Tag Archives: Data retention

Why less log data is better

Been a couple weeks since I blogged – have my head down on a few medical device projects and a big PCI DSS audit where I’m helping the client improve his IT infrastructure and balance the demands of the PCI auditors.

Last year I gave a talk on quantitative methods for estimating operational risk of information systems in the annual European GRC meeting in Lisbon – you can see the presentation below.

As a I noted in my talk, one of the crucial phases in estimating operational risk is data collection: understanding what threats, vulnerabilities you have and understanding not only what assets you have (digital, human, physical, reputational) but also how much they’re worth in dollars.

Many technology people interpret data collection as some automatic process that reads/scans/sniffs/profiles/processes/analyzes/compresses log files, learning and analyzing the data using automated  algorithms like ANN (adaptive neural networks).

The automated log profiling tool will then automagically tell you where you have vulnerabilities and using “an industry best practice database of security countermeasures”,  build you a risk mediation plan. Just throw in a dash of pie charts and you’re good to go with the CFO.

This was in fashion about 10 years ago (Google automated audit log analysis and you’ll see what I mean) for example this reference on automated audit trail analysis,  Automated tools are good for getting a quick indication of trends, and  tend to suffer from poor precision and recall that  improve rapidly when combined with human eyeballs.

The PCI DSS council in Europe (private communication) says that over 80% of the merchants/payment processors with data breaches  discovered their data breach  3 months or more after the event. Yikes.

So why does maintaining 3 years of log files make sense – quoted from PCI DSS 2.0

10.7 Retain audit trail history for at least
one year, with a minimum of three
months immediately available for
analysis (for example, online, archived,
or restorable from back-up).
10.7.a Obtain and examine security policies and procedures and
verify that they include audit log retention policies and require
audit log retention for at least one year.
10.7.b Verify that audit logs are available for at least one year and
processes are in place to immediately restore at least the last
three months’ logs for analysis

Wouldn’t it be a lot smarter to say –

10.1 Maintain a 4 week revolving log with real-time exception reports as measured by no more than 5 exceptional events/day.

10.2 Estimate the financial damage of the 5 exceptional events in a weekly 1/2 meeting between the IT manager, finance manager and security officer.

10.3 Mitigate the most severe threat as measured by implementing 1 new security countermeasure/month (including the DLP and SIEM systems you bought last year but haven’t implemented yet)


I’m a great fan of technology, but the human eye and brain does it best.

Tell your friends and colleagues about us. Thanks!
Share this

Small business data security

Here are 7 steps to protecting your small business’s data and and intellectual property in 2011 in the era of the Obama Presidency and rising government regulation.

Some of these steps are about not drinking consultant coolade (like Step # 1- Do not be tempted into an expensive business process mapping project) and others are adopting best practices that work for big business (like Step #5 – Monitor your business partners)

Most of all, the 7 steps are about thinking through the threats and potential damage.

Step # 1- Do not be tempted into an expensive business process mapping exercise
Many consultants tell businesses that they must perform a detailed business process analysis and build data flow diagrams of data and business processes. This is an expensive task to execute and extremely difficult to maintain that can require large quantity of billable hours. That’s why they tell you to map data flows. The added value of knowing data flows between your business, your suppliers and customers is arguable. Just skip it.

Step #2 – Do not punch a compliance check list
There is no point in taking a non-value-added process and spending money on it just because the government tells you to. My maternal grandmother, who spoke fluent Yiddish would yell at us: ” grosse augen” (literally big eyes) when we would pile too much food on our plates. Yes, US publicly traded companies are subject to multiple regulations. Yes, retailers that  store and processes PII (personally identifiable data)  have to deal with PCI DSS 2.0, California State Privacy Law etc. But looking at all the corporate governance and compliance violations, it’s clear that government regulation has not made America more competitive nor better managed.  It’s more important for you to think about how much your business assets are worth and how you might get attacked than to punch a compliance check list.

Step #3 – Protecting your intellectual property doesn’t have to be expensive
If you have intellectual property, for example, proprietary mechanical designs in Autocad of machines that you build and maintain, schedule a 1 hour meeting with your accountant  and discuss how much the designs are worth to the business in dollars. In general, the value of any digital, reputational, physical or operational asset to your business can be established fairly quickly  in dollar terms by you and your accountant – in terms of replacement cost, impact on sales and operational costs.  If you store any of those designs on computers, you can get free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux. That way if there is a break-in and the computer is stolen, or if you lose your notebook on an airport conveyor belt, the data will be worthless to the thief.

