<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Software Associates. &#187; Data retention</title>
	<atom:link href="http://www.software.co.il/tag/data-retention/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.software.co.il</link>
	<description>Security and compliance specialists for medical device and healthcare companies</description>
	<lastBuildDate>Wed, 08 Feb 2012 06:36:35 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Why less log data is better</title>
		<link>http://www.software.co.il/2011/09/why-less-log-data-is-better/</link>
		<comments>http://www.software.co.il/2011/09/why-less-log-data-is-better/#comments</comments>
		<pubDate>Wed, 07 Sep 2011 20:32:31 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Anti-Fraud]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Data leakage]]></category>
		<category><![CDATA[Data loss]]></category>
		<category><![CDATA[Data retention]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[ethics]]></category>
		<category><![CDATA[PCI DSS]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=3727</guid>
		<description><![CDATA[Been a couple weeks since I blogged &#8211; have my head down on a few medical device projects and a big PCI DSS audit where I&#8217;m helping the client improve his IT infrastructure and balance the demands of the PCI auditors. Last year I gave a talk on quantitative methods for estimating operational risk of ...]]></description>
			<content:encoded><![CDATA[<p>Been a couple weeks since I blogged &#8211; have my head down on a few medical device projects and a big PCI DSS audit where I&#8217;m helping the client improve his IT infrastructure and balance the demands of the PCI auditors.</p>
<p>Last year I gave a talk on quantitative methods for estimating operational risk of information systems in the annual European GRC meeting in Lisbon &#8211; you can see the presentation below.</p>
<p>As I noted in my talk, one of the crucial phases in estimating operational risk is data collection: understanding what threats and vulnerabilities you have, and understanding not only what assets you have (digital, human, physical, reputational) but also how much they&#8217;re worth in dollars.</p>
<p>Many technology people interpret data collection as some automatic process that reads/scans/sniffs/profiles/processes/analyzes/compresses log files, learning and analyzing the data using automated algorithms like ANN (adaptive neural networks).</p>
<p>The automated log profiling tool will then automagically tell you where you have vulnerabilities and, using &#8220;<em>an industry best practice database of security countermeasures</em>&#8221;, build you a risk mitigation plan. Just throw in a dash of pie charts and you&#8217;re good to go with the CFO.</p>
<p>This was in fashion about 10 years ago (Google &#8220;automated audit log analysis&#8221; and you&#8217;ll see what I mean); for example, see this <a title="Automated audit trail analysis" href="http://books.google.com/books/about/Automated_audit_trail_analysis_and_intru.html?id=NPREHAAACAAJ" target="_blank">reference on automated audit trail analysis</a>. Automated tools are good for getting a quick indication of trends, but tend to suffer from poor precision and recall that improve rapidly when combined with human eyeballs.</p>
<p>The PCI DSS council in Europe (private communication) says that over 80% of the merchants/payment processors with data breaches discovered their data breach 3 months or more after the event. Yikes.</p>
<p>So why does maintaining 3 years of log files make sense? Quoted from PCI DSS 2.0:</p>
<pre>10.7 Retain audit trail history for at least
one year, with a minimum of three
months immediately available for
analysis (for example, online, archived,
or restorable from back-up).
10.7.a Obtain and examine security policies and procedures and
verify that they include audit log retention policies and require
audit log retention for at least one year.
10.7.b Verify that audit logs are available for at least one year and
processes are in place to immediately restore at least the last
three months’ logs for analysis</pre>
<p>Wouldn&#8217;t it be a lot smarter to say:</p>
<p><em>10.1 Maintain a 4 week revolving log with real-time exception reports as measured by no more than 5 exceptional events/day.</em></p>
<p><em>10.2 Estimate the financial damage of the 5 exceptional events in a weekly 1/2 meeting between the IT manager, finance manager and security officer.</em></p>
<p><em>10.3 Mitigate the most severe threat as measured by implementing 1 new security countermeasure/month (including the DLP and SIEM systems you bought last year but haven&#8217;t implemented yet)</em></p>
<p>I&#8217;m a great fan of technology, but the human eye and brain do it best.</p>
<div id="__ss_9166974" style="width: 425px;"><strong style="display: block; margin: 12px 0 4px;"><a title="The Tao of GRC" href="http://www.slideshare.net/dannyl50/the-tao-of-grc" target="_blank">The Tao of GRC</a></strong> <iframe src="http://www.slideshare.net/slideshow/embed_code/9166974" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" width="425" height="355"></iframe>
<div style="padding: 5px 0 12px;">View more <a href="http://www.slideshare.net/" target="_blank">presentations</a> from <a href="http://www.slideshare.net/dannyl50" target="_blank">Software Associates</a></div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2011/09/why-less-log-data-is-better/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Small business data security</title>
		<link>http://www.software.co.il/2011/01/small-business-data-security/</link>
		<comments>http://www.software.co.il/2011/01/small-business-data-security/#comments</comments>
		<pubDate>Tue, 04 Jan 2011 16:11:43 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Internal security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Anti-Fraud]]></category>
		<category><![CDATA[business threat modeling]]></category>
		<category><![CDATA[Checkpoint]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[counterfeiting]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Data leakage]]></category>
		<category><![CDATA[Data retention]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[IT Governance]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Risk and strategy]]></category>
		<category><![CDATA[Threat modeling]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=2982</guid>
