Posts Tagged ‘Internal security’

A threat analysis of critical patient monitoring medical devices

August 13th, 2010 admin No comments

What is more important – patient safety or the health of the enterprise hospital Windows network?  What is more important – writing secure code or installing an anti-virus?

A threat analysis was performed on a networked Windows-based embedded medical device used for patient monitoring.  The system helps hospital staff prevent crisis situations through ongoing supervision of patient status, early detection of warning signs, and alert notifications of changes in patient condition.  The threat analysis used the PTA (Practical threat analysis) methodology, described in Appendix A of the full article reporting on the threat analysis of a medical device in PDF format.

Our analysis considered threats to three assets: medical device availability, the hospital enterprise network and patient confidentiality/HIPAA compliance. Following the threat analysis, a prioritized plan of security countermeasures is suggested in Section III. We devoted special interest to the issue of propagation of viruses and malware into the hospital network.

Our analysis shows that installing anti-virus software on a medical device is less effective than implementing other security countermeasures that mitigate the most severe threats – ePHI leakage, software defects and USB access to bedside units.

A detailed discussion appears in Section IV of this paper. Section V suggests segregating the bio-med functions from the hospital enterprise IT.  Section VI provides a summary of the analysis and its findings.

A novel benefit of our approach is derived by providing the analytical results as a standard threat model database, which can be used by the medical device manufacturers and hospital customers to model changes in risk profile as technology and customer environment evolve. The threat model can be downloaded here and the threat modelling software can be downloaded here.


The top 2 responses to data security threats

April 23rd, 2010 admin Comments off

How does your company mitigate the risk of data security threats?

Is your company management adopting a policy of “It’s other people’s money”?

In a recent thread on LinkedIn, Jody Keyser shared some quotes from David Vose’s book on risk, reliability and computerized risk modeling: Risk Analysis: A Quantitative Guide.

The responses to correctly identified and evaluated risks are many but generally fall into one of the following categories:

- Cancel Project
- Eliminate (do it another way)
- Transfer (insure back to back contract)
- Share (with partner or contractor)
- Reduce (take a less risky approach)
- Add a contingency (increase budget, deadline etc., to allow for possibility of risk)
- Collect more data to better understand risk
- Do nothing (cost is just too dang high)
- Increase (maybe the plan is too cautious)

In my experience – when it comes to data security, data loss prevention, DLP projects – the top 2 responses to data security threats are “accept the risk” followed by “cancel the project” in a close second place.

The other alternatives are almost all non-starters. The question is – why?

Eliminating risk by changing the business process is often not an option or too much trouble for employees. For example – consider the process of transferring documents to external contractors. Even though it’s trivial to encrypt documents inside a Zip file and share the password, most companies don’t make it part of their security procedure, and those that do require encryption of documents sent to external business partners don’t deploy DLP monitoring to ensure compliance with the encryption policy.

There are multiple reasons for data security risk being accepted by business managers.  Most are related to cost, complexity, changing business requirements and a tacit disbelief in effectiveness of technology in preventing data theft and fraud.

The reasons for accepting data security risk are related to the difference between being secure and feeling secure. Since most companies don’t monitor data flows, they don’t know how many sensitive digital assets are being leaked to the competition – ergo they don’t have the empirical data to analyze their data security threats and measure data security risks in terms of dollar threat to the business. Having that data would enable a business to deploy data security countermeasures and be secure at an acceptable cost. It would also enable them to measure the cost effectiveness of their data security technology and challenge their innate beliefs and skepticism.

However – the company management already feel secure because they have delegated that part of  the business to the information security folks and reading the papers tells them that customers (not the business management) pay the cost of a data security breach.

As a kid growing up in South Jersey – when there was the occasional report of an urban boondoggle or million dollar NASA toilets – my Dad (who worked for RCA on defense projects and knew about these things) would always use the expression – “Other people’s money” or if it was closer to home – “Pa’s rich and Ma don’t care”…which is really close to home this year for Americans as President Obama takes the US to an unprecedented $1.35 trillion budget deficit in 2010.

Cultural factors in DLP

March 11th, 2010 admin Comments off

What is interesting and generally overlooked is the cultural difference between the US and the rest of the world. The Europeans prefer a more nuanced approach stressing discipline and procedures; the Americans are compliance driven and IT top heavy. I imagine if you look at DLP sales – 98% are in the US, being (right or wrong) compliance driven.

Last September, Forrester did a seminar in Amsterdam on data security – only 10% of the CTOs/CIOs that attended the meeting had plans to implement DLP in 2010.

The Europeans have a point – but policies and procedures are only as good as the monitoring and enforcement behind them. This is where DLP comes into play – collecting data in several realms – data channels, content and organizational anomalies (downloads, uploads etc.).

