Tag Archives: Microsoft

The economics of software piracy

One year ago this time was World Cup season and Mondial fever put a lot of regional conflicts on the back burner for a month – not to mention put a dent in a lot of family budgets (husbands buying the latest 60 inch Sony Bravia and wives on retail therapy while the guys are watching football)

It is ironic that the FIFA 2010 World cup computer game doesn’t run on Ubuntu.  It would have been a huge marketing coup and poetic justice if the game software was released for Ubuntu in a GPL license.

This got me thinking about open source licensing and it’s advantages for developing countries, which really got my hackles up  after reading the Seventh Annual BSA and IDC Global Software Piracy Study – that screams:  Software Theft Remains Significant Issue Around the World

The rate of global software piracy climbed to 43 percent in 2009. This increase was fueled in large part by expanding PC sales in fast-growing, high-piracy countries and increasing sales to consumers — two market segments that traditionally have higher incidents of software theft. In 2009, for every $100 worth of legitimate software sold, an additional $75 worth of unlicensed software made its way onto the market. There was some progress in 2009 — software rates actually dropped in almost half of the countries examined in this year’s study.

Given the global recession, the software piracy picture could have taken a dramatic turn for the worse. But progress is being outstripped by the overall increases in piracy globally — and highlights the need for governments, law enforcement and industry to work together to address this vital economic issue.
Below are key findings from this year’s study:

  • Commercial value of software theft exceeds $50 billion: the commercial value of unlicensed software put into the market in 2009 totalled $51.4 billion.
  • Progress on piracy held through the recession: the rate of PC software piracy dropped in nearly half (49%) of the 111 economies studied, remained the same in 34% and rose in 17%.
  • Piracy continues to rise on a global basis: the worldwide piracy rate increased from 41% in 2008 to 43% in 2009; largely a result of exponential growth in the PC and software markets in higher piracy, fast growing markets such as Brazil, India and China.

I would not take the numbers IDC and BSA bring at face value. The IDC/BSA estimates are guesses multiplied several times. They start off by assuming that each unit of copied software represents a direct loss of sale for software vendor – patently a false assertion.

If it were true, then the demand for software would be independent of price and perfectly inelastic.

A drop in price usually results in an increase in the quantity demanded by consumers. That’s called price elasticity of demand. The demand for a product becomes inelastic when the demand doesn’t change with price. A product with no competing alternative is generally inelastic. Demand for a unique antibiotic, for example is highly inelastic. A patient will pay any price to buy the only drug that will kill their infection.

If software demand was perfectly inelastic, then everyone would pay in order to avoid the BSA enforcement tax. The rate of software piracy would be 0. Since piracy rate is non-zero, that proves that the original assertion is false. (Argument courtesy of the Wikipedia article on price elasticity of demand )

Back when I ran Bynet Software Systems – we were the first Microsoft Back Office/Windows NT distributor in Israel. I had just left Intel – where we had negotiated a deal with Microsoft that allowed every employee to make a copy of MS Office for home usage. Back in 1997 – after the Windows NT launch, the demand for NT was almost totally inelastic – Not There, Nice Try, WNT is VMS + 1 etc. We could not give the stuff away in the first year. Customers were telling us that they would never leave Novell Netware. Never. But, NT got better from release to release and the big Microsoft marketing machine got behind the product. After two years of struggle and selling retail boxes and MLP for NT, demand picked up. Realizing that there IS price elasticity of demand for software – Microsoft dropped retail packaging and moved to OEM licensing, initially distributing OEM licenses via their two tier distribution channel and later totally cutting out the channel and dealing directly with the computer vendors like HP, Dell and IBM for OEM licenses of NT, XP and 2000, 2003 etc. Vista continued with this marketing strategy and most Vista sales were not retail boxes but pre-installed hardware. After Windows 7 released – users have been upgrading en-masse, proving once again the elasticity of demand for a good product.

Microsoft (who are a major stakeholder in BSA) probably don’t have a major piracy problem with operating system sales. Let’s run some numbers. In 2008 –  Microsoft Windows Vista sales were at about a 9 million unit/quarter run rate. Microsoft June 2008 quarterly revenue was $15.8 BN. Single unit OEM pricing for a Windows operating system  is about $80 and in a volume deal – maybe $20. Let’s assume an average of $50/OEM license. This means that the operating system  accounts for about 50*3*9/15800 = 8.5% of Microsoft revenue.

The BSA Global Piracy Study states that the “median piracy rate in is down one percentage point from last year” – 1 percent of 8.5 percent is meaningless for Microsoft – in dollar terms – BSA work to reduce piracy is less meaningful than a 7 percent drop in the US Dollar rate in 2009.

Microsoft might have a problem with their cash cow – Microsoft Office. Microsoft Office 2007 retails for $450 but is available in an academic license for less than $100. Open Office 2.4 runs just fine on Windows 7 and XP and retails for $0. At those prices, sizable numbers of users are just sliding down the elasticity curve – calling into serious question the IDC/BSA statistics on software piracy.

