<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Twenty-Four Seven Security</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/" />
    <link rel="self" type="application/atom+xml" href="http://www.ebizq.net/blogs/news_security/atom.xml" />
    <id>tag:www.ebizq.net,2008-10-13:/blogs/news_security/36</id>
    <updated>2009-04-23T15:07:26Z</updated>
    <subtitle>Peter Schooff&apos;s blog is a daily look at what&apos;s going on in the world of computer security with an emphasis on how it affects businesses.</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type Pro 4.21-en</generator>

<entry>
    <title>Heartland Data Breach a Failure of PCI: Mike Rothman Explains</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2009/02/harland_data_breach_a_failure.php" />
    <id>tag:www.ebizq.net,2009:/blogs/news_security//36.16283</id>

    <published>2009-02-11T19:02:00Z</published>
    <updated>2009-04-23T15:07:26Z</updated>

    <summary>Mike Rothman is Senior Vice President of Strategy for eIQnetworks, and many of you are familiar with him for sharing his security expertise right here on ebizQ. In this podcast we discuss the recent fiasco at the Heartland Payment Systems data...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
    <category term="databreach" label="Data Breach" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="eiqnetworks" label="eIQ Networks" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="heartlandpaymentsystemsdatabreach" label="Heartland Payment Systems Data Breach" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mikerothman" label="Mike Rothman" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="pci" label="PCI" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
        <![CDATA[<p>Mike Rothman is Senior Vice President of Strategy for <a href="http://www.eiqnetworks.com/">eIQnetworks</a>, and many of you are familiar with him for sharing his security expertise right here on ebizQ.  In this podcast we discuss the recent fiasco at the Heartland Payment Systems data breach: what happened, how it could have been avoided, and what the threatscape looks like ahead.</p>

<p>Listen to or download the 9:25 podcast below:</p>

<p><a href="http://www.ebizq.net/blogs/news_security/PSRothman2.mp3">Download file</a></p>

<p><strong>---TRANSCRIPT---</strong></p>

<p><strong>PS: So for anybody that's not aware, can you just give me a quick overview of the Heartland data breach?</strong></p>

<p>MR: Sure.  Heartland Payment Systems is actually one of the credit card processors so they're kind of -- think about them as a little bit one-step removed.  So you got a merchant, you got the merchant's clearing bank and then you have a credit card processor.  So these guys are, again, two steps removed from the actual customer but the bad news is they actually see a huge amount of data.  </p>

<p>And a few of their servers on their payment network were compromised with network sniffers or key loggers that were basically stealing data off of the wire or the network as it was passing by.  So it's still not clear how many credit card records were actually stolen.  It ranges from 10 to 15 million up to -- it could be 400 to 600 million depending, again, just based upon the volume of payments that these guys actually see.  </p>

<p>I think fiasco is the right term because, again, hats off to the bad guys on this one -- or gals, right, because they targeted not just the bank but kind of the central repository where almost everything is and they did it successfully.</p>

<p><strong>Wow, that's pretty scary.  Now, why exactly is this considered a failure of the PCI requirements?</strong></p>

<p>Well, Heartland was PCI certified.  I think they got their stamp in April.  And to have compromised servers to be able to steal that much data.  Again, even in the best case scenario where it's only 15 to 20 million different credit card records, that's still fairly significant from that perspective.  So it makes you wonder about how useful PCI still is as a metaphor for security.  I mean, listen, at the end of the day, PCI prescribes 12 different requirements that tend to be good common sense security practice.  </p>

<p>But I think a lot of people fell into the false delusion that somebody that's PCI compliant is somewhat immune to being compromised or immune to hackers.  And I think that from the perspective of what Heartland showed us and what Hannaford Brothers, which is only maybe three or four million identities last year, but they were also PCI compliant.  </p>

<p>What this shows us is that compliance does not equal security and we really have to kind of really scrutinize the requirements that are within PCI to figure out whether -- obviously, they're still relevant at what level but where does PCI need to go now given that there've been two high profile breaches of PCI compliant organizations.</p>

<p><strong>What exactly should Heartland have done to have stopped this?</strong></p>

<p>Well, there's one school of thought that says there's really nothing that an organization can do to truly stop these kinds of attacks, right.  It's not clear how they got in or compromised the perimeter.  It's not clear to what degree the damage was done.  It's not clear how long the software was on these servers that was basically stealing data.  </p>

<p>So part of my whole philosophy which, of course, I shared when I was working with you guys at ebizQ is really this whole concept of reacting faster and monitoring your environment much more effectively.  Now, the attackers always leave a trail.  Now, the latest press reports have kind of indicated that the malware or the rogue files were found in an unallocated portion of disk on these servers.  Well, that could mean almost anything, right.</p>

<p>That's not an indictment that says, oh, it was something that was done outside of the operating system, nobody could figure out how to do it.  It may be just that the malware was actually deleted from the file system when they realized that they may have gotten caught from that perspective.  </p>

<p>So, again, I mean, I think that what is important for folks like Heartland and everybody else to understand is that the attackers do leave a trail and that monitoring for things like application changes, configuration changes, network flow data, that will all contribute some little data point to what is actually happening out there.  I think that's important to keep in mind and that's something that a Heartland and anybody else that handles that amount of credit card data really needs to take a lot more seriously.</p>

<p><strong>So is there a specific application you would say would've pinpointed this problem?</strong></p>

<p>Given that the Super Bowl was last week, right.  The old adage of the Tuesday morning quarterback always completes the pass.  Sure, I mean, but the reality is, without having a lot more information about the actual attack, it's really hard to kind of definitively sit there and say if they did this, they would not have been immune.  What you want to do is stop it before it becomes a total catastrophe, right.  </p>

<p>And that's the difference between maybe in their case a million identities just given the volume of credit card transactions that they see versus what could potentially be 400 million identities.  So I think a lot of it gets back to, again, looking at not just the log data, looking at your configurations, looking at kind of your network flows, and really looking for anomalies.  </p>

<p>Because, listen, it was an unnatural act whatever it was.  It wasn't supposed to be there.  If they were monitoring performance, (Inaudible) characteristics on some of these servers.  If they were monitoring the flow of traffic on the network, they should have seen kind of data being sent from one server inside the network all the way out -- somewhere outside the network.  That is foreign traffic.  That is something that shouldn't happen in any kind of PCI compliant type of environment.</p>

<p>So those are clues, right.  You're never going to get a smoking gun.  But what you're looking for are enough clues to figure out that you have a problem and to launch a firm investigation as quickly as you can.</p>

<p><strong>Now, as you used to be ebizQ's resident security expert, any other threats you can scare us about right now or maybe, hopefully, calm us down a little bit as well.</strong></p>

<p>Well, with this kind of technology, which is really, think about it like a masking technology, right.  It's in there and what it's doing is it's just listening.  And again, those are hard to detect because you're not doing anything different, you just have something looking over your shoulder.  And whether it's a sniffer or a key logger, that's exactly what this technology does.  And by the way, this isn't new stuff, right.  </p>

