Archive for the ‘Privacy’ Category

Controlled social networking

June 20th, 2010 admin

I saw a post recently on Controlled social networking for student collaboration. One of the comments lamented not having the head count to install technology to control Facebook access by students.

Frankly – as a data security and compliance consultant who does a lot of work with corporates in social networking (both on the application side and the security side), I would not use technology as an excuse for social media abuse.

This is a cultural and behavioral issue similar to any other content abuse issue. It starts with education: at home, in the school and with parental and teacher role models.

Current definitions of privacy are changing. Regulatory definitions of privacy used by legislators in the credit card and HIPAA compliance space do not seem to be relevant for under-25 users of Facebook – who are happy to disclose pictures of themselves but very careful about what they show and whom they share the media with. I believe that as social media becomes part of the continuum of social interaction in the physical and virtual worlds, privacy becomes an issue of personal, discretionary disclosure control.

To this extent, it seems to me that we are moving rapidly towards a new generation of social networking that is much closer to what happens in the physical world – centered on individual perspectives, one person, their friends, selective disclosure and information leakage by word of mouth not by IP protocols, social media and public access Web sites like Facebook.

But – that is already another technology kettle of fish.

Are you still using Excel for risk assessment?

June 18th, 2010 admin

There is a school of thought that says that you can take any complex problem and break it down like Swiss cheese. Risk assessment data collection and analysis with Excel is one of those problems that can’t be Swiss-cheesed. A collection of brittle, unwieldy, two-dimensional worksheets is a really bad way of doing multi-dimensional modelling.

Consider that a typical risk assessment exercise will have a minimum of 4 dimensions (assets, threats, vulnerabilities and controls) and I think you will agree with me that Excel is a poor fit for risk assessment.

Here is where PTA (Practical Threat Analysis) comes to the rescue. You can download the free risk assessment software and try it yourself.

Any risk assessment process can be automated using Practical Threat Analysis and the PTA threat modeling database. PTA is a threat modelling methodology and software tool that has been downloaded over 15,000 times and has thousands of active security analyst users on a daily basis.

PTA (Practical Threat Analysis) was first introduced in a paper by Ygor Goldberg titled “Practical Threat Analysis for the Software Industry” published online at Security Docs in October 2005. PTA provides a number of meaningful benefits for security and compliance risk assessments:

  • Quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
  • Robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
  • Versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
  • Effective: recommends the most effective security countermeasures and their order of implementation. In our experience, PTA can help a firm mitigate 80% of the risk at 20% of the total control cost.

The PTA calculative model is implemented in a user-friendly Windows desktop application, available as freeware at the PTA Technologies web site. A PTA ISO 27001 library is available as a free download and is licensed under the Creative Commons Attribution License.

The need for cost effective risk reduction

Despite the importance of privacy and governance regulation, compliance is actually a minimum but not sufficient requirement for risk management.

The question is: What security controls should a firm implement after a risk assessment?

Taking ISO 27001 as a baseline security standard with a comprehensive set of controls, the ISO 27001 certification process can be as simple or as involved as an organization wants, but there are always far more available controls than threats. As a result, organizations large and small find themselves coping with a long and confusing shopping list of controls. You can implement the entire checklist of controls (if you have deep pockets), you can do nothing, or you can try to achieve the most effective purchasing and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.

However, implementing additional controls does not necessarily reduce risk.

For example, beefing up network security (like firewalls and proxies) and installing advanced application security products is never a free lunch and tends to increase the total system risk and cost of ownership as a result of the interaction between the elements and an inflation in the number of firewall and content filtering rules.

Firms often view data asset protection as an exercise in Access Control (Section 11 of ISO 27001) that requires better permissions and identity management (IDM). However, further examination of IDM systems reveals that (a) IDM does not mitigate the threat of a trusted insider with appropriate privileges and (b) the majority of IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.

How to choose cost-effective controls

A PTA threat model enables a risk analyst to discuss risk in business terms with her client and construct an economically justified set of security controls that reduces risk in a specific customer business environment. A company can execute an implementation plan for security controls consistent with its budget instead of using an all-or-nothing checklist designed by a committee of experts who all work for companies 100x the size of your operation.
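To make the multi-dimensional model and the cost-effective ordering of controls concrete, here is an added example in Python. It is a constructed, simplified quantitative model and is not PTA's software or its calculative model; the threats, asset values, control names, costs and mitigation fractions are all made-up figures chosen to illustrate the selection logic.

```python
# Simplified quantitative risk model for picking cost-effective controls.
# Constructed illustration only; it is not PTA's calculative model or code.
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    asset_value: float   # monetary value of the asset the threat hits
    probability: float   # annual likelihood that the threat materializes
    damage: float        # fraction of the asset value lost when it does

@dataclass
class Control:
    name: str
    cost: float
    mitigation: dict     # threat name -> fraction of that threat's risk removed

def residual_risk(threats, selected):
    """Expected annual loss after `selected` controls; controls on the same
    threat combine multiplicatively (what one misses, the next may stop)."""
    total = 0.0
    for t in threats:
        remaining = 1.0
        for c in selected:
            remaining *= 1.0 - c.mitigation.get(t.name, 0.0)
        total += t.asset_value * t.probability * t.damage * remaining
    return total

def plan_controls(threats, controls, budget, min_ratio=1.0):
    """Greedy plan: add the affordable control with the best risk reduction per
    unit cost until none returns `min_ratio` units of annual risk per unit spent.
    Returns (ordered plan, amount spent, residual annual risk)."""
    chosen, spent, candidates = [], 0.0, list(controls)
    while True:
        current = residual_risk(threats, chosen)
        best, best_ratio = None, min_ratio
        for c in candidates:
            if spent + c.cost > budget:
                continue
            ratio = (current - residual_risk(threats, chosen + [c])) / c.cost
            if ratio >= best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            return chosen, spent, current
        chosen.append(best); spent += best.cost; candidates.remove(best)

# Constructed sample model; the figures are illustrative, not measured data.
THREATS = [
    Threat("SQL injection against customer DB", 1_000_000, 0.30, 0.5),
    Threat("Trusted insider exfiltrates customer DB", 1_000_000, 0.10, 0.8),
    Threat("Unencrypted laptop stolen", 50_000, 0.40, 1.0),
]
CONTROLS = [  # IDM barely touches an insider who already holds privileges
    Control("Web application firewall", 20_000, {THREATS[0].name: 0.7}),
    Control("Secure code review", 30_000, {THREATS[0].name: 0.5}),
    Control("DLP on outbound channels", 40_000, {THREATS[1].name: 0.6}),
    Control("Full-disk encryption", 5_000, {THREATS[2].name: 0.9}),
    Control("Identity management rollout", 60_000, {THREATS[1].name: 0.1}),
]
```

With a 100,000 budget the plan picks the firewall, disk encryption and DLP (65,000 spent, residual risk 79,000 of a 250,000 baseline) and stops: the remaining candidates would not return their cost in reduced annual risk, which is the point the post makes about controls that add cost without reducing risk.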

What price privacy?

June 16th, 2010 admin

Dr. David Gurevich, in an interview with the Israeli business daily Globes, predicts that real-time death will be the next development in reality programming. Once the domain of science fiction and fantasy, the online death scenario is, Dr. Gurevich believes, an inevitable development in the loss of privacy and the wave of voyeurism brought on by social networks like Facebook.

Although many people would love to participate in televised reality shows like Survival, it’s no longer necessary – you can do it yourself on YouTube.

Like any other scarce commodity, I predict that online privacy will soon become a product that people will pay dearly for, perhaps to the point of acquiring entrance into a totally technology-free environment.

Secure collaboration, agile collaboration

April 27th, 2010 admin

One of the biggest challenges in global multi-center clinical trials (after enrollment of patients) is collaboration between multi-center clinical trial teams: CRAs, investigators, regulatory, marketing, manufacturing, market research, data managers, statisticians and site administrators.

In a complex global environment, pharma companies do not have control of the computer platforms that local sites use, yet there is an expectation that file and information sharing should be easy. There are three areas where current systems break down:

1. People forget what files have been shared and with whom they have been shared

2. People have difficulty sharing files with colleagues in a way that is accessible to everyone – firewalls, VPNs, enterprise content management, DRM, corporate data security policy, end point security, file size – these are all daunting challenges when all you want to do is share a file with a colleague in Berlin when you are working in a hospital in Washington.

3. Notifications – how do you know when new information has been added or updated? Not having timely notifications on updates can be a big source of frustration resulting in team members pinging other members over and over again with emails.

Over the past 10 years a generation of complex enterprise content management software systems have grown up – they are bloated, expensive, difficult to implement, not available to the entire multi-center team and in many cases written by English speaking software vendors who cannot conceive that there are people in the world who feel more comfortable communicating in their native tongue of French, German, Hebrew or Finnish!

We are developing (currently in beta with a Tier 1 bio-pharma in EMEA) a Web-based, agile collaboration system with a light-weight, easy to use, simple architecture that saves time and reduces IT and travel costs – and literally gets everyone on the same page.

The system resolves the 3 breakdowns above while recording all user activities in a detailed audit trail in order to meet internal control and FDA regulatory requirements.

The system also provides significant cost benefits in addition to improving information collaboration:

• Reduces travel costs: Using online events, integrated media and file sharing and discussions, the clinical trial team and investigators can conduct program reviews, education activities and special events.

• Eliminates proprietary IT: No proprietary software or hardware and no IT integration. No extra investments in information technologies, CRM, sales force integration and data mining.

If this interests you – drop me a line!

Data security and compliance – Best practices

January 28th, 2010 admin

Compliance is about enforcing business process – for example, PCI DSS is about getting the transaction authorized without getting the data stolen. SOX is about sufficiency of internal controls for financial reporting and HIPAA is about being able to disclose PHI to patients without leaks to unauthorized parties.

So where and how does DLP fit into the compliance equation?

Let’s start with COSO recommendations for internal controls:

“If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed…The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.”

In the attached presentation – we review data security requirements in compliance regulation, we discuss provable security and show how DLP can serve both as an invaluable measurement tool of security metrics of inbound and outbound business transactions and, when required – as a last line of defense for personal account numbers.

Research data integrity

September 3rd, 2009 admin

I usually write about best practices and practical tools to prevent data theft, data loss and data leakage – since our professional services focus on data security in Central and Eastern Europe. Data security is, I guess, a sub-specialty of security and compliance.

Security is chartered with ensuring the survival of a business and protecting its capability to generate value for customers and shareholders. The most effective security organizations are integrated for enterprise protection of physical, information, system and employee assets.

But – I was reminded today that data security is not just about data loss prevention – it’s about ensuring confidentiality, integrity and availability of data in all 4 realms – physical, information, systems and employees.

From an article on Medscape today:

Fewer than half of the clinical trials reported in high-impact-factor journals are adequately registered, while nearly a third show “some evidence of selective outcome reporting,” according to research published September 2 in the Journal of the American Medical Association.

Selective outcome reporting – is a data security violation, tampering with the integrity of the data.

Only this time – it’s human lives not credit cards.

Yikes.

Data loss prevention at work – video and porn

July 2nd, 2009 admin

Bahya ibn Paquda was the author of the first Jewish system of ethics written in Arabic in 1040 under the title Al Hidayah ila Faraid al-Qulub, Guide to the Duties of the Heart. In his view, most people acted in accord with selfish, worldly motives. This was almost 2,000 years ago before the age of entitlement in America and most other parts of the Western world.

A client once challenged me to establish a correlation between employees who surf to porn sites and download videos at work and a propensity to steal proprietary data from the company. My first comment was that porn sites are a fertile source of spyware and malware – and therefore an employee who spends time at work viewing and downloading adult content creates a vulnerability to keylogger-based attacks like the Israeli Trojan or the perennial keylogger attacks on FTP credentials (which is easy since FTP doesn’t encrypt the username/password). However – I don’t have (and I don’t know anyone who does have) empirical data from even small samples regarding employees and/or contractors who leaked data and their adult-content surfing habits.

A hint to this question of a possible correlation between data theft and acceptable usage violations in the workplace comes from a book that Rabenu Bahya wrote called “Kad Hakemach” (“The Jar of Flour”, today – I suppose we would call it “The Cookie Jar”).

Eating your own dog food

March 29th, 2009 admin

People often ask me to help them find jobs. Often, the answer is that it’s time to go out on your own and start a new career in a non-technology field, doing something you love and do well. But sometimes I suggest improving interview skills in order to improve the chances of getting hired. After having given this advice a number of times (and never having taken it myself), I decided it was time to eat my own dog food with Ten reasons you should hire Danny Lieberman.

Better physical security with more eyeballs

January 21st, 2009 admin

Big companies have lobbies and receptionists. They may have many visitors during the day not to mention messengers from FedEx, DHL, TNT, Poczta etc.

A DHL courier recently visited the offices of a client to pick up a package. He walked in, picked up 5 expensive mobile computers and notebooks, put them in the pouch and walked out.

In China and Taiwan – culturally – a white face is always trusted; in Israel, Turkey and Rome, everyone is friends. In Poland, receptionists defer to guests and may be intimidated by non-Polish speakers.

But – people are not always what they seem.

Here are 3 simple steps to improve your physical security that do not involve advanced technology – only the power of the people you already have.

Understanding culture reduces risk

January 5th, 2009 admin

It’s during the war on Hamas in Gaza and I got on a thread on a blog about why Islam is so violent. I explained that there are fundamental ideological differences between Islam and Judaism. For starters – Islam values land but not human life, Jews value human life and are willing to compromise on land.

On a much smaller scale, it’s important to understand the culture in your workplace and manage in a fair process of being open and taking commitments. Technical/professional skills are not enough.

Back in the 90s – when I worked at Intel Fab8 in Jerusalem, we were chosen to train about 150 engineers for the Intel fab in Leixlip, Ireland. I had two Irish people on my team. In particular, I remember Ronnie Murray and Dympna O’Connell (she told me – pronounce my name like “Debna”, you know, like the DEC network adapter…). Dympna once worked for Digital Equipment Corporation and I spent years developing applications on VAX/VMS, so we shared a common language, the language of Digital networking equipment.

Before the Irish engineers came on board, we went through 3 days of cross-cultural training. We learned a lot, including how much Israelis and Irish are alike – strong family values, ties to country, religion (but not too much) and openness. Of course, the Irish can drink us under the table – which is probably why we had such a great time.

My friend Isaac Botbol told me that there is a famous but true story about a Texas oil company that was intensely involved in negotiating a substantial business deal with a major company in Mexico. The American team spared no expense in flying their experts to Mexico and presenting the benefits and long term rewards of their state of the art equipment, hardware and excellent customer support. Throughout the negotiations and long hours of working together, both the Mexican and American teams developed a camaraderie and respect for each other.

The Mexicans were satisfied with the proposal and agreed to proceed with the deal. The Americans were delighted. They phoned their legal department in Houston and instructed them to fax the contract to their Mexican counterparts. Since they felt they had completed their job the American team jumped on the next flight back home.

The Mexicans were incensed! They wondered how the American team could be so rude and insensitive as to just fax a bunch of papers and expect to seal such an important deal after weeks of working closely together. The Mexican team refused to sign the contract and tried to have as little contact as possible with the American team.

Eventually, when the Americans inquired about the delay and discovered what had happened, they immediately went into damage control. For the American negotiating team, the signing of the deal meant the final phase of a process. For the Mexicans, it symbolized the beginning of a relationship. They wanted to celebrate this milestone and make it personal. They wanted this important occasion to be marked by having all the major players and their spouses, from both sides of the border, to come together and enjoy a memorable dinner.

Fortunately, this story has a happy ending because the American team was able to recover and the deal was finally signed. The lesson from this incident is quite significant because it teaches us the importance of being aware of the different cultural perspectives. While the American business stance is to be task and results oriented, the Hispanic mindset places much more emphasis on the human side of business.

When dealing with customers in Europe (especially Italy, Israel and Greece) this lesson is just as valuable. Hi-tech sales and technology management are also about understanding the cultural differences. Whether they’re your customers, colleagues or direct reports – people want to see the business as well as the human side of your leadership abilities. They want to know that despite the language differences, you genuinely care about them and the work they do. Of course this is true in every workplace, but driving home this idea and putting it into practice is much more difficult and challenging when there are different language and cultural expectations.