		<description><![CDATA[Here are 7 steps to protecting your small business&#8217;s data and intellectual property in 2011 in the era of the Obama Presidency and rising government regulation. Some of these steps are about not drinking consultant Kool-Aid (like Step # 1- Do not be tempted into an expensive business process mapping project) and others are adopting best practices ...]]></description>
			<content:encoded><![CDATA[<p>Here are 7 steps to protecting your small business&#8217;s data and intellectual property in 2011 in the era of the Obama Presidency and rising government regulation.</p>
<p>Some of these steps are about not drinking consultant Kool-Aid (like <em>Step #1 &#8211; Do not be tempted into an expensive business process mapping project</em>) and others are adopting best practices that work for big business (like <em>Step #5 &#8211; Monitor your business partners</em>).</p>
<p>Most of all, the 7 steps are about thinking through the threats and potential damage.</p>
<p><strong>Step #1 &#8211; Do not be tempted into an expensive business process mapping exercise</strong><br />
Many consultants tell businesses that they must perform a detailed business process analysis and build data flow diagrams of data and business processes. This is an expensive task to execute and extremely difficult to maintain, and it can require a large quantity of billable hours. That&#8217;s why they tell you to map data flows. The added value of knowing data flows between your business, your suppliers and customers is arguable. Just skip it.</p>
<p><strong>Step #2 &#8211; Do not punch a compliance check list</strong><br />
There is no point in taking a non-value-added process and spending money on it just because the government tells you to. My maternal grandmother, who spoke fluent Yiddish, would yell at us &#8220;grosse augen&#8221; (literally big eyes) when we would pile too much food on our plates. Yes, US publicly traded companies are subject to multiple regulations. Yes, retailers that store and process PII (personally identifiable information) have to deal with PCI DSS 2.0, California State Privacy Law etc. But looking at all the corporate governance and compliance violations, it&#8217;s clear that government regulation has not made America more competitive nor better managed. It&#8217;s more important for you to think about how much your business assets are worth and how you might get attacked than to punch a compliance check list.</p>
<p><strong>Step #3 &#8211; Protecting your intellectual property doesn&#8217;t have to be expensive</strong><br />
If you have intellectual property, for example, proprietary mechanical designs in Autocad of machines that you build and maintain, schedule a 1 hour meeting with your accountant  and discuss how much the designs are worth to the business in dollars. In general, the value of any digital, reputational, physical or operational asset to your business can be established fairly quickly  in dollar terms by you and your accountant &#8211; in terms of replacement cost, impact on sales and operational costs.  If you store any of those designs on computers, you can get <strong><a title="Truecrypt" href="http://www.truecrypt.org/" target="_blank">free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux.</a> </strong>That way if there is a break-in and the computer is stolen, or if you lose your notebook on an airport conveyor belt, the data will be worthless to the thief.</p>
<p><strong>Step #4 &#8211; Do not store personally identifiable information or credit cards</strong><br />
I know it&#8217;s convenient to have the names, phone numbers and credit card numbers of customers, but the absolute worst thing you can do is to store that data. VISA has it right. Don&#8217;t store credit cards and magnetic stripe data. It will not help you sell more anyway; you can use PayPal online or simply ask for the credit card at the cash register. Get on Facebook and tell your customers how secure you are because you don&#8217;t store their personal data.</p>
<p><strong>Step #5 &#8211; Don&#8217;t be afraid of your own employees, but do monitor your business partners</strong><br />
Despite the hype on trusted insiders, most data loss is from business partners. Write a non-disclosure agreement with your business partners and trust them, and audit their compliance at least once a year with a face-to-face interview.</p>
<p><strong>Step #6 &#8211; Do annual security awareness training but keep it short and sweet</strong><br />
Awareness is great, but like Andy Grove said &#8211; &#8220;A little fear in the workplace is not necessarily a bad thing&#8221;. Have your employees and contractors read, understand and sign a 1 page procedure for information security.</p>
<p><strong>Step #7 &#8211; Don&#8217;t automatically buy whatever your IT consultant is selling</strong><br />
By now &#8211; you are getting into a security mindset.  Thinking about asset value, attacks and cost-effective security countermeasures like encryption. Download the <a title="Free risk assessment" href="http://www.software.co.il/downloads/79-downloads/48-practical-threat-analysis.html" target="_blank">free risk assessment software</a> and get a feel for your value at risk.  After you&#8217;ve done some practical threat analysis of your business risk exposure you will be in an excellent position to talk with your IT consultant. While most companies don&#8217;t like to talk about data theft issues, we have found it invaluable to talk to colleagues in your market and get a sense of what they have done and how well the controls perform.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2011/01/small-business-data-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data availability and integrity &#8211; the Apple/Microsoft version</title>
		<link>http://www.software.co.il/2010/12/data-availability-and-integrity-the-applemicrosoft-version/</link>
		<comments>http://www.software.co.il/2010/12/data-availability-and-integrity-the-applemicrosoft-version/#comments</comments>
		<pubDate>Wed, 08 Dec 2010 21:42:58 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Data leakage]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[Cloud computing]]></category>
		<category><![CDATA[Data retention]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[mobile phone security]]></category>
		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=2878</guid>