Step #4 – Do not store Personally identifiable information or credit cards
I know it’s convenient to have the names, phone numbers and credit card numbers of customers but the absolutely worst thing you can do is to store that data. VISA has it right. Don’t store credit cards and magnetic strip data. It will not help you sell more anyway, you can use Paypal online or simply ask for the credit card at the cash register.  Get on Facebook and tell your customers how secure you are because you don’t store their personal data.

Step #5 – Don’t be afraid of your own employees, but do monitor your business partners
Despite the hype on trusted insiders, most data loss is from business partners. Write a non-disclosure agreement with your business partners and trust them, and audit their compliance at least once a year with a face-to-face interview.

Step #6 – Do annual security awareness training but keep it short and sweet
Awareness is great but like Andy Grove said – “A little fear in the workplace is not necassarily a bad thing”. Have your employees and contractors read, understand and sign a 1 page procedure for information security.

Step #7 – Don’t automatically buy whatever your IT consultant is selling
By now – you are getting into a security mindset.  Thinking about asset value, attacks and cost-effective security countermeasures like encryption. Download the free risk assessment software and get a feel for your value at risk.  After you’ve done some practical threat analysis of your business risk exposure you will be in an excellent position to talk with your IT consultant. While most companies don’t like to talk about data theft issues, we have found it invaluable to talk to colleagues in your market and get a sense of what they have done and how well the controls perform.

Tell your friends and colleagues about us. Thanks!
Share this

Data availability and integrity – the Apple/Microsoft version

I have over 2,300 contacts on my iPhone and like any reasonable person, I wanted to backup  my contacts. I figure my iPhone wont last forever. Like a fool, I thought it might be a good idea to test the restore process also.

The Ubunutu One service based on Funambol doesn’t really work so that pretty much left me with the iTunes and Windows option.

It seems that the combination of two closed-source software companies intent on preventing users from seeing what’s going on and convinced that users are incompetent and low double digit IQ is a killer combination. As you will see from the events described below – it appears that both Microsoft and Apple believe firmly that users should backup their iPhone contacts but they will never really want to restore the data.

At 14:00 this afternoon – I started my exercise in backing up my iPhone contacts.

14:00 – Plugged in my iPhone to a new Windows 7 Pro PC.  Took iTunes forever to initialize and then I had to wait another 2 minutes for the iTunes software to discover the iPhone on a USB 2.0 connection.  In the meantime – Windows 7 was complaining that I should use a faster USB port – and offered a list of ports, none of which work. Go away. Zusu!

14:15 – Finally the iPhone and iTunes talk. I elected to sync the contacts to Google Contacts as I use Google Apps.   Interestingly enough – the task of transferring 2350 contacts to Google took about 30s on my 10MB/512k ADSL line. The only catch was – that no phone numbers were transferred – only email addresses.  Seems there is a bug. I don’t have time for this.

14:30 – Back into iTunes. This time, I choose to sync my iPhone contacts with the Windows Contacts – since I don’t use Outlook.  No dialogs about replacing or merging – and it worked.  Minor problem – the Windows Contacts sync with iPhone contacts wipes out the entire iPhone contacts since the Windows Contacts was empty (I imagine hardly anyone actually uses Windows contacts – a kludgy, slow and incredibly stupid way of storing one contact per file).  Well Dorothy, we are not in Kansas anymore, your iPhone Contacts is now empty.

15:00 – After a bit of thinking about where my contacts might have gone. I realize that I have 3 alternatives, (1) restore my contacts from our CRM system (which runs in the cloud and doesn’t have an iPhone Contacts sync option) and a bunch of other places I’ve cunningly stored contacts  (2) try and figure out where Apple has hidden their backup files or (3) ssh into the iPhone and try and restore manually with sqlite.  I choose option 2.

15:30 – After some googling, I discover that the iTunes backup files are hidden in a %AppsData% something path – which is impossible to find in Windows 7 using Windows Explorer.   But – if you type %AppsData% in the run program line you get access to the file path. Google is your best friend.

15:45 – iTunes backups into a file format that looks like an import to sqlite (the open source database that iOS uses to store the Contacts records – that is at least a step ahead of Windows Contacts, storing 1 contact per file…perhaps Microsoft Windows 7 team has not heard of SQL yet).  I pull up the data into a text/hex editor and of course, the phone numbers are encoded in some proprietary Apple format – so forget about pulling out the data and massaging it into a format suitable for another circuitous import into iPhone contacts.  More googling- if you have a mac there is a command line utility or you can pay $25 and get a Windows application that decodes the proprietary Apple backup file format into a CSV file or series of VCF files.

