or stolen because it has value, otherwise the employee or contractor would not bother.  There is no impact from leakage of trivial or universally available information.  Sending a  weather report by mistake to a competitor obviously will not make a difference.

The financial impact of a data breach is directly proportional to the value of the asset. Imagine an insurance company obtaining PHI under false pretenses, discovering that the patient had been mistreated, and suppressing the information.  The legal exposure could be in the millions.  Now consider a data leakage event of patient names without any clinical data – the impact is low, simply because names of people are public domain and without the clinical data, there is no added value to the information.

But why, does data leak?

The main reason is people. People handle electronic data and make mistakes or do not follow policies. People are increasing conscious that information has value – All information has some value to someone and that someone may be willing to pay or return a favor. This is an ethical issue which is best addressed by direct managers leading from the front and by example with examples of ethical behavior.

People are tempted or actively encouraged to expose leaked/lost data – consider Wikileaks and data leakage for political reasons as we recently witnessed in Israel in the Anat Kamm affair.

People maintain information systems and make mistakes, leave privileged user names on a system or temporary files with ePHI on a publicly available Windows share.

People design business processes and make mistakes – creating a business process for customer service where any customer service representative can see any customer record creates a vulnerability that can be exploited by malicious insiders or attackers using APT (Advanced Persistent Threat Attacks) that target a particular individual in a particular business unit – as seen in the recent successful APT attack on RSA, that targeted an HR employee with an Excel worksheet containing malware that enabled the attackers to steal SecurID token data,  and then use the stolen tokens to hack Lockheed Martin.

According to Wikipedia, APT attacks utilize traditional attack vectors such as malware and social engineering, but also extend to advanced attacks such as satellite imaging. It’s a low-and-slow attack, designed to go undetected.  There is always a specific objective behind it, rather than the chaotic and organized attacks of script kiddies.

Faced with a steep bill for securing a new cloud application, a client asked us to help find a way to reduce their risk exposure at the lowest possible cost. By using the Business Threat Modeling methodology and PTA (Practical Threat Analysis) software, we were able to build a risk mitigation plan that mitigated 80% of the total risk exposure in dollars at half the original security budget proposed by the vendor.

This paper describes a customer case study of a risk analysis for a next generation call accounting system provided as a cloud service. A private medical school (let’s call them Campton College – some of the names have been deliberately changed for privacy reasons), needed to replace an aging call accounting system, which frequently lost call records and lacked the capability to provide unified campus-wide telephony billing features. Campton wanted to implement and operate an integrated Web based call accounting system that would service student dorms and administrative departments. The institution contracted with TACS, a call accounting solution provider, to replace the old software and provide a modern, Web-based managed application service that would be cheaper to maintain and easier to use. Prior to implementing the TACS managed call accounting services, Campton retained Software Associates in order to help them perform a risk assessment of the SaaS call accountingsolution.

The TACS managed call accounting service in a nutshell

TACS offers small to mid-sized organizations a managed software as a service application for call accounting that includes basic billing functionality and is capable of collecting and processing call detail records from variety of sources. The Web-based user interface caters to four different types of users: PBX technicians, administrators, phone users and organization managers.

Technicians - TACS technicians are responsible for installing the CDR (call detail records) buffer devices connected to the PBXs for accumulating the calls. A technician defines the parameters of the protocols used by the buffer, data collection schedule, format of call records and performs initial testing of data collection in order to validate that the calls are collected and parsed successfully by TACS data back-end data processing systems.

Administrators - Customer administrators handle ongoing management of the telephone switch resources and subscribers as follows:

• Allocate phone-extensions and other telephony resources, such as cellular phones etc.
• Set the pricing programs that calculates and attaches a price tag to each call
• Define phone users and system users
• Associate users with telephony resources and pricing programs
• Manage system access permissions

Subscribers (phone users) – Subscribers can view and print the detailed listings of their private calls and their monthly bills.

Managers - User department Managers can produce reports that summarize calls traffic and the usage of telephony resources in the organization. They also monitor the billing and payments of phone users.

System Architecture

The TACS system ASP architecture is based on Microsoft Windows Server 2003 that runs several .Net applications responsible for the call accounting processing, and a suite of web applications that interact with users via browsers (IE 5.5 and higher). The system database is managed by a stand alone MS SQL 2000 machine connected to the application server via LAN.

Database

The TACS MS SQL Server 2000 stores all types of system data, including call records, pricing programs, users, organizational structure and system configuration. The CDR tables can handle several million records per month and are indexed by a multiple fields to support rich reporting.

The SQL Server scheduler mechanism is used to schedule and dispatch the data collection activities.