		<description><![CDATA[I have over 2,300 contacts on my iPhone and like any reasonable person, I wanted to back up my contacts. I figure my iPhone won&#8217;t last forever. Like a fool, I thought it might be a good idea to test the restore process also. The Ubuntu One service based on Funambol doesn&#8217;t really work so that ...]]></description>
			<content:encoded><![CDATA[<p><a href="http://v20/wp-content/uploads/2010/12/images.jpg"><img class="size-full wp-image-2886 alignleft" title="Why the iPhone is great, Why Apple stock is at 321" src="http://v20/wp-content/uploads/2010/12/images.jpg" alt="" width="380" height="133" /></a></p>
<p>I have over 2,300 contacts on my iPhone and like any reasonable person, I wanted to back up my contacts. I figure my iPhone won&#8217;t last forever. Like a fool, I thought it might be a good idea to test the restore process also.</p>
<p>The Ubuntu One service based on Funambol doesn&#8217;t really work so that pretty much left me with the iTunes and Windows option.</p>
<p>It seems that the combination of two closed-source software companies intent on preventing users from seeing what&#8217;s going on and convinced that users are incompetent and low double digit IQ is a killer combination. As you will see from the events described below &#8211; it appears that both Microsoft and Apple believe firmly that users <strong>should</strong> <strong>backup</strong> their iPhone contacts<strong> but they will never really want to restore the data.</strong></p>
<p>At 14:00 this afternoon &#8211; I started my exercise in backing up my iPhone contacts.</p>
<p>14:00 &#8211; Plugged in my iPhone to a new Windows 7 Pro PC.  Took iTunes forever to initialize and then I had to wait another 2 minutes for the iTunes software to discover the iPhone on a USB 2.0 connection.  In the meantime &#8211; Windows 7 was complaining that I should use a faster USB port &#8211; and offered a list of ports, none of which work. <a title="Zusu On Alient shore" href="http://books.google.com/books?id=EjVsZ8eomJsC&amp;lpg=PT192&amp;ots=KW_X7tJdEY&amp;dq=zusu%20alien&amp;pg=PT192#v=onepage&amp;q=zusu%20alien&amp;f=false" target="_blank">Go away. Zusu</a>!</p>
<p>14:15 &#8211; Finally the iPhone and iTunes talk. I elected to sync the contacts to Google Contacts as I use Google Apps.   Interestingly enough &#8211; the task of transferring 2350 contacts to Google took about 30s on my 10MB/512k ADSL line. The only catch was &#8211; that no phone numbers were transferred &#8211; only email addresses.  Seems there is a bug. I don&#8217;t have time for this.</p>
<p>14:30 &#8211; Back into iTunes. This time, I choose to sync my iPhone contacts with the Windows Contacts &#8211; since I don&#8217;t use Outlook.  No dialogs about replacing or merging &#8211; and it worked.  Minor problem &#8211; the Windows Contacts sync with iPhone contacts wipes out the entire iPhone contacts since the Windows Contacts was empty (I imagine hardly anyone actually uses Windows contacts &#8211; a kludgy, slow and incredibly stupid way of storing one contact per file).  Well Dorothy, we are not in Kansas anymore, your iPhone Contacts is now empty.</p>
<p>15:00 &#8211; After a bit of thinking about where my contacts might have gone. I realize that I have 3 alternatives, (1) restore my contacts from our CRM system (which runs in the cloud and doesn&#8217;t have an iPhone Contacts sync option) and a bunch of other places I&#8217;ve cunningly stored contacts  (2) try and figure out where Apple has hidden their backup files or (3) ssh into the iPhone and try and restore manually with sqlite.  I choose option 2.</p>
<p>15:30 &#8211; After some googling, I discover that the iTunes backup files are hidden in a %AppsData% something path &#8211; which is impossible to find in Windows 7 using Windows Explorer.   But &#8211; if you type %AppsData% in the run program line you get access to the file path. Google is your best friend.</p>
<p>15:45 &#8211; iTunes backs up into a file format that looks like an import to sqlite (the open source database that iOS uses to store the Contacts records &#8211; that is at least a step ahead of Windows Contacts, storing 1 contact per file&#8230; perhaps the Microsoft Windows 7 team has not heard of SQL yet). I pull up the data into a text/hex editor and of course, the phone numbers are encoded in some proprietary Apple format &#8211; so forget about pulling out the data and massaging it into a format suitable for another circuitous import into iPhone contacts. More googling: if you have a Mac there is a command line utility, or you can pay $25 and get a <a title="iphone backup extractor" href="http://www.iphonebackupextractor.com" target="_blank">Windows application that decodes the proprietary Apple backup file</a> format into a CSV file or series of VCF files.</p>
<p>16:00 &#8211; My PayPal account is not up to date since the card linked to the account expired end of November and I haven&#8217;t reverified yet.   Got the software with my Visa and jumped through a few hoops to give a couple of identifiers and finally get a registration number, activate the application and I finally have my original iPhone contacts file, but we&#8217;re not out of the woods yet &#8211; we still have to restore.</p>
<p>16:05 &#8211; Uploaded the csv file to Google contacts. But &#8211; for some bizarre and inconceivably cruel reason &#8211; iTunes sync refuses to actually load data into the iPhone.</p>
<p>16:15 &#8211; After several more attempts, including rebooting both Windows 7, restarting iTunes and rebooting the iPhone I give up &#8211; iTunes refuses to sync from Google contacts.</p>
<p>16:30 &#8211; Plan B &#8211; use Windows Contacts &#8211; I attempt to import, but after 10&#8242; and 1200 records, the import process fails on an error with no indication of what caused the error.  Must be a data problem, so I try and improve the quality of data by reducing the number of fields I import and making the phone numbers look more uniform. I make 7 more (abortive) attempts at importing to Windows Contacts, and every time, it imports fewer records. When it stops on the anonymous error message at 150 contacts, I break for supper.</p>
<p>17:30 &#8211; Plan C &#8211; use Outlook.  Here&#8217;s a gotcha, Outlook won&#8217;t import from the CSV file, claims it&#8217;s open by another application or insufficient permissions.  Too bad the programmers didn&#8217;t look at open file hooks and tell the user the name of the Windows application that is holding the file handle open.  Of course &#8211; it must be the Windows Contacts Import process, (which is not running if you look at the task manager) but after a few minutes I identify a hidden process related to Windows Contact import and I kill it.</p>