But there is more to software piracy than providing software at a reasonable price. In poor areas of the world – assuming that the BSA efforts at combating software piracy are successful – only the very rich would have access to applications like Microsoft Office. The middle and lower class people won’t have the opportunity to become MS Office-literate because the prices would be too high. For that I only have three words –download Open Office – the free and open productivity suite.

Finally – I can only anonymously quote a senior Microsoft executive who told me a number of years ago that off the record, Microsoft didn’t mind people copying the software and using a crack because it was a good way of introducing new users to the technology and inducing them to buy the new, improved and supported release a year or two later.

Tell your friends and colleagues about us. Thanks!
Share this

Medical device security in a hospital network

Medical devices are everywhere today.  In your doctors office measuring your blood pressure, at your cosmetician (for hip reduction…) and in the hospital for everything from patient monitoring to robot-assisted surgery.

The people that develop embedded medical devices based on Intel platforms know that Windows is vulnerable.

Lacking embedded Linux know-how, medical device developers often end up adopting Windows and Visual Studio as a default. Using Windows is a security-blanket for developers who grew up in the Microsoft Windows monoculture and are scared of the Linux command line.

But – make no mistake using Windows in networked embedded medical devices is a mistake.
This is big mistake #1.

The top 2 threats to a medical device are software defects and software updates.
Consider the implications of updating patient monitoring devices in a hospital with an infected USB stick or an infected Windows notebook.

In product development (and medical device are  no exception),  the support and version update process  is often something  left for the end of the project. At that point, when the product manager asks how are we going to update the software in the field – the hands raise in favor of  USB memory stick updates as an “interim” solution.

It is crucial to use threat analysis on systems of networked medical devices in order to arrive at the right, cost-effective countermeasures (apropos the management challenge of large number of VLANS…). Threat analysis must be an integral part of the SDLC (software development life cycle) – done early in the process and validated from time to time whenever there are significant design, configuration or environmental changes.

Threat analysis enables a medical device vendor and the hospital security team to have an objective discussion on balancing the need to protect the hospital network asset with protecting the availability of the medical device  itself and concomitantly – the safety of patients that are dependent on the device – patient monitoring is the first example that comes to mind.

Unfortunately many device vendors and their hospital customers use a system management model based on Microsoft Windows and business IT management practices. This is big mistake #2.

Medical device vendors need to assess their software security and not assume that an embedded medical device running Windows XP   is no different from any other Windows PC on the network running Office 2007.

To use an analogy from the world of real time embedded systems – consider avionics as key to safety of the pilot and success of the mission. Avionics are not managed like a network of Windows PCs and neither should medical devices on the hospital network.

A medical device in a hospital network – whether it monitors patients, assists in surgery or analyzes EEGs – is an embedded device in a extremely heterogeneous and hostile environment that should simply not be vulnerable to Microsoft Windows malware.

Embedded medical devices should be based in embedded Linux – and not a stock version of Red Hat – but rather built ground up from the latest Linux kernel, with the minimum set of services and software (Qtk etc…) needed to run the application.  The software update process should be part of the design – not something bolted on after the implementation.

Developing for embedded Linux is not copy and paste from Windows. It requires expertise to setup the basic infrastructure.  But – once that infrastructure is up, the medical device developer and it’s hospital customer can be confident that they are standing on a secure platform and not a house of glass built on a foundation of sand.

Tell your friends and colleagues about us. Thanks!
Share this

Cyber crime costs over $1 trillion

A pitch from Alex Whitson from SC TV for a Webinar on the LinkedIn Information Security Community piqued my attention with the following teaser:

As you may have read recently, Cybercrime is now costing the UK $43.5 billion and around $1 trillion globally.

Sponsored by security and compliance auditing vendor nCircle, the Webinar pitch didn’t cite any sources for the $1 trillion number nor the $43.5 billion number.

A little googling revealed the UK government report UK Cyber crime costs UKP 27BN/year. Published on the BBC’s website, the report offers a top-level breakdown of the costs of cybercrime to Britain using a fairly detailed scheme of classification and models. Regardless of how badly UK businesses are hit by cybercrime, there are several extremely weak points in the work done by Detica for the UK government.

a) First  – they don’t have any empirical data on actual cybercrime events.

Given the number of variables and lack of ‘official’ data, our methodology uses a scenario- based approach.

Which is a nice way of saying

the UK government gave us some money to do a study so we put together a fancy model, put our fingers in the air and picked a number.

b) Second – reading through the report, there is a great deal of information relating to fraud of all kinds, including Stuxnet which has nothing to do with the UK cyber crime space. Stuxnet does not seem to have put much of a dent in the Iranian nuclear weapons program although, it has given the American President even more time to hem and haw about Iranian nuclear threats.

What this tells me is that Stuxnet  has become a wakeup call for politicians to the malware threat that has existed for several years. This may be a good thing.

c) Third – the UK study did not interview a single CEO in any of the sectors they covered. This is shoddy research work, no matter how well packaged. I do not know a single CEO and CFO that cannot quantify their potential damage due to cyber crime – given a practical threat model and coached by an expert not a marketing person.

So – who pays the cost of cyber crime?

The consumer (just ask your friends, you’ll get plenty of empirical data).

