Information security and  risk analysis is complex stuff, with multiple dimensions  of people, software, performance, management, technology, assets, threats, vulnerabilities and control relationships.  This is why it’s hard to sell security to organizations. But, information security is also a lot like fashion with cyclical hype and theater: today – , HIPAA, iOS and Android security,  yesterday – Sarbanes-Oxley, federated identity management, data loss protection and application security firewalls.

Back in 2007,  I thought we might a return to the Age of Reason, where rational risk management replaces blind compliance check lists – I thought that this could happen  for 2 reasons:

1. Compliance projects  can have good business value, if you focus on improving the product and it’s delivery.
2.  Security is like fashion – both are cyclical industries, the wheel can also turn around in the right direction.

HIPAA compliance is a minimum but not sufficient requirement for product and process improvement.

Healthcare companies and medical device vendors that do HIPAA compliance projects, may be paying a steep price for HIPAA compliance without necessarily getting a return on their investment by improving the core features and functionality of their products and service offerings.

Compliance driving improvements in products and services is good for business, not just a mantra from Mcafee.

It could happen, but then again, maybe not. Look at the trends. Taking a sample of articles published in 2011 on the  eSecurityPlanet Web site we see that  mobile devices and cloud services lead the list, followed by IT security with healthcare closing the top 15. I guess cost-effective compliance is a lot less interesting than Android security.

1. iOS vs. Android Security: And the Winner Is?
2. 5  iOS 5 Enterprise Security Considerations – You can’t keep Apple out of the enterprise anymore so it’s best to figure out the most secure way to embrace it, writes Dan Croft of Mission Critical Wireless.
3. PlayBook Tops in Tablet Security – Recent price reductions may mean more Blackberry Playbook tablets entering your organization, but that may not be such a bad thing for IT security teams.
4. Android Security Becoming an Issue – As the Android mobile platform gains market share, it also garners a lot of interest from cyber crooks as well as IT security vendors.
5. Which Browser is the Most Secure? – The ‘most hostile’ one, say researchers at Accuvant Labs.
6. How to Prevent Employees from Stealing Your Intellectual Property -It’s the employee with the sticky hands that is the easiest and cheapest to thwart.
7. Security Spend Outpacing the Rest of IT – High profile breaches and mobile devices are driving IT security spending.
8. Public Cloud Keys Too Easy to Find -If you put the keys to your cloud infrastructure in plain sight, don’t be surprised if you get hacked.
9. Zeus (Still) Wants Your Wallet – The antivirus community has failed to figure out this able and persistent piece of malware. It’s as simple as that.
10. Spear Phishing Quickly Coming of Age – Even the security giants are not immune from this sophisticated and growing form of attack, writes Jovi Bepinosa Umawing of GFI Software.
11. Penetration Testing Shows Unlikely Vulnerabilities – Enterprises need to dig deeper than just automated scanning to find the really interesting and dangerous cyber security flaws.
12. Bank Fraud Still Costing Plenty – Bank fraud is and will continue to be an expensive problem.
13. Do IT Security Tools Really Make You Safer? – Yet another suite of tools for IT security folks to administer and manage can actually have the opposite effect.
14. Siege Warfare in the Cyber Age – In one the unlikeliest turn of events brought about by technology, it looks like Middle Ages’ siege warfare may be making a comeback, writes Gunter Ollmann of Damballa.
15. Healthcare Breaches Getting Costlier – And it’s not just dollars and cents that are on the line – reputations are on the line, writes Geoff Webb of Credant Technologies.

As a preface, begin with the understanding that you already have all the resources you need.

Discussions with colleagues in a large forensics accounting firm that specialize in anti-fraud investigations, money laundering and anti-terror funding (ATF), confirm what I’ve suspected for a long time. Armies of junior analysts working for the large accounting firms who have never seen or experienced a fraudulent event and are unfamiliar with the your business operation are not a reasonable replacement for careful risk analysis by the business done by people who are familiar with the business.

Step # 1- Do not do an expensive business process mapping project.

