Israeli Software

I want to challenge the effectiveness of top-down, monolithic security frameworks (ISO 27001/PCI DSS) – I submit that rapidly changing threats – social networking, cyberstalking, social engineering, cyber-stalking and custom spyware are threats that exploit people and system vulnerabilities but are not readily mitigated by a top down set of security countermeasures.

The recent case of the Opsec security violation on Facebook in Israel reported by the Jerusalem Post, is a good example of how a hierarchical organization (Army) is threatened by a flat social network. The good news was that the security countermeasure was found the social network itself – herein lies the lesson.

The IDF was forced to cancel a recent arrest operation in the West Bank after a soldier posted information about the upcoming raid on his Facebook page.The operation was scheduled to take place several weeks ago in the Binyamin region. The soldier, from an elite unit of the Artillery Corps, posted on his Facebook page: “On Wednesday, we are cleaning out [the name of the village] – today an arrest operation, tomorrow an arrest operation and then, please God, home by Thursday.”

The status update on the soldier’s page was revealed by other members of the soldier’s unit. His commanders then updated Judea and Samaria Division commander Brig.-Gen. Nitzan Alon, who decided to cancel the operation out of concern that the mission had been compromised.

Organizations need to leave the static top down control frameworks a few times a year and look outside the organization for links and interdependencies – and talk to the soldiers in the trenches in customer service, field sales and field service.

The information you will get from people outside your firm and from people with dirty hands is far more valuable than rehashing the ISO27001 check list in an audit.

The most valuable data is from questions you haven’t asked yet – not from a checklist in an Excel spreadsheet in the hands of a junior auditor from KPMG.

Most people tend to view content protection as a recording industry or corporate espionage  issue.   We have forgotten that people who plagiarize original content are also violating content security – someone else’s security in this case.

My colleague Anthony Freed (who runs Information Security Resources) recently got an email from computer scientist and mathematician, Aaron Krowne.  Aaron got plagiarized by no less than the the NY Times. The original story that Aaron reported is here – NY Times Caught Lifting Implode-O-Meter, Other Online Pubs’ Material

With Aaron’s kind permission, I’ve decided to republish  the original article verbatim as a public service to my data security clients in the tech, bio-pharma and telecom industries – because it could happen to you also. Paraphrasing and proper citations are the kind of thing they teach you in elementary school and this is a blunt reminder to remember what Ms. Bates, your third grade teacher taught you.

We knew it was happening, but it looks like it was more extensive and systematic than we first thought:

How long did New York Times editors know of Kouwe’s story copying?

Shockingly, Kouwe wrote the below, justifying his plagiarism and failures to attribute (my bold, and comments in italics):

At a recent seminar on information security management, I heard that FUD (fear, uncertainty and doubt) is dead, that ROI is dead and that the insurance model is dead. Information security needs to give business value. Hmm.

This sounds like a terrific idea, but the lecturer was unable to provide a concrete example similar to purchasing justifications that companies use like: “Yes, we will buy this machine because it makes twice as many diamond rings per hour and we’ll be able corner the Valentine’s Day market in North America.”

The seminar left me with a feeling of frustration of a reality far removed from management theory. Intel co-founder Andy Grove said, “A little fear in an organization is a good thing.” So FUD apparently isn’t dead.

This post will help guide readers from a current state of reaction and acquisition to a target state of business value and justification for information security, providing both food for thought and practical ideas for implementation.

Most companies don’t run their data security operation like a business unit with a tightly focused strategy on customers, market and competitors. Most security professionals and software developers don’t have quotas and compensation for making their numbers.

Information security works on a cycle of threat, reaction and acquisition. It needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry, just like companies benchmark earnings per share.

In his classic Harvard Business Review article, What Is Strategy?, Michael Porter writes how “the essence of strategy is what not to choose … a strong completive position requires clear tradeoffs and choices and a system of interlocking business activities that fit well and sustain the business.” The security of your business information also requires a strategy.

Improvement requires a well-defined strategy and performance measures, and improvement is what our customers want. With measurable improvement, we’ll be able to prove the business value of spending on security.

Ask yourself these questions:

1. Is your information asset protection spending driven by regulation?
2. Are Gartner white papers your main input for purchasing decisions?
3. Does the information security group work without security win/loss scores?
4. Does your chief security officer meet three to five vendors each day?
5. Is your purchasing cycle for a new product longer than six months?
6. Is your team short on head count, and not implementing new technologies?
7. Has the chief technology officer never personally sold or installed any of the company’s products?

If you answered yes to four of the seven questions, then you definitely need a business strategy with operational metrics for your information security operation.

Read more…

In music, dissonance is  sound quality which seems “unstable”, and has an aural “need” to “resolve” to a “stable” consonance.

