Tag Archives: Obama

Protecting your blackberry

Dealing with DLP and privacy

It’s a long hot summer here in the Middle East and with 2/3 of the office out on vacation, you have some time to reflect on data security. Or on the humidity. Or on a cold beer.

Maybe you are working on building a business case for DLP technology like Websense, Symantec, Verdasys, McAfee or Fidelis in your organization. Or maybe you already purchased DLP technology and you’re embroiled in turf wars that have brought your DLP implementation to a standstill because one of your colleagues claims that DLP raises employee privacy issues, and you’re trying to figure out how to get the project back on track after people get back from their work-and-play vacations in Estonia, where they brushed up on their hacking skills.

Unlike firewall/IPS, DLP is content-centric. It is technology that drives straight to the core of business asset protection and business process.  This frequently generates opposition from people who own business assets and manage business process. They may have legitimate concerns regarding the cost-effectiveness of DLP as a data security countermeasure.

But – people who oppose DLP on grounds of potential employee privacy violations might be selling sturm and drang to further a political agenda.   If you’re not sure about this – ask them what they’ve done recently to prevent cyber-stalking and sexual harassment in the workplace. 

For sure, there are countries such as France and Germany where any network or endpoint monitoring that touches employees is verboten or interdit as the case may be; but if you are in Israel, the US or the UK, you will want to read on.

What is DLP and what are the privacy concerns?

DLP (data loss prevention) is a solution for monitoring and preventing the leakage of sensitive outbound content, not for monitoring user activity at an endpoint. This is the primary mission. DLP is often a misnomer, since DLP is more often than not DLD (data loss detection), but whatever. Network DLP solutions intercept content from the network, and endpoint DLP agents intercept content by hooking into Windows operating system events. Most DLP vendors offer an integrated network DLP and endpoint DLP solution in order to control removable devices in addition to content leaving network egress points. A central command console analyzes the intercepted content, generates security events, visualizes them and stores forensics as part of generating actionable intelligence. Data that is not part of the DLP forensics package is discarded.

In other words, DLP is not about reading your employees’ email on their PCs. It’s about keeping the good stuff inside the company. If you want to mount surveillance on your users, you have plenty of other (far cheaper) options like browser history capture or key loggers. Your mileage will vary and this blog does not provide legal guidance, but technically it’s not a problem.

DLP rules and policies are content-centric not user-centric.

A DLP implementation will involve writing custom content signatures (for example to detect top-secret projects by keyword, IP or source code) or selecting canned content signatures from a library (for example credit cards). 

The signatures are then combined into a policy which maps to the company’s data governance policy – for example “Protect top-secret documents from leaking to the competition”. 

One often combines server endpoints and Web services to make a more specific policy like “Alert if top-secret documents from Sharepoint servers are not sent via encrypted channels to authorized server destinations”.

In 13 DLP installations in 3 countries, I never saw a policy that targeted a specific user endpoint. The reason is that it is far easier to pick up endpoint violations using DLP content detection than to whitelist and blacklist endpoints, which in a large organization with lots of wireless and mobile devices is an exercise in futility.
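To make the signature-then-policy construction above concrete, here is an added example of content-centric rule evaluation. It is illustrative code written for this page, not any DLP vendor’s engine: a canned credit-card signature (digit runs that pass the Luhn check) and a custom project-keyword signature are combined into policies, one of which mirrors the “top-secret documents from Sharepoint servers must go encrypted to authorized destinations” rule. Rules are scoped by source system and channel, never by user; the generated event keeps only the matched snippets as forensics and the rest of the payload is dropped. Host names, destination lists, the project code name and the sample transfers are all constructed.

```python
"""Content-centric DLP policy evaluation (added illustration, not any vendor's code)."""
import re
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Message:
    """One intercepted outbound transfer, as seen by network DLP at an egress point."""
    source: str         # originating server or host name (constructed)
    destination: str    # egress destination host (constructed)
    encrypted: bool     # whether the channel was encrypted (e.g. TLS)
    content: str        # intercepted payload; discarded once evaluated


@dataclass
class Event:
    """A security event: the policy hit plus only the matched snippets as forensics."""
    policy: str
    severity: str
    source: str
    destination: str
    forensics: List[str] = field(default_factory=list)


# ---- content signatures (the building blocks) --------------------------------

def luhn_valid(digits: str) -> bool:
    """Luhn check, so that random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators


def credit_card_signature(text: str) -> List[str]:
    """Canned PCI signature: digit runs of card length that pass the Luhn check."""
    return [m.group() for m in CARD_RE.finditer(text)
            if luhn_valid(re.sub(r"[ -]", "", m.group()))]


def keyword_signature(*keywords: str) -> Callable[[str], List[str]]:
    """Custom signature for top-secret project code names (case-insensitive)."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    return lambda text: [m.group() for m in pattern.finditer(text)]


# ---- policies (signatures mapped onto data-governance rules) -----------------

AUTHORIZED_DESTINATIONS = {"backup.corp.example", "dms.corp.example"}  # constructed


@dataclass
class Policy:
    name: str
    severity: str
    signature: Callable[[str], List[str]]
    # `applies` scopes the rule by source system (never by user); `allowed` names
    # the sanctioned channels. An event fires when the signature matches and the
    # transfer is not on an allowed channel.
    applies: Callable[[Message], bool] = lambda m: True
    allowed: Callable[[Message], bool] = lambda m: False


POLICIES = [
    Policy(
        name="Protect top-secret documents",
        severity="high",
        signature=keyword_signature("Project Nightjar", "NIGHTJAR"),  # constructed code name
        applies=lambda m: m.source.startswith("sharepoint"),
        allowed=lambda m: m.encrypted and m.destination in AUTHORIZED_DESTINATIONS,
    ),
    Policy(
        name="PCI cardholder data",
        severity="critical",
        signature=credit_card_signature,
    ),
]


def evaluate(messages: List[Message], policies: List[Policy]) -> List[Event]:
    """Run every policy over every intercepted message; keep only matched snippets."""
    events = []
    for m in messages:
        for p in policies:
            if not p.applies(m):
                continue
            hits = p.signature(m.content)
            if hits and not p.allowed(m):
                events.append(Event(p.name, p.severity, m.source, m.destination, hits))
    return events


SAMPLE_TRAFFIC = [  # constructed sample transfers, not real traffic
    Message("sharepoint01", "partner.example.net", False,
            "Q3 roadmap for PROJECT NIGHTJAR attached, please review."),
    Message("sharepoint01", "backup.corp.example", True,
            "Nightly export: Project Nightjar design docs."),
    Message("mail-gw", "mail.example.org", True,
            "Customer card 4111 1111 1111 1111 exp 12/27 for the refund."),
    Message("laptop-42", "news.example.org", True,
            "Order ref 1234 5678 9012 3456 was shipped."),  # fails Luhn: not a card
]


def run_sample() -> List[Event]:
    return evaluate(SAMPLE_TRAFFIC, POLICIES)


if __name__ == "__main__":
    for e in run_sample():
        print(f"[{e.severity}] {e.policy}: {e.source} -> {e.destination} {e.forensics}")
```

Only two of the four sample transfers produce events: the unencrypted Sharepoint export to a partner and the card number leaving through the mail gateway. The encrypted export to an authorized backup host matches the signature but is allowed by the policy, and the Luhn check keeps the order reference from being reported as cardholder data. Nothing in the policy refers to a person or a user endpoint, which is the point the post is making about privacy.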

We often hear privacy concerns from people who come from the traditional firewall/IPS world, but the firewall/IPS paradigm breaks when you have a lot of rules and endpoint IP addresses, which is why none of the firewall vendors like Check Point ever succeeded in selling the internal firewall concept.

Since DLP is part of the company data governance enforcement, it is commonly used as a tool to reinforce policy such as not posting company assets to Facebook. 

It is important to emphasize again that DLP is an alert generation and management technology, not a general purpose network traffic recording tool, which you can build for free using a NetOptics tap and Wireshark.

Any content interception technology can be abused in the wrong hands, or in the right hands with the wrong mission. Witness the NSA.

Making your data governance policy work for your employees

Many companies (Israeli companies in particular) don’t have a data governance policy, but if they do, it should cover the entire space of protecting employees in the workplace from cyber-threats.

An example of using DLP to protect employees is the set of threat scenarios of cyber-stalking, sexual harassment or drug trafficking in the workplace, where DLP can be used to quickly (as in real-time) create very specific content rules, which are then refined to include specific endpoints in order to collect forensics and catch offenders in real-time. Just like in CSI: New York.

In summary:

There are 3 key use cases for DLP in the context of privacy:

  1. Privacy compliance (for example PCI, HIPAA, US state and EU privacy laws) can be a trigger for installing DLP. This requires appropriate content rules keyed to identifying PHI or PII.
  2. Enforcement of your corporate  data governance and compliance policies where privacy is an ancillary concern.   This requires appropriate content rules for IP, suppliers and sensitive projects. So long as you do not target endpoints in your DLP rules, you will be generating security events and collecting forensics that do not infringe on employee privacy.   In some countries like France and Germany this may still be an issue.  Ask your lawyer.
  3. Employee workplace protection – DLP can be an outstanding tool for mitigating and investigating cyber threats in the workplace and at the very least a great tool for security awareness and education. Ask your lawyer.

If you liked this or better yet hated it,  contact  me.  I am a professional security analyst specializing in HIPAA compliance and medical device security and I’m based in Israel and always looking for interesting and challenging projects.

Idea for the post prompted by Ariel Evans.

Tell your friends and colleagues about us. Thanks!

Ehud Barak, information leaks and political activism

What do Anat Kamm, Ehud Barak and Meir Dagan have in common?

Ehud Barak is the current Israeli Minister of Defense, former IDF Chief of Staff and former Prime Minister who led the disastrous withdrawal from Lebanon that fomented Intifada II and then Lebanese War II. Barak is famous for quotes like “If I was a Palestinian, I would also be a suicide bomber” or “If I was an Iranian, I would also build nuclear weapons”.

During her military service as an assistant in the Central Command bureau, Anat Kamm secretly copied over 2,000 classified documents to a CD and leaked it to the Israeli Haaretz journalist Uri Blau. Kamm was recently convicted of espionage and leaking confidential information without authorization and sentenced to 4.5 years in prison after a plea bargain.

Former Mossad chief Meir Dagan has recently voiced unrestrained criticism of the current administration’s defense policy in the service of his political activism; criticism which is supposedly based on his inside knowledge from the Mossad.

Meir Dagan, together with Gen. Gabi Ashkenazi (former chief of staff), Gen. Amos Yadlin (former head of military intelligence), and Yuval Diskin (former head of Shin Bet), opposed an attack on Iran. While in office (they all retired between November 2010 and May 2011), the Gang of Four successfully blocked attempts by Netanyahu and Barak to move forward on the military option.

Of the four, only Dagan has spoken openly, after leaving office, about what he considers to be the folly of an attack on Iran, and has openly criticized Netanyahu and Barak for irresponsibly pushing Israel into an unnecessary war, relying on his former position of responsibility as chief of intelligence to imply that what he says must be true.

It was unclear why Dagan would speak of plans best left undisclosed. Unclear, at least until last week, when Dagan announced his plans for a movement to change the method of Israeli government, leaving his options to enter politics in the future open.

I wish Dagan luck. I’m not happy with his way of publicizing his political activism at the risk of treading the thin line of information leaks. It places him on the same slippery slope as Anat Kamm, who lamely attempted to justify her actions as an act of political protest.

In comparison with Dagan, Barak is circumspect (despite his unfortunate quotes and bad decisions).

Barak was asked about the possibility of making a decision on attacking Iran in the Israeli daily Ha’aretz.

In my various posts I’ve already seen all the possible permutations, as long as one thing remains constant: the role of the military is to prepare the plans. It is important that the political echelon listen very carefully to what the operational and intelligence echelons have to say, but at the end it is the political echelon that has the responsibility for the decision.
More here on Israeli defense minister Ehud Barak on Iran, U.S., and war

The political power of social media

Clay Shirky writes on Foreign Affairs this week

Arguing for the right of people to use the Internet freely is an appropriate policy for the United States, both because it aligns with the strategic goal of strengthening civil society worldwide and because it resonates with American beliefs about freedom of expression.

By switching from an instrumental to an environmental view of the effects of social media on the public sphere, the United States will be able to take advantage of the long-term benefits these tools promise.

Oooh – I just love this stuff: “resonates with American beliefs” and “environmental view of the effects of social media on the public sphere”.

“Some ideas are so stupid only intellectuals believe them.”
George Orwell

Twitter and Facebook are communication tools. Not values.

It is the height of foolishness to assert that communications tools like Facebook and Twitter are a substitute for values. Sure, they make it easier for 80,000 people to attend demonstrations someone else is funding, but don’t forget the agendas of the people funding the demonstrations.

The US will not be able “to take advantage of the long-term benefits these tools promise” unless it takes a moral and value position, clearly delineating the basic dos (for starters – honor your parents, honor freedom of religion) and don’ts (not killing your citizens, not raping your women, not chopping off the hands of thieves, not funding Muslim terrorists, not holding the world at gun-point over the price of oil).

There is no evidence that social media changes government policy

Look at Egypt. Look at Israel. Look at Wall Street.

Social media hype is escapism from dealing with fundamental issues

Let’s assume that the US has an agenda and responsibility to make the world a better place.

Green / clean energy.  Healthy people.

I think we can all agree these are good things for the world. Did social media play any kind of role at all in the blunders of the Obama administration in their energy or healthcare initiatives? Does the administration have a good record or a bad record with these initiatives?

Solyndra is an illustration of how a major Obama contributor took half a billion in loan guarantees and walked away without exposure.   The factory employed about 150 people and stimulated the pockets of a small number of wealthy people.   And, do not forget, Solyndra is kids stuff compared to the $80 Billion in real money that the US government squandered on Afghan electrification projects with no oversight on the cost-plus contractors that delivered zip to Afghanistan.

Mr. Obama and his yea-sayers like Clay Shirky need the hifalutin talk about the importance of social media and free speech to deflect voter attention from the rewards flowing to their campaign contributors, financial service institutions, government contractors and Beltway insiders, and from winning the next Presidential election.

Is the objective improving the health of Americans or is the objective giving gifts of $44,000 to US doctors so that they can go out and buy some software from one of the 705 companies that have certified to HHS requirements for e-prescribing? WTF does e-prescription software have to do with treating chronic patients?

Even giving President Obama credit for having some good ideas – once you have a big, centralized, I’ll run everything, decide everything, make everyone comply kind of government – you get all kinds of nonsense like Solyndra, Afghan electrification projects, health care software subsidies and … Bar Lev lines,  multi-billion sheqel security fence projects and the funneling of funds from the PA to Israeli businessmen allied to Israeli ex-generals who sell gasoline to Palestinian terror organizations and security services to Palestinian banks.

In the Middle East – even while vilifying Bush – the Obama administration continues the Bush doctrine of not going after the real bad guys who fund terror (the Saudis), while wasting thousands of American lives (in Iraq and Afghanistan) and blowing over 80 billion dollars in taxpayer money on boondoggles like the Iraqi and Afghan electrification projects.

Obama praise for the Arab Spring is chilling in its double-talk about democracy (just last month in Tunisia) as Libya, Egypt and their neighbors transition into Islamic fundamentalism rule amidst blatantly undemocratic violence.

In Israel, I would not blame any US President for problems of our own doing, any more than I would credit Facebook with the 2011 Summer of Love on Rothschild, which was no more than an exercise in mass manipulation by professional political lobbyists and people like Daphni Leef who were too busy with their liberal agendas to serve their country.

Israeli leaders have been on a slippery downhill slope of declining morals since Sabra and Shatila in 1985.

And for that – we cannot blame any single President or Prime Minister no more than we can credit Facebook with remembering friends’ birthdays –  but only blame ourselves for putting up with the lack of values and morals of our leaders.

Federal Healthcare Chart

Healthcare data interoperability pain

Data without interoperability = pain.

What is happening in the US healthcare space is fascinating as stimulus funds (or what they call in the Middle East – “baksheesh”) are being paid to doctors to acquire an Electronic Health Records system that has “meaningful use”. The term “meaningful use” is vaguely  defined in the stimulus bill as programs that can enable data interchange, e-prescribing and quality indicators.

Our hospital recently spent millions on an EMR that does not integrate with any outpatient EMR. Where is the data exchanger and who deploys it? What button is clicked to make this happen! My practice is currently changing its EMR. We are paying big bucks for partial data migration. All the assurances we had about data portability when we purchased our original EMR were exaggerated to make a sale. Industry should have standards. In construction there are 2×4’s, not 2×3.5’s.
Government should not impinge on privacy and free trade but they absolutely have a key role in creating standards that ensure safety and promote growth in industry.
Read more here: Healthcare interoperability pains

Mr. Obama’s biggest weakness is that he has huge visions but can’t be bothered with the details, so he lets his team and party members hack out implementations, which is why his healthcare initiatives are on very shaky footing, as the above doctor aptly noted. But perhaps something more profound is at work. The stimulus bill does not mention standards as a prerequisite for EHR, and I assume the tacit assumption (like many things American) is that standards will “happen” due to the power of free markets. This is at odds with Mr. Obama’s political agenda of big socialistic government with central planning. As the doctor said: “government absolutely (must) have a key role in creating standards that ensure safety and promote growth in industry”. The expectation that this administration set is that they will take care of things, not that free markets will. In the meantime, standards are being developed by private-public partnerships like HITSP – enabling healthcare interoperability

The Healthcare Information Technology Standards Panel (HITSP) is a cooperative partnership between the public and private sectors. The Panel was formed for the purpose of harmonizing and integrating standards that will meet clinical and business needs for sharing information among organizations and systems.

It’s notable that HITSP stresses their mission as meeting clinical and business needs for sharing information among organizations and systems.   The managed-care organizations call people consumers so that they don’t have to think of them as patients.

I have written here, here and here about the drawbacks of packaging Federal money, defense contractors and industry lobbies as “private-public partnerships”.

You can give a doctor $20k of Federal money to buy EMR software, but if it doesn’t interact with the most important data source of all (the patient), everyone’s ROI (the doctor, the patient and the government) will approach zero.

Vendor-neutral standards are key to interoperability. If the Internet were built to HITSP style standards, there would be islands of Internet connectivity and back-patting press-releases, but no Internet.

The best vendor-neutral standards we have today are created by the IETF – a private group of volunteers, not by a “private-public partnership”.

The Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual. The IETF Mission Statement is documented in RFC 3935.

However – vendor-neutral standards are a necessary but insufficient condition for “meaningful use” of data.  There also has to be fast, cheap and easy to use access in the “last mile”.  In healthcare – the last mile is the patient-doctor interaction.

About 10-15 years ago, interoperability in the telecommunications and B2B spaces was based on an EDI paradigm with centralized messaging hubs for system-to-system document interchange. As mobile evolved into 3G, cellular applications made a hard shift to a distributed paradigm with middleware-enabled interoperability from a consumer handset to all kinds of 3G services – location, games, billing, accounting etc. – running at the operator and its content partners.

The healthcare industry is still at the EDI stage of development, as we can see from organizations like WEDI and HIMSS.

The Workgroup for Electronic Data Interchange (WEDI)

Improve the administrative efficiency, quality and cost effectiveness of healthcare through the implementation of business strategies for electronic record-keeping, and information exchange and management...provide multi-stakeholder leadership and guidance to the healthcare industry on how to use and leverage the industry’s collective technology, knowledge, expertise and information resources to improve the administrative efficiency, quality and cost effectiveness of healthcare information.

What happened to quality and effectiveness of patient-care?

It is not about IT and cost-effectiveness of information (whatever that means). It’s about getting the doctor and her patient exactly the data they need when they need it.   That’s why the doctor went to medical school.

Compare EDI-style message-hub-centric protocols to RSS/Atom on the Web, where any Web site can publish content and any endpoint (browser or tablet device) can subscribe easily. As far as I can see, the EHR space is still dominated by the “message hub, system-to-system, health provider to health provider to insurance company to government agency” model, while in the meantime tablets are popping up everywhere with interesting medical applications. All these interesting applications will not be worth much if they don’t enable the patient and doctor to share the data.

Imagine the impact of IETF style standards, lightweight protocols (like RSS/Atom) and $50 tablets running data sharing apps between doctors and patients.

Imagine vendor-neutral, standard middleware for  EHR applications that would expose data for patients and doctors using an encrypted Atom protocol – very simple, very easy to implement, easy to secure and with very clear privacy boundaries. Perhaps not my first choice for sharing radiology data but a great way to share vital signs and significant events like falling and BP drops.
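As an added illustration of the publish/subscribe idea in the two paragraphs above (example code written for this page, not HITSP, IETF or any EHR vendor’s), here is a minimal Atom feed of vital signs with a clear privacy boundary: the EHR-side publisher serializes only an allow-list of fields, and the clinician-side subscriber flags a fall and a BP drop. Confidentiality on the wire is assumed to come from TLS, which this code does not set up; the per-entry HMAC tag under a constructed extension namespace only shows that a subscriber can detect an entry altered in transit. The patient reference, readings, namespace and shared key are all constructed.

```python
"""Atom-based vital-signs sharing between an EHR and a clinician (added illustration)."""
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"
EXT_NS = "urn:example:vitals-demo"          # constructed extension namespace
ET.register_namespace("atom", ATOM_NS)
ET.register_namespace("vx", EXT_NS)

# Privacy boundary: only these fields are ever serialized into the feed. Name,
# national id and free-text notes stay inside the EHR.
SHARED_FIELDS = ("patient_ref", "kind", "systolic", "diastolic", "pulse", "observed_at")

# Constructed demo key shared by publisher and subscriber. Confidentiality is
# assumed to come from TLS; the tag only detects tampering in transit.
SHARED_KEY = b"constructed-demo-key"


def atom(tag: str) -> str:
    return f"{{{ATOM_NS}}}{tag}"


def integrity_tag(payload: bytes) -> str:
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def publish_feed(feed_id: str, records: list) -> str:
    """EHR-side publisher: one Atom entry per observation, allow-listed fields only."""
    feed = ET.Element(atom("feed"))
    ET.SubElement(feed, atom("id")).text = feed_id
    ET.SubElement(feed, atom("title")).text = "Vital signs"
    ET.SubElement(feed, atom("updated")).text = records[-1]["observed_at"]
    for i, rec in enumerate(records):
        shared = {k: rec[k] for k in SHARED_FIELDS if k in rec}
        payload = json.dumps(shared, sort_keys=True).encode()
        entry = ET.SubElement(feed, atom("entry"))
        ET.SubElement(entry, atom("id")).text = f"{feed_id}/{i}"
        ET.SubElement(entry, atom("title")).text = shared["kind"]
        ET.SubElement(entry, atom("updated")).text = shared["observed_at"]
        ET.SubElement(entry, atom("content"), type="application/json").text = payload.decode()
        ET.SubElement(entry, f"{{{EXT_NS}}}integrity").text = integrity_tag(payload)
    return ET.tostring(feed, encoding="unicode")


def subscribe(feed_xml: str, systolic_floor: int = 90) -> list:
    """Clinician-side subscriber: verify each entry, then flag significant events."""
    alerts = []
    for entry in ET.fromstring(feed_xml).findall(atom("entry")):
        content = entry.find(atom("content")).text
        tag = entry.find(f"{{{EXT_NS}}}integrity").text
        if not hmac.compare_digest(tag, integrity_tag(content.encode())):
            alerts.append(("tampered", entry.find(atom("id")).text))
            continue
        obs = json.loads(content)
        if obs["kind"] == "fall":
            alerts.append(("fall", obs["patient_ref"]))
        elif obs["kind"] == "blood_pressure" and obs["systolic"] < systolic_floor:
            alerts.append(("bp_drop", obs["patient_ref"]))
    return alerts


def tamper(feed_xml: str) -> str:
    """Simulate an in-transit modification that would hide the low reading."""
    return feed_xml.replace('"systolic": 84', '"systolic": 120', 1)


SAMPLE_RECORDS = [  # constructed clinical records; the private fields must never leave
    {"patient_ref": "p-1001", "name": "A. Example", "national_id": "000-00-0000",
     "kind": "blood_pressure", "systolic": 128, "diastolic": 82, "pulse": 71,
     "observed_at": "2011-11-01T08:00:00Z", "note": "routine"},
    {"patient_ref": "p-1001", "name": "A. Example", "national_id": "000-00-0000",
     "kind": "blood_pressure", "systolic": 84, "diastolic": 55, "pulse": 102,
     "observed_at": "2011-11-01T14:00:00Z", "note": "dizzy"},
    {"patient_ref": "p-1001", "name": "A. Example", "national_id": "000-00-0000",
     "kind": "fall", "observed_at": "2011-11-01T14:05:00Z"},
]


if __name__ == "__main__":
    feed = publish_feed("urn:example:feed", SAMPLE_RECORDS)
    print(feed)
    print(subscribe(feed))
    print(subscribe(tamper(feed)))
```

The subscriber needs nothing but an XML parser and the shared key, which is what makes the Atom approach cheap for a tablet app; the allow-list in the publisher is where the privacy boundary actually lives, since whatever is not serialized cannot leak downstream.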

This would be the big game changer  for the entire healthcare industry.  Not baksheesh. Not EDI. Not private-public partnerships.


How to make Federal data security effective

I submit that a “no tickee, no washee” strategy might improve US Federal data security.

An article published in the Federal Times states that cyber attacks on Federal networks are up 40% from last year, according to a report compiled by the OMB (Office of Management and Budget) that is based on numbers reported by the DHS.

The US spends a lot of money on cyber security, over half of which goes to contractors like Raytheon and SAIC, who are part of the Obama Administration’s euphemistic private-public “partnership”.

A recent report by INPUT — “Federal Information Security Market, 2010-2015” — predicts that federal investment in information security will rise from $8.6 billion in 2010 to $13.3 billion by 2015 at a compound annual growth rate of 9.1 percent, nearly twice the rate of overall federal IT spending.

“Over the last year, federal agencies have seen a 78 percent growth in cyber incidents. This demand for increased information security is greater than any other current technology, leaving it more immune to the recent federal budget cuts.” Key drivers for the expected increase in investment in information security include a 445 percent increase in cyber security incidents since 2006, a shortage of qualified security professionals, and an increasingly complex and interconnected technology environment.

In the relationship between the US government and IT security contractors, it’s actually in the interests of the contractors for the number of cyber attacks to go up – since if they went down – they might be out of a job.

The data from the DHS supports this hypothesis by revealing that over 2/3 of Federal agencies have unacceptable data security monitoring systems.

One would assume that the OMB would require Federal agencies to take affirmative action to improve their data security by linking budget to improved data security metrics, but instead the report makes a pareve, politically-correct recommendation to improve IT security worker effectiveness rather than IT security countermeasure effectiveness.

In order to improve IT security countermeasure effectiveness in the US Federal Government, the OMB should reduce base payments to contractors and vendors who provide IT security services and data security technologies and link their compensation to a reduction in the damage caused to US government data and network assets.   By using metrics and well-defined targets (like 90% of the government agencies doing data security monitoring),  it’s possible to reduce Federal value at risk, but as long as contractors are feeding off the Federal milk cow at GSA rates it’s not likely to happen in our lifetime.

Federal agencies suffered 41,776 cyber attacks in 2010, up from 30,000 the previous year, according to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT), which is tasked with defending the dot-gov domain and sharing information with industry and local governments.

Almost two-thirds of US Government agencies are not yet continuously monitoring their systems for vulnerabilities and intrusions at an acceptable level, and 8 percent of agencies had no monitoring program in place.

Last fiscal year, civilian agencies spent 74 percent of their IT security budget on government personnel salaries and benefits and contractors. Overall security spending made up 16 percent of agencies’ IT budgets. Contractors accounted for 54 percent of their staff, and government made up 46 percent. At the Defense Department, 68 percent of IT security workers are government employees.


Brainwashed by propaganda?

I decided to update this post – after the security theater of the week with the Palestinians and Israelis – as if Israel really needs the Palestinians to recognize Israel as a Jewish State and as if not building a few houses is going to give the Palestinian leaders a reason to stop terror and live in peace.

I normally blog about data security issues – I specialize in helping medical device manufacturers secure their software, protect their patient data and comply with regulations like HIPAA.

However – the recent terror flotilla to Israel, and the double moral standard of the UN Human Rights Council condemning Israel 25 times in the past 3 years without once condemning human rights violations in Iran and Darfur – make one pause to think.

In Israel there is a general feeling that Israelis are to blame for the world hating Israelis.



US bashing Toyota for displacing GM as #1

There is a reason why GM is in trouble and Toyota has displaced GM as the number one automobile manufacturer.

Here is a piece from a colleague and friend, Todd Walzer. Todd and I worked together at Intel Fab 8 in Jerusalem in the 80s.

Working at Intel Jerusalem in the 1980’s, we were all in awe of Japan. Quality Circles, Just-In-Time Manufacturing – Japan was way ahead.  20 years later, it’s still a quality-first country, but there are a few chinks in the armor.

Recently I paid a visit to a top-tier auto maker’s factory. After the factory-floor discussions, we walked over to the office building, which maintains a traditional “lean and mean” atmosphere. Little more than a tin hall, with lines of desks in open space, lights switched off by sensors above unmanned desks. The small open-space “meeting area” has high tables with no chairs. Meetings are held standing up – short and to the point.

In the meeting area is a bulletin board, and one posting caught my eye.  It was a list of “This Month’s 10 Worst Suppliers”, replete with graphs and defect counts.

I can’t recall this methodology from any of my business school textbooks, and I’m still not sure what to make of it. One way or another, it left an impression on me. I bet it made an even greater impression on those 10 companies.

The recent Toyota crisis is not without its cultural hypotheses on the Japan side.  “The U.S. is bashing Toyota for displacing GM as #1.”  “Toyota’s failure stems from adopting too many foreign parts suppliers as part of its aggressive expansion”.

The Japan economy, stagnant the past 20 years, is in need of positive thinking.  I expect a turnaround with the change of generation, in 5-10 years time. My modest wish: on a future visit to this factory, I hope to see a Best Ten Suppliers List tacked up next to the Worst Ten.

Where the Americans are focused on finance, bonuses and Obamacare, the Japanese are still focused on quality and manufacturing, having adopted Deming’s philosophy of Total Quality after WWII. The Americans are adrift on their own home turf, printing money to fund socialist public policy and setting world records in executive fraud and data security breaches. The Japanese may need more positive thinking, but in my opinion the Americans need to get back to the basics of innovation and quality manufacturing.


Bribes as a way of doing business, the Obama Peace Prize

ITALY G8 SUMMIT - Malia Obama Peace t-shirt

When I talk about employee data security vulnerabilities, I like to bring examples of how gambling or cyber-stalking can threaten an employee and make them vulnerable to being exploited into disclosing or manipulating company information. A competitor or criminal may offer to help with a gambling debt in return for stealing some documents. That’s a bribe, of course. When an employee steals proprietary company documents and leaks them to a competitor, the damage is done – even if the company is not immediately aware.

Bribes are a way of doing business in some countries. In Russia, it’s institutionalized, on the table and part of the process. In the US – it’s been wrapped, packaged and prettified as media consultants, management consultants and congressional lobbyists. In Russia, it’s acceptable to talk about paying 50,000 US Dollars to get the name of the official in the Moscow municipality who approves vending machine permits. In the US – it’s still taboo to ask how much Obama paid a media consultant to get his name to the top of the list of the Nobel committee.

Of all the talkbacks I saw the past few days heaping scorn or praise on the Nobel Peace Prize committee, not a single comment was made on when the Obama application was added to the list of 205 candidates for the Peace Prize. Since the selection process apparently takes close to a year and Obama has been in office only 9 months, one may assume that the decision to promote Obama for Peace was taken sometime at the beginning of the presidency. I can visualize a process where a consultant was retained to identify the key movers and shakers, and then additional influencers were retained to promote Obama with the key movers and shakers, who would then make sure the committee made the right decision – one which aligns with the particular left-leaning political agendas of both the committee and the US President.

Timing is an important element in a bribe. If you need to make a bubble payment on your mortgage – it’s money you need now. If you’re a President with a declining popularity rating, it’s political capital you need now.  I don’t really see the difference between the two.


Overspending on security

From Alan Paller’s testimony before the US Senate; I think the quote speaks for itself. Outside the US, it seems even stranger to believe that US companies have enough money for two cyber security organizations paid for by the US taxpayer.

However, federal agencies cannot move effectively to more secure systems unless you shift the emphasis of the FISMA assessments from paper reporting to automated monitoring of essential controls. …  Two weeks ago, a federal CIO told me, “I have a CISO who always gets me to green on my FISMA grades, but the reports he produces have no impact at all on security of our computers or networks, I am setting up a separate group to do real security.” This CIO can do both because of a surge of funding his organization has received from the new stimulus bill.
