Sameers Blog

Views on Information Risk Mgmt

Sameer Shelke

About Me

I am Sameer Shelke, Co-Founder, COO & CTO at Aujas. My work experience over the last 16 years gave me the opportunity to work with several customers, colleagues and business partners across the world.

While working for various companies (Fidelity, HP, Cisco, Microland & Microline), I have come across some very interesting experiences and people from whom I learn every day. I have had the pleasure of visiting more than 30 countries and each experience has been one to cherish and learn from.

This Blog is an attempt from me to share some of the experiences and learn from other like minded professionals.

My detailed profile is published at: www.linkedin.com/in/sameershelke

My Company information: www.aujas.com
Back to Main Page
Recent Entries
1. Economics of Security
  Monday, February 15, 2010
2. ALL is well !
  Monday, January 11, 2010
3. The Four Diplomatic Principles
  Wednesday, December 16, 2009
4. The Colombo experience - learnings for our Security posture
  Saturday, November 14, 2009
5. The Long Tail of Security
  Sunday, November 08, 2009
6. IT Amendment Act, 2008- An act to amend the IT Act 2000
  Sunday, November 08, 2009
Syndicate
March 2010

Su Mo Tu We Th Fr Sa
1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31
Recent Comments
Quick Search

Search only in titles: Keyword:

Search in:

Date Range:

Advanced Search

Basic Search
Monthly Archives
- 2010
  - February 2010 (1)
  - January 2010 (1)
- 2009
  - December 2009 (1)
  - November 2009 (3)
Category Archives
Subscribe

Sameers Blog

Economics of Security

We have always talked about the need for a proactive approach to security and its effectiveness and benefits in managing risks. E.g. it’s always more effective and economical to build secure software rather than testing and fixing it after development or in production. In fact we even learned in school with lessons which said “Prevention is better than cure”.

In risk management we come across controls which are:

Preventive: Controls which ensure than exposure don’t or can’t occur

Detective: Controls which help us capture exposures if they happen or are happening

Corrective: Controls which enable us to correct exposures

Nowadays there is lot of focus on Detective controls which includes deployment of technology solutions which detect and capture unwanted network activity, access attempts, patterns etc. Needless to say these investments and focus is fine, but we need to move our risk management posture more towards the preventive side. Which is we must do more to ensure we don’t have weak areas which can be exploited.

I recently read the book “Superfreakonomics” by Steven Levitt and Stephen Dubner. I am usually apprehensive of sequels as they never match up to the original, but gladly this book was a good read. I came across two examples in the book which illustrate the point about preventive controls.

After the 7/7 terrorist attacks in London there was a team formed to use statistical information to identify terrorists. Data points used to identify suspects were banking usage patterns such as:

- They make large deposits in cash and withdraw small amounts

- PO boxes are used as addresses and they often change

- There are regular wire transfers to other countries but always below the threshold for Bank triggering requirements

- They never use savings accounts or fixed deposits even though the account had idle money

- Transactions don’t show normal living expenses and regular out flows such as insurance payments etc.

As one can imagine it would be difficult to come up with a algorithm to make the system accurate. Let’s say a system is developed with 99% accuracy and that there are 500 terrorists in the UK, 495 of them would be identified which would be great. The problem is that with 50 million adults living in the UK the system would also wrongly identify 1% of them which is 500,000 people. This would be huge problem to manage, which is similar to the “False positive” issue in the information risk management world. Hence the best detective control system or technology would always have a false positive issue which would significantly reduce the benefits from the system.

Another example is the detective control deployed at airports which require us to remove our shoes at the security check / scan. This started after one Richard Reid tried to ignite a shoe bomb; fortunately he failed but statistically succeeds in killing equivalent of 14 lives a year in the US!

Let’s say it takes on an average one minute to remove the replace the shoes in the airport security line. In the US this happens for about 560 million times a year, which is equal to 1,065 years. Average US live expectancy is 77.8 years, which yields a total of 14 person-lives a year.

The above examples may sound dramatic (statistics and economics can be used to communicate any message depending on which side you are!). However the underlying theme makes sense, we have to focus on proactive approach to security to be more effective and economical in comparison to other approaches.

Posted by Sameer Shelke at 2/15/2010 1:36 PM | Add Comment

ALL is well !