Leading up to the Al Quaeda attack on the US in 9/11, the FBI investigated, the CIA analyzed but no one bothered to discuss the impact of Saudis learning to fly but not land airplanes.

Dissonance in organizations is often resolved  by building separate silos of roles and responsibilities.

However, it is impossible to take wise decisions on risk management in the business when the risk intelligence is in separate silos.

We help protect customer data and intellectual property from fraud and breaches of confidentiality.  We’re always looking for interesting projects – call or text me at  +972 54 447 1114 at  any time.

My lawyer once told me that I should be careful with verbal commitments since a verbal commitment can often be construed as a binding agreement.  The question is how to verify the verbal agreement and enforce non-repudiation?

There are many cases in life where you want to be able to verify a verbal commitment using a trusted third party in order to prevent the other side from repudiating/reneging on the agreement.

You’re doing a sales transaction over  the phone, you have a face to face meeting and it ends with verbal agreement and a handshake, you have an accident and you agree terms verbally with the other party, you are in a divorce process and agreed verbally on money and custody issues.

I always thought that this would be a great application for a mobile service provider – you could call up a third party verification number and the two parties would state their names and ID numbers and agree into the phone for a digital recording that would get a timestamp and reference number.

Data Exchange is a company in Tulsa Oklahoma that provides the ability to protect verbal agreements with third party verification.   

In a previous post Sharing security information I suggested that fragmentation of knowledge is a root cause of security breaches.

I was thinking about the problem of sharing data loss information this past week and I realized that we are saturated with solutions, technologies, policies, security frameworks and security standards – COBIT, ISO27001 etc..

The German physicist Helmholtz identified three stages of creativity: saturation, incubation and illumination.   We appear to be in the saturation stage right now.

Henri Poincaré identified a fourth step that follows the other three. Verification is putting a solution into concrete form and checking it for errors or usefulness.

In the early 1960s, the American psychologist Jacob Getzels proposed that a preliminary stage of creativity involves formulating a problem.So let’s start with formulating the problem of security information sharing.

People and their employers are unwilling to discuss the details of security events that happened, their security vulnerabilities,  the damage in dollars was actually caused, how the events were discovered, how the threats that exploited the vulnerabilities were mitigated and most importantly – how well their current security products perform.

In our threat analysis work, we run into these problems daily.  We offer an excellent free threat modeling tool from our colleagues at PTA Technologies called PTA – Practical Threat Analysis. I think we have over 15,000 downloads. Users sometimes have questions that require taking a closer look at their threat model but it almost never happens because of the fear of disclosure. On one occasion – a user shared his threat model after obfuscating the data (you can download the software here – free risk assessment software.)

Here is a possible solution to the  problem we just formulated:

• Define a language for describing a security event -  having a canonical language to describe things is a basic requirement for sharing information between people.
• Build models of attackers, vulnerabilities, assets under attack and security countermeasures in order to describe loss events using the common language.
• Enable people to build, maintain and share models anonymously. What is important is not the identity of the company who had the loss event, but the details of the model.
• Use the models to measure the loss impact and the effectiveness of their security countermeasures in dollars. This provides a security metric that will enable people to look at models and compare ‘apples’ to ‘apples’ without involving marketing factors such as product features and distribution channels.

I usually write about best practices and practical tools to prevent data theft, data loss and data leakage – since our professional services focus on data security in Central and Eastern Europe. Data security is, I guess a sub-specialty of security and compliance.

Security is chartered with ensuring the survival of a business and protecting it’s capability  to generate value for customers and share holders. The most effective security organizations  are integrated for enterprise protection of physical, information, system and employee assets.

But – I was reminded today that data security is not just about data loss prevention – it’s about ensuring confidentiality, integrity and availability of data in all 4 realms – physical, information, systems and employees.

From on article an MedScape today:

Fewer than half of the clinical trials reported in high-impact-factor journals are adequately registered, while nearly a third show “some evidence of selective outcome reporting,” according to research published September 2 in the Journal of the American Medical Association.

Selective outcome reporting – is a data security violation, tampering with the integrity of the data.

Only this time – it’s human lives not credit cards.

Yikes.

I think fragmentation of knowledge is a root cause of data breaches.

It’s almost a cliche to say that the  security and compliance industry has done a poor job in preventing data breaches of over 245 million personal records in the past 5 years.

It is apparent that government regulation is  ineffective in preventing identity theft and major data loss events.

Given: direct data security countermeasures go a long way;  data loss prevention and network surveillance work well inside a  feedback loop to improve security of systems, increase employee awareness and support management accountability.

However: I believe that even if every business deployed Fidelis XPS Extrusion Prevention system or Verdays Digital Guardian or Websense Data Security suite – we would still have major data loss events.