<p>Key loggers have been around for at least seven to ten years.  Sniffers will -- gosh, sniffers have been around for 20 years because a lot of network people use them to detect problems on their network.  So this is older technology that's being used for malicious intent.  And this kind of attack is -- it can do all sorts of different things, right.  Most of the phishing attacks, most of the trojans and zombies, which we certainly talked about a lot on the show in the past.  </p>

<p>All of that -- this is all the same technology.  What they're trying to do is catch you in your daily activities, figure out what it is you're doing, and in effect mine that data for the stuff that's important to them, right.  I do all sorts of stuff on my computer.  Most of it isn't relevant to somebody that's trying to steal my identity.  </p>

<p>But every so often, I'll go to my bank.  I'll kind of check my e-mail and enter a password, so on and so forth.  That's the stuff that these guys are looking for.  And the big difference now between now and a couple of years ago is the fact that they're just much more effective at mining that data.  So they get scads and scads of data, terabytes of data that they get and they're getting better at finding that needle in a haystack, which is a password, an account number, a credit card number, or CVV2, any of those kinds of information.  </p>

<p>They can check and they can find that data in their big stolen data set and that's where they're really doing the most damage.</p>

<p><strong>Well great, Mike, thanks so much for the info.  I'd ask everybody listening to check Mike out at Security Incite and as well as eIQnetworks.  I imagine you guys must have some interesting stuff going on.  </strong></p>

<p>We do and, again, PCI is something that we work with a lot of customers on to help them put the right defenses in place as well as, again, the right kind of documentation, which is critical for compliance.  So you never like to see a breach but we do think that folks can certainly do things a little bit more effectively.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Question Everything: Malware Hits the Real World</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2009/02/question_everything_malware_hi.php" />
    <id>tag:www.ebizq.net,2009:/blogs/news_security//36.16263</id>

    <published>2009-02-06T16:37:09Z</published>
    <updated>2009-02-06T18:08:12Z</updated>

    <summary>During my time as an undergraduate philosophy student, &quot;question everything&quot; was a catchphrase I heard often enough.I never thought about applying it to my parking tickets, though. (Oh yes, I saw plenty of those in college whenever I dared to...</summary>
    <author>
        <name>Jessica Ann Mola</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=60</uri>
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
        <![CDATA[During my time as an undergraduate philosophy student, "question everything" was a catchphrase I heard often enough.<br /><br />I never thought about applying it to my parking tickets, though. (Oh yes, I saw plenty of those in college whenever I dared to park in an "illegal" lot on campus.)<br /><br />Drivers in a midwest U.S. city should have taken the catchphrase to heart. According to <a href="http://www.money.co.uk/article/1002745-public-conned-by-fake-parking-tickets-in-first-real-world-hacker-scam.htm">a money.co.uk article yesterday</a>, <b>drivers in Grand Forks, North Dakota were tricked into downloading viruses on their computers by fake parking tickets.</b><br /><br />While the cars were parked in city lots, hackers stuck yellow "tickets" on their windshields. According to the article, the "tickets" stated that the vehicle was "in violation of standard parking regulations," instructing recipients to visit a website to "view pictures with information about your parking preferences."<br /><br />Red flag number one: "pictures with information about your parking preferences." What does that even mean?<br /><br />The hackers attempted to be smart, though. According to the article, they <b>created a "hugely convincing website"</b> with pictures of cars in real Grand Forks locations.<br /><br />Once on the website, drivers were told to download a tool bar to search for images of their vehicle. At that point, <b>"the 'Vundo Trojan' was released onto their computer," followed by "numerous other malicious applications, including a fake anti-virus scanner,"</b> said the article.<br /><br />The attack is thought to be "<b>the first 'real world' scam successfully orchestrated by hackers</b>, although experts predict that it is unlikely to be the last," the article said.<br /><br />Which brings up the question (in my mind, at least): what counts as a "real world" hack? 
The fact that the hackers branched out from scamming people just through computers and code, and went right for their "real" lives? We could get even more philosophically deep about this and ask why using the Internet or a computer doesn't count as "real" life (when I'm sure the average American spends several hours a day planted in front of a computer screen). But I won't go there right now.<br /><br />Have you heard of any other so-called "real world" hacks like this one? ]]>
        
    </content>
</entry>

<entry>
    <title>This Page May Not Be What You Think It Is</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2009/01/this_page_may_not_be_what_you.php" />
    <id>tag:www.ebizq.net,2009:/blogs/news_security//36.16034</id>

    <published>2009-01-07T20:36:59Z</published>
    <updated>2009-01-07T22:04:46Z</updated>

    <summary>A trans-Atlantic team of security researchers recently announced that they had hacked a heavily used component of browser security. The team was able to break into the Public Key Infrastructure (PKI), which is used to issue digital certificates for secure...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
        <category term="Hackers" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="md5" label="MD5" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="pki" label="PKI" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="security" label="Security" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
        <![CDATA[A trans-Atlantic team of security researchers recently announced that they had hacked a heavily used component of browser security. The team was able to break into the Public Key Infrastructure (PKI), which is used to issue digital certificates for secure websites. The breach was accomplished by exploiting a weakness in the MD5 cryptographic hash function: a collision weakness that allows different messages to be constructed with the same MD5 hash.<br /><br />The technique could be used to mass-produce forged certificates and undermine the "web of trust" that allows authenticated websites to receive sensitive information from users, by allowing hackers to set up realistic mirror websites and large-scale phishing operations. The mock attack exploited a known MD5 weakness -- one that had frequently been pointed out in the past. While most authentication has moved away from the aging system, MD5 remains in use by roughly a quarter of certificates. With more and more businesses relying on web apps for traditional computing tasks, it is more important than ever to know how your company's information is being encrypted.<br /><br />But sorry for the misleading title, as this page is exactly what you think it is.&nbsp; Peter Schooff's blog on ebizQ.&nbsp; You are right here.&nbsp; At least I think you are :)<br /> ]]>
        
    </content>
</entry>

<entry>
    <title>Will Government Take the Lead in Securing the Web for Your Business?</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2008/12/will_government_take_the_lead.php" />
    <id>tag:www.ebizq.net,2008:/blogs/news_security//36.16019</id>

    <published>2008-12-30T17:59:51Z</published>
    <updated>2008-12-30T20:51:58Z</updated>

    <summary> A recent report by the Center for Strategic and International Studies urged the incoming administration to take a leading role in protecting both the public and private sectors on the web. The report was compiled by a group of...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
    <category term="centerforstrategicandinternationalstudies" label="Center for Strategic and International Studies" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="sea" label="SEA" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="security" label="Security" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
        <![CDATA[<div style="margin: 1ex;">
<div>
<p><font size="2" face="Verdana">A recent report by the Center for Strategic and International Studies urged the incoming administration to take a leading role in protecting both the public and private sectors on the web. The report was compiled by a group of more than sixty experts from various positions within the security industry.</font></p>
<p><font size="2" face="Verdana">What are some of the recommendations? No more passwords -- the future of effective security will depend on what is known as "strong authentication" (this can range from serial device identification to physical confirmation).&nbsp; Further recommendations include the creation of a semi-centralized cyber security agency, a drastic restriction of general access, and closer cooperation between the government and business. More than anything else, the report emphasized the need for a less market-based approach -- protecting the enterprise should be part of an overall approach to national cyber security. If you are interested in how the new administration's approach could affect your business's security plan, download the full report.</font></p>
<p><font size="2" face="Verdana"><a href="http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf" target="_blank">http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf</a></font></p>
</div>
</div>]]>
        