Many consultants tell organizations that they must perform a detailed business process analysis and build data flow diagrams of data and users who process data. This is an expensive task to execute and extremely difficult to maintain that can require large quantity of billable hours. That’s why they tell you to map data flows. The added value of knowing data flows inside your organization between people doing their job is arguable. There are much better ways to protect your data without writing out a 7 digit check. Here is the first one you should try out. Select the 10 most valuable data assets that your company owns. For example – proprietary mechanical designs of machines, detailed financials of a private company being acquired, and details of competitive contracts with large accounts. In a few interviews with finance, operations, IT, sales and engineering, you can nail down those key assets. After you’ve done that, schedule a 1 hour meeting with the CFO and ask her how much each asset is worth in dollars. In general, the value of a digital, reputational, physical or operational asset to a business can be established fairly quickly by the CFO in dollar terms – in terms of replacement cost, impact on sales and operational costs.

Step #2 – Do not develop a regulatory compliance grid.

There is no point in taking a non-value-added process and spend money making it more effective.

My maternal grandmother, who spoke fluent Yiddish would yell at us – ” grosse augen” when we would pile too much food on our plates. ” Grosse augen” ( or as my folks put it); is having eyes that are bigger than your capacity. Yes, US publicly traded companies are subject to multiple regulations – if the company sells to customers and stores and processes PII (personally identifiable data) they will have to deal with PCI DSS 1.1, California State Privacy Law, Sarbanes-Oxley PCI DSS 1.1 protects one asset – payment card numer and magnetic stripe, while Sarbanes-Oxley is about accounting records. Yes, there are a few commercial software products that map business processes, databases and data elements to multiple regulations; their goal is to help streamline the work involved in multiple regulatory compliance projects – eliminating redundancy where possibility using commonality.
Looking at all the corporate governance and compliance violations; cases such as Hannaford supermarkets and AOL – it’s clear government regulation has not made America more competitive nor better managed.

Step #3 – Identify the top 5 data assets in your business and valuate them

I saw an article recently that linked regulatory compliance mandate and asset cost. Definitely not true – the value of an asset for a company is whatever operational management/CFO say it is. Asset value has nothing to do with compliance but it has everything to do with a cost effective risk control plan. For example – a company might think that whole disk encryption on all company notebook computers is a good idea – but if only 20 people have sensitive data – why spend 1 million dollars on mobile device data encryption when you can solve the problem for less than 5k?

Step #4 – Do not store PII

The absolutely worst thing you can do is a project to analyse data retention and protection regulations that govern each of the sensitive data elements that need protecting, and working with legal and compliance consultants who know the relevant regulations. VISA has it right. Don’t store credit cards and magnetic strip data. It will not help the marketing guys sell more anyway – and you can give the money you save on some fancy database encryption software to the earthquake victims in Myanmar and China.

Step #5 – Monitor your outsourcing vendors

Despite the hype on trusted insiders, most data loss is from business partners. You can write a non-disclosure agreement with an outsourcing vendor and trust them, but you must verify their compliance and prevent unauthorized data leaks.

The best story I had in years was in a meeting with the VP internal audit at a medium sized bank in Israel. He took a sales call with me and I pitched our extrusion prevention technology from Fidelis Security Systems as a way to protect their customer data. He said – look Danny, we don’t need technology – we’ve outsourced everything to a very large bank and their data center security is world-class. Two weeks later, the big bank had a serious data breach event (a high school student hacked into the internal network of the bank from a public Windows-based kiosk and helped himself to some customer lists. Two months later, the small bank was reported to be looking to get out of their outsourcing contract. Don’t rely on contracts alone – use people and DLP technology to detect data leakage.

Step #6 – Do annual security awareness training but keep it short and sweet

Awareness is great but like Andy Grove said – “A little fear in the workplace is not necassarily a bad thing”. Have everyone read, understand and sign a 1 page procedure for information security. Forget interview projects and expensive self-assessment systems – what salesman in his right mind will take time to fill out one of those forms – if he doesn’t update his accounts on salesforce.com? Install an extrusion detection system at the network perimeter. Prosecute violators in real time. Do random spot checks on the read-and-understand procedure. Give demerits to the supervisors and managers if their employees don’t pass the spot check.