In addition – there is a strong and well-known link between the social health of employees in an organization and the company’s economic/business health.  In a successful business unit – people are happy, and happy people contribute to the success of the business.   Unhappy people don’t identify, have problems contributing and leave or cross the line to malicious behavior.

For my money (and this is my experience in a dozen DLP deployments in EMEA) – the key value add of DLP technology is not the prevention part but the monitoring part and its role in a feedback / educational loop with the organization.

If you only do one thing this year – you should start measuring data security events and using those measurements to improve your policies, procedures and systems – and user education.

Dissonance is bad for business

October 28th, 2009 admin 1 comment

In music, dissonance is a sound quality which seems “unstable”, and has an aural “need” to “resolve” to a “stable” consonance.

Leading up to the Al Qaeda attack on the US on 9/11, the FBI investigated, the CIA analyzed but no one bothered to discuss the impact of Saudis learning to fly but not land airplanes.

Dissonance in organizations is often resolved  by building separate silos of roles and responsibilities.

However, it is impossible to take wise decisions on risk management in the business when the risk intelligence is in separate silos.

Resolving dissonance in your business is key to getting actionable intelligence in order to reduce risk and improve compliance.

Why should I care? After all – for this we have security, risk and compliance specialists.

According to the Verizon Business Report, 285 million records were breached in 2008;  32% of the cases implicated business partners.

Information assurance of third parties that have access to your business assets is crucial for contract due diligence, complying with best practices, internal and external audit and regulation.

Due diligence of third parties that work with your business requires actionable intelligence.

Remember Madoff?

Actionable risk and compliance intelligence requires breaking down silos and recycling commonalities instead of fragmenting activities and duplicating resources.

Learn how to make that happen at our next  online workshop on security management coming this Thursday October 29, 2009,
10:00 Eastern 14:00 GMT, 16:00  in Israel and Central Europe 17:00 MT.

Go green by recycling policies and controls.

Don’t make any of the 10 data security mistakes

Register today for this free online workshop.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data. Data security is a war – when the attackers win, you lose.  We will help you win more.

We help protect customer data and intellectual property from fraud and breaches of confidentiality.  We’re always looking for interesting projects – call or text me at  +972 54 447 1114 at  any time.

Trusted insider threats, fact and fiction

September 11th, 2009 admin Comments off

mindless IT research

Richard Stiennon is a well known and respected IT analyst – he has a blog called IT Harvest.

A recent post had to do with trusted insider threats. Despite the length of the article, I believe that the article has a number of fundamental flaws:

  • Overestimating the value of identity and access management in mitigating trusted insider threats
  • Lacking empirical data to support the claim that “the insider threat actually outweighs the threats from cyber criminals, hackers and the malware”
  • Missing a basic management issue of accountability

The role of identity and access management in preventing trusted insider security violations

Stiennon writes that IAM (Identity and access management) “is the single most valuable defense you have against the insider threat.” I beg to disagree – and I will attempt to explain by using the model of a crime.

Like any other crime, in order to steal or disclose assets, a person needs a combination of means, opportunity, and intent.

IAM provides the means for the trusted insider. Companies issue users legitimate user accounts with the rights to access certain data, applications, databases and file services. Insiders have knowledge of how the system works, the business processes, the company culture and how people interact. They know who manages the rights management systems and who grants systems permissions. With the right knowledge and social connections, means can be obtained even if they were not originally granted by design in the IAM system.

A trusted insider is an employee who is motivated by self-interest, influenced by personal preferences, social context, corporate culture and her aversion to risk taking compared with the premium gained by stealing data.   There is little in the traditional access control model to mitigate any of these threats once access has been granted.

In 100 percent of the cases we investigated in our data security practice – the client’s permissions systems were working properly, the trusted insiders involved all had been granted appropriate rights, they did not perform any elevation of privilege exploits – they took data that they had appropriate access to. Directors of new product development, system managers, sales managers – each and every one that took and/or abused data did so with appropriate permissions.

Lacking empirical data

“While often overlooked, the insider threat actually outweighs the threats from cyber criminals, hackers and the random malware that most organizations concentrate on”

Stiennon doesn’t bring any evidence for this populistic statement. As a research analyst, I would expect some independent numbers behind the statement. Au contraire Richard – according to our data security practice of over 5 years in Europe and the Middle East (and according to the Verizon Business report, the past 2 years), insider events are rare, high-impact events that are a complex interplay of agents (criminals, competitors, business partners) and vulnerabilities (human and application software).

Missing a basic management issue of accountability

Stiennon talks about HR and IT. The truth is that there is a fundamental management disconnect between HR and IT: HR hires but has no accountability when an employee is involved in a security breach and gets fired, and IT has some of the data and almost never shares it with HR. I suggest higher levels of HR accountability and involvement in data security together with their audit, IT and information security management colleagues.

