Friday, October 23, 2009

Tuesday, October 13, 2009

New 2009 IOUG ResearchWire Study Finds Companies Making Little Headway in Securing Data

Economic Downturn Impedes Needed Investments and Increases Security Risks

MEDFORD, N.J.--(BUSINESS WIRE)--The Independent Oracle Users Group (IOUG) today released its second annual database security study, “IOUG Data Security 2009: Budget Pressures Lead to Increased Risks”. The study conducted by Unisphere Research and sponsored by Oracle Corporation surveyed members of the IOUG in July and August of 2009. The 316 respondents oversee complex and multiple database sites, many with large volumes of data. Forty-two percent of those surveyed manage greater than 100 databases, and 20 percent manage in excess of 500 databases.

Among the key findings:

  • There has been a 50 percent increase in data breaches since last year and growing wariness of the potential for data security problems. However, the uncertain economic climate over the past year has put a damper on the availability of funding and staff time to address these issues.
  • There is pressure to do more with less and unfortunately in many cases less is actually being done. Only 28 percent of respondents reported receiving additional funding for their data security budgets – down a third from a year ago.
  • Managers see internal threats – such as access by unauthorized users – as more pressing than external hackers or viruses. Potential abuse of access privileges by IT staff also ranked highly as a perceived security risk and regulatory compliance issue.
  • Most organizations still do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications. Most are still unable to even detect such breaches or incidents.
  • Outsourcing of database administration, development and testing functions has increased by up to 40 percent over the past year. More outsourcing and off-shoring without adequate security has also resulted in organizations unintentionally exposing data to additional risks.
  • Close to half of organizations employ actual production data within non-production environments, thereby exposing this information in unsecured settings. To make matters worse, there has been a decline in companies “de-identifying” such sensitive data. A third even ship live un-encrypted production data offsite.
  • Overall, corporate management is still complacent about data security. One out of four cited lack of management commitment and lax procedures. Efforts to address data security are still ad hoc and manual. Organizations are not addressing database security as part of overall database security strategy and making the most of limited budgets.

Members of the IOUG received access to the final report document as a benefit of membership with the organization, under the IOUG ResearchWire program. Others may download the final report in PDF through the Oracle web site at http://www.oracle.com/go/?&Src=6811199&Act=294&pcode=WWMK09047366MPP012

To learn more about the survey findings and cost-effective solutions to mitigate risks to enterprise data and Oracle databases, please join us for a complimentary live webcast hosted by the IOUG. Register here: http://www.dbta.com/Webinars/Details.aspx?EventID=192&src=webad

For more information contact Aimee Pagano, apagano@smithbucklin.com, (312) 673-5801

About the Independent Oracle Users Group

Founded in 1993, the Independent Oracle Users Group (IOUG) is a global membership organization that provides Oracle users the opportunity to enhance their productivity, maximize their investment and influence the quality, usability and support of Oracle technology. The IOUG represents the voice of Oracle technology and database professionals serving nearly 20,000 database administrators, developers, architects, technical managers and other Oracle professionals throughout North America and worldwide. The IOUG empowers its members to be more productive and successful in their business and careers by delivering education, sharing best practices and providing technology direction and networking opportunities. For more information, visit www.ioug.org or call (312) 245-1579.

Databases' Most Serious Vulnerability: Authorized Users
by Ericka Chickowski, DarkReading

New Dark Reading report outlines threats posed to databases by end users -- and how to protect your data.

In all of their frenzy to protect sensitive data from hackers and thieves, many organizations overlook the most likely threat to their databases: authorized users.

While today's headlines might be full of compromises and SQL injection attacks, most database leaks are still caused by end users who have legitimate access to the data, experts say. Yet, according to "Protecting Your Databases From Careless End Users," a new report published today by Dark Reading, many enterprises still don't do enough to protect data from accidental leaks or insider theft.

"It sometimes amazes me how little concern companies have for their production data," says James Koopmann, owner of the database consultancy Pine Horse. "They allow nearly anyone to plug in shareware, freeware, and demo tools to access sensitive production data -- without any concern for how it might be retrieving, caching, or altering data."

According to the report, there are five common factors that lead to the compromise of database information: ignorance, poor password management, rampant account sharing, unfettered access to data, and excessive portability of data.