    </content>
</entry>

<entry>
    <title>The Danger of Low and Slow Attacks: Mike Rothman Explains</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2008/12/the_danger_of_low_and_slow_att.php" />
    <id>tag:www.ebizq.net,2008:/blogs/news_security//36.14912</id>

    <published>2008-12-17T18:56:29Z</published>
    <updated>2008-12-17T19:24:06Z</updated>

    <summary>What follows is my Q&amp;A with Mike Rothman. Many of you will remember Mike Rothman as a very popular columnist and podcaster for ebizQ, among other places, and Mike has now moved on to become Senior Vice President of Security...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
        <category term="Podcast" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="eiqnetworks" label="eIQ Networks" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="lowandslowattacks" label="Low and Slow attacks" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mikerothman" label="Mike Rothman" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="podcast" label="Podcast" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="security" label="Security" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
        <![CDATA[<p>What follows is my Q&A with Mike Rothman.  Many of you will remember Mike Rothman as a very popular columnist and podcaster for ebizQ, among other places, and Mike has now moved on to become Senior Vice President of Security Strategy for <a href="http://www.eiqnetworks.com/">eIQ Networks</a>.  In this podcast, we discuss Mike's move, then dive into detail on 'low and slow' type attacks -- how to recognize them, and how to stop them -- and then I ask Mike what type of attacks we can expect in the year ahead.</p>

<p>Listen to or download the 9:42 minute podcast below:</p>

<p><a href="http://www.ebizq.net/blogs/news_security/PSRothman.mp3">Download file</a></p>

<p><strong>---TRANSCRIPT---</strong></p>

<p><strong>Can you just give me a quick rundown of your past few months and how you came to join <a href="http://www.eiqnetworks.com/">eIQ Networks</a>?</strong></p>

<p>Sure Pete.  I mean it was kind of really kind of an interesting process because I was pretty fortunate in that I wasn't really looking for a job, right.</p>

<p>I was doing some work with you guys at ebizQ.  I was, obviously, kind of had a successful public speaking and consulting and analyst/research business.  But it turned out to be an interesting opportunity at EIQ Networks.  It was really driven by the president, a guy named Jim Geary who I had previously founded a company with back in the late 90s. </p>

<p>So we decided and we've been looking to do something together for a long time and then when he got the opportunity to do EIQ and it makes sense for me to think about doing it as well.  It was something that it just felt right from the standpoint of interesting market segments, and security and compliance management, great team, interesting opportunity and market from that perspective.  So it was just one of those things where a lot of things had to go right for me to decide to make the jump and it turned out that it did.</p>

<p><strong>So now, what exactly are the characteristics of low and slow attacks and how can they be detected?</strong></p>

<p>That's actually an interesting thing that we've detected over at EIQ Networks.  And what we do just for a little bit of background is we have a security and compliance management platform that really gathers and aggregates a lot of the traditional security information, and network information, and configuration information, and performance information that's happening out there in a technology infrastructure aggregated into our -- I'll call it a correlation machine. </p>

<p>And really look for interesting relationships and look for potential attack scenarios as well as really correlate a lot of that information to try to pinpoint specific attacks.  And one of the things that we have really detected is what I'll call a low and slow attack, which is an attack that from the get go, is designed to be evasive.  So back in the history of kind of Internet crime, it used to be the attacks were much more about brute force.  They were about trying to knock a network down, doing denial of service, and really trying to create havoc from that standpoint. </p>

<p>But now that the objective of many of these attacks is much more about crime than it is about actually trying to log down a network, the attackers are trying to remain undetected.  They're trying to steal information over and over again so it makes a lot more sense for them to adopt a much more patient type of structure to compromise a network.  So what I mean by that is they'll take over a server and then they'll wait, right. </p>

<p>They'll compromise a device and then they'll wait for maybe a week, maybe two weeks until everything seems to be back to normal, and then they'll do it again and get a little bit deeper into the network, and then a little bit deeper, and a little bit deeper.  And this whole attack may take months but in most cases, the attacker will remain undetected and for them that's a much more important thing than kind of the quick easy hit so that's kind of a low and slow attack. </p>

<p>And in order to detect those, you have to be able to maintain a long history of what's happening in your environment and not disregard a lot of that data.  So a lot of the existing security management products out there, actually just look at two or three days worth of data and if somebody kind of attacks one of these or uses one of these low and slow type of attack vectors, that is not going to become detected by the security products.  So what we do at EIQ is we actually gather 90 days worth of traffic in our correlation machine and use that to really try to detect not just low and slow attacks but pretty much every other attack that's out there as well.</p>

<p><strong>That's interesting.  Now, how can you tell if your company is a prime target for one of these attacks and what exactly is one of the best ways to prevent them?</strong></p>

<p>Well, I would actually say that every company is a target for pretty much every attack, right.  A lot of the attackers, Pete, they're working on the lowest hanging fruit principle, right, which is there are literally millions and millions of places to attack they're going to focus on the places where they have the highest likelihood of being successful and obviously with some kind of economic benefit to them for perpetrating that attack.</p>

<p>So folks that have a lot of Internet facing activities, so if you do customer service, or if you have an order system that you host yourself, or if you do logistic management, you're obviously a target for pretty much all of these attacks.  So let's use an example like Hannaford Brothers, which was -- that was a big PCI oriented attack but it really targeted all their stores and targeted their point of sale systems. </p>

<p>But that was a typical kind of attack in that, again, these guys laid low and then they started compromising these devices and stealing the point-of-sale data before it got encrypted to send back to the processing plant.  So from that standpoint, again, I think that everybody is a target to these kinds of attacks and the way to prevent them is again to really have an idea about what's happening in your infrastructure and just looking at IDS logs, or IPS logs, or firewall logs, that's not really enough. </p>

<p>What you have to do is also look for other indications of an attack, right.  So not only do you have to have the data from your log system that says, hey, you know something funky may be happening because my IPS fired and firewall fired for any number of different reasons, or you got some router ACL types of log events. </p>

<p>But then you want to check for other corroborating evidence for what may be happening out there so that could be a configuration change.  So again, going back to the example of Hannaford Brothers, if you were monitoring the configurations on those servers that were hosting the point-of-sale application, you would have seen a different configuration, you would have seen a new executable loaded onto that machine and known something was kind of funky. </p>

<p>Then, if you were actually looking at the network flow data, for example, you would have detected that there was kind of strange traffic from that server back to a place outside of the network, which is uncharacteristic of what you would see.  So if you're paying attention, again, I have this whole thing back when I was a columnist for you guys, I kind of used this whole idea of react fast, right, especially to application oriented types of attack. </p>

<p>You're never going to get out ahead of that threat but by you doing in a savvy fashion actually looking at what's happening in your infrastructure and looking for anomalies, you can't detect that these attacks are happening and then, again, try to react faster before you have a catastrophe on your hands.</p>

