Posts Tagged ‘Obama’

Toxic assets

October 13th, 2009, by admin

Forrester just started calling lost credit card numbers “toxic asset”. Since when is data that is publicly available toxic?

Bribes as a way of doing business, the Obama Peace Prize

October 13th, 2009, by admin

ITALY G8 SUMMIT - Malia Obama Peace t-shirt

When I talk about employee data security vulnerabilities, I like to bring examples of how gambling or cyber-stalking can threaten an employee and make them vulnerable to being exploited into disclosing or manipulating company information. A competitor or criminal may offer to help with a gambling debt in return for stealing some documents. That’s a bribe of course. When an employee steals proprietary company documents and leaks them to a competitor the damage is done – even if the company is not immediately aware.

Bribes are a way of doing business in some countries. In Russia, it’s institutionalized, on the table and part of the process. In the US – it’s been wrapped, packaged and prettified as media consultants, management consultants and congressional lobbyists. In Russia, it’s acceptable to talk about paying 50,000 US Dollars to get the name of the official in the Moscow municipality who approves vending machine permits. In the US – it’s still taboo to ask how much Obama paid a media consultant to get his name to the top of the list of the Nobel committee.

Of all the talkbacks I saw the past few days heaping scorn or praise on the Nobel Peace Prize committee, not a single comment was made on when the Obama application was added to the list of 205 candidates for the Peace Prize. Since it is obvious that the selection process takes close to a year and Obama has been in office only 9 months, one may assume that the decision to promote Obama for Peace was taken sometime at the beginning of the presidency. I can visualize a process where a consultant was retained to identify the key movers and shakers, and then additional influencers were retained to promote Obama with the key movers and shakers, who would then make sure the committee made the right decision – one which aligns the particular left-leaning political agendas of both the committee and the US President.

Timing is an important element in a bribe. If you need to make a balloon payment on your mortgage – it’s money you need now. If you’re a President with a declining popularity rating, it’s political capital you need now. I don’t really see the difference between the two.

Overspending on security

September 25th, 2009, by admin

The following quote from Alan Paller’s testimony before the US Senate speaks for itself, I think. Outside the US – it seems even stranger to believe that US agencies have enough money for two cyber security organizations paid for by the US taxpayer.

However, federal agencies cannot move effectively to more secure systems unless you shift the emphasis of the FISMA assessments from paper reporting to automated monitoring of essential controls. …  Two weeks ago, a federal CIO told me, “I have a CISO who always gets me to green on my FISMA grades, but the reports he produces have no impact at all on security of our computers or networks, I am setting up a separate group to do real security.” This CIO can do both because of a surge of funding his organization has received from the new stimulus bill.


Data security and the sin of hubris

July 10th, 2009, by admin

Hayek wrote in his Nobel lecture – “I confess that I prefer true but imperfect knowledge. . . to a pretence of exact knowledge that is likely to be false.”

One of the biggest sins of man is hubris. The Obama administration is guilty of hubris. As an American living outside the US in the Middle East – I can say that where I live – we see a US President who projects an image of a superstar/saviour/media-star, who turns his back on old relationships, who delivers ultimatums, who waffles on dictators and who bases his foreign policy on appeasement and his domestic policy on regulation.

OK – now that I got that rant out of my system – let’s talk about data loss prevention and the sin of hubris.

A good deal of data security spending on products from companies like Fidelis Security Systems, Verdasys, McAfee, Websense, Symantec and RSA is driven by privacy compliance and, to a lesser degree (since it’s less direct), by corporate governance. SOX says you shouldn’t cook the books, which is not exactly a data loss threat, but DLP is often part of an enterprise security policy for monitoring data leakage inside the company and detecting certain types of fraudulent activity.

It is a given that the US economy is the most highly regulated on earth – over 1 percent of the GDP is spent on corporate governance and compliance with laws like SOX and GLBA. It is a simple observation that despite privacy compliance regulation – the US is a world leader in large scale data loss events.

Therefore – it stands to reason that privacy regulation and all the technology we’re throwing at the problem is not an effective data security countermeasure. IT spend on security and governance is what – about $10BN/year?

And we pretend to be able to prevent data leakage?

This is a sin of hubris.

Ethics and data loss prevention

June 29th, 2009, by admin

Ethics and data protection

Are we loving the attackers and prosecuting the victims?

In data security – I don’t subscribe to utilitarian ethics (which attempts to balance the benefit of an act against its damage, and can lead to the ends justifying the means).

For data security and compliance – I personally implement the “Ten commandments” approach – if it’s not ethical to steal data then it’s never acceptable to steal data – whether as an employee, contractor, consultant or hacker.

I recently read a short article by the Chazon Ish (who passed away in 1953 and is well known for both his saintliness and extreme breadth of knowledge). He speaks about the importance of distinguishing between the attacker and the victim. He explains how we must carefully tread the line of understanding who is the attacker and who is the victim. Basic morality dictates showing compassion to the victim and harshness to the attacker. Therefore – how terrible it is when we mistakenly reverse the roles and show compassion to the attackers and penalize the victims!

