Israeli Software

Are we in the same valley of death that held  content management applications in the 90s?  Where companies spent 6-7 figures on content management from companies like Vignette and over 50% of the projects never got off the ground?

Tell me what you think in this Linked In poll – DLP success or failure

Operational risk management has been the buzz word du-jour in recent years, due to the Basel II initiative in the banking industry and Solvency II in the insurance industry.

The Basel II definition of operational risk is “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.”

It seems that in the middle of the great financial crisis, TARP, unmet calls for transparency and trillions being sunk into the US financial services industry (instead of encouraging innovation, manufacturing and creation of free cash flow…), Basel II deserves to be judged and found wanting.

Perhaps we need to update the Basel II definition of operational risk and bring it into line with a modern set of threats. For example, we might say, let’s add to the Basel II definition, “… and risks due to networking with other businesses”. This is a reasonable addition, since in my experience in data security projects and according to the Verizon security breach reports,  over 70% of data loss incidents involve outsourcing and sub-contractors.

External business partnerships are indeed, a source of risk for financial institutions that do business process outsourcing (especially if one considers data loss) but it appears to me that the Basel II and Solvency II definitions  are  less appropriate for the technology and manufacturing industries, where  innovation and product development are performed by relatively small engineering teams and key assets are product quality and customer safety and not credit cards in database servers.

Let’s take the example of a company that makes a robot to assist in micro-surgery.

For the medical device company, the biggest operational risk  is a flawed product that might damage a patient. The FDA sees this as a regulatory issue and addresses it with the 510(K) but my gut feeling is that most small (4-6 people)  software development teams don’t really have a “process”.  After an audit by a regulatory affairs consultant, they can comply and still fall hard on a software defect or design flaw.

It’s amazing to me that the Basel II definition of does not consider customer safety as an  operational risk, and yet, the lack of customer safety and networked-business risks in the Basel II definition only serves to illustrate the futility of a check list approach to operational risk management.

Since regulatory compliance is not a substitute for analyzing particular threats to a particular business unit,  I would propose a different definition of op risk:

“Any combination of one or more threats that exploits vulnerabilities to damage company assets as measured in dollars (or euro or yen ….)”

This definition is universally applicable to financial services, IP developers, manufacturing, distribution, health care, bio med etc…The definition does not limit business management to risk analysis inside the company but enables a company to consider threats due to product quality, compliance, extended business relationships, PHI, PII and a whole slew of new risks that don’t even exist yet on their current threat surface.

It’s a definition that forces the company executives to ask themselves what are their key threats and assets and vulnerabilities and how much of the company value is at stake.

Threat models are not a silver bullet solution to prevent a crisis like AIG on one hand or Toyota on the other. A threat model is only a tool to implement a risk strategy by the business management. Threat modeling  needs to be used in the proper way, measured in dollar values and must be reviewed regularly – at least once/year.

The beauty of the above definition is that it links operational risks to business operations.

Any business in any vertical, must define their own threat landscape, define their control/security countermeasure strategy, run their own risk assessment regularly and  insure that their data security and regulatory compliance policies, procedures and systems are aligned with the latest version of their threat model.

Read more about threat modeling and operational risk management on this blog.

It seems that with amorphous and rapidly evolving trend of storing data in cloud providers and social media like Twitter and Facebook, that social media and cloud computing is the next frontier of data security breaches.

And – here, we have not even solved the problem of trusted insiders.

The letter of the law is always operative and the common denominator of the regulators (HIPAA, PCI etc..) is not to store or transmit personal information at all in the application software systems.

We are correct in identifying cloud providers as a potential vulnerability – however, storing data in the ‘cloud’ is no different from storing data in an outsourced data center and it’s subsequent exposure to employees, outsourcing contractors etc..If you have a medical file application,  ecommerce or an online application – your best data security countermeasure is NOT to store PII at all in your application.

I personally don’t buy into technology silver bullets and data obfuscation as effective security countermeasures.   They have their utility but even if the data is obfuscated in the cloud it still traverses some interface between the data provider and the cloud provider.

