As you may have read recently, Cybercrime is now costing the UK $43.5 billion and around $1 trillion globally.

Sponsored by security and compliance auditing vendor nCircle, the Webinar pitch didn’t cite any sources for the $1 trillion number nor the $43.5 billion number.

A little googling revealed the UK government report UK Cyber crime costs UKP 27BN/year. Published on the BBC’s website, the report offers a top-level breakdown of the costs of cybercrime to Britain using a fairly detailed scheme of classification and models. Regardless of how badly UK businesses are hit by cybercrime, there are several extremely weak points in the work done by Detica for the UK government.

a) First  - they don’t have any empirical data on actual cybercrime events.

Given the number of variables and lack of ‘official’ data, our methodology uses a scenario- based approach.

Which is a nice way of saying

the UK government gave us some money to do a study so we put together a fancy model, put our fingers in the air and picked a number.

b) Second – reading through the report, there is a great deal of information relating to fraud of all kinds, including Stuxnet which has nothing to do with the UK cyber crime space. Stuxnet does not seem to have put much of a dent in the Iranian nuclear weapons program although, it has given the American President even more time to hem and haw about Iranian nuclear threats.

What this tells me is that Stuxnet  has become a wakeup call for politicians to the malware threat that has existed for several years. This may be a good thing.

c) Third – the UK study did not interview a single CEO in any of the sectors they covered. This is shoddy research work, no matter how well packaged. I do not know a single CEO and CFO that cannot quantify their potential damage due to cyber crime – given a practical threat model and coached by an expert not a marketing person.

So – who pays the cost of cyber crime?

The consumer (just ask your friends, you’ll get plenty of empirical data).

Retail companies that have a credit card breach incur costs of management attention, legal and PR which can always to leveraged into marketing activities. This is rarely reported in the balance sheet as extraordinary expenses so one may assume that it is part of the cost of doing business.

Tech companies that have an IP breach is a different story and I’ve spoken about that at length on the blog. I believe that small to mid size companies are the hardest hit contrary to the claims made in the UK government study.

I would not venture a guess on total global cost of cyber crime without empirical data.

What gives me confidence that the 1 Trillion number is questionable is that it just happens to be the same number that President Obama and other leaders have used for the cost of IP theft – one could easily blame an Obama staffer for not doing her homework….

If one takes a parallel look at the world of software piracy and product counterfeiting, one sees a similar phenomenon where political and commercial organizations like the OECD and Microsoft have marketing agendas and axes to grind leading to number inflation.

I have written on the problems associated with guessing and rounding up in the area of counterfeiting here  and software piracy.

Getting back to cyber crime, using counterfeiting as a paradigm, one sees clearly that the consumer bears the brunt of the damage – whether it’s having her identity stolen and having to spend the next 6 months rebuilding her life or whether you crash on a mountain bike with fake parts and get killed.

If consumers bear the brunt of the damage, what is the best way to improve consumer data security and safety?

Certainly – not by hyping the numbers of the damage of cyber crime to big business and government. That doesn’t help the consumer.

Then – considering that rapid rollout of new and even sexier consumer devices like the iPad 2, probably not by security awareness campaigns. When one buys an iPhone or iPad, one assumes that the security is built in.

My most practical and cheapest countermeasure to cyber crime (and I will distinctly separate civilian crime from terror ) would be education starting in first grade. Just like they told you how to cross the street, we should be educating our children on open, critical thinking and not talking to strangers anywhere, not on the street and not on FB.

Regarding cyber terror – I have written at length how the Obama administration is clueless on cyber terror

One would hope that in defense of liberty – the Americans and their allies will soon implement more offensive and more creative measures against Islamic and Iranian sponsored cyber terror than stock answers like installing host based intrusion detection on DoD PCs

Wikileaks gives a leaker immediate visibility to her/his message. Once Wikileaks publishes the data, it’s  highly visible due to the tremendous conventional media interest in Wikileaks.  I doubt that PFC Manning, if he had a blog somewhere in the long tail of the Internet, would have made such an immediate impact.