Retail companies that have a credit card breach incur costs of management attention, legal and PR which can always to leveraged into marketing activities. This is rarely reported in the balance sheet as extraordinary expenses so one may assume that it is part of the cost of doing business.

Tech companies that have an IP breach is a different story and I’ve spoken about that at length on the blog. I believe that small to mid size companies are the hardest hit contrary to the claims made in the UK government study.

I would not venture a guess on total global cost of cyber crime without empirical data.

What gives me confidence that the 1 Trillion number is questionable is that it just happens to be the same number that President Obama and other leaders have used for the cost of IP theft – one could easily blame an Obama staffer for not doing her homework….

If one takes a parallel look at the world of software piracy and product counterfeiting, one sees a similar phenomenon where political and commercial organizations like the OECD and Microsoft have marketing agendas and axes to grind leading to number inflation.

I have written on the problems associated with guessing and rounding up in the area of counterfeiting here  and software piracy.

Getting back to cyber crime, using counterfeiting as a paradigm, one sees clearly that the consumer bears the brunt of the damage – whether it’s having her identity stolen and having to spend the next 6 months rebuilding her life or whether you crash on a mountain bike with fake parts and get killed.

If consumers bear the brunt of the damage, what is the best way to improve consumer data security and safety?

Certainly – not by hyping the numbers of the damage of cyber crime to big business and government. That doesn’t help the consumer.

Then – considering that rapid rollout of new and even sexier consumer devices like the iPad 2, probably not by security awareness campaigns. When one buys an iPhone or iPad, one assumes that the security is built in.

My most practical and cheapest countermeasure to cyber crime (and I will distinctly separate civilian crime from terror ) would be education starting in first grade. Just like they told you how to cross the street, we should be educating our children on open, critical thinking and not talking to strangers anywhere, not on the street and not on FB.

Regarding cyber terror – I have written at length how the Obama administration is clueless on cyber terror

One would hope that in defense of liberty – the Americans and their allies will soon implement more offensive and more creative measures against Islamic and Iranian sponsored cyber terror than stock answers like installing host based intrusion detection on DoD PCs

Tell your friends and colleagues about us. Thanks!
Share this

ניהול אבטחת מידע בענן – על תבונה ורגישות

ניהול אבטחת מידע בענן – על תבונה ורגישות

,ממשל נתונים הוא דרישה הכרחית להגנה על נתונים כשעוברים למחשוב בענן. קביעת מדיניות ממשל נתונים היא בעלת חשיבות מיוחדת במודל העבודה של מחשוב ענן שמבוסס על אספקת שירותים בתשלום ליחידת צריכה, בניגוד למודל המסורתי של מערכות מידע המבוסס על התקנה, שילוב מערכות ותפעול מוצרים.

יחד עם ההיצע הגדל של פתרונות מחשוב ענן זולים ובעלי ביצועים גבוהים, ישנו צורך חיוני לארגונים לנסח ולהסדיר את מדיניות ממשל הנתונים שלהם. ממשל נתונים פירושו הגדרת הבעלות על הנתונים, השליטה בגישה לנתונים, עד כמה ניתן לעקוב אחר הנתונים וציות לרגולציות, כמו למשל נתוני חולים (הגנה על מידע רפואי אישי כפי שמוגדרת בתקנות של משרד הבריאות האמריקאי).

כדי לבנות אסטרטגיית ממשל נתונים יעילה לענן, יש לענות על עשר השאלות הבאות – תוך חיפוש האיזון המתאים בין הגיון פשוט לדרישות אבטחת הנתונים:

1. מהם הנתונים היקרים ביותר בארגון? כמה כסף הם שווים?

2. כיצד מאוחסנים נתונים אלה – שרתי קבצים, שרתי מסד נתונים, מערכות ניהול מסמכים?

3. כיצד יש לנהל ולאבטח את הנתונים?

4. למי צריכה להיות גישה לנתונים?

5. למי בפועל יש גישה לנתונים?

6. מתי הייתה הפעם האחרונה שנבחנה מדיניות אבטחת המידע / הצפנה?

7. מה המתכנתים בארגון יודעים על אבטחת מידע בענן?

8. למי יש אפשרות לשנות או לטפל בנתונים? (כולל שותפים עסקיים וקבלנים)

9. במקרה של דליפה למקור בלתי מוסמך, מהו הנזק הכלכלי שיגרם לארגון?

10. במקרה של פריצה, תוך כמה זמן יאותר אירוע אובדן הנתונים?

בהקשר של ממשל נתונים בענן, רבים שואלים מה סוג הנתונים שיש לשמור בתשתית IT מקומית?”.

התשובה המוכנה והמובנת מאליה היא שמידע רגיש צריך להישמר באחסון מקומי.

למרות זאת, יתכן ועדיף לאחסן דווקא מידע רגיש מחוץ לכותלי המשרדים במקום לספק גישה מקומית לעובדים וקבלנים.

השימוש בשירותי תשתית מחשוב בענן לאחסון נתונים רגישים יכול למעשה להקטין את מרחב האיומים לאיומים במקום להגדיל אותו, ולהעניק לארגון יותר שליטה על ידי מרכוז וסטדנדרטיזציה של אחסון נתונים כחלק מאסטרטגיית ממשל נתונים מקיף.