<p>18:00 &#8211; Outlook is slow as molasses on import but the same CSV file that was poison to Windows Contacts gets imported with flying colors to Outlook.  I try to run quick search to find the last contact I entered this morning (my 10am meeting in Tel Aviv), but the Outlook 2003 application claims that the indexing process is running and it cannot find the records (the indexing process never actually ran&#8230;.) Forget it, I don&#8217;t have time to sing and play games with Outlook 2003.</p>
<p>18:05 &#8211; Back to iTunes.  And this time, ladies and gentlemen, adults and adulteresses, we are going to sync from Outlook to the iPhone contacts.  It works. But verrryyy verrryyyyy slowwwwwllyyyyyy. I have time. I have to babysit Carmel (who is fast asleep down the hall after a tough day in pre-school) as the wife and daughter are out shopping. Do what any man would do on a baby-sitting gig - fall asleep on the sofa.</p>
<p>20:00 &#8211; Wife and daughter back from shopping and the iTunes sync from Outlook process has finished in the meantime, in between dreams about user-unfriendly software.</p>
<p><strong>23:55 &#8211; Conclusions</strong></p>
<p>1. The iPhone backup process is slow and buggy on all versions of iOS. Just google for &#8220;iphone contacts backup problems&#8221; and you will get over 3 million hits.</p>
<p>2. Apple does not have a data restore from backup strategy.  Otherwise, iTunes would have a &#8220;Backup iPhone Contacts&#8221; and &#8220;Restore iPhone Contacts&#8221; menu.  Entertainment is more important than data.  This is why Apple stock is at 321.</p>
<p>3. The usability and reliability of Windows 7 Contacts is beyond contempt.  No entertainment either. This is why Microsoft stock is at 23.</p>
<p>4. My next smart phone will be an Android.</p>
<p>Enjoy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2010/12/data-availability-and-integrity-the-applemicrosoft-version/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>I want data loss reasons, not numbers</title>
		<link>http://www.software.co.il/2009/08/i-want-data-loss-reasons-not-numbers/</link>
		<comments>http://www.software.co.il/2009/08/i-want-data-loss-reasons-not-numbers/#comments</comments>
		<pubDate>Fri, 07 Aug 2009 08:45:09 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Information security]]></category>
		<category><![CDATA[Data loss]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[Data retention]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[Fidelis Security]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Verdasys]]></category>
		<category><![CDATA[Websense]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=1750</guid>
		<description><![CDATA[Media reporting of data breach events like the UK NHS, Heartland, Hannaford and Bank of America has overwhelmingly focused on the raw numbers of customer data records that were breached. Little information is available regarding the root causes &#8211; how attackers exploited the system and people vulnerabilities to get the data. Although US legislation requires ...]]></description>
			<content:encoded><![CDATA[<p>Media reporting of data breach events like the UK NHS, Heartland, Hannaford and Bank of America has overwhelmingly focused on the raw numbers of customer data records that were breached.</p>
<p>Little information is available regarding the root causes &#8211; how attackers exploited the system and people vulnerabilities to get the data.</p>
<p>Although US legislation requires disclosure of a data loss event, it does not require disclosure of the root causes of  the event.</p>
<p>In the Hannaford Supermarket data breach case of over 4 million credit cards, the State of Massachusetts refused to provide details on their investigation.  Hannaford claims that malware attacked their store servers and promptly signed a contract with IBM to replace over 250 store back office servers.</p>
<p>Let&#8217;s take a closer look and see if this makes sense.</p>
<p>Store back office servers in a retail POS system are never connected to the public Internet and therefore could not be attacked directly by malware. It is possible that there was network connectivity from the company&#8217;s internal administration network of Windows users to store back office servers and this may have served as a vector for malware delivery. Possible and if true, a reason to segregate the store networks from the administration network using technology such as <a title="Waterfall Security" href="http://www.waterfall-security.com/" target="_blank">Waterfall Systems</a> but not a reason to replace all the back office servers.</p>
<p>My gut feeling is that Hannaford may have had a case of credit card authorization requests being saved in temporary files that were accessible from a Windows share on the administration network, which made it child&#8217;s play to steal for an insider with reasonable knowledge and access to the network.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2009/08/i-want-data-loss-reasons-not-numbers/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Is security a washing machine?</title>
		<link>http://www.software.co.il/2009/08/is-security-a-washing-machine/</link>
		<comments>http://www.software.co.il/2009/08/is-security-a-washing-machine/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 13:43:43 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Information security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[Data retention]]></category>
		<category><![CDATA[IT Governance]]></category>
		<category><![CDATA[Security vendors]]></category>
		<category><![CDATA[SME]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Verdasys]]></category>
		<category><![CDATA[Websense]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=1732</guid>
		<description><![CDATA[Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle. It’s always a 4 step cycle, like Symantec&#8217;s DLP  “Discover, Monitor, Protect and Manage” and it&#8217;s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line. It&#8217;s like a washing machine cycle that never ...]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-1736" title="bounce" src="http://v20/wp-content/uploads/2009/08/bounce.jpg" alt="bounce" width="300" height="300" /></p>
