Friday, October 23, 2009

Tuesday, October 13, 2009

New 2009 IOUG ResearchWire Study Finds Companies Making Little Headway in Securing Data

Economic Downturn Impedes Needed Investments and Increases Security Risks

MEDFORD, N.J.--(BUSINESS WIRE)--The Independent Oracle Users Group (IOUG) today released its second annual database security study, “IOUG Data Security 2009: Budget Pressures Lead to Increased Risks”. The study conducted by Unisphere Research and sponsored by Oracle Corporation surveyed members of the IOUG in July and August of 2009. The 316 respondents oversee complex and multiple database sites, many with large volumes of data. Forty-two percent of those surveyed manage greater than 100 databases, and 20 percent manage in excess of 500 databases.

Among the key findings:

  • There has been a 50 percent increase in data breaches since last year and growing wariness of the potential for data security problems. However, the uncertain economic climate over the past year has put a damper on the availability of funding and staff time to address these issues.
  • There is pressure to do more with less and unfortunately in many cases less is actually being done. Only 28 percent of respondents reported receiving additional funding for their data security budgets – down a third from a year ago.
  • Managers see internal threats – such as access by unauthorized users – as more pressing than external hackers or viruses. Potential abuse of access privileges by IT staff also ranked highly as a perceived security risk and regulatory compliance issue.
  • Most organizations still do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications. Most are still unable to even detect such breaches or incidents.
  • Outsourcing of database administration, development and testing functions has increased by up to 40 percent over the past year. More outsourcing and off-shoring without adequate security has also resulted in organizations unintentionally exposing data to additional risks.
  • Close to half of organizations employ actual production data within non-production environments, thereby exposing this information in unsecured settings. To make matters worse, there has been a decline in companies “de-identifying” such sensitive data. A third even ship live un-encrypted production data offsite.
  • Overall, corporate management is still complacent about data security. One out of four cited lack of management commitment and lax procedures. Efforts to address data security are still ad hoc and manual. Organizations are not addressing database security as part of overall database security strategy and making the most of limited budgets.

Members of the IOUG received access to the final report document as a benefit of membership with the organization, under the IOUG ResearchWire program. Others may download the final report in PDF through the Oracle web site at http://www.oracle.com/go/?&Src=6811199&Act=294&pcode=WWMK09047366MPP012

To learn more about the survey findings and cost-effective solutions to mitigate risks to enterprise data and Oracle databases, please join us for a complimentary live webcast hosted by the IOUG. Register here: http://www.dbta.com/Webinars/Details.aspx?EventID=192&src=webad

For more information contact Aimee Pagano, apagano@smithbucklin.com, (312) 673-5801

About the Independent Oracle Users Group

Founded in 1993, the Independent Oracle Users Group (IOUG) is a global membership organization that provides Oracle users the opportunity to enhance their productivity, maximize their investment and influence the quality, usability and support of Oracle technology. The IOUG represents the voice of Oracle technology and database professionals serving nearly 20,000 database administrators, developers, architects, technical managers and other Oracle professionals throughout North America and worldwide. The IOUG empowers its members to be more productive and successful in their business and careers by delivering education, sharing best practices and providing technology direction and networking opportunities. For more information, visit www.ioug.org or call (312) 245-1579.

Databases' Most Serious Vulnerability: Authorized Users
by Ericka Chickowski, DarkReading

New Dark Reading report outlines threats posed to databases by end users -- and how to protect your data.

In all of their frenzy to protect sensitive data from hackers and thieves, many organizations overlook the most likely threat to their databases: authorized users.

While today's headlines might be full of compromises and SQL injection attacks, most database leaks are still caused by end users who have legitimate access to the data, experts say. Yet, according to "Protecting Your Databases From Careless End Users," a new report published today by Dark Reading, many enterprises still don't do enough to protect data from accidental leaks or insider theft.

"It sometimes amazes me how little concern companies have for their production data," says James Koopmann, owner of the database consultancy Pine Horse. "They allow nearly anyone to plug in shareware, freeware, and demo tools to access sensitive production data -- without any concern for how it might be retrieving, caching, or altering data."

According to the report, there are five common factors that lead to the compromise of database information: ignorance, poor password management, rampant account sharing, unfettered access to data, and excessive portability of data.

Many database leaks are caused by users who don't know any better, experts say. According to CompTIA's Seventh Annual Trends in Information Security report, which was published earlier this year, only 45 percent of organizations surveyed offer security training to non-IT staff. Of those that did, 85 percent saw a reduction in major security breaches. Experts say that many users who work with databases simply don't understand the sensitivity -- or the value -- of the data they work with, and therefore become casual in their security practices.

Poor password management is another common issue. Either IT departments allow database users to set easy-to-guess passwords, or they make the passwords so complicated that the user ends up writing them down and sticking them to the computer screen.

