Israeli Software

To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.

The Book of Balance and Harmony

(Chung-ho chi).
A medieval Taoist book

Will security vendors, large to small  (Symantec, Mcafee, nexTier, ANBsys and others..) succeed in restoring balance and harmony to their customers by relabeling their product suites as unified content security (Websense) or enterprise information protection (Verdasys)?

I don’t think so.

Unfortunately – data security is not an enterprise suite kind of problem like ERP. You don’t have harmony, synergy and control over business process; you have orthogonal attack vectors:

• Human error – cc’ing a supplier by mistake on a classified RFP document
• System vulnerabilities – Production servers with anonymous file transfer protocol (FTP) turned on
• Criminal activity – Break-ins, bribes and double agents (workers who spy for other groups or companies)
• Industrial competition/breach of non-disclosure agreements – the actuary who went to work for the competition

After 5 years of hype, most  customers have a high awareness of DLP products but fewer (especially outside the US) are buying DLP technologies  and even fewer are succeeding with their DLP implementations. This stems from the customer and vendors’ inability to answer two simple questions:

1. Who is the buyer?
2. What is her motivation to protect information?

A common question I hear from my clients, is, “Who should ‘own’ data security technology?” Is it the vice president, internal auditor, chief financial officer, CIO or CSO, our security consultants or our IT outsourcing vendor; IBM Global Services?

If there is no clear business need for information protection (the kind that a CEO can enunciate in a  sentence) – the company is not going to buy DLP technology.

The business need for data security derives directly from  the CEO and his management team. In firms with outsourced IT infrastructure, the need for data security becomes more acute as more people are involved with less allegiance to the firm.

To help qualify an organization’s business need for DLP technology, let’s examine the decision drivers, or what compels companies to buy data security products, and the decision-makers, or those who sign off on the products. Let’s look at seven industries: banking, credit card issuing, insurance, pharmaceuticals, telecommunications, health care and technology.

INDUSTRY	TYPICAL DATA SECURITY DRIVERS	DECISION – MAKERS
BANKING	A real event, such as theft of confidential customer account information by trusted insiders Privacy regulations such as the Gramm-Leach-Bliley Act, HIPAA The Sarbanes-Oxley Act, for transparency and timeliness in reporting of significant events	CSO or CIO
CREDIT CARD ISSUERS	Ongoing theft of customer transactional information by customer service reps Data breach threat to credit card numbers that haven’t yet been printed on plastic cards and issued to card holders Privacy regulations, Sarbanes-Oxley , nondisclosure agreements with business partners	The security officer or information security officer (many issuers have separate functions for physical and information security)
INSURANCE	A real event, such as theft of customer lists by competitors Fear of losing actuarial data Exposure to data leakage of credit card numbers in online systems	General counsel, VP of internal audit, CFO
PHARMACEUTICALS	Theft of chemistry, manufacturing and control information, product formulation and genome data by trusted insiders Difficulty in preserving secrecy of sensitive intellectual property prior to patent filings Sensitivity of company records during due diligence processes	General counsel, CFO, chief compliance officer
TELECOM/ONLINE BUSINESS (Telecom service providers and large online operations such as Yahoo collect and aggregate huge quantities of data, and the higher up the value chain you go with data aggregation, the more valuable and vulnerable the asset.)	Prepaid code files Pricing data Strategic marketing plans Call detail records (analogous to credit card transaction records, these are extrusions by customer service representatives to private investigators and difficult to detect) Customer credit card records	VP of internal audit, VP of technologies
HEALTH CARE	Privacy regulations/HIPAA Need to protect pricing data of drugs and supplies purchased by the health care organization	CSO, VP of internal audit
TECHNOLOGY COMPANIES	Theft of: Source code Designs, pictures and plans of proprietary equipment Strategic marketing plans	CEO, CTO

Ian Fleming once remarked how American road signs were so sexy – “winding curves” and “soft shoulders”.

I was thinking of Ian Fleming  taking an unexpected 5K walk at night on the shoulders of a 6 line freeway.

Last night I was driving my daughter’s car on Route 6.   There was a leak in the water pump, engine overheated and I stopped by the side of road and called a tow.

Visualize.  Route 6 South, 2km before the Kfar Daniel interchange. 7pm at night

The tow company (Derachim) told me – up to 3 hours + 60 sheqel surcharge for service on Route 6 – they asked me how I would like to pay and I said – “cash”.  After 1 1/2 hours – the tow shows up, takes the car and instead of taking the car (and me) to our garage in Shilat – he left me by the road side and drove off “to pick up another car in Rishon”.    I started walking, after a brisk 5 km hike – I got a ride from a woman who stopped by the side to change her shoes…. I got my wife on the horn and we rendezvou’d at the gas station at Latrun.

