Archive

Posts Tagged ‘Security vendors’

Multi-factor authentication for home banking

September 15th, 2009 admin

For fear of becomming(sic) the next victim of identity theft, 150 million U.S. consumers don’t bank online, according to experts. But the banking industry could improve profitability by as much as $8.3 billion per year if banks build consumers’ confidence in online security, according to the TriCipher Consumer Online Banking Study, conducted by Javelin Strategy & Research for TriCipher, a Los Gatos, Calif.-based authentication solutions provider.

I don’t doubt that US banks, after having received all that taxpayer money, will spend some of it on biometrics and multi-factor authentication. I predict that they will eventually abandon ship on authentication technology for home banking, when they realize that authentication technology doesn’t protect their customers on the Internet.

Multi-factor doesn’t prevent phishing. It doesn’t prevent identity theft. It doesn’t secure online accounts from fraudulent transactions. Take two attacks for example:

Man in the middle – an attacker sets up a fake banking web site and gets people to log in, passing the request for authentication through to the real bank – the attacker doesn’t care if the user is authenticated with biometrics or with out-of-band SMS messages – that’s great. He still gets the user into his system in order to harvest usernames, passwords, credit cards and account numbers.

Trojan horse – an attacker distributes a Trojan on a CD or from an online adult content site. When the user logs in to the bona-fide banking site, the Trojan can use the connection to perform fraudulent transactions – like account withdrawals and funds transfers – while the user is logged in and authenticated.

Multi-factor and biometrics work well in a controlled environment like a corporate local area network but in the wild – the threats are changing too fast for multi-factor authentication solutions to provide effective data security.

What will get more people to use online banking?

  • Trusting their bank.
  • Banks that don’t lose customer data
  • A simple but robust online login method (account, username, password) that uses offline, face to face authentication to validate identity before issuing a username/password and enforces strong, frequently updated passwords.
  • Education about the dangers of phishing
  • A well engineered online banking web site that doesn’t require hardware dongles and Java or ActiveX client software

Information security: Is psychology more important than technology?

August 6th, 2009 admin

I believe that 3 psychological reasons are the root cause of why many organizations worldwide do not take a leadership position in enterprise information protection.

  1. Preventing information security events is an admission of weakness. Why spend money on technology when the first step is admitting that you’re vulnerable?
  2. We live in an age of instant gratification. Need music – go to Deezer. Need security – go to Checkpoint. Strong security is hard work.
  3. Walk on the safe side, not on the wild side. Why be an early adopter and / or spend 6-7 figures on several point solutions that require a risk assessment from someone who isn’t your accountant, a complex policy implementation by people who need to learn your business, integration with internal procedures and processes with employees who couldn’t care less, and buy-in from a CEO who is scrambling for survival with the board during the biggest financial crisis in 80 years?

I posted this question on the LinkedIn Information Security Community forum about 6 weeks ago. It was an experiment in collaborative writing; I’ve collected the comments and edited them (hopefully faithfully), attributing credit to each contributor.


Is security a washing machine?

August 4th, 2009 admin


Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle. It’s always a 4 step cycle, like Symantec’s DLP “Discover, Monitor, Protect and Manage”, and it’s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.

It’s like a washing machine cycle that never stops, intent on keeping you from going home. It’s also a sales cycle focused on sustaining subscription revenue rather than protecting information.

The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard stuff: quantification and prioritization of your actions based on the financial value of assets and measurement of threat impact.

Modern security tools from companies like Qualys and Beyond Security are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However – since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected.

With reported data breaches that increased nearly 50% in 2008, and security budgets that shrunk drastically in 2009, you need to measure how well the product reduces Value at Risk in dollars (or in Euro) and how well it will still do so 3 years after you buy the technology.

In order to help make that happen we will host a free weekly online workshop on data security best practices every Thursday, 15:00 GMT, 16:00 Central European Time, starting Thursday September 3, 2009.

This series of workshops is designed to help you and your team take a leadership role in the board room instead of waiting for vendor proposals in your office.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, value your risk and choose the most cost-effective security technologies to protect your data.

Data security is a war – when the attackers win, you lose. We will help you win more.

Risk Assessment is a threat to vendors

May 13th, 2008 admin

I took a couple of hours out from work today to pop over to Infosec 2008 in Airport City.

I don’t normally go to these events unless I’m invited to speak – but it is a good networking opportunity and chance to reconnect with old friends and colleagues.

Whenever I go somewhere, I’m always looking at things from a security perspective – open doors, windows, things that could be easily lifted, who might be a threat.

Walking the exhibit hall, I realized that Risk Assessment is a threat to security product vendors.

Not every security countermeasure is effective or even relevant for your company. This is definitely a threat to a vendor salesperson who must make quota.

If you do a risk assessment with Practical Threat Analysis (shameless plug for PTA – download here) you systematically collect assets, threats, vulnerabilities … and THEN produce a cost-effective risk mitigation plan. Your vendor wants to sell you a $100,000 database firewall, but it may turn out that your top vulnerability is from 10 field service engineers with company source code on their notebook computers. You can mitigate the risk of a stolen notebook by installing a simple security countermeasure – free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux.
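The quantification the washing-machine post asks for (Value at Risk in dollars, reduced per dollar of countermeasure spend) and the assets/threats/vulnerabilities-then-mitigation-plan sequence described here are the same calculation. The following is an added example, not the PTA tool’s own code or algorithm: every asset value, probability and cost is constructed for illustration, and the annualized-loss model (asset value × damage fraction × expected occurrences per year) is one common way to put a dollar figure on a threat, not the only one.

```python
"""Rank countermeasures by Value at Risk reduced per dollar spent.

Added example (not PTA's code). All figures are constructed for illustration.
Risk model: annual loss from a threat = asset value * damage fraction * expected
occurrences per year. A countermeasure removes a fraction of that loss.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # financial value of the asset in dollars (constructed)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str               # name of the asset this threat damages
    annual_probability: float  # expected occurrences per year (constructed)
    damage_fraction: float     # fraction of asset value lost per occurrence


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float                    # annualized cost in dollars (constructed)
    mitigates: Dict[str, float]    # threat name -> fraction of its loss removed


def annual_loss(threat: Threat, assets: Dict[str, Asset]) -> float:
    """Annualized loss expectancy of one threat against its asset."""
    return assets[threat.asset].value * threat.damage_fraction * threat.annual_probability


def total_value_at_risk(threats: List[Threat], assets: Dict[str, Asset]) -> float:
    """Sum of annualized losses over all identified threats, in dollars."""
    return sum(annual_loss(t, assets) for t in threats)


def risk_reduction(cm: Countermeasure, threats: List[Threat], assets: Dict[str, Asset]) -> float:
    """Dollars of annual loss this countermeasure removes across the threats it mitigates."""
    return sum(annual_loss(t, assets) * cm.mitigates.get(t.name, 0.0) for t in threats)


def mitigation_plan(countermeasures: List[Countermeasure], threats: List[Threat],
                    assets: Dict[str, Asset]) -> List[Tuple[str, float, float, float]]:
    """Return (name, risk reduced, cost, reduced-per-dollar) rows, best first.

    A countermeasure that costs more than the loss it prevents has negative net
    benefit and is left out of the plan regardless of how the vendor pitches it.
    """
    rows = []
    for cm in countermeasures:
        reduced = risk_reduction(cm, threats, assets)
        if reduced > cm.cost:
            rows.append((cm.name, reduced, cm.cost, reduced / cm.cost))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# Constructed sample inventory mirroring the post's scenario: a costly database
# firewall versus disk encryption for field engineers' notebooks.
ASSETS = {
    "source code": Asset("source code", 2_000_000.0),
    "customer database": Asset("customer database", 5_000_000.0),
}
THREATS = [
    # 10 engineers, assumed 5% chance each per year of losing a notebook
    Threat("stolen notebook", "source code", annual_probability=0.5, damage_fraction=0.2),
    Threat("sql injection", "customer database", annual_probability=0.05, damage_fraction=0.3),
]
COUNTERMEASURES = [
    Countermeasure("database firewall", cost=100_000.0, mitigates={"sql injection": 0.8}),
    # software is free; cost is the rollout labour (constructed)
    Countermeasure("notebook disk encryption", cost=2_000.0, mitigates={"stolen notebook": 0.9}),
    Countermeasure("secure code review", cost=20_000.0, mitigates={"sql injection": 0.5}),
]


def demo() -> List[Tuple[str, float, float, float]]:
    """Run the sample inventory through the ranking and print the plan."""
    plan = mitigation_plan(COUNTERMEASURES, THREATS, ASSETS)
    print(f"Total Value at Risk: ${total_value_at_risk(THREATS, ASSETS):,.0f}/year")
    for name, reduced, cost, ratio in plan:
        print(f"{name:26s} reduces ${reduced:>9,.0f}  costs ${cost:>8,.0f}  ${ratio:.1f} saved per $1")
    return plan


if __name__ == "__main__":
    demo()
```

With these constructed numbers the $100,000 firewall prevents only $60,000 of expected annual loss and drops out of the plan entirely, while the near-free disk encryption tops it; the point is that the ranking comes from the business figures, not from the appliance catalogue.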

Vendors often attempt to mitigate the risk assessment threat by using compliance as a universal countermeasure.

This can reach absurd levels, as we shall see in the following example.

NetClarity (which is a NAC appliance) claims that it provides “IT Compliance Automation” and that it “Generates regulatory compliance gap analysis and differential compliance reports” and “self-assessment, auditing and policy builder tools for Visa/Mastercard PCI, GLBA (sic), HIPAA, CFR21-FDA-11,SOX-404, EO13231 government and international (ISO270001/17799) compliance.”

A network access control appliance is hardly an appropriate tool for compliance gap analysis, but asserting that a NAC appliance or Web application firewall automates SOX 404 compliance is absurd.

Sarbanes-Oxley Section 404 requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. This means that a company has to audit, document and test important financial reporting manual and automated controls. I remember the CEO of a client a few years ago insisting that he would not accept any financial reports from his accounting department unless they were automatic output from the General Ledger system – he would not accept Excel spreadsheets from his controller, since he knew that the data could be massaged and fudged. If there was a bug in the GL or missing / incorrect postings, he wanted to fix the problem, not cut and paste it.

Appropriate, timely and accurate financial reporting has absolutely nothing to do with network access control.