בנוסף ניתן לשאת ולתתבחוזה מסחריעל הרכב אמצעי שליטה יעילים במסגרת חוזה מסחרי עם ספקי שירותי מחשוב ענן, מה שלא ניתן לעשות בקלות מול עובדים בארגון.

השאלה השנייה שחוזרת על עצמה לגבי אסטרטגיית ממשל נתונים בענן היא כיצד ניתן להגן על נתונים בלתי מובנים מפני פריצות?”.

באופן ברור, התשובה תלויה בארגון עצמו ומערכות הוכנה שלו.

למרות שאנליסטים כמו גרטנר טוענים שיותר מ– 80% ממידע הארגוני מאוחסן בקבצים כמו מיקרוסופט אופיס, הנתון הזה תלוי באופן טבעי בתחום העיסוק של הארגון. ספקי שרות אוגרים מרבית המידע שלהם במסדי נתוניםת ולא בקבצי אקסל.

 

אם בכלל, מרחב האיומים על מסדי נתונים גדל הרבה יותר מהר מהגידול הטבעי בקבצי אופיס. ספקי שירותים בתחום הטלקום והסלולר מחזיקים כמויות עצומות של מידע במסדיי נתונים מובנים (רשומות שיחה, רשומות שירותים ללקוח וכו‘). ככל שסמארטפונים, אנדרואיד, מחשבי לוח והתקני מחשוב ניידים יהיו נפוצים יותר, כך יגדל חלקם של הנתונים המובנים בספקי השירות למיניהם בענן. בתחום הבריאות, בעידן שכל הרשומות רפואיות אלקטרוניות, גדל עוד יותר כמות המידע הרגיש במסדי נתונים כגון אוראקל.

נוסף על כך, השימוש בטכנולוגיית מאגרי מידע גסון המתחברת ישירות ליישומי אינטרנט (נמצא בשימוש רחב בפייסבוק), גדל במהירות עצומה. שימו לב במיוחד לקאוצדיבי שיש מעל עשרה מיליון התקנות לאחר פחות משנתיים בשטח! מאגרי כאלה כאלה עלולים להיות חשופים להתקפות חדירה מסורתיות שמנצלות נקודות תורפה בזמן בנייה והרצת שאילתות.

לסיכום, כשניגשים לבנות אסטרטגיית ממשל נתונים לענן יש להתחשב בכל הנקודות שהוצגו כאן ולהתחיל על ידי מענה לעשר שאלות המפתח לאבטחת נתונים במחשוב ענן.


Tell your friends and colleagues about us. Thanks!
Share this

Wikileaks and data theft

A colleague of mine, Bill Munroe, is VP Marketing at Verdasys, the first of the agent DLP vendors and the most established of  the independent pure play DLP technology companies. (No. I do not have a business relationship with Verdasys).  Bill has written a paper entitled “Protecting against Wikileaks events and the trusted insider threat” . The paper brings a number of important insights regarding the massive data breach of State Department cables and why Wikileaks is different.

Wikileaks gives a leaker immediate visibility to her/his message. Once Wikileaks publishes the data, it’s  highly visible due to the tremendous conventional media interest in Wikileaks.  I doubt that PFC Manning, if he had a blog somewhere in the long tail of the Internet, would have made such an immediate impact.

Unlike Wikileaks, data theft of intellectual property or credit card data is motivated by the economic gain. In the case of Wikileaks, the motivation is social or political.  With cheap removable storage devices, smart phones, tables, dropbox and wireless network connectivity “employees with personal agendas will be more likely to jeopardize their careers in order to make a passionate statement“.

Network  DLP is a poor security countermeasure against the Wikileaks class of data breach. Network DLP can network-intercept but not analyze obfuscated data (encryption, embedded screenshots, steganography) and is blind to removable media and smart phones. The best technical countermeasure against a leak must be at the point of data use. First described in a 1983 DOD study called “The Trusted Computer System Evaluation Criteria” (TCSEC)  a user end point needs to be “instrumented” in order to identify and intercept content and mitigate threats before they can occur. This requires identification of the trusted user, appropriate content interception and analysis and the ability to tie the results into actionable forensics. Detecting data loss at the end point, is notably Verdasys’s key strength.

However – there are a few  points in the article that need to be addressed:

Insider theft of sensitive data is not new. WikiLeaks is just the latest outlet for the disaffected individual to be amplified in our interconnected world… WikiLeaks is merely the latest enabler of the populist-driven “Robin Hood” syndrome.

I don’t subscribe to the notion that data theft has always been an issue.   20 years ago, we had industrial espionage of trade secrets or national espionage of defense secrets – not the widespread data leaks we see today.  Conditions in 2011 are different then they were in the 80s when my father worked at TRW Defense and Space Systems in Redondo Beach.  Data breaches are driven by motive, means and opportunity – motive: under 30 something people have a sense of entitlement – they have a Blackberry, a nice car, a nice girlfriend, good standard of living, a 250K college education and a sense that they can do whatever they want without paying the price..  means – mobile and removable devices, Web services… opportunity – a leaker is in positions of access. Given the right stimulus (hating Obama,  despising Hilary, liking a bribe from Der Spiegel) they will get to the data, leave their ethics at the door and do the deed. Calling the phenomena “Robin Hood” is too gracious.