Processing

The processing of CDRs has 3 stages:

• Data Collection collecting the calls from the CDR buffers. The output is blocks of raw CDR data.
• Parsing and reformatting – the output is structured call records in a uniform format invariant to origin of the calls.
• Load to database – call record are associated with the corresponding end point device, subscriber id and telecom provider and then inserted to the database.

The implementation is based on a several Windows services that use worker components to implement the required functionality. For example, the data collection service operates several different collector components to collect the call records from different data sources via the appropriate protocols. Campton College operates 3 PBXs from different vendors: Avaya, Siemens and a small Cisco VoIP switch. The operating parameters of the components are kept in the database.

The data is transferred between the 3 processing stages via MSMQ private queues that serve as non-volatile buffers for data in process.

The service processes and some of the worker components were developed using .NET technology. Other worker components are legacy Win32 components wrapped with .NET Interop layer.

Web applications

The Web Applications are implemented in ASP.NET combined with Microsoft reporting engine. Some of the applications are capable of directly viewing and editing data tables in the database via ASP.NET server side controls.

In the TACS system, all Web applications share the same infrastructure for user login and secure access to the database.

Pricing, database maintenance and data exchange

The pricing, database maintenance and data exchange tasks are implemented with a Windows service that uses worker components to perform the actual tasks, similar to the call records processing architecture. The tasks are executed in a periodical manner according to the system schedule.

Why conduct a threat analysis?

“By retiring an aging 80′s in-house system and outsourcing to TACS we will move into the 21st Century in less than nine months; and get an easy to use service that is available to all students and generates a revenue stream,…quot; said Joan Walz, Campton campus operations manager, “but we had security concerns about using an outsourced service.”

“We knew that TACS is an experienced call accounting solution provider but we were unsure that their software and operations team had adopted a best-practices approach to information security and we asked TACS to submit to an external assessment of their systems…” said Walz.

What is Business Threat Modeling?

A Business Threat Modeling study focuses on protecting valuable assets, is sponsored by a senior manager, has 2-5 participants with relevant knowledge, is guided by an experienced security analyst with specific domain expertis (in this case telecommunications).  A typical threat modeling study lasts 2-5 days where the last day is devoted to presenting the results to management.

In a pre-kickoff planning meeting, the consultant works with the sponsor to set clearly defined goals and outcomes for the session. Since much of the work is done in small breakout groups, all stakeholders take an active part. The consultant guides the group through a fast-paced process to:

1. Identify assets
2. Identify vulnerabilities
3. Define countermeasures
4. Compose threat scenarios
5. Understand calculated risk
6. Optimize countermeasures

The data collection and risk calculation is performed using PTA Professional. PTA captures the information in a structured database and automates the  risk what-if calculation process. Analysts and stakeholders don’t need to maintain unstructured Word or Excel documents. Users can quickly create new threat scenarios and countermeasures. All issues are captured and nothing is lost. Management can ask for and quickly receive any reports they want.

PTA kickoff

At the first day kickoff session, the functional and architectural descriptions of TACS system were presented to the consultant, by Dympna O’Connell, TACS product manager. “We’re already documenting and revising our customer provisioning and configuration procedures”, said O’Connell. “We realize that these process steps are crucial to our customer’s information security and we want to make sure there are no security holes and opportunities for data manipulation”.

Step 1 of the study – Identify Assets

In the first step of the study the group mapped the system’s major assets, their financial values and the losses that may be caused when assets are damaged. The following major system assets were identified:

The detailed list of identified assets is part of the full threat-model database available for download from Call Accounting Case Study threat model. To view the detailed entities lists you should have PTA software installed on your computer.

Step 2 Identify Vulnerabilities

In order to identify vulnerabilities and flaws, Open Solutions analysts studied the functional and architecture documents supplied by Ms. O’Connell. “Since TACS bases its architecture on Microsoft infrastructure, we used the PTA MS-Telecom entity library as a base line checklist for picking up system common vulnerabilities” said Yuval,  risk consultant. “More then 70% of the stuff was already there. We have just had to complement the picture by diving into the CDR collection equipment and by studying Campton specific business procedures with the help of Mr. Walz.

“Identifying the relevant vulnerabilities is an iterative process bundled with the understanding of the actual threats. All in all, we came up with 15 focused vulnerabilities relevant to the specific architecture, the specific telephony infrastructure and the ASP mode of operation” said Yuval.