Unlike Wikileaks, data theft of intellectual property or credit card data is motivated by the economic gain. In the case of Wikileaks, the motivation is social or political.  With cheap removable storage devices, smart phones, tables, dropbox and wireless network connectivity “employees with personal agendas will be more likely to jeopardize their careers in order to make a passionate statement“.

Network  DLP is a poor security countermeasure against the Wikileaks class of data breach. Network DLP can network-intercept but not analyze obfuscated data (encryption, embedded screenshots, steganography) and is blind to removable media and smart phones. The best technical countermeasure against a leak must be at the point of data use. First described in a 1983 DOD study called “The Trusted Computer System Evaluation Criteria” (TCSEC)  a user end point needs to be “instrumented” in order to identify and intercept content and mitigate threats before they can occur. This requires identification of the trusted user, appropriate content interception and analysis and the ability to tie the results into actionable forensics. Detecting data loss at the end point, is notably Verdasys’s key strength.

However – there are a few  points in the article that need to be addressed:

Insider theft of sensitive data is not new. WikiLeaks is just the latest outlet for the disaffected individual to be amplified in our interconnected world… WikiLeaks is merely the latest enabler of the populist-driven “Robin Hood” syndrome.

I don’t subscribe to the notion that data theft has always been an issue.   20 years ago, we had industrial espionage of trade secrets or national espionage of defense secrets – not the widespread data leaks we see today.  Conditions in 2011 are different then they were in the 80s when my father worked at TRW Defense and Space Systems in Redondo Beach.  Data breaches are driven by motive, means and opportunity – motive: under 30 something people have a sense of entitlement – they have a Blackberry, a nice car, a nice girlfriend, good standard of living, a 250K college education and a sense that they can do whatever they want without paying the price..  means – mobile and removable devices, Web services… opportunity – a leaker is in positions of access. Given the right stimulus (hating Obama,  despising Hilary, liking a bribe from Der Spiegel) they will get to the data, leave their ethics at the door and do the deed. Calling the phenomena “Robin Hood” is too gracious.

Trade secret and IP theft is projected to double again by 2017 with 2008 losses reaching one trillion dollars!

The $1 Trillion number for the financial losses due to IP theft  was mentioned in a McAfee press release (they took  the item off their web site…) and later quoted by President Obama’s in his talk on “aggressively protecting intellectual property”.

Since the 1 trillion number is  the cornerstone of both vendor and political argumentation for protecting IP, the number bears closer scrutiny. We will see that the $1 trillion number is no more than a love for round numbers, not unlike Gordon Browns love for round numbers “Bring 1,000 troops home for Christmas”.

Referring to Bessen and Maurer “Patent  Failure” and other research articles, the empirical data shows a different picture. Global patents held by US firms as of 1999 was $122BN in 1992 dollars.  Even if that number tripled in 20 years that means that the total IP value is 360BN so it’s impossible that 1 Trillion was “lost”.  I will discuss what loss of IP actually means in a moment.

Examining firm level data, we see that worldwide value of patent stocks is only about 1% of market value.   Note that the majority of this value is owned by a small number of large pharmaceutical companies.   Then, we have to net out litigation and IP legal costs from the net patent rents (the above-normal returns) that a company earns from it’s IP.

And to provide a sanity check on how disproportionate the 1 Trillion dollar IP loss number really is, consider that at  GSK (and their numbers are consistent with the other big innovative pharmas) – cost of sales is 26% of expenses, marketing – 31% and R&D 15%.  Now we know 2 things: (a) that the big pharmas account for most of the IP and (b) most of their money is in sales and marketing. If 10 big pharmas with a total of 100BN operating profit had lost a Trillion dollars, they would all be bankrupt by now,  but they are all alive and kicking and selling us everything from Viagra to Remicade.

What does the loss of intellectual property actually mean?  After all, it’s not like losing cash.