This is because a major data loss event has three characteristics:

1.Appears as a complete surprise to the organization
2.Has a major impact to the point of maiming or destroying the company
3.Event, after it has appeared, is ‘explained’ by human hindsight.

The root cause of the surprise is, in most cases, a lack of knowledge – not knowing what is the current range of data security threat scenarios in the wild or not even knowing what are the top 10 in your type of business.

The root cause of the lack of knowledge is fragmentation of knowledge.

Every business from SME to Global 2000 deals with security issues and amass their own best practices and knowledge base of how to protect their information.  But, the knowledge is fragmented, since business organizations don’t share their loss data, and the dozens or maybe hundreds of vendor web sites that do disclose and categorize attacks don’t provide the business context of a loss event.

Fragmentation leads to waste and duplication, as well as frustrating, expensive and sometimes dangerous experiences for companies facing a data loss event.

So what’s the solution?

With our clients, we see growing evidence that the more organized a company is with their security operation – having a single security organization responsible for digital assets, physical security, permissions management and compliance – the better security they deliver. What’s more, they may be able to reduce value at risk at lower costs due to higher levels of competence, knowledge and economy of scale.

The concept of sharing best practices  and  aggregating support so that companies of all sizes can access knowledge and support resources is not new, it’s a common theme in  industrial safety and Free Open Source worlds – to name two. I imagine that there are a few more examples I am not familiar with.

But what’s in it for security professionals? In addition to the satisfaction and prestige in helping colleagues, how about learning from the biggest and best practioners in the world; having access to resources to improve your own systems and procedures and having the ability to analyze the history of a data loss event from disclosure to analysis to remediation? How about having peers with a common goal of providing the best security for customers?

It’s time for policymakers and large commercial organizations to support organized security knowledge sharing systems, starting with compensation to employees and independent consultants that rewards high-quality, coordinated, customer-centric security  across the full continuum of security, not just point technology solutions or professional regulatory services. And it’s time for firms to recognize that sharing some data may be worth the benefits to them and their customers.

That’s my opinion. I’m Danny Lieberman.

The Control Policy Group is presenting a series of 6 free online workshops starting Sep 3, 2009 at 15:00GMT. The first workshop, “Using data security metrics and a value-based approach”,  will teach measurement of how well  security tools reduce Value at Risk in dollars (or in Euro) and how well they will do 3 years from now.

The Control Policy Group is providing these workshops as a free service to the security and risk professionals community after having identified a gap between the security practioner and the management board.

The gap is this: the management speaks the language of money and security practioners speak the language of technical security countermeasures like DLP, database security and messaging security.

From a management board perspective, budgets for security projects like DLP are a capital cost in a down GFC economy – Control Policy Group clients in Europe and the Middle East have slashed down security and risk budgets about 50% since the beginning of the year.

From a security and risk practioner perspective, data breaches went up almost 50% in 2008, there is more phishing, more web defacing, more Web applications to secure and yet – less head-count and capital budget to do the job.

In order to close the gap – the Control Policy Group have built a model that helps an organization measure how well a new security product reduces Value at Risk in dollars (or in Euro) and how well it will do 3 years after you buy the technology.

Modern security tools are good at discovering exploitable vulnerabilities in the network, Web servers and applications.  However – since these tools have no notion of your business context and how much you value your information assets,  it is likely that a company’s security spending is misdirected.

This series of workshops is designed to help the security and risk team  take a  leadership role in the board room instead of waiting for vendor proposals. Through specific Business Threat Modeling(TM) tactical methods, you will learn how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.

Don’t ask me why, but I was invited (and joined) the Pakistan Networkers group on LinkedIn.  I see all kinds of cool job opportunities in the Emirates which I can’t really take but the traffic is interesting.

I saw this picture in a post today from the Pakistan Networkers group. It graphically describes the complexity of ObamaCare:  the Obama health care reform bill.   I then sat down and started to learn more about this proposed solution to the US health care system that will cost over a trillion dollars in the next 10 years.

The Obama Health plan and the problems the administration is currently facing getting it through Congress is second page news here in Israel (front pages this weekend in Israeli papers are how Obama and Rahm are throwing their weight around and dictating to the Jews where they can live and not live….)

I started reading about the House Tri-committee Health Care bill and my eyes started popping at the cost and complexity of the proposal. I then read the response of the Mayo Clinic – Mayo Clinic’s reaction to House Tri-Committee bill and I finally realized that just like in Cyber Security and data loss prevention – the Obama administration is more interested in compliance and big government than customers and health, safety and security.

I’ve been arguing for basing data security product purchasing decisions on value at risk and cost-effectiveness of the DLP product in reducing the value at risk of a data breach. Therefore, it is  obvious to me that the notion of a value-based decision is an important cornerstone in redefining health care – see a discussion on pay for value in health care in the open letter to congress