Israeli Software

From the recent September/October 2010 issue of Foreign Affairs – William Lyn U.S. Deputy Secretary of Defense writes about defending a new domain.

The  long, eloquently phrased article, demonstrates that the US has fundamental flaws in it’s strategic thinking about fighting terror:

Predicting cyberattacks is also proving difficult, especially since both state and nonstate actors pose threats…..Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.

And in summary:

“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces …to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe…”

It is unfortunate that a politruk has so much influence on US cyber security.

The US and European governments consistently adopt strategic policies that were obsolete  years before they came into office.

Just as the Obama administration is crippled by flawed assumptions about the regional balance of power in the Middle East, Washington still sees security as an exercise in organizational constructs, inter-agency collaboration and better defenses and pats itself on the back for recognizing that there is a new domain of threats….when the Internet was invented 20 years ago.

Lyn’s laundry lists of strategic objectives phrased in politically-correct corporate-speak are the wrong answer for improving cyber-security. When Lynn himself, speaks extensively about the need for speed and flexibility, the answer cannot be more government-funded monolithic, bureaucracies.

The private – public partnership is particularly problematic in my view.    The really smart people in security technologies are at small startups – not at Raytheon and Symantec and all the other big corporates that have enough lobbyist resources to line up and eat pork from the Federal plate.  And – why – if I may challenge some conventional wisdoms – should companies like Symantec be allowed to influence US cyber defenses when they have done an abysmal job protecting civilian networks and digital assets? And – why- should Microsoft be part of the solution when they are part of the problem.

Perhaps the US should start by outlawing Windows and using Ubuntu which is not vulnerable to removable USB device auto run attacks.

Perhaps the US should start getting more humint on the ground instead of gutting the CIA from it’s human assets and relying on satellites and network intercepts.   At the time of 9/11 – the CIA had no human assets in Saudi and since the Clinton administration – investment in people on the ground has gone downhill.   I hear the sign in the CIA station chief office in Riyadh says “Better to do nothing then to do something and look bad”.

Perhaps the US should consider that there are numerous offensive alternatives to retaliation (which indeed is not an effective countermeasure due to the extreme asymmetry of cyber attacks).

Perhaps the US should consider that cyber attackers are not motivated by economic utility functions and therefore utility-function-based defenses are not appropriate.

The security concept proposed by Lynn is  sadly divorced from reality.

For fear of becomming(sic) the next victim of identity theft, 150 million U.S. consumers don’t bank online, according to experts. But the banking industry could improve profitability by as much as $8.3 billion per year if banks build consumers’ confidence in online security, according to the TriCipher Consumer Online Banking Study, conducted by Javelin Strategy & Research for TriCipher, a Los Gatos, Calif.-based authentication solutions provider.

I don’t doubt that US banks, after having received all that tax payer money, will spend some of it on biometrics and multi-factor authentication. I predict that they will eventually abandon ship on authentication technology for home banking, when they realize that authentication technology doesn’t protect their customers on the Internet.

Multi-factor doesn’t prevent phishing. It doesn’t prevent identity theft. It doesn’t  secure online accounts from fraudulent transactions.  Take two attacks for example:

Man in the middle - an attacker sets up a fake banking web site and gets people to login, by passing the request for authentication thru to the real bank – the attacker doesn’t care if the user is authenticated with  biometrics or with out of band SMS messages – that’s great.   He still gets the user into his system in order to harvest usernames, passwords, credit cards and account numbers

Trojan horse - an attacker distributes a Trojan on a CD or from a online adult content site.  When the user logs in to the bona-fide banking site, he can use the connection to perform fraudulent transactions – like account withdrawals and funds transfers while the user is logged-in and authenticated.

Multi-factor and biometrics work well in a controlled environment like a corporate local area network but in the wild – the threats are changing too fast for multi-factor authentication solutions to provide effective data security.

What will get more people to use online banking?

• Trusting their bank.
• Banks that don’t lose customer data
• A simple but robust online login method (account, username, password) that uses offline, face to face authentication to validate identity before issuing a username/password and enforces strong, frequently updated passwords.
• Education about the dangers of phishing
• A well engineered online banking web site that doesn’t require hardware dongles and Java or ActiveX client software

I believe that 3 psychological reasons are the root cause of why many organizations worldwide do not take a leadership position in enterprise information protection.