Translated to the world of security and compliance – we can understand that a basic component of data security in the workplace is an ethical approach where we maintain a clear identification of who is the malicious attacker and deal with him in an uncompromising and harsh way. The vast majority of employees are not malicious attackers and there is no reason to penalize them as long as they comply with the company’s acceptable usage policy. On the other hand, there is no ethical basis to treat an attacker with compassion.

Like Sun Tzu wrote in “The Art of War” – “When you lay down a law, make sure it is not disobeyed”.

Reducing risk of major data loss events

June 18th, 2009, by admin

Martin Hellman (of Diffie-Hellman fame) maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled “Soaring, cryptography and nuclear weapons”.

Hellman proposes that we need a third-state scenario (instead of just current state -> nuclear war) where the risk of nuclear holocaust has been reduced by several orders of magnitude from today to an acceptable level.

This makes sense, and it’s an intriguing idea as an exercise in risk analysis of information security and data protection to see if there is a third state where the risk of data breach and major data loss events is reduced to acceptable levels.

That’s one thing that got me thinking.

The second thing is the quote from Fyodor Burlatsky, one of Khrushchev’s speechwriters and close advisors, as well as a man who was in the forefront of the Soviet reform movement:

In Khrushchev’s eyes [America insisting on getting its way on certain issues] was not only an example of Americans’ traditional strong arm policy, but also an underestimation of Soviet might. … Khrushchev was infuriated by the Americans’ … continuing to behave as if the Soviet Union was still trailing far behind.

So here we are – 2009 and President Obama is insisting on getting his way on certain issues with the Iranians, who pose a serious nuclear threat to the world. But not only Ahmadinejad – the Russians and the North Koreans are also infuriated by the Americans’ … continuing to behave as if they are still trailing far behind.

US Military firms recruiting hacker soldiers

June 9th, 2009, by admin

It seems that the GFC (the global financial crisis) is creating a movement of migratory hi-tech workers from Silicon Valley to the Beltway. I’m not sure that an unemployed IT security analyst turned hacker is the best choice for a defense contractor – the really good guys and gals are always in demand – and those DC summers are the pits. The weather in Mountain View is a lot nicer.

Daniel D. Allen, who works for Northrop Grumman, claims that federal spending on computer security now totals USD 10 billion annually, including classified programs. So there is a lot of lard in the pork barrel for cyberninjas who don’t mind the 95% humidity. And with the recently publicized data breach of sensitive design and electronic systems data from the $300BN F-35 Lightning II fighter project – there’s plenty of asses to be covered. Then again – with peace in our time looking to arrive by end of year from President Obama, we will not need all that hardware – I hear the beer is pretty good in Munich.

Here is the article on PressTV:

Military giants including Northrop Grumman, General Dynamics, Lockheed Martin and Raytheon are now busy with recruiting “hacker soldiers” to address the new demand for an unconventional cyberwar and in a way to blend the new capabilities into the nation’s war planning.

The death of regulation

April 12th, 2009, by admin

I recently ran into a 2 year old post that decried the use of the term extrusion prevention, calling it the “worst tech term of the year”.

I will cut the author of the article some slack, as it was back in 2007 and a lot of folks were just coming to grips with the spate of data breach events and stating with straight faces that PCI DSS and a bunch of other compliance regulations were going to be our savior.

Regulation is not an effective measure – neither for data breaches nor for crooked bankers.

Massive government regulation and intervention of the sort that President Obama is pushing is precisely the wrong thing to do right now (or ever for that matter). Big government will always do a worse job of protecting consumers than consumers themselves.  Take your lumps, shoot the bad guys and get the strongest and most innovative economy in the world back on track without wasting a trillion dollars of America’s future and dragging the entire world into 20 years of depression.

Apropos Obama and his far left agenda – there is no empirical evidence that US government stimulus packages after the Stock Market crash of 1929 improved things for the consumer – the opposite is true – by 1935 unemployment had actually increased to 35 percent. My guess is that the same thing will happen in the US over the next 5-10 years – a lot of money being printed for social good, that will put the next generation of Americans in hock to the Chinese. That is not a pleasant thought.

Getting back to data security.

Extrusion prevention is now commonly called DLP – data leakage prevention. Actually – extrusion prevention is more logical since it is the opposite of intrusion prevention. If intrusion prevention prevents bad guys from getting in, then extrusion prevention prevents good data from getting out. This actually makes it a much more logical and accurate description than DLP – as if data security were a plumbing problem. DLP is also an incorrect data security approach as it assumes that the majority of threats to information assets are from trusted insiders. Maybe – maybe not. You’ll never know until you do some threat analysis accompanied by some hard network surveillance.

You can read more on my web site at

Danny Lieberman