"We have to strike a balance between ease of remembering for database users versus how complicated we make the passwords to protect against outsiders," says George Jucan, CEO of Open Data Systems, a database consulting firm.

In many database environments, account sharing is a common practice, which creates another set of security issues. "In many organizations, the credentialed or privileged accounts are shared and widely known," says Phil Neray, vice president of security strategy for Guardium, a database security tool vendor.

While some users take advantage of their co-workers' credentials, others gain access to data via highly privileged application server credentials. In either case, data compromises can occur without leaving a clear trail to the perpetrator.

Unfettered access to data is another common problem in many database environments, experts say. In many cases, employees are given access to more information than they need to do their jobs.

"Most of the databases today provide role-based access control to databases, and few companies actually take advantage of this," Jucan says. "If somebody doesn't even see that certain data exists in the database, they will not be tempted to print it and leave it on the printer."

In addition to role-based access controls, enterprises should look into data masking technology, database experts say. Such technology limits the user's exposure to highly-sensitive and highly regulated data sets -- such as Social Security numbers -- without limiting the user's ability to do their work.

Finally, enterprises should take a closer look at technologies and practices for protecting data as it becomes increasingly portable, experts say. One of the biggest dangers companies face today is the ability of authorized users to simply download large chunks of information from the database onto spreadsheets, laptops, or portable storage devices.

These practices make it easier for thieves to gain access to the data via common PC hacking methods -- or to physically steal it from the user. Tools such as database activity monitoring, data leak prevention, and encryption all can help protect portable data, experts say.

Thursday, September 24, 2009

DuPont sues employee for trade secrets data breach
Chuck Miller September 09, 2009


Industrial manufacturing giant DuPont has sued an employee it claims was planning to smuggle trade secrets to China, according to a report this week in The News Journal of Delaware.

The employee, Hong Meng, a senior research chemist, admitted to DuPont security officials that in August he downloaded confidential company files from his company-issued laptop to an external hard drive. The data included research on organic light-emitting diode (OLED) technology, said the report, citing court papers.


Meng was planning to take DuPont's proprietary information to Peking University in Beijing, which is involved in research on OLED technology, according to the report.

“When sensitive data is copied to an external hard drive, that typically is a policy violation,” Michael Maloof, CTO of TriGeo Network Security, told SCMagazineUS.com on Wednesday. “Why wasn't there an immediate alert when that external hard drive was attached?”

DuPont was hit by a similar incident several years ago, when a 10-year veteran of DuPont accessed more than 16,700 documents and more than 22,000 scientific abstracts, between August and December 2005, with the intention of giving them to Victrex, a DuPont rival. The culprit in that case, Gary Min, a native of China, eventually was sentenced to 18 months in prison.

“DuPont obviously did not learn much from the first case,” Maloof said. “Both these guys had access to sensitive data, and only long after the data was gone did they discover that the breach had occurred.”

A DuPont spokesperson could not be reached for comment on Wednesday.

A database can be secure, but that doesn't help if people with legitimate access are abusing their rights, said Phil Neray, vice president of security strategy at Guardium.

“Most insiders have access to information they need to do their job,” Neray told SCMagazineUS.com Wednesday. “The challenge is to be sure that you have sufficient controls in place to identify when someone is abusing their privileges.”

Most companies have policies, but what are missing are mechanisms for enforcing those policies, Neray said.

“Most of the focus has been on financial data, but what this story shows is that companies have other types of data of a proprietary nature that also must be protected,” he said. “The message is: Don't forget about proprietary information databases.”

Wednesday, September 16, 2009

Recent breaches show data theft prevention basics lacking
By Ron Condon, U.K. Bureau Chief, 13 Sep 2009, SearchSecurity.co.uk

Two new cases of stolen information this week underline the need for basic security measures; both data loss incidents could help bolster the case of security professionals struggling to justify their budget.

The first theft involves a laptop computer stolen from an NHS training body last November. The machine, which belonged to NHS Education for Scotland (NES), was being used to test a new medical recruitment website. In order to carry out the tests, the developer had copied the records of 6,377 people who had applied for medical posts. Since the machine was never intended to leave the premises, the information was left unencrypted. Under the policy that applied at the time, it did not qualify as a 'mobile device' and therefore was not protected as such.

This week, the chief executive of NES, Malcolm Wright, was forced to issue a public apology and undertaking through the Information Commissioner's Office (ICO), both admitting what went wrong and pledging to employ better data theft prevention practices in the future.

In the statement, Wright said: "This incident involved the theft of a laptop, belonging to NES, from an office within NES premises at Ninewells Hospital at some time between the evening of November 28 2008 and the morning of December 1 2008. NES staff is confident that this office was locked at the close of business on November 28. A police investigation into the incident has proved inconclusive; Tayside Police does not expect any further progress."

