Israeli Software

From the recent September/October 2010 issue of Foreign Affairs – William Lyn U.S. Deputy Secretary of Defense writes about defending a new domain.

The  long, eloquently phrased article, demonstrates that the US has fundamental flaws in it’s strategic thinking about fighting terror:

Predicting cyberattacks is also proving difficult, especially since both state and nonstate actors pose threats…..Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.

And in summary:

“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces …to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe…”

It is unfortunate that a politruk has so much influence on US cyber security.

The US and European governments consistently adopt strategic policies that were obsolete  years before they came into office.

Just as the Obama administration is crippled by flawed assumptions about the regional balance of power in the Middle East, Washington still sees security as an exercise in organizational constructs, inter-agency collaboration and better defenses and pats itself on the back for recognizing that there is a new domain of threats….when the Internet was invented 20 years ago.

Lyn’s laundry lists of strategic objectives phrased in politically-correct corporate-speak are the wrong answer for improving cyber-security. When Lynn himself, speaks extensively about the need for speed and flexibility, the answer cannot be more government-funded monolithic, bureaucracies.

The private – public partnership is particularly problematic in my view.    The really smart people in security technologies are at small startups – not at Raytheon and Symantec and all the other big corporates that have enough lobbyist resources to line up and eat pork from the Federal plate.  And – why – if I may challenge some conventional wisdoms – should companies like Symantec be allowed to influence US cyber defenses when they have done an abysmal job protecting civilian networks and digital assets? And – why- should Microsoft be part of the solution when they are part of the problem.

Perhaps the US should start by outlawing Windows and using Ubuntu which is not vulnerable to removable USB device auto run attacks.

Perhaps the US should start getting more humint on the ground instead of gutting the CIA from it’s human assets and relying on satellites and network intercepts.   At the time of 9/11 – the CIA had no human assets in Saudi and since the Clinton administration – investment in people on the ground has gone downhill.   I hear the sign in the CIA station chief office in Riyadh says “Better to do nothing then to do something and look bad”.

Perhaps the US should consider that there are numerous offensive alternatives to retaliation (which indeed is not an effective countermeasure due to the extreme asymmetry of cyber attacks).

Perhaps the US should consider that cyber attackers are not motivated by economic utility functions and therefore utility-function-based defenses are not appropriate.

The security concept proposed by Lynn is  sadly divorced from reality.

I think we’re rapidly approaching a  point in time where people will pay for privacy.  I know that after a super-hot month of August with the house full of kids chain-watching Ratatouille, I would pay someone for some privacy.

The privacy controls that governments are attempting to impose on social media and the technical safeguards that social networks like Facebook are implementing seem to be band-aids on a larger and much more significant two-part problem

1. How to enable individuals to control the information they disclose?
2. How to enable individuals to put their value in front of their social graph?

I believe that the brunt of the public debate has been on question number 1 – primarily because of the sheer size and entertainment/leisure time/socializing/shmoozing/networking elements of Facebook and LinkedIn and other social media web sites.  As Bruce Schneier has noted in some of his recent essays – privacy on the Net is not necessarily about forbidding disclosure  (like the regulators are trying to do with PII and PHI compliance regulation) but about controlling what you share.

But  entertainment, leisure time, socializing and networking are not everything in life – and as a matter of fact – most people go to work and either create, make, sell or buy for a living.   Question number 2 is about increasing your disclosure in a controlled way and putting your value forward to your customers and not behind the company that you represent. Value backwards (as opposed to value forwards) is the way most information technology and big pharma is sold today – you work for a security integrator and you’re reselling someone else’s product extolling the virtues of Websense DLP (like 10 other resellers in your geography) or you’re a medical sales representative for MSD and you’re extolling the advantages of Remicade for treating Crohn’s disease.

But – we all know that the reason the customer is talking to you is because he values you (or thinks you might have something of value to sell).

Last year we did a private, professional networking project for one of the big 3 innovative pharmas at one of their Central European offices. It was a successful clinical trial of what we thought was a good idea – enabling medical sales representatives to place their value in front of their social graph of doctors.   As we approach release of the beta version of a productized version – it seems time to get some feedback on the notion of private, controlled networking. So here it is – feel free to comment online or email me.