Trade secret and IP theft is projected to double again by 2017 with 2008 losses reaching one trillion dollars!

The $1 Trillion number for the financial losses due to IP theft  was mentioned in a McAfee press release (they took  the item off their web site…) and later quoted by President Obama’s in his talk on “aggressively protecting intellectual property”.

Since the 1 trillion number is  the cornerstone of both vendor and political argumentation for protecting IP, the number bears closer scrutiny. We will see that the $1 trillion number is no more than a love for round numbers, not unlike Gordon Browns love for round numbers “Bring 1,000 troops home for Christmas”.

Referring to Bessen and Maurer “Patent  Failure” and other research articles, the empirical data shows a different picture. Global patents held by US firms as of 1999 was $122BN in 1992 dollars.  Even if that number tripled in 20 years that means that the total IP value is 360BN so it’s impossible that 1 Trillion was “lost”.  I will discuss what loss of IP actually means in a moment.

Examining firm level data, we see that worldwide value of patent stocks is only about 1% of market value.   Note that the majority of this value is owned by a small number of large pharmaceutical companies.   Then, we have to net out litigation and IP legal costs from the net patent rents (the above-normal returns) that a company earns from it’s IP.

And to provide a sanity check on how disproportionate the 1 Trillion dollar IP loss number really is, consider that at  GSK (and their numbers are consistent with the other big innovative pharmas) – cost of sales is 26% of expenses, marketing – 31% and R&D 15%.  Now we know 2 things: (a) that the big pharmas account for most of the IP and (b) most of their money is in sales and marketing. If 10 big pharmas with a total of 100BN operating profit had lost a Trillion dollars, they would all be bankrupt by now,  but they are all alive and kicking and selling us everything from Viagra to Remicade.

What does the loss of intellectual property actually mean?  After all, it’s not like losing cash.

In a threat analysis I did for a NASDAQ traded firm with significant IP – I determined together with the CFO and the board that their exposure to IP leakage was about 1% of their market cap – they understood that you cannot “lose” IP – but when it’s leaked it goes to a competitor who may gain a time to market advantage – and that advantage is only temporary.   At another public firm where I did a threat analysis using the same methodology, the CEO and board determined that the exposure to IP theft was negligible since the competitors needed 12-18 months to implement stolen IP and since the firm was operating on a 12 month product release cycle, they were ahead of the competition who were using stolen IP.  In other words – it’s better to innovate than to steal and try to re-implement.  This is particularly true in the software industry where the cost of implementation is far higher than the time and cost to develop the algorithm.

Reading Bill’s article, one would naturally ask, given the magnitude of the problem and the effectiveness of Verdasys technology, why doesn’t every company in the world deploy end point DLP like they deploy a firewall.  I think that the answer lies in the actual magnitude of the financial impact of data leakage.   The State department cables Wikileaks disclosure may or may not have been orchestrated by the Obama administration itself – but arguably, no economic damage and no tangible damage was incurred to the US political image or image of it’s allies.  If  real damage had been done to the US, then Hilary would be keeping Jonathan Pollard company.

I think that Verdasys and other DLP vendors miss one of the key strengths of data loss detection/prevention technology: real time feedback to an organizations users, and the deterrent value.   As Andy Grove once wrote – “a little fear in the workplace is not necessarily a bad thing“.

With increasing consumerization of IT, entitled employees will have even more means at their disposal and even more blurring of business boundaries by sexy personal devices.

What is a company to do?  That leaves us with good management and a corporate culture with employee values of competitiveness that drives value that drives rewards both intangible and tangible for the employee.  If it’s just about the money – then an iPhone is worth a lot more than a $500 bonus but engendering a sense of being involved and influencing the business at all levels – even if it’s just a kind word once a day – will be worth 100 fold that number and go a long way towards mitigating the vulnerability of employee entitlement.

I’d like to conclude with a call to the marketeers at McAfee, Symantec, IBM, Oracle, Websense, Fidelis, Checkpoint and Verdasys. Let’s shift the DLP marketing focus from large federal customers and banks and explain to small to medium sized enterprises how DLP technologies can protect the value of their implementation techniques and intellectual property.

For a 10 man vaccine startup the secret is in the recipe, not in the patents.  For a SME with IP – it’s not the IP licensing value, it’s difference between life and death.  And death trumps money any day of the week.

You can download the paper “Protecting Against WikiLeaks Events and the Insider Threat” on the Verdasys Web site.

Tell your friends and colleagues about us. Thanks!
Share this

Why data security is like sex

We all think about sex – men (most of the time), women (some of time) and teenagers (all the time).

Sex – despite the huge volume of content in the digital and print media, is one of those phenomena that demonstrate an inverse relationship between substance and talk.    The more talk, chances are, the less substance actually going on. The less talk, the higher a probability that something serious is really going on between you and your partner.  When things are cooking for you and your wife/girl friend  you don’t have time to be writing about it on your blog. When things are rough,  you will probably be a bit shy about going into detail on Facebook.  But it’s a lot easier to talk about other people, who’s hot and who’s not.