Step 3 – Define Countermeasures

During this step the team defined the countermeasures relevant for mitigating the identified vulnerabilities. Some of the countermeasures were well known safeguards picked up from the predefined PTA entity library such as enforcing OS patches deployment and strong passwords policy. Others were more unique e.g. the development of mechanism for managing data collection buffer passwords in an encrypted repository.

“We worked directly with Ms. O’Connell and her developers on estimating countermeasures implementation costs needed by PTA for calculating countermeasures cost-effectiveness” said Yuval.

The lists of the 22 countermeasures that were defined and the identified vulnerabilities are included in the case study database available for download from Call Accounting Case Study threat model.

Step 4 Build Threat Scenarios

“Building the threats is the peak of the process”, said Software Associates founder and CTO Mr. Danny Lieberman, “this is the point where we use our experience to compose the threat scenarios, evaluate their feasibility and estimate the probability they will actually happen”.

“The flexibility of the PTA database driven model enables us ‘what-if’ experiments and the calculative capabilities gives us immediate feedback on the severity of threats” , said Yuval.

Step 5 – Understand the calculated Risk

After refining threat probabilities, the PTA software calculated the following bottom-line:

• The total yearly value of assets that might be damaged if threats materialize is $2.21M
• The risk level (the value of the financial losses that may be caused to the system due to the identified threats) is 249% of the total assets (~$5.5M). Although it is clear that the actual damage to the system assets cannot exceed their total value, the risk level does not express the actual damage. It reflects the amount of effort that has to be invested in order to mitigate the threats to the system, and since in this specific system several threats threaten the same assets, the risk level exceeds 100%.

The following bar chart presents the 5 most dangerous threats calculated and displayed by PTA (the value of risk is presented in real $):

Top Threats by Risk

Not surprising, it was found that the most dangerous threats are the ones that threaten the calls data either in the system database on the various collecting stages.

“The ranking of the threats reflects a typical heterogeneous software system. The ability to take into account non-standard threats specific to the analyzed system is one of the great strengths of PTA “, said Lieberman, “We were not limited to generic information security standards, such as ISO 27001 and indeed you can see some interesting threats that indigenous to this particular system e.g. the CDR buffers vulnerabilities. Complex systems like this often have huge risks that are hidden in the cracks of generic standards…”

Step 6 Optimize Countermeasures

It was clear that a level of 249% of risk is dangerous and that countermeasures should be applied to reduce the system risk before going into heavy-duty production operation. We asked Open Solutions to show us how to reduce the risk to an acceptable level of 60% at lowest cost, said Ms. Walz. Since our budget was constrained, we considered canceling the whole info-sec project and taking our risks by doing nothing. At that step, said Yuval, we ran the PTA optimized risk reduction plan with a target risk level of 50%. We obtained an optimized plan with the following countermeasures that should be applied:

• Install content leakage prevention system
• Install firewall
• Enforce deployment of latest security patches for OS, database and Web server
• Develop mechanism for secure managing of CDR buffers passwords
• Use CDR buffers with secure transfer and login authentication protocols
• Enforce security code review
• Enforce data access via stored procedures with formal parameters content validation
• Implement validation of input fields in web pages
• Develop secured passwords and role-based mechanism for web users
• Develop monitoring mechanism for back-end processing (system health)
• Limit access of ASP employees and technicians to system resources
• Enforce quality passwords policy for protecting each of the machines on the network
• Use Windows integrated authentication policy
• Database login accounts should be given the minimal rights that are necessary for their functionality

Implementing the recommended set of countermeasures reduces the system risk to 54.3% at a cost of 127,000 $. Only 14 countermeasures out of the 22 were selected – the proposed order of countermeasures also ensures a quickest reduction of risk per $ spent throughout the system modification process. The implementation of the following countermeasures was suspended to later stages in system life cycle:

• Create acceptable use policy for email and Internet access
• Install anti-DoS appliance
• Enforce deployment of latest security patches for OS, database and Web server
• Develop fraud detection mechanism
• Security officer should assure the personal integrity of employees
• Develop module for logging changes in data initiated by users
• Enforce employees’ liability for disclosing private calls information
• Restrict display of phone numbers and sensitive information in detailed reports

Ms. Walz of Campton College and Ms. O’Connell of TACS summarized their impressions of the study.

“We were pleased with the speed and quality of results of the PTA methodology that Open Solutions uses; with the fact that it created consensus among the stakeholders; with the effective use of senior manager time; and above all getting us the best risk reduction at the lowest cost. “

Appendix 1. Abbreviations and terminology

PBX Private Exchange telephony device; interchangeable with the term Switch

MSMQ Microsoft Middleware Queue system

CDR  Call Detail Record

Telephony buffer Intermediate buffer device for storing CDRs collected from PBX

Data Source origin of telephony calls data e.g. PBXs, IP Switches etc.