<p><strong>So people can find you at EIQ Networks then?</strong></p>

<p>Yeah, you bet, EIQNetworks.com, that's where we're at.  Right now, and anonymously I'm still blogging at securityinsight.com as well on my hobby site.  But as we talked about before, Pete, you know having a day job I have to spend most of my time focused on the EIQ Networks thing.</p>

<p><strong>Now, to take a step a little bit back, and back to your ebizQ role, as you were our main security brain here, besides low and slow attacks, what other types of attacks do companies need to be worried about in this upcoming year?</strong></p>

<p>Interestingly enough, Pete, listen there are always going to be kind of new attacks du jour, right.  There are a whole bunch of new different SOA-based attacks.  There are a whole bunch of different web oriented attacks and you know what, the only thing I know in 2009 is that we're going to have more of those attacks.  And I don't know what they are yet.  But the thing I think a lot of customers need to be really focused on is how can they do their activities and really operate their security infrastructure more effectively and more efficiently.  And that gets back to automation. </p>

<p>That's one of the things at EIQ that we really hammer on which is they're going to be new attacks which means you have to bring in new devices and those new devices take new people to actually manage.  And then you get into the math problem, right.  So if over the next couple of years you're going to bring a couple more products in and each one of those products requires a couple more people.  Guess what?  That math looks pretty ugly when we're in an economic situation that says not only can you not add people, in many cases you may have to contract and certainly work a lot more effectively. </p>

<p>So automation to me in 2009 from a security standpoint, automation is really kind of the key words because you can't do it all yourself, you can't wade through all the crap that's happening out there, all the attacks that are the really been perpetrated against your organization.  So what organizations -- what successful organizations are going to need to do is strategically automate what they're doing much more effectively than they're doing today.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Microsoft&apos;s Bid to Secure the Future</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2008/11/microsofts_bid_to_secure_the_f.php" />
    <id>tag:www.ebizq.net,2008:/blogs/news_security//36.14809</id>

    <published>2008-11-24T18:35:39Z</published>
    <updated>2008-11-24T18:38:24Z</updated>

    <summary>Embedded in the recent flood of announcements from Microsoft was the company&apos;s new security strategy. The software maker announced that it will be ending its retail product, Windows Live OneCare, as well as Equipt (the SaaS offering that OneCare was...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
    <category term="microsoft" label="Microsoft" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="saas" label="SaaS" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="security" label="Security" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="windowsliveonecare" label="Windows Live OneCare" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
<![CDATA[<p>Embedded in the recent flood of announcements from Microsoft was the company's new security strategy. The software maker announced that it will be ending its retail product, Windows Live OneCare, as well as Equipt (the SaaS offering that OneCare was also bundled into). The cancellation of both its traditional software and its repackaged SaaS counterpart (Equipt's coming less than a year after its release) illustrates the company's inability to gain ground against traditional stalwarts like McAfee and Symantec -- both companies having built a business on securing Windows operating systems with a combination of add-on software and subscription fees.</p>

<p>Along with this abrupt departure the company revealed its next moves into the future of internet security. To replace its desktop offering Microsoft revealed two completely new server-based security developments: a free consumer version slated to come out in mid-2009 and an enterprise-level SaaS product to be released sometime in 2010. Microsoft's new strategy seems based on the premise that the old model for security services is no longer viable. The free consumer version especially appears to be an attempt at undercutting its competitors' profit model.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Industries Most At Risk from Web Attacks</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2008/11/industries_most_at_risk_from_w.php" />
    <id>tag:www.ebizq.net,2008:/blogs/temp_news_security//36.11751</id>

    <published>2008-11-11T19:26:09Z</published>
    <updated>2008-11-20T08:46:08Z</updated>

    <summary>What industries are at the highest risk for getting Web-delivered malware? It&apos;s not publishing, media, finance or education; sectors often considered information focused, search heavy and high risk. A recent vendor report showed that the opposite may be true, citing...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
        <![CDATA[<p>What industries are at the highest risk for getting Web-delivered malware? It's not publishing, media, finance or education; sectors often considered information focused, search heavy and high risk. A recent vendor report showed that the opposite may be true, citing a number of more traditional industries as having higher than average malware breaches.</p>

<p>According to the latest <a href="http://www.scansafe.com/" target="_blank">ScanSafe</a> research, the top 5 industries most at risk of Web-delivered malware are: <br />
 <br />
1. Energy & Oil – 156% heightened risk compared to other verticals <br />
2. Pharmaceutical & Chemical – 152% heightened risk <br />
3. Engineering & Construction – 116% heightened risk <br />
4. Transportation & Shipping – 96% heightened risk <br />
5. Travel & Leisure – 44% heightened risk <br />
 <br />
Besides refuting the notion that younger sectors of the economy are at higher risk than older ones, ScanSafe's research reveals the vulnerability of industries that have a critical bearing on infrastructure and intellectual property rights.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Get BPM Results Now! Talking With Appian</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2008/10/get_bpm_results_now_talking_wi.php" />
    <id>tag:www.ebizq.net,2008:/blogs/temp_news_security//36.11750</id>

    <published>2008-10-23T18:00:44Z</published>
    <updated>2008-11-20T08:46:08Z</updated>

    <summary>Editor&apos;s Note: Anyone interested in how BPM is transforming the insurance industry should definitely attend the &apos;BPM for Insurance: Are You Staying Competitive?&apos; Webinar coming this Tuesday, October 28th. Sign up here. What follows is my podcast with Samir Gulati,...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
<![CDATA[<p><em>Editor's Note: Anyone interested in how BPM is transforming the insurance industry should definitely attend the 'BPM for Insurance: Are You Staying Competitive?' Webinar coming this Tuesday, October 28th.  <a href="http://www.ebizq.net/webinars/10285.html" target="_blank">Sign up here</a>.</em></p>

<p>What follows is my podcast with Samir Gulati, Vice President of Marketing for <a href="http://www.appian.com/" target="_blank">Appian</a>.  Samir has 15 years of enterprise software experience, and in this podcast we discuss how BPM is transforming the insurance industry; we also offer a quick glimpse at what will be covered at Appian's upcoming Webinar, <a href="http://www.ebizq.net/webinars/10285.html" target="_blank">BPM for Insurance</a>, which will be moderated by <a href="http://www.ebizq.net/blogs/insurance/">Deb Smallwood</a>, ebizQ's Community Manager for Insurance.</p>

<p>Listen to or download the 7:45 minute podcast below:</p>

<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/PSInsAppian.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/PSInsAppian.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/PSInsAppian.mp3">Download file</a></p>

<p><strong>---Transcript---</strong></p>

<p><strong>How should companies new to BPM first get started?</strong></p>

<p>So Peter, we normally give advice around three dimensions.  First of all, pick small projects that can be completed in 60 to 90 days, so you can show rapid results and then bite off a bigger project; many times companies get involved in trying to improve a very big business process end to end and get stuck in internal politics.</p>

<p>So the first advice we give is start small and show quick results again.  The second one is big projects with a lower risk and high impact.  So we normally plot projects around an axis, so when we're first talking to our customers we say pick the ones that have low risk but have medium to high impact, so that if they go astray you can quickly fix them.</p>