<p>Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle. It’s always a 4 step cycle, like <a title="Symantec DLP" href="http://www.symantec.com/en/uk/business/products/family.jsp?familyid=data-loss-prevention" target="_blank">Symantec&#8217;s</a> DLP “Discover, Monitor, Protect and Manage”, and it&#8217;s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.</p>
<p>It&#8217;s like a washing machine cycle that never stops, intent on keeping you from going home. It&#8217;s also a sales cycle focused on sustaining subscription revenue rather than protecting information.</p>
<p>The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard stuff: quantification and prioritization of your actions based on the financial value of assets and measurement of threat impact.</p>
<p>Modern security tools from companies like <a title="Qualys" href="http://www.qualys.com/index.php" target="_blank">Qualys</a> and <a title="Beyond Security Israel" href="http://www.beyondsecurity.com/" target="_blank">Beyond Security</a> are good at discovering exploitable vulnerabilities in the network, Web servers and applications.  However – since these tools have no notion of your business context and how much you value your information assets,  it is likely that your security spending is misdirected.</p>
<p>With reported data breaches that increased nearly 50% in 2008,  and security budgets that shrunk drastically in 2009  &#8211;  you need to measure how well the product reduces Value at Risk in dollars (or in Euro) and how well it will do 3 years after you buy the technology.</p>
<p>In order to help make that happen we will host a free weekly <a href="http://www.controlpolicy.com/workshops">online workshop</a> on data security best practices every Thursday, 15:00 GMT, 16:00 Central European Time, starting Thursday September 3, 2009.</p>
<p>This series of workshops is designed to help you and your team  take a  leadership role in the board room instead of waiting for vendor proposals in your office.</p>
<p>Through specific <a title="Business Threat Modeling" href="http://www.software.co.il/downloads/BusinessThreatModeling_4.0.pdf" target="_blank">Business Threat Modeling</a><sup>(TM)</sup> tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.</p>
<p><a title="Customer Data Security " href="http://www.software.co.il/data-security.html" target="_blank">Data security</a> is a war – when the attackers win, you lose.  We will help you win more.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2009/08/is-security-a-washing-machine/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data discovery for data loss prevention</title>
		<link>http://www.software.co.il/2009/07/data-discovery-for-data-loss-prevention/</link>
		<comments>http://www.software.co.il/2009/07/data-discovery-for-data-loss-prevention/#comments</comments>
		<pubDate>Fri, 31 Jul 2009 15:59:22 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Data leakage]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[Data loss]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[Data retention]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[Fidelis Security]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Verdasys]]></category>
		<category><![CDATA[Websense]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=1727</guid>
		<description><![CDATA[A few years ago I did some work for an Israeli startup called nLayers that did application, server and device discovery. They were later acquired by EMC. I thought it was a brilliant idea at the time, since large IT organizations don&#8217;t really know what assets they have in their IT portfolio. Therefore, it should ...]]></description>
			<content:encoded><![CDATA[<p>A few years ago I did some work for an Israeli startup called <a title="nLayers" href="http://en.wikipedia.org/wiki/NLayers" target="_blank">nLayers</a> that did application, server and device discovery. They were later acquired by <a title="agentless discovery" href="http://www.emc.com/domains/n-layers/index.htm" target="_blank">EMC</a>. I thought it was a brilliant idea at the time, since large IT organizations don&#8217;t really know what assets they have in their IT portfolio.</p>
<p>Therefore, it should be no surprise to anyone that a similar situation exists with data: large companies don&#8217;t really know what data assets they have, or where, when and how those assets are located.</p>
<p>This has given rise to a relatively new concept called &#8220;Data Discovery&#8221;.</p>
<p><a title="Discover, Monitor, Protect, Manage" href="http://www.symantec.com/en/uk/business/products/family.jsp?familyid=data-loss-prevention" target="_blank">Symantec</a> has one of those cute 4-step risk management processes for data loss prevention &#8211; <em>discover, monitor, protect and manage</em>. Security vendors have a predilection for this sort of 4-step cycle, often presented on a circular chart but sometimes in a box or on a line.</p>
<p>Why is data discovery the <em><strong>first</strong></em> step in the endless 4-step wash-cycle, designed to maximize product subscription revenues for companies like Checkpoint and Symantec instead of minimizing customer data security risk for organizations like the British NHS?</p>
<p>Data discovery may be a good idea for the vendor but it may be a very bad idea for the customer.</p>
<p>It appears that the rationale for starting with data discovery is primarily related to sales quota, although it has product potential as well. So here are 3 reasons to start with data discovery in a data loss prevention project &#8211; <strong>none</strong> of which has <strong>anything</strong> to do with minimizing value at risk.</p>
<p><strong>Reason no 1) If you can&#8217;t dazzle them with brilliance, baffle them with bullshit</strong></p>
<p>For a big organization, data discovery is a herculean task &#8211; once you get into a data discovery project, you won&#8217;t have enough time to discover that the monitor and protect steps don&#8217;t work. This is a good strategy for companies with weak content-analytical and prevention capabilities like Symantec.</p>
<p><strong>Reason no 2) You will discover the mother lode</strong></p>