Wright went on to explain that the laptop contained the personal data of 6,377 individuals, all held within an SQL database file. "This personal data consisted of summary descriptions of applications for medical training positions, and included information such as the names, addresses, phone numbers and General Medical Council reference numbers of the data subjects. The personal data also included equality and diversity monitoring information. This information was a superseded data set that was being used to test a development version of a medical recruitment website," he said.

The ICO took the view that the information was sensitive enough to warrant more protection, but agreed not to take further enforcement action against NES in exchange for assurances that it will tighten up its data theft prevention procedures.

The assurances are outlined in the NES's public undertaking and include a commitment to encrypt all personal data held on portable and mobile devices, as well as other portable media.
In addition, NES undertakes to ensure that "staff are aware of the data controller's policy for the storage and use of personal data and are appropriately trained on how to follow that policy."

Running with the database
The second case involves the theft of customer data from a commercial database by an employee who was leaving to start his own company.
The High Court this week heard the case of Richard Braachi, who had emailed his company's customer file to his private email account before leaving to start his own conferencing company.
Braachi had worked for First Conferences between 2006 and 2008. The company claimed he took sales and contact information from its databases and used the data to organise a rival conference.

The court agreed, and found that in copying the contacts and sales information to his private email account and using them as the basis of his own business, Braachi breached article 16(1) of the Copyright and Rights in Database Regulations 1997.

The court also found that Braachi had transferred the domain name theforecaster.com from First Conferences to his new business without permission.

Lessons learned
The stolen database case illustrates the following:
  • The emergence of the insider threat.
  • The value of classifying sensitive data and files.
  • The importance of technology that prevents confidential information from being emailed out, copied on to portable media, or even sent as an attachment to an instant message.
  • The need to protect a company's collateral, including its domain name.
  • The power of the Copyright and Rights in Database Regulations 1997.

First Class Protection for the Mid-Size Organization: Control Your Network with an Out of Box Solution
sponsored by ArcSight, Inc.

With little to no security expertise and few to no dedicated security administrators onboard, mid-size firms must find a way to secure their data without breaking the bank. Any security monitoring solution must do the "heavy lifting" and make the IT administrator's life easier through automation and built-in security expertise.

This paper describes the critical security and compliance challenges facing mid-size organizations today, and introduces a new compliance and security monitoring appliance. For organizations that face growing threats to their network and their critical information, yet have limited resources and expertise to address these threats, ArcSight Express provides a simple, automated, cost-effective solution. With this solution, security incident detection and notification is automated and IT personnel are able to focus on responding to important security incidents.

Guardium CTO Shares Best Practices for Database Security and Addressing Insider Threats at San Francisco ISACA Fall Conference

Guardium, the database security company, today announced its CTO, Dr. Ron Ben Natan, will be presenting at the 2009 San Francisco Information Systems Audit and Control Association’s (ISACA) Fall Conference. Dr. Ben Natan’s session, “Anatomy of Insider Data Breaches”, will be held on Monday, Sept. 21st from 3 to 4:30 p.m. at the Hotel Nikko.

Recent headlines showcasing massive breaches involving credit card information, as well as proprietary information, have heightened the industry’s awareness of insider threat. A recent survey by the Independent Oracle User Group (IOUG) reported that unauthorized database access by inside administrators, or “super users,” often goes unnoticed inside organizations. These undetected intrusions can expose sensitive corporate and customer data and potentially cause billions of dollars in damage.

In his session, Dr. Ben Natan will detail practical examples of how insider breaches occur and discuss best practices for safeguarding critical enterprise databases against such attacks. Dr. Ben Natan will speak as part of the conference’s Strategies & Techniques track.

Dr. Ben Natan has more than 20 years of experience developing enterprise applications and security technology for blue-chip companies. Prior to Guardium, he worked for Merrill Lynch, J.P. Morgan, Intel and AT&T Bell Laboratories. He has also served as a consultant in data security and distributed systems for HSBC, Phillip Morris, Miller Beer, HP, Applied Materials and the Swiss Armed Forces. An expert on distributed application environments, application security, and database security, Dr. Ben Natan has authored 12 technical books including HOWTO Secure and Audit Oracle 10g and 11g (CRC Press, 2009) and Implementing Database Security and Auditing (Elsevier Digital Press, 2005), the standard texts in the field.

Dr. Ben Natan will share information regarding:
  • The most common insider threats and how to prevent them
  • Best practices for database monitoring and real-time protection
  • Preventing unauthorized access to sensitive data with granular access controls

WHAT: Presentation: “Anatomy of Insider Data Breaches”

WHO: Ron Ben Natan, Ph.D., Guardium CTO

WHEN: Monday, September 21st from 3 to 4:30 p.m.

