Did you ever have a feeling that your IT integrator was treating you like a couple of guys selling you a Persian rug?  ”Take it now – it’s so beautfiful, just perfect for your living room, a steal  for only $10,000 and it’s on sale” and when you ask if it will last, they tell you “Why do you want it to last? Enjoy, use it in good health, wear it out quickly and come back to the store so that we can sell you Persian Rug 2012″.

I had a meeting with a long-time client today – I’ve developed some systems for them in the FDA regulatory and clinical trial management space. We met for lunch to discuss a new project which involved an extension to an existing multi-center study.

The question of disaster recovery planning and offsite backup came up and  they asked me what I thought about backing up their clinical trial data together with their office file backups taken by their outsourcing IT provider.

I said this is a very bad idea because while their IT contractor specializes in providing Microsoft Windows/Office support for small businesses, they just don’t have the know-how or security expertise for HIPAA compliant data storage.

In general, small business IT integrators are  behind the curve on data security, compliance, disaster recovery and application software security. Their job is to keep Microsoft SBS running smoothly and install anti-virus software, not mitigate data security and HIPAA compliance attacks. The typical SMB integrator mindset is dominated by the Microsoft monoculture, and I would not expect them to be able to analyze data security threats correctly.

Whenever I go somewhere – I’m always looking at things with a security perspective – open doors, windows – things that could be easily lifted. Who might be a threat. Storing clinical data with a bunch of Microsoft Office files is just too big a risk to take. The CEO accepted my recommendation to encrypt data on a secure, hardened virtual server instance in the cloud and monitor potential exposure to new emerging threats as their application and project portfolio evolves.

After lunch and getting back into the office, I realized that Risk analysis is a threat to IT vendors.

Not every security countermeasure is effective or even relevant for your company. This is definitely a threat to an IT vendor salesperson who must make quota.

I am a big proponent of putting vendor suggestions aside and taking some time to perform a business threat analysis (shameless plug for our business threat analysis services,  download our free white paper and learn more about Business Threat Modeling and security management). In a business threat  analysis you ignore technology for a week or 2 and systematically collect assets, threats, vulnerabilities …and THEN examine the cost-effective security countermeasures.

Your vendor wants to sell you a fancy $20,000 application security/database firewall, but it may turn out that your top vulnerability is from 10 contract field service engineers who shlep your company’s source code on their notebook computers. You can mitigate the risk of a stolen notebook by installing a simple security countermeasure - Free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux.

Information security vendors often promote their backup/data loss prevention/data retention/application security products using a compliance boogeyman.

The marketing communications often reaches levels of the absurd as we can see in the following example:

NetClarity (which is a NAC appliance) claims that it provides “IT Compliance Automation” and that it “Generates regulatory compliance gap analysis and differential compliance reports” and “self-assessment, auditing and policy builder tools for Visa/Mastercard PCI, GLBA (sic), HIPAA, CFR21-FDA-11,SOX-404, EO13231 government and international (ISO270001/17799) compliance.”

A network access control appliance is hardly an appropriate tool for compliance gap analysis but asserting that a NAC appliance or Web application firewall automates SOX 404 compliance is absurd.

Sarbanes-Oxley Section 404, requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. This means that a company has to audit, document and test important financial reporting manual and automated controls. I remember the CEO of a client a few years ago insisting that he would not accept any financial reports from his accounting department unless they were automatic output from the General Ledger system – he would not accept Excel spreadsheets from his controller, since he knew that the data could be massaged and fudged. If there was a bug in the GL or missing / incorrect postings he wanted to fix the problem not cut and paste it.

Appropriate, timely and accurate financial reporting has absolutely nothing to do with network access control.

But the best part is the piece on the NetClarity Web site that claims that their product will help “Deter auditors from finding and writing up IT Security flaws on your network”.

And I suppose this really proves my point best of all.

Information security vendors like NetClarity do not have any economic incentive to really reduce data security and compliance breaches that would reduce  sales, making it better business for them  (not for their customers) to sell ineffective products.

This raises an interesting question about information security business models – but that’s a topic best left to another post.

The  long, eloquently phrased article, demonstrates that the US has fundamental flaws in it’s strategic thinking about fighting terror:

Predicting cyberattacks is also proving difficult, especially since both state and nonstate actors pose threats…..Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.

And in summary:

“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces …to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe…”

It is unfortunate that a politruk has so much influence on US cyber security.

The US and European governments consistently adopt strategic policies that were obsolete  years before they came into office.

Just as the Obama administration is crippled by flawed assumptions about the regional balance of power in the Middle East, Washington still sees security as an exercise in organizational constructs, inter-agency collaboration and better defenses and pats itself on the back for recognizing that there is a new domain of threats….when the Internet was invented 20 years ago.

