Saturday, July 2, 2011

Forget DLP, think PLD - the Professional Loser of Data

DLP is the technology of choice when it comes to data protection. However, in the past few months we have been seeing a plethora of incidents which show the presence of antibodies in the system.

Antibodies or bacteria in an environment protected by DLP are PLDs. A PLD is a Professional Loser of Data and I am not surprised that most of the PLDs are in Government. Or in high places.

Take for instance the Adarsh scam - no sooner had they started talking of big names than files started disappearing. The files in the Navy, Mantralaya, Mumbai Municipal Corp and the Environment Ministry have all been lost.

Then we had the CWG scam and saw more PLD action. At first the government supported Mr K by allowing him to continue being the boss and let loose his PLDs. Well, these PLDs did a good job and we read about missing files :)

Radia tapes and Wikileaks are great examples of big time PLDs at work.

The latest PLD operation, shockingly, or should I say expectedly, was enabling the loss of files relating to the Gujarat riots by the Gujarat government. The PLDs did this four years back and it has come to light in an RTI application. And the Gujarat riots are still under investigation! This just shows the professional capability of the people in power, the PLDs, who were likely to be screwed. The government cites the data retention timeframe as the reason why the documents were destroyed, saying all actions were taken strictly by the book.

Now, as I write about this, I wonder why the CBI did not discover the loss of documents when they were arresting Minister Shah. Or maybe one should not be surprised considering the recent incidents where they have thrown cases. 

So, as information security professionals, when we go to plug data leaks and consider insider risks we usually think about disgruntled employees or accidents. It is time to think about the bacteria, the antibody - the PLD. And remember, no DLP system will be able to detect or control this guy's actions.

Friday, May 6, 2011

Oops I got hacked... no no raped.... no no no I got HAPED !

In conversation with a friend we jokingly talked about the situation arising out of the hacking news and the gobbledy gook dished out as an explanation by the hackee CEO. 

Having a drink later, I had a Eureka moment and conceived the theory of Haped.

Haped, my friends, is a new cyber term for being hacked - the reason why it is "haped" is because the site (or organization) has been raped. 

Once haped, life is never the same. Your hidden fruit has been tasted and a million explanations will not bring back your innocence, your original configuration, your OEM feel, or your default settings... that virgin state. It's like the crack in a mirror which is always there when you are looking at yourself and you will keep telling the world how the hape did not disclose the holes.

The Theory of Hape (abridged):

- Every system or technology environment is built with known or unknown holes all over, waiting to be penetrated and exploited.
- After a hape, weak controls and dirty data are exposed to the world and management has to run around trying to save their reputation, jobs and more.
- Hape is inevitable if one thinks that having devices, AV and certifications means total security! Anyone living in such a fool's paradise must be prepared with red-faced excuses followed by ulcers, resignations and silly accusations aimed at all and sundry.

Corollary 1:
When buying security services with an L-1 mentality you are bound to get the feeling of The Emperor's New Clothes - sooner or later you will be hapee (no pun intended).

Corollary 2:
If haped, talk and walk straight. Jalebi (Gobbledy gook) stories drive away sympathy or help and bring ridicule.

HAPE: a cyberworld term coined to mean a site or system that has been hacked. It is a combination of the words hacked and raped which (sort of) mean the same thing in their respective worlds. 

THE EMPEROR'S NEW CLOTHES: A story about an egoistic king who believes he is wearing a robe that is invisible to the lower class, whereas he isn't wearing anything.

MAJOR OR MINOR HAPE: Small incidents like a Website defacement, iframe attack, or a large scale incident like a DOS attack, data theft etc.

You got breached ... as bad as being forced into losing your V  

Thursday, January 13, 2011

An arrow or a bullet once fired...

Being a lawyer is good business and when you are hurt it does not matter what you pay your lawyer or how much you pay!

I wonder how much the lawyer told his client beyond the FUD spiel and how anyone can think that things like arrows, bullets and emails can be recalled. How can any CEO think that a data breach can just be closed?

Consider these two news items - one in India and the other across the world in California. 

- Ratan Tata has moved the Supreme Court asking that the Radia tapes be destroyed / recalled etc and that a restraint be put on them. It is a violation of his privacy and more. 

- Sony asks for restraining order over PS3 hack - which was announced in December and allows users to run pirated games etc and bypass Sony's 'technical protection measures'

In both instances the litigants, with due respect, have failed to understand that any data in the public domain just cannot be erased or recalled! It is now a part of history and "history cannot be wished away".

Yes, the lawyers will make good money and the media has good copy. Strangely, the media does not make any big noises about the Radia tapes and we all know why. To come back to the main issue - so what should these (such) people do - just avoid going to court and sit tight? No. Any incident is a learning and such lessons prove to be very very expensive. They are expensive (maybe) because someone overlooked the small risks or did not have proper controls in place.
It is a big bad world in the realm of corporate or national espionage - this is common knowledge. So, I would not expect the boss of India's largest corporate group to EVER speak on an open line. Like I do not expect the PM to have a prepaid connection! Nor would I expect Sony to chase a chimera - it is funny to see them ask a court to restrain someone from releasing a crack. How will the court enforce the order when there are multiple partners located in different countries? And how will the court (or Sony) ascertain that there are no copies in the "wild"?

Like I said... good billing for the lawyers.

Indian corporates have to realize that as they celebrate double digit growth figures and billion dollar M&As it is necessary to accept the existence of current day threats and risks.
The powerful and successful move around with the feeling of invincibility or (all round) there is a general sense of complacency. Both lead to situations that one wishes never happened even in one's worst dream.

Proactive risk management and security is needed like never before. We have not yet learned to tame the beast in various applications and networks that are part of our daily life. One can look forward to bigger nightmare scenarios as mobile computing, cloud and handheld devices hit us.

Jaago (Wake up!) - how many more wake up calls are needed?