<p>And then finally, we say pick something internal which is customer facing just so you get familiar with the technology and the methodologies and get buy-in internally.  So a typical process might be HR onboarding, or your internal procurement process, or some other purchase order approval process.  Something that you have relatively well defined internally but you want to automate and improve, and sort of picking something which is immediately customer facing.  And once you have experience with the internal process, it becomes so much easier to then take on projects that are more customer facing.</p>

<p><strong>That makes a lot of sense.  Now, why are so many companies in the insurance industry now focusing on improving their business processes?</strong></p>

<p>So there are two primary reasons.  I think that processes are ineffective and they're inefficient.  So let's just talk for a second about each one.  They're ineffective because most of the processes today are kind of linear and sequential but were designed many years ago to be paper-based or phone-based with kind of a single thread.</p>

<p>What's happening today is that exception handling is becoming much more complex with all the industry rules and regulations that have to be incorporated and the processes are becoming multithreaded in order to improve cycle time.  So that is why a lot of these processes need to be re-architected.  </p>

<p>And then finally, they really lack flexibility in the way that they've been implemented, so that's one of the reasons why insurance companies need to focus on improving the process.  On the inefficiency side, there are multiple handoffs.</p>

<p>Many of the steps are unautomated and the more handoffs you have, the more chance of literally work falling between the cracks, falling on the floor as Forrester calls it.  So that's where they need to make sure a lot of these processes are automated and insurance companies who’ve done that immediately see a lot of cost savings and impact to the bottom line.</p>

<p><strong>Now would you agree that the insurance industry is one of the industries that has the most to gain from BPM and what would you say those gains would be?</strong></p>

<p>Yeah, absolutely.  Across the insurance industry, people are now looking at some of the key business processes, and I'll talk about that in a minute, and really looking at their end-to-end process and saying how can I improve this.  And most of the time, there is significant IT savings upfront.  But more importantly, the return on investment from a business perspective, cycle time reductions, productivity savings, customer service improvements are things that they begin to see over a period of time.</p>

<p>So there are both IT cost savings due to productivity as well as reusability, but more importantly, a lot of the key business metrics that they focus on from a customer perspective have started seeing significant gains.  And so all across insurance, I think insurance is one of the industries which has been at the forefront of actually using process management technology.</p>

<p><strong>Interesting.  Now, what types of processes are many insurance providers focusing on in their BPM initiatives and what sort of results have they realized?</strong></p>

<p>Sure.  So there are both processes that are kind of back office and customer facing.  So let me start with the back office ones first.  Claims management is something that's very commonly improved using BPM technology: how they handle their customer claims in the back office, and more importantly, how they handle exceptions to those customer claims, because many of them are routed straight through a process but a few of them have exceptions and normally it takes a while to make sure those exceptions are handled appropriately.  So claims management is one that is improved using BPM.</p>

<p>New product introduction: many insurance companies have improved their new product introduction cycle times and, more importantly, new product introduction trials.  So if they want to try, for example, a new insurance product in a particular geography or particular demographic, very often they've used BPM to try that and see if it works, implement it more widely, otherwise roll it back to the previous process.  And a lot of BPM technologies can actually do it.  So both new product introductions and kind of new product trials is an area that insurance companies have used.</p>

<p>And finally, customer service: at the end of the day, insurance companies are looking for consistency and reliability in their customer service operations, and a lot of BPM tools help the customer service reps either manage the call appropriately, get routed internally to the right people, document the customer service issue, and then report back to the customer.  So BPM tools are being used widely in the customer service area as well.</p>

<p><strong>Right.  Now what do you see for the future of BPM in the insurance industry?</strong></p>

<p>Peter, the future is very strong.  I think the more insurance companies are aware of some of the benefits that other companies have begun to see, the more they’re jumping on the process management bandwagon.  I'll give you one example.  A very, very specific process in the reinsurance space is something that we are looking at, at Appian, with a partner called SMART that we will be talking about during the Webinar.</p>

<p>They have built a reinsurance application using BPM.  So there’s so many different areas that BPM can be deployed to help insurance companies.  And more importantly, they're beginning to use BPM to better align business and IT, because BPM does it very well and promotes reusability.</p>

<p>And finally, I think what business leaders in the insurance industry are beginning to see is that while their core gain might be productivity improvements, or better cycle time, or better customer service, all of them are getting better visibility into their business and they can run reports and see exactly where their -- what processes are working well and what need to be improved.</p>

<p>And BPM is giving them the flexibility to change their business process to respond to changing market conditions.  In today's economic climate, with the financial crisis and so on, the financial services industry crisis, it's becoming more and more important that they have the flexibility to change their business processes on a dime, and that's really what BPM provides to the insurance industry.</p>

<p><strong>Very interesting. This is ebizQ’s Peter Schooff.  And I want everyone listening to make sure they sign up for the <a href="http://www.ebizq.net/webinars/10285.html" target="_blank">BPM and Insurance: Are You Staying Competitive?</a> Webinar coming up this Tuesday, October 28.</strong></p>]]>
        
    </content>
</entry>

<entry>
    <title>Does the Financial Crises Make Us Less Secure?</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2008/10/does_the_financial_crises_make.php" />
    <id>tag:www.ebizq.net,2008:/blogs/temp_news_security//36.11748</id>

    <published>2008-10-15T12:55:55Z</published>
    <updated>2008-11-20T08:46:08Z</updated>

    <summary>According to an article over at Dark Reading, all the bad news about the financial crises in fact makes banks more vulnerable to social engineering and spear-phishing type attacks. I guess in an industry that makes sure to kick a...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
<![CDATA[<p>According to an article over at <a href="http://www.darkreading.com/document.asp?doc_id=165537&WT.svl=news1_5" target="_blank">Dark Reading</a>, all the bad news about the financial crisis in fact makes banks more vulnerable to social engineering and spear-phishing type attacks.</p>

<p>I guess in an industry that makes sure to kick a dog when it's down, all the high anxiety in banking has made bank employees more likely to fall prey to the attacks of hackers and cyber-scum.  And in a banking era when you have to be ready for almost anything, that means everyone is less ready to defend themselves against messages that purport to be from an auditor, or a message that appears to be about the company's welfare.</p>

<p>Last week, the CTO of Errata, a security company, was mistaken for a federal auditor and was able to gain access to an unoccupied office, where he made off with a computer backup tape full of transaction data.  Others say that this isn't entirely true, that in fact banks have always made easy prey.</p>

<p>So no matter how bad the news gets at your bank, just stay away from suspicious emails and funny-looking auditors, and for the time being, maybe banks should just return to the interoffice memo that's dropped in your inbox.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Good and Bad Security News</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2008/10/good_and_bad_security_news.php" />
    <id>tag:www.ebizq.net,2008:/blogs/temp_news_security//36.11746</id>

    <published>2008-10-06T15:08:38Z</published>
    <updated>2008-11-20T08:46:08Z</updated>

    <summary>According to a new study by the Computer Security Institute, companies have clearly begun to feel the effects of two new types of attacks in the past year, those being targeted attacks and DNS vulnerabilities. The Computer Security Institute will...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
        <![CDATA[<p>According to a new study by the Computer Security Institute, companies have clearly begun to feel the effects of two new types of attacks in the past year, those being targeted attacks and DNS vulnerabilities.</p>

