Security Pie

The ramblings of three security curmudgeons

Archive for August, 2009

Recovery (Yay!)

without comments

Security Pie was the first to alert you to “The unprecedented use of the term unprecedented in the current crisis is terrifying” back in September 08. Hopefully you used that warning wisely and moved all your money and houses to a safe place like Iceland.

Well, here we are again with another scoop.

“We have hit the bottom”, “prices are stabilizing”, “leading indicators show us that a recovery is imminent”: these are all positive leading signs that we have had enough of the emotional rollercoaster that is the side effect of investing our collective psyche in hysteria, and would now like to displace that hysteria with a well-earned sense of complacency.

But English is beautiful, just like American customers remind me of non-confrontational adolescents: the word imminent is boundless. It can be now, and it can be a year from now (i.e. nascent).

I, for one, will start a political movement called “Recovery Now”. That is, if I were a non-confrontational adolescent.

/al

Written by assafl

August 24th, 2009 at 7:52 am

Posted in Uncategorized

The ultimate geek drink

with one comment

No – it is not coke.

For sheer geek delight nothing comes close to espresso. Imagine a beverage that comes bundled with a heritage of being invented in 1900s Italy (that is like Python having the prestige heritage of Fortran: ordained, but miserably failed, to take over the world); a drink so chemically complicated that generations of Italians have toiled in garages and basements to create and refine brilliant but dangerous contraptions that would guarantee a perfect cup of joe.


Written by assafl

August 22nd, 2009 at 9:23 am

Posted in Uncategorized

Can You Fix My Grammar While Reading My Emails?

with one comment

According to a new Proofpoint study of 220 leaders at American companies with over 1,000 employees, 38% employ staff to read or otherwise analyze the content of outgoing email, compared to 29% last year. Why the big increase in surveillance? 34% said their businesses had been affected by the exposure of sensitive or embarrassing information, up from 23% in 2008.

Dear outbound email reader. While you are reading my emails, can you look into the way I write my emails? Simply correct any spelling and grammar mistakes.

Thank You!

I’m sure that I asked for it in the past, and there might be a Feature Request somewhere…

Written by sharon

August 19th, 2009 at 6:17 am

Posted in marketing,privacy

The fickle nature of risk

without comments

Many security companies sell what they call a DLP solution. In many cases this DLP solution is a grouping of regular expressions that look for SSNs and CCNs and maybe a few other items. The limited protocol coverage and limited granularity of the engine get re-positioned as built-in simplicity. Cisco and Proofpoint jump to mind, but there are many others.
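To make concrete what such a regex-only engine does and does not see, here is an added example (not code from the post or from any vendor named in it) that runs constructed sample email lines through an SSN pattern and a card-number pattern, and then applies a Luhn checksum to the card candidates. The patterns, the sample lines and the function names are my own for illustration; the card number used is the widely published test PAN 4111 1111 1111 1111, not a real account.

```python
import re

# Constructed patterns of the kind a regex-only DLP engine ships with.
# SSN: 3-2-4 digits with optional dash/space separators; excludes the
# area numbers 000, 666 and 900-999 and all-zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
# CCN candidate: 13 to 19 digits, each optionally followed by a dash or space.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_line(line: str) -> dict:
    """Return what the bare regexes flag, plus the CCN hits that survive Luhn."""
    ssn_hits = SSN_RE.findall(line)
    ccn_regex_only = CCN_RE.findall(line)
    ccn_luhn = [m for m in ccn_regex_only if luhn_valid(re.sub(r"[ -]", "", m))]
    return {"ssn": ssn_hits, "ccn_regex_only": ccn_regex_only, "ccn_luhn": ccn_luhn}


def scan_email(lines):
    """Scan each line of an outbound message; returns one result dict per line."""
    return [dict(line_no=i + 1, **scan_line(line)) for i, line in enumerate(lines)]


# Constructed sample message; none of these values belong to a real person.
SAMPLE_EMAIL = [
    "Hi Bob, the corporate card ending in 4111 1111 1111 1111 expires next month.",
    "Shipment tracking number is 1234567890123456, should arrive Friday.",
    "My SSN is 123-45-6789, please use it for the W-4 form.",
    "Invoice 321-54-9876 is still unpaid; call me at 555-123-4567.",
]

if __name__ == "__main__":
    for result in scan_email(SAMPLE_EMAIL):
        print(result)
```

Line 2 shows the checksum doing useful work: the tracking number is flagged by the bare regex but fails Luhn, so it drops out. Line 4 shows the limit of the approach: an invoice number shaped like an SSN is flagged, and nothing in the engine knows whether this sender may send this value to this recipient. That second question is the governance question the post is about, and a pattern match cannot answer it.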

At the heart of this approach is an assumption that data security is just another version of network security. A credit card in an email is somehow just the same as a virus in a web download. Well, technically it might seem that way, but I would like to propose that this assumption is as far from reality as possible.

To demonstrate this point, let’s look at the nature of the risk surrounding data security. I will demonstrate using a single standard, with a single set of predefined “punishments”, a similar scope of breach, but a resoundingly different outcome. I compare two incidents where PCI DSS (the payment card industry’s notorious and somewhat silly data security standard) was triggered by a lack of any data governance whatsoever, resulting in massive breaches.

The two companies are CardSystems Solutions which lost 40 million customer records out of its Tucson office and TJX where over 94 million customer records were siphoned (according to the lawsuit filed against the perpetrators of that breach).

The cases are similar:

1. Both companies had very little to no data governance. (The companies will not agree to this point, but a company that sends out 94 million records whether knowingly or not has NO data governance IMHO).

2. Both companies had malware installed that siphoned off millions of records, which were then used to steal the identities of customers.

3. Both companies had an abrupt change in PCI status (fully compliant the day before the breach and non-compliant the day after; funny, and indicative of a fundamental flaw in PCI DSS).

4. Both companies accepted their responsibility with the caveat that “it was not their fault” (as if it was not their servers, their IT systems, or their lack of governance).

In spite of the above similarities, there is very little resemblance in the risk profile, as can be attested by the outcome of the breach. CardSystems ended up paying the ultimate price, cleaning up shop and being required to sell their assets to Solidus Networks (Pay by Touch). Meanwhile TJX is doing well. The discount retailer thrives in a bad economy, scooping back customers from Nordstrom and Neiman Marcus (ahem). At most, TJX’s response was summarized in a series of letters from its CEO Carol Meyrowitz.

The one difference between the two scenarios is the risk profile. CardSystems had no public face. They were one of many processors operating in the background. They could not afford the cleanup (expensive post-breach hush money to pay off the FTC, PCI members, court fees, class-action payoffs, etc.). Visa, MasterCard, and Amex exercised their muscles and forced the company (now without customers) to sell its assets and cease to exist.

TJX, meanwhile, was a cash cow, making the credit card industry vast amounts of money. A “slap on the wrist” was the most the credit card companies did to TJX. After pay-offs (hundreds of millions of dollars) all was well.

(BTW, the latter is not unique: Hannaford Brothers supermarkets had a similar incident with results similar to TJX’s.)

So next time you hear the message that in data security “one size fits all”, I propose that you verify that the technical and business capabilities of the solution really do align with your risk profile.

/al

Written by assafl

August 14th, 2009 at 2:29 am

Ending The Drought

without comments

Fortinet will end the Drought


So the good news arrives from Sunnyvale, CA: Fortinet, Inc., a provider of network security appliances and unified threat management (UTM) solutions, announced that it has filed a registration statement on Form S-1 with the Securities and Exchange Commission relating to a proposed initial public offering of its common stock.

This is great news for our friends working at Fortinet, partners, security VARs, VCs, and anyone who cares about the economy and, of course, security.

Fortinet is a profitable security vendor. The IPO filing is very encouraging, as it represents the first US venture-backed company to submit an IPO filing in more than six months.

I believe that Fortinet’s S-1 filing represents the start of a wave of IPO filings by quality security companies in the coming months, which is extremely important in order to improve the overall sentiment for security companies. I believe that since Websense’s (WBSN) acquisition of PortAuthority Technologies, our industry financiers (ok, the Venture Capitalists) have not seen a good return on their investment…

Go get ’em!

Written by sharon

August 11th, 2009 at 12:36 am

Posted in Security Business