In my experience, since almost all data breaches occur on the interface – adding an additional technology layer will serve to increase your value at risk not reduce it – since more complexity and more third party software only adds additional vulnerabilities and increases your threat surface.

As far as I know, there have been no documented events of PII being leaked from an infrastructure cloud provider like Rackspace or IBM. Their standards of operation and security are far better than the average business.

Notwithstanding legal definitions, regulatory standards like HIPAA and SOX tell us to do a top down risk analysis and demonstrate why the risk of leaking PII is acceptably low.

If you are developing and maintaining an online application with patient or customer data, your best bet is good application engineering and resolving your data privacy exposure issues by simply removing ePHI and PII from your systems.

Are the security lights on, but no  one is home at your company?

Question No. 1 – Does your organization have a formalized risk analysis process? … 90 percent of the respondents, said that their organizations have such a formalized risk analysis process.

Question No 2 – Does your organization have an executive with a mandate to manage enterprise risk ? … only about 40 percent of the respondents had an executive with such a mandate.

Enterprise Security Risk Management Benchmarking Survey - April 2010

“That’s hard to believe, given that extreme events and risk management are making headlines almost every other day.”

In order  to understand why large enterprises invest in risk analysis process but not in risk management we need to take a closer look at Western (US and EU for the sake of argument) corporate value systems.

For a manager of a company on the verge of bankruptcy, equity compensation is a one-sided bet with upside only. For example, say the CEO  bets on a bridge loan at usurious terms in order to buy time to close an acquisition deal. If the bet pays off, his equity compensation pays off, but if he loses the bet (and the company goes bankrupt or is sold for a pittance), his personal compensation exposure is zero, but the stockholders, bond holders, customers and business partners will be left holding the bag.  Since it’s a one-sided bet with no downside, executives may also be tempted to adopt borderline business practice in order to proactively optimize their compensation.

Risk analysis provides invaluable input to improve business practice and reduce security breach exposure but you have to execute on the implementation of the security countermeasures and be prepared to hold them up to scrutiny of your peers on a regular basis.  That requires a strong work ethic, transparency and accountability.

Since executives are generally not held personally accountable for security breaches  - it is not surprising at all that most enterprises have  formal risk analysis processes but few firms have managers with  the personal responsibility to execute on security risk management.

Let’s return to our original question – ‘Is IT equipped to deal with clear and present danger?’

We now see that IT and their information security colleagues may indeed have the formal risk analysis processes and even the latest in data security technology countermeasures to reduce the impact of security breaches but they don’t function inside a corporate value system that rewards them for cost-effective security.

And that my friends – is already an ethical question, not a process management nor a compensation question.

I saw a post recently on Controlled social networking for student collaboration. One of the comments lamented not having the head count to install technology to control Facebook access by students.

Frankly – as a data security and compliance consultant who does a lot of work with corporates in social networking (both on the application side and security side), I  would not use technology as an excuse for social media abuse.

This is a cultural and behavioral issue similar to any other content abuse issue. It starts with education: at home, in the school and with parental and teacher role models.

Current definitions of privacy are changing. Regulatory definitions of privacy used by legislators in the credit card and HIPAA compliance space do not seem to be relevant for under 25 users of Facebook – who are happy to disclose pictures of themselves but very careful about what they show and who they would share the media with.  I believe that as social media becomes part of  the continuum of social interaction in the physical  and virtual worlds, privacy becomes an issue of  personal, discretionary disclosure control.

To this extent, it seems to me that we are moving rapidly towards a new generation of social networking that is much closer to what happens in the physical world – centered on individual perspectives, one person, their friends, selective disclosure and information leakage by word of mouth not by IP protocols, social media and public access Web sites like Facebook.

But – that is already another technology kettle of fish.

There is a school of thought that says that you can take any complex problem and break it down like swiss cheese. Risk assessment data collection and analysis with Excel is one of those problems that can’t be swiss-cheesed.  A collection of brittle, unwieldy, two dimensional worksheets is a really bad way of doing multi-dimensional modelling.

Consider that a typical risk assessment exercise will have a minimum of 4 dimensions (assets, threats, vulnerabilities and controls) and I think you will agree with me that Excel is a poor fit for risk assessment.

