Archive

Archive for the ‘Privacy’ Category

Data security and compliance – Best practices

January 28th, 2010 admin Comments off

Compliance is about enforcing business process. For example, PCI DSS is about getting the transaction authorized without getting the data stolen, SOX is about the sufficiency of internal controls for financial reporting, and HIPAA is about being able to disclose PHI to patients without leaks to unauthorized parties.

So where and how does DLP fit into the compliance equation?

Let’s start with COSO recommendations for internal controls:

“If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed…The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.”
In the attached presentation we review the data security requirements in compliance regulation, discuss provable security, and show how DLP can serve both as a measurement tool for security metrics on inbound and outbound business transactions and, when required, as a last line of defense for personal account numbers.

Research data integrity

September 3rd, 2009 admin Comments off

I usually write about best practices and practical tools to prevent data theft, data loss and data leakage, since our professional services focus on data security in Central and Eastern Europe. Data security is, I guess, a sub-specialty of security and compliance.

Security is chartered with ensuring the survival of a business and protecting its capability to generate value for customers and shareholders. The most effective security organizations are integrated for enterprise protection of physical, information, system and employee assets.

But I was reminded today that data security is not just about data loss prevention. It is about ensuring confidentiality, integrity and availability of data in all four realms: physical, information, systems and employees.

From an article on MedScape today:

Fewer than half of the clinical trials reported in high-impact-factor journals are adequately registered, while nearly a third show “some evidence of selective outcome reporting,” according to research published September 2 in the Journal of the American Medical Association.

Selective outcome reporting is a data security violation: tampering with the integrity of the data.

Only this time – it’s human lives not credit cards.

Yikes.

Data loss prevention at work – video and porn

July 2nd, 2009 admin Comments off

Bahya ibn Paquda was the author of the first Jewish system of ethics written in Arabic, in 1040, under the title Al Hidayah ila Faraid al-Qulub (Guide to the Duties of the Heart). In his view, most people acted in accord with selfish, worldly motives. This was almost 1,000 years ago, before the age of entitlement in America and most other parts of the Western world.

A client once challenged me to establish a correlation between employees who surf to porn sites and download videos at work and a propensity to steal proprietary data from the company. My first comment was that porn sites are a fertile source of spyware and malware, and therefore an employee who spends time at work viewing and downloading adult content creates a vulnerability to keylogger-based attacks like the Israeli Trojan or the perennial keylogger attacks on FTP credentials (which is easy since FTP doesn’t encrypt username/password). However, I don’t have (and I don’t know anyone who does have) empirical data from even small samples regarding employees and/or contractors who leaked data and their adult-content surfing habits.

A hint on this question of a possible correlation between data theft and acceptable-usage violations in the workplace comes from a book that Rabenu Bahya wrote called “Kad Hakemach” (“The Jar of Flour”; today, I suppose, we would call it “The Cookie Jar”).

Read more…

Eating your own dog food

March 29th, 2009 admin Comments off

People often ask me to help them find jobs. Often, the answer is that it’s time to go out on your own and start a new career in a non-technology field, doing something you love and do well. But sometimes I suggest improving interview skills in order to improve the chances of getting hired. After having given this advice a number of times (and never having taken it myself) I decided it was time to eat my own dog food with Ten reasons you should hire Danny Lieberman


Better physical security with more eyeballs

January 21st, 2009 admin Comments off

Big companies have lobbies and receptionists. They may have many visitors during the day not to mention messengers from FedEx, DHL, TNT, Poczta etc.

A DHL courier recently visited the offices of a client to pick up a package.  He walked in, picked up 5 expensive mobile computers and notebooks, put them in the pouch and walked out.

In China and Taiwan, culturally, a white face is always trusted; in Israel, Turkey and Rome, everyone is a friend. In Poland, receptionists defer to guests and may be intimidated by non-Polish speakers.

But people are not always what they seem.

Here are 3 simple steps to improve your physical security that do not involve advanced technology – only the power of the people you already have.

Read more…

Understanding culture reduces risk

January 5th, 2009 admin 3 comments

It’s during the war on Hamas in Gaza and I got on a thread on a blog about why Islam is so violent. I explained that there are fundamental ideological differences between Islam and Judaism. For starters – Islam values land but not human life, Jews value human life and are willing to compromise on land.

On a much smaller scale, it’s important to understand the culture in your workplace and to manage with a fair process of being open and taking commitments. Technical/professional skills are not enough.


Back in the 90s, when I worked at Intel Fab8 in Jerusalem, we were chosen to train about 150 engineers for the Intel fab in Leixlip, Ireland. I had two Irish people on my team. In particular, I remember Ronnie Murray and Dympna O’Connell (she told me: pronounce my name like “Debna”, you know, like the DEC network adapter…). Dympna once worked for Digital Equipment Corporation and I spent years developing applications on VAX/VMS, so we shared a common language, the language of Digital networking equipment.

Before the Irish engineers came on board, we went through 3 days of cross-cultural training. We learned a lot, including how much Israelis and Irish are alike: strong family values, ties to country, religion (but not too much) and openness. Of course, the Irish can drink us under the table, which is probably why we had such a great time.

My friend Isaac Botbol told me that there is a famous but true story about a Texas oil company that was intensely involved in negotiating a substantial business deal with a major company in Mexico. The American team spared no expense in flying their experts to Mexico and presenting the benefits and long term rewards of their state of the art equipment, hardware and excellent customer support. Throughout the negotiations and long hours of working together, both the Mexican and American teams developed a camaraderie and respect for each other.

The Mexicans were satisfied with the proposal and agreed to proceed with the deal. The Americans were delighted. They phoned their legal department in Houston and instructed them to fax the contract to their Mexican counterparts. Since they felt they had completed their job the American team jumped on the next flight back home.

The Mexicans were incensed! They wondered how the American team could be so rude and insensitive as to just fax a bunch of papers and expect to seal such an important deal after weeks of working closely together. The Mexican team refused to sign the contract and tried to have as little contact as possible with the American team.

Eventually, when the Americans inquired about the delay and discovered what had happened, they immediately went into damage control. For the American negotiating team, the signing of the deal meant the final phase of a process. For the Mexicans, it symbolized the beginning of a relationship. They wanted to celebrate this milestone and make it personal. They wanted this important occasion to be marked by having all the major players and their spouses, from both sides of the border, come together and enjoy a memorable dinner.

Fortunately, this story has a happy ending because the American team was able to recover and the deal was finally signed. The lesson from this incident is quite significant because it teaches us the importance of being aware of the different cultural perspectives. While the American business stance is to be task and results oriented, the Hispanic mindset places much more emphasis on the human side of business.

When dealing with customers in Europe (especially Italy, Israel and Greece) this lesson is just as valuable. Hi-tech sales and technology management are also about understanding the cultural differences. Whether they’re your customers, colleagues or direct reports, people want to see the business as well as the human side of your leadership abilities. They want to know that despite the language differences, you genuinely care about them and the work they do. Of course this is true in every workplace, but driving home this idea and putting it into practice is much more difficult and challenging when there are different language and cultural expectations.

Social media cell phone

November 6th, 2008 admin Comments off

The newspapers this morning, online and print, had a number of items citing how Obama won in the social networking space. Au contraire: Obama won the election because he sold Americans a message of hope, even if it was modeled on a character from the TV series “24”.

The majority of Americans are not wired like us high-tech geeks, but TV and cell phones are something that everyone watches and uses.

Next week, in the U.K. and Australia, Hutchison will launch a new 3G cell phone with social networking applications. The phone is produced by the new Hutchison mobile device subsidiary INQ Mobile.

The new handset is supposedly a new product category of “low-cost social mobile” devices that make applications like Facebook as easy to use as SMS texting. The key to stimulating more data usage by mobile subscribers is to reduce the cost to the operator and provide easy-to-use applications. Cellular operators, having already made large CapEx investments in 3G infrastructure, need to drive data usage to all users, not just the 15% that use smart phones today.

Using a smart phone for social networking raises some interesting security questions. Where you could once be anonymous online, it will now be easier to track down the exact identity or even the physical location of that hot-looking woman you are chatting with: a cellphone number identifies a person far more precisely than a geographic lookup of an IP address.

For the full article see: Hutchison preps Facebook Phone Launch


Misguided Security

October 24th, 2008 admin 7 comments

I recently signed up on the ANSI Web site to download a document on cyber risk calculation and they had a minimum 10-character password requirement. They also share your personal data (all demographics are required fields, by the way) with third parties; at least they have an opt-out check box on the registration form.

The ANSI Web security policy is misguided: they are collecting too much personal data while requiring strong passwords, and a strong password cannot mitigate the risk of sharing personal information with third parties. Once personal data is stored on a third-party server, ANSI cannot guarantee its privacy, according to their own privacy statement.


When should you encrypt email?

September 18th, 2008 admin Comments off

A while back, a colleague asked me what is the best way to encrypt internal email.

My first question to him was: what is the threat, who is the attacker and what is the asset you are protecting? Are you trying to encrypt business communications between employees and vendors/customers to protect them from eavesdroppers, or do you want to encrypt the message repository and protect it from attackers? Before applying encryption as a security countermeasure, do a little threat analysis first.

My experience with data loss prevention, using systems that monitor millions of transactions and hundreds of violations a year, has shown the following:

a. It’s better to send outgoing email in clear text because

1) you can monitor what people are doing  and

2) having a business partner decrypt/encrypt is generally a pain in the ass that is greater than the value of the business transaction.

There is little reason to encrypt internal email in my experience. Let’s say that Mike in sales has an insider tip on company stock options and he wants to tell Candace in HR. Encryption doesn’t mitigate that threat. Let’s say that Joe has a secret algorithm he wants to sell to Gene, who works the dark side. Encrypting internal email won’t mitigate that threat either. If there are confidential files being sent by email to external destinations, encrypt the files and give the key to the recipient over a separate channel.

If you’re concerned about data leakage then your cheapest and most effective countermeasure is monitoring email transmission for particular data types and destinations.

b. If you have high-value business communications between your company and vendors, you are better off just encrypting the file (for example a sensitive contract or product design document) and sending the encrypted attachment. This lets you monitor who is sending and who is receiving, and with the right monitoring system you will be able to detect that an encrypted file was sent, which is interesting information in its own right.

Read my blog entry on this topic http://www.software.co.il/blog/2007/06/secure_communications_without_1.html
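As an added example of the monitoring approach described above (not code from the original post), the script below inspects outbound messages the way a simple DLP check would: it flags card numbers that pass the Luhn check, notes whether any recipient is outside the company domain, and detects encrypted attachments (PGP armor, S/MIME parts, or a ZIP whose header has the encryption flag set), which the post says is worth knowing in its own right. The company domain example.com, the verdict policy and the three sample messages are constructed assumptions.

```python
import email
import re
import struct
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.com"  # assumed company domain; replace with yours
# 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out phone numbers, IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Card-number-shaped digit runs in text that also pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def is_encrypted_part(part) -> bool:
    """True for PGP/S-MIME parts or a ZIP attachment flagged as encrypted."""
    if part.get_content_type() in ("application/pgp-encrypted",
                                   "application/pkcs7-mime"):
        return True
    data = part.get_payload(decode=True) or b""
    if b"-----BEGIN PGP MESSAGE-----" in data:
        return True
    # ZIP local file header: bit 0 of the general-purpose flags = encrypted
    if data[:4] == b"PK\x03\x04" and len(data) >= 8:
        return bool(struct.unpack("<H", data[6:8])[0] & 1)
    return False


def verdict(external: list, pans: list, encrypted: bool) -> str:
    """Constructed policy: PANs leaving the company are blocked; PANs inside
    or encrypted files going out are logged for review; the rest passes."""
    if pans and external:
        return "block"
    if pans or (encrypted and external):
        return "alert"
    return "allow"


def inspect(raw: bytes) -> dict:
    """Parse one outbound RFC 822 message and report what a DLP gateway would log."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipients = []
    for field in ("To", "Cc", "Bcc"):
        if msg[field] is not None:
            recipients += [a.addr_spec.lower() for a in msg[field].addresses]
    external = [r for r in recipients if not r.endswith("@" + INTERNAL_DOMAIN)]
    pans, encrypted = [], False
    for part in msg.walk():
        if part.get_content_type() == "multipart/encrypted":
            encrypted = True
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text":
            pans += find_pans(part.get_content())
        elif is_encrypted_part(part):
            encrypted = True
    return {"sender": str(msg["From"]), "external": external, "pans": pans,
            "encrypted": encrypted, "verdict": verdict(external, pans, encrypted)}


def _sample(sender: str, to: str, body: str, zip_bytes: bytes = None) -> bytes:
    """Constructed sample message (not real traffic)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = to
    m["Subject"] = "constructed sample"
    m.set_content(body)
    if zip_bytes is not None:
        m.add_attachment(zip_bytes, maintype="application", subtype="zip",
                         filename="contract.zip")
    return m.as_bytes()


# Constructed 30-byte ZIP local file header with the encryption flag (bit 0) set
ENCRYPTED_ZIP = b"PK\x03\x04" + struct.pack("<HH", 20, 1) + bytes(22)

SAMPLES = [
    _sample("alice@example.com", "bob@example.com",
            "Please reimburse card 4111 1111 1111 1111 for the trip."),
    _sample("alice@example.com", "legal@vendor.test",
            "Contract attached; the key goes by phone.", ENCRYPTED_ZIP),
    _sample("mike@example.com", "friend@webmail.test",
            "Use the corporate card 5555 5555 5555 4444 for the hotel."),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(inspect(raw))
```

Feeding real traffic is a matter of calling `inspect()` on each message the MTA hands to a content filter. The interesting property, as the post argues, is that the second sample (an encrypted ZIP to a vendor) is still visible: who sent it, to whom, and that it was encrypted, even though its contents are not.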

Automated hacking of Joomla Web sites

September 14th, 2008 admin Comments off

A lot has been written about Google-aided automation of hacking. There is little I can add to this topic besides some personal and practical advice.

If you’re running Joomla 1.5 you may have noticed search-engine referers of the sort “powered by joomla .domain_name_extension” in your Apache access.log file. It’s almost certain you’ll find a few of these if you’re running a Web site with an Israeli domain suffix, .co.il. This is an interesting attack vector: Islamic groups use Google to search for Israeli Web sites powered by vulnerable versions of the Joomla 1.5.x software. If the exploit works, the results are anything from Web site defacement to taking over the admin account.

Here are 4 tips for mitigating this particular class of vulnerability:

1) Stay up to-date with the latest version of Joomla software. There are a ton of resources on the Web telling people how to do that. Use Google.

2) Less is more. The latest versions of Joomla 1.5.x have more than enough functionality for a world-class content web site. Instead of installing a bunch of vulnerable plugins – concentrate on writing interesting and relevant content.

3) Obfuscate. Remove references to “Powered by Joomla” in templates and document.php:

a. Edit the footer and document templates, you can do that in the administrator GUI.

b. Edit libraries/joomla/document/document.php and remove the meta generator tag reference to Joomla 1.5. (Editing a core file means the next Joomla update puts the string back; setting a different generator string with $this->setGenerator() in your template’s index.php survives updates.) I see no reason to advertise to search engines what version of the CMS you’re using. Put anything else there instead, like DotNetNuke, even if you’re running Joomla on an Ubuntu box: Google only indexes what the page says, and I don’t believe you can use Google for passive OS fingerprinting the way p0f does from the TCP/IP stack.

c. Rename the admin user account. Call it anything but admin; there is no point in giving the bad guys an advantage.

4) Diversify your applications. Diversification is a technique used in investing and telecommunications in order to reduce risk. Basically what it means is to distribute your application services and create a smaller attack surface on your content management site. If you need a mailing list, use one of the commercial mailing list services like Constant Contact. If you need a social network, use a commercial service like Ning or use an Open Source social networking application like Elgg. If you need a blog, use WordPress or Blogger. Diversification means not putting all your eggs in one basket: if someone hacks your server and steals a list of 5000 names, you might be liable for third-party lawsuits, and you may have committed an offense under one of the US state privacy laws like California SB1386 or under EU privacy regulation, depending on where your servers reside. If someone steals names from Constant Contact, you won’t have the liability, and without names your database is a less attractive target for identity theft attacks.
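An added example (not code from the original post) of two checks that follow from the log observation above and from tip 3: a scan of Apache combined-format access.log lines for visitors arriving from a search-engine query containing the “powered by joomla” dork, correlated with subsequent requests to /administrator/ from the same address, and a check of a rendered page for the generator meta tag and footer string that tip 3 removes. The log lines, the IP addresses and the two HTML snippets are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
DORK_RE = re.compile(r"powered by joomla", re.I)
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]*)"', re.I)
SEARCH_HOSTS = ("google.", "bing.", "yahoo.")


def search_query(referer: str):
    """Return the search string if the referer is a search-engine results page."""
    u = urlsplit(referer)
    if not any(h in u.netloc for h in SEARCH_HOSTS):
        return None
    qs = parse_qs(u.query)
    for key in ("q", "p", "query"):  # google/bing, yahoo, others
        if key in qs:
            return qs[key][0]
    return None


def scan_log(lines):
    """Requests whose referer was a search for the Joomla dork."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        q = search_query(m["referer"])
        if q and DORK_RE.search(q):
            hits.append({"ip": m["ip"], "query": q, "request": m["req"]})
    return hits


def correlate(lines):
    """Per source IP that arrived via the dork: the query and how many
    requests it then made to /administrator/ (login attempts follow recon)."""
    lines = list(lines)
    dork_ips = {h["ip"]: h["query"] for h in scan_log(lines)}
    admin = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["ip"] in dork_ips and "/administrator" in m["req"]:
            admin[m["ip"]] += 1
    return {ip: {"query": q, "admin_hits": admin[ip]} for ip, q in dork_ips.items()}


def fingerprints(html: str):
    """Strings on a rendered page that tell Google (and attackers) it is Joomla."""
    found = []
    m = GENERATOR_RE.search(html)
    if m and "joomla" in m.group(1).lower():
        found.append("generator:" + m.group(1))
    if DORK_RE.search(html):
        found.append("footer:powered-by")
    return found


# Constructed log lines (documentation IP ranges, fictitious site)
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Sep/2008:10:21:03 +0300] "GET / HTTP/1.1" 200 5123 '
    '"http://www.google.com/search?q=%22powered+by+joomla%22+site%3A.co.il" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Sep/2008:10:21:09 +0300] "GET /administrator/ HTTP/1.1" 200 2210 '
    '"http://www.example.co.il/" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Sep/2008:10:21:15 +0300] "POST /administrator/index.php HTTP/1.1" 303 0 '
    '"http://www.example.co.il/administrator/" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Sep/2008:10:25:44 +0300] "GET /index.php?option=com_content HTTP/1.1" 200 8000 '
    '"http://www.google.com/search?q=israeli+recipes" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Sep/2008:10:30:00 +0300] "GET /administrator/index.php HTTP/1.1" 200 2210 '
    '"-" "Mozilla/5.0"',
]

# Constructed pages: a stock Joomla 1.5 front page and the same page after tip 3
SAMPLE_HTML = ('<html><head>\n<meta name="generator" content="Joomla! 1.5 - Open Source '
               'Content Management" />\n<title>Site</title></head><body>\n'
               '<div id="footer">Powered by Joomla!</div></body></html>')
HARDENED_HTML = ('<html><head><title>Site</title></head><body>'
                 '<div id="footer">&copy; 2008</div></body></html>')

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
    print(fingerprints(SAMPLE_HTML), fingerprints(HARDENED_HTML))
```

Against a live server, `correlate(open("/var/log/apache2/access.log"))` gives the list of addresses that found the site through the dork and then went straight for the admin login, which is the sequence the post describes; the third address in the sample hits /administrator/ too, but without the dork referer it is left out, since an administrator logging in directly looks the same in the log.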