March 2011

data loss redux: thinking organically

Originally posted to Black Cats and Smoke and Mirrors

A little while ago I wrote about DLP, or Data Loss Prevention, and how the term is something of a red herring because, in reality, everything we do is about preventing data loss; ergo, the concept can’t be neatly productized. I still feel that way.

However, a few days after I posted it, I was contacted by a fellow named Pablo Osinaga, who has co-founded a startup called Kormox. He wanted me to see his company’s DLP solution, profiled by SC Magazine.

After reading SC’s blurb on the subject, I was quite intrigued, and arranged a web/phone meeting with Mr. Osinaga. For a little over an hour, we discussed Kormox and the concept of DLP.

As I said, DLP is a very difficult concept to productize. Everyone needs to prevent the loss or leakage of data, but everyone — every enterprise, every business, every organization, even every person — has different data and different types of data that they need to protect. Some organizations are concerned with mobile data; some are concerned with file shares; some are concerned with PII; and so on. No one vendor — no one product — has a fully comprehensive DLP solution because what DLP means is so dependent on each organization’s mission and needs, which not only differs among organizations but can be subject to change within an organization over time.

One of the first things that Mr. Osinaga mentioned, in presenting his company’s solution, was that enterprises have become more organic and less structured. I could not agree more. I have worked for many different security solutions vendors, and I hear over and over about the “special snowflake syndrome”, how every organization thinks they are “different” in some way, but they are really all the same. The trend, with every security vendor I’ve worked with, is to pigeonhole potential and existing customers, to basically tell them that they can’t have what they say they want, to fit them to the solution that the vendor has, in their infinite wisdom, envisioned and created. Yet as time goes on, and as Mr. Osinaga noted, enterprise structure is becoming more fluid, less definable, and less able to be pigeonholed.

Kormox’s solution starts with data classification. It’s so simple, and so logical. Of course you have to classify your data. But it’s not enough to say “I have to protect medical records” or “I have to protect credit card numbers”. In the DLP-productization game, vendors talk about what kind of data you want to protect, and then they talk about how they’re going to protect it, but they don’t really cover the territory of what, exactly, your data means to the people who are using it. That’s your problem.

And that’s how Kormox differentiates itself from the crowd: data classification is a major step, and it involves finding out not only what the data is (as opposed to merely what kind of data), but the flow of the data: where it is, who is using it, how they use it, where it’s going, where it’s been, and so on. All this is part of the classification, and it brings DLP back to the true “asset management” model of Information Security, where the asset is the data itself, not the (often fungible) hardware on which it rests.

After the data has been classified, the product allows the asset owners to implement controls in a similarly organic fashion. In essence, it takes the organization from the situation of “I know I need to protect our data” to “I know where and what all our data is, how it’s used, and what controls are on it” — something that no other DLP solution does.

I’m not laboring under an illusion that this product is perfect; no product could be. But I do think that Kormox is going in a necessary direction with their concept of data flow as a part of classification. At the moment it’s a bit clunky looking, but from what I saw in our meeting, it is definitely worth a look.

I’d like to note that I am in no way compensated for writing about Kormox; I’m writing about it because Mr. Osinaga contacted me as a result of my last DLP article, and so I thought it was only fair to talk about what I found out in our meeting.

Dumb computer virus story recidivus

A few days ago, I noted a very silly news story about someone getting hit with a computer virus. Well, maybe the administrators don’t know all that much about malware, and maybe a smaller local paper reporter didn’t know all that much about it, either.

But now the story has been taken up by a company that makes security software. A “Microsoft Gold Certified Partner,” according to their Website. A company that makes antivirus software. And their story is just as silly, or even worse.

They say the local admin “stated that, the virus is classified as harmful and they are being quite alert.” I suppose that is all well and good, but then they immediately say that, “[a]ccording to him, the anti-virus firms were not able to recognize it …” So, AV firms don’t know what it is, but it is classified as harmful? Oh, but not to worry, “the good part is that it doesn’t seem to do extensive harm.” So, it’s harmful, but it’s not harmful. Well, of course it’s not harmful. It only “collects information and details, such as bank accounts and passwords …” No possible problem there. (Oh, and, even though nobody knows what it is, it’s Qakbot.)

Right, then. Would you be willing to buy AV software from a firm that can make these kind of mistakes in a simple news story?

APT! Kill it! Kill it!! Kill it!!!

Argh! Another dozen APT stories in the last couple of days! Will no one rid me of this meddlesome buzzword?

(No, I don’t expect an answer to that question. Yes, I know it’s a media meme. I just wish security professionals, who should know better, would stop using it.)

Quick tip: in order to identify useless stories that use the term, check to see if the author, at the beginning, clearly defines what an APT is. Those that do not are garbage. (That would be all of them.) Is it advanced? No, APTs use malware we already know about: viruses, trojans, remote access trojans (RATs), keyloggers, that sort of thing. APTs use social engineering (aka “lying”) in order to get users to install malware. (That’s hardly new or advanced.) Is it persistent? Well, in many cases that’s true: a lot of these attacks go on over time, but that’s not particularly new: even Cliff Stoll’s “wiley hacker” kept it up for years. (Don’t know who Cliff Stoll is? Kids these days. Go away and do some actual research and learn about the field before you start trying to tell me that APT is an actual thing.) Is it a threat? Yes, but so are a lot of things.

The latest article I’ve seen, this morning, says that an “APT occurrence is a low-frequency high-impact incident.” Oh, good. An APT is a Black Swan. As Lady St. Hillier would say, “Good. Very specific.”

Codegate 2011

Korean is a tricky language. It is probably the easiest language on the planet to read and write in, especially for geeks.

