Author Archive

Why Pentagon cyber strategy is divorced from reality.

September 1st, 2010 admin No comments

From the recent September/October 2010 issue of Foreign Affairs: William Lynn, U.S. Deputy Secretary of Defense, writes about defending a new domain.

The long, eloquently phrased article demonstrates that the US has fundamental flaws in its strategic thinking about fighting terror:

Predicting cyberattacks is also proving difficult, especially since both state and nonstate actors pose threats… Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.

And in summary:

“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces …to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe…”

It is unfortunate that a politruk has so much influence on US cyber security.

The US and European governments consistently adopt strategic policies that were obsolete years before they came into office.

Just as the Obama administration is crippled by flawed assumptions about the regional balance of power in the Middle East, Washington still sees security as an exercise in organizational constructs, inter-agency collaboration and better defenses, and pats itself on the back for recognizing that there is a new domain of threats… when the Internet was invented 20 years ago.

Lynn’s laundry lists of strategic objectives, phrased in politically correct corporate-speak, are the wrong answer for improving cyber security. When Lynn himself speaks extensively about the need for speed and flexibility, the answer cannot be more government-funded, monolithic bureaucracies.

The private-public partnership is particularly problematic in my view. The really smart people in security technologies are at small startups, not at Raytheon and Symantec and all the other big corporates that have enough lobbyist resources to line up and eat pork from the Federal plate. And why, if I may challenge some conventional wisdom, should companies like Symantec be allowed to influence US cyber defenses when they have done an abysmal job protecting civilian networks and digital assets? And why should Microsoft be part of the solution when they are part of the problem?

Perhaps the US should start by outlawing Windows and using Ubuntu, which is not vulnerable to removable USB device autorun attacks.

Perhaps the US should start getting more humint on the ground instead of gutting the CIA of its human assets and relying on satellites and network intercepts. At the time of 9/11 the CIA had no human assets in Saudi Arabia, and since the Clinton administration investment in people on the ground has gone downhill. I hear the sign in the CIA station chief’s office in Riyadh says “Better to do nothing than to do something and look bad”.

Perhaps the US should consider that there are numerous offensive alternatives to retaliation (which indeed is not an effective countermeasure due to the extreme asymmetry of cyber attacks).

Perhaps the US should consider that cyber attackers are not motivated by economic utility functions and therefore utility-function-based defenses are not appropriate.

The security concept proposed by Lynn is sadly divorced from reality.

Windows USB vulnerabilities reign supreme

August 26th, 2010 admin 1 comment

In an article to be published Wednesday August 26, 2010 discussing the Pentagon’s cyberstrategy, Deputy Defense Secretary William J. Lynn III says malicious code placed on a removable drive by a foreign intelligence agency in 2008 uploaded itself onto a network run by the U.S. military’s Central Command – source: Washington Post

“That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” he says in the Foreign Affairs article.

Why doesn’t the US military just junk Windows and use Ubuntu? You can plug in a USB drive with some autorun code to run Conficker on Ubuntu and precisely nothing will happen.
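The mechanism the post is talking about is the autorun.inf file that Windows of that era read from a newly inserted removable drive. As an added example (not code from the post, nor from Microsoft or any vendor named on the page), the Python script below parses an autorun.inf and reports the directives that would cause a program to be executed, the check a defender would run over a mounted drive image before trusting it. The autorun.inf contents are constructed for illustration; the directive names (open, shellexecute, shell\<verb>\command, shell) are the documented autorun.inf keys.

```python
"""Flag autorun.inf directives that would make Windows AutoRun launch a
program from removable media.  Added example, not code from the post; the
autorun.inf text below is constructed for illustration."""

# [autorun] keys that name something AutoRun/AutoPlay will execute.
# 'open' and 'shellexecute' launch directly; 'shell\<verb>\command' binds a
# program to an Explorer context-menu verb, and 'shell=<verb>' can make that
# verb the default action when the drive icon is double-clicked.
DIRECT_LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Section and key names are lower-cased so comparisons are case-insensitive
    (Windows treats them that way); a key repeated within a section keeps the
    last value seen.  Lines starting with ';' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not key=value
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def find_launch_directives(text):
    """Return [(key, value), ...] for every [autorun] directive that would
    execute a program, in the order they appear in the file."""
    autorun = parse_autorun(text).get("autorun", {})
    findings = []
    for key, value in autorun.items():
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in DIRECT_LAUNCH_KEYS or is_verb_command:
            findings.append((key, value))
    return findings


def default_verb(text):
    """Return the verb named by 'shell=<verb>' (the default double-click
    action), or None if the file does not set one."""
    return parse_autorun(text).get("autorun", {}).get("shell")


# Constructed sample: an autorun.inf that launches a program as soon as the
# drive is inserted (open=) or opened via its default verb (shell=explore).
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
; constructed sample for illustration, not a real artifact
icon=setup.exe,0
label=Removable Drive
open=setup.exe /s
shell\explore\command=setup.exe /s
shell=explore
"""

# A benign file that only customises the drive icon and label.
BENIGN_AUTORUN_INF = "[autorun]\nicon=drive.ico\nlabel=Field Data\n"

if __name__ == "__main__":
    for name, content in (("sample", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        hits = find_launch_directives(content)
        print(name, "launch directives:", hits, "default verb:", default_verb(content))
```

An icon or label entry on its own is harmless; it is the open, shellexecute and shell\<verb>\command entries that turn a plugged-in drive into a program launch. Windows has since changed its defaults (Windows 7 at release, and an update for XP and Vista in 2011) so that autorun.inf on USB mass storage is no longer honoured automatically on patched systems, which narrows the exposure the post describes.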

Private networking

August 26th, 2010 admin No comments

I think we’re rapidly approaching a point in time where people will pay for privacy. I know that after a super-hot month of August with the house full of kids chain-watching Ratatouille, I would pay someone for some privacy.

The privacy controls that governments are attempting to impose on social media and the technical safeguards that social networks like Facebook are implementing seem to be band-aids on a larger and much more significant two-part problem:

  1. How to enable individuals to control the information they disclose?
  2. How to enable individuals to put their value in front of their social graph?

I believe that the brunt of the public debate has been on question number 1, primarily because of the sheer size and entertainment/leisure time/socializing/schmoozing/networking elements of Facebook, LinkedIn and other social media web sites. As Bruce Schneier has noted in some of his recent essays, privacy on the Net is not necessarily about forbidding disclosure (like the regulators are trying to do with PII and PHI compliance regulation) but about controlling what you share.

But entertainment, leisure time, socializing and networking are not everything in life; as a matter of fact, most people go to work and either create, make, sell or buy for a living. Question number 2 is about increasing your disclosure in a controlled way and putting your value forward to your customers rather than behind the company that you represent. Value backwards (as opposed to value forwards) is the way most information technology and big pharma is sold today: you work for a security integrator and you’re reselling someone else’s product, extolling the virtues of Websense DLP (like 10 other resellers in your geography), or you’re a medical sales representative for MSD and you’re extolling the advantages of Remicade for treating Crohn’s disease.

But – we all know that the reason the customer is talking to you is because he values you (or thinks you might have something of value to sell).

Last year we did a private, professional networking project for one of the big 3 innovative pharmas at one of their Central European offices. It was a successful clinical trial of what we thought was a good idea: enabling medical sales representatives to place their value in front of their social graph of doctors. As we approach the beta release of a productized version, it seems time to get some feedback on the notion of private, controlled networking. So here it is; feel free to comment online or email me.

Why security defenses don’t prevent data breaches

August 24th, 2010 admin No comments

Assuming you knew why a data breach will happen, wouldn’t you take your best shot at preventing it?

Consider this:

Your security defenses don’t improve your understanding of the root causes of data breaches, and without understanding the root causes, your best shot is not good enough.

Why is this so?

First of all – defenses are by definition, not a means of improving our understanding of strategic threats. Think about the Maginot Line in WWI or the Bar-Lev line in 1973. Network and application security products that are used to defend the organization are rather poor at helping us understand and reduce the operational risk of insecure software.

Second of all, it’s hard to keep up. Security defense products have much longer product development life cycles than the people who develop zero-day exploits. The battle is also extremely asymmetric: it costs millions to develop a good application firewall that can mitigate an attack that was developed at the cost of three man-months and a few Ubuntu workstations. Security signatures (even if updated frequently) used by products such as firewalls, IPS and black-box application security are no match for fast-moving, application-specific source code vulnerabilities exploited by attackers and contractors.

Remember: that’s your source code, not Microsoft’s.

Third – threats are evolving rapidly. Current defense in depth strategy is to deploy multiple tools at the network perimeter such as firewalls, intrusion prevention and malicious content filtering. Although content inspection technologies such as DPI and DLP are now available, current focus is primarily on the network, despite the fact that the majority of attacks are on the data – customer data and intellectual property.

The location of the data has become less specific as the notion of trusted systems inside a hard perimeter has practically disappeared with the proliferation of cloud services, Web 2.0 services, SSL VPN and convergence of almost all application transport to HTTP.

Obviously we need a better way of understanding which threats really count for our business. More about that in some upcoming posts.

More nonsense with numbers

August 22nd, 2010 admin No comments

Now it’s some lazy journalist at Information Week aiding and abetting the pseudo-statistics of the Ponemon Institute, with screaming headlines about the cost of data breaches of PHI (protected healthcare information).

According to Information Week, in “Analysis: Healthcare Breach Costs May Reach $800 Million”:

Since the Health Information Technology for Economic and Clinical Health Act, or HITECH Act, of 2009 came into being, a number of new privacy, security, reporting and non-compliance penalty provisions went into effect. And as summarized by this report from HITRUST, there have been 108 entities that have reported security breaches since September of last year.

Those breaches comprise about 4 million people and records.

In the analysis, Chris Hourihan, Manager of CSF Development and Operations at HITRUST, used the 2009 Ponemon Institute Cost of a Data Breach Study [.pdf], which found the average cost for each record within a data breach to be $204. That’s $144 of indirect costs and $60 of direct costs. An overview of the Ponemon study is available here.

What is the connection between the Ponemon studies (sponsored by data security vendors) and the PHI leakages?

Nothing.

Why is a PII leak and a meaningless plug number of $60 relevant to PHI (which requires a combination of medical data and personal identifiers)?

Why can’t someone make a phone call and ask how much the companies actually paid in fines, and then make a few more phone calls and start estimating ancillary costs and direct costs such as legal fees?

Why not just multiply by the average cost of an iPhone?

After all, you can steal data with your mobile easily enough, can’t you?

A threat analysis of critical patient monitoring medical devices

August 13th, 2010 admin No comments

What is more important: patient safety or the health of the enterprise hospital Windows network? What is more important: writing secure code or installing an anti-virus?

A threat analysis was performed on a networked, Windows-based embedded medical device used for patient monitoring. The system helps hospital staff prevent crisis situations through ongoing supervision of patient status, early detection of warning signs, and alert notifications of changes in patient condition. The threat analysis used the PTA (Practical Threat Analysis) methodology, described in Appendix A of the full article (in PDF format) reporting on the threat analysis of a medical device.

Our analysis considered threats to three assets: medical device availability, the hospital enterprise network and patient confidentiality/HIPAA compliance. Following the threat analysis, a prioritized plan of security countermeasures is suggested in Section III. We devoted special interest to the issue of propagation of viruses and malware into the hospital network.

Our analysis shows that installing anti-virus software on a medical device is less effective than implementing other security countermeasures that mitigate the most severe threats – ePHI leakage, software defects and USB access to bedside units.

A detailed discussion appears in Section IV of this paper. Section V suggests segregating the bio-med functions from the hospital enterprise IT.  Section VI provides a summary of the analysis and its findings.

A novel benefit of our approach is that the analytical results are provided as a standard threat model database, which medical device manufacturers and hospital customers can use to model changes in the risk profile as technology and the customer environment evolve. The threat model can be downloaded here and the threat modelling software can be downloaded here.

Read more…

Data security breaches can wreak havoc on people’s lives

August 7th, 2010 admin No comments

Aug 7, 2010 WASHINGTON, D.C.—U.S. Senators Mark Pryor (D-AR) and John D. (Jay) Rockefeller IV (D-WV) today introduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances. Currently, there is no single federal standard for guarding many types of consumer information.

I cannot believe my eyes – “no single federal standard”??

I am at a loss to understand why the US needs another data security bill when there is already a plethora of regulations regarding personal information: Gramm-Leach-Bliley (financial services), PCI DSS (credit cards), HIPAA (health care) and the state data security bills (CA SB 1386, the Massachusetts data privacy law, etc.). This is without even mentioning FISMA and the NIST security requirements for implementing HIPAA. With Obamacare in effect, it seems to me that the gold standard for PII protection will soon become HIPAA, and since health care appears to be becoming nationalized in the US, NIST will soon be the king of data security control frameworks.

Looking at data security as an exercise in providing cost-effective security countermeasures, it appears to me that the bill is most likely either a public relations play or congressional logrolling. The interesting item is the requirement to provide credit card monitoring services for a year after a breach; perhaps the bill is intended to help stimulate the business of companies like Experian, Symantec, RSA and McAfee.

The US does not need more data security regulation (requiring “strong security features” whatever that means) because with over 350 million US credit cards breached – the data is already out there. This bill is equivalent to closing the barn door after the horses have already fled.

What I would recommend to the esteemed Senators is a totally different approach, one adopted by Poland. Poland, which is a member of the EU and subject to the EU Privacy Law, decided a few years back to make data security breaches expensive. If a firm in Poland breaches personal data, it is liable for a fine of up to 2.5% of its annual gross revenue.

None of this hokey “provide monitoring services and notify within 60 days” nonsense. Make US data breachers pay for their security vulnerabilities and even the playing field with the consumers, who are indeed paying the price for poor data security at American retailers and banks.

The valley of death between IT and information security

August 2nd, 2010 admin Comments off

Not so long ago, when a company (business unit, department or manager) wanted to develop a line-of-business software application, they would do a systems analysis starting with business requirements and then proceed to develop an application and deploy it.

Things have changed.

Packaged software and Web applications that the CEO’s niece can whip together in a week have replaced structured systems development. There are, of course, good things about not having a design (like not coming down with an advanced case of analysis paralysis) and iterating quickly to a better product, but the downside of not developing software according to a structured systems design methodology is insecure software. So-called security development methodologies are band-aids on deep cuts that cannot replace a serious look at business requirements followed by a structured process of implementation.

There is a fundamental divide, a metaphorical valley of death of mentality and skill sets, between IT and security professionals. IT is about executing predictable business processes. Security is about reducing the impact of unpredictable events.

IT’s “best practice” security in 2010 is firewall/IPS/AV. Faced with unconventional threats (for example, a combination of trusted contractors exploiting defective software applications), IT staffers tend to seek a vendor-proposed, one-size-fits-all “solution” instead of performing a first-principles threat analysis and discovering that the problem has nothing to do with malware on the network and everything to do with software defects that may kill customers.

Threat modelling is a lot of hard work, hard data collection and hard analysis. It’s not a sexy, fun-to-use, feel-good application like Windows Media Player. Risk analysis may yield results that are not career enhancing, and as the threats get deeper and wider with bigger and more complex systems, so the IT security valley of death deepens and gets harder to traverse.

There is a joke about systems programmers – they have heard that there are real users out there, actually running applications on their systems – but they know it’s only an urban legend. Like any joke, it has a grain of truth. IT and security are primarily systems and procedures-oriented instead of  customer-safety oriented.

Truly – the essence of security is protecting the people who use a company’s products and services. What utility is there in running 24×7 systems that leak 4 million credit cards or developing embedded medical devices that may kill patients?

Clearly – the challenge of running a profitable company that values customer protection must be shouldered by IT and security teams alike.

Around this common challenge, I propose that IT and security adopt a common goal and a common language: a language of customer-centric threat modelling, with threats, vulnerabilities, attackers, entry points, assets and security countermeasures. This may be the best or even the only way for IT and security to traverse the valley of death successfully.
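As an added example, not code from the medical-device paper, the PTA tool or this post, here is a small Python model written in the common language proposed above (assets, threats, attackers, entry points, countermeasures). It is populated with the three assets and the threat areas named in the patient-monitoring threat analysis post earlier on this page (ePHI leakage, software defects, USB access to bedside units, malware propagation into the hospital network) and ranks candidate countermeasures by risk reduction per unit of cost. Every asset value, probability, damage fraction, cost and mitigation fraction is constructed for illustration and is not a finding of the paper; the risk calculus (expected loss = value × probability × damage, independent mitigations combined multiplicatively) is a simplified one chosen for the example, not the PTA methodology's own.

```python
"""A small, explicit threat model in the vocabulary of assets, threats,
attackers, entry points and countermeasures, with countermeasures ranked by
risk reduction per unit of cost.  Added example, not the paper's model or
the PTA tool's code; every number below is constructed."""
from dataclasses import dataclass
from math import prod


@dataclass
class Asset:
    name: str
    value: float        # constructed monetary value of a total loss


@dataclass
class Threat:
    name: str
    asset: str          # name of the asset it damages
    attacker: str
    entry_point: str
    probability: float  # constructed annual likelihood, 0..1
    damage: float       # constructed fraction of the asset value lost, 0..1


@dataclass
class Countermeasure:
    name: str
    cost: float
    mitigation: dict    # threat name -> fraction of that threat's risk removed


def threat_risk(threat, assets):
    """Expected annual loss from one threat."""
    return assets[threat.asset].value * threat.probability * threat.damage


def total_risk(threats, assets):
    return sum(threat_risk(t, assets) for t in threats)


def countermeasure_benefit(cm, threats, assets):
    """Risk removed by one countermeasure applied on its own."""
    by_name = {t.name: t for t in threats}
    return sum(threat_risk(by_name[n], assets) * frac
               for n, frac in cm.mitigation.items() if n in by_name)


def prioritize(countermeasures, threats, assets):
    """Rank countermeasures by benefit/cost, best first: (name, benefit, cost)."""
    scored = [(cm.name, countermeasure_benefit(cm, threats, assets), cm.cost)
              for cm in countermeasures]
    return sorted(scored, key=lambda s: s[1] / s[2], reverse=True)


def residual_risk(selected, threats, assets):
    """Risk remaining after applying a set of countermeasures; independent
    mitigations m_i of the same threat leave a fraction prod(1 - m_i)."""
    total = 0.0
    for t in threats:
        remaining = prod(1 - cm.mitigation.get(t.name, 0.0) for cm in selected)
        total += threat_risk(t, assets) * remaining
    return total


# Constructed data.  Asset names follow the post; the figures do not.
ASSETS = {a.name: a for a in (
    Asset("medical device availability", 500_000),
    Asset("hospital enterprise network", 2_000_000),
    Asset("patient confidentiality / HIPAA compliance", 3_000_000),
)}

THREATS = [
    Threat("ePHI leakage", "patient confidentiality / HIPAA compliance",
           "insider or external attacker", "network interface", 0.3, 0.5),
    Threat("software defect disables monitoring", "medical device availability",
           "none (defect)", "device software", 0.5, 0.4),
    Threat("USB access to bedside unit", "medical device availability",
           "person with physical access", "USB port", 0.2, 0.6),
    Threat("malware propagation into hospital network", "hospital enterprise network",
           "malware", "device network interface", 0.1, 0.2),
]

COUNTERMEASURES = [
    Countermeasure("install anti-virus on the device", 50_000,
                   {"malware propagation into hospital network": 0.6,
                    "USB access to bedside unit": 0.2}),
    Countermeasure("fix software defects (secure coding, testing)", 120_000,
                   {"software defect disables monitoring": 0.7, "ePHI leakage": 0.3}),
    Countermeasure("lock down USB ports on bedside units", 10_000,
                   {"USB access to bedside unit": 0.8,
                    "malware propagation into hospital network": 0.4}),
    Countermeasure("segregate bio-med network from enterprise IT", 80_000,
                   {"malware propagation into hospital network": 0.8, "ePHI leakage": 0.4}),
    Countermeasure("encrypt ePHI at rest and in transit", 60_000,
                   {"ePHI leakage": 0.6}),
]

if __name__ == "__main__":
    print(f"total annual risk: {total_risk(THREATS, ASSETS):,.0f}")
    for name, benefit, cost in prioritize(COUNTERMEASURES, THREATS, ASSETS):
        print(f"{benefit / cost:5.2f}  {name}  (benefit {benefit:,.0f}, cost {cost:,.0f})")
```

The ranking is benefit divided by cost, and residual_risk answers the what-if question that a standard threat model database makes possible: change an asset value or a probability as the environment evolves and re-run. With these constructed inputs anti-virus on the device comes out last, which matches the post's conclusion, but the inputs were chosen for illustration; the point of the example is that the model makes the trade-off explicit and arguable in the same terms for IT and security.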

Professional skill sets

July 30th, 2010 admin 1 comment

We spent the past week in Tzfat (Safed), situated in the northern part of Israel; with a 900-meter elevation, the weather is cool and dry and a welcome relief from the humidity and heat of Tel Aviv.

We met a couple at dinner one evening; the husband is a retired aerospace software engineer who had done cutting-edge work in his career, including the embedded software for one of the first unmanned aerial vehicles (UAVs). He took early retirement 15 years ago and today is hustling real estate and odd jobs. At age 62, he’s overweight, after a triple bypass, technology-obsolete and convinced he will never get back into the tech game.

For sure, this recession is helping us understand the importance of family and friends and the difference between (really) needing something and wanting something. This is a natural inward-looking reaction. However, in order to really take something of value out of the recession you need to look outward and challenge a lot of your base assumptions; it doesn’t really matter if you are (or soon will be) a self-employed consultant or a salaried (or soon to be) sales professional. I submit that there are several important takeaways that most people miss:

1) Invest in knowledge – spend 1 hour a day in constant learning, if you’re a tech person then work on keeping your edge and learning some new tools and technologies. If you are a sales professional – remember that sales skills are like basketball – practice your shooting 1 hour/day and your stats will go up.

2) Remember that what counts in your business is free cash flow: adding value and having some cash left at the end of the transaction. It’s definitely not about leveraging credit cards, mortgages and derivatives.

3) Invest in your health – spend 4-5 hours a week in physical activity. There is no point reaching 60 with a heart condition and proficiency in a programming language that was obsolete in the 70s.

Health insurer data breaches

July 29th, 2010 admin Comments off

switched.com is having trouble understanding the attack vector of a data breach. They apparently believe that software vulnerabilities can be mitigated by consumers “actively protecting their information”.

Hackers recently attacked WellPoint, a health insurer which reportedly covers 34 million people. As a result of the breach, the company notified 470,000 individual customers that confidential information, including medical records and credit card numbers, may have been compromised. It’s imperative that consumers actively protect their information (sic), because cyber-criminals have accessed at least 358,400,000 records belonging to U.S. citizens over the past five years. [From: CBS News]

I recommend treating passwords like cash, but give me a break. If over 350 million credit card records have been breached, then active protection measures are useless since your credit card is already disclosed.

Together with gems of security naiveté in the American press, we can add another round of US-European political infighting over who has a bigger schlong.

The Solvency II European insurance supervision directive is “not as comprehensive and transparent” as US regulation, according to New York’s state insurance regulator. Jim Wrynn, superintendent of the New York State Insurance Department, also criticised efforts by stakeholders in the process of the European regulatory overhaul to deny equivalence status to the US while its state-based regulation remains in place…Wrynn was critical of (the Solvency II) approach, and described the current US model as “a well-tested and comprehensive regime”. [From: risk.net]

I suppose that AIG and Wellpoint don’t count.