Here is where PTA (Practical Threat Analysis) comes to the rescue. You can download the free risk assessment software and try it yourself.

Any risk assessment process can be automated using Practical Threat Analysis and the PTA threat modeling database.  PTA is a threat modelling methodology and software tool that has been downloaded over 15,000 times and has thousands of active security analyst users on a daily basis.

PTA (Practical Threat Analysis) was first introduced in a paper by Ygor Goldberg titled “Practical Threat Analysis for the Software Industry” published online at Security Docs in October 2005. PTA provides a number of meaningful benefits for security and compliance risk assessments:

• Quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
• Robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
• Versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
• Effective: recommends the most effective security countermeasures and their order of implementation. In our experience, PTA can help a firm mitigate 80% of the risk at 20% of the total control cost.

The PTA calculative model is implemented in a user-friendly Windows desktop application available as a freeware at the PTA Technologies web site. A PTA ISO 27001 library is available as a free download and is licensed under the Creative Commons Attribution License.

The need for cost effective risk reduction

Despite the importance of privacy and governance regulation, compliance is actually a minimum but not sufficient requirement for risk management.

The question is: What security controls should a firm implement after a risk assessment?

Taking ISO 27001 as a baseline security standard with a comprehensive set of controls, the ISO 27001 certification process can be as simple or as involved as an organization wants but there are always far more available controls than threats. As a result, organizations, large and small, find themselves coping with a long and confusing shopping list of controls. You can implement the entire checklist of controls (if you have deep pockets), you can do nothing or you can try and achieve the most effective purchase and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.

However, implementing additional controls does not necessarily reduce risk.

For example, beefing up network security (like firewalls and proxies) and installing advanced application security products is never a free lunch and tends to increase the total system risk and cost of ownership as a result of the interaction between the elements and an inflation in the number of firewall and content filtering rules.

Firms often view data asset protection as an exercise in Access Control (Section 11 of ISO 27001) that requires better permissions and identity management (IDM). However, further examination of IDM systems reveals that (a) IDM does not mitigate the threat of a trusted insider with appropriate privileges and (b) the majority of IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.

How to choose cost-effective controls

A PTA threat model enables a risk analyst to discuss risk in business terms with her client and construct an economically justified set of security controls that reduces risk in a specific customer business environment. A company can execute an implementation plan for security controls consistent with its budget instead of using an  all-or-nothing checklist designed by a committee of experts who all work for companies 100x the size of your operation.

If you deploy or are considering data security technology from Websense, Fidelis, Verdasys , Guardium, Imperva or Sentrigo – do you give a DAM ?

It seems that DLP (data loss prevention)  vendors are moving up the food chain into DAM (database activity monitoring)? As customers deploy two products in parallel (for example Imperva and Fidelis) for DLP and DAM – the opportunity for reducing TCO (total cost of ownership) seems to be a clear imperative.

Both Websense and Fidelis Security  provide DLP functionality for structured data in databases (Fidelis calls it internal DLP) and Websense provides fairly granular fingerprinting of combinations of relational table columns using their PreciseID technology.

Although Websense focuses on deep content analysis and stays away from application security, Verdasys provides application logging at the end point and Fidelis provides application analysis via the network session in addition to the deep content inspection. Both are functions strongly related to database activity monitoring.

Here are the goals I would put down for database activity monitoring, due to the high level of interaction with client/sever and Web applications

Dr. David Gurevich in an interview with the Israeli business daily Globes predicts that real time death will be the next development in reality programming.  Once the domain of science fiction and fantasy – Dr. Gurevich believes that the online death scenario is an inevitable development in the loss of privacy and wave of voyeurism brought on by social networks like Facebook.

Although many people would love to participate in televised reality shows like Survival, it’s no longer necessary - you can do it yourself on Youtube.

Like any other scarce commodity, I predict that online privacy will soon become a product that people will pay dearly for perhaps to the point of acquiring entrance into a totally technology free environment.

The  key vulnerabilities of a business  to fraud and data loss are rooted in the  four sins of hubris: thinking, looking, fighting and denying.