<p>The Computer Security Institute will be releasing their 13th Annual Computer Crime and Security Survey in a <a href="https://www.techwebonlineevents.com/ars/eventregistration.do?mode=eventreg&F=1001127&K=4CI" target="_blank">webcast</a> this Wednesday, Oct. 8, and the full report will be available after.  In a preview of their findings, based on a study of 500 enterprises, the effects of the two new types of attacks are clearly being felt.</p>

<p>CSI Director Robert Richardson said he was struck by the fact that 27 percent of the respondents said they had been hit by a targeted attack this past year.  A targeted attack is defined as an attack directed exclusively at the individual enterprise or a specific business group.</p>

<p>"We've heard a lot of warnings from security researchers about targeted attacks, but what this data says to me is that these attacks are really happening," Richardson says. "They may have been hypothetical a few years ago, but these are a reality today."</p>

<p>The same is true for DNS vulnerabilities, where design flaws in the Internet's basic naming structure have been revealed that can't be easily repaired and have opened up a Pandora's box of exploits.  Ten percent of the survey respondents reported DNS-style attacks, up from 2 percent the previous year.  "What's scary about that is that it's growing, yet the flaw is inherent in TCP/IP, and can't be easily patched," Richardson said.</p>

<p>So what's the good news?  Numerous threats were down.  Insider threats have returned to normal levels (about 42 to 48 percent), which makes one wonder if last year's rise was simply due to hype.  Also, laptop thefts, wireless abuse, and denial of service attacks were all down, but this being security, not totally out.</p>]]>
        
    </content>
</entry>

<entry>
    <title>System Error or Human Error</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2008/09/system_error_or_human_error.php" />
    <id>tag:www.ebizq.net,2008:/blogs/temp_news_security//36.11744</id>

    <published>2008-09-26T19:59:47Z</published>
    <updated>2008-11-20T08:46:08Z</updated>

    <summary>I have a pretty fair number of readers for this blog (even though I&apos;ve been a bit lax lately, but I&apos;m back to blogging full-time again), but according to an article over at Dark Reading, I&apos;d have a lot more...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
<![CDATA[<p>I have a pretty fair number of readers for this blog (even though I've been a bit lax lately, but I'm back to blogging full-time again), but according to an article over at <a href="http://www.darkreading.com/document.asp?doc_id=164473&WT.svl=news1_6" target="_blank">Dark Reading</a>, I'd have a lot more readers if my blog appeared as a pop-up in the middle of your screen and told you your system was about to crash unless you read all of my blog entries from beginning to end (I don't even do that, and I write them).</p>

<p>A study by the North Carolina State University Psychology Department found that participants were fooled by phony system error messages 63 percent of the time, meaning they clicked the OK button on the fake alert instead of just closing it. These error messages were similar to those in Windows XP but with a few differences, like a flashing black and white background, or one that changed the cursor to a hand when placed over the box.</p>

<p>This study was done on 40 undergraduates, who were not told the actual purpose of the study but instead were told to rate different health-related websites.  The researchers found that even getting hit with multiple warnings didn't improve the students' ability to distinguish the good from the bad.</p>

<p>One solution for this problem would be for the vendors to create more unique and noticeable pop-up warning messages, but as one could probably figure, those could be quickly copied too.  Another method would be, instead of pop-ups, simply have a vendor rep skydive to that person's backyard or rooftop to warn them about a system error, but that probably wouldn't work either, as nobody likes answering the door when they're typing at a computer.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Getting the Most Out of SOA With Governance: Jason Bloomberg Explains</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2008/09/getting_the_most_out_of_soa_wi.php" />
    <id>tag:www.ebizq.net,2008:/blogs/temp_news_security//36.11742</id>

    <published>2008-09-15T19:41:40Z</published>
    <updated>2008-11-20T08:46:08Z</updated>

    <summary>Editor&apos;s Note: Interested in optimizing your SOA, then you cannot miss ebizQ&apos;s upcoming virtual conference on SOA Governance, which you can sign up for right here. What follows is my podcast with Jason Bloomberg, Managing Partner and Service Oriented Architecture...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
<![CDATA[<p><em>Editor's Note: Interested in optimizing your SOA? Then you cannot miss ebizQ's upcoming virtual conference on SOA Governance, which you can sign up for <a href="http://www.ebizq.net/events/governance/" target="_blank">right here</a>.</em></p>

<p>What follows is my podcast with Jason Bloomberg, Managing Partner at the Service Oriented Architecture industry analysis and advisory firm <a href="http://www.zapthink.com/" target="_blank">ZapThink, LLC</a>.  In this podcast we discuss SOA Governance and also offer a quick introduction to ebizQ’s upcoming <a href="http://www.ebizq.net/events/governance/" target="_blank">SOA Governance Virtual Conference</a> coming this September 24th, where Jason will participate in a panel discussion.</p>

<p>Listen to or download the 5:24 minute podcast below:</p>

<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/PSZapThink.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/PSZapThink.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/PSZapThink.mp3">Download file</a></p>

<p><strong>--------TRANSCRIPT--------</strong></p>

<p><strong>How important is governance to SOA?</strong></p>

<p>Well, governance is really the key to making an SOA project successful.  The challenge SOA projects have is that we are building services and we're implementing these services that support flexible business needs, so the business can implement business processes in a more flexible way.</p>

<p>And this will only work if the business is able to be responsible for those services and take control over the business processes that they build by leveraging those services.  So you wouldn't be able to do this unless the IT organization is able to empower the business and give them the responsibility and capabilities that they need in order to achieve this level of agility.  And that's where governance comes in.  Without governance, IT is never going to be able to give that level of responsibility to the business.</p>

<p><strong>What are the differences between design time, runtime, and change time SOA governance?</strong></p>

<p>Well, this is one of the challenges when you look at SOA governance: there are a lot of different aspects to it.  Basically, when we talk about governance, we're talking about creating, communicating, and enforcing policies that are important in an organization.  So within the context of SOA governance, if you're just looking at really the narrow view of SOA governance, which is governance of the SOA initiative, well that initiative breaks down into these three areas.</p>

<p>You have design time governance issues where you're creating the services, and implementing them, and publishing them, discovering them as well.  So for developers or other people on the team who want to find a service to be able to implement it in a production environment, all of those are design time activities and the organization is going to have policies that apply to all of those.</p>

<p>So what are your policies for discovery?  What are your policies for when to create a service versus when to reuse a service?  How do you go about publishing services?  All of these are design time governance issues.  So runtime governance is really more of the management side of things.  Once the service is deployed, it’s up and running.  Well then, how do you maintain quality of service levels for it?  How do you maintain the security policies for it?</p>

<p>All of these are runtime governance issues.  But SOA also involves what we call change time, where you can reconfigure and recompose services without necessarily doing any new development work, so it is not necessarily a return to design time, although there may be some additional development that we might need to do as well.</p>

<p>But even when you don't have any new service development, you may still have a reconfiguration, recomposition of services, and you need to have policies for that as well.  So what are those policies focused on?  How are services composed into processes?  How are you going to share services at runtime as the needs for those services change over time?</p>