In a threat analysis I did for a NASDAQ traded firm with significant IP – I determined together with the CFO and the board that their exposure to IP leakage was about 1% of their market cap – they understood that you cannot “lose” IP – but when it’s leaked it goes to a competitor who may gain a time to market advantage – and that advantage is only temporary.   At another public firm where I did a threat analysis using the same methodology, the CEO and board determined that the exposure to IP theft was negligible since the competitors needed 12-18 months to implement stolen IP and since the firm was operating on a 12 month product release cycle, they were ahead of the competition who were using stolen IP.  In other words – it’s better to innovate than to steal and try to re-implement.  This is particularly true in the software industry where the cost of implementation is far higher than the time and cost to develop the algorithm.

Reading Bill’s article, one would naturally ask, given the magnitude of the problem and the effectiveness of Verdasys technology, why doesn’t every company in the world deploy end point DLP like they deploy a firewall.  I think that the answer lies in the actual magnitude of the financial impact of data leakage.   The State department cables Wikileaks disclosure may or may not have been orchestrated by the Obama administration itself – but arguably, no economic damage and no tangible damage was incurred to the US political image or image of it’s allies.  If  real damage had been done to the US, then Hilary would be keeping Jonathan Pollard company.

I think that Verdasys and other DLP vendors miss one of the key strengths of data loss detection/prevention technology: real time feedback to an organizations users, and the deterrent value.   As Andy Grove once wrote – “a little fear in the workplace is not necessarily a bad thing“.

With increasing consumerization of IT, entitled employees will have even more means at their disposal and even more blurring of business boundaries by sexy personal devices.

What is a company to do?  That leaves us with good management and a corporate culture with employee values of competitiveness that drives value that drives rewards both intangible and tangible for the employee.  If it’s just about the money – then an iPhone is worth a lot more than a $500 bonus but engendering a sense of being involved and influencing the business at all levels – even if it’s just a kind word once a day – will be worth 100 fold that number and go a long way towards mitigating the vulnerability of employee entitlement.

I’d like to conclude with a call to the marketeers at McAfee, Symantec, IBM, Oracle, Websense, Fidelis, Checkpoint and Verdasys. Let’s shift the DLP marketing focus from large federal customers and banks and explain to small to medium sized enterprises how DLP technologies can protect the value of their implementation techniques and intellectual property.

For a 10 man vaccine startup the secret is in the recipe, not in the patents.  For a SME with IP – it’s not the IP licensing value, it’s difference between life and death.  And death trumps money any day of the week.

You can download the paper “Protecting Against WikiLeaks Events and the Insider Threat” on the Verdasys Web site.

Sex – despite the huge volume of content in the digital and print media, is one of those phenomena that demonstrate an inverse relationship between substance and talk.    The more talk, chances are, the less substance actually going on. The less talk, the higher a probability that something serious is really going on between you and your partner.  When things are cooking for you and your wife/girl friend  you don’t have time to be writing about it on your blog. When things are rough,  you will probably be a bit shy about going into detail on Facebook.  But it’s a lot easier to talk about other people, who’s hot and who’s not.

Just like data security and global terror.  It’s a lot easier to talk about the Middle East and ignore what’s happening in your own backyard.   It’s like  ”other peoples money” – something you can spend without worrying too much.

Using this metaphor, the data security industry is like sex.   Lots of talk and press releases about data breaches, plenty of marketing communications written by clueless communications majors just out of school working for Symantec and Mcafee and recycling of Gartner reports ad nauseum.  But – a lot less in the vulnerability and risk mitigation department and generally low levels of willingness to talk about security failures in an organization or what really works.

Since this is part of the human chemistry – I don’t imagine this will change in the near future but for sure we will have a lot of fun, just like great sex.

I think we’re ignoring the emotional content of security and I don’t necessarily mean FUD (fear uncertainty and doubt).

Perhaps it’s time to reconstruct market boundaries of the security industry.

