Archive

Posts Tagged ‘Identity theft’

Cultural factors in DLP

March 11th, 2010 admin

What is interesting, and generally overlooked, is the cultural difference between the US and the rest of the world. The Europeans prefer a more nuanced approach stressing discipline and procedures; the Americans are compliance driven and IT top heavy. I imagine that if you look at DLP sales, 98% are in the US, being (rightly or wrongly) compliance driven.

Last September, Forrester did a seminar in Amsterdam on data security – only 10% of the CTOs/CIOs that attended the meeting had plans to implement DLP in 2010.

The Europeans have a point, but policies and procedures are only as good as the monitoring and enforcement behind them. This is where DLP comes into play: collecting data in several realms, namely data channels, content and organizational anomalies (downloads, uploads etc.).

In addition, there is a strong and well-known link between the social health of employees in an organization and the company’s economic/business health. In a successful business unit people are happy, and happy people contribute to the success of the business. Unhappy people don’t identify with the company, have problems contributing, and leave or cross the line into malicious behavior.

For my money (and this is my experience in a dozen DLP deployments in EMEA), the key value add of DLP technology is not the prevention part but the monitoring part and its role in a feedback / educational loop with the organization.

If you only do one thing this year – you should start measuring data security events and using those measurements to improve your policies, procedures and systems – and user education.
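The feedback loop described above, as an added example that is not part of the original post or of any DLP product: a handful of constructed DLP event records are aggregated into the measurements a quarterly review would use (counts per channel, business unit and week), repeat offenders are listed as candidates for user education, and policies whose events were mostly dismissed as false positives are flagged for tuning rather than enforcement. All field names, users and policies are made up for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed DLP event records: (timestamp, user, business_unit, channel,
# policy, disposition). Dispositions: "blocked", "monitored", and
# "false_positive" (reviewed by an analyst and dismissed). Sample data only.
EVENTS = [
    ("2010-03-01T09:12", "alice", "sales", "email", "credit_card_numbers", "monitored"),
    ("2010-03-01T10:40", "bob", "rnd", "usb", "source_code", "blocked"),
    ("2010-03-02T08:05", "alice", "sales", "webmail", "credit_card_numbers", "monitored"),
    ("2010-03-03T17:30", "carol", "finance", "email", "customer_list", "false_positive"),
    ("2010-03-04T11:15", "alice", "sales", "email", "customer_list", "false_positive"),
    ("2010-03-08T09:00", "dave", "finance", "email", "customer_list", "false_positive"),
    ("2010-03-09T14:20", "bob", "rnd", "usb", "source_code", "blocked"),
    ("2010-03-10T16:45", "alice", "sales", "usb", "credit_card_numbers", "blocked"),
    ("2010-03-11T12:00", "erin", "rnd", "webmail", "source_code", "monitored"),
]

# Field positions in an event tuple.
TS, USER, BU, CHANNEL, POLICY, DISPOSITION = range(6)


def count_by(events, field):
    """Count events by one field (channel, policy, business unit, ...)."""
    return Counter(e[field] for e in events)


def weekly_counts(events):
    """Events per ISO week: the trend line a periodic review should look at."""
    weeks = Counter()
    for e in events:
        iso = datetime.strptime(e[TS], "%Y-%m-%dT%H:%M").isocalendar()
        weeks[(iso[0], iso[1])] += 1
    return dict(weeks)


def education_candidates(events, threshold=3):
    """Users with at least `threshold` real (non-false-positive) events.
    These are the people to talk to and train, which is the educational
    half of the loop; the count excludes events the analyst dismissed."""
    per_user = Counter(e[USER] for e in events if e[DISPOSITION] != "false_positive")
    return sorted(u for u, n in per_user.items() if n >= threshold)


def policies_to_tune(events, fp_ratio=0.5):
    """Policies where at least `fp_ratio` of events were dismissed as false
    positives: here the rule, not the users, is what needs improving."""
    totals, fps = Counter(), Counter()
    for e in events:
        totals[e[POLICY]] += 1
        if e[DISPOSITION] == "false_positive":
            fps[e[POLICY]] += 1
    return sorted(p for p in totals if fps[p] / totals[p] >= fp_ratio)


def feedback_report(events):
    """Everything the review meeting needs, in one dictionary."""
    return {
        "by_channel": dict(count_by(events, CHANNEL)),
        "by_business_unit": dict(count_by(events, BU)),
        "by_week": weekly_counts(events),
        "education_candidates": education_candidates(events),
        "policies_to_tune": policies_to_tune(events),
    }


if __name__ == "__main__":
    for key, value in feedback_report(EVENTS).items():
        print(f"{key}: {value}")
```

The split between `education_candidates` and `policies_to_tune` is the point: a user who trips a badly written rule three times is a policy problem, not a training problem, so only non-dismissed events count against a user.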

How to valuate information assets

January 8th, 2010 admin

A client recently asked:

How do I assign a dollar value to an asset? Should I use the purchase value of the asset, the replacement value, or the expected damage to the company if the asset were stolen or exploited?

Estimating asset value is without doubt the most frequent question we get when it comes to calculating data security risk in monetary terms. There are several practical guidelines for measuring information assets value:

  • Use the right metric. A common mistake made by marketeers who work for data security vendors is to estimate the cost of a data security breach as the number of records multiplied by some plug number. The cost of a data security breach to a company is not the same as the cost of a customer data record breach to a customer. A customer may not even know that her credit card number has been breached (considering that 250 million credit card numbers have been stolen in the past few years, it is a reasonable assumption that your credit card number is known to someone who stole it), but your cost is zero, isn’t it?
  • Ask an expert, usually the CFO. The expert can and should provide confidence intervals for his estimate. The CFO is the best source and best equipped to decide whether replacement value, purchase value (depreciated) or opportunity cost is the relevant metric to measure the value of an asset. It’s OK if your CFO says that company IP is worth $50 million with a confidence level of 85%. If you do a practical threat modeling exercise, you will be able to test the sensitivity of your threat model to the confidence boundaries.
  • Use test equipment. For example, if the cost of acquiring a customer is $50, you can write a SQL query to find out how many customers you have and then multiply by $50. Looking at the fixed assets and GL modules is another example of using test equipment. If you have to measure the number of credit cards in clear text circulating on your network, I suggest network surveillance.
  • Use random sampling from a population of asset value estimators. The Rule of Five says that there is a 93% chance that the median of a population is between the smallest and largest values in any random sample of five from the population. So if you have to estimate the value of a digital asset like intellectual property, you can ask five people for their estimate: for example, the CFO, the CTO, a customer, your VP marketing and a software developer who worked for one of your competitors.
  • Measure in small increments and be prepared to iterate. In other words, when you do a threat model exercise, take small steps: measure 5-10 asset values and move on from there. Most of the information value is gained at the beginning of a measurement exercise, and most companies measure things that have zero information value to the business because they are easy to measure (for example, how many SSH password attacks were made on company web servers) instead of the important things, like the value of a field service engineer diagnostic database that is distributed to notebook computers.
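The Rule of Five and the sensitivity test mentioned in the "ask an expert" and "random sampling" points above, worked through as an added example (not from the original post). It derives the 93% figure (exactly 1 - 2 * (1/2)^5 = 0.9375), checks it by simulation against a skewed population, takes five constructed estimates from the estimators the post names, and then evaluates a hypothetical control at both ends of the resulting interval to see whether the spend decision flips. The estimate values, loss probabilities and control cost are all made up.

```python
import math
import random

# Constructed estimates (USD millions) of the value of a company's IP from the
# five estimators the post suggests. Made-up sample values, not real data.
FIVE_ESTIMATES = {
    "CFO": 50.0,
    "CTO": 35.0,
    "customer": 20.0,
    "VP marketing": 80.0,
    "ex-competitor developer": 42.0,
}


def rule_of_five_confidence(n=5):
    """Chance that the population median lies between the smallest and largest
    of n random draws. Each draw lands below the median with probability 1/2,
    so the median escapes the sample range only when all n fall on one side:
    P = 1 - 2 * (1/2)^n, which is 0.9375 for n = 5 (the post's "93%")."""
    return 1.0 - 2.0 * 0.5 ** n


def median_interval(estimates):
    """The Rule-of-Five interval: (smallest, largest) of the sample."""
    values = list(estimates.values())
    return min(values), max(values)


def simulate_rule_of_five(trials=20000, n=5, seed=1):
    """Monte Carlo check against a skewed population: a log-normal whose
    median is exactly exp(mu) = 40. Returns the observed fraction of samples
    whose [min, max] range contains the true median."""
    rng = random.Random(seed)
    true_median = 40.0
    hits = 0
    for _ in range(trials):
        sample = [rng.lognormvariate(math.log(true_median), 0.8) for _ in range(n)]
        if min(sample) <= true_median <= max(sample):
            hits += 1
    return hits / trials


def annual_expected_loss(asset_value, annual_loss_probability):
    """Simplest quantitative risk figure: value at risk times probability."""
    return asset_value * annual_loss_probability


def countermeasure_sensitivity(estimates, p_before, p_after, control_cost):
    """Evaluate a control at both confidence boundaries of the asset value:
    net benefit = (expected loss before - expected loss after) - control cost.
    If the sign differs between the low and high end, the decision is
    sensitive to the valuation and the estimate must be tightened first."""
    low, high = median_interval(estimates)
    result = {}
    for label, value in (("low", low), ("high", high)):
        saved = annual_expected_loss(value, p_before) - annual_expected_loss(value, p_after)
        result[label] = saved - control_cost
    result["sensitive"] = (result["low"] < 0) != (result["high"] < 0)
    return result


if __name__ == "__main__":
    print("Rule of Five confidence:", rule_of_five_confidence())
    print("Simulated hit rate:", simulate_rule_of_five())
    print("Interval for IP value (USD M):", median_interval(FIVE_ESTIMATES))
    # Hypothetical control costing $2M/yr that halves a 10%/yr loss probability.
    print(countermeasure_sensitivity(FIVE_ESTIMATES, 0.10, 0.05, 2.0))
```

With the constructed numbers the control shows a net loss at the $20M end and a net gain at the $80M end, which is exactly the case where the "measure in small increments and iterate" advice applies: spend the next measurement effort on narrowing that interval, not on the control.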

Dissonance is bad for business

October 28th, 2009 admin

In music, dissonance is a sound quality which seems “unstable”, and has an aural “need” to “resolve” to a “stable” consonance.

Leading up to the Al Qaeda attack on the US on 9/11, the FBI investigated and the CIA analyzed, but no one bothered to discuss the impact of Saudis learning to fly but not land airplanes.

Dissonance in organizations is often resolved by building separate silos of roles and responsibilities.

However, it is impossible to take wise decisions on risk management in the business when the risk intelligence is in separate silos.

Resolving dissonance in your business is key to getting actionable intelligence in order to reduce risk and improve compliance. Why should I care? After all, for this we have security, risk and compliance specialists.

According to the Verizon Business Report, 285 million records were breached in 2008; 32% of the cases implicated business partners.

Information assurance of third parties that have access to your business assets is crucial for contract due diligence, complying with best practices, internal and external audit and regulation.

Due diligence of third parties that work with your business requires actionable intelligence.

Remember Madoff?

Actionable risk and compliance intelligence requires breaking down silos and recycling commonalities instead of fragmenting activities and duplicating resources.

Learn how to make that happen at our next online workshop on security management, coming this Thursday, October 29, 2009, at 10:00 Eastern, 14:00 GMT, 16:00 in Israel and Central Europe, 17:00 MT.

Go green by recycling policies and controls.

Don’t make any of the 10 data security mistakes

Register today for this free online workshop.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data. Data security is a war: when the attackers win, you lose. We will help you win more.

We help protect customer data and intellectual property from fraud and breaches of confidentiality. We’re always looking for interesting projects – call or text me at +972 54 447 1114 at any time.

Preventing inside jobs with dynamic security

October 13th, 2009 admin

I was talking to Ilan Meller from Identiwall recently. Ilan was an SVP at CA, and his latest company is doing serious work with strong identity and authentication management. They have over a million installed home banking users in Israel. Ilan told me about three product lines: Identiwall for secure online transactions, Identiwall VPN, and Identiwall Dynamic Security, which was developed for an Israeli defense customer. I thought that Dynamic Security was the most impressive of the three products – I’ll let you decide.


Multi-factor authentication for home banking

September 15th, 2009 admin

For fear of becomming(sic) the next victim of identity theft, 150 million U.S. consumers don’t bank online, according to experts. But the banking industry could improve profitability by as much as $8.3 billion per year if banks build consumers’ confidence in online security, according to the TriCipher Consumer Online Banking Study, conducted by Javelin Strategy & Research for TriCipher, a Los Gatos, Calif.-based authentication solutions provider.

I don’t doubt that US banks, after having received all that taxpayer money, will spend some of it on biometrics and multi-factor authentication. I predict that they will eventually abandon ship on authentication technology for home banking when they realize that authentication technology doesn’t protect their customers on the Internet.

Multi-factor doesn’t prevent phishing. It doesn’t prevent identity theft. It doesn’t secure online accounts from fraudulent transactions. Take two attacks for example:

Man in the middle – an attacker sets up a fake banking web site and gets people to log in, passing the request for authentication through to the real bank. The attacker doesn’t care if the user is authenticated with biometrics or with out-of-band SMS messages – that’s great. He still gets the user into his system in order to harvest usernames, passwords, credit cards and account numbers.

Trojan horse – an attacker distributes a Trojan on a CD or from an online adult content site. When the user logs in to the bona fide banking site, the attacker can use the connection to perform fraudulent transactions, like account withdrawals and funds transfers, while the user is logged in and authenticated.

Multi-factor and biometrics work well in a controlled environment like a corporate local area network, but in the wild the threats are changing too fast for multi-factor authentication solutions to provide effective data security.

What will get more people to use online banking?

  • Trusting their bank.
  • Banks that don’t lose customer data
  • A simple but robust online login method (account, username, password) that uses offline, face-to-face authentication to validate identity before issuing a username/password, and enforces strong, frequently updated passwords.
  • Education about the dangers of phishing
  • A well engineered online banking web site that doesn’t require hardware dongles and Java or ActiveX client software

Sharing security information

September 2nd, 2009 admin

I think fragmentation of knowledge is a root cause of data breaches.

It’s almost a cliché to say that the security and compliance industry has done a poor job in preventing data breaches of over 245 million personal records in the past 5 years.

It is apparent that government regulation is ineffective in preventing identity theft and major data loss events.

Given: direct data security countermeasures go a long way; data loss prevention and network surveillance work well inside a feedback loop to improve the security of systems, increase employee awareness and support management accountability.

However: I believe that even if every business deployed the Fidelis XPS Extrusion Prevention system, Verdasys Digital Guardian or the Websense Data Security suite, we would still have major data loss events.

This is because a major data loss event has three characteristics:

  1. Appears as a complete surprise to the organization
  2. Has a major impact, to the point of maiming or destroying the company
  3. After it has appeared, is ‘explained’ by human hindsight

The root cause of the surprise is, in most cases, a lack of knowledge: not knowing the current range of data security threat scenarios in the wild, or not even knowing the top 10 in your type of business.

The root cause of the lack of knowledge is fragmentation of knowledge.

Every business, from SME to Global 2000, deals with security issues and amasses its own best practices and knowledge base of how to protect its information. But the knowledge is fragmented, since business organizations don’t share their loss data, and the dozens or maybe hundreds of vendor web sites that do disclose and categorize attacks don’t provide the business context of a loss event.

Fragmentation leads to waste and duplication, as well as frustrating, expensive and sometimes dangerous experiences for companies facing a data loss event.

So what’s the solution?

With our clients, we see growing evidence that the more organized a company is with its security operation – having a single security organization responsible for digital assets, physical security, permissions management and compliance – the better security it delivers. What’s more, it may be able to reduce value at risk at lower cost due to higher levels of competence, knowledge and economy of scale.

The concept of sharing best practices and aggregating support so that companies of all sizes can access knowledge and support resources is not new; it’s a common theme in the industrial safety and Free and Open Source worlds, to name two. I imagine that there are a few more examples I am not familiar with.

But what’s in it for security professionals? In addition to the satisfaction and prestige of helping colleagues, how about learning from the biggest and best practitioners in the world, having access to resources to improve your own systems and procedures, and having the ability to analyze the history of a data loss event from disclosure to analysis to remediation? How about having peers with a common goal of providing the best security for customers?

It’s time for policymakers and large commercial organizations to support organized security knowledge sharing systems, starting with compensation to employees and independent consultants that rewards high-quality, coordinated, customer-centric security across the full continuum of security, not just point technology solutions or professional regulatory services. And it’s time for firms to recognize that sharing some data may be worth the benefits to them and their customers.

That’s my opinion. I’m Danny Lieberman.

Data security – is psychology more important than technology?

June 17th, 2009 admin

We had a discussion with a prospect for a DLP (data loss prevention) system that started with the pros and cons of various DLP solutions (Verdasys, McAfee DLP, Websense, Fidelis Security) and finished with a drill-down into how they can build a business case to acquire and implement data security technology. After a very interesting session the CIO asked me, “So why did you start with technology? We should have started with the business case.” I replied, “Got your attention, didn’t I!”

Talking with clients, we stress threat modeling and analysis and doing quantitative risk analysis, but I believe that psychology may be more important than the technology. This is for several reasons:


Bank employee steals 100,000 sheqels

November 18th, 2008 admin

This is a classic case of trusted insider threat, as reported by yesterday’s morning paper, “Israel Today” (I assume that this has been under investigation for a while, so the actual event may have happened over a year ago…).

The arrest sheet in the Tel Aviv district court depicts collusion between an information security employee and outsiders.

An employee in the information security department of the First International Bank in Tel Aviv has been charged as an accessory in a theft of over 100,000 shekels from bank customers. The employee, Dan Tirspolski, exploited his access to confidential information to identify foreign resident customers of the bank and their online user names and passwords. The foreign residents, not being physically present in Israel, use the Internet to occasionally access their accounts. He then transferred this information to accomplices outside the bank, who used their Internet access to withdraw money from the accounts.

The case reveals a direct link between data loss, fraud and money theft. The trusted insider did not exploit a vulnerability of weak passwords. In cases like this, trusted insiders are insider threats that exploit a minimum of two vulnerabilities in the bank’s software applications, and both vulnerabilities are a violation of the principle of separation of duties:

  1. One application may disclose clear text versions of the username and password relating to a particular account number.
  2. Another application may disclose account details such as the address and the fact that the bank customer is a foreign resident and not physically present in Israel, enabling the crime where a malicious insider collaborated with malicious outsiders.
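The two separation-of-duties violations above, turned into checks a defender could run, as an added example that is not from the original post and does not describe the bank’s actual systems. It removes the first vulnerability by storing only salted PBKDF2 digests, so no application can return a clear-text password (the only operation that exists is verify); it removes the second by declaring the credential/profile pair a toxic combination that no role may hold, checked statically against the role table and dynamically against access-log lines. Role names, permission names and the log lines are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Hypothetical role-to-permission table, constructed for this example. The
# application that checks passwords may only *verify* them; no role anywhere
# in the table is granted a "read_credentials" operation.
ROLE_PERMISSIONS = {
    "infosec_analyst": {"read_security_events", "read_profile"},
    "helpdesk": {"reset_password"},
    "online_banking_app": {"verify_password"},
}

# Permission sets that must never be held by one principal: knowing which
# customers are abroad plus being able to obtain (or replace) their login
# credentials is the combination the case above describes.
TOXIC_COMBINATIONS = [
    frozenset({"read_credentials", "read_profile"}),
    frozenset({"reset_password", "read_profile"}),
]


def hash_password(password, salt=None, iterations=200_000):
    """Store only a salted PBKDF2 digest; nothing can read the password back."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=200_000):
    """Constant-time comparison of a candidate against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def authorize(role, permission, role_permissions=ROLE_PERMISSIONS):
    """Deny by default: a permission absent from the role table is refused."""
    return permission in role_permissions.get(role, set())


def roles_violating_sod(role_permissions, toxic=TOXIC_COMBINATIONS):
    """Static check of the role table: roles that hold a complete toxic set."""
    return sorted(
        role for role, perms in role_permissions.items()
        if any(combo <= perms for combo in toxic)
    )


# Constructed access-log lines: timestamp, principal, permission used, object.
ACCESS_LOG = """\
2008-11-17T09:12:03 user_a read_profile acct=1001
2008-11-17T09:12:40 user_a read_profile acct=1002
2008-11-17T09:15:11 user_a reset_password acct=1001
2008-11-17T10:02:55 user_b read_security_events host=ids1
2008-11-17T10:30:00 user_c reset_password acct=2007
"""


def principals_with_toxic_access(log_text, toxic=TOXIC_COMBINATIONS):
    """Dynamic check: even with a clean role table, one person can accumulate
    a toxic set through several roles or a misconfiguration. Returns
    {principal: [sorted permission lists that completed a toxic set]}."""
    used = defaultdict(set)
    for line in log_text.splitlines():
        _ts, principal, permission, _obj = line.split(maxsplit=3)
        used[principal].add(permission)
    flagged = {}
    for principal, perms in used.items():
        hits = [sorted(combo) for combo in toxic if combo <= perms]
        if hits:
            flagged[principal] = hits
    return flagged


if __name__ == "__main__":
    print("Role table violations:", roles_violating_sod(ROLE_PERMISSIONS))
    print("Principals with toxic access:", principals_with_toxic_access(ACCESS_LOG))
```

The static check catches a badly designed role; the log check catches the case in the post, where the role table may look fine but a single employee nevertheless ends up with both halves of the combination. Running the second check daily over real access logs is the monitoring half of a separation-of-duties control.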

Read more about data breaches and the consequences for managers who ignore data security.