Many database leaks are caused by users who don't know any better, experts say. According to CompTIA's Seventh Annual Trends in Information Security report, which was published earlier this year, only 45 percent of organizations surveyed offer security training to non-IT staff. Of those that did, 85 percent saw a reduction in major security breaches. Experts say that many users who work with databases simply don't understand the sensitivity -- or the value -- of the data they work with, and therefore become casual in their security practices.

Poor password management is another common issue. Either IT departments allow database users to set easy-to-guess passwords, or they make the passwords so complicated that the user ends up writing them down and sticking them to the computer screen.

"We have to strike a balance between ease of remembering for database users versus how complicated we make the passwords to protect against outsiders," says George Jucan, CEO of Open Data Systems, a database consulting firm.

In many database environments, account sharing is a common practice, which creates another set of security issues. "In many organizations, the credentialed or privileged accounts are shared and widely known," says Phil Neray, vice president of security strategy for Guardium, a database security tool vendor.

While some users take advantage of their co-workers' credentials, others gain access to data via highly privileged application server credentials. In either case, data compromises can occur without leaving a clear trail to the perpetrator.

Unfettered access to data is another common problem in many database environments, experts say. In many cases, employees are given access to more information than they need to do their jobs.

"Most of the databases today provide role-based access control to databases, and few companies actually take advantage of this," Jucan says. "If somebody doesn't even see that certain data exists in the database, they will not be tempted to print it and leave it on the printer."

In addition to role-based access controls, enterprises should look into data masking technology, database experts say. Such technology limits the user's exposure to highly-sensitive and highly regulated data sets -- such as Social Security numbers -- without limiting the user's ability to do their work. Finally, enterprises should take a closer look at technologies and practices for protecting data as it becomes increasingly portable, experts say. One of the biggest dangers companies face today is the ability of authorized users to simply download large chunks of information from the database onto spreadsheets, laptops, or portable storage devices.

These practices make it easier for thieves to gain access to the data via common PC hacking methods -- or to physically steal it from the user. Tools such as database activity monitoring, data leak prevention, and encryption all can help protect portable data, experts say.

Thursday, September 24, 2009

DuPont sues employee for trade secrets data breach
Chuck Miller September 09, 2009


Industrial manufacturing giant DuPont has sued an employee it claims was planning to smuggle trade secrets to China, according to a report this week in The News Journal of Delaware.

The employee, Hong Meng, a senior research chemist, admitted to DuPont security officials that in August he downloaded confidential company files from his company-issued laptop to an external hard drive. The data included research on organic light-emitting diode (OLED) technology, said the report, citing court papers.


Meng was planning to take DuPont's proprietary information to Peking University in Beijing, which is involved in research on OLED technology, according to the report.

“When sensitive data is copied to an external hard drive, that typically is a policy violation,” Michael Maloof, CTO of TriGeo Network Security, told SCMagazineUS.com on Wednesday. “Why wasn't there an immediate alert when that external hard drive was attached?”

DuPont was hit by a similar incident several years ago, when a 10-year veteran of DuPont accessed more than 16,700 documents and more than 22,000 scientific abstracts, between August and December 2005, with the intention of giving them to Victrex, a DuPont rival. The culprit in that case, Gary Min, a native of China, eventually was sentenced to 18 months in prison.

“DuPont obviously did not learn much from the first case,” Maloof said. “Both these guys had access to sensitive data, and only long after the data was gone did they discover that the breach had occurred.”

A DuPont spokesperson could not be reached for comment on Wednesday.

A database can be secure, but that doesn't help if people with legitimate access are abusing their rights, said Phil Neray, vice president of security strategy at Guardium.

“Most insiders have access to information they need to do their job,” Neray told SCMagazineUS.com Wednesday. “The challenge is to be sure that you have sufficient controls in place to identify when someone is abusing their privileges.”

Most companies have policies, but what are missing are mechanisms for enforcing those policies, Neray said.

“Most of the focus has been on financial data, but what this story shows is that companies have other types of data of a proprietary nature that also must be protected,” he said. “The message is: Don't forget about proprietary information databases.”

Wednesday, September 16, 2009

Recent breaches show data theft prevention basics lacking
By Ron Condon, U.K. Bureau Chief, 13 Sep 2009, SearchSecurity.co.uk

Two new cases of stolen information this week underline the need for basic security measures; both data loss incidents could help bolster the case of security professionals struggling to justify their budget.