It takes literally hours to learn: if you have any background in breaking codes as a hobby, you will be able to learn to read and write Korean fully, within the day. Now you can read signs, read most of the newspaper and decipher the airplane safety card on Korean Airlines.

But reading is not understanding, and this is where the trap springs. While its writing is possibly the easiest of all languages, the vocabulary/grammar part is one of the hardest that exist. Forget hash functions: identical Korean sentences can look totally different just because you’re speaking to your father instead of your son; Ask a few native Koreans how to say “the Apple is red”. I have 3 different answers so far (with no resemblance whatsoever to one another). The real code here is the semantics. It’s like doing a simple XOR cypher to a book cipher. What a clever trick.

But by the time I hit the brick wall with the honorifics, Subject-Object-Verb and impossible pronunciation I was already too deep in to stop. Plus, I never let security by obscurity stop me. Though in this case, I have to mention they’ve perfected their obscurity to impressive levels.

So I was very excited when I was asked to speak at Codegate 2011 in Seoul. It looks like a really fun conference. If you are in Seoul or the area, I recommend it.
I will be speaking on April 5th, and don’t expect too much: the Korean part of my lecture won’t go beyond Annyeong haseyo and je ireum eun Abiram imnida. And even that will be with incomprehensible pronunciation so bad they might have to subtitle that part.

In any case, if you are in the conference, come say hello and test my Korean. Just don’t be offended if I get my honorifics completely wrong.

Update: The correct date is April 5th and not as I originally wrote.

The decline of credit cards

At the BC ISMS User Group meeting last week we were concentrating on the relationship between the ISO 27000 family of standards, and the PCI-DSS (Payment Card Industry Data Security Standards, usually just known as PCI).  PCI-DSS is of growing concern for pretty much anyone who does online retail commerce (and, come to that, anyone who does any kind of commerce that involves any use of a credit card).

It kind of crystalized some ideas that I’ve been mulling over recently.

Over the past year or so, I’ve been examining some situations for small charitable organizations, as well as some small businesses.  Many would like to sell subscriptions, raffle tickets, accept donations, or sell small, specialty items over the net.  However, I’ve had to consistently advise them that they do not want to get involved with PCI: it’s way too much work for a small company.  At the same time, most small Web hosting providers don’t want to get involved in that, either.

The unintended end result consequence of PCI is that small entities simply cannot afford to be involved with credit cards anymore.  (It’s kind of too bad that, a decade ago, MasterCard and Visa got within about a month of releasing SET [Secure Electronic Transactions] and then quit.  It probably would have been perfect for this situation.)

Somewhat ironically, PCI means a big boost in business for PayPal.  It’s fairly easy to get a PayPal account, and then PayPal can accept credit cards (and handle the PCI compliance), and then the small retailer can get paid through a PayPal account.  So far PayPal has not created anything like PCI for its users (which is, again, rather ironic given the much wilder environment in which it operates, and the enormous effort phishing spammers make in trying to access PayPal accounts.)  (The PayPal Website is long on assurances in terms of how PayPal secures information, and very short on details.)

This is not to say that credit cards are dead.  After all, most PayPal purchases will actually be made with credit cards: it’s just that PayPal will handle the actual credit card transaction.  Even radical new technologies for mobile payments tend to be nothing more that credit card chips embedded in something else.

These musings, though, did give a bit more urgency to an article on F-commerce: the fact that a lot of commercial and retail activity is starting to happen on Facebook.  Online retail transactions aren’t new.  They aren’t even new in terms of social networks or a type of currency created within an online system.  Online game systems have been dealing with the issue for some time, and blackhats have been stealing such credits and even using them to launder money for a number of years now.  However, the sheer size of Facebook (third largest “national population” in the world), and the fact that that entire population is (by selection) quite affluent means that the new Facebook credit currency may very quickly balloon to an enormous size in relation to other currencies.  (We will leave aside, for the moment, the fact that I personally consider Facebook to be tremendously divisive to the Internet as a whole.  And that Facebook does not have the best record in terms of security and privacy.)  Creation of wealth, ex nihilo, on a very, very large scale.  What are the implications of that?

Dumb computer virus story

I really don’t know who is more ignorant here, the city authorities “protecting” the computers, or the journalist writing up the story

If you know anything about the technology, this is howlingly funny (or, it would be, if it weren’t so sadly representative …)

“Officials at Nanaimo city hall are desperately working to find out how a virus attacked their computer system Wednesday afternoon.”

(Oh, oh!  Pick me!  I can tell you!  You didn’t tell people NOT TO CLICK ON RANDOM ATTACHMENTS THEY GET IN STRANGE EMAIL MESSAGES AND SUPPOSED E-CARDS!!!)

“Per Kristensen, director of information and technology, said he was shocked by how quickly the virus infected the system.

“The first time anyone anywhere in the world noticed this new virus was on [March 15] and then it hit us on the 16th,” he said Thursday.”

(How many new viruses are “created” every day, these days?)

“People can be assured that all their information is secure. Protection of their personal information is a priority. The city’s system won’t be turned on until we are confident we have this solved,” he said.

(Ummm, how are you going to clean up the computers if they are turned off?)

“Kristensen said the virus is so new, it has no signature that security devices can recognize.”

(Let me guess: a certain antivirus in a yellow box couldn’t recognize it, so you figure that nobody can, right?)

“We’ve got multiple levels of protection and firewalls, but nothing recognizes this.”

(Yeah, firewalls do a GREAT job against viruses …)

“We may have to shut down throughout the weekend and we won’t put the system back up until we know we have this under control. And right now, we don’t know how long that will be.”

(Based on this, I’m not holding my breath …)