I had the opportunity to watch “3 Idiots” which in my view is one the best Hindi movies of all times. Several things in the movie stood out, the basic theme from Chetan Bhagat’s book, the amazing adaption and modifications by Raju Hirani, the concept of “be the best in what you do and success will follow”, the astonishing transformation of Aamir Khan to a 22 year old student etc.

One interesting element of the movie is the use of “All is well” and the story behind it. Rancho (Aamir Khan) uses the words “All is well” whenever he is in trouble (including the highly melodramatic child birth!) and explains the logic behind it. When he was small they used to have an old watchman who used to roam around the streets shouting “All is well” and every one used to sleep peacefully. Only later did they realize that the watchman was actually night blind! The “All is well” shouts used to give great level of comfort to all and as he says it’s required to fool the heart once in a while.

In lot of ways we risk managers are like the watchman. Our job is to provide assurance to our organizations that “All is well”. This “All is well” feeling is seen by the general users and employees of the organization by the “visible” controls and their implementation. We often come across controls which are not “real” but more “visible”, maybe more deterrents than controls. E.g. the checking of underbellies of cars by guards at shopping malls or hotels. These guys seldom have any clue on what they are looking for; they are doing it just because someone has instructed them to do so. Worst of course is when we are asked to open the boot, they shove a metal detector inside and wait till it makes some noise and then let you pass!

In an ideal situation we should have controls which are specific, manage the risks effectively, are visible, are easy to manage, are not too expensive and don’t cause too much inconvenience. Since most of us don’t operate in the ideal world, it’s important to balance the real and visible controls. It is important to visibly inform the users that security is taken seriously and any deviation would be captured. It’s not about getting it 100% right; it’s about having something in place instead of nothing. As they say “it’s better to be approximately correct, that completely wrong”. Needless to say only having “visible” controls would be disastrous, it’s about having the right balance.

It’s our responsibility to provide assurance and the “All is well” feeling to our organization and users. Hopefully we would be doing it consciously and not as the night blind watchman of 3 Idiots.

Posted by Sameer Shelke at 1/11/2010 5:11 PM | Add Comment

The Four Diplomatic Principles

For those of us working in the information risk management space, times are challenging. For the last 12 to 14 months, the focus was on how we can get more out of our information assets while controlling the risk management costs. Now that the economy is showing signs of revival, we might get challenged with new forms of risk as organizations become aggressive and would try to regain lost ground and market share.

One key element which we need to manage always are our relationships, many times we hear ourselves say “My management doesn’t understand the value of risk management and security” or “My users just look at convenience and any controls we define are met with resistance” etc. Hence relationship management is important for us to be successful in our function (like most others I guess).

At a high level following are our interfaces or “Configuration items (CI)” (a term borrowed from ITIL!).

§ Management: They look at the strategic view – e.g. how do I grow market share?

§ Business Operations: They look at the tactical view – e.g. how do I ensure this customer
is happy?

§ Employees: They look at the convenience view – e.g. I need access to this resource
and now.

§ Security: They look at the control view – e.g. Do exactly as I say!

Each of the above CI’s would need to align for an organization to runs its business and manage risk effectively. As Risk managers and CSO’s how do we ensure this happens and everyone contributes?

Srimad Bhagavatam speaks about Catustayam—the four diplomatic principles:

§ Saama: The process of pacifying

§ Daama: The process of giving money (rewards)

§ Danda: The principle of punishment

§ Bheda: The principle of dividing

We need to effectively apply the right principle to the right CI at the right time for the right situation to get the desired result. Hence a matrix needs to be built mapping the four CI’s and the four principles, examples of which I have attempted to explain in a presentation.

The presentation is available online at:

http://www.aujas.com/presentations.html

Posted by Sameer Shelke at 12/16/2009 11:44 AM | Add Comment

The Colombo experience - learnings for our Security posture

I recently had the opportunity to visit Colombo for few days. Srilanka as a country seems to be changing rapidly after the conclusion of the unrest. The people are very positive; investments are coming in to the country and the mood is very upbeat.One still gets to see few glimpses of the war, when an old captured tank is carried on a trailer across the city. The most visible aspect is that of the “check posts” across the country. There are many police and army check posts on the roads, e.g. from the Bandaranaike International Airport to the hotel we came across at least 8 – 10 of them and we were stopped at 2.

During the day we traveled across the business areas, where too there were several check posts. What happens at the check post is interesting:

1. There is a young commando with full battle gear and an automatic assault rifle, who waves a stop signal. The commando’s are very young in their early twenties.