Step #7 – Calculate valuate at risk of your top 5 data assets

ISO 27001 and PCI DSS 1.1 checklists are great starting points but they focus on whether a particular technology, policy or control has been implemented, and not whether these controls are cost-effective security countermeasures against internal and external attackers. Use Practical Threat Analysis with a PTA risk library for ISO 27001 or PCI DSS 1.1 and you will be able to build a cost-effective risk mitigation plan based on asset values, threat probabilities and estimated damage levels.

Step #8 – Ask your vendors and colleagues difficult questions

After you’ve done a practical threat analysis of your risk exposure to attacks on sensitive customer data and IP you will be in better position than ever to know what policies, procedures and technologies are the most effective security controlss. You’ll be in an excellent position to ask difficult questions and negotiate terms with your favorite vendor. While the attitude of many companies is to hold data protection protections close to their chests, it is valuable to talk to your colleagues at other companies in the same market and get a sense of what they have done and how well the controls perform.

Step #9 – Resist the temptation to do a customer data integration (CDI) project.

Customer data is often stored in many applications and locations in a large organization. The knee-jerk reaction of IT is to do a big data integration project and get all the digital assets under one roof. There are three reasons why this is a terrible idea. (a) Most of these projects fail, overrun and never deliver promised value (b) If you do suceed in getting all the data in one place, it’s like waving a huge red flag to attackers – heah , come over here – we have a lot of sensitive data that is nicely documented and easily accessible. Companies with enterprise software systems such as SAP and Oracle Applications are three times more likely to be attacked. (c) Ask yourself – would Google have succeeded if with global data integration strategy?

Step #10 – Prepare a business care for data loss prevention before evaluating products

Despite claims that protecting data assets is strategic to an enterprise, and IT governance talk about busines alignment and adding value – my experience is that most organizations will not do anything until they’ve had a fraud or data security event. The first step to protecting customer data and IP in any sized business from a individual proprietership to a 10,000 person global enterprise is laying the case at the door of the company’s management. This is where executives need to take a leadership position – starting with a clear position on which data assets are important and how much they’re worth to the company.

Practical threat analysis is a great way to identify and assess threats to your business and evaluate the potential business impact in dollars and cents to your operation using best-practice risk models provided by the PTA Professional threat modeling tool.

In summary

Software Associates specializes in helping medical device and healthcare software vendors achieve HIPAA compliance and protect customer assets and provides a full range of risk management services, from stopping fraud to ensuring regulatory compliance and enhancing your ability to serve your customers.

There are resources that help you turn information into insight such as   Risk Management from LexisNexis, Identity Fraud TrueID solutions from LexisNexis that help significantly reduce fraud losses and Background Checks from LexisNexis that deliver valuable insights that lead to smarter, more informed decisions and greater security for consumers, businesses and government agencies.For consumers, its an easy way to verify personal data, screen potential renters, nannies, doctors and other professionals, and discover any negative background information that could impact your employment eligibility. For businesses and government agencies, it is the foundation of due diligence. It provides the insight you need to reduce risk and improve profitability by helping you safeguard transactions, identify trustworthy customers and partners, hire qualified employees, or locate individuals for debt collections, law enforcement or other needs.

In April President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC) which charts a course for the public and private sectors to collaborate on raising the level of trust associated with identity in online transactions.

NSTIC focuses on upgrading outdated password-based authentication systems and reducing the barriers associated with identity proofing and deployment of strong credentials, while also enabling end-users to have more control over when and what information they disclose in a range of transactions.

Could someone please translate this for me?

How is giving an end-user more control over information disclosure is going to mitigate the risk of data breaches when over 300 million credit cards have already been breached?

What about online merchants vulnerabilities and better data security countermeasures for online Web services?

Will PCI DSS discover Data loss prevention technology anytime in the next decade?

Where  I come from, that’s called shutting the barn-door after the horses have flown.

In a recent PCI seminar I attended,  the speaker (who hails from the European PCI Security Council) claimed that most European businesses were in a very bad place in terms of their data security but that that the ultimate business objective is 100 percent compliance. I’ve heard similar pronouncements from industry analysts like Forrester.