At the beginning, there was the notion of “selling security with FUD“, starting with anti-virus and peaking in the early 90s with the outbreak of RPC worms on Wall Street. It was pretty easy to sell security with FUD tactics. Then we had 9/11.   You couldn’t frighten people anymore.   Security FUD doesn’t work when the customer thinks he might be killed by an Al Qaeda or Hamas or Fatah terrorist.

Then there was the “selling security as an enabler” play, sponsored by Gartner, ISACA and a bunch of other people.  This sort of made sense – but the number of real use cases where security actually enables new business (VPN, secure ecommerce sites) is rather limited and besides, the big IT vendors can build (or at least purport to build) security into their products. Educating customers on “security as a business enabler“ is a wonderful example of how market education  pays off at the beginning of a new product life-cycle launch, but low or no benefits at all when the product has mainstreamed into general market acceptance and everyone is selling and buying.

A good example of a product that mainstreamed extremely quickly is the Apple iPad,  Now after CES  we have dozens of mobile tablets, Android tablets, Windows Mobile tablets, Ubuntu tablets alternatives of all shapes, sizes and qualities. No one is questioning that a tablet is a great thing – Apple already did the market education for the other vendors.

Market education of  CEOs to the business  advantages of data security is like motherhood and apple pie, it’s a good thing. Similar to the tablet PC case, however, this sort of market education has zero or low ROI – because the CEO has already decided to buy or not buy security based on what someone else said – whether its’ Perot Outsourcing services, IBM, Oracle or his golf-partner.

Consultants explaining to a CEO that security is a business enabler are selling the same security coolade as Oracle, IBM, ISACA and SAP. The only problem is that a security  consultant doesn’t sell a product, but bolt-on/after sale services – and generally doesn’t get compensated for his deep security insights over coffee.

Let’s note that the information security industry is an industry like most other industries:

• They define their industry similarly, focusing on being the best.
• They look at accepted strategic groups of buyer and market segments, for example CSOs and firewalls
• They focus on the same buyer groups – e.g influencers (security officers, CIOs, analysts and thought leaders)
• They define the scope of products similarly- data security, firewalls, DLP, software security assessments etc..
• They focus on the same point in time and current competitive threats in formulating strategy; now it’s cloud, last year was DLP etc…

But there is one factor we are missing and that is emotion:

Does the security industry accept the functional/emotional orientation of their buyers?

I’m not sure.  And that – will be the topic for the next post

Malicious Attack on the message

The beauty of  HTTP Web Services is that traffic flows through port 80 and port 443 and it uses a human-readable format (XML or JSON). This is also the key vulnerability.  A typical IT / system administration approach that relies on protecting Web service providers with a firewall/IPS setup is not very effective.  We will explain why.

Firewalls do a good job of port monitoring and recognizing brute force malicious attack but are not good at being able to view the content of messages in order to detect and prevent more sophisticated security compromises. While most firewalls can recognize SOAP as well-formed HTTP traffic they cannot inspect the actual content of the SOAP message or JSON data. Web Services interfaces are much more complex than Web site interfaces which exchange HTML pages and forms. Web service interfaces are like software API’s and expose database functionality. In addition, an attacker has more information available to them. The message is often self-describing and clearly shows the data elements.

A Web service provider is a juicy, self-describing target.

Replay Attack
Similar to Denial of Service, replay attacks involve copying valid messages and repeatedly sending them to a service. Similar techniques for detecting and handling Denial of Service can be applied towards replay attacks. In some ways, replay attacks are easier to detect with Web Services because payload information is more readily available. With the right tools, patterns can be detected more easily even if the same or similar payload is being sent across multiple mediums like HTTP, HTTPS, SMTP, etc.

Buffer Overflow
An attacker can send a parameter that is longer than the program can handle, causing the service to crash or for the system to execute undesired code supplied by the attacker. A typical method of attack is to send an overly long request, for instance, a password with many more characters than expected. Similar to buffer overflow attacks; hackers often send malformed content to produce a similar effect. Sending in strings such as quotes, open parentheses and wildcards can often confuse a Web Service interface.

