Archive

Posts Tagged ‘Business alignment’

What risks really count for your business?

November 2nd, 2008 admin

What risks really count for your business? No question is more important for implementing an effective program of security countermeasures. Management, IT and security practitioners cannot expect to mitigate risk effectively without knowing the sources and cost of threats to the organization.

We all depend on transaction processing systems in order to run the business and make decisions, no matter how many employees we have. Whether you are self-employed and making wedding cakes or running a global business with 14,000 employees in 40 locations, you use information systems daily to buy, sell, pay and collect from customers.

The prevailing security model is predicated on defense in depth of transaction systems. The most common strategies mitigate risk with network and application security products that are reactive countermeasures: blocking network ports and services, detecting known application exploits, or blocking entry of malicious code into the network.

Are any of these security countermeasures likely to be effective in the long-term? Can attacks on a business be neutralized with defensive means only? In other words, is there a “black-box” security solution for the business? The answer is clearly no.

A reactive network defense tool such as a firewall cannot prevent exploitation of software defects, and an application firewall is no replacement for an in-depth understanding of company-specific source code or system configuration vulnerabilities.

Business Threat Modeling is a threat assessment process that employs a systematic risk analysis of business systems along with quantitative evaluation of how well removing defects reduces risk.

Business Threat Modeling is based on four basic tenets:

  1. Risk analysis for production software

  2. Quantitative evaluation and financial justification

  3. Explicit communications between developers and security

  4. Sustain continuous risk reduction

You can download the Business Threat Modeling methodology for free here.
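As an added illustration of tenets 1 and 2 (risk analysis plus quantitative, financial evaluation of countermeasures), here is a toy risk model written for this page; it is not code from the Business Threat Modeling methodology itself. The asset value, threat probabilities, damage fractions, countermeasure costs and effectiveness figures are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float            # business value at stake, in currency units (constructed)

@dataclass
class Threat:
    name: str
    asset: str              # name of the Asset this threat acts on
    annual_rate: float      # expected occurrences per year (constructed)
    damage_fraction: float  # share of asset value lost per occurrence (constructed)

@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    mitigates: dict         # threat name -> fraction of that threat's loss removed (constructed)

def annual_loss_expectancy(assets, threats):
    """ALE per threat: asset value x damage fraction x occurrences per year."""
    values = {a.name: a.value for a in assets}
    return {t.name: values[t.asset] * t.damage_fraction * t.annual_rate for t in threats}

def risk_reduction_per_cost(assets, threats, cm):
    """Currency units of annual loss removed per unit spent on the countermeasure."""
    ale = annual_loss_expectancy(assets, threats)
    reduced = sum(ale[t] * frac for t, frac in cm.mitigates.items() if t in ale)
    return reduced / cm.annual_cost

def prioritize(assets, threats, countermeasures):
    """Rank countermeasures by loss reduced per unit of spend, best first."""
    return sorted(countermeasures,
                  key=lambda c: risk_reduction_per_cost(assets, threats, c), reverse=True)

# Constructed sample data: one transaction system, three threats, three candidate countermeasures.
ASSETS = [Asset("order processing system", 2_000_000)]
THREATS = [
    Threat("SQL injection in order form", "order processing system", 0.3, 0.25),
    Threat("insider fraud in payment module", "order processing system", 0.1, 0.5),
    Threat("commodity malware via perimeter", "order processing system", 1.0, 0.02),
]
COUNTERMEASURES = [
    Countermeasure("fix injection defects in source code", 30_000, {"SQL injection in order form": 0.9}),
    Countermeasure("web application firewall", 50_000,
                   {"SQL injection in order form": 0.5, "commodity malware via perimeter": 0.3}),
    Countermeasure("transaction monitoring", 40_000, {"insider fraud in payment module": 0.6}),
]

if __name__ == "__main__":
    for cm in prioritize(ASSETS, THREATS, COUNTERMEASURES):
        print(f"{cm.name}: {risk_reduction_per_cost(ASSETS, THREATS, cm):.2f} per unit spent")
```

With these constructed figures, removing the defect at the source ranks ahead of the reactive application firewall, which is the argument the post makes in prose.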

Risk management – bringing brick and mortar security to IT

October 30th, 2008 admin

I was talking with a prospect yesterday who is an information security manager; extremely professional and creative at what he does. In the course of the conversation, I realized that there are fundamental differences in mentality between IT and Security practitioners.

Back when I wrote COBOL/CICS applications for Tadiran Information systems – some of our work looked like what these guys in the picture are doing – standing on a scaffold, patching bricks and praying that in the next rain, the parquet floor won’t get flooded.

Most IT professionals don’t write software anymore – they evaluate, implement, maintain and support packaged applications from vendors. Firms use enterprise systems like Oracle Applications. Oracle buys companies all the time and has a large, complex portfolio of add-on products used to improve functionality of Oracle Applications, stave off the competition and up-sell customers; with products like Oracle BI Applications.

The key phrase for IT professionals is predictable processes – making sure that the evaluation process is adhered to, making sure that the implementation process of a new module or system is executed in a uniform and timely fashion (I learned these buzz words at Intel almost 20 years ago…). The most important thing (and this relates to security as well) is to ensure that the execution of business functions by people using the system also conforms to the company business process.

Security professionals don’t write software either – many do Perl and TCL scripting, and here and there a few write C code to generate custom packets for network hacking etc… Although many infosec people come from a software development background, most of the work is about specifying, evaluating and implementing TLA products and services: SIM, DLP, IPS, NAC, ERM, PCI, DRP, SOX. Based on empirical evidence with clients – the majority of infosec departments are very focussed on compliance and perimeter security and very technology- and product-focussed, not unlike their IT brethren.

The key phrase for security professionals is UNPREDICTABLE EVENTS – responding to internal and external attacks on people (phishing, social engineering and terrorists), systems (hacking) and data (data loss and fraud).

IT business applications are defined by the business and corporate business objectives. Security activity is defined by people and organizations who don’t carry a company card and don’t care how much money a company pours into security of people, process and technology.

This is a fundamental mismatch between IT and Security groups. Since I can’t buy into something I don’t understand – I have difficulty seeing how complex standards like COSO/COBIT help bridge the gap. Politically – the analogy of a hot potato comes to mind.

I would propose that the common ground for IT and Security practitioners in a company starts with a very simple idea of brick and mortar security. If everyone (IT, IT Security, Compliance, Risk management and Physical Security) starts thinking and talking in the same brick and mortar language of attacks, vulnerabilities, assets and countermeasures, we will be able to improve both the process and respond better to the unexpected events.

7 years after 9/11 in a more connected, more hostile world

September 10th, 2008 admin

Thursday this week is the 7th anniversary of the Al Qaeda attack on the US in New York on 9/11/2001.

The world today is more connected, more always-on, more accessible…and more hostile. There are threats from Islamic terror, identity theft, hacking for pay, custom spyware, mobile malware, money laundering and corporate espionage. For those of us working in the fields of risk management, security and privacy, these are all complex challenges in the task of defending a business.

The biggest challenge is the divide between IT and management. It’s similar to the events leading up to 9/11: The FBI investigated and the CIA analyzed, but the two sides never discussed the threats and the potential damage of Saudis learning to fly, but not how to land airplanes.