<p>This is a wet-dream for any salesman: get the customer to pay you for discovering all of the possible opportunities to sell them product. Oh yes &#8211; you need endpoint DLP, and then 500 network DLP appliances for all the branch offices and then new backup and data storage management software. It&#8217;s a brilliant sales strategy. I&#8217;m sorry I didn&#8217;t think of it.</p>
<p><strong>Reason no 3) Find a smoking gun</strong></p>
<p>Data discovery may discover a smoking gun that will help the vendor scare the management into buying their solution. The only problem with this strategy is that after a nuclear Korea, soon-to-be nuclear Iran, Bin Laden, 9/11, Iraq II, Lebanon II, Operation Cast Lead and Afghanistan &#8211; people do not buy into security FUD tactics.</p>
<p>So &#8211; why IS data discovery a good thing for data loss prevention?</p>
<p>I&#8217;m not sure.</p>
<p>a) If the data never leaks &#8211; who cares if it&#8217;s on someone&#8217;s workstation or not? If you can be PCI-DSS 1.x compliant &#8211; you are good to go. PCI DSS doesn&#8217;t require data discovery &#8211; it just mandates not storing payment cards. 99 percent of world merchants self-comply anyhow.</p>
<p>b) If you discover (for the sake of argument) credit card data in plain text in a number of legacy applications, are you capable of reengineering the business process and the software applications?  I want an honest answer here&#8230;.</p>
<p>c) You did data discovery and found a passel of sensitive data on workstations. Now what? Write policies? Punish people? Install Verdasys end point DLP with encryption on demand to mitigate the problem because you can&#8217;t reengineer the business process?</p>
<p>Personally, I think monitoring at endpoints or the network edge (depending on the business and network situation) for 1 asset (that one asset that the CEO lives and dies for) is more effective than all the data discovery Symantec will ever do.</p>
<p>But &#8211; if you&#8217;ve been paying attention &#8211; the <em>discover, monitor, protect and manage</em> wash-cycle doesn&#8217;t include quantifying and valuating your asset and putting data loss prevention into a business context &#8211; your business context.</p>
<p>And without business context &#8211; security products are worth about as much as Bounce in your washer. Nice to smell, makes the clothes fluffy, but not much more.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2009/07/data-discovery-for-data-loss-prevention/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The role of DLP in IP protection</title>
		<link>http://www.software.co.il/2009/07/the-role-of-dlp-in-ip-protection/</link>
		<comments>http://www.software.co.il/2009/07/the-role-of-dlp-in-ip-protection/#comments</comments>
		<pubDate>Sun, 05 Jul 2009 07:37:09 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Data leakage]]></category>
		<category><![CDATA[Risk management]]></category>
		<category><![CDATA[business threat modeling]]></category>
		<category><![CDATA[Data loss]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[Data retention]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[DRM]]></category>
		<category><![CDATA[Fidelis Security]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Verdasys]]></category>
		<category><![CDATA[Websense]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=1605</guid>
		<description><![CDATA[A common conversation I have with my technology clients  touches on patent protection as a  security countermeasure against abuse of intellectual property. The short answer is that if you&#8217;re not DuPont or Roche, then patent protection is not going to help you very much. If you develop software , you are probably infringing  someone&#8217;s patents ...]]></description>
			<content:encoded><![CDATA[<p>A common conversation I have with my technology clients touches on patent protection as a security countermeasure against abuse of intellectual property. The short answer is that if you&#8217;re not DuPont or Roche, then patent protection is not going to help you very much. If you develop software, you are probably infringing someone&#8217;s patents as we speak.</p>
<p>Outside the chemical and pharmaceutical industries, the cost of litigation far exceeds the benefits of patent protection. (See <em>“Patent Failure: How judges, bureaucrats and lawyers put innovators at risk”, Bessen and Meurer, Princeton University Press, 2008, pages 130-156, “The cost of dispute”</em>.)</p>
<p>There are also many classes of assets not protected by patents: new products in R&amp;D phases, manufacturing process recipes, internal financials and board of directors information. This data is typically shared by many people in the company as well as with outsiders: customers, contractors and researchers. Such information is typically protected by NDA (non-disclosure agreements), and a company can sue a person who leaks it, seeking damages. Even though the direct legal costs are high, the business costs of litigation for the company can be much higher, not to mention that you first have to apprehend the discloser. Information leaks require managers and researchers to spend their time producing documents, testifying, strategizing with lawyers and appearing in court.</p>
<p style="margin-bottom: 0in;" align="justify">In this respect &#8211; Data Loss Prevention (DLP) technologies are an ideal tool to monitor for abuse or theft of IP over the network by an employee or outside contractor/business partner. The ability to detect the information leak and produce the forensics not only mitigates the risk but also provides the data you will need if you do have a violation and have to go to court.</p>
<p style="margin-bottom: 0in;" align="justify">The reason that DLP is perfectly suited for the IP abuse monitoring role stems from the fact that DLP is a data-centric security control, independent of users and rights management. From this perspective &#8211; it doesn&#8217;t really matter if you implement a network DLP solution (like Fidelis Security Systems or Websense) or an agent DLP solution (like McAfee and Verdasys). Like they say at Nike &#8211; <em>Just do it!</em></p>
<p>Read more on <a title="Data loss prevention" href="http://www.software.co.il/data-loss-prevention-solutions.html" target="_blank">data loss prevention solutions</a> and by all means drop me a line and tell me what you think.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2009/07/the-role-of-dlp-in-ip-protection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data loss prevention for SME</title>
		<link>http://www.software.co.il/2009/07/data-loss-prevention-for-sme/</link>