Hubris is defined as excessive pride or self-confidence, starting with the thought that fraud and data theft won’t happen to you.  Most firms look in the wrong direction, by focussing on external threats and malware instead of trusted insiders and organized crime. They fight the wrong battle, by installing anti-virus on machines that are not vulnerable to virus attacks, and relying on firewalls for data loss prevention. By not monitoring outbound data flows they also gain plausible denial that there are issues of data loss and economic crime in the organization.

The  sins of hubris lead to a situation where the bigger you are the harder you fall (“It can’t happen to me because we have governance, IT etc..”). According to PWC 2009 Global Economic Crime Survey – bigger companies experienced more fraud.

46% of organisations experiencing economic crime had more than 1,000 employees.

The percentage of companies in the 201 – 1,000 employee range experienced almost half the number of fraud of their larger cousins. But this may be because they have fewer governance programmes in place, or what they do have are less effective.

By the way, I think the PwC have it wrong.   Smaller companies may have fewer governance programs in place, and because they have less money, these programs are probably more effective, not less effective.

Denial of data loss and economic crime also derives from incomplete understanding of the economic costs. The 2009 PwC economic crime survey points out that :

27% of those reporting fraud in the last 12 months put its costs at more than $500,000.

One quarter of respondents reporting accounting fraud estimated that it had cost them more than US$1m.

Only 17% of those who suffered asset misappropriation reported losses of more than US$1m.

The impact of economic crime is not just financial: 32% of respondents said employee morale was most affected by such incidents.

Data loss and fraud events are unpredictable, high impact events without precedent that cannot be forecasted with virus/epidemiology or  market risk models.  The assumption in these  models is that the unexpected can be predicted by extrapolating trends from past observations, especially when these statistics are assumed to represent samples from a normal distribution. Although other distributions might provide better fits to historical data, such as the fractal (for earthquakes) or LÉvy distributions (for securities returns) or EVT (for operational risk events) – in all economic crime cases, organizational  culture was at the center of losses, and more specifically, a complex interaction of culture, people and rapidly-changing technology.

It’s impossible to stave off fraud and data theft with technology or procedures alone due the complexity, but with a management that puts a priority on a business objective of protecting company assets and customers, an organization will be able to go beyond governance and security checklists and reduce their value at risk.

Economic crime and data theft  warrants a zero-tolerance culture starting in the boardroom and with the executive management leading by example with open doors and ethical behavior.

It’s World Cup season and Mondial fever will probably put a lot of regional conflicts on the back burner for the next month – not to mention put a dent in a lot of family budgets (husbands buying the latest 60 inch Sony Bravia and wives on retail therapy while the guys are watching football)

I  wanted to write a review of the 2010 FIFA World Cup South Africa video game (it would have been a great excuse for my wife) but I don’t have the right platform – I use Ubuntu and I have neither an Xbox 360 nor a Playstation 3.

It’s ironic that the South African  World cup game doesn’t run on Ubuntu.  It would have been a huge marketing coup and poetic justice if the game software was released for Ubuntu in a GPL license.

That got me thinking about open source licensing and it’s advantages for developing countries, which really got my hackles up  after reading the Seventh Annual BSA and IDC Global Software Piracy Study – that screams:  Software Theft Remains Significant Issue Around the World

The rate of global software piracy climbed to 43 percent in 2009. This increase was fueled in large part by expanding PC sales in fast-growing, high-piracy countries and increasing sales to consumers — two market segments that traditionally have higher incidents of software theft. In 2009, for every $100 worth of legitimate software sold, an additional $75 worth of unlicensed software made its way onto the market. There was some progress in 2009 — software rates actually dropped in almost half of the countries examined in this year’s study.