Just like data security and global terror.  It’s a lot easier to talk about the Middle East and ignore what’s happening in your own backyard.   It’s like  “other peoples money” – something you can spend without worrying too much.

Using this metaphor, the data security industry is like sex.   Lots of talk and press releases about data breaches, plenty of marketing communications written by clueless communications majors just out of school working for Symantec and Mcafee and recycling of Gartner reports ad nauseum.  But – a lot less in the vulnerability and risk mitigation department and generally low levels of willingness to talk about security failures in an organization or what really works.

Since this is part of the human chemistry – I don’t imagine this will change in the near future but for sure we will have a lot of fun, just like great sex.

Tell your friends and colleagues about us. Thanks!
Share this

The emotional content of security

I think in the security space, we spend too much time on the business justification and functional part of security (reducing risk, detection data breach violations, complying with HIPAA,  writing secure Web 2.0 applications, securing cloud services, security information management etc…).

I think we’re ignoring the emotional content of security and I don’t necessarily mean FUD (fear uncertainty and doubt).

Perhaps it’s time to reconstruct market boundaries of the security industry.

At the beginning, there was the notion of “selling security with FUD“, starting with anti-virus and peaking in the early 90s with the outbreak of RPC worms on Wall Street. It was pretty easy to sell security with FUD tactics. Then we had 9/11.   You couldn’t frighten people anymore.   Security FUD doesn’t work when the customer thinks he might be killed by an Al Qaeda or Hamas or Fatah terrorist.

Then there was the “selling security as an enabler” play, sponsored by Gartner, ISACA and a bunch of other people.  This sort of made sense – but the number of real use cases where security actually enables new business (VPN, secure ecommerce sites) is rather limited and besides, the big IT vendors can build (or at least purport to build) security into their products. Educating customers on “security as a business enabler” is a wonderful example of how market education  pays off at the beginning of a new product life-cycle launch, but low or no benefits at all when the product has mainstreamed into general market acceptance and everyone is selling and buying.

A good example of a product that mainstreamed extremely quickly is the Apple iPad,  Now after CES  we have dozens of mobile tablets, Android tablets, Windows Mobile tablets, Ubuntu tablets alternatives of all shapes, sizes and qualities. No one is questioning that a tablet is a great thing – Apple already did the market education for the other vendors.

Market education of  CEOs to the business  advantages of data security is like motherhood and apple pie, it’s a good thing. Similar to the tablet PC case, however, this sort of market education has zero or low ROI – because the CEO has already decided to buy or not buy security based on what someone else said – whether its’ Perot Outsourcing services, IBM, Oracle or his golf-partner.

Consultants explaining to a CEO that security is a business enabler are selling the same security coolade as Oracle, IBM, ISACA and SAP. The only problem is that a security  consultant doesn’t sell a product, but bolt-on/after sale services – and generally doesn’t get compensated for his deep security insights over coffee.

Let’s note that the information security industry is an industry like most other industries:

  • They define their industry similarly, focusing on being the best.
  • They look at accepted strategic groups of buyer and market segments, for example CSOs and firewalls
  • They focus on the same buyer groups – e.g influencers (security officers, CIOs, analysts and thought leaders)
  • They define the scope of products similarly- data security, firewalls, DLP, software security assessments etc..
  • They focus on the same point in time and current competitive threats in formulating strategy; now it’s cloud, last year was DLP etc…

But there is one factor we are missing and that is emotion:

Does the security industry accept the functional/emotional orientation of their buyers?

I’m not sure.  And that – will be the topic for the next post

Tell your friends and colleagues about us. Thanks!
Share this

Securing Web services in the cloud

Almost every SaaS (software as a service) is based on REST or XML Web services.  In this post, I’d like to provide a brief introduction to some typical threats and security countermeasures to protect Web services;

Malicious Attack on the message

The beauty of  HTTP Web Services is that traffic flows through port 80 and port 443 and it uses a human-readable format (XML or JSON). This is also the key vulnerability.  A typical IT / system administration approach that relies on protecting Web service providers with a firewall/IPS setup is not very effective.  We will explain why.

Firewalls do a good job of port monitoring and recognizing brute force malicious attack but are not good at being able to view the content of messages in order to detect and prevent more sophisticated security compromises. While most firewalls can recognize SOAP as well-formed HTTP traffic they cannot inspect the actual content of the SOAP message or JSON data. Web Services interfaces are much more complex than Web site interfaces which exchange HTML pages and forms. Web service interfaces are like software API’s and expose database functionality. In addition, an attacker has more information available to them. The message is often self-describing and clearly shows the data elements.

A Web service provider is a juicy, self-describing target.

Replay Attack
Similar to Denial of Service, replay attacks involve copying valid messages and repeatedly sending them to a service. Similar techniques for detecting and handling Denial of Service can be applied towards replay attacks. In some ways, replay attacks are easier to detect with Web Services because payload information is more readily available. With the right tools, patterns can be detected more easily even if the same or similar payload is being sent across multiple mediums like HTTP, HTTPS, SMTP, etc.