Lyn’s laundry lists of strategic objectives phrased in politically-correct corporate-speak are the wrong answer for improving cyber-security. When Lynn himself, speaks extensively about the need for speed and flexibility, the answer cannot be more government-funded monolithic, bureaucracies.

The private – public partnership is particularly problematic in my view.    The really smart people in security technologies are at small startups – not at Raytheon and Symantec and all the other big corporates that have enough lobbyist resources to line up and eat pork from the Federal plate.  And – why – if I may challenge some conventional wisdoms – should companies like Symantec be allowed to influence US cyber defenses when they have done an abysmal job protecting civilian networks and digital assets? And – why- should Microsoft be part of the solution when they are part of the problem.

Perhaps the US should start by outlawing Windows and using Ubuntu which is not vulnerable to removable USB device auto run attacks.

Perhaps the US should start getting more humint on the ground instead of gutting the CIA from it’s human assets and relying on satellites and network intercepts.   At the time of 9/11 – the CIA had no human assets in Saudi and since the Clinton administration – investment in people on the ground has gone downhill.   I hear the sign in the CIA station chief office in Riyadh says “Better to do nothing then to do something and look bad”.

Perhaps the US should consider that there are numerous offensive alternatives to retaliation (which indeed is not an effective countermeasure due to the extreme asymmetry of cyber attacks).

Perhaps the US should consider that cyber attackers are not motivated by economic utility functions and therefore utility-function-based defenses are not appropriate.

The security concept proposed by Lynn is  sadly divorced from reality.

For fear of becomming(sic) the next victim of identity theft, 150 million U.S. consumers don’t bank online, according to experts. But the banking industry could improve profitability by as much as $8.3 billion per year if banks build consumers’ confidence in online security, according to the TriCipher Consumer Online Banking Study, conducted by Javelin Strategy & Research for TriCipher, a Los Gatos, Calif.-based authentication solutions provider.

I don’t doubt that US banks, after having received all that tax payer money, will spend some of it on biometrics and multi-factor authentication. I predict that they will eventually abandon ship on authentication technology for home banking, when they realize that authentication technology doesn’t protect their customers on the Internet.

Multi-factor doesn’t prevent phishing. It doesn’t prevent identity theft. It doesn’t  secure online accounts from fraudulent transactions.  Take two attacks for example:

Man in the middle - an attacker sets up a fake banking web site and gets people to login, by passing the request for authentication thru to the real bank – the attacker doesn’t care if the user is authenticated with  biometrics or with out of band SMS messages – that’s great.   He still gets the user into his system in order to harvest usernames, passwords, credit cards and account numbers

Trojan horse - an attacker distributes a Trojan on a CD or from a online adult content site.  When the user logs in to the bona-fide banking site, he can use the connection to perform fraudulent transactions – like account withdrawals and funds transfers while the user is logged-in and authenticated.

Multi-factor and biometrics work well in a controlled environment like a corporate local area network but in the wild – the threats are changing too fast for multi-factor authentication solutions to provide effective data security.

What will get more people to use online banking?

• Trusting their bank.
• Banks that don’t lose customer data
• A simple but robust online login method (account, username, password) that uses offline, face to face authentication to validate identity before issuing a username/password and enforces strong, frequently updated passwords.
• Education about the dangers of phishing
• A well engineered online banking web site that doesn’t require hardware dongles and Java or ActiveX client software

1. Preventing information security events is an admission of weakness. Why spend money on technology when the first step is admitting that you’re vulnerable?
2. We live in an age of instant gratification. Need music – go to Deezer. Need security – go to Checkpoint. Strong security is hard work.
3. Walk on the safe side, not on the wild side. Why be an early adopter and / or spend 6-7 figures on several point solutions that requires a risk assessment from someone who isn’t your accountant, a complex policy implementation by people who need to learn your business, integration with internal procedures and processes with employees who could care less, and buyin from a CEO who is scrappling for survival with the board during the biggest financial crisis in 80 years?

I posted this question  on the LinkedIn Information Security Community forum about 6 weeks ago. It was an experiment in collaborative writing;  I’ve collected the comments and edited them (hopefully faithfully), attributing credit to each contributor.

Darian Stultz reminds us that people are the weakest link and brings some insights into organizational politics.

Both psychology and technology are equally important. From a technology perspective, vendors tend to promise the world, but people install, configure and operate the security technology.

Systems are vulnerable to incorrect configurations, mis-cabling, or open unnecessary  open ports. The best training for employees may not be sufficient to handle all possible configuration scenarios and use of external/internal experts can mitigate these risks through discovery, and a remediation plan. This costs money. External Auditing is more costly, but provides a politically neutral assessment because the auditor is more likely to report findings. For the manager who hired the auditor, an external audit can be stressful since the auditor wants future business from upper management, and is likely to prove his worth by high-lighting even small issues.

