Archive

Posts Tagged ‘Internal security’

Cultural factors in DLP

March 11th, 2010 admin No comments

What is interesting, and generally overlooked, is the cultural difference between the US and the rest of the world. The Europeans prefer a more nuanced approach stressing discipline and procedures; the Americans are compliance driven and IT top heavy. I imagine if you look at DLP sales, 98% are in the US, being (right or wrong) compliance driven.

Last September, Forrester did a seminar in Amsterdam on data security – only 10% of the CTOs/CIOs that attended the meeting had plans to implement DLP in 2010.

The Europeans have a point – but policies and procedures are only as good as the monitoring and enforcement behind them. This is where DLP comes into play: collecting data in several realms – data channels, content and organizational anomalies (downloads, uploads etc.).

In addition – there is a strong and well-known link between the social health of employees in an organization and the company’s economic/business health. In a successful business unit people are happy, and happy people contribute to the success of the business. Unhappy people don’t identify with the business, have problems contributing, and leave or cross the line into malicious behavior.

For my money (and this is my experience in a dozen DLP deployments in EMEA) – the key value add of DLP technology is not the prevention part but the monitoring part and its role in a feedback/educational loop with the organization.

If you only do one thing this year – you should start measuring data security events and using those measurements to improve your policies, procedures and systems – and user education.

Dissonance is bad for business

October 28th, 2009 admin 1 comment

In music, dissonance is a sound quality which seems “unstable”, and has an aural “need” to “resolve” to a “stable” consonance.

Leading up to the Al Qaeda attack on the US on 9/11, the FBI investigated and the CIA analyzed, but no one bothered to discuss the impact of Saudis learning to fly but not land airplanes.

Dissonance in organizations is often resolved by building separate silos of roles and responsibilities.

However, it is impossible to take wise decisions on risk management in the business when the risk intelligence is in separate silos.

Resolving dissonance in your business is key to getting actionable intelligence in order to reduce risk and improve compliance. Why should I care? After all – for this we have security, risk and compliance specialists.


According to the Verizon Business Report, 285 million records were breached in 2008; 32% of the cases implicated business partners.

Information assurance of third parties that have access to your business assets is crucial for contract due diligence, complying with best practices, internal and external audit and regulation.

Due diligence of third parties that work with your business requires actionable intelligence.

Remember Madoff?

Actionable risk and compliance intelligence requires breaking down silos and recycling commonalities instead of fragmenting activities and duplicating resources.

Learn how to make that happen at our next online workshop on security management, coming this Thursday, October 29, 2009, at 10:00 Eastern, 14:00 GMT, 16:00 in Israel and Central Europe, 17:00 MT.

Go green by recycling policies and controls.

Don’t make any of the 10 data security mistakes

Register today for this free online workshop.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data. Data security is a war – when the attackers win, you lose. We will help you win more.

We help protect customer data and intellectual property from fraud and breaches of confidentiality. We’re always looking for interesting projects – call or text me at +972 54 447 1114 at any time.

Trusted insider threats, fact and fiction

September 11th, 2009 admin Comments off

mindless IT research

Richard Stiennon is a well known and respected IT analyst – he has a blog called IT Harvest.

A recent post had to do with trusted insider threats. Despite the length of the article, I believe that it has a number of fundamental flaws:

  • Overestimating the value of identity and access management in mitigating trusted insider threats
  • Lacking empirical data to support the claim that “the insider threat actually outweighs the threats from cyber criminals, hackers and the malware”
  • Missing a basic management issue of accountability

The role of identity and access management in preventing trusted insider security violations

Stiennon writes that IAM (identity and access management) “is the single most valuable defense you have against the insider threat.” I beg to disagree – and I will attempt to explain by using the model of a crime.

Like any other crime, in order to steal or disclose assets, a person needs a combination of means, opportunity and intent.

IAM provides the means for the trusted insider. Companies issue users legitimate user accounts with the rights to access certain data, applications, databases and file services. Insiders have knowledge of how the system works, the business processes, the company culture and how people interact. They know who manages the rights management systems and who grants systems permissions. With the right knowledge and social connections, means can be obtained even if they were not originally granted by design in the IAM system.

A trusted insider is an employee who is motivated by self-interest, influenced by personal preferences, social context, corporate culture and her aversion to risk taking, compared with the premium gained by stealing data. There is little in the traditional access control model to mitigate any of these threats once access has been granted.

In 100 percent of the cases we investigated in our data security practice – the client’s permissions systems were working properly, the trusted insiders involved all had been granted appropriate rights, they did not perform any elevation of privilege exploits – they took data that they had appropriate access to. Directors of new product development, system managers, sales managers – each and every one that took and/or abused data did so with appropriate permissions.

Lacking empirical data

“While often overlooked, the insider threat actually outweighs the threats from cyber criminals, hackers and the random malware that most organizations concentrate on”

Stiennon doesn’t bring any evidence for this populist statement. As a research analyst, I would expect some independent numbers behind the statement. Au contraire, Richard – according to our data security practice of over 5 years in Europe and the Middle East (and according to the Verizon Business report for the past 2 years), insider events are rare, high-impact events that are a complex interplay of agents (criminals, competitors, business partners) and vulnerabilities (human and application software).

Missing a basic management issue of accountability

Stiennon talks about HR and IT. The truth is that there is a fundamental management disconnect between HR and IT: HR hires but has no accountability when an employee is involved in a security breach and gets fired, while IT has some of the data and almost never shares it with HR. I suggest higher levels of HR accountability and involvement in data security, together with their audit, IT and information security management colleagues.

I wrote about the great IT-management divide last year in my post on the 7th anniversary of the Al Qaeda attack on the US.

Missing a basic management issue related to trusted insiders

Who is the key person in your security organization?

September 8th, 2009 admin Comments off

In the late 80’s I was a hyperactive programmer at a small VAX/VMS software house.

We were a group of 5 programmers – we had some nice accounts, like Intel, National Semiconductor, Hadassah Hospital and Amdocs, but I always felt intimidated by the big IT integrators. One day my DEC account manager told me that we should hold our heads high – he figured that our largest competitor didn’t have more than 1 or 2 experts at our level.

Are data security specialists like programmers – where the rock stars have 3 orders of magnitude better productivity than the average guy or gal?

And should we try to have one of these folks on the staff and make sure they are happy?

USDA bans non IE browsers

August 20th, 2009 admin Comments off

The new Israeli administration has invited Microsoft to head a government IT steering committee – the item caused a bit of a ruckus in the Israeli Open Source community a few months ago – although I personally feel that as the world’s largest software vendor, they have a lot to contribute.

Now I think we have reached a new level of Microsoft sycophancy, with the Obama administration implementing a Bush decision to standardize IT, but in a way that makes practically no sense at all – let’s ban all non-IE browsers. It’s really scary to what lengths the Obama administration will go to undo Bush policy.

“In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug. 18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed.”

It does make sense to standardize on a browser – but why standardize on the most vulnerable browser and operating system? Why not standardize on Ubuntu and FF 3 on the desktop, or standardize on diskless workstations with Citrix or TightVNC?

The full item is here – USDA unit bans browsers other than Internet Explorer

Data security – is psychology more important than technology?

June 17th, 2009 admin Comments off

We had a discussion with a prospect for a DLP (data loss prevention) system that started with discussing the pros and cons of various DLP solutions (Verdasys, McAfee DLP, Websense, Fidelis Security) and finished with a drill-down into how they can build a business case to acquire and implement data security technology. After a very interesting session the CIO asked me – “So why did you start with technology? We should have started with the business case?” I replied – “Got your attention, didn’t I!”

Talking with clients we stress threat modeling, analysis and quantitative risk analysis, but I believe that psychology may be more important than the technology. This is for several reasons:


Reporting to a management board that doesn’t want to listen

February 16th, 2009 admin Comments off

Like the warnings on cigarette packets – whistle blowing may be hazardous to your health.

HBOS chief risk officer Paul Moore blew the whistle on the bank’s risk exposure and lost his job. Last week, the UK Treasury Select Committee heard allegations from Moore (who was sacked by Sir James Crosby in 2005) that senior executives ignored repeated warnings about excessive risk-taking.

Following the political firestorm, Sir James Crosby has left his position as deputy chairman of the UK Financial Services Authority. Crosby was a close adviser to prime minister Gordon Brown and a former HBOS CEO, leading HBOS during a period of high-rolling profits.

Are there sins of hubris at your company – let me know!


Industry indicators

November 25th, 2008 admin Comments off

Are test equipment sales a bellwether of the telecommunications and technology industry prospects?

I have been looking for macro indicators of what will happen in the telecommunications industry. We specialize in data security for telecommunications. Data security is a big issue for companies in flux – firing employees, turning more to outside contractors and merging operations. The question is whether or not data security is getting slashed out of 2009 budgets.

One macro indicator is the sales forecasts of technology vendors to the telecom industry – Cisco, which is regarded as being very good at forecasting, predicts a sales drop of 10 percent in the next quarter. However, the supply chain doesn’t stop with telecom equipment and network security manufacturers like Cisco, Nortel, HP, Juniper, IBM, Alcatel and Nokia. These vendors need test equipment to test their products on telco and corporate networks.

Amid the telecom industry storm of warnings and worries, test equipment vendor Spirent Communications plc (NYSE: SPM; London: SPT) believes it’s on target for 2008 and capable of maintaining a similar level of sales during 2009.

The crash of Lehman Brothers in September 2008 caused widespread financial woes for companies of all shapes and sizes, and also caused a blip for Spirent. But Spirent sales bounced back in October. Telco equipment firms continue to spend in areas that are core to their strategies: wireless, carrier Ethernet, data center developments, and the automation of lab-based testing processes. “Customers are aiming for better utilization of their resources,” says the Spirent CEO.

Since customers need better utilization of their resources, we need to show how our data security solutions will not only help protect telecom digital assets but also reduce the cost of ownership and do the job with less head-count.

I suppose I didn’t really need Spirent for that insight.

See the full article on Light Reading

Spector 360, data loss prevention tool?

November 20th, 2008 admin Comments off

Remember “The Phil Spector Sound”? (I grew up on rock and roll just outside of Philly, and when you say Spector, I associate it with Phil Spector or Arlen Specter – my mind is just wired that way….)

A business partner of ours in a developing country asked me a security product question today: what is the difference between Spector CNE and Fidelis XPS? Or translated – what is the difference between desktop software on your PC that tracks your keystrokes and surfing habits and a network gateway data loss prevention/extrusion prevention system?

If you are a big company and you need a very good HTTP traffic cop, I would recommend Fidelis XPS (due disclosure – my company, Open Solutions, is a Fidelis business partner. We have installed a number of their systems at large accounts and it is a fantastic product in my personal experience).

This is what I told him.

Spector CNE is a very cool product but it requires installing client recorder software on every PC. This is a big downside for most companies.

Spector mitigates the threat of employee misuse of the Internet / AUP enforcement. Spector uses a client recorder, which is software that must be distributed and installed on every PC in the organization. If the Spector CNE client recorder is not installed, the system cannot detect anything.

Client side recorder software can break Windows: Windows Update can cause a PC with the recorder software to become unusable. This happened to one of our clients – after a Microsoft Patch Tuesday update, all 500 users in the customer service center were unable to use their PCs. This client went on to acquire an extrusion prevention solution from Fidelis.

Fidelis XPS mitigates a wide range of threats to data assets:

  • Violations of corporate AUP, Internet misuse
  • Data loss from inside the network to public Internet services by employees
  • Data theft from the network perimeter or DMZ by hackers
  • Data loss from elevation/abuse of privilege on corporate database servers
  • Data loss from exploits by hackers on Web application servers

Fidelis XPS is based on a Layer 2 sniffing engine which intercepts content from the network at gigabit rates. It doesn’t interfere with traffic and is totally invisible on the network since it doesn’t have an IP address. No client software is required.

Fidelis XPS is a bi-directional data loss prevention appliance that decodes and retrieves data from the network in all protocols and file formats: mail, instant messaging, Web, Webmail, Oracle, DB2, file and print services, Active Directory and LDAP/OpenLDAP.

This is my experience and it’s based on fighting in the trenches. Comment on this entry and let me know what you think.

Bank employee steals 100,000 sheqels

November 18th, 2008 admin Comments off

This is a classic case of trusted insider threat – as reported by yesterday’s morning paper, “Israel Today” (I assume that this has been under investigation for a while, so the actual event may have happened over a year ago…).

The arrest sheet in the Tel Aviv district court depicts collusion between an information security employee and outsiders.

An employee in the information security department of the First International Bank in Tel Aviv has been charged as an accessory in a theft of over 100,000 shekels from bank customers. The employee, Dan Tirspolski, exploited access to confidential information to identify foreign resident customers of the bank and their online user names and passwords. The foreign residents, not being physically present in Israel, use the Internet to occasionally access their accounts. He then transferred this information to accomplices outside the bank, who used their Internet access to withdraw money from the accounts.

The case reveals a direct link between data loss, fraud and money theft. The trusted insider did not exploit a weak-password vulnerability – in cases like this, trusted insiders exploit a minimum of two vulnerabilities in the bank’s software applications, and both vulnerabilities are a violation of the principle of separation of duties:

  1. One application may disclose clear text versions of the username and password relating to a particular account number
  2. Another application may disclose account details such as the address and the fact that the bank customer is a foreign resident and not physically present in Israel – enabling the crime where a malicious insider collaborated with malicious outsiders.
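As an added example (not from the original post or the bank involved), the following Python shows the two controls this case calls for: a preventive check that no single role set can reach both the credential application and the customer-details application, and a detective check over constructed audit log lines that flags one principal reading credentials and residency details for the same account within a short window. The application names `credlookup` and `custinfo`, the log format and the account numbers are all assumptions made up for the example.

```python
"""Separation-of-duties controls across two internal applications.

Constructed example: 'credlookup' is the hypothetical application that can
disclose an account's username/password; 'custinfo' is the hypothetical
application that discloses account holder details (address, residency).
No single person should be able to combine both views for one account.
"""
from collections import defaultdict
from datetime import datetime

# Which duty each application represents (assumed names).
DUTIES = {"credlookup": "credentials", "custinfo": "profile"}

# Constructed audit lines: timestamp|application|user|action|account
AUDIT_LOG = """\
2008-11-10T09:01:00|custinfo|alice|view_profile|ACC-1001
2008-11-10T09:03:00|credlookup|alice|view_credentials|ACC-1001
2008-11-10T09:05:00|custinfo|bob|view_profile|ACC-2002
2008-11-10T10:30:00|credlookup|carol|view_credentials|ACC-3003
2008-11-10T14:30:00|custinfo|carol|view_profile|ACC-3003
2008-11-10T11:00:00|custinfo|alice|view_profile|ACC-1002
"""


def grants_both_duties(app_roles):
    """Preventive control: True if a role set reaches both applications."""
    return {DUTIES[a] for a in app_roles if a in DUTIES} == set(DUTIES.values())


def parse_audit(text):
    """Parse the pipe-delimited audit lines into (ts, app, user, account)."""
    events = []
    for line in text.strip().splitlines():
        ts, app, user, _action, account = line.split("|")
        events.append((datetime.fromisoformat(ts), app, user, account))
    return events


def find_sod_violations(events, window_seconds=3600):
    """Detective control: (user, account) pairs where the same user read
    both credentials and profile for one account within window_seconds."""
    seen = defaultdict(lambda: defaultdict(list))
    for ts, app, user, account in events:
        if app in DUTIES:
            seen[(user, account)][DUTIES[app]].append(ts)
    hits = []
    for key, by_duty in seen.items():
        if set(by_duty) != set(DUTIES.values()):
            continue  # only one side of the pair was touched
        if any(abs((c - p).total_seconds()) <= window_seconds
               for c in by_duty["credentials"] for p in by_duty["profile"]):
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    print(find_sod_violations(parse_audit(AUDIT_LOG)))  # [('alice', 'ACC-1001')]
```

With the one-hour window only alice is flagged; carol's two reads of ACC-3003 are four hours apart and surface only when the window is widened, which is the tuning decision a detection engineer has to make.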

Read more about data breaches and the consequences for managers who ignore data security.