Dictionary Attack
Dictionary attacks are common where a hacker may either manually or programmatically guess passwords to gain entry into the system. Administrators should ensure that passwords are difficult to guess and are changed often.

Intrusion Detection of attacks by malicious outsiders
Proactively securing all of the possible misuses of Web Services is almost impossible. Security policies and strict access control management should help reduce the occurrence of intrusion. An IPS will detect anomalous attack behavior and if monitored may help the security team mitigate the threat.

Extrusion detection of attacks by trusted insiders
Attackers are usually thought to be outside of the organization. However, most security breaches occur from within the organization. With Web Services, more functionality is available to a more people. Access to confidential information or embezzlement of funds is just some of the possible internal security breaches that can be performed by employees or former employees. Because employees are the most familiar with internal systems, detection can be made extremely difficult. Unintentional compromises are also possible. If an interface is unsecured, an employee may accidentally access information that they are not intended to view. Since Firewalls are insufficient for data breach, we would require use of a DLP –  Data loss  prevention system such as Fidelis XPS or WebSense DLP.

Threat containment
Once a security breach is detected, being able to shut down systems and reject traffic from specific sources are important for handling a compromise.  A DLP system provides real-time detection, forensics recording and  the ability to drop traffic from specific IP source addresses in order to properly mitigate the threat.

As one of the pioneers in the DLP space (data loss prevention) and an active data security consultant in the field since 2003 – I am not surprised when civilians like the authors of the article and the current US administration claim discovery of America, once they discover that the emperor is naked.  Of course there is an insider threat and of course it is immune to anti-virus and firewalls and of course the US Federal government is way behind the curve on data security – installing host based security which was state of the art 7 years ago.

My Dad, who worked in the US and Israeli Defense industry for over 50 years is a PhD in systems science. He asked me how it happened that Wikileaks was able to hack into the US State Department cables.  I explained that this was not an external attack but a trusted insider leaking information because of a bribe or anger at Obama or Clinton or a combination of the 4 factors. My Dad just couldn’t get it.   I said look – you know that there is a sense of entitlement with people who are 20-30 something, that permits them to cross almost any line.  My Dad couldn’t get that either and I doubt that the US Federal bureaucrats are in a better place of understanding the problem.

Data leakage by trusted insiders is a complex phenomenon and without doubt, soft data security countermeasures like accepted usage policies have their place alongside hard core content interception technologies like Data loss prevention.  As Andy Grove once said – “a little fear in the workplace is not a bad thing”. The  set of data security countermeasures adopted and implemented must be a good fit to the organization culture, operation and network topology.

BUT, most of all – and this is of supreme importance – it is crucial for the head of the management pyramid to be personally committed by example and leadership to data protection.

The second key success factor is measuring the damage in financial terms. It can be argued that the Wikileaks disclosures via a trusted insider did little substantive damage to the US government and it’s allies and opponents alike. If anything – there is ample evidence that the disclosure has helped to clear the air of some of the urban legends surrounding US foreign policy – like the Israelis and the Palestinians being key to Middle East peace when in fact it is clear beyond doubt that the Iranians and Saudi financing are the key threats that need to be mitigated, not a handful of Israelis building homes in Judea and Samaria.

As an afternote to my comments on the SCIAM article, consider that after the discovery of America, almost 300 years went by before Jefferson and the founding fathers wrote the Declaration of Independence.   I would therefore expect that in the compressed 10:1 time of Internet years, it will be 30 years before organizations like the US government get their hands around the trusted insider threat.

On security and compliance

It’s impossible to ignore the fact that compliance (like it or not) is a driver for companies to invest in improving their software and data security past running a firewalls and anti-virus. While compliance drives companies into taking action, do compliance activities actually result in implementing and sustaining strong data security  management and technology countermeasures?  We will see that the answer is generally no.