From a psychology perspective – prevention of security events is not a sign of weakness, but of resolute strength. Yes, prevention costs money. The larger the scope of the business, the more opportunities there are for security risks. The optimum (utopian) way to handle security is for the CEO to support fully efforts to secure the business from internal and external security threats. The sell from middle management is easier with full buy-in. Most companies I have worked for or consulted for have a “middle ground” where a security department exists, but was an afterthought of the business. Therefore they jockey for human resources, and funding for projects to secure vulnerabilities.

Michael Seese agrees that people are key to understanding security vulnerabilities

Just as Willie Sutton said that he robbed banks because “that’s where the money is,” attackers will go after end users because that’s where the valuable information is.

As security technologies continue to improve, attackers will focus on the weakest link: our people. The quick and cynical explanation is that people are more easily prone to being fooled by a scam or to become lax in following procedures than technology solutions.

People have emotions egos. They want to help, if they can, when asked. They don’t want to be yelled at. They trust. They get busy and they get stressed out. In some cases, they get greedy. But oftentimes, they simply don’t realize the value of what, to them, seems to be a trivial piece of information.

Gabriel Bar-Giora feels that psychology  is more important than the technology side of security but stresses the need for an integrated management approach

A company must integrate both aspects, getting managements to define and implement security policy, translated into budget and manpower and regulations, then – and only then – the product pieces will start falling into place – VA, DLP, DRP, HA etc.

Joe Peck is director of product management at Code Green  Networks and brings a perspective of a vendor selling DLP solutions in a tough economy  and competitive market space.

Most companies did not allocate 2009 budget for a DLP project. That’s neither a technology or a psychological constraint. It’s an issue  of having  budget for new requirements. Some customers have been able to use budget for email encryption or content filtering use it to purchase our data loss prevention solution. As awareness of information protection grows, I expect more companies to allocate 2010 budget explicitly for DLP.

The market is still pretty early. Many customers don’t know yet what DLP really is and how it fits into their security portfolio so there is a need for educating IT on the need for data-centric security as opposed to traditional system or network-centric security.

DLP is hot and the marketing hype has resulted in many vendors slapping a DLP label on their product and providing incomplete or even irrelevant solutions (e.g. device control solutions with no data inspection capability or email and web gateway solutions that can do keyword matches but will generate a false positive flood when an employee shops at Amazon).

Even with knowledgeable customers, some folks prefer not to be early adopters, they want to be a technology follower as a way of reducing risk. That has both a technology and psychological aspect to it.

Finally – data security crosses organizational boundaries – it’s not just the network security team. It often involves Legal, Compliance/Audit, the data owners, and the IT group. That slows down the evaluation, justification and purchasing process significantly. DLP is not a standalone IT solution.

John Martin, a security practice leader at IBM NZ reminds us that people are not machines, they need technology safeguards.

People cannot be trusted to make the right decision 100% of the time? Given the current economic recession, more cases of fraud emerge every day. Techniques such as DLP, can make up for the the human factor or re-enforce what is on the spur of the moment conveniently forgotten. Understanding the psychology assists us to appreciate the appropriate technological solution(s) from a risk management perspective and during the justification – business case.

Kyle Quest who works for Vericept reminds us that  human behavior is the main driving force behind most things in life, not just security, but he is pessimistic about a company’s ability to utilize security technology effectively.

Look at the GFC for example, Alan Greenspan thought that companies would follow logic and wouldn’t engage in risky financial activities… The results were not forecasted and have affected the entire world.

There is one key reason for data loss events: the checkbox mentality. “Need to have a firewall.. check that… now we safe”. Obviously, this is an oversimplification… This checkbox mentality creates an illusion of security. It all starts from the top. Executives don’t really care about data security. They’ll either ignore the issues or do just enough to get a piece of paper that says that they are secure. As a result, even when money is spent on the data security technology, customers don’t get anything useful ROI.

Data security is not even on the third place when it comes to running a business (yes, there are exceptions, but I’m talking about the majority of customers. The security process in the enterprises is broken. Marcus Ranum does a great job talking about this subject in his “Anatomy of Security Disasters“

Jerry Bell is a Technology strategist at IBM and believe that without the psychology in place, you cannot deliver the technology.

Done right, controls mitigate weakness, whether they are technological or people controls. No technology or “management support of security” platitude is going to reduce risk on it’s own. By definition, security is about making trade-offs that the organization must make based on their risk profile. The risk management part of managing a company starts with the CEO. Good CEO’s hire CIO/CSO’s that they trust to ensure that the business in soundly controlled. Other CEO’s hire CIO’s to simply keep the wheels from falling off the car.