Assuming you knew why a data breach will happen, wouldn’t you take your best shot at preventing it?

Consider this:

Your security defenses don’t improve your understanding of the root causes of data breaches, and without understanding the root causes –  your best shot is not good enough.

Why is this so?

First of all – defenses are by definition, not a means of improving our understanding of strategic threats. Think about the Maginot Line in WWI or the Bar-Lev line in 1973. Network and application security products that are used to defend the organization are rather poor at helping us understand and reduce the operational risk of insecure software.

Second of all – it’s hard to keep up.  Security defense products have much longer product development life cycles then the people who develop day zero exploits. The battle is also extremely asymmetric – as it costs millions to develop a good application firewall that can mitigate an attack that was developed at the cost of three man months and a few Ubuntu workstations. Security signatures (even if updated frequently) used by products such as firewalls, IPS and black-box application security are no match for fast moving, application-specific source code vulnerabilities exploited by attackers and contractors.

Remember – that’s your source code, not Microsoft.

Third – threats are evolving rapidly. Current defense in depth strategy is to deploy multiple tools at the network perimeter such as firewalls, intrusion prevention and malicious content filtering. Although content inspection technologies such as DPI and DLP are now available, current focus is primarily on the network, despite the fact that the majority of attacks are on the data – customer data and intellectual property.

The location of the data has become less specific as the notion of trusted systems inside a hard perimeter has practically disappeared with the proliferation of cloud services, Web 2.0 services, SSL VPN and convergence of almost all application transport to HTTP.

Obviously we need a better way of understanding what threats really count for our business. More about that in some up coming posts.

What is more important – patient safety or the health of the enterprise hospital Windows network?  What is more important – writing secure code or installing an anti-virus?

A threat analysis was performed on a networked Windows-based embedded medical device used for patient monitoring.  The system helps hospital staff prevent crisis situations through ongoing supervision of patient status, early detection of warning signs, and alert notifications of changes in patient condition.  The threat analysis used the PTA (Practical threat analysis) methodology, described in Appendix A of the full article reporting on the threat analysis of a medical device in PDF format.

Our analysis considered threats to three assets: medical device availability, the hospital enterprise network and patient confidentiality/HIPAA compliance. Following the threat analysis, a prioritized plan of security countermeasures is suggested in Section III. We devoted special interest to the issue of propagation of viruses and malware into the hospital network.

Our analysis shows that installing anti-virus software on a medical device is less effective than implementing other security countermeasures that mitigate the most severe threats – ePHI leakage, software defects and USB access to bedside units.

A detailed discussion appears in Section IV of this paper. Section V suggests segregating the bio-med functions from the hospital enterprise IT.  Section VI provides a summary of the analysis and its findings.

A novel benefit of our approach is derived by providing the analytical results as a standard threat model database, which can be used by the medical device manufacturers and hospital customers to model changes in risk profile as technology and customer environment evolve. The threat model can be downloaded here and the threat modelling software can be downloaded here.

Read more…

Aug 7, 2010 WASHINGTON, D.D.—U.S. Senators Mark Pryor (D-AR) and John D. (Jay) Rockefeller IV (D-WV) today introduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances. Currently, there is no single federal standard for guarding many types of consumer information.

I cannot believe my eyes – “no single federal standard”??

I am at a loss to understand why the US needs another data security bill – when there are already a plethora of regulations regarding personal information – Graham Leach Bliley (financial services), PCI DSS (credit cards), HIPAA (health care) and the state data security bills (CA SB 1386, Mass Data privacy etc.. ).  This is without even mentioning FISMA and the NIST security requirements for implementing HIPAA. With Obamacare in effect – it seems to me that the gold standard for PII protection will soon become HIPAA and since health care appears to becoming nationalized in the US – NIST will soon be the king of data security control frameworks.

Looking at data security  as an exercise in providing cost effect security countermeasures, it appears to me that the bill is most likely either a public relations play  or congressional logrolling. The interesting item is the requirement to provide credit card monitoring services after a breach for a year – perhaps the bill is intended to help stimulate the business of companies like Experian, Symantec, RSA and Mcafee.

