Tag Archives: Homeland Security


Procedures are not a substitute for ethical behavior

Are procedures a substitute for responsible and ethical behavior?

The behavior of former Secretary of State (and losing Presidential candidate) Hillary Clinton is an important example of how feeling entitled is not the exclusive domain of under-20-somethings. When we do a threat analysis of medical devices, we try to look beyond the technical security countermeasures and dive into the human factors of the organization's employees and managers.

Leadership from the front trumps security technology.

President Obama’s notion of leading from behind is problematic in the data security and governance space – leadership is about leading from the front.

President Obama’s weak position on enforcing data security and privacy in his administration (Snowden, Clinton and the NSA) set a poor example that will take years to undo and probably cost Hillary Clinton the election.

In the business environment, management leadership from the front on data security and privacy is a more effective (as in cheaper and stronger) countermeasure than technology when it comes to mitigating trusted insider threats.

In the family environment, we traditionally see parents as responsible for taking a leadership position on issues of ethics and responsible behavior.

Has mobile changed this?

Sprint announced new services that will allow parents to set phone use limits by time of day or week, and to see their children's daily calls, text messaging and application activity. Sprint Mobile Controls, powered by Safely, a division of Location Labs, lets parents see rich graphical representations of how their family calls, texts and uses applications, and lock phones remotely at specific times.

For example:

  • Seeing who your son or daughter has been calling or texting recently – and how often.
  • Establishing an allowed list of phone numbers from which your child can receive a call or text.
  • Seeing a list of your child’s contacts with an associated picture ranked by overall texting and calling activity.
  • Viewing what apps your child is downloading to their phone.
  • Choosing up to three anytime apps that your child can use when their device is locked.
  • Allowing your child to override phone restrictions in case of an emergency.
  • Setting alert notifications for new contacts, or School Hours and Late Night time periods.
  • Setting Watchlist contacts: Receive alert notifications when your child communicates with a Watchlist contact.

This seems like a similar play to product and marketing initiatives by credit card companies to control children's credit card usage with prepaid cards like the Visa Buxx – except that in Visa's case the marketing message is education in addition to parental control. Visa Buxx benefits for parents and teens include:

  • Powerful tool to encourage financial responsibility
  • Convenient and flexible way to pay
  • Safer than cash
  • Parental control and peace of mind
  • Wide acceptance—everywhere Visa debit cards are welcome

Visa Buxx was introduced almost 10 years ago. I don’t have any data on how much business the product generates for card issuers, but fast forward to December 2011 and the message of responsibility has given way to parental control in the mobile market:

In the case of mobile phones, I can see the advantage of a home privacy and security product. From Sprint’s perspective, controlling teens is a big untapped market. Trefis (the online site that analyzes stock behavior by product lines) has aptly called it “Sprint Targets Burgeoning Teen Market with Parents Playing Big Brother”:

The teen market, consisting of those in the 12 to 17 year age group, is plugged into cellular devices and plans to a much greater extent than you might imagine. According to a Pew Internet Research study, more than 75% of this group owns a wireless phone. This isn’t news to Sprint Nextel (NYSE: S) or mobile phone competitors such as Nokia (NYSE:NOK), AT&T (NYSE:T) and Verizon (NYSE:VZ).

I do not believe that technology is a replacement for education.

It will be interesting to track how well Sprint does with their teen privacy and security product and if parents buy the marketing concept of privacy controls as a proxy for responsible behavior.

Tell your friends and colleagues about us. Thanks!
Share this

Has the threat of cyberwar been grossly exaggerated?

Bruce Schneier writes that The Threat of Cyberwar Has Been Grossly Exaggerated

Not unpredictably, the essay yielded a lively discussion. I agree with Bruce – especially because of all the hype around Stuxnet. On the one hand, the locals in Israel more or less know, or can guess, who worked on the project; on the other hand, there are clumsy attempts at disinformation – Shai Blitzbau is trying to claim that it is not military code, but didn’t do his homework regarding WinCC (a Siemens Windows application for industrial command and control, not a special version of Windows for SCADA systems as Blitzbau wrote).

Software Requirements
WinCC V6.2 is released for the following operating systems:

  • Windows XP Professional Service Pack 2 (client / single-user station)
  • Windows 2000 Professional Service Pack 4 (client / single-user station)
  • Windows Server 2003 Service Pack 1 (client / single-user station / server)
  • Windows Server 2003 R2 (client / single-user station / server)

Microsoft SQL Server 2005 SP1 is used as the database and is supplied with WinCC Version 6.2. The SQL Server system administrator password can be assigned by the user and supports adherence to company password conventions.

While Blitzbau is probably trying to link-bait some headlines with a contrarian opinion – 500MB of well written code by a large multi-disciplinary team looks and smells like cyber war no matter what languages the developers speak and use.

Nonetheless – cyber war is overhyped.

I found it significant that Schneier’s article and the resulting discussion thread skimmed over the obvious, namely that:

In real war (as defined by soldiers of one state fighting soldiers of another state) or real terror (as defined by bad people who kill civilians) – real people get killed.

As an Israeli – I find the American fixation on cyber terror and cyber war somewhat amusing.

Although I understand that it is fundamentally a way of generating more business for the Raytheons of this world – the American fixation on cyber-war and cyber terror goes beyond DoD and Pentagon turf wars.

For many Americans, cyber war must seem like a safe way of vicariously participating in some kind of a cool war effort without having to pay the physical and emotional price of dealing with losing friends and families to real world terrorists or soldiers.

Perhaps – if I might speculate – it is possible that President Obama has not declared war on Afghanistan because it runs contrary to his liberal Weltanschauung of “let's solve conflicts by talking to everyone, since everyone is created equal”.

Cyber war and cyber terror are proofs of the inequality of life and the inequality of war.

While the DHS, NSA, FBI and CIA would have difficulty producing a single example of a real person being murdered by a piece of targeted malware, any Israeli you meet – including yours truly – has close friends or family who were killed by real wars and real terrorists.


Why Pentagon cyber strategy is divorced from reality.

In the recent September/October 2010 issue of Foreign Affairs, William Lynn, U.S. Deputy Secretary of Defense, writes about defending a new domain.

The long, eloquently phrased article demonstrates that the US has fundamental flaws in its strategic thinking about fighting terror:

Predicting cyberattacks is also proving difficult, especially since both state and nonstate actors pose threats… Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.

And in summary:

“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces …to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe…”

It is unfortunate that a politruk has so much influence on US cyber security.

The US and European governments consistently adopt strategic policies that were obsolete  years before they came into office.

Just as the Obama administration is crippled by flawed assumptions about the regional balance of power in the Middle East, Washington still sees security as an exercise in organizational constructs, inter-agency collaboration and better defenses, and pats itself on the back for recognizing that there is a new domain of threats… when the Internet was invented 20 years ago.

Lynn’s laundry lists of strategic objectives, phrased in politically-correct corporate-speak, are the wrong answer for improving cyber-security. When Lynn himself speaks extensively about the need for speed and flexibility, the answer cannot be more government-funded, monolithic bureaucracies.

The private–public partnership is particularly problematic in my view. The really smart people in security technologies are at small startups – not at Raytheon and Symantec and all the other big corporates that have enough lobbyist resources to line up and eat pork from the Federal plate. And – why – if I may challenge some conventional wisdoms – should companies like Symantec be allowed to influence US cyber defenses when they have done an abysmal job protecting civilian networks and digital assets? And – why – should Microsoft be part of the solution when they are part of the problem?

Perhaps the US should start by outlawing Windows and using Ubuntu which is not vulnerable to removable USB device auto run attacks.

Perhaps the US should start getting more humint on the ground instead of gutting the CIA of its human assets and relying on satellites and network intercepts. At the time of 9/11 the CIA had no human assets in Saudi, and since the Clinton administration investment in people on the ground has gone downhill. I hear the sign in the CIA station chief's office in Riyadh says “Better to do nothing than to do something and look bad”.

Perhaps the US should consider that there are numerous offensive alternatives to retaliation (which indeed is not an effective countermeasure due to the extreme asymmetry of cyber attacks).

Perhaps the US should consider that cyber attackers are not motivated by economic utility functions and therefore utility-function-based defenses are not appropriate.

The security concept proposed by Lynn is sadly divorced from reality.


Cultural factors in DLP

What is interesting and generally overlooked is the cultural difference between the US and the rest of the world. The Europeans prefer a more nuanced approach stressing discipline and procedures; the Americans are compliance driven and IT top-heavy. I imagine that if you look at DLP sales, 98% are in the US, being (right or wrong) compliance driven.

Last September, Forrester did a seminar in Amsterdam on data security – only 10% of the CTOs/CIOs that attended the meeting had plans to implement DLP in 2010.

The Europeans have a point – but policies and procedures are only as good as the monitoring and enforcement behind them. This is where DLP comes into play – collecting data in several realms: data channels, content and organizational anomalies (downloads, uploads etc.).

In addition, there is a strong and well-known link between the social health of employees in an organization and the company’s economic/business health. In a successful business unit people are happy, and happy people contribute to the success of the business. Unhappy people don’t identify with the company, have problems contributing, and either leave or cross the line into malicious behavior.

For my money (and this is my experience in a dozen DLP deployments in EMEA), the key value-add of DLP technology is not the prevention part but the monitoring part and its role in a feedback/educational loop with the organization.

If you only do one thing this year – you should start measuring data security events and using those measurements to improve your policies, procedures and systems – and user education.
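To make that measurement loop concrete, here is an added example (not from the original post or any DLP product): it aggregates constructed DLP events by channel and business unit, tracks the weekly trend, lists repeat users as candidates for targeted education, and flags an organizational anomaly (a user whose latest-week activity spikes above their own baseline). The event fields and the sample data are assumptions.

```python
"""Added example: turning DLP monitoring events into measurements for a
policy / education feedback loop. Event fields are assumed, not taken
from any particular DLP product."""
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

# Constructed sample events (one dict per DLP hit), spanning four ISO weeks.
EVENTS = [
    {"date": "2010-01-04", "user": "alice", "unit": "sales",   "channel": "webmail", "action": "monitored"},
    {"date": "2010-01-05", "user": "alice", "unit": "sales",   "channel": "webmail", "action": "monitored"},
    {"date": "2010-01-06", "user": "bob",   "unit": "finance", "channel": "usb",     "action": "blocked"},
    {"date": "2010-01-12", "user": "alice", "unit": "sales",   "channel": "webmail", "action": "monitored"},
    {"date": "2010-01-13", "user": "carol", "unit": "r&d",     "channel": "upload",  "action": "monitored"},
    {"date": "2010-01-14", "user": "bob",   "unit": "finance", "channel": "usb",     "action": "blocked"},
    {"date": "2010-01-20", "user": "dave",  "unit": "sales",   "channel": "print",   "action": "monitored"},
    {"date": "2010-01-25", "user": "carol", "unit": "r&d",     "channel": "upload",  "action": "monitored"},
    {"date": "2010-01-26", "user": "erin",  "unit": "support", "channel": "usb",     "action": "monitored"},
    {"date": "2010-01-27", "user": "erin",  "unit": "support", "channel": "usb",     "action": "monitored"},
    {"date": "2010-01-28", "user": "erin",  "unit": "support", "channel": "usb",     "action": "monitored"},
]

def iso_week(day: str) -> int:
    """ISO week number of a YYYY-MM-DD string."""
    return date.fromisoformat(day).isocalendar()[1]

def count_by(events, field):
    """Events per channel, business unit, user, ...: the basic measurement."""
    return Counter(e[field] for e in events)

def weekly_trend(events):
    """Events per ISO week; compare before/after a policy or training change."""
    return dict(sorted(Counter(iso_week(e["date"]) for e in events).items()))

def blocked_ratio(events):
    """Share of hits actually prevented; the rest is monitoring-only signal."""
    if not events:
        return 0.0
    return sum(e["action"] == "blocked" for e in events) / len(events)

def repeat_users(events, threshold=2):
    """Users at or above the threshold: candidates for targeted education."""
    return sorted(u for u, n in count_by(events, "user").items() if n >= threshold)

def weekly_spikes(events, factor=2.0, minimum=2):
    """Organizational anomaly: a user whose latest-week count exceeds `factor`
    times their own average over the earlier weeks in the data set (and is at
    least `minimum`). A user with no history and `minimum` hits qualifies."""
    weeks = sorted({iso_week(e["date"]) for e in events})
    if len(weeks) < 2:
        return []
    per_user = defaultdict(Counter)
    for e in events:
        per_user[e["user"]][iso_week(e["date"])] += 1
    latest, history = weeks[-1], weeks[:-1]
    flagged = []
    for user, counts in per_user.items():
        baseline = mean(counts[w] for w in history)
        if counts[latest] >= minimum and counts[latest] > factor * baseline:
            flagged.append(user)
    return sorted(flagged)

if __name__ == "__main__":
    print("by channel:", count_by(EVENTS, "channel"))
    print("by unit:   ", count_by(EVENTS, "unit"))
    print("per week:  ", weekly_trend(EVENTS))
    print("blocked:   ", round(blocked_ratio(EVENTS), 2))
    print("educate:   ", repeat_users(EVENTS))
    print("spikes:    ", weekly_spikes(EVENTS))
```

In the sample data the USB channel dominates because of one user's spike in the last week, which is exactly the kind of finding that should feed a conversation with that business unit rather than a new blocking rule.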


Facebook disclosure cancels raid on terrorists

I want to challenge the effectiveness of top-down, monolithic security frameworks (ISO 27001/PCI DSS). I submit that rapidly changing threats – social networking, cyber-stalking, social engineering and custom spyware – exploit people and system vulnerabilities but are not readily mitigated by a top-down set of security countermeasures.

The recent case of the OPSEC violation on Facebook in Israel, reported by the Jerusalem Post, is a good example of how a hierarchical organization (the Army) is threatened by a flat social network. The good news is that the security countermeasure was found in the social network itself – herein lies the lesson.

The IDF was forced to cancel a recent arrest operation in the West Bank after a soldier posted information about the upcoming raid on his Facebook page. The operation was scheduled to take place several weeks ago in the Binyamin region. The soldier, from an elite unit of the Artillery Corps, posted on his Facebook page: “On Wednesday, we are cleaning out [the name of the village] – today an arrest operation, tomorrow an arrest operation and then, please God, home by Thursday.”

The status update on the soldier’s page was revealed by other members of the soldier’s unit. His commanders then updated Judea and Samaria Division commander Brig.-Gen. Nitzan Alon, who decided to cancel the operation out of concern that the mission had been compromised.

Organizations need to leave the static top-down control frameworks a few times a year and look outside the organization for links and interdependencies – and talk to the soldiers in the trenches in customer service, field sales and field service.

The information you will get from people outside your firm and from people with dirty hands is far more valuable than rehashing the ISO27001 check list in an audit.

The most valuable data is from questions you haven’t asked yet – not from a checklist in an Excel spreadsheet in the hands of a junior auditor from KPMG.


Reducing risk of major data loss events

Martin Hellman (of Diffie-Hellman fame) maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled Soaring, cryptography and nuclear weapons.

Hellman proposes that we need a third state (instead of the current state -> nuclear war) in which the risk of nuclear holocaust has been reduced by several orders of magnitude from today, to an acceptable level.

This makes sense, and it’s an intriguing idea as an exercise in risk analysis of information security and data protection: to see if there is a third state where the risk of data breach and major data loss events is reduced to acceptable levels.

That’s one thing that got me thinking.

The second thing is the quote from Fyodor Burlatsky, one of Khrushchev’s speechwriters and close advisors, as well as a man who was at the forefront of the Soviet reform movement:

In Khrushchev’s eyes [America insisting on getting its way on certain issues] was not only an example of Americans’ traditional strong arm policy, but also an underestimation of Soviet might. … Khrushchev was infuriated by the Americans’ … continuing to behave as if the Soviet Union was still trailing far behind.

So here we are in 2009, and President Obama is insisting on getting his way on certain issues with the Iranians, who pose a serious nuclear threat to the world. But not only Ahmadinejad – the Russians and the North Koreans are also infuriated by the Americans’ … continuing to behave as if they are still trailing far behind.


German homeland security

I am on an email distribution list from the Israeli Export Institute for Israeli software and security companies. The Export Institute is organizing an event on Protecting Critical Infrastructure – the event is slated to take place in Brandenburg, Berlin-Schönefeld, 18–20 May 2009. I liked the use of standard security market-speak to describe the opportunity – from the following, it appears that the German market doesn’t view data loss and trusted insider threats as its top priority:

New studies estimate the size of the German IT Security market at around 5 billion Euros, and expect market size to double in the next 5 years. German security managers consider attacks on their companies’ IT Security and internet-related crime to be the most serious security threats to their businesses.



The Israeli Supreme Court is a security vulnerability

I got this from my sister-in-law Judith Bedichi this morning – it was written by Dr. Guy Bechor and describes an escalation of security threats to the Jewish State of Israel. The Israeli Supreme Court is highly regarded yet clearly preferential to Israeli Arabs, with liberal rulings allowing operations of radical Islamic groups in the name of democracy and human rights. Dr. Bechor submits that the Supreme Court is a vulnerability that has been systematically exploited by false claims of groups like Adallah, aiding and abetting security threats to Israel. If you know Hebrew it’s an interesting read.

The “vision document” composed by the leadership of Israel's Arabs, in light of what happened in Acre.

By Dr. Guy Bechor

In recent months the “Higher Follow-Up Committee for the Arab Citizens of Israel”, the “Committee of Heads of Arab Local Authorities” and the “Adalah” organization published their “Vision Document”: how the State of Israel should look, and what they are fighting for. It is interesting to note that these organizations are funded either by the State of Israel or by liberal Jews from the United States who think that this is how they help Israel.

In brief, to summarize this racist document, which states that “Israel is the outcome of a colonialist act initiated by the Jewish-Zionist elites in Europe and the West”, these are the demands of the Arabs, who regard the Jews as an “immigrant majority”:



70 years after Kristallnacht

It’s sad that on the 70th anniversary of Kristallnacht, Ehud Olmert and Tzipi Livni felt compelled to mitigate their political vulnerabilities with offers of appeasement to Palestinian terrorists.

Political spin is not a sound replacement for national pride.

Kristallnacht, literally the Night of Broken Glass, was a pogrom in Nazi Germany on the night of November 9-10. That night, 82 Jews were murdered and 25,000–30,000 were arrested and deported to concentration camps.

Olmert, Livni and Peres should listen up and learn from an event that happened this Friday in Berlin.

I got this item – courtesy of Joseph Bernadette.

The Rykestrasse synagogue in Berlin was torched on Kristallnacht. This past Friday saw rabbis bringing the Torah to the synagogue, in a ceremony witnessed by political leaders and Holocaust survivors from around the world. The synagogue, with a capacity to seat 1,200, has been described as one of the jewels of Germany’s Jewish community. Rabbi Chaim Roswaski, who presided at the ceremony, described the reconstruction as “a miracle.” The re-opening comes at the start of a Jewish culture festival this week in Berlin.

Who would have thunk?


What do hackers want?

What do hackers really want?

No question is more important for mounting effective security countermeasures. Management, IT and security practitioners cannot expect to mitigate risk effectively without knowing the objectives and cost of potential attacks on their organization.

We all depend on transaction processing to run our business and make decisions, no matter how big or small we are. We all use business applications (most of them Web-based these days) to buy, sell, pay vendors and collect from customers.

The prevailing security model is predicated on defense in depth of transaction systems. The most common strategies mitigate risk with network and application security products that are reactive countermeasures: blocking network ports and services, detecting known application exploits, or blocking the entry of malicious code into the network.

Are any of these security countermeasures likely to be effective in the long-term? Can attacks on a business be neutralized with defensive means only? In other words, is there a “fire and forget” security solution for the business? The answer is clearly no.

This is for three reasons:

  1. You must understand the attacker. If you understand what a terrorist wants (suicide bomber in a shopping mall sometime next week), you can save lives with a preemptive attack. In the physical world we defend the citizens of our country with both defensive and offensive means. Often a political decision that is up for public scrutiny and criticism, nonetheless we do attack our enemies – with military action: commando raids, precision bombing or carpet bombing.
  2. You must understand yourself. Defensive “fire-and-forget” security countermeasures such as an IPS are not a replacement for understanding where the threats lie and how much your assets are worth. A Checkpoint SmartDefense firewall can help protect against malformed IMAP commands, but it cannot detect extrusion of proprietary company assets in a Gmail attachment. An application firewall can help mitigate well-known XSS vulnerabilities but won’t fix bugs in customized application source code or mend system configuration problems.
  3. You must consider the alternate cost. There is no reason for us to attempt to take rational decisions in the real world but abstain from cost-benefit calculations in cyberspace. The cost of mounting a cyber attack on a company – bribing or social-engineering an employee to mail a file with all employee details – is far less than what the company spends on its information security systems. With the inherently asymmetrical costs of cyber defenses versus cyber attacks, it’s high time to change the rules. Robert Bejtlich has a fascinating discussion on his blog – Mutually Assured DDOS. It’s a catchy title with a lot of interesting insights – but personally I am not sure that projection of power, deterrence and mutually assured destruction are an acceptable corporate or government business objective.