Israeli Software

From the recent September/October 2010 issue of Foreign Affairs – William Lyn U.S. Deputy Secretary of Defense writes about defending a new domain.

The  long, eloquently phrased article, demonstrates that the US has fundamental flaws in it’s strategic thinking about fighting terror:

Predicting cyberattacks is also proving difficult, especially since both state and nonstate actors pose threats…..Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.

And in summary:

“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces …to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe…”

It is unfortunate that a politruk has so much influence on US cyber security.

The US and European governments consistently adopt strategic policies that were obsolete  years before they came into office.

Just as the Obama administration is crippled by flawed assumptions about the regional balance of power in the Middle East, Washington still sees security as an exercise in organizational constructs, inter-agency collaboration and better defenses and pats itself on the back for recognizing that there is a new domain of threats….when the Internet was invented 20 years ago.

Lyn’s laundry lists of strategic objectives phrased in politically-correct corporate-speak are the wrong answer for improving cyber-security. When Lynn himself, speaks extensively about the need for speed and flexibility, the answer cannot be more government-funded monolithic, bureaucracies.

The private – public partnership is particularly problematic in my view.    The really smart people in security technologies are at small startups – not at Raytheon and Symantec and all the other big corporates that have enough lobbyist resources to line up and eat pork from the Federal plate.  And – why – if I may challenge some conventional wisdoms – should companies like Symantec be allowed to influence US cyber defenses when they have done an abysmal job protecting civilian networks and digital assets? And – why- should Microsoft be part of the solution when they are part of the problem.

Perhaps the US should start by outlawing Windows and using Ubuntu which is not vulnerable to removable USB device auto run attacks.

Perhaps the US should start getting more humint on the ground instead of gutting the CIA from it’s human assets and relying on satellites and network intercepts.   At the time of 9/11 – the CIA had no human assets in Saudi and since the Clinton administration – investment in people on the ground has gone downhill.   I hear the sign in the CIA station chief office in Riyadh says “Better to do nothing then to do something and look bad”.

Perhaps the US should consider that there are numerous offensive alternatives to retaliation (which indeed is not an effective countermeasure due to the extreme asymmetry of cyber attacks).

Perhaps the US should consider that cyber attackers are not motivated by economic utility functions and therefore utility-function-based defenses are not appropriate.

The security concept proposed by Lynn is  sadly divorced from reality.

What is more important – patient safety or the health of the enterprise hospital Windows network?  What is more important – writing secure code or installing an anti-virus?

A threat analysis was performed on a networked Windows-based embedded medical device used for patient monitoring.  The system helps hospital staff prevent crisis situations through ongoing supervision of patient status, early detection of warning signs, and alert notifications of changes in patient condition.  The threat analysis used the PTA (Practical threat analysis) methodology, described in Appendix A of the full article reporting on the threat analysis of a medical device in PDF format.

Our analysis considered threats to three assets: medical device availability, the hospital enterprise network and patient confidentiality/HIPAA compliance. Following the threat analysis, a prioritized plan of security countermeasures is suggested in Section III. We devoted special interest to the issue of propagation of viruses and malware into the hospital network.

Our analysis shows that installing anti-virus software on a medical device is less effective than implementing other security countermeasures that mitigate the most severe threats – ePHI leakage, software defects and USB access to bedside units.

A detailed discussion appears in Section IV of this paper. Section V suggests segregating the bio-med functions from the hospital enterprise IT.  Section VI provides a summary of the analysis and its findings.

A novel benefit of our approach is derived by providing the analytical results as a standard threat model database, which can be used by the medical device manufacturers and hospital customers to model changes in risk profile as technology and customer environment evolve. The threat model can be downloaded here and the threat modelling software can be downloaded here.

Read more…

It’s World Cup season and Mondial fever will probably put a lot of regional conflicts on the back burner for the next month – not to mention put a dent in a lot of family budgets (husbands buying the latest 60 inch Sony Bravia and wives on retail therapy while the guys are watching football)

I  wanted to write a review of the 2010 FIFA World Cup South Africa video game (it would have been a great excuse for my wife) but I don’t have the right platform – I use Ubuntu and I have neither an Xbox 360 nor a Playstation 3.

It’s ironic that the South African  World cup game doesn’t run on Ubuntu.  It would have been a huge marketing coup and poetic justice if the game software was released for Ubuntu in a GPL license.

