Archive

Posts Tagged ‘Data retention’

I want data loss reasons, not numbers

August 7th, 2009 admin

Media reporting of data breach events like the UK NHS, Heartland, Hannaford and Bank of America has overwhelmingly focused on the raw numbers of customer data records that were breached.

Little information is available regarding the root causes: how attackers exploited the system and human vulnerabilities to get at the data.

Although US legislation requires disclosure of a data loss event, it does not require disclosure of the root causes of the event.


Is security a washing machine?

August 4th, 2009 admin

Most security appliance vendors use fluffy charts with a 4 step "information risk management" cycle. It's always a 4 step cycle, like Symantec's DLP "Discover, Monitor, Protect and Manage", and it's usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.

It's like a washing machine cycle that never stops, intent on keeping you from going home. It's also a sales cycle focused on sustaining subscription revenue rather than protecting information.

The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard stuff: quantification and prioritization of your actions based on the financial value of assets and measurement of threat impact.

Modern security tools from companies like Qualys and Beyond Security are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However, since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected.

With reported data breaches up nearly 50% in 2008, and security budgets that shrank drastically in 2009, you need to measure how well a product reduces Value at Risk in dollars (or in euros), and how well it will still do so 3 years after you buy the technology.

In order to help make that happen we will host a free weekly online workshop on data security best practices every Thursday, 15:00 GMT, 16:00 Central European Time, starting Thursday September 3, 2009.

This series of workshops is designed to help you and your team take a leadership role in the board room instead of waiting for vendor proposals in your office.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, value your risk and choose the most cost-effective security technologies to protect your data.

Data security is a war – when the attackers win, you lose. We will help you win more.

Data discovery for data loss prevention

July 31st, 2009 admin

A few years ago I did some work for an Israeli startup called nLayers that did discovery of applications, servers and devices. They were later acquired by EMC. I thought it was a brilliant idea at the time, since large IT organizations don't really know what assets they have in their IT portfolio.

Therefore, it should be no surprise to anyone that a similar situation exists with data: large companies don't really know what data assets they have, or where, when and how those assets are located.

This has given rise to a relatively new concept called "Data Discovery".

Symantec has one of those cute 4 step risk management processes for data loss prevention: discover, monitor, protect and manage. Security vendors have a predilection for this sort of 4 step cycle, often presented on a circular chart but sometimes in a box or on a line.

Why is data discovery the first step in an endless 4 step wash-cycle designed to maximize product subscription revenues for companies like Checkpoint and Symantec, instead of minimizing customer data security risk for organizations like the British NHS?


The role of DLP in IP protection

July 5th, 2009 admin

A common conversation I have with my technology clients touches on patent protection as a security countermeasure against abuse of intellectual property. The short answer is that if you're not DuPont or Roche, then patent protection is not going to help you very much. If you develop software, you are probably infringing someone's patents as we speak.

Outside the chemical and pharmaceutical industries, the cost of litigation far exceeds the benefits of patent protection. (See "Patent Failure: How Judges, Bureaucrats and Lawyers Put Innovators at Risk", Bessen and Meurer, Princeton University Press, 2008, pages 130-156, "The cost of dispute".)


Data loss prevention for SME

July 1st, 2009 admin

Small children, small problems; big children, big problems

Is an SME like the old German expression "Kleine Kinder kleine Sorgen, große Kinder große Sorgen" ("Small children, small problems, big children, big problems")?

I wanted to call this post "The need to understand operational risk of information security", but I realised that op risk is a concept used by big banks, and that an SME with 40 employees is not even thinking in that direction and may not even have an IT manager, let alone an IT security and compliance group. Yet a small payment processor or customer service outsourcing provider can be destroyed by a single data loss event.

The impact of a data loss event on an SME can be proportionally much greater than for a large, globally dispersed organization. An SME has all its eggs in one basket: outsourcing manufacturing to the Far East and providing sales and support over the Internet from offices in New York, Tel Aviv and Mumbai.

A typical SME buys network access from the ISP and installs standard network security in the office: a SOHO firewall (Checkpoint or Cisco do fine), anti-virus on the workstations and anti-spam from the ISP.

The problem with firewall/anti-virus/anti-spam is that they are defensive measures against known signatures rather than proactive measures for mitigating the next attack, which may well be launched from inside the network.