<p><strong>That makes a lot of sense.  Now what types of tools do companies need to buy to help them with their SOA governance strategies?</strong></p>

<p>Well, as you might expect, there are a range of different tools that provide for SOA governance.  On the design time side, there are a number of repositories that don't just store SOA-related artifacts but that also manage the policies that are related to those artifacts.  So how are you going to publish them, and discover them, and create them, and deploy them?</p>

<p>And then on the runtime side, you have runtime SOA governance, which as I said consists of management tools.  So you have SOA management tools that go in there and both discover as well as enforce the policies at runtime, so you may have a policy enforcement point that enforces service security policies or a management tool that runs as an agent that may enforce a quality of service policy, for instance.</p>

<p><strong>Right.  Now which people in a company need to be involved just to make sure that the SOA governance is going to be successful?</strong></p>

<p>This is one of the tricky parts of SOA governance: it's fundamentally important but it does involve different people at different parts of the project.  So early on in the initiative, when it's just in the planning stage, it's very important to tackle SOA governance early on, because if you don't think through issues like service versioning, and service maintenance, and discovery over time, then you're not going to be able to achieve the business benefits SOA promises.</p>

<p>So early on, you have the architect team as well as participation from operations, from security, as well as the lines of business who are driving the business process aspect of the story.  As the project moves on, the focus moves more toward deployment and now operations is even more involved.  This is one of the challenges many organizations have: they think of SOA as an architectural initiative that is implemented by your application development team, but it has to run in a runtime environment, and now it's operations, security, the network people who have to support it, and so they have to be involved in governance as well.</p>

<p><strong>This is ebizQ’s Peter Schooff having spoken with ZapThink’s Jason Bloomberg.  If you have any questions on SOA governance, make sure you log onto ebizQ and ask them so we can address them during the <a href="http://www.ebizq.net/events/governance/" target="_blank">SOA Governance Virtual Conference</a> coming this September 24th.</strong></p>]]>
        
    </content>
</entry>

<entry>
    <title>People as an Impediment to Efficient Processes: Fujitsu Speaks from Gartner&apos;s BPM Summit</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2008/09/people_as_an_impedement_to_eff.php" />
    <id>tag:www.ebizq.net,2008:/blogs/temp_news_security//36.11741</id>

    <published>2008-09-12T20:17:35Z</published>
    <updated>2009-03-26T08:54:33Z</updated>

    <summary>So I&apos;m rushing around in the gigantic Gaylord National Hotel in DC, and I&apos;m late for a meeting, and I&apos;m trekking along what seems like miles and miles of hallways, and I&apos;m wondering if someone shouldn&apos;t open up a small...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
        <![CDATA[<p>So I'm rushing around in the gigantic Gaylord National Hotel in DC, and I'm late for a meeting, and I'm trekking along what seems like miles and miles of hallways, and I'm wondering if someone shouldn't open up a small airline in the hotel to get people from one side to the other, and I can't find my ebizQ team anywhere, and now I'm even later for the meeting, and I think to myself: us humans sure can be inefficient at times.</p>

<p>And a bit later I sit down with Keith Swenson, the VP of Research and Development of <a href="http://www.fujitsu.com/global/services/software/interstage/bpm/" target="_blank">Fujitsu</a>, and he starts talking about Fujitsu's Interstage BPM suite, and he tells me, in our rush for process efficiencies, there is one big element we often overlook: the human element.  And I immediately think to myself, Yep, I sure can relate to that!!  </p>

<p>Keith goes on to give me the best phrase of the summit, what he calls 'Process Confabulation,' and I'd love to explain it to you, but Keith does a much better job explaining it himself.  Give the 3 minute 48 second podcast a listen below.</p>

<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/PSFujitsuDC.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/PSFujitsuDC.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/PSFujitsuDC.mp3">Download file</a></p>]]>
        
    </content>
</entry>

<entry>
    <title>Any Chinks in Google&apos;s Chrome Armor?</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2008/09/any_chinks_in_googles_chrome_a.php" />
    <id>tag:www.ebizq.net,2008:/blogs/temp_news_security//36.11739</id>

    <published>2008-09-03T21:02:07Z</published>
    <updated>2008-11-20T08:46:08Z</updated>

    <summary>Forbes has an interesting take on Google&apos;s new browser, which, while the announcement was somewhat surprising, seems inevitable. Google controls the steering wheel of the internet, so why shouldn&apos;t they just go ahead and supply the whole damn car (work...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
<![CDATA[<p>Forbes has an interesting take on Google's <a href="http://www.forbes.com/home/2008/09/02/google-browser-chrome-tech-enter-cx_ag_0902chrome.html" target="_blank">new browser</a>, which, while the announcement was somewhat surprising, seems inevitable.  Google controls the steering wheel of the internet, so why shouldn't they just go ahead and supply the whole damn car (work with me here, I'm just trying to keep in the same tone as 'Chrome').</p>

<p>Google's announcement of the Chrome browser did shed some light on one of the company's past acquisitions. When Google acquired the California startup Greenborder back in May 2007, the value of the company's security expertise to the search giant was less than clear. Now, with its new browser serving as the intermediary between the web and the user's desktop, Google has to be at the top of its security game.</p>

<p>Google's security innovations in Chrome are part of the company's continuing efforts to rein in malicious parties and keep users happily clicking on their sponsors' ads. Chrome introduces "sandboxing," a means of confining a Web application's interaction with the computer within a virtual boundary. </p>

<p>At a time when Web applications are growing in both popularity and complexity, sandboxing limits the ability of web processes to communicate with anything but the browser. While sandboxing definitely adds another solid layer of protection, many security experts believe that it does not offer any special guarantees against breaches for Chrome.</p>

<p>Java had attempted a similar concept by limiting a program's access in code, but was unable to protect against a number of bugs that were exploited. The success of Chrome's launch may rest on the ability of its engineers to find and fix the bugs before they are exploited.</p>

<p>Makes you wonder what cybercriminals will think about being sent to the sandbox...one thing's for sure, you better keep a close watch on your sand shovel.</p>]]>
        
    </content>
</entry>

<entry>
    <title>The Illegal Tender of Identity Theft! A Sobering Talk with Jefferson Wells</title>
    <link rel="alternate" type="text/html" href="http://www.ebizq.net/blogs/news_security/2008/08/whats_the_deal_with_40_million.php" />
    <id>tag:www.ebizq.net,2008:/blogs/temp_news_security//36.11738</id>

    <published>2008-08-20T17:00:28Z</published>
    <updated>2009-03-26T08:55:54Z</updated>

    <summary>What follows is my podcast with Don Ulsch, Privacy Subject Matter Expert for Jefferson Wells. Don has more than 25 years of diverse experience in risk management and privacy and recently published the book, &quot;Threat, Managing Risk in a Hostile...</summary>
    <author>
        <name>ebizQ</name>
        <uri>http://www.ebizq.net/MT4/mt-cp.cgi?__mode=view&amp;blog_id=36&amp;id=1</uri>
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.ebizq.net/blogs/news_security/">
<![CDATA[<p>What follows is my podcast with Don Ulsch, Privacy Subject Matter Expert for <a href="http://jefferson-wells.com/" target="_blank">Jefferson Wells</a>.  Don has more than 25 years of diverse experience in risk management and privacy and recently published the book, "Threat, Managing Risk in a Hostile World," and in this podcast we go into detail on the recent explosion of ID thefts.</p>