That got me thinking about open source licensing and it’s advantages for developing countries, which really got my hackles up  after reading the Seventh Annual BSA and IDC Global Software Piracy Study – that screams:  Software Theft Remains Significant Issue Around the World

The rate of global software piracy climbed to 43 percent in 2009. This increase was fueled in large part by expanding PC sales in fast-growing, high-piracy countries and increasing sales to consumers — two market segments that traditionally have higher incidents of software theft. In 2009, for every $100 worth of legitimate software sold, an additional $75 worth of unlicensed software made its way onto the market. There was some progress in 2009 — software rates actually dropped in almost half of the countries examined in this year’s study.

Given the global recession, the software piracy picture could have taken a dramatic turn for the worse. But progress is being outstripped by the overall increases in piracy globally — and highlights the need for governments, law enforcement and industry to work together to address this vital economic issue.
Below are key findings from this year’s study:

• Commercial value of software theft exceeds $50 billion: the commercial value of unlicensed software put into the market in 2009 totalled $51.4 billion.
• Progress on piracy held through the recession: the rate of PC software piracy dropped in nearly half (49%) of the 111 economies studied, remained the same in 34% and rose in 17%.
• Piracy continues to rise on a global basis: the worldwide piracy rate increased from 41% in 2008 to 43% in 2009; largely a result of exponential growth in the PC and software markets in higher piracy, fast growing markets such as Brazil, India and China.

I would not take the numbers IDC and BSA bring at face value. The IDC/BSA estimates are guesses multiplied several times. They start off by assuming that each unit of copied software represents a direct loss of sale for software vendor – patently a false assertion.

If it were true, then the demand for software would be independent of price and perfectly inelastic.

A drop in price usually results in an increase in the quantity demanded by consumers. That’s called price elasticity of demand. The demand for a product becomes inelastic when the demand doesn’t change with price. A product with no competing alternative is generally inelastic. Demand for a unique antibiotic, for example is highly inelastic. A patient will pay any price to buy the only drug that will kill their infection.

If software demand was perfectly inelastic, then everyone would pay in order to avoid the BSA enforcement tax. The rate of software piracy would be 0. Since piracy rate is non-zero, that proves that the original assertion is false. (Argument courtesy of the Wikipedia article on price elasticity of demand )

Back when I ran Bynet Software Systems – we were the first Microsoft Back Office/Windows NT distributor in Israel. I had just left Intel – where we had negotiated a deal with Microsoft that allowed every employee to make a copy of MS Office for home usage. Back in 1997 – after the Windows NT launch, the demand for NT was almost totally inelastic – Not There, Nice Try, WNT is VMS + 1 etc. We could not give the stuff away in the first year. Customers were telling us that they would never leave Novell Netware. Never. But, NT got better from release to release and the big Microsoft marketing machine got behind the product. After two years of struggle and selling retail boxes and MLP for NT, demand picked up. Realizing that there IS price elasticity of demand for software – Microsoft dropped retail packaging and moved to OEM licensing, initially distributing OEM licenses via their two tier distribution channel and later totally cutting out the channel and dealing directly with the computer vendors like HP, Dell and IBM for OEM licenses of NT, XP and 2000, 2003 etc. Vista continued with this marketing strategy and most Vista sales were not retail boxes but pre-installed hardware. After Windows 7 released – users have been upgrading en-masse, proving once again the elasticity of demand for a good product.

Microsoft (who are a major stakeholder in BSA) probably don’t have a major piracy problem with operating system sales. Let’s run some numbers. In 2008 –  Microsoft Windows Vista sales were at about a 9 million unit/quarter run rate. Microsoft June 2008 quarterly revenue was $15.8 BN. Single unit OEM pricing for a Windows operating system  is about $80 and in a volume deal – maybe $20. Let’s assume an average of $50/OEM license. This means that the operating system  accounts for about 50*3*9/15800 = 8.5% of Microsoft revenue.

The BSA Global Piracy Study states that the “median piracy rate in is down one percentage point from last year” – 1 percent of 8.5 percent is meaningless for Microsoft – in dollar terms – BSA work to reduce piracy is less meaningful than a 7 percent drop in the US Dollar rate in 2009.

Microsoft might have a problem with their cash cow – Microsoft Office. Microsoft Office 2007 retails for $450 but is available in an academic license for less than $100. Open Office 2.4 runs just fine on Windows 7 and XP and retails for $0. At those prices, sizable numbers of users are just sliding down the elasticity curve – calling into serious question the IDC/BSA statistics on software piracy.

But there is more to software piracy than providing software at a reasonable price. In poor areas of the world – assuming that the BSA efforts at combating software piracy are successful - only the very rich would have access to applications like Microsoft Office. The middle and lower class people won’t have the opportunity to become MS Office-literate because the prices would be too high. For that I only have three words -download Open Office – the free and open productivity suite.