16:00 – My PayPal account is not up to date since the card linked to the account expired end of November and I haven’t reverified yet.   Got the software with my Visa and jumped through a few hoops to give a couple of identifiers and finally get a registration number, activate the application and I finally have my original iPhone contacts file, but we’re not out of the woods yet – we still have to restore.

16:05 – Uploaded the csv file to Google contacts. But – for some bizarre and inconceivably cruel reason – iTunes sync refuses to actually load data into the iPhone.

16:15 – After several more attempts, including rebooting both Windows 7, restarting iTunes and rebooting the iPhone I give up – iTunes refuses to sync from Google contacts.

16:30 – Plan B – use Windows Contacts – I attempt to import, but after 10′ and 1200 records, the import process fails on an error with no indication of what caused the error.  Must be a data problem, so I try and improve the quality of data by reducing the number of fields I import and making the phone numbers look more uniform. I make 7 more (abortive) attempts at importing to Windows Contacts, and every time, it imports fewer records. When it stops on the anonymous error message at 150 contacts, I break for supper.

17:30 – Plan C – use Outlook.  Here’s a gotcha, Outlook won’t import from the CSV file, claims it’s open by another application or insufficient permissions.  Too bad the programmers didn’t look at open file hooks and tell the user the name of the Windows application that is holding the file handle open.  Of course – it must be the Windows Contacts Import process, (which is not running if you look at the task manager) but after a few minutes I identify a hidden process related to Windows Contact import and I kill it.

18:00 – Outlook is slow as molasses on import but the same CSV file that was poison to Windows Contacts gets imported with flying colors to Outlook.  I try to run quick search to find the last contact I entered this morning (my 10am meeting in Tel Aviv), but the Outlook 2003 application claims that the indexing process is running and it cannot find the records (the indexing process never actually ran….) Forget it, I don’t have time to sing and play games with Outlook 2003.

18:05 – Back to iTunes.  And this time, ladies and gentlemen, adults and adulteresses, we are going to sync from Outlook to the iPhone contacts.  It works. But verrryyy verrryyyyy slowwwwwllyyyyyy. I have time. I have to babysit Carmel (who is fast asleep down the hall after a tough day in pre-school) as the wife and daughter are out shopping. Do what any man would do on a baby-sitting gig – fall asleep on the sofa.

20:00 – Wife and daughter back from shopping and the iTunes sync from Outlook process has finished in the meantime, in between dreams about user-unfriendly software.

23:55 – Conclusions

1. The iPhone backup process is slow and buggy on all versions of iOS, Just google for “iphone contacts backup problems” and you will get over 3 million hits.

2. Apple does not have a data restore from backup strategy.  Otherwise, iTunes would have a “Backup iPhone Contacts” and “Restore iPhone Contacts” menu.  Entertainment is more important than data.  This is why Apple stock is at 321.

3. The usability and reliability of Windows 7 Contacts is beyond contempt.  No entertainment either. This is why Microsoft stock is at 23.

4. My next smart phone will be an Android.

Enjoy.

Tell your friends and colleagues about us. Thanks!
Share this

I want data loss reasons, not numbers

Media reporting of data breach events like the UK NHS, Heartland, Hannaford  and Bank of America has overwhelming focussed on the raw numbers of customer data records that were breached.

Little information is available regarding the root causes – how attackers exploited the system and people vulnerabilities to get the data.

Although US legislation requires disclosure of a data loss event, it does not require disclosure of the root causes of  the event.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

Is security a washing machine?

bounce

Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle. It’s always a 4 step cycle, like Symantec’s DLP  “Discover, Monitor, Protect and Manage” and it’s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.

It’s like a washing machine cycle that never stops, intent on keeping you from going home.  It’s also a sales cycle focussed on sustaining subscription revenue rather than protecting information.

The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard stuff; quantification and prioritization of your actions based on financial value of assets and measurement of threat impact.

Modern security tools from companies like Qualys and Beyond Security are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However – since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected.

With reported data breaches that increased nearly 50% in 2008, and security budgets that shrunk drastically in 2009 – you need to measure how well the product reduces Value at Risk in dollars (or in Euro) and how well it will do 3 years after you buy the technology.

In order to help make that happen we will host a free weekly online workshop on data security best practices every Thursday, 15:00 GMT, 16:00 Central European Time, starting Thursday September 3, 2009.

This series of workshops is designed to help you and your team take a leadership role in the board room instead of waiting for vendor proposals in your office.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.