There is plethora of compliance regulations. There is regulation for  Privacy(HIPAA/HHS), for Children: (Children’s Online Privacy Protection Act (COPPA) for Credit Card holders: (FCRA), for merchants (PCI DSS), for Public entities (Sarbanes-Oxley), for Insurance (State laws) , for Securities trading (SEC), for Telecom (New York State Public Service Commission rulings) and many many more.

Looking at the wide variety of regulations and standards we can see that compliance really comes in only 3 flavors:

1. Governance regulation such as HIPAA and SOX.  Government compliance regulation is focussed on customer protection and requires a top down risk analysis process.
2. Industry compliance regulation such as PCI DSS that focuses on protecting the card association supply chain, doesn’t require risk analysis and mandates a fixed control set (if you think that best-practice security control sets are a good idea, then stop and consider the abysmal failure of the Maginot line in WWII and the Bar Lev line in the Yom Kippur war in 1973).
3. Vendor-neutral standards such as ISO 27001 that focuses on data and system protection, doesn’t require risk analysis nor consider asset values although it does provide what is arguable the most comprehensive set of controls.

Well-meaning as the regulators may be, there are two fundamental flaws in the security-by-compliance model:

1. You can comply without being secure and use compliance as a fig-leaf for lack of data security
2. You can invest in software and data security without being compliant

…We don’t invest in data loss prevention technology because it’s a criminal offense when one of our employee breaches critical filings. We feel the legal deterrent is sufficient.
IT Manager – Securities and Exchange Commission in a Middle East country

Privacy regulation trends in the US and Europe

Government-regulated privacy-protection of information is a natural response rooted in the field of telecommunications, since countries either own the telecom business outright or tightly regulate their industry. This has largely led to a view of electronic privacy as an issue of citizen rights versus state legislation and monopoly.

In the information age, privacy has two dimensions – intrusion and data breach:

• Protection against intrusion by unwanted information or criminals; similar to the constitutional protection to be secure in one’s home.
• Protection against data breach by controlling information flows about an individual’s or a business’s activities; for example preventing identify theft or protecting a company’s trade secrets.

Regulation has moved in two major directions–centralized general protection and decentralized ad-hoc protection. The EEC (European Economic Community ) has pursued the former, and passed comprehensive data protection laws with coordination on information collection and data flows. The United States, in contrast, has dealt with issues on a case-by-case basis (health-care, credit cards, corporate governance etc…) resulting in a variety of ad hoc federal and state legislation.

A synthesis of the European and the American approaches is to formulate a set of broad rules for vertical industry. This was the direction taken by the New York Public Service Commission on the issue of telecommunications privacy. However, U.S. privacy legislation remains considerably less strict than European law in the regulation of private databases. Two Representatives in the House Select Committee on Homeland Security are calling for a Privacy Czar. The Privacy Czar would be responsible for privacy policies throughout the federal government as well as ensuring private technology does not erode public privacy.

“Right now, there’s no one at home at the White House when it comes to privacy. There’s no political official in the White House who has privacy in their title or as part of their job description. Congress should take the lead here because this administration has not,” says Peter Swire, an Ohio State University law professor and former chief privacy officer in the Clinton administration in an interview with Wired back in 2006 – and in the Obama administration has anything changed?
(http://www.wired.com/news/privacy/0,1848,63542,00.html )

Horizontal applications

Sarbanes Oxley: enforcing corporate governance

The Sarbanes-Oxley Act (SOX) has had a major impact on US corporate governance SOX was a response to the accounting scandals and senior management excesses at some public companies in recent years. It requires compliance with a comprehensive reform of accounting procedures for public corporations to promote and improve the quality and transparency of financial reporting by both internal and external independent auditors. SOX regulation is enforced by the Public Company Accounting Oversight Board (“the Board”).

SOX Section 404 – “Management Assessment Of Internal Controls ” is indirectly relevant to data breach. It requires an “internal control” report in the annual report which states management responsibility and assesses effectiveness of internal controls. Companies are also required to disclose whether they have adopted a code of ethics for senior financial officers and the contents of that code.