Finally – I can only anonymously quote a senior Microsoft executive who told me a number of years ago that off the record, Microsoft didn’t mind people copying the software and using a crack because it was a good way of introducing new users to the technology and inducing them to buy the new, improved and supported release a year or two later.

• Bloatware/system resource consumption – if you’re concerned with anti-virus system resource usage, imagine layering another 100MB of software, another 20MB of data security rules and loads of network traffic for management just for the luxury of getting a good deal from Symantec on a piece of integrated software that IT doesn’t know how to manage anyhow.
• Software vulnerabilities – if you have issues with the anti-virus – you don’t want them affecting your data flows via the DLP agent. Imagine a user uninstalling  the anti-virus and impacting the DLP agent.
• Diversity – the strong anti-virus products have weak DLP agents – which means that the advantage of a single management platform is spurious. Having strong anti-virus software on your Windows PCs from a vendor like McAfee complements having strong data loss prevention from a company like Verdasys.
• Not a good fit for the organization – IT manage the Anti-virus,   Security manage the data security and never the twain shall meet.

With all due respect to Varonis and access controls in general (Just the area of Sharepoint is a fertile market for data security), the problem of internally-launched attacks is that they are all done by the “right” people and / or by software agents who have the “right” access rights.

There are 3 general classes of internal attacks that are never going to be mitigated by access controls:

Trusted insider theft

A trivial example is a director of new technology development at a small high-tech startup who would have access to the entire company’s IP, the competitive analyses, patent applications and minutes of conversations with all the people who ever stopped in to talk about the startup’s technology. That same person has access by definition but when he takes his data and sucks it out the network using a back-door, a proxy, an HTTP GET or just a plain USB or Gmail account – there is no way an Active Directory access control will be able to detect that as “anomalous behavior”.

Social engineering

Collusion between insiders, gaming the system, taking advantage of friends and DHL messengers who go in and out of the office all the time with their bags.

Side channel attacks

Detecting data at a distance with acoustic or Tempest attacks – for example. or watching parking lot traffic patterns….

What is interesting and generally overlooked – is the cultural differences between the US and the rest of the world.  The Europeans prefer a more nuanced approach stressing discipline and procedures,The Americans are compliance driven and IT top heavy, I imagine if you look at DLP sales – 98% are in the US, being (right or wrong) compliance driven.

Last September, Forrester did a seminar in Amsterdam on data security – only 10% of the CTOs/CIOs that attended the meeting had plans to implement DLP in 2010.

The Europeans have a point – but, policies and procedures are only as good as the monitoring and enforcement behind them. This is where DLP comes into play- collecting data in several realms – data channels, content and organizational anomalies (downloads, uploads etc…).

In addition – there is a strong and well-known link between the social health of employees in an organization and the company’s economic/business health.  In a successful business unit – people are happy, and happy people contribute to the success of the business.   Unhappy people don’t identify, have problems contributing and leave or cross the line to malicious behavior.

For my money (and this is my experience in a dozen DLP deployments in EMEA) – the key value add of DLP technology is not the prevention part but the monitoring part and it’s role in a feedback / educational loop with the organization.

If you only do one thing this year – you should start measuring data security events and using those measurements to improve your policies, procedures and systems – and user education.

Small businesses need information security – perhaps even more than a big business because they probably have less resources and are more vulnerable to hackers.

NIST has released guidelines for Small Business Information Security -

Ted Ritter has suggested that we rename DLP a Disturbing Lack of Process

Indeed DLP is not a well-defined term – since so many vendors (Kaspersky anti-virus, McAfee anti-virus, Symantec anti-virus, Trend Micro Provilla, CA Backup…you name it) have labeled their products “Data loss prevention” products in an attempt to turn the tide of data breaches into a  franchise that will help them grow sales volume.

I disagree however – that DLP might be renamed as a “Disturbing lack of process” . Not even as a joke.

I do not think that lack of business process is the issue. Any company still afloat today has  business processes designed to help them take orders, add value and make money. They understand by themselves that they must protect  their intellectual property from theft and abuse.

The question is not lack of process but whether or not security is being used to help enforce business process in the relevant areas of product safety, customer service, employee workplace security and information protection in business-to-business relationships.

In a profitable company, the business processes are aligned with company strategy to one degree or another. Good companies like Intel are strong on business strategy, process and execution while government organizations tend to be strong on strategy (President Obama) and regulation (FISMA) and short on execution (Obama Nobel Peace Prize).  This is true in most countries, maybe Germany, Singapore and Japan do a better job than most.