I wrote about the great IT-management divide last year in my post on the 7th anniversary of the Al Qaeda attack on the US.

Missing a basic management issue related to trusted insiders

Who is the key person in your security organization

September 8th, 2009 admin Comments off

In the late 80s I was a hyperactive programmer at a small VAX/VMS software house.

We were a group of 5 programmers – we had some nice accounts – like Intel, and National Semiconductor, Hadassah Hospital and Amdocs, but I always felt intimidated by the big IT integrators. One day – my DEC account manager told me that we should hold our heads high – he figured that our largest competitor didn’t have more than 1 or 2 experts at our level.

Are data security specialists like programmers – where the rock stars have 3 orders of magnitude better productivity than the average guy or gal?

And should we try to have one of these folks on the staff and make sure they are happy?

USDA bans non IE browsers

August 20th, 2009 admin Comments off

The new Israeli administration has invited Microsoft to head a government IT steering committee – the item caused a bit of a ruckus in the Israeli Open Source community a few months ago – although I personally feel that as the world’s largest software vendor – they have a lot to contribute.

Now I think we have reached a new level of Microsoft sycophancy with the Obama administration implementing a Bush decision to standardize IT but in a way that makes practically no sense at all – let’s ban all non IE browsers. It’s really scary to what lengths the Obama administration will go to undo Bush policy.

“In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug. 18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed.”

It does make sense to standardize on a browser – but why standardize on the most vulnerable browser and operating system?  Why not standardize on Ubuntu and FF 3 on the desktop or standardize on diskless workstations with Citrix or TightVNC?

The full item is here – USDA unit bans browsers other than Internet Explorer

Data security – is psychology more important than technology?

June 17th, 2009 admin Comments off

We had a discussion with a prospect for a DLP (data loss prevention) system that started with discussing the pros and cons of various DLP solutions (Verdasys, McAfee DLP, Websense, Fidelis Security) and finished with a drill-down into how they can build a business case to acquire and implement data security technology. After a very interesting session – the CIO asked me – “So why did you start with technology? We should have started with the business case?” I replied – “Got your attention, didn’t I!”

Talking with clients we stress threat modeling and analysis and doing quantitative risk analysis but I believe that psychology may be more important than the technology. This is for several reasons:

Read more…

Reporting to a management board that doesn’t want to listen

February 16th, 2009 admin Comments off

Like the warnings on cigarette packets – whistle blowing may be hazardous to your health.

HBOS chief risk officer Paul Moore blew the whistle on the bank’s risk exposure and lost his job. Last week, the UK Treasury Select committee heard allegations from Moore (who was sacked by Sir James Crosby in 2005) that senior executives ignored repeated warnings about excessive risk-taking.

Following the political firestorm – Sir James Crosby has left his position as deputy chairman of the UK Financial Services Authority. Crosby was a close adviser to prime minister Gordon Brown, and former HBOS CEO – leading HBOS during a period of high-rolling profits.

Are there sins of hubris at your company – let me know!


Industry indicators

November 25th, 2008 admin Comments off

Are test equipment sales a bellwether of the telecommunications and technology industry prospects?

I have been looking for macro indicators of what will happen in the telecommunications industry. We specialize in data security for telecommunications. Data security is a big issue for companies in flux – firing employees, turning more to outside contractors and merging operations. The question is whether or not data security is getting slashed out of 2009 budgets.

One macro indicator is sales forecasts of technology vendors to the telecom industry – Cisco, which is regarded as being very good at forecasting, predicts a sales drop of 10 percent in the next quarter. However – the supply chain doesn’t stop with telecom equipment and network security manufacturers like Cisco, Nortel, HP, Juniper, IBM, Alcatel and Nokia. These vendors need test equipment to test their products on telco and corporate networks.

Amid the telecom industry storm of warnings and worries, test equipment vendor Spirent Communications plc (NYSE: SPM; London: SPT) believes it’s on-target for 2008 and capable of maintaining a similar level of sales during 2009.

The crash of Lehman Brothers in September 2008 caused widespread financial woes for companies of all shapes and sizes and also caused a blip for Spirent. But – Spirent sales bounced back in October. Telco equipment firms continue to spend in areas that are core to their strategies: wireless, carrier Ethernet, data center developments, and the automation of lab-based testing processes. “Customers are aiming for better utilization of their resources,” says the Spirent CEO.

Since customers need better utilization of their resources, that means that we need to show how our data security solutions will not only help protect telecom digital assets but also reduce the cost of ownership and do the job with less head-count.

I suppose I didn’t really need Spirent for that insight.

See  the full article on Light Reading