2. As soon as our car driver saw it, he stops the car on the left where there is a check post. (I asked the driver, what happens if you don’t stop. He said with a straight face “they shoot”)

3. At the check post the drivers lowers the window.

4. Another young commando asks a few questions

5. All Srilankan’s in the car show the commando their identification card. All Srilankan’s have an unique ID card with photo and number!

6. The commando asks about us, and the driver says we are foreigners. “India” the commando asks us, we nod, he smiles and we move on

The above takes just about 2-3 minutes even on a very busy city road. Few meters down the road is a sensitive installation (e.g. an army office) which seems to have the most impressive physical security system. Multiple layers of armed commandos, barricades, spikes on the ground, bunkers with heavy artillery etc.

Two things standout for me:

1. The security posture is serious, effective and efficient: You don’t see the commando’s relaxed, they are serious about their jobs but there is no unnecessary steps, the check is over in 2-3 minutes

2. The people know their role and comply: The Srilankan’s don’t step out without their ID card. They don’tcomplain about being stopped. An auto (yes they have Bajaj auto’s there) is stopped so is a BMW.They don’t throw their weight around. They know and appreciate the security is for them.

Needless to say there are weaknesses in the security posture also and they might not be so diligent after few months/ years when the memories of the war fade and the risk perception is lower.

There is a simple but very important learning for us here. The security posture we develop needs to be:

1. Applicable

2. Effective

3. Committed

4. Efficient

5. Accepted (by the users)

AECEA here we go another acronym!

One would say its “obvious”, a word with Dictonary.com defines as “easily seen, recognized, or understood; open to view or knowledge; evident” however we all know we tend to miss what’s in plain sight. This Colombo experience reminded me about basics of Risk management and the security posture.

Posted by Sameer Shelke at 11/14/2009 3:47 AM | Add Comment

The Long Tail of Security

Background

“The Long Tail" is a concept put forth by Chris Anderson which described the niche strategy of businesses, such as Amazon.com or Netflix, which sell a large number of unique items, each in relatively small quantities. Anderson elaborated the Long Tail concept in his book The Long Tail: Why the Future of Business Is Selling Less of More.

Anderson argued that products that are in low demand or have low sales volume can collectively make up a market share that rivals or exceeds the relatively few current bestsellers and blockbusters, if the store or distribution channel is large enough. Research showed that a significant portion of Amazon.com's sales come from obscure books that are not available in brick-and-mortar stores. The Long Tail is a potential market and, as the examples illustrate, the distribution and sales channel opportunities created by the Internet often enable businesses to tap that market successfully.

An Amazon employee described the Long Tail as follows: "We sold more books today that didn't sell at all yesterday than we sold today of all the books that did sell yesterday."

Application to Security

In the Risk management or security world we focus on the “head” which are the common or major risks we face or hear that others faced. Needless to say all our protection efforts & postures are deployed to protect against the “head risks” and rightly so. E.g. when we decide to put up some applications or services on the Internet, we ensure we protect the application against risks such as the OWASP top 10 vulnerabilities, malwares, infrastructure security etc. Content security aspects such as spam filtering, antivirus etc. become “head risks” when we talk of email systems.

Time and again we are faced with risks which lie in the “long tail” which we haven’t thought of or heard of. E.g. Terrorists hacked into the home WiFi network of Keith Heywood in Mumbai and sent out an email about their impending attack minutes before 19 explosions killed 49 and wounded more than 200 people in Ahmedabad. Since then WiFi access point security has got attention all across, with the Mumbai Police now planning to test open WiFi access points across the city and would issue notices & citations to the users found using open WiFi access points. Suddenly WiFi access point security has moved from the “long tail” to the “head” with everyone taking about it and taking appropriate protection measures.

The question which challenges us is would we face a situation where it’s said that “We got attacked more using vulnerabilities today, which were not exploited at all till yesterday than those which were exploited till yesterday”. Like what Amazon said about the Long tail.

Sounds complex isn’t it; well we are already facing this issue, “how do we protect ourselves against those seemly obscure risks which suddenly might become important”.

The answer is not simple and its implementation is possibly more difficult. What is required is a comprehensive Risk management framework which would help us identify our assets, its weaknesses, the probability of attacks and hence the risk. We should also consider the current security posture we have and then the residual risk. What is critical is that this framework needs to be “live” and “in use” all the time, doing it once won’t help. This should be part of normal business function which would help us identify new or modified risks all the time.