I think we are doing most businesses an injustice by asserting that they have a “disturbing lack of process”- instead we should focus on the question of where and how security fits into the business strategy and how it can help enforce relevant processes in the areas of customer protection and privacy, customer service, employee security and privacy and information protection with business partners.

An approach that uses data security for process enforcement automatically aligns data security with company strategy (assuming that the business processes support the company strategy, we may assume an associative relationship).

Using data security for process enforcement also simplifies DLP implementations since the number of business processes and their data models is far smaller than the number of data types and data records in the organization. Easier to enumerate is easier to protect.

It is indeed immensely easier to describe a 7 step customer service process and use DLP to enforce it than try and perform e-Discovery on 10 Terabyte of customer data contained in databases and workstations.

The 3 basic tenets of information security are data confidentiality, integrity and availability. DLP addresses the confidentiality requirement, leaving integrity and availability to other technologies and procedures that are deployed in the enterprise.

The key  to effective enterprise information protection is making information security part of enterprise business processes – for example:

• Confidentiality: not losing secret chemical formulas to the competition. (Note that credit card numbers on their own, are not confidential information according to any of the US state privacy laws. A single credit card number without additional PII is neither secret nor of much use).
• Integrity: not enabling traders to manipulate forex pricing for personal advantage.
• Availability: protecting servers from DDOS attacks.

DLP is having an uphill battle because (in the US at least), DLP technologies are point solutions deployed for privacy compliance rather than for business process enforcement and enterprise information protection.

DLP technology is best used as a process enforcement tool not as a compliance trade off;  unlike PCI DSS 1.2 section 6.6 that mandates a Web application firewall or a software security assessment of your web applications. It is easier (but perhaps more expensive) to buy a piece of technology and check off Section 6.6) than fix the bugs in your software – or … enforce your business processes.

I recently saw an article on Computerweekly that asks – “Is data loss prevention possible?”

I think that a more relevant question is “Is information protection possible?”

The  author correctly identifies that it’s easier to access data (and leak it) than to modify or delete data.  However, the notion that data is out of control in the corporate world is an over-reaction and does a mis-justice to most businesses.

Data is out of control in the corporate world…I think… the only way that we can have influence on the likelihood of (data loss) occuring is through a couple of fundamental controls, namely

1. Reduce and limit access to data

2. Control the “copyability” of data

Companies already manage access and control “copyability”. This is not new, nor is it effective against the threat of a major data loss event.

Organizations from SME and up to Global 2000 use Microsoft networks based on Active Directory with planned (not always well executed) group policies and permissions management.  Controlling access and copyability in the service of business objectives is precisely the objective of these systems.

If you need finer-grained copy protection – there are dozens of endpoint security products – from Checkpoint, Mcafee and Symantec to Controlguard.

If you need finer-grained rights management, there are products like Microsoft DRM and Oracle IRM. Personally, I don’t think that DRM is effective for enterprise information protection. DRM changes the user experience and depends on user behavior, it can be broken and or bypassed and DRM systems are difficult to deploy on a large scale because of the above constraints.

However – permissions and rights access management and lately, removable device management have not prevented major data loss events like Heartland or Hannaford. The reason for this is that once rights are granted – the user is trusted and can move the data anywhere he  or she wants.

We need information protection,  not copy protection; and in a way and at a cost that is a good fit for the business.

Information protection is possible by taking a value-based approach that integrates with the business operation.   Analyze your business requirements and threat scenarios – and only then – consider data loss prevention solutions like  enterprise information protection from Verdasys, agent DLP from Mcafee or a gateway DLP solution from  Fidelis Security.

The new Israeli administration has invited Microsoft to head a government IT steering comittee – the item caused a bit of a ruckus in the Israeli Open Source community a few months ago – although I personally feel that as the world’s largest software vendor – they have a lot to contribute.

Now I think we have reached a new level of Microsoft sycophancy with the Obama administration implementing a Bush decision to standardize IT but in a way that makes practically no sense at all – let’s ban all non IE browsers.  It’s really scary to what lengths the Obama administration will go undo Bush policy.

In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug.18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed.”

It does make sense to standardize on a browser – but why standardize on the most vulnerable browser and operating system?  Why not standardize on Ubuntu and FF 3 on the desktop or standardize on diskless workstations with Citrix or TightVNC?

The full item is here – USDA unit bans browsers other than Internet Explorer