Archive

Posts Tagged ‘counterfeiting’

Facebook disclosure cancels raid on terrorists

March 11th, 2010 admin No comments

I want to challenge the effectiveness of top-down, monolithic security frameworks (ISO 27001, PCI DSS). I submit that rapidly changing threats – social networking, cyberstalking, social engineering and custom spyware – exploit people and system vulnerabilities in ways that are not readily mitigated by a top-down set of security countermeasures.

The recent case of the OPSEC violation on Facebook in Israel, reported by the Jerusalem Post, is a good example of how a hierarchical organization (the Army) is threatened by a flat social network. The good news was that the security countermeasure was found in the social network itself – herein lies the lesson.

The IDF was forced to cancel a recent arrest operation in the West Bank after a soldier posted information about the upcoming raid on his Facebook page. The operation was scheduled to take place several weeks ago in the Binyamin region. The soldier, from an elite unit of the Artillery Corps, posted on his Facebook page: “On Wednesday, we are cleaning out [the name of the village] – today an arrest operation, tomorrow an arrest operation and then, please God, home by Thursday.”

The status update on the soldier’s page was revealed by other members of the soldier’s unit. His commanders then updated Judea and Samaria Division commander Brig.-Gen. Nitzan Alon, who decided to cancel the operation out of concern that the mission had been compromised.

Organizations need to step outside the static, top-down control frameworks a few times a year and look outside the organization for links and interdependencies – and talk to the soldiers in the trenches in customer service, field sales and field service.

The information you will get from people outside your firm and from people with dirty hands is far more valuable than rehashing the ISO 27001 checklist in an audit.

The most valuable data is from questions you haven’t asked yet – not from a checklist in an Excel spreadsheet in the hands of a junior auditor from KPMG.

Learning about change and changing your security

March 11th, 2010 admin No comments

Reading through the trade press, DLP vendor marketing collateral and various forums on information security, the conventional wisdom is that the key threat to an organization is trusted insiders. This is arguable, since it depends on your organization, the size of the business and the type of operation. However, it is certainly true at a national security level, where trusted insiders who committed espionage have caused considerable damage (see MITRE Corporation – Detecting Insider Threat Behavior).

There are three core and interrelated problems in modern data security:

  1. Systems are focused on rule-breaking (IDS, DLP, firewalls, procedures) – yet a malicious insider can engage in data theft and espionage without breaking a single IDS/IPS/DLP rule.
  2. The rules are static (standards such as ISO 27001 or PCI DSS 1.x) or slow-moving at best (a yearly IT governance audit).
  3. They ignore collusion between insiders and malicious outsiders, whether for espionage purposes (a handler who manipulates an employee) or for criminal purposes (stealing customer data for resale).

You may say – fine, let’s spend more time observing employee behavior and educate supervisors to spot the tell-tale signs of change that may indicate impending involvement in a crime.

However – malicious outsiders (criminals, competitors, terrorists…) who may exploit employees in order to obtain confidential data are just another vulnerability in a whole line of business vulnerabilities. Any vulnerability must be considered within the context of a threat model: the organization has assets that are damaged by threats that exploit vulnerabilities that are mitigated by countermeasures. The organization needs to think literally outside the box and at least attempt to identify new threats and vulnerabilities.

The issue is not that employees can be bought or manipulated; the issue is that government and other hierarchical organizations use a fixed system of security controls. In reducing the organization’s security to passive execution of defense rules in procedures and firewalls, we ignore the extreme ways in which attack patterns change over time. Any control policy that is presumed optimal today is likely to be obsolete tomorrow. It is a fair assumption that an organization that doesn’t change its data security procedures frequently will provide an insider with enough means, opportunity and social connectivity to game the system – and once he or she has motivation, you have a crime.

Learning about change and changing your security systems must be at the heart of day-to-day security management.

Business unit strategy for data security

February 17th, 2010 admin No comments

At a recent seminar on information security management, I heard that FUD (fear, uncertainty and doubt) is dead, that ROI is dead and that the insurance model is dead. Information security needs to give business value. Hmm.

This sounds like a terrific idea, but the lecturer was unable to provide a concrete example similar to the purchasing justifications that companies use, like: “Yes, we will buy this machine because it makes twice as many diamond rings per hour and we’ll be able to corner the Valentine’s Day market in North America.”

The seminar left me with a feeling of frustration of a reality far removed from management theory. Intel co-founder Andy Grove said, “A little fear in an organization is a good thing.” So FUD apparently isn’t dead.

This post will help guide readers from a current state of reaction and acquisition to a target state of business value and justification for information security, providing both food for thought and practical ideas for implementation.

Most companies don’t run their data security operation like a business unit with a tightly focused strategy on customers, market and competitors. Most security professionals and software developers don’t have quotas and compensation for making their numbers.

Information security works on a cycle of threat, reaction and acquisition. It needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry, just like companies benchmark earnings per share.

In his classic Harvard Business Review article, What Is Strategy?, Michael Porter writes that “the essence of strategy is what not to choose … a strong competitive position requires clear tradeoffs and choices and a system of interlocking business activities that fit well and sustain the business.” The security of your business information also requires a strategy.

Improvement requires a well-defined strategy and performance measures, and improvement is what our customers want. With measurable improvement, we’ll be able to prove the business value of spending on security.

Ask yourself these questions:

  1. Is your information asset protection spending driven by regulation?
  2. Are Gartner white papers your main input for purchasing decisions?
  3. Does the information security group work without security win/loss scores?
  4. Does your chief security officer meet three to five vendors each day?
  5. Is your purchasing cycle for a new product longer than six months?
  6. Is your team short on head count, and not implementing new technologies?
  7. Has the chief technology officer never personally sold or installed any of the company’s products?

If you answered yes to four of the seven questions, then you definitely need a business strategy with operational metrics for your information security operation.


Product counterfeiting in aerospace industry

July 19th, 2009 admin Comments off

This seems to be my weekend for product counterfeiting. I was in Tel Aviv last week on Dizengoff and picked up a couple of paperbacks at the “Book Junkie” bookstore for 5 sheqels/book (that’s about $1.25!) – one of them was Michael Crichton’s novel Airframe (the book is genuine… and they have an amazing collection of really cheap paperbacks).

I won’t give away the plot (you can read the outline on Wikipedia), but it’s a good read and it underscores a point that is extremely familiar to data security / data loss prevention practitioners – namely that human error and poor training, not sophisticated technology, are usually the root cause of an event. Although a number of counterfeited parts were discovered in the wing slats, it was a person, not type-certified for the aircraft, who caused the death of 4 people.

Drug counterfeiting, hype or health?

July 19th, 2009 admin 2 comments

Counterfeiting is a hot issue not only because it hits vendors in the pocket but because of the public health/safety implications.

Product counterfeiting ranges from fashion, such as Dolce & Gabbana handbags, and high performance bike frames such as Specialized Bikes, to faking innovative drugs such as Viagra.

The Israeli online business daily “The Marker” recently ran an item on drug counterfeiting, pegging the volume of drug counterfeiting in Israel at 80-100 million sheqels/year. The sources for the number are the Israeli Ministry of Health, the World Health Organization and an organisation called “The Center for Pharmaceutical Security” (המכון לביטחון פרמצבטי). I could not find any reference to this organization online – but from the name it sounds like a pharmaceutical industry lobby.

The core issue is public health and safety. This is why I personally believe that anti-counterfeiting supply chain initiatives such as ePedigree are well-intentioned but ineffective countermeasures to this threat.  I believe that the interest of public health and safety (you can be killed on a defective road bike frame…) requires involving consumers at the point of sale.

Mafia country, counterfeiting currency

January 28th, 2009 admin 1 comment

Back in the late 70s, when I was a grad student in physics, I gave a paper in Pisa and then in Bari. The differences between Pisa and Bari were very clear – Pisa, in Northern Italy, very European and industrialized; Bari, in the South of Italy, very agricultural and very Mediterranean – but the one thing that stuck in my memory was how distrustful the people in Bari were of strangers. I asked our host at the University of Bari and he said, “Well of course, this is Mafia country, they ARE suspicious of strangers, you never know…”

Italian police say they’ve made 96 arrests after busting a European counterfeiting and money laundering ring. Most of the arrests were made in southern Italy’s Calabria and Campania regions.



Preventing drug counterfeiting

June 10th, 2008 admin 2 comments

Counterfeiting is as old as money itself.

We recently had the opportunity to work with a large generic pharmaceutical company examining innovative methods for preventing product counterfeiting. In order to build cost justification for the project, we performed a quantitative threat modeling exercise that involved valuation of assets and analysis of a number of product counterfeiting threat scenarios.

The threat model is available on request – please contact us and we will be happy to send you a copy of the threat model and an explanation of how to use it in your own product counterfeiting scenarios.

The first question to ask is: what is the volume of financial damage due to drug counterfeiting?

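The quantitative threat modeling exercise described here, using the asset / threat / vulnerability / countermeasure model from the insider-threat post above, as an added example; this is not the author’s threat model (which is available only on request), and every asset value, probability, mitigation fraction and cost is a constructed assumption, not a figure from the posts:

```python
# Added example, not the author's threat model (theirs is available on request).
# Model from the posts: assets are damaged by threats that exploit vulnerabilities,
# mitigated by countermeasures. Every value below is constructed, not a post figure.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float  # annual value at risk, in currency units

@dataclass
class Threat:
    name: str
    asset: Asset
    annual_probability: float  # expected occurrences of the scenario per year
    damage_fraction: float     # share of the asset's value lost per occurrence
    def annual_loss(self) -> float:
        return self.annual_probability * self.damage_fraction * self.asset.value

@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    mitigation: dict  # threat name -> fraction of that threat's loss it removes

def total_annual_loss(threats):
    """The post's first question: expected yearly damage from counterfeiting."""
    return sum(t.annual_loss() for t in threats)

def evaluate(threats, cm):
    """(loss reduction, net benefit = reduction minus cost) for one countermeasure."""
    reduction = sum(t.annual_loss() * cm.mitigation.get(t.name, 0.0) for t in threats)
    return reduction, reduction - cm.annual_cost

def rank_countermeasures(threats, candidates):
    """Countermeasures by net benefit; negative means it costs more than the risk it removes."""
    scored = [(c.name, *evaluate(threats, c)) for c in candidates]
    return sorted(scored, key=lambda row: row[2], reverse=True)

# Constructed scenario: one generic drug line and three counterfeiting threat scenarios.
DRUG = Asset("generic drug line revenue", 200_000_000)
THREATS = [
    Threat("pharmacy channel", DRUG, 0.9, 0.05),   # fakes sold through pharmacies
    Threat("online pharmacies", DRUG, 0.7, 0.02),  # fakes sold via web pharmacies
    Threat("patient harm", DRUG, 0.1, 0.20),       # harm, recall and liability
]
CANDIDATES = [
    Countermeasure("ePedigree serialization", 4_000_000,
                   {"pharmacy channel": 0.6, "online pharmacies": 0.1}),
    Countermeasure("point-of-sale consumer verification", 1_500_000,
                   {"pharmacy channel": 0.4, "online pharmacies": 0.5, "patient harm": 0.3}),
]
```

Calling rank_countermeasures(THREATS, CANDIDATES) shows which control passes the cost justification; the ranking is only as good as the asset valuation and probability inputs, which is where the real work of the exercise lies.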