SOX Section 409 – “Real Time Disclosure” implies that a significant data breach event be disclosed on “a rapid and current basis”. SOX also increases the penalties for mail and wire fraud increased from 5 to 10 years and creates a crime for tampering with a record or otherwise impeding any official proceeding.

HSS/HIPAA: enforcing patient privacy

Each time a patient sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of their confidential health information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) gave Congress 3 years to pass health privacy legislation. In May 2003 – the HHS (Dept of Health and Human services implemented federal protections for the privacy of individual health information under the Privacy Rule, pursuant to HIPAA. Because of limitations of HIPPA, the rule is far from seamless and will require a lot more work in the US Congress by both parties to ensure privacy of personal health information.

My conclusion on all of this is:

• SOX has been a strong driver for sales of  IT  products and services, but it’s totally unclear that the billions spent by corporate America on compliance has actually done much to improve customer protection.

Vertical Industries

Securities: Did we leave the cat guarding the cream?

Annette L. Nazareth, market regulation director at the U.S. Securities and Exchange Commission, outlined proposals at a securities industry conference in New York on May 21 calling for stock exchanges, as the Associated Press put it, “to abide by most of the requirements they set for companies they list.”
(http://www.sec.gov./news/speech/spch052104aln.htm )

Wow.

Insurance Industry: Federal versus free market

October 2003, witnesses before the Senate Commerce committee testified regarding insurance industry regulations. The committee analyzed the current US system, which relies on state law, and examined proposals for improving industry regulation. One of the central issues was whether or not the federal government should play a larger role in insurance industry regulation. Also discussed was the need to provide protection for consumers without forcing unnecessary regulations on insurance companies. Some senators expressed concerns about high insurance rates.

Conclusion

If you’re a vendor of IT products and services, it has become increasingly difficult to sell security with rising complexity of attacks and countermeasures and decision makers who find it difficult to understand what works and what doesn’t.

What will happen to the B2C security industry is hard to say. Perhaps the Intel McAfee acquisition is a sign of things to come where security becomes a  B2B  industry  like safety manufacturers for the aerospace and automotive industries.

Until security becomes built-into the cloud, my best suggestion for a business is don’t leave your ethics at home and don’t wait for the government to tell you what you learned from your parents at age 5 – put your toys away and don’t steal from the other kids.

1. Run Ubuntu
2. Get your services in the cloud
3. Practice safe computing.

Run Ubuntu on desktops and operate production and development servers in the cloud (at slicehost.com – I don’t mind giving them the free publicity because they deserve it).  Don’t install anti-virus on any of your machines.   Your  servers will be regularly attacked by various pieces of automated software anyhow, but because you will  shut down unnecessary  services and  ports and update all the time – you won’t have unscheduled downtime.   Use strong passwords and change them on an irregular basis and you will be more secure than most.

Practice safe computing:

a) Don’t go to malware-infested sites and b) never insert a foreign USB into one of the machines  and c) patch regularly

What about anti-virus?

I really don’t understand all the hoopla about anti-virus,    If it’s a personal computer (PC) and you trashed it – what difference does it make if you took your eyes off your notebook on an airport conveyor belt and it got ripped off or didn’t bother to practice safe surfing and got attacked by Conficker?

Maybe the time has come for people to think about their PCs like people think about cash.

If you carry it around you have to protect it. If you lose cash – you can only blame yourself. If you got your pocket picked in the big city – you can only blame yourself.

The CEO of a client (a specialty brokerage with  about 100 employees) told me a few years ago that his security policy goes like this:

We have invested a lot of money in providing our employees with state of the art information technology. Your personal workstations have all the applications you need.   If you download software – you are fired.

Next – we’ll be buying metal helmets so that the CIA won’t be able to read our minds.

The central guideline is the EU Data Protection Directive – and reading the law, we begin to get an answer to our dilemma.

First – there are fundamental differences in approach between the US ( an industry-centric regulatory/sectoral approach) and the EU (a personal, privacy-centric approach). The US love technology solutions and the Europeans prefer policy, procedure and discipline.