Choosing a data loss prevention solution

July 1st, 2009 admin

Data security, Disaster recovery planning

Data security is not one-size-fits-all.

For example, if the threat scenario is an attack on your customer self-service Web application, obfuscating or encrypting fields in database tables is not an effective security countermeasure; you need a network DLP solution to prevent leaks of clear text data, and a software security assessment that will help you get rid of the bugs that make your Web application vulnerable. On the other hand, if the threat scenario is sales representatives working in stores in shopping malls using unmanaged PCs and leaking customer data, you need an agent DLP solution.

How do you decide which DLP solution is right for your business?


Reducing risk of major data loss events

June 18th, 2009 admin

Martin Hellman (of Diffie-Hellman fame) maintains the Nuclear Risk web site and has written a very insightful piece on the risk analysis of nuclear war entitled "Soaring, cryptography and nuclear weapons".

Hellman proposes that we need a third-state scenario (instead of just the current state -> nuclear war) in which the risk of nuclear holocaust has been reduced by several orders of magnitude from today, to an acceptable level.

This makes sense, and it's an intriguing exercise in the risk analysis of information security and data protection to ask whether there is a similar third state, one in which the risk of data breach and major data loss events is reduced to acceptable levels.

That’s one thing that got me thinking.

The second thing is this quote from Fyodor Burlatsky, one of Khrushchev's speechwriters and close advisors, as well as a man who was in the forefront of the Soviet reform movement:

In Khrushchev's eyes [America insisting on getting its way on certain issues] was not only an example of Americans' traditional strong arm policy, but also an underestimation of Soviet might. … Khrushchev was infuriated by the Americans' … continuing to behave as if the Soviet Union was still trailing far behind.

So here we are in 2009, and President Obama is insisting on getting his way on certain issues with the Iranians, who pose a serious nuclear threat to the world. But it is not only Ahmadinejad: the Russians and the North Koreans are also infuriated by the Americans' … continuing to behave as if they are still trailing far behind.

N Digital TV data breach in Poland

June 17th, 2009 admin

Polish digital TV broadcaster N (owned by ITI Neovision) has disclosed a breach of customer data records, after a subscriber accidentally discovered the PII on the Net via a search engine.

The partner who manages our offices in Warsaw (the team specializes in high end data security consulting and DLP projects in Central Europe) called me this morning after hearing about the data loss event on the radio on the way to work.

The details are fairly typical for a telecommunications service provider.


Exploiting a wireless mesh network for utilities

June 11th, 2009 admin

Greentech

I think it’s only a matter of time before someone exploits a wireless mesh network that controls and reads home utility meters to get free water and electricity.

Until then, there is a problem of range and coverage.

Greentech Media reports that Trilliant (a smart meter neighborhood networking startup) has bought SkyPilot for its long range, WiFi-based communications. SkyPilot, with over 500 customers in 50 countries (utilities, wireless Internet service providers (WISPs) and municipal agencies) and deployments exceeding 50,000 devices, will help Trilliant get to the next stage.

US Military firms recruiting hacker soldiers

June 9th, 2009 admin

It seems that the GFC is creating a movement of migratory hi-tech workers from Silicon Valley to the Beltway. I'm not sure that an unemployed IT security analyst turned hacker is the best choice for a defense contractor: the really good guys and gals are always in demand, and those DC summers are the pits. The weather in Mountain View is a lot nicer.

Daniel D. Allen, who works for Northrop Grumman, claims that federal spending on computer security now totals USD 10 billion annually, including classified programs. So there is a lot of lard in the pork barrel for cyberninjas who don't mind the 95% humidity. And with the recently publicized data breach of sensitive design and electronic systems data from the $300BN F-35 Lightning II fighter project, there are plenty of asses to be covered. Then again, with peace in our time looking to arrive by the end of the year courtesy of President Obama, we will not need all that hardware. I hear the beer is pretty good in Munich.

Here is the article on Presstv:

Military giants including Northrop Grumman, General Dynamics, Lockheed Martin and Raytheon are now busy recruiting "hacker soldiers" to address the new demand for an unconventional cyberwar and, in a way, to blend the new capabilities into the nation's war planning.