
Archive for June, 2010

Controlled social networking

June 20th, 2010, by admin

I saw a post recently on Controlled social networking for student collaboration. One of the comments lamented not having the head count to install technology to control Facebook access by students.

Frankly, as a data security and compliance consultant who does a lot of work with corporates in social networking (both on the application side and the security side), I would not accept a lack of technology as an excuse for social media abuse.

This is a cultural and behavioral issue similar to any other content abuse issue. It starts with education: at home, in the school and with parental and teacher role models.

Current definitions of privacy are changing. The regulatory definitions of privacy used by legislators in the credit card and HIPAA compliance space do not seem relevant to under-25 users of Facebook, who are happy to disclose pictures of themselves but are very careful about what they show and whom they share the media with. I believe that as social media becomes part of the continuum of social interaction in the physical and virtual worlds, privacy becomes an issue of personal, discretionary disclosure control.

To this extent, it seems to me that we are moving rapidly towards a new generation of social networking that is much closer to what happens in the physical world: centered on individual perspectives, one person, their friends, selective disclosure and information leakage by word of mouth rather than by IP protocols, social media and public access Web sites like Facebook.

But – that is already another technology kettle of fish.

Are you still using Excel for risk assessment?

June 18th, 2010, by admin

There is a school of thought that says you can take any complex problem and break it down like Swiss cheese. Risk assessment data collection and analysis with Excel is one of those problems that can’t be Swiss-cheesed. A collection of brittle, unwieldy, two-dimensional worksheets is a really bad way of doing multi-dimensional modelling.

Consider that a typical risk assessment exercise will have a minimum of 4 dimensions (assets, threats, vulnerabilities and controls) and I think you will agree with me that Excel is a poor fit for risk assessment.

Here is where PTA (Practical Threat Analysis) comes to the rescue. You can download the free risk assessment software and try it yourself.

Any risk assessment process can be automated using Practical Threat Analysis and the PTA threat modeling database. PTA is a threat modelling methodology and software tool that has been downloaded over 15,000 times and has thousands of security analysts using it daily.

PTA (Practical Threat Analysis) was first introduced in a paper by Ygor Goldberg titled “Practical Threat Analysis for the Software Industry” published online at Security Docs in October 2005. PTA provides a number of meaningful benefits for security and compliance risk assessments:

  • Quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
  • Robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
  • Versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
  • Effective: recommends the most effective security countermeasures and their order of implementation. In our experience, PTA can help a firm mitigate 80% of the risk at 20% of the total control cost.

The PTA calculative model is implemented in a user-friendly Windows desktop application, available as freeware at the PTA Technologies web site. A PTA ISO 27001 library is available as a free download and is licensed under the Creative Commons Attribution License.

The need for cost effective risk reduction

Despite the importance of privacy and governance regulation, compliance is a minimum requirement for risk management, not a sufficient one.

The question is: What security controls should a firm implement after a risk assessment?

Taking ISO 27001 as a baseline security standard with a comprehensive set of controls, the ISO 27001 certification process can be as simple or as involved as an organization wants, but there are always far more available controls than threats. As a result, organizations large and small find themselves coping with a long and confusing shopping list of controls. You can implement the entire checklist of controls (if you have deep pockets), you can do nothing, or you can try to achieve the most effective purchase and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.

However, implementing additional controls does not necessarily reduce risk.

For example, beefing up network security (firewalls and proxies) and installing advanced application security products is never a free lunch; it tends to increase total system risk and cost of ownership, as a result of the interaction between the elements and the inflation in the number of firewall and content filtering rules.

Firms often view data asset protection as an exercise in Access Control (Section 11 of ISO 27001) that requires better permissions and identity management (IDM). However, further examination of IDM systems reveals that (a) IDM does not mitigate the threat of a trusted insider with appropriate privileges and (b) the majority of IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.

How to choose cost-effective controls

A PTA threat model enables a risk analyst to discuss risk in business terms with her client and construct an economically justified set of security controls that reduces risk in a specific customer business environment. A company can execute an implementation plan for security controls consistent with its budget, instead of using an all-or-nothing checklist designed by a committee of experts who all work for companies 100x the size of your operation.
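To make the four dimensions (assets, threats, vulnerabilities, controls) and the "most effective countermeasures in order of implementation" idea concrete, here is a small quantitative risk model with a greedy, budget-constrained control selection. This is an added illustration written for this post, not PTA's engine or its calculative model; the asset values, probabilities, mitigation fractions and the "attack chain" assumption (a threat needs all of its listed vulnerabilities, so fixing any one of them lowers its likelihood) are constructed for the example.

```python
"""Toy quantitative risk model: annual expected loss per threat, and a greedy
plan that buys the control with the best risk reduction per dollar first.
Illustrative only; the numbers below are constructed, not from any real assessment."""
from dataclasses import dataclass
from math import prod
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float           # monetary value of the asset


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str             # name of the asset the threat damages
    probability: float     # annual likelihood of occurrence with no controls
    damage: float          # fraction of asset value lost per occurrence
    vulnerabilities: FrozenSet[str]  # weaknesses the attack chain relies on


@dataclass
class Control:
    name: str
    cost: float
    mitigates: Dict[str, float]  # vulnerability -> fraction of exploitability removed


def residual_factor(vuln: str, applied: List[Control]) -> float:
    """Exploitability left for one vulnerability after the applied controls;
    several controls on the same vulnerability compound multiplicatively."""
    return prod(1.0 - c.mitigates.get(vuln, 0.0) for c in applied)


def threat_risk(threat: Threat, assets: Dict[str, Asset], applied: List[Control]) -> float:
    """Annual expected loss from one threat. Assumption of this toy model: the listed
    vulnerabilities form a chain the attack needs in full, so residual likelihood is
    the product of the per-vulnerability residual factors."""
    chain = prod(residual_factor(v, applied) for v in threat.vulnerabilities)
    return assets[threat.asset].value * threat.damage * threat.probability * chain


def total_risk(threats: List[Threat], assets: Dict[str, Asset], applied: List[Control]) -> float:
    return sum(threat_risk(t, assets, applied) for t in threats)


def plan_controls(threats, assets, controls, budget) -> Tuple[List[str], float, float]:
    """Greedy ordering: at each step buy the affordable control with the largest
    risk reduction per unit cost; stop when nothing affordable still reduces risk.
    Returns (control names in implementation order, money spent, residual risk)."""
    applied: List[Control] = []
    remaining = budget
    current = total_risk(threats, assets, applied)
    while True:
        best, best_ratio, best_risk = None, 0.0, current
        for c in controls:
            if any(a.name == c.name for a in applied) or c.cost > remaining:
                continue
            after = total_risk(threats, assets, applied + [c])
            ratio = (current - after) / c.cost
            if ratio > best_ratio:
                best, best_ratio, best_risk = c, ratio, after
        if best is None:
            break
        applied.append(best)
        remaining -= best.cost
        current = best_risk
    return [c.name for c in applied], budget - remaining, current


# Constructed sample model for a small online retailer (values are illustrative).
ASSETS = {a.name: a for a in [Asset("customer database", 2_000_000), Asset("web server", 300_000)]}
THREATS = [
    Threat("SQL injection", "customer database", 0.3, 0.5,
           frozenset({"unvalidated input", "excessive db privileges"})),
    Threat("insider data theft", "customer database", 0.1, 0.8,
           frozenset({"excessive db privileges", "no outbound monitoring"})),
    Threat("web defacement", "web server", 0.4, 0.2, frozenset({"unpatched web server"})),
]
CONTROLS = [
    Control("input validation / WAF", 40_000, {"unvalidated input": 0.9}),
    Control("least-privilege db accounts", 15_000, {"excessive db privileges": 0.7}),
    Control("database activity monitoring", 60_000,
            {"no outbound monitoring": 0.6, "excessive db privileges": 0.3}),
    Control("patch management", 10_000, {"unpatched web server": 0.8}),
]

if __name__ == "__main__":
    baseline = total_risk(THREATS, ASSETS, [])
    plan, spent, residual = plan_controls(THREATS, ASSETS, CONTROLS, budget=100_000)
    print(f"baseline annual risk: {baseline:,.0f}")
    for i, name in enumerate(plan, 1):
        print(f"{i}. {name}")
    print(f"spent {spent:,.0f}; residual risk {residual:,.0f} "
          f"({1 - residual / baseline:.0%} reduction)")
```

With these constructed numbers the cheap least-privilege control is bought first because it cuts two threats at once, the monitoring product is never bought because it no longer fits the remaining budget, and roughly 87% of the baseline risk is removed for 65% of the budget, which is the kind of 80/20 outcome the post describes. The point is the ordering by reduction-per-cost, not the specific values: swap in your own assets, threats and controls and the same loop produces a budget-consistent implementation plan.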

Database activity monitoring

June 16th, 2010, by admin

If you deploy or are considering data security technology from Websense, Fidelis, Verdasys, Guardium, Imperva or Sentrigo – do you give a DAM?

It seems that DLP (data loss prevention) vendors are moving up the food chain into DAM (database activity monitoring). As customers deploy two products in parallel (for example Imperva and Fidelis) for DLP and DAM, the opportunity to reduce TCO (total cost of ownership) seems to be a clear imperative.

Both Websense and Fidelis Security provide DLP functionality for structured data in databases (Fidelis calls it internal DLP), and Websense provides fairly granular fingerprinting of combinations of relational table columns using their PreciseID technology.

Although Websense focuses on deep content analysis and stays away from application security, Verdasys provides application logging at the endpoint and Fidelis provides application analysis via the network session, in addition to deep content inspection. Both are functions strongly related to database activity monitoring.

Here are the goals I would set for database activity monitoring, given the high level of interaction with client/server and Web applications:

  • Monitor ERP, CRM, HR, BI/data warehouse and financial application access to the data model in order to detect irregular patterns indicative of fraud (for example, repetitive access to celebrity account numbers).
  • Audit database segregation of duties (SOD) – for example, detecting SELECT * statements by database administrators on schemas holding customer data.
  • Measure the extent of database vulnerabilities in order to quantify probability of occurrence.
  • Do it without having to touch the database management system software – for example, by sniffing database network traffic and decoding the protocols, such as Oracle OCI.
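The first two goals can be expressed as detection rules over the SQL statements a passive monitor decodes from database traffic. The following is an added example written for this post, not code from any of the vendors named above: it assumes the monitor has already produced one record per statement (timestamp, database user, session role, client program, SQL text), and the log lines, the customer schema name and the watch list of sensitive account numbers are constructed for the example.

```python
"""Two DAM rules over decoded database statements: a DBA reading customer data
wholesale (SOD violation), and one user repeatedly touching watch-listed accounts.
Added illustration; the records, schema name and watch list are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    db_user: str
    role: str        # session role recorded by the monitor, e.g. "dba" or "app"
    client: str      # originating client program, e.g. "crm-app" or "sqlplus"
    sql: str


CUSTOMER_SCHEMA = "customers"                    # schema that holds customer data
WATCHED_ACCOUNTS = {"100200300", "100200301"}    # constructed "celebrity" account numbers

SELECT_ALL = re.compile(r"^\s*select\s+\*\s+from\s+(\w+)\.(\w+)", re.I)
ACCOUNT_LOOKUP = re.compile(r"\baccount_no\s*=\s*'(\d+)'", re.I)

# Constructed monitor output, one statement per line: ts|user|role|client|sql
SAMPLE_LOG = """\
2010-06-16T09:00:00|crm_svc|app|crm-app|SELECT name, balance FROM customers.accounts WHERE account_no = '100200300'
2010-06-16T09:01:30|crm_svc|app|crm-app|SELECT name, balance FROM customers.accounts WHERE account_no = '555000111'
2010-06-16T09:03:10|crm_svc|app|crm-app|SELECT name, balance FROM customers.accounts WHERE account_no = '100200301'
2010-06-16T09:04:45|crm_svc|app|crm-app|SELECT name, balance FROM customers.accounts WHERE account_no = '100200300'
2010-06-16T09:20:00|jsmith|dba|sqlplus|SELECT * FROM customers.accounts
2010-06-16T09:21:00|jsmith|dba|sqlplus|SELECT * FROM sys.dba_users
2010-06-16T10:00:00|report_svc|app|bi-etl|SELECT * FROM customers.accounts
2010-06-16T11:30:00|crm_svc|app|crm-app|SELECT name FROM customers.accounts WHERE account_no = '100200300'
"""


def load_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        ts, user, role, client, sql = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), user, role, client, sql))
    return events


def sod_violations(events: List[Event]) -> List[Tuple[datetime, str, str]]:
    """Rule 1: a DBA session doing SELECT * on a table in the customer schema.
    The same statement from an application role is left to rule 2 / other rules."""
    hits = []
    for e in events:
        m = SELECT_ALL.match(e.sql)
        if e.role == "dba" and m and m.group(1).lower() == CUSTOMER_SCHEMA:
            hits.append((e.ts, e.db_user, f"{m.group(1)}.{m.group(2)}"))
    return hits


def repetitive_watched_access(events: List[Event], threshold: int = 3,
                              window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Rule 2: one db user looks up watch-listed accounts `threshold` or more times
    inside any sliding `window`. Returns user -> peak count within a window."""
    per_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        for acct in ACCOUNT_LOOKUP.findall(e.sql):
            if acct in WATCHED_ACCOUNTS:
                per_user[e.db_user].append(e.ts)
    alerts: Dict[str, int] = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for ts, user, table in sod_violations(evs):
        print(f"SOD: {ts} {user} read {table} wholesale")
    for user, count in repetitive_watched_access(evs).items():
        print(f"FRAUD PATTERN: {user} touched watch-listed accounts {count}x within 10 minutes")
```

Both rules need only the statement text and session metadata, which is exactly what a network-level monitor that decodes the database protocol can supply without touching the DBMS. In practice rule 2 is keyed on the end-user identity the application passes in session context rather than on the shared service account, since every CRM query here arrives as crm_svc; the sliding-window logic is unchanged.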

What price privacy?

June 16th, 2010, by admin

Dr. David Gurevich, in an interview with the Israeli business daily Globes, predicts that real-time death will be the next development in reality programming. Once the domain of science fiction and fantasy, the online death scenario is, Dr. Gurevich believes, an inevitable development in the loss of privacy and wave of voyeurism brought on by social networks like Facebook.

Although many people would love to participate in televised reality shows like Survival, it’s no longer necessary; you can do it yourself on YouTube.

Like any other scarce commodity, I predict that online privacy will soon become a product that people pay dearly for, perhaps to the point of buying entrance into a totally technology-free environment.


Economic crime vulnerabilities

June 14th, 2010, by admin

The key vulnerabilities of a business to fraud and data loss are rooted in the four sins of hubris: thinking, looking, fighting and denying.

Hubris is defined as excessive pride or self-confidence, starting with the thought that fraud and data theft won’t happen to you. Most firms look in the wrong direction, by focusing on external threats and malware instead of trusted insiders and organized crime. They fight the wrong battle, by installing anti-virus on machines that are not vulnerable to virus attacks and relying on firewalls for data loss prevention. By not monitoring outbound data flows they also gain plausible deniability that there are issues of data loss and economic crime in the organization.

The sins of hubris lead to a situation where the bigger you are, the harder you fall (“It can’t happen to me because we have governance, IT etc.”). According to the PwC 2009 Global Economic Crime Survey, bigger companies experienced more fraud:

46% of organisations experiencing economic crime had more than 1,000 employees.

Companies in the 201 – 1,000 employee range experienced almost half the number of frauds of their larger cousins. But this may be because they have fewer governance programmes in place, or what they do have are less effective.

By the way, I think PwC have it wrong. Smaller companies may have fewer governance programs in place, and because they have less money, those programs are probably more effective, not less.

Denial of data loss and economic crime also derives from an incomplete understanding of the economic costs. The 2009 PwC economic crime survey points out that:

27% of those reporting fraud in the last 12 months put its costs at more than $500,000.

One quarter of respondents reporting accounting fraud estimated that it had cost them more than US$1m.

Only 17% of those who suffered asset misappropriation reported losses of more than US$1m.

The impact of economic crime is not just financial: 32% of respondents said employee morale was most affected by such incidents.

Data loss and fraud events are unpredictable, high-impact events without precedent that cannot be forecast with virus/epidemiology or market risk models. The assumption in these models is that the unexpected can be predicted by extrapolating trends from past observations, especially when those statistics are assumed to be samples from a normal distribution. Other distributions might fit historical data better, such as fractal (for earthquakes) or Lévy distributions (for securities returns) or EVT (for operational risk events), but in all economic crime cases organizational culture was at the center of losses, and more specifically a complex interaction of culture, people and rapidly-changing technology.

It’s impossible to stave off fraud and data theft with technology or procedures alone, due to the complexity, but with management that puts a priority on the business objective of protecting company assets and customers, an organization will be able to go beyond governance and security checklists and reduce its value at risk.

Economic crime and data theft warrant a zero-tolerance culture, starting in the boardroom and with executive management leading by example, with open doors and ethical behavior.

2010 FIFA world cup game and software piracy

June 11th, 2010, by admin

It’s World Cup season and Mondial fever will probably put a lot of regional conflicts on the back burner for the next month – not to mention put a dent in a lot of family budgets (husbands buying the latest 60 inch Sony Bravia and wives on retail therapy while the guys are watching football).

I wanted to write a review of the 2010 FIFA World Cup South Africa video game (it would have been a great excuse for my wife) but I don’t have the right platform – I use Ubuntu and I have neither an Xbox 360 nor a Playstation 3.

It’s ironic that the South African World Cup game doesn’t run on Ubuntu. It would have been a huge marketing coup and poetic justice if the game software had been released for Ubuntu under a GPL license.

That got me thinking about open source licensing and its advantages for developing countries, which really got my hackles up after reading the Seventh Annual BSA and IDC Global Software Piracy Study, which screams: Software Theft Remains Significant Issue Around the World

The rate of global software piracy climbed to 43 percent in 2009. This increase was fueled in large part by expanding PC sales in fast-growing, high-piracy countries and increasing sales to consumers — two market segments that traditionally have higher incidents of software theft. In 2009, for every $100 worth of legitimate software sold, an additional $75 worth of unlicensed software made its way onto the market. There was some progress in 2009 — software rates actually dropped in almost half of the countries examined in this year’s study.

Given the global recession, the software piracy picture could have taken a dramatic turn for the worse. But progress is being outstripped by the overall increases in piracy globally — and highlights the need for governments, law enforcement and industry to work together to address this vital economic issue.
Below are key findings from this year’s study:

  • Commercial value of software theft exceeds $50 billion: the commercial value of unlicensed software put into the market in 2009 totalled $51.4 billion.
  • Progress on piracy held through the recession: the rate of PC software piracy dropped in nearly half (49%) of the 111 economies studied, remained the same in 34% and rose in 17%.
  • Piracy continues to rise on a global basis: the worldwide piracy rate increased from 41% in 2008 to 43% in 2009; largely a result of exponential growth in the PC and software markets in higher piracy, fast growing markets such as Brazil, India and China.

I would not take the numbers IDC and BSA bring at face value. The IDC/BSA estimates are guesses multiplied several times. They start off by assuming that each unit of copied software represents a direct loss of a sale for the software vendor – patently a false assertion.

If it were true, then the demand for software would be independent of price and perfectly inelastic.

A drop in price usually results in an increase in the quantity demanded by consumers. That’s called price elasticity of demand. Demand for a product is inelastic when it doesn’t change with price. A product with no competing alternative is generally inelastic. Demand for a unique antibiotic, for example, is highly inelastic: a patient will pay any price to buy the only drug that will kill their infection.

If software demand were perfectly inelastic, then everyone would pay in order to avoid the BSA enforcement tax and the rate of software piracy would be 0. Since the piracy rate is non-zero, the original assertion is false. (Argument courtesy of the Wikipedia article on price elasticity of demand.)

Back when I ran Bynet Software Systems – we were the first Microsoft Back Office/Windows NT distributor in Israel. I had just left Intel – where we had negotiated a deal with Microsoft that allowed every employee to make a copy of MS Office for home usage. Back in 1997 – after the Windows NT launch, the demand for NT was almost totally inelastic – Not There, Nice Try, WNT is VMS + 1 etc. We could not give the stuff away in the first year. Customers were telling us that they would never leave Novell Netware. Never. But NT got better from release to release and the big Microsoft marketing machine got behind the product. After two years of struggle and selling retail boxes and MLP for NT, demand picked up. Realizing that there IS price elasticity of demand for software – Microsoft dropped retail packaging and moved to OEM licensing, initially distributing OEM licenses via their two-tier distribution channel and later totally cutting out the channel and dealing directly with the computer vendors like HP, Dell and IBM for OEM licenses of NT, XP and 2000, 2003 etc. Vista continued with this marketing strategy and most Vista sales were not retail boxes but pre-installed hardware. After Windows 7 was released – users have been upgrading en masse, proving once again the elasticity of demand for a good product.

Microsoft (who are a major stakeholder in BSA) probably don’t have a major piracy problem with operating system sales. Let’s run some numbers. In 2008, Microsoft Windows Vista sales were at about a 9 million unit/quarter run rate. Microsoft June 2008 quarterly revenue was $15.8 BN. Single unit OEM pricing for a Windows operating system is about $80 and in a volume deal maybe $20. Let’s assume an average of $50/OEM license. This means that the operating system accounts for about 50*3*9/15800 = 8.5% of Microsoft revenue.

The BSA Global Piracy Study states that the “median piracy rate is down one percentage point from last year”. One percent of 8.5 percent is meaningless for Microsoft; in dollar terms, BSA’s work to reduce piracy is less meaningful than the 7 percent drop in the US Dollar rate in 2009.

Microsoft might have a problem with their cash cow, Microsoft Office. Microsoft Office 2007 retails for $450 but is available under an academic license for less than $100. Open Office 2.4 runs just fine on Windows 7 and XP and retails for $0. At those prices, sizable numbers of users are just sliding down the elasticity curve, calling into serious question the IDC/BSA statistics on software piracy.

But there is more to software piracy than providing software at a reasonable price. In poor areas of the world – assuming that the BSA efforts at combating software piracy are successful – only the very rich would have access to applications like Microsoft Office. Middle and lower class people won’t have the opportunity to become MS Office-literate because the prices would be too high. For that I have only three words: download Open Office, the free and open productivity suite.

Finally – I can only anonymously quote a senior Microsoft executive who told me a number of years ago that off the record, Microsoft didn’t mind people copying the software and using a crack because it was a good way of introducing new users to the technology and inducing them to buy the new, improved and supported release a year or two later.

The next generation of risk analysis

June 7th, 2010, by admin

“What me worry – I’ve got a regulatory check list and an enterprise risk management system to manage the process”.

I want to talk about under-thinking the risk analysis and over-spending on the solution.

I believe there is a fundamental flaw in enterprise risk management systems: they don’t really tell the organization anything it doesn’t already know, and if we don’t bring some fresh input and new risk intelligence to the board room, we are not going to be very effective at mitigating new threats.

The problem with enterprise risk management systems starts with a focus on managing internal business processes, as if mitigating threats to intellectual property were like producing a purchase requisition.

Systems like Oracle ERM help “assess risk for a portfolio across multiple parameters” and provide a powerful way of collecting data from users by asking them how ‘risky’ their part of a business process is and then rolling up the total risk in the business process. This approach of self-assessment may actually be a very bad idea for an effective risk mitigation program, since users can answer self-guided questionnaires any way they feel like. It’s called GIGO, garbage in, garbage out: a system that rolls up a bunch of arbitrary answers will give an arbitrary result, which might help the auditor rack up billable hours but won’t help management anticipate and mitigate threats in a cost-effective way.

Most of these systems seem to try to satisfy one kind of compliance regulation or another. Asking a bunch of people how risky their part of the business process is, whether they care about it or not, is not a good way of ensuring quality data collection. This sort of risk assessment doesn’t help people do their job better and doesn’t help a business protect customer data more effectively.

Another vulnerability of enterprise risk management stems from a standardized checklist approach, which encourages under-thinking the analysis and over-spending on the solution. Checklists like PCI DSS 1.2 were outdated the moment they were published, and comprehensive checklists like ISO 27001 lack security metrics and prioritization of control implementation – although I will grant that ISO is moving in that direction.

While checklist applications are important for the customer and the auditor in order to prove compliance – sticking blindly to a checklist doesn’t help an organization find cost-effective security controls, respond to new threats or sustain a consistent level of security.

There are a few things that I’d like to see in a next generation risk management system that might help organizations get out from under their rock and discover new threats and new ways of implementing countermeasures:

  • Believe it or not – a totally different user interface – like maybe Facebook for risk assessment. If risk assessment was a must-have business resource like general ledger, then the user interface might not matter, but I suspect that a social-networking application for risk data collection and collaboration between analysts, attackers, vendors and managers might go a long way. SMS and email, for example, were hard to use when they were first introduced, but the network connectivity value that users got out of them was so high that people used them anyway and then the applications took off like sky rockets.
  • Global catalog of risk model classes & entities – like a Wikipedia of risk
  • Multiple language support (let’s face it, most of the world doesn’t speak English)
  • Open source plugin  risk models and model inheritance – that would enable a threat analyst in India to build a risk model base class and have an analyst in San Francisco be able to inherit the model and add new functionality
  • Risk model authoring and entitlement – this would help risk analysts monetize their efforts.

Brainwashed by propaganda?

June 3rd, 2010, by admin

I normally blog about data security issues – I specialize in helping technology companies prevent trusted insider data leakage, protect intellectual property, reputation and trade secrets and mitigate attacks on sensitive data by malicious software.

However – the recent terror flotilla to Israel and the double moral standard of the UN Human Rights Council, which has condemned Israel 25 times in the past 3 years without once condemning human rights violations in Iran and Darfur – make one pause to think.

In Israel there is a general feeling that Israelis are to blame for the world hating Israelis.

There are at least six versions of this way of thinking – the first is anti-semitism (people hate Israelis because they are Jewish), a second version is that extreme left university professors have provided the political rhetoric and ammunition for our enemies, a third version is that our political leaders are weak and/or corrupt (Bibi and Barak), a fourth version is that the occupation has corrupted Israeli morals, making Israelis despicable in the eyes of the world, a fifth version is that if we would only get our public relations sorted out and speak with a British accent – then the world would accept Jewish presence, and a sixth version says that the Palestinians, Iranians and Syrians really want peace – and that if Israel would only stop the occupation and down-size, then we would have peace and the world would accept the Jewish nation – once it had been reduced to an acceptably small, bite-sized portion.

I believe that all versions rest on one question which has not been fundamentally tested – which is what do our neighbors really want?

Brainwashed by propaganda?
Deborah Fink from the organisation Jews for Boycotting Israeli Goods (J-BIG), said it was “disgusting” that so many children were present to support the Israeli state.
They’ve been brainwashed. We wouldn’t bring loads of children out to things like this. They go to schools where they’re brainwashed with Israeli propaganda.
Ms Fink is one of many British Jews who campaign for an end to the occupation of Gaza and the West Bank.

Apparently Ms. Fink is mind-controlled by Palestinian propaganda and has conveniently forgotten that Israel does not occupy Gaza, having left that area almost 5 years ago. Read more at BBC News – Gaza Crisis. I recommend that Ms. Fink read about the unilateral disengagement from Gaza in August 2005.

Unfortunately, we – Israelis are mind-controlled as well and have forgotten our primary mission – which is the development of the state of Israel – not down-sizing, not outsourcing nor appeasing terrorists.

There is I believe, a fundamental misunderstanding of what makes terrorists tick.

In order to test the assumption behind the various Middle East peace plans of the past 30 years – it is important to test an important hypothesis – “Israel’s neighbors want peace”.

Let’s conduct a “gedanken experiment” using 2 assumptions, which I believe are accepted by most politicians today – and consistent with US, Russian and European foreign policy:

  1. Peace is a valuable product.
  2. Israel holds the keys to regional peace.

Since there is wide agreement in Israel, the US, Europe and Muslim countries, that Israel holds the keys to regional peace – then it becomes a question of price – how much are the other parties (Syria, Palestine, Iran, Turkey …) willing to pay to acquire that product – i.e. peace.

The price might be – how much land Syria is willing to give us in return for peace or how much water Turkey is willing to give us in exchange or how much land Palestine is willing to pay in return for peace or how badly Iran wants Israeli  technology for clean power generation.

Once we have agreed on the price – it’s just a question of agreeing terms of payment and issuing the PO.

If the thought experiment is correct then, the current Israeli strategy of paying the buyer to take our product seems ludicrous.

If the thought experiment is incorrect – then one or more of our assumptions must be false – either our neighbors don’t want peace, peace is not a valuable commodity or – Israel doesn’t hold the keys to acquiring peace in the Middle East.

Reading past the political vitriol of Iran and Abu Maazen,  it’s therefore important to examine our assumptions, starting with the question – “What do terrorists really want?”  and understand why Israel is losing the war against terror.