This is problematic for a number of reasons, starting with the fact that it is impossible to be 100 percent compliant with this or any other standard. A business lives in a performance culture whereas regulators live in a compliance culture. Compliance does not contribute to improving business performance unless the compliance activity is used as an opportunity to improve product security and customer safety and reduce the cost of current security measures.  This is definitely the path you want to choose – forcing your compliance exercise into the same performance mold that your business values and not settling for less.

In a compliance culture

• I comply with the standard.
• I am told the standard. If I am not told, I don’t act.
• The standard is my objective.
• When I meet the standard, I am done.

In a performance culture

• My job is to take risks and deliver value by performing and executing ahead of expectations
• A standard is like a quota.  Something you want to exceed because next year it will be higher.
• Meeting a standard means little. I continuously improve.

Hackers recently attacked WellPoint, a health insurer which reportedly covers 34 million people. As a result of the breach, the company notified 470,000 individual customers that confidential information, including medical records and credit card numbers, may have been compromised. It’s imperative that consumers actively protect their information (sic), because cyber-criminals have accessed at least 358,400,000 records belonging to U.S. citizens over the past five years. [From: CBS News]

I recommend treating passwords like  cash, but give me a break. If over 350 million credit card records have been breached, then active protection measures are useless since your credit card is already disclosed.

Together with gems of  security naiveté in the American press,  we can add another round of US-European political infighting over who has a bigger schlong.

The Solvency II European insurance supervision directive is “not as comprehensive and transparent” as US regulation, according to New York’s state insurance regulator. Jim Wrynn, superintendent of the New York State Insurance Department, also criticised efforts by stakeholders in the process of the European regulatory overhaul to deny equivalence status to the US while its state-based regulation remains in place…Wrynn was critical of (the Solvency II) approach, and described the current US model as “a well-tested and comprehensive regime”. [From: risk.net]

I suppose that AIG and Wellpoint don’t count.

• Bloatware/system resource consumption – if you’re concerned with anti-virus system resource usage, imagine layering another 100MB of software, another 20MB of data security rules and loads of network traffic for management just for the luxury of getting a good deal from Symantec on a piece of integrated software that IT doesn’t know how to manage anyhow.
• Software vulnerabilities – if you have issues with the anti-virus – you don’t want them affecting your data flows via the DLP agent. Imagine a user uninstalling  the anti-virus and impacting the DLP agent.
• Diversity – the strong anti-virus products have weak DLP agents – which means that the advantage of a single management platform is spurious. Having strong anti-virus software on your Windows PCs from a vendor like McAfee complements having strong data loss prevention from a company like Verdasys.
• Not a good fit for the organization – IT manage the Anti-virus,   Security manage the data security and never the twain shall meet.

Last September, Forrester did a seminar in Amsterdam on data security – only 10% of the CTOs/CIOs that attended the meeting had plans to implement DLP in 2010.

The Europeans have a point – but, policies and procedures are only as good as the monitoring and enforcement behind them. This is where DLP comes into play- collecting data in several realms – data channels, content and organizational anomalies (downloads, uploads etc…).

In addition – there is a strong and well-known link between the social health of employees in an organization and the company’s economic/business health.  In a successful business unit – people are happy, and happy people contribute to the success of the business.   Unhappy people don’t identify, have problems contributing and leave or cross the line to malicious behavior.

For my money (and this is my experience in a dozen DLP deployments in EMEA) – the key value add of DLP technology is not the prevention part but the monitoring part and it’s role in a feedback / educational loop with the organization.

If you only do one thing this year – you should start measuring data security events and using those measurements to improve your policies, procedures and systems – and user education.

How do I assign a dollar value to an assets?…should I use the  purchase value of the asset, replacement value or expected damage to the company if the asset were stolen or exploited?