1. Preventing information security events is an admission of weakness. Why spend money on technology when the first step is admitting that you’re vulnerable?
2. We live in an age of instant gratification. Need music – go to Deezer. Need security – go to Checkpoint. Strong security is hard work.
3. Walk on the safe side, not on the wild side. Why be an early adopter and / or spend 6-7 figures on several point solutions that requires a risk assessment from someone who isn’t your accountant, a complex policy implementation by people who need to learn your business, integration with internal procedures and processes with employees who could care less, and buyin from a CEO who is scrappling for survival with the board during the biggest financial crisis in 80 years?

I posted this question  on the LinkedIn Information Security Community forum about 6 weeks ago. It was an experiment in collaborative writing;  I’ve collected the comments and edited them (hopefully faithfully), attributing credit to each contributor.

Read more…

Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle. It’s always a 4 step cycle, like Symantec’s DLP  “Discover, Monitor, Protect and Manage” and it’s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.

It’s like a washing machine cycle that never stops, intent on keeping you from going home.  It’s also a sales cycle focussed on sustaining subscription revenue rather than protecting information.

The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard stuff; quantification and prioritization of your actions based on financial value of assets and measurement of threat impact.

Modern security tools from companies like Qualys and Beyond Security are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However – since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected.

With reported data breaches that increased nearly 50% in 2008, and security budgets that shrunk drastically in 2009 – you need to measure how well the product reduces Value at Risk in dollars (or in Euro) and how well it will do 3 years after you buy the technology.

In order to help make that happen we will host a free weekly online workshop on data security best practices every Thursday, 15:00 GMT, 16:00 Central European Time, starting Thursday September 3, 2009.

This series of workshops is designed to help you and your team take a leadership role in the board room instead of waiting for vendor proposals in your office.

Through specific Business Threat Modeling^(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.

Data security is a war – when the attackers win, you lose. We will help you win more.

I took a couple hours out from work today to pop over to Infosec 2008 in Airport CIty.

I don’t normally go to these events unless I’m invited to speak – but it is a good networking opportunity and chance to reconnect with old friends and colleagues.

Whenever I go somewhere – I’m always looking at things with a security perspective – open doors, windows – things that could be easily lifted. Who might be a threat.

Walking the exhibit hall, I realized that Risk Assessment is a threat to security product vendors.

Not every security countermeasure is effective or even relevant for your company. This is definitely a threat to a vendor salesperson who must make quota.

If you do a risk assessment with Practical Threat Analysis (shameless plug for PTA – download here you systematically collect assets, threats, vulnerabilities …and THEN produce a cost-effective risk mitigation plan. Your vendor wants to sell you a $100,000 database firewall, but it may turn out that your top vulnerability is from 10 Field service engineers with company source code on their notebook computers. You can mitigate the risk of a stolen notebook by installing a simple security countermeasure – Free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux.

Vendors often attempt to mitigate the risk assessment threat by using compliance as a universal countermeasure.

This is can approach absurd levels as we shall see in the following example.

NetClarity (which is a NAC appliance) claims that it provides “IT Compliance Automation” and that it “Generates regulatory compliance gap analysis and differential compliance reports” and “self-assessment, auditing and policy builder tools for Visa/Mastercard PCI, GLBA (sic), HIPAA, CFR21-FDA-11,SOX-404, EO13231 government and international (ISO270001/17799) compliance.”

A network access control appliance is hardly an appropriate tool for compliance gap analysis but asserting that a NAC appliance or Web application firewall automates SOX 404 compliance is absurd.

Sarbanes-Oxley Section 404, requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. This means that a company has to audit, document and test important financial reporting manual and automated controls. I remember the CEO of a client a few years ago insisting that he would not accept any financial reports from his accounting department unless they were automatic output from the General Ledger system – he would not accept Excel spreadsheets from his controller, since he knew that the data could be massaged and fudged. If there was a bug in the GL or missing / incorrect postings he wanted to fix the problem not cut and paste it.

Appropriate, timely and accurate financial reporting has absolutely nothing to do with network access control.

Read more…