Tag Archives: Risk Assessment

A word to Teva on firing employees and assuring data security

To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.

The Book of Balance and Harmony (Chung-ho chi).
A medieval Taoist book

In early December 2017, the Israeli pharmaceutical generics company Teva announced it would lay off about 1,700 of its employees in Israel, who make up about 25% of all the company’s employees in Israel, out of a total workforce of 6,680 employees. Without diving into the emotional implications and political opportunities the big layoff creates – I suggest taking a different look at the problem.

What kind of risk are you creating when you fire a big chunk of your work force?

When a big global, publicly-traded company like Teva decides to fire a big piece of its workforce – it’s to reduce costs in anticipation of reduced revenues and to preserve or improve the share price.

Risk management and IT governance run a distant second and third when it’s a question of survival. The IT department is often in the line of fire, since it is a service organization. The IT security staff may be the first to get cut, since companies view information security as a luxury, not as a must to run the business.

There is nothing in the information security policy of any organization that I have seen that talks about how to manage risk when 1700 employees are being fired in a short period of time in a business unit.

When firing large numbers of employees, the unauthorized network transfer of sensitive digital assets belonging to the company should be (but is rarely) a key concern for the CEO. Here are a few examples of trusted insider theft of digital assets and intellectual property during a big RIF – all of them true cases:

  • Sending suppliers classified RFP documents
  • Exploiting production servers with anonymous file transfer protocol (FTP) turned on in order to send large quantities of confidential product design documents
  • Break-ins, bribes and double agents (workers who spy for other groups or companies) taking advantage of the chaos caused by RIFs and strikes.

The business need to use advanced technology to detect and prevent data loss lands directly on the CEO and his management team, and in firms with outsourced IT infrastructure (like Teva), the need for data loss prevention becomes more acute as more and more people are involved with less and less allegiance to the firm.

High risk appetite and waiting until the last minute?

In my experience (and this is supported by prospect theory), highly paid CEOs wildly underestimate, to the point of ignoring them completely, high-impact, low-frequency events like trusted insiders and outsourced IT staffers stealing IP during a big RIF.

In normal times, a key part of formulating and establishing information security policies for your organization is deciding how much risk is acceptable and how to minimize unacceptable risk.

This process initially involves undertaking a formal risk assessment, which is a critical part of any ISMS. However – it’s a mistake to assume that risk assessment is a static process when the business is a dynamic process.

Risk assessment must be dynamic and continuous, moving at the front line of the business, not as an afterthought or not at all.

When a company fires on a wide scale – the words dynamic and continuous take on new meaning. We are not in Kansas anymore, where we could ask KPMG to come in and do an organizational risk assessment using their standard questionnaires.

In times of massive layoffs – you need to throw away the standard forms and use a threat-analysis based checklist to reevaluate your digital value at risk on a daily basis. The rationale behind the threat analysis is to mitigate the tendency of top management to ignore high-impact, low-frequency events:

  • Think like an attacker.  What would you steal if you had the opportunity?
  • Use a systematic approach to estimate the magnitude of risks (risk analysis).
  • Compare estimated risks against risk criteria to measure the  significance of the risk (risk evaluation)
  • Define the scope of the risk assessment process to improve  effectiveness (risk assessment)
  • Undertake risk assessments periodically to address changes in  assets, risk profiles, threats, safeguards, vulnerabilities and risk  appetite (risk management)
  • Risk measurement should be undertaken in a methodical manner to  produce verifiable results (risk measurement)


Tahrir square – the high-tech version

From Wired

The revolt that started a year ago today in Egypt was spread by Twitter and YouTube, or so the popular conception goes. But a group of Navy-backed researchers has a more controversial thesis: Egyptians were infected by the idea of overthrowing their dictator.

Using epidemiological modeling to chart the discussions and their trajectory online is an interesting idea, although I don’t think that they are the first ones to do it. It’s a different approach from social network analysis, which analyzes social phenomena through the properties of relations between and within units instead of the properties of these units themselves. This approach apparently considers trajectories of content combined with natural language analysis to determine what people in certain regions, of certain age groups, genders, or any number of other demographics, are discussing.

We’ve seen how content interception, classification and analysis have had success in the enterprise information security space – in particular with identifying data leaks by trusted insiders and unauthorized disclosure of intellectual property. Doing it on a national or global scale requires much more than computing power. It’s also understanding the political milieu and intent of the subjects, a powerful challenge for any intelligence organization.

I’m not sure how they collect the actual demographics, handle historical data, deliberate disinformation or feedback effects or even if their model is a good fit for the problem but it’s thought provoking.


Security and the theory of constraints

Security management is tricky. It’s not only about technical controls and good software development practice. It’s also about management responsibility.

If you remember TOC (Theory of Constraints, invented by Dr. Eli Goldratt about 40 years ago), there is only 1 key constraint that limits the performance of a system (or company) in achieving its goal.

So – what is that 1 key constraint for achieving FDA Premarket Notification (510k) and/or HIPAA compliance success for your medical device on a tight schedule and budget?

That’s right, boys and girls – it’s the business unit manager.

Consider 3 cases of companies who are developing medical devices and need to achieve FDA Premarket Notification (510k) and/or HIPAA compliance for their product. We will see that there are 3 generic “scenarios” that threaten the project.

A key developer leaves and the management waits until the last minute

In this scenario, the person responsible for the software security and compliance quits. The business unit manager waits until the last minute to replace him and in the end realizes that they need a contractor. External consultants (like us) start wading through reams of documentation, interviewing people and reconstructing an understanding of the systems and scope before we even start our first piece of threat analysis and write our first piece of code.

The mushroom theory of management

In this scenario, there are gobs of unknowns because the executive staff did not, could not or would not reveal all their cards in a particularly risky and complex development project that is not reaching a critical milestone. The business unit manager calls in an outsider to evaluate and/or take over. After 6 weeks – you may sort of think you have most of the cards on the table. But – then again, maybe not. You might get lucky and achieve great progress because the engineers are ignoring the product manager and doing a great job. Miracles sometimes happen, but don’t bet on it.

We’re in transition

In scenario 3, a new CEO is brought in after a putsch in the board and things come to a standstill as the executive staff start getting used to the new boss, the line staff start getting used to new directives and the programmers stop wondering whether they will still have a job.

Truth be told – only the first scenario is really avoidable. If your executive staff runs things by the mushroom theory of management or you get into management transition mode – basically, anything can happen. And that’s why consultants like us are busy.


Business context for ISO 27001

ISO 27001 is increasingly popular because of compliance regulation and the growing need to reduce the operational risk of information security.

What ISO 27001 is missing, though, is the business context – the ability for an SME to determine the cheapest and most effective security countermeasures and their order of implementation. Since ISO 27001 certification requires compliance with the entire control set, it may be too daunting for an SME to consider.

Any business can perform an ISO 27001-based risk assessment on their operation, with their business assets and their typical business threats, in just a few minutes using the Software Associates PTA library for ISO 27001. You can download the free Practical Threat Analysis library for ISO 27001 and our free risk assessment software – and upgrade your security today using ISO 27001, the most important vendor-neutral standard for data security available.


How to assess risk – Part I: Asking the right questions

It seems to me that self-assessment of risk is a difficult process to understand and execute, primarily because the employees who are asked to assess the risk in their business process, a) don’t really understand the notion of risk and b) don’t really care. Let’s face it – risk is difficult to understand, since it is a function of many different, often interdependent variables.

So the question I am going to pose today is: What is the best way to do a risk assessment?

And the answer is: Start by asking the right questions.

Let’s say that you have the job to collect data for a risk assessment in your business unit. You sit down with the security and compliance manager and schedule meetings with people in the unit. You figure you’re going to be less than thrilled with the quality of information you receive and the employees may not be excited by your standard checklist questions. However, you know that whistleblowing is innate in all of us and it’s worth trying to get to first base.

Drop the compliance checklist and use an attack modeling approach instead.

Explain the notion of valuable company assets, vulnerabilities, threats that exploit vulnerabilities, and security countermeasures. It will take a few minutes and every employee I’ve ever met will grok the concept immediately. For starters – ask 7 questions (you notice how all the process improvement methodologies always have 7 steps…):

  1. What is the single most important asset in your job?
  2. What do you think is the single biggest threat to that asset?
  3. How do you think attackers cause damage to the asset?
  4. Can you give me one example of a security exploit (on conditions of non-disclosure)?
  5. If you could give the risk and compliance manager one suggestion, what would it be?
  6. If you had to give the CEO one suggestion, what would it be?
  7. If you had to give President Obama one suggestion on how to reduce the threat of global terror, what would it be?

Are you still using Excel for risk assessment?

There is a school of thought that says that you can take any complex problem and break it down like Swiss cheese. Risk assessment data collection and analysis with Excel is one of those problems that can’t be Swiss-cheesed. A collection of brittle, unwieldy, two-dimensional worksheets is a really bad way of doing multi-dimensional modelling.

Consider that a typical risk assessment exercise will have a minimum of 4 dimensions (assets, threats, vulnerabilities and controls), and I think you will agree with me that Excel is a poor fit for risk assessment.

Here is where PTA (Practical Threat Analysis) comes to the rescue. You can download the free risk assessment software and try it yourself.

Any risk assessment process can be automated using Practical Threat Analysis and the PTA threat modeling database. PTA is a threat modelling methodology and software tool that has been downloaded over 15,000 times and has thousands of security analysts using it actively on a daily basis.

PTA (Practical Threat Analysis) was first introduced in a paper by Ygor Goldberg titled “Practical Threat Analysis for the Software Industry” published online at Security Docs in October 2005. PTA provides a number of meaningful benefits for security and compliance risk assessments:

  • Quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
  • Robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
  • Versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
  • Effective: recommends the most effective security countermeasures and their order of implementation. In our experience, PTA can help a firm mitigate 80% of the risk at 20% of the total control cost.

The PTA calculative model is implemented in a user-friendly Windows desktop application available as freeware at the PTA Technologies web site. A PTA ISO 27001 library is available as a free download and is licensed under the Creative Commons Attribution License.

The need for cost effective risk reduction

Despite the importance of privacy and governance regulation, compliance is actually a minimum, but not a sufficient, requirement for risk management.

The question is: What security controls should a firm implement after a risk assessment?

Taking ISO 27001 as a baseline security standard with a comprehensive set of controls, the ISO 27001 certification process can be as simple or as involved as an organization wants, but there are always far more available controls than threats. As a result, organizations large and small find themselves coping with a long and confusing shopping list of controls. You can implement the entire checklist of controls (if you have deep pockets), you can do nothing, or you can try to achieve the most effective purchase and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.

However, implementing additional controls does not necessarily reduce risk.

For example, beefing up network security (like firewalls and proxies) and installing advanced application security products is never a free lunch and tends to increase the total system risk and cost of ownership as a result of the interaction between the elements and an inflation in the number of firewall and content filtering rules.

Firms often view data asset protection as an exercise in Access Control (Section 11 of ISO 27001) that requires better permissions and identity management (IDM). However, further examination of IDM systems reveals that (a) IDM does not mitigate the threat of a trusted insider with appropriate privileges and (b) the majority of IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.

How to choose cost-effective controls

A PTA threat model enables a risk analyst to discuss risk in business terms with her client and construct an economically justified set of security controls that reduces risk in a specific customer business environment. A company can execute an implementation plan for security controls consistent with its budget instead of using an all-or-nothing checklist designed by a committee of experts who all work for companies 100x the size of your operation.
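The following is an added illustration (not PTA’s own calculative model, and not code from this blog) of what a quantitative threat model looks like once assets, threats and controls carry monetary values: risk is asset value × damage fraction × annual probability, controls remove a fraction of a threat’s risk, and a greedy pass picks the affordable control with the best risk reduction per dollar until the budget is exhausted. It also serves the earlier post on wide-scale layoffs, where the same model is re-run as a what-if with insider threat probabilities scaled up; all asset values, probabilities, mitigation fractions and costs are constructed sample numbers.

```python
# Added illustration of a quantitative threat model in the spirit of PTA
# (assets, threats, controls); the risk formula and greedy ordering are a
# simplified stand-in, not the PTA tool's own calculative model.

def threat_risk(t, assets, applied=()):
    """Expected annual loss from one threat once the applied controls are in place.
    t["mit"] maps control name -> fraction of this threat's risk it removes."""
    residual = 1.0
    for c in applied:
        residual *= 1.0 - t["mit"].get(c, 0.0)
    return assets[t["asset"]] * t["damage"] * t["p"] * residual

def total_risk(threats, assets, applied=()):
    return sum(threat_risk(t, assets, applied) for t in threats)

def scale_probabilities(threats, factor):
    """What-if scenario: insider threats judged `factor` times likelier, e.g. during a RIF."""
    return [dict(t, p=t["p"] * factor) for t in threats]

def plan_controls(threats, assets, controls, budget):
    """Greedy ordering: repeatedly add the affordable control with the best
    risk reduction per unit cost. Returns ([(control, reduction)], residual risk)."""
    applied, plan, remaining = [], [], budget
    pending = dict(controls)                      # name -> cost
    while pending:
        base = total_risk(threats, assets, applied)
        best, best_ratio = None, 0.0
        for name, cost in pending.items():
            if cost <= remaining:
                ratio = (base - total_risk(threats, assets, applied + [name])) / cost
                if ratio > best_ratio:
                    best, best_ratio = name, ratio
        if best is None:                          # nothing affordable still cuts risk
            break
        applied.append(best)
        remaining -= pending.pop(best)
        plan.append((best, round(base - total_risk(threats, assets, applied), 2)))
    return plan, round(total_risk(threats, assets, applied), 2)

# Constructed sample values (hypothetical; not from any real assessment).
ASSETS = {"product design docs": 1_000_000.0, "supplier RFPs": 200_000.0}
THREATS = [
    {"name": "insider exfiltration via anonymous FTP", "asset": "product design docs",
     "p": 0.1, "damage": 0.5, "mit": {"disable anonymous FTP": 0.9, "DLP": 0.6}},
    {"name": "classified RFP sent to a supplier", "asset": "supplier RFPs",
     "p": 0.2, "damage": 0.3, "mit": {"DLP": 0.5, "awareness training": 0.3}},
]
# IDM appears with no mitigation entry: it does not address the trusted insider.
CONTROLS = {"disable anonymous FTP": 5_000, "DLP": 60_000,
            "awareness training": 10_000, "IDM rollout": 150_000}

if __name__ == "__main__":
    print("baseline risk:", total_risk(THREATS, ASSETS))          # 62000.0
    print("plan within 100k:", plan_controls(THREATS, ASSETS, CONTROLS, 100_000))
    print("RIF what-if (3x):", total_risk(scale_probabilities(THREATS, 3.0), ASSETS))
```

With these numbers the cheap FTP fix comes first, awareness training second and DLP third, spending 75,000 of the 100,000 budget to cut expected annual loss from 62,000 to 6,200, while the expensive IDM rollout is never selected.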


Cutting through the marketing b/s of security products

I think FUD is not going to cut it anymore.

There is currently no standard, vendor-neutral methodology to quantify information security risk and justify technology purchases.

Maybe during the GFC, as budgets dwindle and threats ratchet up – security analysts will finally get some real work done.

In order for a company to decide what security countermeasures are best for them – they must measure the movement and value of their data, and weigh that in terms of a threat model. We conclude by suggesting a series of questions to ask in order to test two hypotheses – 1) that information leakage is currently happening and 2) that a cost-effective risk mitigation plan can be defined and implemented.

For more, read Preventing internal threats on a budget.