Buffer Overflow
An attacker can send a parameter that is longer than the program can handle, causing the service to crash or for the system to execute undesired code supplied by the attacker. A typical method of attack is to send an overly long request, for instance, a password with many more characters than expected. Similar to buffer overflow attacks; hackers often send malformed content to produce a similar effect. Sending in strings such as quotes, open parentheses and wildcards can often confuse a Web Service interface.

Dictionary Attack
Dictionary attacks are common where a hacker may either manually or programmatically guess passwords to gain entry into the system. Administrators should ensure that passwords are difficult to guess and are changed often.

Intrusion Detection of attacks by malicious outsiders
Proactively securing all of the possible misuses of Web Services is almost impossible. Security policies and strict access control management should help reduce the occurrence of intrusion. An IPS will detect anomalous attack behavior and if monitored may help the security team mitigate the threat.

Extrusion detection of attacks by trusted insiders
Attackers are usually thought to be outside of the organization. However, most security breaches occur from within the organization. With Web Services, more functionality is available to a more people. Access to confidential information or embezzlement of funds is just some of the possible internal security breaches that can be performed by employees or former employees. Because employees are the most familiar with internal systems, detection can be made extremely difficult. Unintentional compromises are also possible. If an interface is unsecured, an employee may accidentally access information that they are not intended to view. Since Firewalls are insufficient for data breach, we would require use of a DLP –  Data loss  prevention system such as Fidelis XPS or WebSense DLP.

Threat containment
Once a security breach is detected, being able to shut down systems and reject traffic from specific sources are important for handling a compromise.  A DLP system provides real-time detection, forensics recording and  the ability to drop traffic from specific IP source addresses in order to properly mitigate the threat.

Tell your friends and colleagues about us. Thanks!
Share this

Using DLP to protect your source code

Dec 10, 2010.

Sergey Aleynikov, a 40-year-old former Goldman Sachs programmer, was found guilty on Friday by a federal jury in Manhattan of stealing proprietary source code from the bank’s high-frequency trading platform. He was convicted on two counts — theft of trade secrets and transportation of stolen property — and faces up to 10 years in prison.

Mr. Aleynikov’s arrest in 2009 drew attention to a business that had been little known outside Wall Street — high-frequency trading, which uses complex computer algorithms to make lightning-fast trades to exploit tiny discrepancies in price. Such trading has become an increasingly important source of revenue for Wall Street firms and hedge funds, and those companies fiercely protect the code underpinning their trading strategies.

See full story on the Goldman Sachs source code theft incident

If you have proprietary algorithms, it can and may be happening to you. Consider three threat scenarios for software assets:

1. Source code  theft by employees

Source code theft by employees can be a major ethical issue that requires good management but also good detection. Designing, developing and deploying successful software is complex business, but unfortunately, most companies don’t know whether or not their source code is leaving their network with some proprietary algorithms. See the story about Chinese source code theft.

The stories of losing source code and having it posted on the Net are fairly common – remember  Windows NT source code and Mainsoft?.  We’ve found, from work with software developers, that many source code leaks are never reported. Frightengly, companies usually have no idea how the source code got out in the first place and call in consultants after the event to detect the origin of the leak .

In order to respond quickly to a suspected disclosure of company IP/source code, it’s crucial to be doing real time detection which is far more important than trying to prevent unauthorized disclosure altogether.

2. Source code leakage from outsourcing

In many cases,  source code leaks from a network run by an outsourcing service provider or from a team of outsourcing contractors connected via a VPN. However, if companies cannot detect problems in their own networks, they are unlikely to find them in others. The result is an outsourcing relationship built on a shaky foundation with no independent monitoring capability to enforce non-disclosure agreements.

This points at a wider problem for software developers everywhere. Whether you collaborate with a partner on development or outsource an entire project, you expose sensitive software and intellectual assets to people people with limited allegiance to your firm.

3. Misuse of Open Source software

This is probably worth an entire article in it’s own right but most developers today incorporate Free Open Source software into their projects. The Open Source license, if it’s GPL for example, may be infectious in the sense that if the GPL requires disclosure of sources, then incorporating GPL-licensed code into your project may require you to do the same (read about copy-left licenses).  In that case – you should start by establishing a policy for using Open Source licenses and monitor usage of Open Source code.

How can DLP (data loss prevention) help you protect your source code?

Data loss prevention (or in this case data loss detection) of software source code is based on three key concepts

  1. A direct approach – prevent valuable software assets from getting out, unlike indirect methods that focus on preventing unwanted users from getting in. Conventional IT security takes an indirect approach by focusing on controlling user and system  behavior through access control and authentication. This indirect method places a heavy burden on your security staff and does not scale well. It won’t get the job done.
  2. Real-time flow monitoring – of software assets over all channels. Since almost everything tunnels over http today, you have to worry about back-channels and not just email
  3. Network audit – DLP should be used in a detection capacity to detect upticks in unusual activity; for example unusually large FTP or SCP file transfers may be a pre-cursor of an employee getting ready to leave the company with large quantities of your source code and proprietary algorithms

When deploying DLP for source code protection, consider technical and  business requirements.