		<comments>http://www.software.co.il/2009/07/data-loss-prevention-for-sme/#comments</comments>
		<pubDate>Wed, 01 Jul 2009 13:39:52 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Data leakage]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Data loss]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[Data retention]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Verdasys]]></category>
		<category><![CDATA[Websense]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=1592</guid>
		<description><![CDATA[Is a SME like the old German expression &#8211; Kleine Kinder kleine Sorgen, große Kinder große Sorgen? &#8220;Small children, small problems, big children, big problems&#8221;? I wanted to call this post &#8220;The need to understand operational risk of information security&#8221; &#8211; but I realised that op risk is a concept used by big banks and ...]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.software.co.il/wp-content/uploads/2009/07/krankenhaus.jpg"><img class="alignright size-full wp-image-4358" title="krankenhaus" src="http://www.software.co.il/wp-content/uploads/2009/07/krankenhaus.jpg" alt="" width="259" height="194" /></a></p>
<p>Is an SME like the old German expression &#8211; <em>Kleine Kinder kleine Sorgen, große Kinder große Sorgen</em> (&#8220;Small children, small problems, big children, big problems&#8221;)?</p>
<p>I wanted to call this post &#8220;The need to understand operational risk of information security&#8221; &#8211; but I realised that op risk is a concept used by big banks and that an SME with 40 employees is not even thinking in that direction and may not even have an IT manager, let alone an IT security and compliance group. Yet &#8211; a small payment processor or customer service outsourcing provider can be destroyed by a single data loss event.</p>
<p>The impact of a data loss event on an SME can be proportionally much greater than for a large, globally dispersed organization. An SME has all its eggs in one basket &#8211; outsourcing manufacturing to the Far East and providing sales and support using the Internet from offices in New York, Tel Aviv and Mumbai.</p>
<p>A typical SME buys network access from the ISP and installs standard network security in the office: a SOHO firewall (Checkpoint or Cisco do fine), anti-virus on the workstations and anti-spam from the ISP.</p>
<p><em>The problem with firewall/anti-virus/anti-spam is that they are defensive means against known signatures rather than proactive means of mitigating the next attack launched from inside the network.</em></p>
<p>In order to understand the possible impact of an internally-launched attack on data (for example, an employee taking proprietary customer pricing with them to a competitor, blogging new product plans from the office, or losing a database of payment card numbers to a hacker), the first step to being proactive is monitoring.</p>
<p>With a UTM box, security focus is on outside-in attacks, despite the fact that the majority of attacks on customer data and intellectual property launch from inside the office/extended network. The notion of trusted systems inside a hard perimeter has disappeared with the rise of Web 2.0 services and the convergence of all applications to HTTP.</p>
<p>I cannot imagine an SME spending $150,000 on the Fidelis XPS network DLP solution or Verdasys Digital Guardian (which is oriented to Global 500 customers or, translated into English &#8211; at least 2,000 seats), but the new network DLP product &#8211; Traffic Monitor Lite from <a title="Infowatch" href="http://www.infowatch.com" target="_blank">Infowatch</a> &#8211; is taking DLP technology into the realm of pricing and ease-of-use for a global SME. I look forward to having the opportunity to evaluate it and report back on my findings.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2009/07/data-loss-prevention-for-sme/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Choosing a data loss prevention solution</title>
		<link>http://www.software.co.il/2009/07/choosing-a-data-loss-prevention-solution/</link>
		<comments>http://www.software.co.il/2009/07/choosing-a-data-loss-prevention-solution/#comments</comments>
		<pubDate>Wed, 01 Jul 2009 08:07:06 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Data leakage]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[Data loss]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[Data retention]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[DRM]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=1578</guid>
		<description><![CDATA[Data security is not one-size fits all. For example, if the threat scenario is an attack on your customer self-service Web application &#8211; obfuscating or encrypting fields in database tables is not an effective security countermeasure;  you need a network DLP solution to prevent leaks of clear text data and a software security assessment that ...]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.software.co.il/data-breaches.html"><img class="alignleft size-medium wp-image-1588" title="Data security, Disaster recovery planning" src="http://v20/wp-content/uploads/2009/07/dilbert_data_security1-300x265.jpg" alt="Data security, Disaster recovery planning" width="240" height="212" /></a></p>
<p>Data security is not one-size-fits-all.</p>
<p>For example, if the threat scenario is an attack on your customer self-service Web application &#8211; obfuscating or encrypting fields in database tables is not an effective security countermeasure; you need a network DLP solution to prevent leaks of clear text data and a software security assessment that will help you get rid of the bugs that make your Web application vulnerable. On the other hand, if the threat scenario is sales representatives working in stores in shopping malls using unmanaged PCs and leaking customer data, you need an agent DLP solution.</p>
<p>How do you decide what is the DLP solution for your business?</p>
<p>Data security is the task of ensuring confidentiality and privacy, integrity and availability of the data you use to run your business. It includes DLP, DRP, data retention and backup, but the essence of data security is its approach: data security employs a direct data-centric approach, as opposed to traditional IT security, which focuses on protecting networks and systems, or risk and compliance management, which focuses on assuring processes and compliance to regulation.</p>