Data security is a war – when the attackers win, you lose. We will help you win more.

Tell your friends and colleagues about us. Thanks!
Share this

Data discovery for data loss prevention

A few years ago I did some work for an Israeli startup called nLayers that did  applications, servers and devices discovery. They were later acquired by EMC. I thought it was a brilliant idea at the time, since large IT organizations don’t really know what assets they have in their IT portfolio.

Therefore, it should be no surprise to anyone that a similar situation exists where large companies don’t realyl know what, where, when and how their data assets are located.

This is given rise to a relatively new concept called “Data Discovery”.

Symantec has one of those cute 4 step risk management processes for data loss prevention – discover, monitor, protect and manage. Security vendors have a predilection for this sort of a 4 step cycle,  often presented on a circular chart but sometimes in a box or on a line.

Why is data discovery the first step in the endless 4 step wash-cycle designed to maximize product subscription revenues for companies like Checkpoint and Symantec instead of minimizing customer data security risk for organizations like the British NHS.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

The role of DLP in IP protection

A common conversation I have with my technology clients  touches on patent protection as a  security countermeasure against abuse of intellectual property. The short answer is that if you’re not DuPont or Roche, then patent protection is not going to help you very much. If you develop software , you are probably infringing  someone’s patents as we speak.

Outside the chemical and pharmaceutical industries, the cost of litigation far exceeds the benefits of patent protection. (See “Patent Failure, How judges, bureaucrats and lawyers put innovators at risk”, Bessen and Maurer, Princeton University Press, 2008 pages 130-156, “The cost of dispute”)

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

Data loss prevention for SME

Is a SME like the old German expression – Kleine Kinder kleine Sorgen, große Kinder große Sorgen? “Small children, small problems, big children, big problems”?

I wanted to call this post “The need to understand operational risk of information security” – but I realised that op risk is a concept used by big banks and that a SME with 40 employees is not even thinking in that direction and may not even have an IT manager, let alone an IT security and compliance group. Yet – a small payment processor,  or customer service outsourcing provider can be destroyed by a  single data loss event.

The impact of a data loss event on an SME can be proportionally much greater than for a large, globally dispersed organization.  An SME has all their eggs in one basket – outsourcing manufacturing to the Far East and providing sales and support using the Internet from offices in New York, Tel Aviv and Mumbai.

A typical SME buys network access from the ISP and installs standard network security in the office: like a SOHO firewall (Checkpoint or Cisco do fine), anti-virus on the workstations and anti-spam from the ISP.

The problem with firewall/anti-virus/anti-spam is that they are defensive means against known signatures rather than proactive means of mitigating the next attack launched from inside the network.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

Choosing a data loss prevention solution

Data security, Disaster recovery planning

Data security is not one-size fits all.

For example, if the threat scenario is an attack on your customer self-service Web application – obfuscating or encrypting fields in database tables is not an effective security countermeasure;  you need a network DLP solution to prevent leaks of clear text data and a software security assessment that will help you get rid of the bugs that make your Web application vulnerable.  On the other hand, if the threat scenario is sales representatives working in stores in shopping malls using unmanaged PCs and leaking customer data; you need an agent DLP solution.

How do you decide what is the DLP solution for your business?

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

Reducing risk of major data loss events

Martin Hellman (of Diffie Hellman) fame maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled Soaring, cryptography and nuclear weapons

Hellman proposes that we need a  third state scenario (instead current state – > nuclear war) where the risk of nuclear holocaust has been reduced by several orders of magnitude from today to an acceptable level.

This makes sense and it’s an intriguing idea as an exercise in risk analysis of information security and data protection to see if there is a third state of reduced risk that where the risk of data breach and major data loss events is reduced to acceptable levels.

That’s one thing that got me thinking.

The second thing is the quote from Fyodr Burlatsky, one of Khrushchev’s speechwriters and close advisors, as well as a man who was in the forefront of the Soviet reform movement:

In Krushchev’s eyes [America insisting on getting its way on certain issues] was not only an example of Americans’ traditional strong arm policy, but also an underestimation of Soviet might. … Khrushchev was infuriated by the Americans’ … continuing to behave as if the Soviet Union was still trailing far behind.

So here we are – 2009 and President Obama is insisting on getting his way on certain issues with the  Iranians, who pose a serious nuclear threat to the world.  But no only Ahmadenijad – the Russians and the North Koreans are also  infuriated by the Americans’ … continuing to behave as if they are still trailing far behind.

Tell your friends and colleagues about us. Thanks!
Share this