Estimating asset value is without doubt the most frequent question we get when it comes to calculating data security risk in monetary terms. There are several practical guidelines for measuring information assets value:

• Use the right metric – a common mistake made by marketeers who work for data security vendors is to estimate the cost of a data security breach as the number of records multiplied by some plug number.  The cost of a data security breach to a company is not the same as the cost of a customer data record breach to a customer.  A customer may not even know that her credit card number is breached (considering that 250 million credit card numbers have been stolen in the past few years – it is a reasonable assumption that your credit card number is known to someone who stole – but your cost is zero, isn’t it?
• Ask an expert – usually the CFO. The expert can and should provide confidence intervals for his estimate. The CFO is the best source and best equipped to decide if replacement value, purchase value/depreciated or opportunity cost is the relevant metric to measure the value of an asset. It’s ok, if your CFO says that company IP is worth $50 million with a confidence level of 85%.  If you do a practical  threat modeling exercise, you will be able to test sensitivity of your threat model to the confidence boundaries.
• Use test equipment. For example – If the cost of acquiring a customer is $50, you can write a sql query to find out how many customers you have and then multiply by $50. Looking at the Fixed assets and GL modules is an example of using test equipment.  If you have to measure the number of credit cards in clear text circulating on your network – I suggest  network surveillance.
• Use random sampling from a population of asset value estimators. The Rule of Five says that there is a 93% chance that the median of a population is between the smallest and largest values in any random sample of the population.   So – if you have to estimate value of a digital asset like intellectual property – you can ask five people for their estimate – for example, the CFO, the CTO, a customer, your VP marketing and a software developer who worked for one of your competitors.
• Measure in small increments and be prepared to iterate. In other words – when you do a threat model exercise, take small steps -  measure 5-10 asset values and move on from there. Most of the information value is gained at the beginning of a measurement exercise and most companies measure things that have zero information value to the business because they are easy to measure (for example – how ssh password attacks were made on company web servers) instead of the important things – like what is the value of a field service engineer diagnostic database that is distributed to notebook computers.

Leading up to the Al Quaeda attack on the US in 9/11, the FBI investigated, the CIA analyzed but no one bothered to discuss the impact of Saudis learning to fly but not land airplanes.

Dissonance in organizations is often resolved  by building separate silos of roles and responsibilities.

However, it is impossible to take wise decisions on risk management in the business when the risk intelligence is in separate silos.

We help protect customer data and intellectual property from fraud and breaches of confidentiality.  We’re always looking for interesting projects – call or text me at  +972 54 447 1114 at  any time.

Identiwall  for secure online transactions

Target market - online banking, online insurance

Product status: Leading product in Israel for online banking strong identification, authentication, anti-phishing, strong session security. Currently, over 1 million end users

Unique features

• No end user client software or hardware device required
• Minimal changes to Web application, hooks into ISAPI layer or Apache module
• Separate security server, not exposed to Web application server vulnerabilities
• Session risk management which is maintained external to server side session, i.e. Cannot be corrupted or attacked. It examines navigation patterns – can detect an automated attack pattern within a short time frame, or URL hacking, session hijacking, where the attacker goes directly to a particular URL, bypassing the normal application navigation performing content inspection in order to detect and stop phishing

Identiwall-VPN

Target market: Existing VPN users who rely on Radius authentication and/or tokens and want to improve security and reduce costs

Product status – production product

Unique features

• Strong 2 factor authentication
• Replacement for RSA/Checkpoint tokens
• Cheaper, more flexible, without requiring hardware devices

Identiwall-Dynamic security

Target market-Companies with large number of employees on multiple office building floors, multi-building campus

Product status – production product developed for Israeli defense clients. Currently in use by institutions in US and Europe, clients like Fortis.

Product brief

Integrates and correlates physical and logical security. Detects multiple user logins from multiple physical locations at same time, logins of employees who have left the building. Used to detect inside jobs. For example – installed in HQ of a company with 1200 employees. Security officer established a threshold to purchase if the system would detect at least 2 events/day – the system detected an average of 37 security events/day in the first week

Unique features

• Can detect inactive Pcs and automatically shut them down for big energy savings
• Can detect movement of RFI-tagged laptops
• Automated FBI: forensics based investigation on event discovery. Backtracks through logs, logins/logouts/failed logins. Aggregates access rights in order to detect users who are working in collusion.

]]> http://www.software.co.il/2009/10/preventing-inside-jobs-with-dynamic-security/feed/ 0