The US does not need more data security regulation (requiring “strong security features” whatever that means) because with over 350 million US credit cards breached – the data is already out there. This bill is equivalent to closing the barn door after the horses have already fled.

What I would recommend to the esteemed Senators is a totally different approach – one adopted by Poland. Poland, which is a member of the EU and subject to the EU Privacy Law decided a few years back to make data security breaches expensive. If a firm in Poland breaches personal data – they are liable to up to a 2.5% fine of their annual gross revenue.

None of this hokey – “provide monitoring services and notify within 60 days” nonsense. Make US data breachers pay for their security vulnerabilities and even the playing field with the consumers – who are indeed paying the price for poor data security at American retailers and banks.

Not so long ago – when a company ( business unit, department or manager) wanted to develop a line of business software application, they would do a system analysis starting with business requirements and then proceed to develop an application and deploy it.

Things have changed.

Packaged software and Web applications that the CEO’s niece can whip together in a week, have replaced structured systems development. There are of course,  good things about not having a design (like not coming down with an advanced case of analysis paralysis) and iterating quickly to a better product, but the downside of not developing software according to a structured systems design methodology is insecure software. So called security development methodologies are band-aids on deep cuts, that cannot replace a serious look at business requirements followed by a structured process of implementation.

There is a fundamental divide, a metaphorical valley of death of  mentality and skill sets between IT and security professionals.  IT is about executing predictable business processes. Security is about reducing the impact of unpredictable events.

IT’s “best practice” security in 2010 is  firewall/IPS/AV.  Faced with unconventional threats  (for example a combination of trusted contractors exploiting defective software applications), IT staffers  tend to seek a vendor-proposed, one-size-fits-all “solution” instead of performing a first principles threat analysis and discovering  that the problem has nothing to do with malware on the network and everything to do with software defects that may kill customers.

Threat modelling is a lot of hard work, hard data collection and hard analysis.  It’s not a sexy, fun to use, feel-good application like Windows Media Player.   Risk analysis  may yield results that are not career enhancing, and as  the threats  get deeper and wider  with  bigger and more complex systems – so the IT security valley of death deepens and gets more untraversable.

There is a joke about systems programmers – they have heard that there are real users out there, actually running applications on their systems – but they know it’s only an urban legend. Like any joke, it has a grain of truth. IT and security are primarily systems and procedures-oriented instead of  customer-safety oriented.

Truly – the essence of security is protecting the people who use a company’s products and services. What utility is there in running 24×7 systems that leak 4 million credit cards or developing embedded medical devices that may kill patients?

Clearly – the challenge of running a profitable company that values customer protection must be shouldered by IT and security teams alike.

Around this common challenge, I  propose that IT and security adopt a common goal and a common language – a language  of customer-centric threat modelling - threats, vulnerabilities, attackers, entry points, assets and security countermeasures.  This may be the best or even only way for IT and security  to traverse the valley of death successfully.

We spent the past week in Tzfat  (Safed) – situated in the northern part of Israel and with a 900meter elevation, the weather is cool and dry and a welcome relief from the humidity and heat of Tel Aviv.

We met a couple at dinner one evening – the husband is a retired aerospace software engineer that had done cutting edge work in his career, including the embedded software for one of the first unmanned aerial vehicles (UAV).  He took early retirement 15 years ago and today is hustling real estate and odd jobs.   At age 62, he’s overweight, after a triple bypass, technology-obsolete and convinced he will never get back into the tech game.

For sure – this recession is helping us understand the importance of family and friends and the difference between needing something (really) and wanting something.  This is a natural inward-looking reaction. However, in order to really take something of value out of the recession you need to look outward and challenge a lot of your base assumptions – it doesn’t really matter if you are (or soon will be) a self-employed consultant or a salaried (or soon to be ) sales professional. I submit that there are several important takeways that most people miss:

1) Invest in knowledge – spend 1 hour a day in constant learning, if you’re a tech person then work on keeping your edge and learning some new tools and technologies. If you are a sales professional – remember that sales skills are like basketball – practice your shooting 1 hour/day and your stats will go up.

