Data security and compliance – Best practices

January 28th, 2010, admin

Compliance is about enforcing business processes. For example, PCI DSS is about getting the transaction authorized without getting the card data stolen, SOX is about the sufficiency of internal controls over financial reporting, and HIPAA is about being able to disclose PHI to patients without leaking it to unauthorized parties.

So where and how does DLP fit into the compliance equation?

Let’s start with COSO recommendations for internal controls:

“If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed…The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.”
In the attached presentation we review the data security requirements in compliance regulation, discuss provable security, and show how DLP can serve both as an invaluable tool for measuring security metrics of inbound and outbound business transactions and, when required, as a last line of defense for primary account numbers (PANs).

Building a business case for DLP

January 27th, 2010, admin

At a meeting with one of our clients last week, the question of a business case for data loss prevention came up quite strongly. It started with the client saying that they were hearing that while vendors like Symantec and Websense were getting a lot of customers to buy their DLP products, many of those customers were failing in their attempts to implement DLP.

The detailed reasons why DLP implementations fail merit a separate post, but it is a lot like why over 50% of the content management implementations from vendors like Vignette never made it to production in the 90s: the root cause was that there was no real business case for the technology.

I want to talk about why building a business case for data security is critical to the success of your data security / data loss prevention / fraud prevention project.

If you run a business or a business unit, you must ask yourself two questions.

Is data security a major operational risk for your business?

Could be.

Unlike a computer virus, internally launched attacks on data that result in data leaks, breaches of integrity, loss of data availability and non-compliance are your problem, not someone else's.

Unlike business processes – data risk cannot be outsourced.

Unlike balance sheet assets – companies don’t know their current financial exposure to data security threats.

The next question is: should you invest in DLP technologies? Anyone with only a nickel in their pocket (and in this market, that is a lot of companies) will say "Why should we, when we don't know the return on investment?" To answer that question, you must measure your value at risk using a data security based risk assessment. This is a simple, almost obvious notion: you measure the risk of asbestos poisoning by checking your building insulation, and you measure the risk of fire damage by checking the building itself and the various policies, procedures and equipment related to fire prevention.

Think about smoke detectors. You can't put up an office building without smoke detectors (in Israel, the regulator has set a minimum density per square meter, and prices are low enough that contractors will basically install as many as you want). Why would you think of managing your data without comparable data breach monitoring equipment?

A data security based risk assessment uses DLP technology (the test equipment) and a best practices analytical risk model to measure the value of your data and your value at risk. Within a couple of weeks you should be able to get a picture of your current data security events, know your data value at risk in euros, and build a prioritized program of cost-effective data security controls in the people, process and technology planes. What you do then is up to you.

Most companies I know in Europe and Israel are not at a sufficient level of security maturity to do this kind of thing themselves, and will need an independent consultant: one with specific domain expertise in their industry vertical, specific data security expertise and the ability to do analytical threat modeling. Installing Check Point firewalls doesn't count, and you really want someone who is vendor neutral.

Advantages of a data security-focused risk assessment
  • Invaluable tool for obtaining visibility of inbound and outbound business transactions.
  • Monitoring that provides input into the risk analysis process required by compliance regulation like SOX, PCI DSS and European privacy laws.
  • Lays the basis for provable compliance with standards like PCI DSS 1.2 and ISO 27001/27002/27004.

How to valuate information assets

January 8th, 2010, admin

A client recently asked:

How do I assign a dollar value to an asset? Should I use the purchase value of the asset, the replacement value, or the expected damage to the company if the asset were stolen or exploited?

Estimating asset value is without doubt the most frequent question we get when it comes to calculating data security risk in monetary terms. There are several practical guidelines for measuring the value of information assets:

  • Use the right metric. A common mistake made by marketers who work for data security vendors is to estimate the cost of a data security breach as the number of records multiplied by some plug number. The cost of a data security breach to a company is not the same as the cost of a breached customer record to the customer. A customer may not even know that her credit card number was breached (considering that 250 million credit card numbers have been stolen in the past few years, it is a reasonable assumption that your credit card number is known to someone who stole it), but your cost is zero, isn't it?
  • Ask an expert, usually the CFO. The expert can and should provide confidence intervals for his estimate. The CFO is the best source and best equipped to decide whether replacement value, purchase value (depreciated) or opportunity cost is the relevant metric for measuring the value of an asset. It's OK if your CFO says that company IP is worth $50 million with a confidence level of 85%. If you do a practical threat modeling exercise, you will be able to test the sensitivity of your threat model to the confidence boundaries.
  • Use test equipment. For example, if the cost of acquiring a customer is $50, you can write an SQL query to find out how many customers you have and then multiply by $50. Looking at the fixed assets and GL modules is another example of using test equipment. If you have to measure the number of credit card numbers circulating in clear text on your network, I suggest network surveillance.
  • Use random sampling from a population of asset value estimators. The Rule of Five says that there is a 93% chance that the median of a population lies between the smallest and largest values in any random sample of five from that population. So if you have to estimate the value of a digital asset like intellectual property, you can ask five people for their estimate: for example, the CFO, the CTO, a customer, your VP marketing and a software developer who worked for one of your competitors.
  • Measure in small increments and be prepared to iterate. In other words, when you do a threat modeling exercise, take small steps: measure 5-10 asset values and move on from there. Most of the information value is gained at the beginning of a measurement exercise, and most companies measure things that have zero information value to the business because they are easy to measure (for example, how many SSH password attacks were made on company web servers) instead of the important things, like the value of a field service engineer diagnostic database that is distributed to notebook computers.
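As an added illustration (not part of the original post, and not the author's risk model) of the Rule of Five in the fourth guideline, of the sensitivity test suggested in the second, and of the value-at-risk figure that the risk assessment in the previous post rests on, here is a small Python script. It derives the 93% figure (the median is missed only when all five draws land on the same side of it), checks it against a constructed population, applies the rule to five constructed estimates, and sweeps the confidence bounds of an asset value and an annual breach probability to show how wide the resulting loss range is. Every number in it is constructed, and the loss model (loss = asset value × annual probability of a damaging event) is a deliberate simplification chosen for the example.

```python
import random
import statistics


def rule_of_five_probability(n=5):
    """P(population median lies between the min and max of n random draws).

    The median is outside the sample only when all n draws fall on the same
    side of it; for a continuous population that is 2 * 0.5**n.  n=5 -> 0.9375.
    """
    return 1 - 2 * 0.5 ** n


def rule_of_five_check(population, n=5, trials=20000, seed=7):
    """Empirical check of the rule against any list of numbers."""
    rng = random.Random(seed)
    median = statistics.median(population)
    hits = 0
    for _ in range(trials):
        sample = rng.sample(population, n)
        if min(sample) <= median <= max(sample):
            hits += 1
    return hits / trials


def median_range(estimates):
    """Apply the rule to a panel of estimators: [min, max] of any five
    estimates contains the median opinion with ~93% probability."""
    if len(estimates) < 5:
        raise ValueError("the Rule of Five needs at least five estimates")
    return min(estimates), max(estimates)


def expected_loss_sensitivity(value_low, value_high, p_low, p_high,
                              trials=20000, seed=11):
    """Sweep the confidence bounds of the two inputs and return the 5th, 50th
    and 95th percentiles of annual expected loss, with
    loss = asset value * annual probability of a damaging event (simplified).
    A wide spread between p5 and p95 means the inputs need tightening before
    the number is used to justify spending on controls."""
    rng = random.Random(seed)
    losses = sorted(
        rng.uniform(value_low, value_high) * rng.uniform(p_low, p_high)
        for _ in range(trials)
    )

    def pct(q):
        return losses[int(q * (trials - 1))]

    return pct(0.05), pct(0.50), pct(0.95)


if __name__ == "__main__":
    # Constructed population of 1,000 asset values in euros (lognormal).
    gen = random.Random(1)
    population = [gen.lognormvariate(15, 0.9) for _ in range(1000)]
    print("exact:", rule_of_five_probability())
    print("simulated:", rule_of_five_check(population))

    # Five constructed estimates (euros) of the value of a piece of IP:
    # CFO, CTO, a customer, VP marketing, ex-competitor developer.
    panel = [50e6, 20e6, 35e6, 80e6, 12e6]
    print("median range:", median_range(panel))

    # Asset worth 12M-80M, 2%-15% annual chance of a damaging leak.
    print("loss p5/p50/p95:", expected_loss_sensitivity(12e6, 80e6, 0.02, 0.15))
```

The point of the last function is the spread, not the median: if p5 and p95 differ by an order of magnitude, the cheapest next step is usually another measurement (a DLP scan, a count from the GL module) that narrows one of the inputs, rather than a control bought on the strength of p50.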

Is social media crap for business?

December 22nd, 2009, admin

A recent post by Kevin Conway on LinkedIn drew over 500 responses to his somewhat dramatic statement that Social Media for Business is CRAP:

Maybe because my feeling for the hyped-up benefits of social media was recently confirmed by a top millionaire online guru. If you follow the most successful gurus his name is always at the top of the list. As a matter of fact, he was the first online entrepreneur to make a MILLION $$ in a day. That said, recently he published a PDF where he said “I think social media Su-ks”. When I read that I felt a sigh of relief, “maybe I am not off the tracks after all”. You see when you don’t “follow the pack” you tend to sometimes feel like you are going down the wrong path or at least missing an opportunity. Now, I must admit I use all the major social media outlets including Twitter, Facebook, Squidoo, etc, etc. However, not for direct marketing. And, even though I publish new product releases on Twitter, analytics tells me no convertible traffic comes from that source or Facebook. My primary use of social sites is for building backlinks, but that is for SEO purposes. And, of course the added exposure. i.e. “branding” doesn’t hurt.

I believe that there are several fundamental principles that Kevin and the 500-odd responses ignored:

ONE – "The media must fit the product"
If you are pitching six-figure enterprise rights management systems on Facebook, then yes, social media is crap. But if you are pitching consumer or personal products, like fitness, fashion and self-improvement, you are in the right channel. And even though they are at the long tail, do not forget that even the geekiest IT managers are on Facebook, and they are always in buying decision mode.

TWO – "Social software is not social media"
It is a common misconception to confuse open, undifferentiated and uncontrolled social media like Twitter and Facebook with social networking software, which is used for the most serious and professional applications, from catching terrorists to helping medical sales professionals interact with their doctor customers.

Social networking software can be used in serious B2B domains, leveraging the network effect to generate 10x the customer contacts, since it works in parallel, not in series.

THREE – "Better to market to targeted people than to undifferentiated keywords"
My own experimentation using Twitter to build B2B communities in a particular niche showed me dramatically that social media is three orders of magnitude more effective at generating leads than Google AdWords.

The reason is simple: people with well-defined interests are much better targets than content keywords.


Worst executive behavior of the month award

November 24th, 2009, admin

For my Israeli readers: the only thing worse than not being serious is ending up a freier (a sucker).

I'm collecting data for a couple of articles on data security in social networks and ad-hoc mobile networks, so I've been a little slow on blogging lately and I'm down to general management and risk management stuff.

I think that cutting and running as soon as possible from unreliable business partners is an exercise in sound risk management. Let me know if you agree after reading the following story.

I have an acquaintance, Eran Lasser, who is co-founder and joint GM of John Bryce Training. Back when I ran Bynet Software (a Microsoft distributor and ACS, Authorized Support Center), we did some training projects with Eran as we were launching Windows NT and later Microsoft BackOffice.

I reached out to Eran last week with some ideas for management-level training courses in areas where I have some personal expertise: data security and, more recently, using social software for B2B sales. He asked their VP Business Development, Ori Lapid, to meet with me, and within a day or two a secretary made an appointment. On the morning of the appointment the secretary called to confirm; I came in a few minutes early and waited patiently for Ori to start the meeting.

After 5, 10 and 15 minutes went by with the secretary giving me the usual "he will be with you in a few minutes", I told the secretary that Ori's 15-minute academic grace period had expired, and I left. I thought it significant, and also a vindication of my decision to walk out, that neither the secretary nor Ori Lapid bothered to contact me and apologize for wasting my time.

This is the epitome of what Israelis call "not being serious", or, as they say in Israel, the only thing worse than not being serious is ending up a freier (a sucker).

Night walking on the freeway

November 23rd, 2009, admin

Ian Fleming once remarked on how sexy American road signs were: "winding curves" and "soft shoulders".

I was thinking of Ian Fleming while taking an unexpected 5 km walk at night on the shoulder of a six-lane freeway.

Last night I was driving my daughter's car on Route 6. There was a leak in the water pump, the engine overheated, and I stopped by the side of the road and called a tow.

Visualize: Route 6 South, 2 km before the Kfar Daniel interchange, 7 pm.

The tow company (Derachim) told me: up to 3 hours, plus a 60 shekel surcharge for service on Route 6. They asked me how I would like to pay and I said "cash". After an hour and a half the tow shows up, takes the car and, instead of taking the car (and me) to our garage in Shilat, leaves me by the roadside and drives off "to pick up another car in Rishon". I started walking; after a brisk 5 km hike I got a ride from a woman who had stopped by the side of the road to change her shoes. I got my wife on the horn and we rendezvoused at the gas station at Latrun.

The icing on the cake was a series of messages on my cell phone from the tow company at 11:30 pm, saying that they understood I was supposed to pay the Route 6 surcharge by credit card.

UK gets serious in the war on corruption

November 19th, 2009, admin

David Benyon of Op Risk and Compliance magazine reports:

New bribery and corruption legislation will be put before the UK parliament. Doing business using bribery would mean a decade in jail under the bill.

"The new Bribery Bill will make it far easier for companies and senior management to be prosecuted where bribes have been offered, paid or received. The new legislation will be even wider than the US Foreign Corrupt Practices Act, because it covers business-to-business transactions as well as business transactions with government or state-owned bodies," says Neill Blundell, partner and head of the fraud group at law firm Eversheds.

Small Business Information Security

November 17th, 2009, admin

Small businesses need information security, perhaps even more than big businesses, because they probably have fewer resources and are more vulnerable to hackers.

NIST has released guidelines for Small Business Information Security.

Data security for an SMB – Flying First Class on a budget

November 6th, 2009, admin

A talk I gave recently at one of our Thursday online workshops on data security.

More data security presentations from Danny Lieberman.

Data security presentations

November 6th, 2009, admin

My prospects are out, it's beautiful weather (already got my morning ride in, thank you) and it's time to clean up my desk for the weekend.

I need to talk about data security presentations. Most of them are horrible: heavy on technical details or heavy on corporate marketing fluff. If the presentation is about same origin policy and DNS pinning (see Christian Matthies's excellent explanation of DNS pinning and anti-DNS pinning), you would start out by showing the DNS request/response strings, like this DNS response:

0000 00 16 41 ae 68 f2 00 30 6e 2c 9e a3 08 00 45 00 ..A.h..0 n,....E.
0010 00 82 95 e5 00 00 3f 11 58 4a 04 02 02 02 10 10 ......?. XJ...d..
0020 10 02 00 35 c7 c2 00 6e bd 6d b2 bb 85 80 00 01 ...5...n .m......
0030 00 02 00 01 00 01 03 77 77 77 09 73 65 63 74 68 .......w ww.secth
0040 65 6f 72 79 03 63 6f 6d 00 00 01 00 01 c0 0c 00 eory.com ........
0050 05 00 01 00 00 0e 10 00 02 c0 10 c0 10 00 01 00 ........ ........
0060 01 00 00 0e 10 00 04 43 4e 3d c8 c0 10 00 02 00 .......C N=......
0070 01 00 00 0e 10 00 09 06 6e 61 6d 65 73 76 c0 10 ........ namesv..
0080 c0 4d 00 01 00 01 00 00 0e 10 00 04 c0 a8 00 64 .M...... .......d
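As an added example (not part of the original post), here is a Python decoder for the frame above: it turns the dump back into bytes, walks Ethernet, IPv4 and UDP while checking that the length fields agree, and parses the DNS message, including RFC 1035 name compression pointers, with a hop limit so a hostile packet cannot loop it. The dump text is copied from above; nothing beyond the standard library is needed.

```python
import struct

# The dump shown above (offset, 16 hex bytes, ASCII column), copied from the post.
DNS_RESPONSE_DUMP = """\
0000 00 16 41 ae 68 f2 00 30 6e 2c 9e a3 08 00 45 00 ..A.h..0 n,....E.
0010 00 82 95 e5 00 00 3f 11 58 4a 04 02 02 02 10 10 ......?. XJ...d..
0020 10 02 00 35 c7 c2 00 6e bd 6d b2 bb 85 80 00 01 ...5...n .m......
0030 00 02 00 01 00 01 03 77 77 77 09 73 65 63 74 68 .......w ww.secth
0040 65 6f 72 79 03 63 6f 6d 00 00 01 00 01 c0 0c 00 eory.com ........
0050 05 00 01 00 00 0e 10 00 02 c0 10 c0 10 00 01 00 ........ ........
0060 01 00 00 0e 10 00 04 43 4e 3d c8 c0 10 00 02 00 .......C N=......
0070 01 00 00 0e 10 00 09 06 6e 61 6d 65 73 76 c0 10 ........ namesv..
0080 c0 4d 00 01 00 01 00 00 0e 10 00 04 c0 a8 00 64 .M...... .......d
"""

RR_TYPES = {1: "A", 2: "NS", 5: "CNAME"}


def dump_to_bytes(dump):
    """Rebuild the frame: skip the offset column, take the 16 hex tokens,
    ignore the ASCII column."""
    frame = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if fields:
            frame.extend(int(tok, 16) for tok in fields[1:17])
    return bytes(frame)


def read_name(msg, offset):
    """Decode a domain name at `offset`, following compression pointers
    (RFC 1035 4.1.4). Returns (name, offset just past the in-place field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # 11xxxxxx: pointer to an earlier name
            if end is None:
                end = offset + 2             # the in-place field is the 2-byte pointer
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            hops += 1
            if hops > 16:                    # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def read_rr(msg, offset):
    name, offset = read_name(msg, offset)
    rtype, _rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
    offset += 10
    if offset + rdlength > len(msg):
        raise ValueError("RDLENGTH runs past the end of the message")
    if rtype == 1 and rdlength == 4:
        value = ".".join(str(b) for b in msg[offset:offset + 4])
    elif rtype in (2, 5):                    # NS and CNAME carry a (compressible) name
        value, _ = read_name(msg, offset)
    else:
        value = msg[offset:offset + rdlength].hex()
    rr = {"name": name, "type": RR_TYPES.get(rtype, rtype), "ttl": ttl, "value": value}
    return rr, offset + rdlength


def parse_dns(msg):
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    offset, questions = 12, []
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append((qname, RR_TYPES.get(qtype, qtype)))
    result = {"id": ident, "qr": flags >> 15, "aa": (flags >> 10) & 1,
              "rcode": flags & 0xF, "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, offset = read_rr(msg, offset)
            rrs.append(rr)
        result[section] = rrs
    return result


def parse_frame(frame):
    """Ethernet II -> IPv4 -> UDP -> DNS, checking the length fields first."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    total_length = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 17:
        raise ValueError("not UDP")
    udp = 14 + ihl
    sport, dport, ulen = struct.unpack_from("!HHH", frame, udp)
    if total_length != ihl + ulen or len(frame) < 14 + total_length:
        raise ValueError("IP/UDP length mismatch")
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "dns": parse_dns(frame[udp + 8:udp + ulen])}


if __name__ == "__main__":
    decoded = parse_frame(dump_to_bytes(DNS_RESPONSE_DUMP))
    print(f"{decoded['src']}:{decoded['sport']} -> {decoded['dst']}:{decoded['dport']}")
    for section in ("questions", "answer", "authority", "additional"):
        print(section, decoded["dns"][section])
```

Decoded, the dump is an authoritative answer (AA set, RCODE 0) from 4.2.2.2 to 16.16.16.2: www.sectheory.com is a CNAME for sectheory.com, which has address 67.78.61.200; the authority section names namesv.sectheory.com, and the additional section maps that name server to 192.168.0.100, an RFC 1918 private address, all with a 3600 second TTL. A public name resolving to a private address is the pattern that DNS rebinding attacks rely on and that browser DNS pinning was introduced to counter, which is why a packet like this belongs in a DNS pinning talk, decoded rather than as raw hex.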

If the presentation is about Symantec Data Loss Prevention Suite 9.0, it will start off with a ton of text like this:

Today, just about anybody in an organisation can share, access, and disseminate information easily. Organisations have come to depend on it – in fact, it is enormously empowering. At the same time, the workforce has become increasingly mobile and the ubiquity of high-speed Internet access, smart mobile devices, and portable storage means that ”the office” can be anywhere.

As a consequence, it has become more difficult than ever for organisations to prevent the loss of sensitive data. According to the Ponemon Institute*, more than 250 million personal records have been exposed by data breaches since 2005, with each breach costing an average of US$6.6 million to the unfortunate organisation.

Clearly yesterday's security perimeters aimed at securing the IT network cannot address today's data security challenges, and it's time to shift the focus to securing the data itself.

Symantec Data Loss Prevention delivers a unified solution to discover, monitor, and protect confidential data – wherever it is stored, or however it is used. Only Symantec offers comprehensive coverage of confidential data across endpoint, network, and storage systems.

Let’s face it, most data security presentations stink

I consider myself a pretty good presenter: I try to keep my presentations clear, concise, emotional and entertaining. But there is always room for improvement, so I went back and watched Steve Jobs' launch presentation of the iPhone. I took notes. Jobs is an awesome presenter. Here are some secrets for an effective data security presentation (with all credit to Steve Jobs).

I feel something in the air

Yes, it is the train to Heathrow and I am about to get run over.

Preventing data loss in municipal government

Mind the gap: mind the policy enforcement gap

  • Have ONE consistent message, for example "Why firewalls cannot prevent data loss".
  • One message per slide, e.g. "Firewalls block ports, but DLP requires blocking data".
  • Keep it simple, e.g. "Data security requires closing the gaps between policy and enforcement".
  • Demo: show them a data security breach live.
  • It's always good to have an enemy, like this: "Websense, Symantec, McAfee".
  • And then there is the Steve Jobs "One more thing" (like Count Basie on the swing classic April in Paris, when he says "One more time" and then "One more once").
  • Practice over and over again until you have your line down perfectly. If you play a line on tenor saxophone at 120, then you should have it under your fingers at 180.