The icing on the cake was a series of phone messages on my cell from the tow company at 1130 pm – saying that they understood I was supposed to pay the Route 6 surchage by credit card….

My lawyer once told me that I should be careful with verbal commitments since a verbal commitment can often be construed as a binding agreement.  The question is how to verify the verbal agreement and enforce non-repudiation?

There are many cases in life where you want to be able to verify a verbal commitment using a trusted third party in order to prevent the other side from repudiating/reneging on the agreement.

You’re doing a sales transaction over  the phone, you have a face to face meeting and it ends with verbal agreement and a handshake, you have an accident and you agree terms verbally with the other party, you are in a divorce process and agreed verbally on money and custody issues.

I always thought that this would be a great application for a mobile service provider – you could call up a third party verification number and the two parties would state their names and ID numbers and agree into the phone for a digital recording that would get a timestamp and reference number.

Data Exchange is a company in Tulsa Oklahoma that provides the ability to protect verbal agreements with third party verification.   

The Control Policy Group is presenting a series of 6 free online workshops starting Sep 3, 2009 at 15:00GMT. The first workshop, “Using data security metrics and a value-based approach”,  will teach measurement of how well  security tools reduce Value at Risk in dollars (or in Euro) and how well they will do 3 years from now.

The Control Policy Group is providing these workshops as a free service to the security and risk professionals community after having identified a gap between the security practioner and the management board.

The gap is this: the management speaks the language of money and security practioners speak the language of technical security countermeasures like DLP, database security and messaging security.

From a management board perspective, budgets for security projects like DLP are a capital cost in a down GFC economy – Control Policy Group clients in Europe and the Middle East have slashed down security and risk budgets about 50% since the beginning of the year.

From a security and risk practioner perspective, data breaches went up almost 50% in 2008, there is more phishing, more web defacing, more Web applications to secure and yet – less head-count and capital budget to do the job.

In order to close the gap – the Control Policy Group have built a model that helps an organization measure how well a new security product reduces Value at Risk in dollars (or in Euro) and how well it will do 3 years after you buy the technology.

Modern security tools are good at discovering exploitable vulnerabilities in the network, Web servers and applications.  However – since these tools have no notion of your business context and how much you value your information assets,  it is likely that a company’s security spending is misdirected.

This series of workshops is designed to help the security and risk team  take a  leadership role in the board room instead of waiting for vendor proposals. Through specific Business Threat Modeling(TM) tactical methods, you will learn how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.

Martin Hellman (of Diffie Hellman) fame maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled Soaring, cryptography and nuclear weapons

Hellman proposes that we need a  third state scenario (instead current state – > nuclear war) where the risk of nuclear holocaust has been reduced by several orders of magnitude from today to an acceptable level.

This makes sense and it’s an intriguing idea as an exercise in risk analysis of information security and data protection to see if there is a third state of reduced risk that where the risk of data breach and major data loss events is reduced to acceptable levels.

That’s one thing that got me thinking.

The second thing is the quote from Fyodr Burlatsky, one of Khrushchev’s speechwriters and close advisors, as well as a man who was in the forefront of the Soviet reform movement:

In Krushchev’s eyes [America insisting on getting its way on certain issues] was not only an example of Americans’ traditional strong arm policy, but also an underestimation of Soviet might. … Khrushchev was infuriated by the Americans’ … continuing to behave as if the Soviet Union was still trailing far behind.

So here we are – 2009 and President Obama is insisting on getting his way on certain issues with the  Iranians, who pose a serious nuclear threat to the world.  But no only Ahmadenijad – the Russians and the North Koreans are also  infuriated by the Americans’ … continuing to behave as if they are still trailing far behind.

Keeping the organization robust in a highly dynamic threat environment

Our capacity to predict will be confined to . . . general characteristics of the events to be expected and not include the capacity for predicting particular individual events. . .Yet the danger of which I want to warn is precisely the belief that in order to be accepted as scientific it is necessary to achive more. This way lies charlatanism and more. I confess that I prefer true but imperfect knowledge. . .to a pretence of exact knowledge that is likely to be false.

FRIEDRICH A. HAYEK

“The Pretence of Knoweldge,” Nobel Lecture

Modern information security models usually assume a pre-defined defensive structure of  networks, systems, procedures, defenders and attackers – the properties of which usually specified by vendors (i.e. defining the problem by the solution).