2) Remember that what counts in your business is free cash flow – adding value and having some cash left at the end of the transaction. It’s not definitely not about  leveraging credit cards, mortgages and derivatives.

3) Invest in your health – spend 4-5 hours a week in physical activity. There is no point reaching 60 with a heart condition and proficiency in a programming language that was obsolete in the 70s.

Are we in the same valley of death that held  content management applications in the 90s?  Where companies spent 6-7 figures on content management from companies like Vignette and over 50% of the projects never got off the ground?

Tell me what you think in this Linked In poll – DLP success or failure

It seems that with amorphous and rapidly evolving trend of storing data in cloud providers and social media like Twitter and Facebook, that social media and cloud computing is the next frontier of data security breaches.

And – here, we have not even solved the problem of trusted insiders.

The letter of the law is always operative and the common denominator of the regulators (HIPAA, PCI etc..) is not to store or transmit personal information at all in the application software systems.

We are correct in identifying cloud providers as a potential vulnerability – however, storing data in the ‘cloud’ is no different from storing data in an outsourced data center and it’s subsequent exposure to employees, outsourcing contractors etc..If you have a medical file application,  ecommerce or an online application – your best data security countermeasure is NOT to store PII at all in your application.

I personally don’t buy into technology silver bullets and data obfuscation as effective security countermeasures.   They have their utility but even if the data is obfuscated in the cloud it still traverses some interface between the data provider and the cloud provider.

In my experience, since almost all data breaches occur on the interface – adding an additional technology layer will serve to increase your value at risk not reduce it – since more complexity and more third party software only adds additional vulnerabilities and increases your threat surface.

As far as I know, there have been no documented events of PII being leaked from an infrastructure cloud provider like Rackspace or IBM. Their standards of operation and security are far better than the average business.

Notwithstanding legal definitions, regulatory standards like HIPAA and SOX tell us to do a top down risk analysis and demonstrate why the risk of leaking PII is acceptably low.

If you are developing and maintaining an online application with patient or customer data, your best bet is good application engineering and resolving your data privacy exposure issues by simply removing ePHI and PII from your systems.

Are the security lights on, but no  one is home at your company?

Question No. 1 – Does your organization have a formalized risk analysis process? … 90 percent of the respondents, said that their organizations have such a formalized risk analysis process.

Question No 2 – Does your organization have an executive with a mandate to manage enterprise risk ? … only about 40 percent of the respondents had an executive with such a mandate.

Enterprise Security Risk Management Benchmarking Survey - April 2010

“That’s hard to believe, given that extreme events and risk management are making headlines almost every other day.”

In order  to understand why large enterprises invest in risk analysis process but not in risk management we need to take a closer look at Western (US and EU for the sake of argument) corporate value systems.

For a manager of a company on the verge of bankruptcy, equity compensation is a one-sided bet with upside only. For example, say the CEO  bets on a bridge loan at usurious terms in order to buy time to close an acquisition deal. If the bet pays off, his equity compensation pays off, but if he loses the bet (and the company goes bankrupt or is sold for a pittance), his personal compensation exposure is zero, but the stockholders, bond holders, customers and business partners will be left holding the bag.  Since it’s a one-sided bet with no downside, executives may also be tempted to adopt borderline business practice in order to proactively optimize their compensation.

Risk analysis provides invaluable input to improve business practice and reduce security breach exposure but you have to execute on the implementation of the security countermeasures and be prepared to hold them up to scrutiny of your peers on a regular basis.  That requires a strong work ethic, transparency and accountability.

Since executives are generally not held personally accountable for security breaches  - it is not surprising at all that most enterprises have  formal risk analysis processes but few firms have managers with  the personal responsibility to execute on security risk management.

Let’s return to our original question – ‘Is IT equipped to deal with clear and present danger?’

We now see that IT and their information security colleagues may indeed have the formal risk analysis processes and even the latest in data security technology countermeasures to reduce the impact of security breaches but they don’t function inside a corporate value system that rewards them for cost-effective security.

And that my friends – is already an ethical question, not a process management nor a compensation question.