Technical requirements. Commercial DLP products include pre-built fingerprints for identifying C/C++C# source code.  A more substantial requirement  is that the DLP solution you choose should use network DLP technology that is bi-directional on all channels – two possible candidates are Websense DLP and Fidelis Security Systems XPS.

Business requirements start with management commitment to the project, and policy for use of Open Source code and use of code and non-disclosure by contractors.

And finally, a post like this would not be complete without the requisite 7 step checklist:

A 7 Step check list for source code protection for the information security team

  1. Acknowledge that black holes exist (for example: no policy for Open Source licensed code, unclear policy for use of company IP in contractor software development). Fix it by writing the appropriate policies and implementing them.
  2. Get your VP Technologies to agree and budget money.
  3. Identify your company’s business needs for source code protection. Some senior executives don’t care what you do – they only care about sleeping well at night. The more you know about their issues the easier it is to sell them. Don’t improvise.
  4. If you’re not using bi-directional network DLP today, call a DLP vendor on Wednesday and ask them to come into the office on Monday with a box.
  5. Give them one hour to set up on a production network segment. Try a few of your favorite cases; trap a webmail with some top-secret project keywords, fingerprint a SQL query from your data model, steal some C# source code from your own system and upload to github.com
  6. Allocate one day for a hands-on evaluation and have the vendor in a week later to discuss results.
  7. Be patient. Be prepared to refine the rules.

Using DLP technology to monitor movement of source code can be a rewarding exercise in terms of protecting company IP and reputation, however it is not a trivial task. Just remember:

It’s kinda fun to do the impossible

Walt Disney

Tell your friends and colleagues about us. Thanks!
Share this

Small business data security

Here are 7 steps to protecting your small business’s data and and intellectual property in 2011 in the era of the Obama Presidency and rising government regulation.

Some of these steps are about not drinking consultant coolade (like Step # 1- Do not be tempted into an expensive business process mapping project) and others are adopting best practices that work for big business (like Step #5 – Monitor your business partners)

Most of all, the 7 steps are about thinking through the threats and potential damage.

Step # 1- Do not be tempted into an expensive business process mapping exercise
Many consultants tell businesses that they must perform a detailed business process analysis and build data flow diagrams of data and business processes. This is an expensive task to execute and extremely difficult to maintain that can require large quantity of billable hours. That’s why they tell you to map data flows. The added value of knowing data flows between your business, your suppliers and customers is arguable. Just skip it.

Step #2 – Do not punch a compliance check list
There is no point in taking a non-value-added process and spending money on it just because the government tells you to. My maternal grandmother, who spoke fluent Yiddish would yell at us: ” grosse augen” (literally big eyes) when we would pile too much food on our plates. Yes, US publicly traded companies are subject to multiple regulations. Yes, retailers that  store and processes PII (personally identifiable data)  have to deal with PCI DSS 2.0, California State Privacy Law etc. But looking at all the corporate governance and compliance violations, it’s clear that government regulation has not made America more competitive nor better managed.  It’s more important for you to think about how much your business assets are worth and how you might get attacked than to punch a compliance check list.

Step #3 – Protecting your intellectual property doesn’t have to be expensive
If you have intellectual property, for example, proprietary mechanical designs in Autocad of machines that you build and maintain, schedule a 1 hour meeting with your accountant  and discuss how much the designs are worth to the business in dollars. In general, the value of any digital, reputational, physical or operational asset to your business can be established fairly quickly  in dollar terms by you and your accountant – in terms of replacement cost, impact on sales and operational costs.  If you store any of those designs on computers, you can get free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux. That way if there is a break-in and the computer is stolen, or if you lose your notebook on an airport conveyor belt, the data will be worthless to the thief.

Step #4 – Do not store Personally identifiable information or credit cards
I know it’s convenient to have the names, phone numbers and credit card numbers of customers but the absolutely worst thing you can do is to store that data. VISA has it right. Don’t store credit cards and magnetic strip data. It will not help you sell more anyway, you can use Paypal online or simply ask for the credit card at the cash register.  Get on Facebook and tell your customers how secure you are because you don’t store their personal data.

Step #5 – Don’t be afraid of your own employees, but do monitor your business partners
Despite the hype on trusted insiders, most data loss is from business partners. Write a non-disclosure agreement with your business partners and trust them, and audit their compliance at least once a year with a face-to-face interview.

Step #6 – Do annual security awareness training but keep it short and sweet
Awareness is great but like Andy Grove said – “A little fear in the workplace is not necassarily a bad thing”. Have your employees and contractors read, understand and sign a 1 page procedure for information security.

Step #7 – Don’t automatically buy whatever your IT consultant is selling
By now – you are getting into a security mindset.  Thinking about asset value, attacks and cost-effective security countermeasures like encryption. Download the free risk assessment software and get a feel for your value at risk.  After you’ve done some practical threat analysis of your business risk exposure you will be in an excellent position to talk with your IT consultant. While most companies don’t like to talk about data theft issues, we have found it invaluable to talk to colleagues in your market and get a sense of what they have done and how well the controls perform.

Tell your friends and colleagues about us. Thanks!
Share this