The problem with such models is that, in reducing the organization to passive executives of defense rules in their firewalls, they ignore the extreme ways in which attack patterns change over time. Any security policy that is presumed optimal today is likely to be obsolete tomorrow. So – learning about changes is at the heart of day-to-day security management. Read more…

There is compliance to industry regulation like PCI DSS 1.2 which is aimed at consumer protection and then there is compliance to government regulation like the FCPA which is aimed at maintaining a high ethical level of behavior and ensuring a level playing field of business.

For a large global company like Monsanto, Merck or Johnson and Johnson, FCPA is an exercise in compliance, awareness training, monitoring and risk management. Clearly – paying bribes directly or indirectly via third party intermediaries, to government employees is problematic from an ethical standpoint and attempts to dilute the problem by explaining that there are gray areas and cultural differences doesn’t change the ethical substance. Like many issues in compliance and risk management, preventing Foreign Corrupt Practices violations is not as simple as it looks although the principle is straightforward – “Thou shalt not give a bribe”.

A seminar at Bioworld last year dealt with the challenge of FCPA compliance using language such as:

• 15 red flags to indicate non-compliance—find and fix these before the DoJ and SEC do it for you!
• Activities for which you can be held accountable, even if committed by foreign subsidiaries, suppliers, or rogue employees
• 5 guidelines for creating FCPA policies, based on recent cases
• 3 foreign official risk areas—did you realize making remuneration to these people could be a Federal crime?
• Who should write procedures, and who should implement them
• Advice and resources for training staff locally and abroad
• 9 ways to audit and assess your FCPA compliance program
• Internal investigations—when to conduct one, who should conduct it, and what to do if you find evidence of non-compliance
• Issues with conducting employee interviews and collecting electronic records

The problem is that you know where you start, you don’t know where you finish and you will always have trouble organizing the useful references you collect on the way.

After a call with a client, I started investigating how to provide high value scientific data in a social network for doctors and medical representatives in a way that would bypass the sticky issues of digital asset protection, content preparation, distrust of vendor-sponsored forums and information overload.

Earlier this week, a conversation with a nephrologist convinced me that this is a problem of data discovery and organization, not content creation. Like everyone else, doctors are swimming in an ocean of information – they just have less time and more patients on their hands than the average programmer or sales person.

So I started searching. and found out about science social networking, heard about a science social networking killer app, moved on to discover Synthese Recommender – tried it out on Tamiflu effectiveness (Swine flu is in the news these days with travel alerts to Mexico) read a fiction article called Raj, Bohemian, went back and posted a general reference on the Wikipedia article on risk assessment describing my work on a quantitative approach to data security – then spent some time in the Apache project reading about the technology underpinnings of Synthese – Mahout and Tika.

Then I blogged and tweeted a bit and emailed my wife about all this great stuff (she’s a librarian and I thought she’d be as excited as I was – she wasn’t) )…

Three hours of fascinating clicking later, it’s now time to go pick up Carmel from the day care center – since they finish early today – it being the evening before Israeli Independence day.

The Verizon Business Report on data breaches 2009 was released – the data breach investigations report headlines with 285 million data records breached in 2008:

• 91% of attackers were organized crime
• 74% of attacks by malicious outsiders
• 67% of vulnerabilities due to system defects
• 32% implicated business partners

The report must be particularly disturbing to endpoint DLP vendors focused on preventing data loss by trusted insiders on  PCs (  99.6% of data was breached by  attackers attacking servers…. )

My experience with clients in the past 5 years in the data loss/extrusion prevention business has been focused on discovering internal security vulnerabilities and implementing cost-effective security countermeasures.  Our findings (summarized in our Business Threat Modeling white paper) were based on analyzing empirical data of 167 data loss events points a finger at software defects as a key data loss vulnerability. The Verizon business study appears to suggest that the situation has only gotten much worse – i.e. data breachs are rising as software quality is declining.

A conservative estimate in our research showed that 49% of the events exploited software defects as shown in the below table. Theoretically we can mitigate half of the risk by removing software defects in existing applications. The question, which we  answer in the white paper is how.

The Carnegie Mellon Software Engineering Institute (SEI) reports that 90 percent of all software vulnerabilities are due to well-known defect types (for example using a hard coded server password or writing temporary work files with world read privileges). All of the SANS Top 20 Internet Security vulnerabilities are the result of “poor coding, testing and sloppy software engineering

It’s a very long story, and better not to ask how this happened; but one of my cousins is married to Calvin Echodu
Executive Director, Pilgrim Africa. Calvin, who is a really nice guy, sent me an email recently – they’re working hard to stop a malaria epidemic in Uganda that got started after the big flooding in 2007. Visit the web site and make a donation – even a small one will help.

Pilgrim is a Christian Ugandan non-profit (Reg. No S5914/3885) providing material and spiritual aid to the war- afflicted peoples of eastern and northern Uganda.