Second –  the current round of DLP technologies (mostly US developed and highly tuned to the US regulatory environment) may not always be a good fit for an EU-based company.

A perusal of the law shows that current  DLP technologies have marginal added value to the 6 out of the 7 OECD requirements ( Notice, Purpose, Consent,Disclosure, Access and Accountability).

• Notice—data subjects should be given notice when their data is being collected;
• Purpose—data should only be used for the purpose stated and not for any other purposes;
• Consent—data should not be disclosed without the data subject’s consent;
• Security—collected data should be kept secure from any potential abuses;
• Disclosure—data subjects should be informed as to who is collecting their data;
• Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
• Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principle

The security requirement is the sweet spot for DLP, but with the exception of Fidelis XPS and Mcafee Reconnex, most DLP products focus on data leaving the organizational network and not data being abused inside the organizational network.  (There are solid technology reasons behind this which are beyond the scope of this post).  In addition, note that the Mcafee  reseller channel  knows how to sell anti-virus products while Fidelis is focussed selling network DLP to the US defense market – suggesting that there may be also be channel constraints to distribution of DLP products in Europe.

However, the key challenges to DLP technology adoption in Europe are at the management level – and they are three-fold:

Lack of a “DLP strategy”.   This is out of my personal experience in Central Europe and also based on data from a seminar run by the Forrester group in Amsterdam last year – where 90% of the CTO’s who participated said they had no plans to implement DLP in 2010. With the current economic environment, weakening of the Euro and drop in IT funding – I am not seeing any change of direction.  Conversations with security product distributors in France and Germany confirms that the EU market is still focussed on firewall/IPS and anti-virus.

Lack of business justification. If you don’t monitor outbound traffic then you don’t know if you have issues.  Since EU Privacy virtually prohibits monitoring outbound traffic of employees then by definition, European companies do not  know if they have issues.

The challenge of global implementations. There are few DLP implementations that span multiple, geographically diverse network domains.    One case  I am familiar with is GSK (Glaxo, Smith Kline).  Verdasys and Fidelis cut a deal with the CIO of GSK  in Boston for a global DLP deployment of Verdasys agent + Fidelis XLPS  gateway solutions and to the best of my knowledge – the European implementation is stalled.   There are numerous reasons why a global IT implementation will stall; all of which are exacerbated by data security and compliance issues:  Consider the challenges of budget, organizational politics, local regulation, local management culture, local legal opinions, local IT suppliers, local IT outsourcing services: any one issue can be a barrier to a local implementation of head-office sanctioned CIO-office designed project.

In summary – instead of looking for global or Pan-European solutions, perhaps we would be better served by viewing DLP as a Swiss army knife, highly suited for particular applications and local requirements.   More about that in an upcoming post.

Enhance device security
Protect embedded devices against existing and unknown zero-day threats via malware (such as worms, viruses, Trojans and buffer-overflow threats, etc.). Because many embedded devices such as ATMs and kiosks have a large attack area, they face increased security vulnerabilities. McAfee Embedded Security ensures that the device—when in production and in the field—is secure and cannot be compromised.

The Mcafee product is clearly aimed at embedded Windows devices – which are unfortunately over 1/2 of embedded medical devices since a good many software developers come from IT backgrounds and don’t have the cojones to deal with Linux let alone embedded Linux on small footprint hardware.  Some of the collateral makes a lot of sense while other parts seem like typical security vendor marcom   –  like the part about assuring HIPAA compliance with tamper free logs. When you have a hammer, everything looks like a nail as I noted in my post last year on the true cost of HIPAA privacy violations

The product feels like a commercialization of a project that their professional services group did for a particular customer. The discussion about supporting integration of multi vendor channels sort of  smells like an Intel aphorism and while it might serve Intel, multi-vendor channel integration may be  the exception rather than the rule in the medical device space,  since most medical device vendors are  small specialized business units or startups intent on preserving their own IP.