<p>Listen to or download the 9:18 minute podcast below:</p>

<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/PSJeffersonWells.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/PSJeffersonWells.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/PSJeffersonWells.mp3">Download file</a></p>

<p><strong>--------- TRANSCRIPT ---------</strong></p>

<p><strong>Now, can you just give me a quick overview of what exactly happens so that 40 million personal records were just recently compromised?</strong></p>

<p>Yeah, absolutely.  We don't know a tremendous amount because those details will be released at different points during the trial.  But we do know that approximately 11 criminals, and that's really what they are, I mean these were real criminals around the world, Eastern Europe, Asia, and the U.S., are accused of the theft and sale of approximately 40 million credit and debit card numbers, conspiracy to commit these frauds, and the actual theft-related crimes.  </p>

<p>There are a series of computer-related crimes that they could also be charged under, fraud and identity theft.  And basically, what they did was that they were able to penetrate into the wireless computer networks of a lot of companies: TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, a restaurant, Barnes and Noble, the bookstore, Sports Authority, Forever 21, and DSW.  </p>

<p>So they actually were able to install sniffer programs that were used to capture these credit and debit card numbers as well as the passwords, and then they were able to process that, sell those cards, and people who would buy those cards could simply go to ATMs, or wherever and receive cash in return for the transaction. <br />
<strong><br />
That's a big number of companies, sort of a mis-Fortune 500, I guess.  Now, I can imagine a lot of companies are thinking, I've been spending a lot of money on security but why in the world does this keep happening to us?</strong></p>

<p>It's a good question and it's a question that a lot of companies do ask because a lot of them, as you say, they say, hey, we're spending a sizeable piece of our budget.  And there are a number of reasons that it is not working as well and that they're not as well defended as they believe would be justified by the amount of the expenditures in security.  And the reasons are these:</p>

<p>This is a very complex set of crimes and I believe that it will be proven during this trial that we're going to see the emergence and the overtones of things like organized crime, narcotics trafficking, possibly terrorist financing, which are all elements of money laundering.  And so it's globally distributed, there are multiple legal, and adjudication jurisdictions.  There are multiple compliance requirements that often create conflict so there are lots of people involved across a lot of countries.</p>

<p>Many of these crimes take place beneath the traditional radar screen.  Companies have a false sense of security, and so if they keep doing one thing and they think it's working, a lot of times they don't look at what else might be happening in that environment.  So all of a sudden they get hit with this big crime, it goes on for several years potentially, like these went on, I think, for approximately three years, and it could be very devastating for these companies.  </p>

<p>But the process of laundering money is multilayered and that really is part of this complexity.  There are levels of anonymity when these people are doing these transactions so it's very hard sometimes to actually see who's doing what to be able to identify them immediately and to go out and stop them from doing it.  </p>

<p>So a lot of companies spend money on treating elements of the problem but we don't see a lot of companies treating this as holistically as they might and that is part of the problem.  It's sort of like if you take a patient that is ill and you treat them for pneumonia when they actually have cancer but that you haven't identified and that's part of the problem.  </p>

<p><strong>That's interesting.  So then what would you say do companies need to do to start addressing the whole problem to stop this from happening?</strong></p>

<p>Well, the key thing, Peter, is really this.  The number one issue is you've got to get a certain level of recognition that this is a problem, number one, and that you can be impacted by it.   So you've got to get the attention of the board of directors, either the audit or the risk committee, or the CEO, and get them to acknowledge that this is a problem.  </p>

<p>So it requires examining the condition and the situation, looking at these crimes, what is the business impact of that where it's happened before, and then translate that into what is the potential business impact for your organization?  And you need to look at that potential impact from four different ways.  What is the financial impact, the regulatory or statutory impact, the reputational impact, and the legal impact?  </p>

<p>Because when these things occur, those are the four areas that are going to translate into what is the business impact on your organization.  If you take, for example, that there is a certain cost per compromised file, numbers vary but let's say it's between $200 and $300 per file, and you start looking at multiplying that number by 40 million cards, that's a big number, it's in the $200 to $300 million plus range, and that's before you start looking at any of the civil litigation costs and settlements that may occur, and we know that those are occurring as a result of these crimes.  </p>

<p>The other thing is that it requires a transition.  In my view, it requires a transition from a regulatory-based privacy program to a risk-based privacy program.  And what I mean by that is that good compliance doesn't necessarily make for good security.  But good security will usually make for good compliance, plus give you the additional benefit of providing improved integrity in your information environment.  </p>

<p>So if you are working to provide a strict regulatory environment that may be good when the regulators come in, but it's not good enough to prevent or reduce the likelihood that these crimes are going to occur in your environment.  <br />
<strong><br />
Gotcha.  That actually makes a lot of sense.  Now, are there other key risks out there that companies are looking the wrong way on, or just simply aren't addressing, that they need to know about now?</strong></p>

<p>Well, I'll tell you what seems to be attracting a lot of interest when I go around the country and speak at a number of different private and public forums, and that is the concern over intellectual property and trade secret theft.  And there's actually linkage between identity theft and intellectual property and trade secret theft.  </p>

<p>And here's the linkage.  Both personal information and intellectual property and trade secrets have value when it comes to money laundering.  So organized crime views these things, personal identification, intellectual property, and trade secrets, as legal tender, or actually illegal tender.  So it doesn't matter to them what the actual product is, or the element, or the component.  </p>

<p>All they know is that if they take that and sell it illicitly after they've stolen it, it provides revenue for them.  So if we look at what happens to personally identifiable information that is acquired through identity theft, and we look at the theft of intellectual property and trade secrets, it does often involve organized crime, international narcotics trafficking, which provides a lot of the terrorist financing around the world.  </p>

<p>And the linkage here is clear.  There's approximately $1.5 trillion of annual drug profits produced every year.  Those drug profits need to be turned into clean money.  And identity theft and the theft of intellectual property and trade secrets are just simply one way in which to do that.  Now, what's also driving intellectual property and trade secret theft is the demand for countries to join the engaged, join global electronic commerce, join the developed nations, and move from developing nation status to developed nation status, and that puts information at risk.  </p>

<p>So if you look at, for example, China's Program 863, it is literally a blueprint of all the technology, the engineering, and energy products and designs that are required to move to that next economic level in a developed nation.  So I am looking at the rise of economic espionage as being the next great threat.</p>

<p><strong>So now, you've already sort of given us an idea of the future, but will there ever be a time when these attacks will be done, or through, or over?</strong></p>

<p>No, I don't think so.  I mean the history of conflict and crime is very long and it dates to the beginning of history and that's why we're not going to see an end to this.  We may find a change in tactics, which are driven by technology and culture.  We may see a change in the actual targeting of the certain types of information but as long as information has value, then we are going to see a risk to that information.  That's very clear to me.</p>]]>
        
    </content>
</entry>

</feed>