If security is not a business priority after a presentation of the risks and possible securit ycountermeaures, there isn’t a lot to do. Keep good records of the discussions and risk assessments presented to use as defense to keep the job after a security breach happens.

Sadly, most companies don’t find religion around security (or disasater recovery) until bad things happen.

Richard Ryan – an independent security consultant notes that regardless of technology, the entire organization needs to have a culture of security.

It takes everyone working together to create a secure organization and then its only secure as its weakest link, which can be people, technology, or a combination of both.  The psychologies of some people are geared to take advantage of someone else’s weaknesses. For some reason, their desire to have more than someone else takes over, and the scheming starts, flaws are found, and security is breached.

Nicholas Key is an independent security consultant from the UK wishes that people could assured secure.

People are the first line of defence in security policy and normally overlooked. Although there is assurance and certification of security technology like C2 and Common Criteria, there is no facility which gives assurance that ‘our people’ have a first-class level of security awareness.

DineshBareja has yet to see a client who says – please go out and raise the awareness factor in my organization.

Usually the implementing team cobbles together a bunch of sad slides that are passed off as awareness programs for the purpose of compliance with the certification program. The will to spend on professionally designed programs which will be really effective is (sadly) very weak, and organizations are losing out on their security investment.

Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle. It’s always a 4 step cycle, like Symantec’s DLP  “Discover, Monitor, Protect and Manage” and it’s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.

It’s like a washing machine cycle that never stops, intent on keeping you from going home.  It’s also a sales cycle focussed on sustaining subscription revenue rather than protecting information.

The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard stuff; quantification and prioritization of your actions based on financial value of assets and measurement of threat impact.

Modern security tools from companies like Qualys and Beyond Security are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However – since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected.

With reported data breaches that increased nearly 50% in 2008, and security budgets that shrunk drastically in 2009 – you need to measure how well the product reduces Value at Risk in dollars (or in Euro) and how well it will do 3 years after you buy the technology.

In order to help make that happen we will host a free weekly online workshop on data security best practices every Thursday, 15:00 GMT, 16:00 Central European Time, starting Thursday September 3, 2009.

This series of workshops is designed to help you and your team take a leadership role in the board room instead of waiting for vendor proposals in your office.

Through specific Business Threat Modeling^(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.

Data security is a war – when the attackers win, you lose. We will help you win more.

I don’t normally go to these events unless I’m invited to speak – but it is a good networking opportunity and chance to reconnect with old friends and colleagues.

Whenever I go somewhere – I’m always looking at things with a security perspective – open doors, windows – things that could be easily lifted. Who might be a threat.

Walking the exhibit hall, I realized that Risk Assessment is a threat to security product vendors.

Not every security countermeasure is effective or even relevant for your company. This is definitely a threat to a vendor salesperson who must make quota.

If you do a risk assessment with Practical Threat Analysis (shameless plug for PTA – download here you systematically collect assets, threats, vulnerabilities …and THEN produce a cost-effective risk mitigation plan. Your vendor wants to sell you a $100,000 database firewall, but it may turn out that your top vulnerability is from 10 Field service engineers with company source code on their notebook computers. You can mitigate the risk of a stolen notebook by installing a simple security countermeasure – Free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux.

Vendors often attempt to mitigate the risk assessment threat by using compliance as a universal countermeasure.

This is can approach absurd levels as we shall see in the following example.

NetClarity (which is a NAC appliance) claims that it provides “IT Compliance Automation” and that it “Generates regulatory compliance gap analysis and differential compliance reports” and “self-assessment, auditing and policy builder tools for Visa/Mastercard PCI, GLBA (sic), HIPAA, CFR21-FDA-11,SOX-404, EO13231 government and international (ISO270001/17799) compliance.”

A network access control appliance is hardly an appropriate tool for compliance gap analysis but asserting that a NAC appliance or Web application firewall automates SOX 404 compliance is absurd.

Sarbanes-Oxley Section 404, requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. This means that a company has to audit, document and test important financial reporting manual and automated controls. I remember the CEO of a client a few years ago insisting that he would not accept any financial reports from his accounting department unless they were automatic output from the General Ledger system – he would not accept Excel spreadsheets from his controller, since he knew that the data could be massaged and fudged. If there was a bug in the GL or missing / incorrect postings he wanted to fix the problem not cut and paste it.

Appropriate, timely and accurate financial reporting has absolutely nothing to do with network access control.

But the best part is the piece on the NetClarity Web site that claims that their product will help “Deter auditors from finding and writing up IT Security flaws on your network”.

And I suppose this really proves my point best of all.

Security vendors like NetClarity do not have economic incentive in reducing data leakge and mitigating risk since that would reduce their product.