Users Individuals that have access to the university telephony resources and to TACS system e.g. students, academic staff, administration and personnel

She has correctly put her finger on a huge, unmitigated threat surface of transactions that are transported inside the business and between business units using message queuing technology. Message queuing is a cornerstone of B2B commerce and in a highly interconnected system, there are lots of entry points all using similar or same technology – MQ Series or the TIB.

While organizations are busy optimizing their firewalls and load balancers, attackers can tap in, steal the data on the message bus and use it as a springboard to launch new attacks.  It is conceivable that well placed attacks on  message queues in an intermediary player (for example a payment clearing house) could result in the inability of the processor to clear transactions but also serve as an entry point into upstream and downstream systems.  A highly connected stem of networked message queues is a convenient and vulnerable entry point from which to launch attacks; these attacks can and do cascade.

If these attacks cascade, the entire financial system could crash.

Although most customers are still fixated on perimeter security, I believe that Maryellen has a powerful value proposition for message queuing customers in the supply chains of key industries that rely on message interchange: banking, credit cards, health care and energy.

Certainly, all the DLP vendors think so.  Only problem is, the PCI DSS Council doesn’t even have DLP in their standard which pretty much guarantees zero regulatory tail wind for DLP sales to payment card industry players.

I’m actually impressed that Symantec didn’t manage to influence the PCI DSS council to include DLP in the standard. An impressive display of professional integrity and technology blindness.

A while back, we did a software security assessment for a player in the online transaction space.

When I asked the client and auditor what kind of real time data loss monitoring they have in place, just in case, they have a bug in their application and/or one of their business partners or trusted insiders steals data, the answers where like “umm, sounds like a good idea but it is not required by PCI DSS 2.0″

And indeed the client is correct.

PCI DSS 2.0 does not require outbound, real time or any other kind of data loss monitoring.

The phrases “real time” and “data loss” don’t appear in the standard. The authors of the standard like file-integrity monitoring but in an informal conversation with a PCI DSS official in the region, he confessed to not being familiar with DLP.

Here are a few PCI  monitoring requirements.

None of these controls directly protect the the payment card from being breached. They are all indirect controls and very focused on external attackers – not on trusted insiders nor business partners.

1. Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
2. If automated monitoring of wireless networks is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to personnel.
3. Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
4. Monitor and analyze security alerts and information, and distribute to appropriate personnel.
5. Verify through observation and review of policies, that designated personnel are available for 24/7 incident response and monitoring coverage for any evidence of unauthorized activity, detection of unauthorized wireless access points, critical IDS alerts, and/or reports of unauthorized critical system or content file changes.

Oh man.

But, there are important cases, where the best data retention strategy is not to backup the data at all.

The process of backup is fairly well understood today and there are technologies for backing up data all the way from personal data backups on flash memory drives and Internet backup services to robots and cassette technologies for backing up terabytes of data.

Restoring data from backup is also nominally a fairly straightforward exercise, although I suspect that most businesses with well-oiled backup procedures generally don’t bother testing their backup media to see if they can actually restore the data.

But – there is another dimension to data retention besides backup and restore and that is minimizing the threat surface of sensitive data: PII (personally identifiable information) and  ePHI (protected healthinformation stored in an electronic format).

Let’s take the case of a typical business that has customer data, commercial information and intellectual property related to a development and/or manufacturing process. What is more important in our data retention strategy:  Backup and restore of customer data?  backup and restore of contracts or backup and restore of source code? The only way to  answer this question is to understand how much these assets are worth to the company and how much damage would be incurred if there was a data breach.

For the purpose of asset valuation, we distinguish between customer data without PII and customer data that may have PII.  Let’s consider 4 key assets of a company that designs and manufactures widgets and sells them over the Internet.

1. Customer data that may have some personal identifiers. The company may not deliberately accept and process customer data with attributes that would enable a third party to identify end users but such data may be collected in the course of marketing campaigns or pilot programs and and stored on company computers.  At the end of the marketing campaign, was the data removed?  Probably not. In the case of a data breach  of PII, it does not matter what the original intent was, the liability is  there. The company will pay the cost of the disclosure all the way through investigative audit through possible litigation.

2. Customer data with no personal identifiers.  Best practice is not to store data with PII at all, if the business needs numerical data for statistics, price analysistrend analysis of sales or simulations for new products, the analysis can be done on raw data without any PII.The best security control for PCI DSS and HIPAA is not to store PII at all.

3. Company reputation.  If there was a data breach, chances are company reputation may be tarnished for a while but notoriety is a form of publicity that can always be spun to the company’s advantage.