WHERE: 2009 San Francisco ISACA Fall Conference, Hotel Nikko, 222 Mason Street, San Francisco

Register today for the event.

About ISACA®
With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations.

ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.


About Guardium

Guardium, the database security company, delivers the most widely-used solution for ensuring the integrity of enterprise data and preventing information leaks from the data center.
The company’s enterprise security platform is now installed in more than 450 data centers worldwide, including 5 of the top 5 banks; 3 of the top 5 insurers; top government agencies; 2 of the top 3 retailers; 15 of the world’s top telcos; 2 of the world’s favorite beverage brands; the most recognized name in PCs; a top 3 auto maker; a top 3 aerospace company; and a leading supplier of business intelligence software.


Guardium has partnerships with Accenture, ArcSight, BMC, EMC/RSA, IBM, McAfee, Microsoft, Oracle, Sybase and Teradata, with Cisco as a strategic investor, and is a member of IBM’s prestigious Data Governance Council and the PCI Security Standards Council.
Founded in 2002, Guardium was the first company to address the core data security gap by delivering a scalable, cross-DBMS enterprise platform that both protects databases in real-time and automates the entire compliance auditing process.


Guardium and “Safeguarding Databases” are trademarks of Guardium, Inc.

Thursday, July 30, 2009

Network Solutions starts healing process after data breach
Lauren Bell July 27, 2009


Network Solutions, a provider of Web-related services for small and medium businesses, has started reaching out to customers about a data breach that was discovered in early June. Credit card information on 573,928 individual consumers may have been compromised in the breach, which Network Solutions publicly reported at the end of the day on July 24.

Less than half of the company's 10,000-plus e-commerce services customers were affected in the breach, which occurred when hackers implanted a code on the system used to deliver e-commerce tools to clients. Over a three-month period — from March 12 to June 8 — the code diverted transaction and personal information from 4,343 merchant Web sites to a rogue server.

Susan Wade, director of PR for Network Solutions, said that the unauthorized code was discovered on June 8 during routine procedures, and Network Solutions immediately called in a team of data breach forensics experts to analyze the leak and track it. The experts did not crack the code until July 13. When the team discovered that credit card information was at risk, Network Solutions reported the incident to federal law enforcement, which is currently investigating the situation. So far, none of the at-risk cards has been misused.

Network Solutions informed clients of the breach through e-mail and postal mail last week and has offered to help its clients notify affected individual cardholders. In a preemptive PR effort on Friday, the company also reached out to select bloggers and reporters, started monitoring Twitter and responding to blog posts and launched a new Web site and blog about the breach at CareandProtect.com. The site offers FAQs and invites clients and consumers to weigh in on the breach.

“We were proactive in getting the news out,” Wade said. “We're having an open dialogue with customers, so anyone can go to the site and see what the dialogue is.”

Network Solutions is also offering affected cardholders 12 months of free fraud monitoring service from TransUnion. Wade says the company has put additional security measures in place to protect against future breaches.

“The main message we want to get out is that we're there for our customers, and we are very sorry about this,” Wade said. “Unfortunately, something like this could happen to any online business, so we're just letting our customers know that we're there for them, we will help them as much as we can, and we take this issue very seriously.”

Amichai Shulman, CTO of database security company Imperva, lauded Network Solutions for bringing in a forensics team right away, but noted that the breach illustrated larger database security problems faced by many companies.

“This incident points out the basic problem of cloud computing,” he said. “With many more companies hosting their data on the Internet, the databases and the servers they are hosted on become phenomenally attractive. The lesson: once you've penetrated the cloud, you've got an easy path to the important, underlying data.”

He added that announcing the breach closer to its time of discovery would have seemed more credible.

“I don't think they did worse than others in such cases, but I think that the industry standard is behind what customers expect,” he said.

Thursday, July 16, 2009

Integrating Privileged Accounts with Existing Security Infrastructure
Published by SearchSecurity.com

While privileged accounts are required by the platform, a lack of accountability exists for the administrators who use them. Join The Burton Group's senior analyst Mark Diodati as he discusses the do's and don'ts around managing privileged accounts and how vendors are offering solutions for those who have root access.

View this videocast to discover:
  • The risk of leaving privileged accounts unprotected
  • Best practices that security professionals should employ
  • The differences between programmatic access and interactive access and how to decide which to choose
  • Integration of privileged accounts with other systems and technologies: Windows, SIMs, SSO, provisioning, and more


How to use Excel for security log data analysis
sponsored by Tom Chmielarski

Microsoft Excel, already installed on most corporate desktops, is commonly underappreciated by IT security practitioners. Data analysis is a common security task and Excel can often be the quickest option to analyze firewall logs, antivirus data, proxy logs, OS logs and a file listing from a compromised server. Data is everywhere and is often more useful than we expect, if we know how to look at it.
