Archive for the ‘Risk Management’ Category
Security Pie and The Safety Belt Analogy
When I’m reading an article or an analysis about the effectiveness of a specific security tool I often get upset. The main reason is that security researchers (at least the ones I’m reading) take an “all or nothing” approach to security product analysis – it either works or it doesn’t. Even when talking about defense in depth in conjunction with information/data/network security, some people have a tendency to write with this “all or nothing” approach.
When I read Rich’s post on Web Application Firewalls I thought that it would be very useful if anyone could come up with a detailed analysis of the effectiveness of different products, similar to the way the National Highway Traffic Safety Administration (NHTSA) measures the effectiveness of seat belts. Even when using empirical data, researchers will argue about what the data shows:
A recently publicized claim by one analyst that seat belts reduce vehicle occupant deaths 70-80 per cent is based on studies found to contain fundamental systematic error. Deaths occur only 50 per cent less often to belted compared to nonbelted vehicle occupants in crashes, according to previously unanalyzed data from three U.S. states during recent years.
I’d like to see more information providing statistical analysis like that used in this US Roads 1997 article, showing the effectiveness of security solutions under different circumstances:
- Mode of deployment
- Attack vector
- Policy used
- Other combined security tools/methods used
This would make it possible to measure the effectiveness of security tools and provide the kind of analysis that lets an organization perform proper risk analysis.
Told You…
Wikileaks here, Wikileaks there, (information) leaks are everywhere. Now that the site is planning to release leaked documents from “a major US bank”, security professionals might start to think about “leak prevention” in line with “loss protection”.
ILP anyone?
Herve Falciani, The Security Team Thank You
If you are not familiar with the name Herve Falciani, you should be. In my opinion he is “serving” the security community in a similar way to Kevin Mitnick (or others, pick your name).
Mr. Falciani is a former IT employee at the Swiss subsidiary of HSBC Private Bank (Suisse) SA who, according to the bank and French authorities, “obtained” sensitive customer information and handed it to the tax authorities in France. The data theft went on for some time before it was discovered, and the bank suffered some consequences.
This is all history now…. The assets are up as HSBC Private Bank shrugs off data theft. The bank also reported that it has spoken to almost all current clients that were affected by the data theft.
I’m sure that now ANY bank is taking data protection and activity monitoring more seriously. Having said that, I do not think for a second that the risk management and security teams at the bank did not take such issues seriously. Having worked with different security teams for over a decade, I am sure that they have always been trying to do the right things. Thanks to folks like Herve, the “risk” factor in data security risk management is clearer, and security teams can spend what they need in order to improve security.
On a second thought, I’m sure that many security vendors and consultants also thank Mr. Falciani.
Are We There Yet?
RSA Conference, the biggest security event of the year, will take place next month.
IMO now is a good time to review how we are doing as an industry in reaching our destination (that is, securing things).
In June 2003, Gartner declared that IDS are dead and “recommends that enterprises redirect the money they would have spent on IDS toward defense applications such as those offered by thought-leading firewall vendors that offer both network-level and application-level firewall capabilities in an integrated product.”
6.5 years later, are we there yet?
Secure Cloud Storage

Encryption != Security
I was reading the “Enabling Cloud Storage for the Enterprise” white paper from Emulex. First, I’d like to compliment the unknown author. I’ve read (and written) many white papers. This document is among the best.
As always, I have some reservations about the Data Security arguments that were made.
First, the unknown author claims that “When moving data outside of the data center, as is the case with public cloud storage, security concerns become a top priority” since “When data is kept within the confines of a data center, there are recognized methods for ensuring that it is kept safe”. While I totally agree that there are recognized methods to protect data inside the data center, I do not agree that placing data in the cloud is a top concern. In most cases the end user, or even the organization that is placing the data in the cloud, is unaware of its location, and even if it is aware, security (unfortunately) is not a top priority. What I am saying is that when we discuss security in the context of “the cloud”, one should demand security. In the same way that business users are demanding secure systems today, they should demand them when “the cloud” is involved.
But there is a bigger problem with the security section of this document. A big problem. There is a logical flaw in the main security assumption made in that section, since the document assumes that IDA (Information Dispersal Algorithms) is good (“enough”?) to be used as the method to secure the data.
I have an issue here, since the white paper sets an agenda that encrypted data should be considered secure because “To make use of the data in the cloud, a hacker or SSP employee would have to also gain access to a quorum of the data slices stored elsewhere”. But we know from experience that no encryption method is secure enough, because the problem lies with the application, which is what gets hacked.
Indeed, if the risk that Emulex writes about is related to employees stealing drives with data, then encryption might be good enough (depending upon encryption management and so many other factors). But as we know, security issues are mostly related to the way the application accesses the data, which will not be encrypted at that point, since the application is required to access the data… Just think about SQL injection and why it happens…
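To make the quorum argument concrete, here is an added toy example of information dispersal in the Rabin style (this is illustration code written for this post, not Emulex’s product and not Rabin’s published implementation): each run of m bytes becomes the coefficients of a polynomial over GF(257), evaluated at n points, so that any m slices rebuild the data and each slice is about 1/m the size of the original. The field, the slice counts and the sample record are assumptions made for the example. The security-relevant part is the last function: the application that holds a quorum ends up with the plaintext, which is exactly where the white paper’s argument stops.

```python
"""Toy information dispersal: n slices, any m reconstruct (Rabin-style, over GF(257))."""

P = 257  # prime field; every byte value 0..255 is a field element


def _inv(a):
    return pow(a, P - 2, P)  # Fermat inverse, valid because P is prime


def _interpolate(xs, ys):
    """Coefficients c[0..m-1] of the unique polynomial of degree < m
    passing through (xs[i], ys[i]) over GF(P): expanded Lagrange form."""
    m = len(xs)
    coeffs = [0] * m
    for i in range(m):
        num = [1]        # running product of (x - x_j) for j != i, low degree first
        denom = 1
        for j in range(m):
            if j == i:
                continue
            new = [0] * (len(num) + 1)
            for k, c in enumerate(num):
                new[k] = (new[k] - c * xs[j]) % P
                new[k + 1] = (new[k + 1] + c) % P
            num = new
            denom = denom * (xs[i] - xs[j]) % P
        scale = ys[i] * _inv(denom) % P
        for k, c in enumerate(num):
            coeffs[k] = (coeffs[k] + c * scale) % P
    return coeffs


def disperse(data, m, n):
    """Split data into n slices so that any m of them reconstruct it.
    Each run of m bytes is the coefficient vector of a polynomial, evaluated
    at x = 1..n; slice i is (x_i, list of evaluations), about len(data)/m long."""
    if not 1 <= m <= n < P:
        raise ValueError("need 1 <= m <= n < %d" % P)
    padded = data + b"\x00" * (-len(data) % m)   # pad to a multiple of m
    slices = [(x, []) for x in range(1, n + 1)]
    for i in range(0, len(padded), m):
        coeffs = padded[i:i + m]
        for x, vals in slices:
            y = 0
            for c in reversed(coeffs):   # Horner evaluation of the polynomial at x
                y = (y * x + c) % P
            vals.append(y)
    return slices


def reconstruct(slices, m, length):
    """Rebuild the original bytes from any m slices with distinct x positions.
    Whoever runs this holds the plaintext afterwards: dispersal protects the
    storage, not the application that reassembles the data."""
    if len(slices) < m:
        raise ValueError("need a quorum of %d slices, got %d" % (m, len(slices)))
    use = slices[:m]
    xs = [x for x, _ in use]
    if len(set(xs)) != m:
        raise ValueError("slices must come from distinct positions")
    out = bytearray()
    for g in range(len(use[0][1])):
        ys = [vals[g] for _, vals in use]
        out.extend(_interpolate(xs, ys))
    return bytes(out[:length])


# Constructed sample record for the demo (not real data).
RECORD = b"card=4111111111111111;name=Alice"

if __name__ == "__main__":
    parts = disperse(RECORD, 3, 5)
    print("slice lengths:", [len(v) for _, v in parts])
    print("from slices 2,3,4:", reconstruct(parts[1:4], 3, len(RECORD)))
    try:
        reconstruct(parts[:2], 3, len(RECORD))
    except ValueError as e:
        print("below quorum:", e)
```

Run it and you will see five slices of 11 values each for a 32-byte record, successful reconstruction from any three of them, and a refusal below the quorum. Nothing in the scheme stops an attacker who compromises the application server from calling the equivalent of `reconstruct`, which is the point of the paragraph above.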
Bruce Schneier begins his book Secrets and Lies by saying “I have written this book partly to correct a mistake” that he made with his utopian vision of cryptography and algorithms keeping “your deepest secret safe”. I will allow myself to paraphrase that when it comes to secure Cloud Storage ”Cryptography can’t do any of that”. I suggest that anyone that thinks that security=(only) cryptography will think again.
“… Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, palpable security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers.”
BTW, IDA was developed by Michael Rabin, who won the Turing Award in 1976 and the Israel Prize (in computer sciences) in 1995.
Image source: http://ulcercity.blogspot.com/
The fickle nature of risk
Many security companies sell what they call a DLP solution. In many cases this DLP solution is a grouping of regular expressions that look for SSNs and CCNs and maybe a few other items. The limited protocol coverage and limited granularity of the engine get re-positioned as built-in simplicity. Cisco and Proofpoint jump to mind, but there are many others.
At the heart of this approach is an assumption that data security is just another version of network security. A credit card in an email is somehow just the same as a virus in a web download. Well, technically it might seem that way, but I would like to propose that this assumption is as far from reality as possible.
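The regex-plus-checksum engine described above, written out as an added example (this is not any vendor’s code): a card-number pattern with a Luhn check and an SSN pattern with the structural rules for never-issued numbers, run over a few constructed messages. The patterns, the rules and the sample messages are assumptions made for the illustration. What it shows is the granularity problem: a legitimate billing request and a forward to a personal mailbox contain the same card number and get the same verdict, because the engine sees a pattern, not a data flow.

```python
import re

# Card-number shape: 13 to 19 digits, optionally separated by single spaces or dashes.
CCN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# SSN shape: AAA-GG-SSSS.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn checksum: true for every syntactically valid payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Structural rules only: area 000, 666 and 900-999 are never issued,
    and the group or serial part cannot be all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan(text):
    """Return (kind, normalised value, passes_validation) for every shape match."""
    findings = []
    for m in CCN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        findings.append(("ccn", digits, luhn_ok(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group(0), ssn_plausible(*m.groups())))
    return findings


def flagged(messages):
    """Indices of the messages a regex-plus-checksum engine would block:
    any validated match triggers, regardless of who is sending it where."""
    return [i for i, msg in enumerate(messages)
            if any(valid for _, _, valid in scan(msg))]


# Constructed sample messages (not real traffic). 4111 1111 1111 1111 is a
# widely published Luhn-valid test number, not an issued card.
SAMPLE_MESSAGES = [
    "Order 8841 shipped, tracking 1234567890123456",                       # 16 digits, fails Luhn
    "Please charge 4111 1111 1111 1111 for the renewal",                    # legitimate billing use
    "fwd to personal mailbox: card 4111 1111 1111 1111, SSN 123-45-6789",   # same card, exfiltration-like
    "Ticket 666-12-3456 opened by support",                                 # SSN-shaped, never-issued area
]

if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MESSAGES):
        print(i, scan(msg))
    print("blocked:", flagged(SAMPLE_MESSAGES))
```

The checksum removes the tracking number and the 666 area from the alert list, which is as far as this class of engine can go. Messages 1 and 2 are indistinguishable to it; deciding that one is business as usual and the other a breach needs knowledge of sender, recipient and business process, which is the risk-profile question the rest of this post is about.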
To demonstrate this point, let’s look at the nature of the risk surrounding data security. I will demonstrate using a single standard, with a single set of predefined “punishments”, a similar scope of breach, but a resoundingly different outcome. I compare two incidents where PCI DSS (the payment card industry’s notorious and somewhat silly data security standard) was triggered by a lack of any data governance whatsoever, resulting in massive breaches.
The two companies are CardSystems Solutions which lost 40 million customer records out of its Tucson office and TJX where over 94 million customer records were siphoned (according to the lawsuit filed against the perpetrators of that breach).
The cases are similar:
1. Both companies had very little to no data governance. (The companies will not agree to this point, but a company that sends out 94 million records, whether knowingly or not, has NO data governance IMHO.)
2. Both companies had malware installed that siphoned off millions of records, which were used to steal customers’ identities.
3. Both companies had an abrupt change in PCI status (fully compliant the day before the breach, non-compliant the day after – funny, and indicative of a fundamental flaw in PCI DSS).
4. Both companies accepted their responsibility with the caveat that “it was not their fault” (as if it was not their servers, their IT systems, or their lack of governance).
In spite of the above similarities, there is very little resemblance in the risk profile, as can be attested by the outcome of the breach. CardSystems ended up paying the ultimate price, cleaning up shop and being required to sell their assets to Solidus Networks (Pay by Touch). Meanwhile TJX is doing well. The discount retailer thrives in a bad economy, scooping back customers from Nordstrom and Neiman Marcus (ahem). At most, TJX’s response was summarized in a series of letters from its CEO Carol Meyrowitz.
The one difference between the two scenarios is the risk profile. CardSystems had no public face. They were one of many processors operating in the background. They could not afford the cleanup (expensive post breach hush money to pay-off FTC, PCI members, court fees, class action payoffs, etc.). Visa, MasterCard, and Amex exercised their muscles and forced the company (now without customers) to sell its assets and cease existence.
TJX, meanwhile, was a cash cow, making the credit card industry vast amounts of cash. A “slap on the wrist” was the most the credit card companies did to TJX. After pay-offs (hundreds of millions of dollars) all was well.
(BTW, the latter is not unique: Hannaford Brothers supermarkets had a similar incident with similar results to TJX).
So next time you hear the message that in data security “one size fits all”, I propose that you verify that the technical and business capabilities of the solution really do align with your risk profile.
/al
Confidence (The Other Approach to Risk Management)
I have a passion for Risk Management. In my opinion it does not matter whether one is managing information security risk or financial risk. If we watch closely we see that the financial guys aren’t the best risk managers (Assaf wrote about it many times…). One of the less discussed areas of risk management is food safety. Sure, there are plenty of regulations and mandates as well as different agencies, including the CDC, FDA and USDA just to name a few, but overall there are too many health issues with food.
Take sprouts. That harmless-looking, healthy food is known to cause health issues. According to this article:
Between 1996 and 2005, raw or slightly cooked sprouts have caused an estimated 1,636 cases of illness, or 40 percent of all food-borne illness associated with produce, according to the FDA. Though the number of cases has dropped substantially since 1999 due to stepped-up decontamination attempts by the industry, federal regulators say the current push is necessary because sprouts–a favorite among health-food enthusiasts–still pose a measure of risk to consumers.
Years later, we are still facing food-borne illness associated with sprouts.
Just recently the FDA and the CDC advised people not to eat raw alfalfa sprouts after at least 31 people were sickened by Salmonella Saintpaul infection. According to the FDA, an investigation shows that the problem may be linked to contamination of seeds for alfalfa sprouts.
The FDA and the CDC note that suspect lots of seeds may be sold around the country and may account for a large proportion of the alfalfa seeds being used by sprout growers, and cases of illness are spread across multiple states.
Even my favorite grocer, Trader Joe’s, had to recall my favorite Nature’s Choice Alfalfa Sprouts.
But now, we can all rest assured. They always test the product. Where were you during the Salmonella outbreak?

The point I’d like to make is that risk management is a never-ending process. One should understand the associated vulnerabilities (e.g. sprouts can contain Salmonella), review the business process, and add the necessary controls (e.g. test for Salmonella), adding compensating controls if necessary.
At least now I have more confidence. I know that they ARE testing. Good to know.
How Spam Works

How does it work?
Every few days I sort through Securitypie’s spam queue. Our anti-spam engine detects most of the spam messages, but there are a few that it asks one of the administrators to approve. Most of those messages target a single post. Assaf’s self-confession “Why I Miss the Soviet Union” is like a spam magnet.
Why? What is so unique about those 875 words that makes it different? Could it be that the desire to see “a visionary CTO with a set of brass balls. Not a Cisco kowtowing CIO” makes the difference?
It would be interesting to see how the spammers treat this post. If you have a clue, send us a comment.
Words I like: Significant Deficiency & Control Deficiency

The road to/from deficiency
I found the following definition of “significant deficiency” in a GAO report and I liked it. If you are outside of the US or not regulated by US regulations, you can change the reference regulations mentioned in the first sentence:
A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S. generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected.
Then, it also explains what a control deficiency is:
A control deficiency exists when the design or operation of a control does not allow management or employees in the normal course of performing their assigned functions to prevent or detect misstatements on a timely basis.
Swine, Pistachios, Alfalfa
The government is now asking people to avoid eating raw alfalfa sprouts, including sprout blends that contain alfalfa sprouts, because of possible Salmonella contamination. According to the FDA press release,
Initial investigation results trace the contaminated raw alfalfa sprouts to multiple sprout growers in multiple states. This suggests a potential problem with the seeds used, as well as the possible failure of the sprout growers involved to appropriately and consistently follow the FDA Sprout Guidance issued in 1999. The guidance recommends an effective seed disinfection treatment immediately before the start of sprouting.
To me, this whole issue sounds like a classic case of malfunction in the risk management process. I’m not an expert in food safety, but I know a few things about risk management. From reading the latest reports, it looks like someone in the FDA should start to enforce better controls on food manufacturers. We can’t change our diet because someone forgot to read a manual from 1999.