Given the global recession, the software piracy picture could have taken a dramatic turn for the worse. But progress is being outstripped by the overall increases in piracy globally — and highlights the need for governments, law enforcement and industry to work together to address this vital economic issue.
Below are key findings from this year’s study:

• Commercial value of software theft exceeds $50 billion: the commercial value of unlicensed software put into the market in 2009 totalled $51.4 billion.
• Progress on piracy held through the recession: the rate of PC software piracy dropped in nearly half (49%) of the 111 economies studied, remained the same in 34% and rose in 17%.
• Piracy continues to rise on a global basis: the worldwide piracy rate increased from 41% in 2008 to 43% in 2009; largely a result of exponential growth in the PC and software markets in higher piracy, fast growing markets such as Brazil, India and China.

I would not take the numbers IDC and BSA bring at face value. The IDC/BSA estimates are guesses multiplied several times. They start off by assuming that each unit of copied software represents a direct loss of sale for software vendor – patently a false assertion.

If it were true, then the demand for software would be independent of price and perfectly inelastic.

A drop in price usually results in an increase in the quantity demanded by consumers. That’s called price elasticity of demand. The demand for a product becomes inelastic when the demand doesn’t change with price. A product with no competing alternative is generally inelastic. Demand for a unique antibiotic, for example is highly inelastic. A patient will pay any price to buy the only drug that will kill their infection.

If software demand was perfectly inelastic, then everyone would pay in order to avoid the BSA enforcement tax. The rate of software piracy would be 0. Since piracy rate is non-zero, that proves that the original assertion is false. (Argument courtesy of the Wikipedia article on price elasticity of demand )

Back when I ran Bynet Software Systems – we were the first Microsoft Back Office/Windows NT distributor in Israel. I had just left Intel – where we had negotiated a deal with Microsoft that allowed every employee to make a copy of MS Office for home usage. Back in 1997 – after the Windows NT launch, the demand for NT was almost totally inelastic – Not There, Nice Try, WNT is VMS + 1 etc. We could not give the stuff away in the first year. Customers were telling us that they would never leave Novell Netware. Never. But, NT got better from release to release and the big Microsoft marketing machine got behind the product. After two years of struggle and selling retail boxes and MLP for NT, demand picked up. Realizing that there IS price elasticity of demand for software – Microsoft dropped retail packaging and moved to OEM licensing, initially distributing OEM licenses via their two tier distribution channel and later totally cutting out the channel and dealing directly with the computer vendors like HP, Dell and IBM for OEM licenses of NT, XP and 2000, 2003 etc. Vista continued with this marketing strategy and most Vista sales were not retail boxes but pre-installed hardware. After Windows 7 released – users have been upgrading en-masse, proving once again the elasticity of demand for a good product.

Microsoft (who are a major stakeholder in BSA) probably don’t have a major piracy problem with operating system sales. Let’s run some numbers. In 2008 –  Microsoft Windows Vista sales were at about a 9 million unit/quarter run rate. Microsoft June 2008 quarterly revenue was $15.8 BN. Single unit OEM pricing for a Windows operating system  is about $80 and in a volume deal – maybe $20. Let’s assume an average of $50/OEM license. This means that the operating system  accounts for about 50*3*9/15800 = 8.5% of Microsoft revenue.

The BSA Global Piracy Study states that the “median piracy rate in is down one percentage point from last year” – 1 percent of 8.5 percent is meaningless for Microsoft – in dollar terms – BSA work to reduce piracy is less meaningful than a 7 percent drop in the US Dollar rate in 2009.

Microsoft might have a problem with their cash cow – Microsoft Office. Microsoft Office 2007 retails for $450 but is available in an academic license for less than $100. Open Office 2.4 runs just fine on Windows 7 and XP and retails for $0. At those prices, sizable numbers of users are just sliding down the elasticity curve – calling into serious question the IDC/BSA statistics on software piracy.

But there is more to software piracy than providing software at a reasonable price. In poor areas of the world – assuming that the BSA efforts at combating software piracy are successful - only the very rich would have access to applications like Microsoft Office. The middle and lower class people won’t have the opportunity to become MS Office-literate because the prices would be too high. For that I only have three words -download Open Office – the free and open productivity suite.

Finally – I can only anonymously quote a senior Microsoft executive who told me a number of years ago that off the record, Microsoft didn’t mind people copying the software and using a crack because it was a good way of introducing new users to the technology and inducing them to buy the new, improved and supported release a year or two later.