<p>The confidentiality and privacy component of data security is well-addressed by DLP (data loss prevention) technologies. Roughly divided into two kinds of products &#8211; there are agent DLP products from companies like Verdasys and McAfee and network DLP products from companies like Fidelis Security Systems and Symantec (formerly Vontu). At the beginning of 2009 &#8211; Websense introduced an integrated agent and network DLP product, and I&#8217;m expecting that McAfee will release their integration with Reconnex sometime in H1 2010. It&#8217;s a bit too early to say if the integrated approach to DLP is the best of both worlds or the worst of both worlds &#8211; but that&#8217;s material for another discussion.</p>
<p>The question is not at all what DLP solution you should choose, but how DLP technology and data security practice fits into your business.<br />
Consider that data loss prevention is a subset of the wider discipline of GRC &#8211; governance, risk and compliance.</p>
<p>Data loss prevention is a highly effective supplement to patch management, server hardening, rights management and permissions. Being data-centric (as opposed to network-centric), a DLP data security countermeasure mitigates multiple threat vectors from trusted insiders, malicious outsiders or business partners with access to line of business applications.</p>
<p>But TANSTAAFL &#8211; there is no free lunch. Data security comes at a price because, unlike servers, your data is everywhere. The price is that if you want to protect your company&#8217;s valuable data, you must be able to identify your data threat scenarios and valuate your data with a financial price tag. With valuation &#8211; you will be able to justify an investment, and implement the right data security in an effective way.</p>
<p>Before valuating the data, you must first identify your key threat scenarios or use cases &#8211; in any company, there are no more than 3-5. A threat scenario is basically a verbal description of the threat, the data being attacked, the vulnerabilities that the threat exploits and the countermeasures that mitigate the vulnerabilities.</p>
<p>Here is a typical threat scenario:</p>
<p>Customer data loss<br />
a) The asset is credit card data.<br />
b) The company installs a Web-based reseller application that enables a reseller to take orders and enter them into the system. The software developer who wrote the Web application is not strong on software security and doesn&#8217;t encrypt the payment card transactions sent to the company&#8217;s ERP system. The vulnerability is transmission of payment cards in clear text to other system interfaces. The threat is an attacker who may be able to capture the clear-text payment cards by copying temporary files or sniffing data on the network (see the case of Hannaford supermarkets).</p>
<p>c) The data security countermeasures are:<br />
Monitor for credit cards in clear text in the DMZ and on the network segment before the VPN.<br />
Perform a software security assessment of the reseller application and require encryption of all credit card transactions sent to external system interfaces (for example the ERP system and the payment processor).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2009/07/choosing-a-data-loss-prevention-solution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reducing risk of major data loss events</title>
		<link>http://www.software.co.il/2009/06/soaring-cryptography-and-nuclear-weapons/</link>
		<comments>http://www.software.co.il/2009/06/soaring-cryptography-and-nuclear-weapons/#comments</comments>
		<pubDate>Thu, 18 Jun 2009 18:58:08 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Physical security]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Risk management]]></category>
		<category><![CDATA[Risk mitigation]]></category>
		<category><![CDATA[Data retention]]></category>
		<category><![CDATA[Homeland Security]]></category>
		<category><![CDATA[Islamic Terror]]></category>
		<category><![CDATA[nuc]]></category>
		<category><![CDATA[Obama]]></category>
		<category><![CDATA[Palestinian violence]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=1542</guid>
		<description><![CDATA[Martin Hellman (of Diffie-Hellman fame) maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled Soaring, cryptography and nuclear weapons. Hellman proposes that we need a third state scenario (instead of just the current state &#8211;&#62; nuclear war) where the risk of nuclear holocaust has been ...]]></description>
			<content:encoded><![CDATA[<p>Martin Hellman (of Diffie-Hellman fame) maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled <a title="Soaring" href="http://nuclearrisk.org/soaring_article.php" target="_blank">Soaring, cryptography and nuclear weapons</a>.</p>
<p>Hellman proposes that we need a third state scenario (instead of just the current state &#8211;&gt; nuclear war) where the risk of nuclear holocaust has been reduced by several orders of magnitude from today to an acceptable level.</p>
<p>This makes sense, and it&#8217;s an intriguing idea as an exercise in risk analysis of information security and data protection to see if there is a similar third state where the risk of data breach and major data loss events is reduced to acceptable levels.</p>
<p>That&#8217;s one thing that got me thinking.</p>
<p>The second thing is the quote from Fyodor Burlatsky, one of Khrushchev&#8217;s speechwriters and close advisors, as well as a man who was in the forefront of the Soviet reform movement:</p>
<blockquote><p>In Khrushchev&#8217;s eyes [America insisting on getting its way on certain issues] was not only an example of Americans&#8217; traditional strong arm policy, but also an underestimation of Soviet might. &#8230; Khrushchev was infuriated by the Americans&#8217; &#8230; continuing to behave as if the Soviet Union was still trailing far behind.</p></blockquote>
<p>So here we are &#8211; 2009 and President Obama is insisting on getting his way <em>on certain issues</em> with the Iranians, who pose a serious nuclear threat to the world. But not only Ahmadinejad &#8211; the Russians and the North Koreans are also infuriated by the Americans&#8217; &#8230; continuing to behave as if they are still trailing far behind.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2009/06/soaring-cryptography-and-nuclear-weapons/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

