Security Pie

The ramblings of three security curmudgeons

Archive for the ‘Security Policy’ Category

Spam Bot Should Be More Sophisticated


(4:46:13 PM) ashleybishop8327: Hey
(9:31:58 PM) Sharon: BOT
(9:32:13 PM) AshleyBishop8327: whats a bot? im 100% all real and natural, from tits to ass!
(9:32:27 PM) Sharon: so you are not a bot
(9:32:40 PM) AshleyBishop8327: whats a bot? im 100% all real and natural, from tits to ass!
(9:32:59 PM) Sharon: now I’m confused. Are you a bot or not?
(9:33:11 PM) AshleyBishop8327: whats a bot? im 100% all real and natural, from tits to ass!
(9:33:28 PM) Sharon:
(9:33:42 PM) AshleyBishop8327: hello?
(9:35:27 PM) Sharon: bot
(9:35:42 PM) AshleyBishop8327: whats a bot? im 100% all real and natural, from tits to ass!

Written by sharon

September 20th, 2009 at 8:43 pm

Posted in Security Policy


The fickle nature of risk


Many security companies sell what they call a DLP solution. In many cases this DLP solution is a collection of regular expressions that looks for SSNs and CCNs and maybe a few other items. The limited protocol coverage and limited granularity of the engine get repositioned as built-in simplicity. Cisco and Proofpoint jump to mind, but there are many others.
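To make the "grouping of regular expressions" concrete, here is an added example (not code from the post or from any vendor named in it) of the minimal detector such an engine amounts to: a card-number pattern, an SSN pattern, and a Luhn check so that random 16-digit strings are not reported. The patterns, the sample messages and the dummy numbers are constructed for illustration; the last sample shows the kind of ordinary formatting (a number wrapped across a line break) that a pattern of this granularity does not see, which is the coverage question worth asking before buying one.

```python
import re

# Pattern of the kind a regex-only "DLP" engine ships: 16 digits with optional
# space or dash separators. Word boundaries keep it from matching inside longer runs.
CCN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# US SSN in its canonical dashed form only.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: weeds out order ids and other random 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ccns(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, separators stripped."""
    hits = []
    for m in CCN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


def scan(text: str) -> dict:
    """The whole 'DLP engine': run each pattern and report what matched."""
    return {"ccn": find_ccns(text), "ssn": find_ssns(text)}


# Constructed sample messages. 4111 1111 1111 1111 is a well-known Luhn-valid
# dummy card number and 123-45-6789 a dummy SSN; nothing here is real data.
SAMPLES = {
    "order": "Your order 1234567890123456 has shipped.",      # 16 digits, fails Luhn
    "card": "please charge 4111-1111-1111-1111, exp 12/12",   # detected
    "ssn": "payroll record for 123-45-6789 attached",         # detected
    "wrapped": "card: 4111 1111\n1111 1111",                  # missed: crosses a line break
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, scan(msg))
```

Running it reports the card and the SSN, stays quiet on the order number, and also stays quiet on the wrapped card number, which is the point: an engine of this shape knows nothing about where the data came from or where it is going, only whether a byte pattern is present.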

At the heart of this approach is an assumption that data security is just another version of network security. A credit card in an email is somehow just the same as a virus in a web download. Well, technically it might seem that way, but I would like to propose that this assumption is as far from reality as possible.

To demonstrate this point, let’s look at the nature of the risk surrounding data security. I will use a single standard, a single set of predefined “punishments”, and a similar scope of breach, with a resoundingly different outcome. I compare two incidents where PCI DSS (the payment card industry’s notorious and somewhat silly data security standard) was triggered by a complete lack of data governance, resulting in massive breaches.

The two companies are CardSystems Solutions, which lost 40 million customer records out of its Tucson office, and TJX, where over 94 million customer records were siphoned (according to the lawsuit filed against the perpetrators of that breach).

The cases are similar:

1. Both companies had very little to no data governance. (The companies will not agree to this point, but a company that sends out 94 million records whether knowingly or not has NO data governance IMHO).

2. Both companies had malware installed that siphoned off millions of records, which were then used to steal customers’ identities.

3. Both companies had an abrupt change in PCI status (fully compliant the day before the breach, non-compliant the day after – funny, and indicative of a fundamental flaw in PCI DSS).

4. Both companies accepted their responsibility with the caveat that “it was not their fault” (as if it was not their servers, their IT systems, or their lack of governance).

In spite of the above similarities, there is very little resemblance in the risk profile, as can be attested by the outcome of the breach. CardSystems ended up paying the ultimate price, cleaning up shop and being required to sell their assets to Solidus Networks (Pay by Touch). Meanwhile TJX is doing well. The discount retailer thrives in a bad economy, scooping back customers from Nordstrom and Neiman Marcus (ahem). At most, TJX’s response was summarized in a series of letters from its CEO Carol Meyrowitz.

The one difference between the two scenarios is the risk profile. CardSystems had no public face. They were one of many processors operating in the background. They could not afford the cleanup (expensive post-breach hush money to pay off the FTC, PCI members, court fees, class action payoffs, etc.). Visa, MasterCard, and Amex exercised their muscles and forced the company (now without customers) to sell its assets and cease to exist.

TJX, meanwhile, was a cash cow, making the credit card industry vast amounts of cash. A “slap on the wrist” was the most the credit card companies did to TJX. After pay-offs (hundreds of millions of dollars) all was well.

(BTW, the latter is not unique: Hannaford Brothers supermarkets had a similar incident with similar results to TJX).

So next time you hear the message that in data security “one size fits all”, I propose that you verify that the technical and business capabilities of the solution really do align with your risk profile.

/al

Written by assafl

August 14th, 2009 at 2:29 am

Well Done!


Contrust, which honored me as an advisor, was selected as a finalist in the LeWeb ’08 startup competition.

Here’s a short description of the company: 

ConTrust takes the pain out of “User Generated Content” (UGC) moderation and enables you to focus on and monetize only the content you can trust.

As the social media market blooms and reaches a ~20 billion market cap by 2013, social media moderation will play a key role in its growth and monetization models. Companies will spend time and money to leverage the real value of UGC whilst dealing with threatening, inappropriate and offensive contributed content on their platforms, and thus try to create a trustworthy environment for their customers, partners and advertisers.

Congratulations for getting selected, now it’s time to win!

Written by sharon

November 19th, 2008 at 1:09 pm

Posted in Security Policy


Palo Alto Networks’ Security Pie


Finally, some interesting security pie. Palo Alto Networks’ Application Usage and Risk Report contains lots and lots of pies. One can follow the link and read the document. Two obvious items caught my attention:

  • HTTP has become the universal application protocol
  • Obvious attempts at activity concealment continue

At this time (September 2008 ;-) ), one could think that the different security solutions would solve the different HTTP tunneling and concealment attempts. After all, there are many diverse methods, including URL filtering (to block the destination), application identification, and proxy authentication (to prevent unmanned applications, etc.).

I’m curious if and when applications will start to use 53/udp to sneak through the security systems.
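For the 53/udp case, the thing a network defender ends up looking at is the resolver’s query log, so here is an added example (not from the post or from the Palo Alto report) of a simple heuristic over it: group queries by client and base domain, and flag groups whose leftmost labels are long, high-entropy and never repeated, which is what data smuggled through DNS looks like and what ordinary hostnames do not. The log layout, the sample lines, the clients and the thresholds are all constructed assumptions; a real deployment would read its own resolver’s format and tune the thresholds against its own baseline.

```python
import math
from collections import defaultdict

# Constructed sample query log in a made-up "<epoch> <client> <qname> <qtype>"
# layout (not the format of any real resolver). 10.0.0.5 is ordinary traffic,
# including a long but repeated CDN hostname; 10.0.0.7 sends encoded-looking,
# never-repeated labels under t.example.net.
SAMPLE_LOG = """\
1221722400 10.0.0.5 www.example.com A
1221722401 10.0.0.5 mail.example.com MX
1221722402 10.0.0.5 api.example.com A
1221722403 10.0.0.5 eu-west-1-cdn-node-0042.cdn.example.org A
1221722404 10.0.0.5 eu-west-1-cdn-node-0042.cdn.example.org A
1221722405 10.0.0.5 eu-west-1-cdn-node-0042.cdn.example.org A
1221722406 10.0.0.7 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.t.example.net TXT
1221722407 10.0.0.7 b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6a1.t.example.net TXT
1221722408 10.0.0.7 c3d4e5f6g7h8i9j0k1l2m3n4o5p6a1b2.t.example.net TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-character string."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Last two labels. Real traffic needs a public-suffix list (co.uk etc.)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(log_text: str) -> dict:
    """Group queries by (client, base_domain) and summarize their leftmost labels."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        _ts, client, qname, _qtype = parts
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue                      # apex lookups carry no subdomain to inspect
        groups[(client, base_domain(qname))].append(labels[0])
    stats = {}
    for key, subs in groups.items():
        stats[key] = {
            "queries": len(subs),
            "unique_labels": len(set(subs)),
            "avg_len": sum(map(len, subs)) / len(subs),
            "avg_entropy": sum(map(shannon_entropy, subs)) / len(subs),
        }
    return stats


def flag_suspicious(log_text: str, min_unique: int = 3, min_len: int = 16,
                    min_entropy: float = 3.0) -> list:
    """Flag (client, base_domain) pairs whose leftmost labels look like encoded
    payload and are never re-used (each query defeats the cache). The thresholds
    are illustrative assumptions, not tuned values."""
    flagged = []
    for key, s in sorted(analyze(log_text).items()):
        if (s["unique_labels"] >= min_unique and s["avg_len"] >= min_len
                and s["avg_entropy"] >= min_entropy):
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for key, s in sorted(analyze(SAMPLE_LOG).items()):
        print(key, s)
    print("flagged:", flag_suspicious(SAMPLE_LOG))
```

The three conditions are deliberately combined: the CDN hostname alone is long and fairly high-entropy, but it is the same name three times, so it is not flagged, while the short names under example.com are unique but neither long nor random-looking. Only the client whose labels satisfy all three comes out, and the per-group metrics are returned so an analyst can see why.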

Written by sharon

September 18th, 2008 at 8:24 am

Dog’s DNA For Carrot and Stick Against Pooing


Reuters brings the story of Dr. Tika Bar-On, Petah Tikva’s chief veterinarian, who came up with the idea of using analysis of dog droppings to reward and punish pet owners. Under a six-month trial program launched this week, the city of Petah Tikva is asking dog owners to take their animal to a municipal veterinarian, who then swabs its mouth and collects DNA.

The city will use the DNA database it is building to match feces to a registered dog and identify its owner. Owners who scoop up their dogs’ droppings and place them in specially marked bins on Petah Tikva’s streets will be eligible for rewards of pet food coupons and dog toys.


Written by sharon

September 16th, 2008 at 12:20 pm

Posted in Security Policy