We can never say we are 100% safe and protected, what we owe to ourselves and our business is doing all we can to protect our information technology assets.

Posted by Sameer Shelke at 11/8/2009 9:28 PM | Add Comment

IT Amendment Act, 2008- An act to amend the IT Act 2000

The Information Technology (Amendment) Act, 2008 an act to amendthe IT Act 2000 received the assent of the President on 5^th February2009. Several legal & security experts are in the process of analyzing thecontents and possible impacts of the amendments. The objective of this note isto try and study the possible implications and impacts on Indian companies.This note is not intended to be a comprehensive analysis of the amendments, butonly certain key points which could impact Indian Companies

1. Data Protection

The IT Act 2000 did not have any specificreference to Data Protection, the closet being a provision to treat datavandalism as an offence. The Government introduced a separate bill called“Personal Data Protection Act 2006” which his pending in the Parliament and islikely to lapse. The ITA 2008 has introduced two sections which address DataProtection aspects to an extent, which gives rise to certain key considerationsfor the sector.

The sections under consideration are:

Section 43A: Compensation for failure to protect data
Section 72A: Punishment for disclosure of information in breach of lawful contract

Section 43A states

Where a body corporate, possessing, dealing or handling any sensitivepersonal data or information in a computer resource which it owns, controls oroperates, is negligent in implementing and maintaining reasonable securitypractices and procedures and thereby causes wrongful loss or wrongful gain toany person, such body corporate shall be liable to pay damages by way ofcompensation, to the person so affected.

By way of explanation: “Body corporatemeans Indian companies”

“Reasonable security practices mean a mutualcontract between the customer and service provider OR as per the specified law.In absence of both then as specified by the Central Government”

Hence it would be important for Indian companies to seriously look at SLA’s andagreements which have been signed with clients to understand the dataprotection implications. The same goes for understanding the applicable laws.

A major modification is that this clause doesn’tmention the compensation limit of Rs. 1 Crore which was there as part ofsection 43 of the ITA 2000. This implies that there is no upper limit fordamages that can be claimed. This essentially is “unlimited liability” forIndian companies, which could cause serious business implications.

Section 72A:

Under this section disclosure without consent exposes a person including an "intermediary" to three years imprisonment of fine upto Rs.Five lacs or both.
This section uses the term “personal information” and not“sensitive personal information” as in section 43A. Hence it could apply to anyinformation which is obtained in order to deliver services. Hence in some waysbroadens the definition of information.

2. Information Preservation

Across the amendments there are several references to “service providers” or“intermediaries”, which in some form would apply to all Indian companies.

e.g. Section 67C: Preservation and Retention ofinformation by intermediaries.

Intermediary shall preserveand retain such information as may be specified for such duration and in suchmanner and format as the Central Government may prescribe”. Any intermediarywho intentionally or knowingly contravenes the provisions shall be punishedwith an imprisonment for a term which may extend to 3 years and shall also beliable to fine.

The notifications on time for preservation etc.are not yet released. However since this is a “cognizable” offence any policeinspector can start investigations against the CEO of a company.

Apart from the two aspects discussed in this note, there are other areas whichcould also be considerations for E.g.Section 67C: Preservation and Retention ofinformation by intermediaries

The notifications on time for preservation etc.are not yet released. However since this is a “cognizable” offence any policeinspector can start investigations against the CEO of a company.

Apart from the two aspects discussed in thisnote, there are other areas which could also be considerations for E.g.

Sec 69: Power to issue directions forinterception or monitoring or decryption of any information through anycomputer resource.

Sec 69B: Power to authorize to monitor andcollect traffic data or information through any computer resource for CyberSecurity.etc.

In summary, IT Risk management and responseneeds to be looked at by all companies for various reasons including customerassurance, compliance, customer regulations, protection of information assetsetc. The ITA 2008 amendments provide us with few additional factors forconsiderations which could have significant impact on business. Informationtechnology regulations and laws would only get more stringent and defined;hence it’s imperative for organizations to be aware and prepared.

Posted by Sameer Shelke at 11/8/2009 2:58 PM

About Me

Back to Main Page

Recent Entries

Syndicate

Recent Comments

Quick Search

Monthly Archives