Posts Tagged ‘Data loss’

Why security defenses don’t prevent data breaches

August 24th, 2010 admin No comments

If you knew why a data breach was going to happen, wouldn’t you take your best shot at preventing it?

Consider this:

Your security defenses don’t improve your understanding of the root causes of data breaches, and without understanding the root causes, your best shot is not good enough.

Why is this so?

First of all – defenses are, by definition, not a means of improving our understanding of strategic threats. Think about the Maginot Line in WWI or the Bar-Lev line in 1973. Network and application security products that are used to defend the organization are rather poor at helping us understand and reduce the operational risk of insecure software.

Second of all – it’s hard to keep up. Security defense products have much longer product development life cycles than the people who develop zero-day exploits. The battle is also extremely asymmetric – it costs millions to develop a good application firewall that can mitigate an attack that was developed at the cost of three man-months and a few Ubuntu workstations. Security signatures (even if updated frequently) used by products such as firewalls, IPS and black-box application security are no match for fast-moving, application-specific source code vulnerabilities exploited by attackers and contractors.

Remember – that’s your source code, not Microsoft’s.

Third – threats are evolving rapidly. The current defense-in-depth strategy is to deploy multiple tools at the network perimeter such as firewalls, intrusion prevention and malicious content filtering. Although content inspection technologies such as DPI and DLP are now available, the current focus is primarily on the network, despite the fact that the majority of attacks are on the data – customer data and intellectual property.

The location of the data has become less specific as the notion of trusted systems inside a hard perimeter has practically disappeared with the proliferation of cloud services, Web 2.0 services, SSL VPN and convergence of almost all application transport to HTTP.

Obviously we need a better way of understanding what threats really count for our business. More about that in some upcoming posts.

More nonsense with numbers

August 22nd, 2010 admin No comments

Now it’s some lazy journalist at Information Week aiding and abetting the pseudo-statistics of the Ponemon Institute – screaming headlines about the cost of data breaches of PHI (protected healthcare information).

According to Information Week: Analysis: Healthcare Breach Costs May Reach $800 Million

Since the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 came into being, a number of new privacy, security, reporting and non-compliance penalty provisions went into effect. And as summarized by this report from HITRUST, there have been 108 entities that have reported security breaches since September of last year.

Those breaches comprise about 4 million people and records.

In the analysis, Chris Hourihan, Manager of CSF Development and Operations at HITRUST, used the 2009 Ponemon Institute Cost of a Data Breach Study [.pdf], which found the average cost for each record within a data breach to be $204. That’s $144 of indirect costs and $60 of direct costs. An overview of the Ponemon study is available here.

What is the connection between the Ponemon studies (sponsored by data security vendors) and the PHI leakages?

Nothing.

Why is a PII leak and a meaningless plug number of $60 relevant to PHI (which requires a combination of medical data and personal identifiers)?

Why can’t someone make a phone call and ask how much the companies actually paid in fines, and then make a few more phone calls and start estimating ancillary costs and direct costs such as legal fees?

Why not just multiply by the average cost of an iPhone?

After all, you can steal data with your mobile easily enough, can’t you?

Data security breaches can wreak havoc on people’s lives

August 7th, 2010 admin No comments

Aug 7, 2010 WASHINGTON, D.C.—U.S. Senators Mark Pryor (D-AR) and John D. (Jay) Rockefeller IV (D-WV) today introduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances. Currently, there is no single federal standard for guarding many types of consumer information.

I cannot believe my eyes – “no single federal standard”??

I am at a loss to understand why the US needs another data security bill – when there is already a plethora of regulations regarding personal information – Gramm-Leach-Bliley (financial services), PCI DSS (credit cards), HIPAA (health care) and the state data security bills (CA SB 1386, Mass Data privacy etc.). This is without even mentioning FISMA and the NIST security requirements for implementing HIPAA. With Obamacare in effect – it seems to me that the gold standard for PII protection will soon become HIPAA, and since health care appears to be becoming nationalized in the US – NIST will soon be the king of data security control frameworks.

Looking at data security as an exercise in providing cost-effective security countermeasures, it appears to me that the bill is most likely either a public relations play or congressional logrolling. The interesting item is the requirement to provide credit monitoring services for a year after a breach – perhaps the bill is intended to help stimulate the business of companies like Experian, Symantec, RSA and McAfee.

The US does not need more data security regulation (requiring “strong security features” whatever that means) because with over 350 million US credit cards breached – the data is already out there. This bill is equivalent to closing the barn door after the horses have already fled.

What I would recommend to the esteemed Senators is a totally different approach – one adopted by Poland. Poland, which is a member of the EU and subject to the EU privacy law, decided a few years back to make data security breaches expensive. If a firm in Poland breaches personal data – it is liable for a fine of up to 2.5% of its annual gross revenue.

None of this hokey “provide monitoring services and notify within 60 days” nonsense. Make US data breachers pay for their security vulnerabilities and level the playing field with the consumers – who are indeed paying the price for poor data security at American retailers and banks.

Is your DLP project a failure?

July 29th, 2010 admin Comments off

Are we in the same valley of death that held content management applications in the 90s? Where companies spent 6-7 figures on content management from companies like Vignette, and over 50% of the projects never got off the ground?

Tell me what you think in this LinkedIn poll – DLP success or failure

Data security in the cloud

July 9th, 2010 admin Comments off

Given the amorphous and rapidly evolving trend of storing data with cloud providers and on social media like Twitter and Facebook, it seems that social media and cloud computing are the next frontier of data security breaches.

And – here, we have not even solved the problem of trusted insiders.

The letter of the law is always operative, and the common denominator of the regulators (HIPAA, PCI etc.) is not to store or transmit personal information at all in the application software systems.

We are correct in identifying cloud providers as a potential vulnerability – however, storing data in the ‘cloud’ is no different from storing data in an outsourced data center and its subsequent exposure to employees, outsourcing contractors etc. If you have a medical file application, ecommerce or an online application – your best data security countermeasure is NOT to store PII at all in your application.

I personally don’t buy into technology silver bullets and data obfuscation as effective security countermeasures. They have their utility, but even if the data is obfuscated in the cloud it still traverses some interface between the data provider and the cloud provider.

In my experience, since almost all data breaches occur on the interface – adding an additional technology layer will serve to increase your value at risk not reduce it – since more complexity and more third party software only adds additional vulnerabilities and increases your threat surface.

As far as I know, there have been no documented events of PII being leaked from an infrastructure cloud provider like Rackspace or IBM. Their standards of operation and security are far better than the average business.

Notwithstanding legal definitions, regulatory standards like HIPAA and SOX tell us to do a top down risk analysis and demonstrate why the risk of leaking PII is acceptably low.

If you are developing and maintaining an online application with patient or customer data, your best bet is good application engineering and resolving your data privacy exposure issues by simply removing ePHI and PII from your systems.

Is IT equipped to deal with clear and present danger?

July 8th, 2010 admin Comments off

Are the security lights on, but no one is home at your company?

An April 2010 survey of 80 chief security officers and over 200 members of ASIS International (a trade association for corporate security professionals) basically says that while most large organizations have risk analysis processes – there is no one in charge of risk management.

Question No. 1 – Does your organization have a formalized risk analysis process? … 90 percent of the respondents said that their organizations have such a formalized risk analysis process.

Question No. 2 – Does your organization have an executive with a mandate to manage enterprise risk? … only about 40 percent of the respondents had an executive with such a mandate.

Erwann Michel-Kerjan, managing director of the Risk Management and Decision Processes Center at the Wharton School of Business, says:

“That’s hard to believe, given that extreme events and risk management are making headlines almost every other day.”

In order to understand why large enterprises invest in risk analysis processes but not in risk management, we need to take a closer look at Western (US and EU, for the sake of argument) corporate value systems.

For a manager of a company on the verge of bankruptcy, equity compensation is a one-sided bet with upside only. For example, say the CEO bets on a bridge loan at usurious terms in order to buy time to close an acquisition deal. If the bet pays off, his equity compensation pays off, but if he loses the bet (and the company goes bankrupt or is sold for a pittance), his personal compensation exposure is zero, while the stockholders, bond holders, customers and business partners will be left holding the bag. Since it’s a one-sided bet with no downside, executives may also be tempted to adopt borderline business practices in order to proactively optimize their compensation.

Risk analysis provides invaluable input to improve business practice and reduce security breach exposure, but you have to execute on the implementation of the security countermeasures and be prepared to hold them up to the scrutiny of your peers on a regular basis. That requires a strong work ethic, transparency and accountability.

Since executives are generally not held personally accountable for security breaches – it is not surprising at all that most enterprises have formal risk analysis processes but few firms have managers with the personal responsibility to execute on security risk management.

Let’s return to our original question – ‘Is IT equipped to deal with clear and present danger?’

We now see that IT and their information security colleagues may indeed have the formal risk analysis processes and even the latest in data security technology countermeasures to reduce the impact of security breaches but they don’t function inside a corporate value system that rewards them for cost-effective security.

And that, my friends – is already an ethical question, not a process management or compensation question.

Standardized screening for data security risk

May 9th, 2010 admin Comments off

Best practices for data security are still evolving – as there are no industry-standard data security metrics and there is a confusing array of regulatory compliance and industry standards – PCI DSS 1.2, Sarbanes-Oxley, FISMA, ISO 2700x – just to name a few.

Organizations (government included) currently use a combination of tactics – penetration testing, vulnerability analysis (usually at the network and sometimes at the application software layer), “fire and forget” compliance exercises and technology countermeasures such as IPS/IDS, network DLP, agent DLP, database firewalls, encryption on demand, Web application firewalls.

The one countermeasure I have never seen is standardized screening. Borrowing an approach from healthcare, consider the following:

Standardized screening for suicide risk in primary care can detect adolescents with suicidal ideation, allowing referral to a behavioral healthcare center before a fatal or serious suicide attempt is made, according to the results of a study reported online April 12 and published in the May print issue of Pediatrics.

“Several associations and federal agencies have called for depression screening in pediatric primary care,” writes Matthew B. Wintersteen, PhD, from Thomas Jefferson University in Philadelphia, Pennsylvania. “Screening for suicide risk is a natural adjunct to this call….To our knowledge, this is the first study to prospectively examine the impact of standardized screening for suicide risk on detection and referral rates in pediatric primary care.”

The goals of the study were to evaluate whether brief standardized screening for suicide risk in pediatric primary care practices could improve detection of youth with suicidal ideation, maintain improved rates of detection and referral, and be duplicated in other practices.

It seems to me that applying brief standardized screening to data security practice is eminently possible. A possible approach would involve using a standard threat model based on a comprehensive set of security controls (ISO 27001 would work fine for this purpose). The process would start with a pre-screening preparation exercise that an organization could do in the office in 1-2 hours. After the preparation exercise, a group of 3-5 people from a business unit would meet with a data security specialist for the standardized screening, which would walk through the threat model and gauge the probability of occurrence of vulnerabilities and the percent damage to assets by threats. Based on my experience, this sort of walk-through would take 2-3 hours using the structured threat model. The result of the threat analysis would be a level of value at risk to the organization for data security, and indeed half a day qualifies as brief enough.
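As an added illustration (not the author’s tool or any product), the following Python turns the two estimates the walk-through produces for each threat (annual probability of occurrence and percent damage to each affected asset) into an expected annual loss per threat and a total value at risk, and goes one step further by ranking candidate controls by risk reduced per dollar spent. The asset values, probabilities, damage percentages and control costs are constructed sample data, and the cost-effectiveness ratio is an assumed, simplified rule.

```python
"""Value-at-risk from a standardized data security screening walk-through.

Added example, not the author's tool. All figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # monetary value of the asset (constructed)


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float    # estimated annual probability of occurrence, 0..1
    damage: dict          # asset name -> fraction of asset value lost, 0..1


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float           # annual cost of the control (constructed)
    mitigation: dict      # threat name -> fraction by which it cuts that threat's loss


def threat_loss(threat: Threat, values: dict) -> float:
    """Expected annual loss from one threat: probability x sum(asset value x damage %)."""
    if not 0.0 <= threat.probability <= 1.0:
        raise ValueError(f"{threat.name}: probability must be in [0, 1]")
    return threat.probability * sum(values[a] * pct for a, pct in threat.damage.items())


def value_at_risk(assets, threats) -> dict:
    """Per-threat expected annual loss plus the organization's TOTAL."""
    values = {a.name: a.value for a in assets}
    per_threat = {t.name: threat_loss(t, values) for t in threats}
    per_threat["TOTAL"] = sum(per_threat.values())
    return per_threat


def rank_countermeasures(assets, threats, countermeasures) -> list:
    """(name, risk reduced, reduced per dollar) sorted by cost-effectiveness (assumed rule)."""
    base = value_at_risk(assets, threats)
    ranked = []
    for cm in countermeasures:
        reduced = sum(base[t] * frac for t, frac in cm.mitigation.items())
        ranked.append((cm.name, reduced, reduced / cm.cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed walk-through results for one business unit.
ASSETS = [Asset("customer_db", 2_000_000), Asset("source_code", 500_000)]
THREATS = [
    Threat("insider_copies_customer_data", 0.10, {"customer_db": 0.5}),
    Threat("web_app_source_vulnerability", 0.20, {"customer_db": 0.25, "source_code": 0.1}),
]
COUNTERMEASURES = [
    Countermeasure("dlp_on_outbound_mail", 40_000, {"insider_copies_customer_data": 0.6}),
    Countermeasure("secure_code_review", 30_000, {"web_app_source_vulnerability": 0.7}),
]

if __name__ == "__main__":
    for name, loss in value_at_risk(ASSETS, THREATS).items():
        print(f"{name:32s} ${loss:>12,.0f}/yr")
    for name, reduced, ratio in rank_countermeasures(ASSETS, THREATS, COUNTERMEASURES):
        print(f"{name:32s} reduces ${reduced:,.0f}/yr, {ratio:.2f} per dollar")
```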

The top 2 responses to data security threats

April 23rd, 2010 admin Comments off

How does your company mitigate the risk of data security threats?

Is your company management adopting a policy of “It’s other people’s money”?

In a recent thread on LinkedIn, Jody Keyser shared some quotes from David Vose’s book on risk, reliability and computerized risk modeling: Risk Analysis: A Quantitative Guide.

The responses to correctly identified and evaluated risks are many but generally fall into one of the following categories:

- Cancel project
- Eliminate (do it another way)
- Transfer (insure, back-to-back contract)
- Share (with partner or contractor)
- Reduce (take a less risky approach)
- Add a contingency (increase budget, deadline etc., to allow for the possibility of risk)
- Collect more data to better understand the risk
- Do nothing (cost is just too dang high)
- Increase (maybe the plan is too cautious)

In my experience – when it comes to data security, data loss prevention, DLP projects – the top 2 responses to data security threats are “accept the risk” followed by “cancel the project” in a close second place.

The other alternatives are almost all non-starters. The question is – why?

Eliminating risk by changing the business process is often not an option or too much trouble for employees. For example – consider the process of transferring documents to external contractors – even though it’s trivial to encrypt documents inside a Zip file and share the password – most companies don’t make it part of their security procedure and those that do require encryption of documents sent to external business partners, don’t deploy DLP monitoring to ensure compliance with the encryption policy.
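The monitoring step the paragraph above says most companies skip can be automated. As an added example (not the author’s code or any DLP product), this Python checks a Zip archive attached to outgoing mail and blocks it when the recipient is outside the organization and any entry is unencrypted, reading bit 0 of each entry’s general-purpose flag (the bit both ZipCrypto and WinZip AES set). The mail domains and archives are constructed; because the standard library cannot write encrypted zips, the “encrypted” sample is produced by setting that flag bit, so its entries are not actually extractable.

```python
"""Outbound-archive check for an 'encrypt documents sent to partners' policy.

Added example, not the author's code. Sample data is constructed.
"""
import io
import zipfile

INTERNAL_DOMAINS = {"example.com"}  # constructed: the organization's own mail domains


def unencrypted_entries(archive: bytes) -> list:
    """Names of entries whose general-purpose flag bit 0 (encrypted) is clear."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [info.filename for info in zf.infolist() if not info.flag_bits & 0x1]


def outbound_decision(archive: bytes, recipient: str) -> tuple:
    """Return (allowed, reason) for sending `archive` to `recipient`."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return True, "internal recipient"
    plain = unencrypted_entries(archive)
    if plain:
        return False, "unencrypted entries to external partner: " + ", ".join(plain)
    return True, "all entries encrypted"


def build_archive(files: dict, encrypted: bool = False) -> bytes:
    """Constructed test archive; encrypted=True only sets the flag bit for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 of the flag field in every local file header (offset 6)
        # and every central directory entry (offset 8).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + off] |= 0x01
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


SAMPLE_FILES = {"customer_list.csv": b"id,name\n1,constructed sample\n"}
PLAIN_ZIP = build_archive(SAMPLE_FILES)
ENCRYPTED_ZIP = build_archive(SAMPLE_FILES, encrypted=True)

if __name__ == "__main__":
    for label, archive in (("plain", PLAIN_ZIP), ("encrypted", ENCRYPTED_ZIP)):
        for rcpt in ("alice@example.com", "bob@partner.example.net"):
            print(label, rcpt, outbound_decision(archive, rcpt))
```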

There are multiple reasons for data security risk being accepted by business managers. Most are related to cost, complexity, changing business requirements and a tacit disbelief in the effectiveness of technology in preventing data theft and fraud.

The reasons for accepting data security risk are related to the difference between being secure and feeling secure. Since most companies don’t monitor data flows, they don’t know how many sensitive digital assets are being leaked to the competition – ergo they don’t have the empirical data to analyze their data security threats and measure data security risks in terms of the dollar threat to the business. Such data would enable a business to deploy data security countermeasures and be secure at an acceptable cost. It would also enable them to measure the cost-effectiveness of their data security technology and challenge their innate beliefs and skepticism.

However – the company management already feels secure because they have delegated that part of the business to the information security folks, and reading the papers tells them that customers (not the business management) pay the cost of a data security breach.

As a kid growing up in South Jersey – when there was the occasional report of an urban boondoggle or million-dollar NASA toilets – my Dad (who worked for RCA on defense projects and knew about these things) would always use the expression “Other people’s money” or, if it was closer to home, “Pa’s rich and Ma don’t care”… which is really close to home this year for Americans as President Obama takes the US to an unprecedented $1.35 trillion budget deficit in 2010.

Exploiting Apache DoS vulnerabilities

March 15th, 2010 admin Comments off

Apache is the world’s most popular Web server for Linux and Windows platforms, and with such a large attack surface, it’s no surprise that attackers are looking to exploit Apache software vulnerabilities. The approach used by XerXeS is somewhat novel in that it is based on a DoS (not DDoS) attack and apparently requires relatively modest computing resources to execute.

The object of such an attack goes beyond denial of service: a more interesting and potentially valuable attack would gain access to the back-end database (typically MySQL) generally used by Apache web servers. The trick, of course, is identifying who has valuable data assets – since the vast majority of LAMP installations are small content/blogging Web sites.

Courtesy of my colleague Anthony Freed -

Infosec Island has once again gained exclusive access to a video demonstration of the XerXeS DoS attack recently developed by the infamous patriot-hacker known only as The Jester (th3j35t3r).

This new video shows a little more of the XerXeS dashboard, and reveals even more about the attack technique – watch the text box on the left as Jester mentions “Apache” for the first time outside of our private conversations…

See the video on the enhanced DoS exploit of Apache vulnerabilities

Data discovery and DLP

February 23rd, 2010 admin Comments off

A number of DLP vendors like Symantec and Websense have been touting the advantages of data discovery – data at rest and data in motion. Discovery of data in motion is an important part of continuous improvement of data security policies. However – there are downsides to data discovery.

Discovery is a form of voyeurism – it’s titillating but the fun wears off quickly.

Automated discovery of data at rest is an insurmountable challenge for institutions with large quantities of PCs, data and thousands of document formats, most of which are not well documented, plus all the application and database server technologies that were ever invented. Smaller companies may find it either unnecessary or not cost-effective.

Discovery of data at rest is also a double-edged sword. From a compliance perspective, it’s not only not required by PCI DSS 1.x, but it can create exposure issues that no business in its right mind would want to deal with. Also – why would a business want to buy products and services from a technology vendor and allow them to “discover” its data?

Love to hear your comments and what you think.