4. Intellectual property – for example, chemical recipies, algorithms, software engineering and domain expertise. The damage of  IP data loss can be sizable for a business, especially for an SME.  Here – the data retention strategy should focus on highly reliable backup and restore with data loss prevention to block leakage of sensitive digital assets. There is an ethical component to protecting IP and that means making sure that your employees and contractors understand the importance of protecting the business IP.

Note that in the life cycle of a customer data breach, damage first accrues from attacks on the data assets followed by reputational damage as the company gets drawn deeper into damage control, investigation and litigation.

But what about the customer data?

How do you minimize the customer data security threat surface?

In 3 words, your data retention strategy is very simple:

Don’t store PII.

Decide now that sensitive data will be removed from servers and workstations. Make sure that customer data with PII is not backed up.

As you may have read recently, Cybercrime is now costing the UK $43.5 billion and around $1 trillion globally.

Sponsored by security and compliance auditing vendor nCircle, the Webinar pitch didn’t cite any sources for the $1 trillion number nor the $43.5 billion number.

A little googling revealed the UK government report UK Cyber crime costs UKP 27BN/year. Published on the BBC’s website, the report offers a top-level breakdown of the costs of cybercrime to Britain using a fairly detailed scheme of classification and models. Regardless of how badly UK businesses are hit by cybercrime, there are several extremely weak points in the work done by Detica for the UK government.

a) First  - they don’t have any empirical data on actual cybercrime events.

Given the number of variables and lack of ‘official’ data, our methodology uses a scenario- based approach.

Which is a nice way of saying

the UK government gave us some money to do a study so we put together a fancy model, put our fingers in the air and picked a number.

b) Second – reading through the report, there is a great deal of information relating to fraud of all kinds, including Stuxnet which has nothing to do with the UK cyber crime space. Stuxnet does not seem to have put much of a dent in the Iranian nuclear weapons program although, it has given the American President even more time to hem and haw about Iranian nuclear threats.

What this tells me is that Stuxnet  has become a wakeup call for politicians to the malware threat that has existed for several years. This may be a good thing.

c) Third – the UK study did not interview a single CEO in any of the sectors they covered. This is shoddy research work, no matter how well packaged. I do not know a single CEO and CFO that cannot quantify their potential damage due to cyber crime – given a practical threat model and coached by an expert not a marketing person.

So – who pays the cost of cyber crime?

The consumer (just ask your friends, you’ll get plenty of empirical data).

Retail companies that have a credit card breach incur costs of management attention, legal and PR which can always to leveraged into marketing activities. This is rarely reported in the balance sheet as extraordinary expenses so one may assume that it is part of the cost of doing business.

Tech companies that have an IP breach is a different story and I’ve spoken about that at length on the blog. I believe that small to mid size companies are the hardest hit contrary to the claims made in the UK government study.

I would not venture a guess on total global cost of cyber crime without empirical data.

What gives me confidence that the 1 Trillion number is questionable is that it just happens to be the same number that President Obama and other leaders have used for the cost of IP theft – one could easily blame an Obama staffer for not doing her homework….

If one takes a parallel look at the world of software piracy and product counterfeiting, one sees a similar phenomenon where political and commercial organizations like the OECD and Microsoft have marketing agendas and axes to grind leading to number inflation.

I have written on the problems associated with guessing and rounding up in the area of counterfeiting here  and software piracy.

Getting back to cyber crime, using counterfeiting as a paradigm, one sees clearly that the consumer bears the brunt of the damage – whether it’s having her identity stolen and having to spend the next 6 months rebuilding her life or whether you crash on a mountain bike with fake parts and get killed.

If consumers bear the brunt of the damage, what is the best way to improve consumer data security and safety?

Certainly – not by hyping the numbers of the damage of cyber crime to big business and government. That doesn’t help the consumer.

Then – considering that rapid rollout of new and even sexier consumer devices like the iPad 2, probably not by security awareness campaigns. When one buys an iPhone or iPad, one assumes that the security is built in.

My most practical and cheapest countermeasure to cyber crime (and I will distinctly separate civilian crime from terror ) would be education starting in first grade. Just like they told you how to cross the street, we should be educating our children on open, critical thinking and not talking to strangers anywhere, not on the street and not on FB.

Regarding cyber terror – I have written at length how the Obama administration is clueless on cyber terror

One would hope that in defense of liberty – the Americans and their allies will soon implement more offensive and more creative measures against Islamic and Iranian sponsored cyber terror than stock answers like installing host based intrusion detection on DoD PCs