
Archive for the ‘Risk mitigation’ Category

Are you still using Excel for risk assessment?

June 18th, 2010, by admin

There is a school of thought that says that you can take any complex problem and break it down like Swiss cheese. Risk assessment data collection and analysis with Excel is one of those problems that can't be Swiss-cheesed. A collection of brittle, unwieldy, two-dimensional worksheets is a really bad way of doing multi-dimensional modelling.

Consider that a typical risk assessment exercise has a minimum of four dimensions (assets, threats, vulnerabilities and controls), and I think you will agree with me that Excel is a poor fit for risk assessment.

Here is where PTA (Practical Threat Analysis) comes to the rescue. You can download the free risk assessment software and try it yourself.

Any risk assessment process can be automated using Practical Threat Analysis and the PTA threat modeling database. PTA is a threat modelling methodology and software tool that has been downloaded over 15,000 times and has thousands of security analysts using it on a daily basis.

PTA (Practical Threat Analysis) was first introduced in a paper by Ygor Goldberg titled “Practical Threat Analysis for the Software Industry” published online at Security Docs in October 2005. PTA provides a number of meaningful benefits for security and compliance risk assessments:

  • Quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
  • Robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
  • Versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
  • Effective: recommends the most effective security countermeasures and their order of implementation. In our experience, PTA can help a firm mitigate 80% of the risk at 20% of the total control cost.

The PTA calculative model is implemented in a user-friendly Windows desktop application, available as freeware at the PTA Technologies web site. A PTA ISO 27001 library is available as a free download and is licensed under the Creative Commons Attribution License.

The need for cost effective risk reduction

Despite the importance of privacy and governance regulation, compliance is a necessary but not sufficient requirement for risk management.

The question is: What security controls should a firm implement after a risk assessment?

Taking ISO 27001 as a baseline security standard with a comprehensive set of controls, the ISO 27001 certification process can be as simple or as involved as an organization wants, but there are always far more available controls than threats. As a result, organizations large and small find themselves coping with a long and confusing shopping list of controls. You can implement the entire checklist of controls (if you have deep pockets), you can do nothing, or you can try to achieve the most effective purchasing and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.

However, implementing additional controls does not necessarily reduce risk.

For example, beefing up network security (firewalls and proxies) and installing advanced application security products is never a free lunch; it tends to increase the total system risk and cost of ownership as a result of the interaction between the elements and an inflation in the number of firewall and content filtering rules.

Firms often view data asset protection as an exercise in Access Control (Section 11 of ISO 27001) that requires better permissions and identity management (IDM). However, further examination of IDM systems reveals that (a) IDM does not mitigate the threat of a trusted insider with appropriate privileges and (b) the majority of IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.

How to choose cost-effective controls

A PTA threat model enables a risk analyst to discuss risk in business terms with her client and construct an economically justified set of security controls that reduces risk in a specific customer business environment. A company can execute an implementation plan for security controls consistent with its budget, instead of using an all-or-nothing checklist designed by a committee of experts who all work for companies 100x the size of your operation.
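As an added illustration of the four-dimensional model described in this post (assets, threats, vulnerabilities and controls, with everything priced in money), the following Python sketch shows how such a model can rank controls by risk reduction per unit of cost and produce an implementation order under a budget. It is not PTA's calculative model, whose formulas are not given here, and not code from PTA Technologies; the asset values, probabilities, damage fractions, control costs and mitigation fractions are all constructed sample figures, and vulnerabilities are folded into each threat's probability for brevity.

```python
# Added example: a simplified quantitative threat model in the four dimensions
# named in the post (assets, threats, vulnerabilities folded into threat
# probability, controls). This is NOT PTA's calculative model, whose formulas
# are not on the page; every figure below is a constructed sample value.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                    # monetary value stated by the business


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str                      # Asset.name the threat acts on
    probability: float              # assumed annual probability it materialises
    damage: float                   # assumed fraction of asset value then lost


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                     # total cost of ownership, same currency as assets
    mitigation: Dict[str, float]    # threat name -> fraction of that risk removed


def threat_risk(threat: Threat, assets: Dict[str, Asset]) -> float:
    """Annualised loss expectancy of one threat with no controls applied."""
    return assets[threat.asset].value * threat.probability * threat.damage


def residual_risk(threats: List[Threat], assets: Dict[str, Asset],
                  applied: List[Control]) -> float:
    """Risk left after the given controls. Mitigations multiply, so two partial
    controls on the same threat never remove more than 100% of it."""
    total = 0.0
    for t in threats:
        factor = 1.0
        for c in applied:
            factor *= 1.0 - c.mitigation.get(t.name, 0.0)
        total += threat_risk(t, assets) * factor
    return total


def select_controls(assets: Dict[str, Asset], threats: List[Threat],
                    controls: List[Control], budget: Optional[float] = None,
                    min_ratio: float = 1.0) -> List[Tuple[str, float, float, float]]:
    """Greedy implementation order: each step buys the control that removes the
    most risk per unit of cost, skipping any that would exceed the budget or
    that removes no more risk than it costs (ratio <= min_ratio).
    Returns (name, cost, cumulative cost, residual risk) per step."""
    applied: List[Control] = []
    remaining = list(controls)
    plan, spent = [], 0.0
    current = residual_risk(threats, assets, applied)
    while remaining:
        best, best_ratio, best_risk = None, min_ratio, current
        for c in remaining:
            if budget is not None and spent + c.cost > budget:
                continue
            after = residual_risk(threats, assets, applied + [c])
            ratio = (current - after) / c.cost
            if ratio > best_ratio:
                best, best_ratio, best_risk = c, ratio, after
        if best is None:
            break
        applied.append(best)
        remaining.remove(best)
        spent += best.cost
        current = best_risk
        plan.append((best.name, best.cost, spent, current))
    return plan


# Constructed sample model (not data from the page).
ASSETS = {a.name: a for a in (Asset("customer database", 1_000_000.0),
                              Asset("source code", 500_000.0))}
THREATS = [
    Threat("insider exfiltrates customer data", "customer database", 0.20, 0.50),
    Threat("SQL injection against web app", "customer database", 0.30, 0.30),
    Threat("developer laptop lost", "source code", 0.10, 0.20),
]
CONTROLS = [
    Control("database activity monitoring", 20_000.0,
            {"insider exfiltrates customer data": 0.6,
             "SQL injection against web app": 0.3}),
    Control("web application firewall", 15_000.0,
            {"SQL injection against web app": 0.7}),
    Control("full-disk encryption on laptops", 5_000.0,
            {"developer laptop lost": 0.9}),
    # IDM does little against an insider who already holds the privileges
    Control("identity management overhaul", 80_000.0,
            {"insider exfiltrates customer data": 0.2}),
]

if __name__ == "__main__":
    start = residual_risk(THREATS, ASSETS, [])
    print(f"risk with no controls: {start:,.0f}")
    for name, cost, spent, left in select_controls(ASSETS, THREATS, CONTROLS):
        print(f"{name:32s} cost {cost:>7,.0f}  spent {spent:>7,.0f}  "
              f"residual {left:>8,.0f}  ({100 * (1 - left / start):.0f}% removed)")
```

With these sample figures the plan comes out as database activity monitoring, then the web application firewall, then laptop disk encryption: 40,000 spent (a third of the 120,000 that all four controls would cost) removes about 70% of the starting 200,000 of risk, while the identity management overhaul never makes the cut because it removes less risk than it costs. Passing a `budget` cuts the plan off earlier; the point of the structure is that every "what-if" on a control is a function call over the same model rather than a hand-edited column in a worksheet.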

Brainwashed by propaganda?

June 3rd, 2010, by admin

I normally blog about data security issues – I specialize in helping technology companies prevent trusted insider data leakage, protect intellectual property, reputation and trade secrets and mitigate attacks on sensitive data by malicious software.

However – the recent terror flotilla to Israel, the double moral standard of the UN Human Rights Council condemning Israel 25 times in the past 3 years without condemning once human rights violations in Iran and Darfur – makes one pause to think.

In Israel there is a general feeling that Israelis are to blame for the world hating Israelis.

There are at least six versions of this way of thinking:

  1. Anti-semitism: people hate Israelis because they are Jewish.
  2. Extreme-left university professors have provided the political rhetoric and ammunition for our enemies.
  3. Our political leaders are weak and/or corrupt (Bibi and Barak).
  4. The occupation has corrupted Israeli morals, making Israelis despicable in the eyes of the world.
  5. If we would only get our public relations sorted out and speak with a British accent, then the world would accept a Jewish presence.
  6. The Palestinians, Iranians and Syrians really want peace, and if Israel would only stop the occupation and down-size, then we would have peace and the world would accept the Jewish nation, once it had been reduced to an acceptably small, bite-sized portion.

I believe that all versions rest on one question which has not been fundamentally tested – which is what do our neighbors really want?

Brainwashed by propaganda?
Deborah Fink from the organisation Jews for Boycotting Israeli Goods (J-BIG), said it was “disgusting” that so many children were present to support the Israeli state.
They’ve been brainwashed. We wouldn’t bring loads of children out to things like this. They go to schools where they’re brainwashed with Israeli propaganda.
Ms Fink is one of many British Jews who campaign for an end to the occupation of Gaza and the West Bank.

Apparently Ms. Fink is mind-controlled by Palestinian propaganda and has conveniently forgotten that Israel does not occupy Gaza, having left that area almost 5 years ago. Read more at BBC News – Gaza Crisis. I recommend that Ms. Fink read about the unilateral disengagement from Gaza in August 2005.

Unfortunately, we – Israelis are mind-controlled as well and have forgotten our primary mission – which is the development of the state of Israel – not down-sizing, not outsourcing nor appeasing terrorists.

There is I believe, a fundamental misunderstanding of what makes terrorists tick.

In order to test the assumption behind the various Middle East peace plans of the past 30 years – it is important to test an important hypothesis – “Israel’s neighbors want peace”.

Let's conduct a "gedanken experiment" using two assumptions, which I believe are accepted by most politicians today and are consistent with US, Russian and European foreign policy:

  1. Peace is a valuable product.
  2. Israel holds the keys to regional peace.

Since there is wide agreement in Israel, the US, Europe and Muslim countries, that Israel holds the keys to regional peace – then it becomes a question of price – how much are the other parties (Syria, Palestine, Iran, Turkey …) willing to pay to acquire that product – i.e. peace.

The price might be how much land Syria is willing to give us in return for peace, or how much water Turkey is willing to give us in exchange, or how much land Palestine is willing to pay in return for peace, or how badly Iran wants Israeli technology for clean power generation.

Once we have agreed on the price – it’s just a question of agreeing terms of payment and issuing the PO.

If the thought experiment is correct, then the current Israeli strategy of paying the buyer to take our product seems ludicrous.

If the thought experiment is incorrect – then one or more of our assumptions must be false – either our neighbors don’t want peace, peace is not a valuable commodity or – Israel doesn’t hold the keys to acquiring peace in the Middle East.

Reading past the political vitriol of Iran and Abu Maazen, it's therefore important to examine our assumptions, starting with the question "What do terrorists really want?", and understand why Israel is losing the war against terror.

Do you have a business need for DLP?

February 19th, 2010, by admin

To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.

The Book of Balance and Harmony (Chung-ho chi), a medieval Taoist book

Will security vendors, large to small (Symantec, McAfee, nexTier, ANBsys and others), succeed in restoring balance and harmony to their customers by relabeling their product suites as unified content security (Websense) or enterprise information protection (Verdasys)?

I don’t think so.

Unfortunately – data security is not an enterprise suite kind of problem like ERP. You don’t have harmony, synergy and control over business process; you have orthogonal attack vectors:

  • Human error – cc’ing a supplier by mistake on a classified RFP document
  • System vulnerabilities – Production servers with anonymous file transfer protocol (FTP) turned on
  • Criminal activity – Break-ins, bribes and double agents (workers who spy for other groups or companies)
  • Industrial competition/breach of non-disclosure agreements – the actuary who went to work for the competition

After 5 years of hype, most customers have a high awareness of DLP products, but fewer (especially outside the US) are buying DLP technologies and even fewer are succeeding with their DLP implementations. This stems from the customers' and vendors' inability to answer two simple questions:

  1. Who is the buyer?
  2. What is her motivation to protect information?

A common question I hear from my clients is, "Who should 'own' data security technology?" Is it the vice president, the internal auditor, the chief financial officer, the CIO or CSO, our security consultants, or our IT outsourcing vendor, IBM Global Services?

If there is no clear business need for information protection (the kind that a CEO can enunciate in a sentence), the company is not going to buy DLP technology.

The business need for data security derives directly from the CEO and his management team. In firms with outsourced IT infrastructure, the need for data security becomes more acute, as more people are involved who have less allegiance to the firm.

To help qualify an organization’s business need for DLP technology, let’s examine the decision drivers, or what compels companies to buy data security products, and the decision-makers, or those who sign off on the products. Let’s look at seven industries: banking, credit card issuing, insurance, pharmaceuticals, telecommunications, health care and technology.

INDUSTRY: TYPICAL DATA SECURITY DRIVERS / DECISION-MAKERS

BANKING
Drivers:
  • A real event, such as theft of confidential customer account information by trusted insiders
  • Privacy regulations such as the Gramm-Leach-Bliley Act and HIPAA
  • The Sarbanes-Oxley Act, for transparency and timeliness in reporting of significant events
Decision-makers: CSO or CIO

CREDIT CARD ISSUERS
Drivers:
  • Ongoing theft of customer transactional information by customer service reps
  • Data breach threat to credit card numbers that haven't yet been printed on plastic cards and issued to card holders
  • Privacy regulations, Sarbanes-Oxley, nondisclosure agreements with business partners
Decision-makers: The security officer or information security officer (many issuers have separate functions for physical and information security)

INSURANCE
Drivers:
  • A real event, such as theft of customer lists by competitors
  • Fear of losing actuarial data
  • Exposure to data leakage of credit card numbers in online systems
Decision-makers: General counsel, VP of internal audit, CFO

PHARMACEUTICALS
Drivers:
  • Theft of chemistry, manufacturing and control information, product formulation and genome data by trusted insiders
  • Difficulty in preserving secrecy of sensitive intellectual property prior to patent filings
  • Sensitivity of company records during due diligence processes
Decision-makers: General counsel, CFO, chief compliance officer

TELECOM/ONLINE BUSINESS
(Telecom service providers and large online operations such as Yahoo collect and aggregate huge quantities of data, and the higher up the value chain you go with data aggregation, the more valuable and vulnerable the asset.)
Drivers:
  • Prepaid code files
  • Pricing data
  • Strategic marketing plans
  • Call detail records (analogous to credit card transaction records; these are extruded by customer service representatives to private investigators and are difficult to detect)
  • Customer credit card records
Decision-makers: VP of internal audit, VP of technologies

HEALTH CARE
Drivers:
  • Privacy regulations/HIPAA
  • Need to protect pricing data of drugs and supplies purchased by the health care organization
Decision-makers: CSO, VP of internal audit

TECHNOLOGY COMPANIES
Drivers: theft of
  • Source code
  • Designs, pictures and plans of proprietary equipment
  • Strategic marketing plans
Decision-makers: CEO, CTO

Night walking on the freeway

November 23rd, 2009, by admin

Ian Fleming once remarked how American road signs were so sexy – “winding curves” and “soft shoulders”.

I was thinking of Ian Fleming while taking an unexpected 5K walk at night on the shoulders of a 6-lane freeway.

Last night I was driving my daughter's car on Route 6. There was a leak in the water pump, the engine overheated, and I stopped by the side of the road and called a tow.

Visualize. Route 6 South, 2 km before the Kfar Daniel interchange, 7 pm at night.

The tow company (Derachim) told me: up to 3 hours, plus a 60 sheqel surcharge for service on Route 6. They asked me how I would like to pay and I said "cash". After 1 1/2 hours the tow shows up, takes the car and, instead of taking the car (and me) to our garage in Shilat, leaves me by the roadside and drives off "to pick up another car in Rishon". I started walking; after a brisk 5 km hike I got a ride from a woman who had stopped by the side to change her shoes. I got my wife on the horn and we rendezvoused at the gas station at Latrun.

The icing on the cake was a series of phone messages on my cell from the tow company at 11:30 pm, saying that they understood I was supposed to pay the Route 6 surcharge by credit card.

Third party verification of verbal agreements

September 16th, 2009, by admin

My lawyer once told me that I should be careful with verbal commitments, since a verbal commitment can often be construed as a binding agreement. The question is how to verify the verbal agreement and enforce non-repudiation.

There are many cases in life where you want to be able to verify a verbal commitment using a trusted third party in order to prevent the other side from repudiating/reneging on the agreement.

You're doing a sales transaction over the phone; you have a face-to-face meeting that ends with a verbal agreement and a handshake; you have an accident and agree terms verbally with the other party; you are in a divorce process and have agreed verbally on money and custody issues.

I always thought that this would be a great application for a mobile service provider: you could call up a third-party verification number, the two parties would state their names and ID numbers and agree into the phone, and the digital recording would get a timestamp and a reference number.

Data Exchange is a company in Tulsa, Oklahoma that provides the ability to protect verbal agreements with third-party verification.

Return on security investment

September 1st, 2009, by admin

The Control Policy Group is presenting a series of 6 free online workshops starting Sep 3, 2009 at 15:00 GMT. The first workshop, "Using data security metrics and a value-based approach", will teach how to measure how well security tools reduce Value at Risk in dollars (or in euro) and how well they will do 3 years from now.

The Control Policy Group is providing these workshops as a free service to the security and risk professionals community after having identified a gap between the security practitioner and the management board.

The gap is this: management speaks the language of money, and security practitioners speak the language of technical security countermeasures like DLP, database security and messaging security.

From a management board perspective, budgets for security projects like DLP are a capital cost in a down GFC economy; Control Policy Group clients in Europe and the Middle East have slashed security and risk budgets by about 50% since the beginning of the year.

From a security and risk practitioner perspective, data breaches went up almost 50% in 2008; there is more phishing, more web defacing, more Web applications to secure, and yet less head-count and capital budget to do the job.

In order to close the gap, the Control Policy Group has built a model that helps an organization measure how well a new security product reduces Value at Risk in dollars (or in euro) and how well it will do 3 years after you buy the technology.

Modern security tools are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However, since these tools have no notion of your business context and of how much you value your information assets, it is likely that a company's security spending is misdirected.

This series of workshops is designed to help the security and risk team take a leadership role in the board room instead of waiting for vendor proposals. Through specific Business Threat Modeling(TM) tactical methods, you will learn how to quantify threats, value your risk and choose the most cost-effective security technologies to protect your data.
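As an added example of the measurement this post describes (how much Value at Risk a product removes now and three years after purchase), the Python below projects a product's effect year by year when the threat level grows and the product's effectiveness decays, and compares two candidates by a simple return-on-security-investment figure. It is not the Control Policy Group's model, which the post does not describe; the starting Value at Risk, the growth and decay rates, the costs and the product names are all constructed assumptions.

```python
# Added example: projecting a security product's effect on Value at Risk (VaR)
# over three years. This is not the Control Policy Group's model, which the
# post does not describe; growth, decay, cost and product figures are constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Product:
    name: str
    capex: float            # purchase and implementation cost, paid in year 1
    opex: float             # annual licence, staffing and tuning cost
    effectiveness: float    # fraction of VaR removed in year 1
    decay: float            # fraction of effectiveness lost each following year


Row = Tuple[int, float, float, float, float]


def project(var_today: float, threat_growth: float, product: Product,
            years: int = 3) -> List[Row]:
    """Per year: (year, VaR without the product, VaR with it, VaR removed, cost).
    The threat level grows geometrically; effectiveness decays geometrically as
    attackers adapt and rules go untuned (assumed shape, not a measured one)."""
    rows: List[Row] = []
    for y in range(1, years + 1):
        var = var_today * (1.0 + threat_growth) ** (y - 1)
        eff = product.effectiveness * (1.0 - product.decay) ** (y - 1)
        with_product = var * (1.0 - eff)
        cost = product.opex + (product.capex if y == 1 else 0.0)
        rows.append((y, var, with_product, var - with_product, cost))
    return rows


def rosi(rows: List[Row]) -> float:
    """Return on security investment over the horizon: (VaR removed - cost) / cost."""
    removed = sum(r[3] for r in rows)
    cost = sum(r[4] for r in rows)
    return (removed - cost) / cost


def rank_products(var_today: float, threat_growth: float,
                  products: List[Product], years: int = 3) -> List[Tuple[str, float]]:
    """Products ordered by ROSI over the horizon, best first."""
    scored = [(p.name, rosi(project(var_today, threat_growth, p, years)))
              for p in products]
    return sorted(scored, key=lambda s: s[1], reverse=True)


# Constructed scenario: VaR of 400,000 today, threat level growing 50% a year.
VAR_TODAY = 400_000.0
THREAT_GROWTH = 0.5
PRODUCTS = [
    Product("DLP suite", capex=150_000.0, opex=40_000.0,
            effectiveness=0.5, decay=0.25),
    Product("vulnerability scanner", capex=30_000.0, opex=20_000.0,
            effectiveness=0.2, decay=0.4),
]

if __name__ == "__main__":
    for p in PRODUCTS:
        print(p.name)
        for y, var, with_p, removed, cost in project(VAR_TODAY, THREAT_GROWTH, p):
            print(f"  year {y}: VaR {var:>9,.0f} -> {with_p:>9,.0f}  "
                  f"removed {removed:>9,.0f}  cost {cost:>9,.0f}")
    for name, score in rank_products(VAR_TODAY, THREAT_GROWTH, PRODUCTS):
        print(f"{name:22s} 3-year ROSI {score:.2f}")
```

In this scenario the DLP suite removes 200,000, 225,000 and 253,125 of VaR in years one to three against 270,000 of total cost (a three-year ROSI of about 1.51), while the cheaper scanner removes less each year as its effectiveness decays faster (about 1.41). The useful part for a board discussion is the per-year row, not the single ratio: it shows in money whether a product keeps paying for itself as the threat level and the opex both move.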

Reducing risk of major data loss events

June 18th, 2009, by admin

Martin Hellman (of Diffie-Hellman fame) maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled Soaring, cryptography and nuclear weapons.

Hellman proposes that we need a third-state scenario (instead of only the current state leading to nuclear war) in which the risk of nuclear holocaust has been reduced by several orders of magnitude from today, to an acceptable level.

This makes sense, and it is an intriguing exercise in information security and data protection risk analysis to ask whether there is a comparable third state of reduced risk, in which the risk of data breaches and major data loss events is brought down to acceptable levels.

That’s one thing that got me thinking.

The second thing is the quote from Fyodor Burlatsky, one of Khrushchev's speechwriters and close advisors, as well as a man who was in the forefront of the Soviet reform movement:

In Khrushchev's eyes [America insisting on getting its way on certain issues] was not only an example of Americans' traditional strong arm policy, but also an underestimation of Soviet might. … Khrushchev was infuriated by the Americans' … continuing to behave as if the Soviet Union was still trailing far behind.

So here we are in 2009, and President Obama is insisting on getting his way on certain issues with the Iranians, who pose a serious nuclear threat to the world. But not only Ahmadinejad: the Russians and the North Koreans are also infuriated by the Americans' … continuing to behave as if they are still trailing far behind.

Imperfect knowledge security

May 19th, 2009, by admin

Keeping the organization robust in a highly dynamic threat environment

Our capacity to predict will be confined to . . . general characteristics of the events to be expected and not include the capacity for predicting particular individual events. . . Yet the danger of which I want to warn is precisely the belief that in order to be accepted as scientific it is necessary to achieve more. This way lies charlatanism and more. I confess that I prefer true but imperfect knowledge . . . to a pretence of exact knowledge that is likely to be false.

FRIEDRICH A. HAYEK

"The Pretence of Knowledge," Nobel Lecture

Modern information security models usually assume a pre-defined defensive structure of networks, systems, procedures, defenders and attackers, the properties of which are usually specified by vendors (i.e. defining the problem by the solution).

The problem with such models is that, in reducing the organization to a passive executor of the defense rules in its firewalls, they ignore the extreme ways in which attack patterns change over time. Any security policy that is presumed optimal today is likely to be obsolete tomorrow. So learning about changes is at the heart of day-to-day security management.

Foreign Corrupt Practices Act: The DoJ and SEC Are Coming

May 4th, 2009, by admin

There is compliance with industry regulation like PCI DSS 1.2, which is aimed at consumer protection, and then there is compliance with government regulation like the FCPA, which is aimed at maintaining a high ethical level of behavior and ensuring a level playing field in business.

For a large global company like Monsanto, Merck or Johnson and Johnson, FCPA is an exercise in compliance, awareness training, monitoring and risk management. Clearly, paying bribes to government employees, directly or indirectly via third-party intermediaries, is problematic from an ethical standpoint, and attempts to dilute the problem by explaining that there are gray areas and cultural differences don't change the ethical substance. Like many issues in compliance and risk management, preventing Foreign Corrupt Practices violations is not as simple as it looks, although the principle is straightforward: "Thou shalt not give a bribe".

A seminar at Bioworld last year dealt with the challenge of FCPA compliance using language such as:

  • 15 red flags to indicate non-compliance—find and fix these before the DoJ and SEC do it for you!
  • Activities for which you can be held accountable, even if committed by foreign subsidiaries, suppliers, or rogue employees
  • 5 guidelines for creating FCPA policies, based on recent cases
  • 3 foreign official risk areas—did you realize making remuneration to these people could be a Federal crime?
  • Who should write procedures, and who should implement them
  • Advice and resources for training staff locally and abroad
  • 9 ways to audit and assess your FCPA compliance program
  • Internal investigations—when to conduct one, who should conduct it, and what to do if you find evidence of non-compliance
  • Issues with conducting employee interviews and collecting electronic records

Data discovery and organization

April 28th, 2009, by admin

The problem is that you know where you start, you don’t know where you finish and you will always have trouble organizing the useful references you collect on the way.

After a call with a client, I started investigating how to provide high value scientific data in a social network for doctors and medical representatives in a way that would bypass the sticky issues of digital asset protection, content preparation, distrust of vendor-sponsored forums and information overload.

Earlier this week, a conversation with a nephrologist convinced me that this is a problem of data discovery and organization, not content creation. Like everyone else, doctors are swimming in an ocean of information – they just have less time and more patients on their hands than the average programmer or sales person.

So I started searching and found out about science social networking, heard about a science social networking killer app, moved on to discover Synthese Recommender and tried it out on Tamiflu effectiveness (swine flu is in the news these days, with travel alerts to Mexico), read a fiction article called Raj, Bohemian, went back and posted a general reference on the Wikipedia article on risk assessment describing my work on a quantitative approach to data security, then spent some time in the Apache project reading about the technology underpinnings of Synthese: Mahout and Tika.

Then I blogged and tweeted a bit and emailed my wife about all this great stuff (she's a librarian and I thought she'd be as excited as I was; she wasn't)…

Three hours of fascinating clicking later, it's now time to go pick up Carmel from the day care center, since they finish early today, it being the evening before Israeli Independence Day.