The first theft involves a laptop computer stolen from an NHS training body last November. The machine, which belonged to NHS Education for Scotland (NES), was being used to test a new medical recruitment website. In order to carry out the tests, the developer had copied the records of 6,377 people who had applied for medical posts. Since the machine was never intended to leave the premises, the information was left unencrypted. Under the policy that applied at the time, it did not qualify as a 'mobile device' and therefore was not protected as such.

This week, the chief executive of NES, Malcolm Wright, was forced to issue a public apology and undertaking through the Information Commissioner's Office (ICO), both admitting what went wrong and pledging to employ better data theft prevention practices in the future.
In the statement, Wright said: "This incident involved the theft of a laptop, belonging to NES, from an office within NES premises at Ninewells Hospital at some time between the evening of November 28 2008 and the morning of December 1 2008. NES staff is confident that this office was locked at the close of business on November 28. A police investigation into the incident has proved inconclusive; Tayside Police does not expect any further progress."

Wright went on to explain that the laptop contained the personal data of 6,377 individuals, all held within an SQL database file. "This personal data consisted of summary descriptions of applications for medical training positions, and included information such as the names, addresses, phone numbers and General Medical Council reference numbers of the data subjects. The personal data also included equality and diversity monitoring information. This information was a superseded data set that was being used to test a development version of a medical recruitment website," he said.

The ICO took the view that the information was sensitive enough to warrant more protection, but agreed not to take further enforcement action against NES in exchange for assurances that it will tighten up its data theft prevention procedures.

The assurances are outlined in the NES's public undertaking and include a commitment to encrypt all personal data held on portable and mobile devices, as well as other portable media.
In addition, NES undertakes to ensure that "staff are aware of the data controller's policy for the storage and use of personal data and are appropriately trained on how to follow that policy."

Running with the database
The second case involves the theft of customer data from a commercial database by an employee who was leaving to start his own company.
The High Court this week heard the case of Richard Braachi, who had emailed his company's customer file to his private email account before leaving to start his own conferencing company.
Braachi had worked for First Conferences between 2006 and 2008. The company claimed he took sales and contact information from its databases and used the data to organise a rival conference.

The court agreed, and found that in copying the contacts and sales information to his private email account and using them as the basis of his own business, Braachi breached article 16(1) of the Copyright and Rights in Database Regulations 1997.

The court also found that Braachi had transferred the domain name theforecaster.com from First Conferences to his new business without permission.

Lessons learned
The stolen database case illustrates the following:
  • The emergence of the insider threat.
  • The value of classifying sensitive data and files.
  • The importance of technology that prevents confidential information from being emailed out, copied on to portable media, or even sent as an attachment to an instant message.
  • The need to protect a company's collateral, including its domain name.
  • The power of the Copyright and Rights in Database Regulations 1997.

First Class Protection for the Mid-Size Organization: Control Your Network with an Out of Box Solution
sponsored by ArcSight, Inc.

With little to no security expertise and few to no dedicated security administrators onboard, mid-size firms must find a way to secure their data without breaking the bank. Any security monitoring solution must do the "heavy lifting" and make the IT administrator's life easier through automation and built-in security expertise.

This paper describes the critical security and compliance challenges facing mid-size organizations today, and introduces a new compliance and security monitoring appliance. For organizations that face growing threats to their network and their critical information, yet have limited resources and expertise to address these threats, ArcSight Express provides a simple, automated, cost-effective solution. With this solution, security incident detection and notification is automated and IT personnel are able to focus on responding to important security incidents.

Guardium CTO Shares Best Practices for Database Security and Addressing Insider Threats at San Francisco ISACA Fall Conference

Guardium, the database security company, today announced its CTO, Dr. Ron Ben Natan, will be presenting at the 2009 San Francisco Information Systems Audit and Control Association’s (ISACA) Fall Conference. Dr. Ben Natan’s session, “Anatomy of Insider Data Breaches”, will be held on Monday, Sept. 21st from 3 to 4:30 p.m. at the Hotel Nikko.

Recent headlines showcasing massive breaches involving credit card information, as well as proprietary information, have heightened the industry’s awareness of insider threat. A recent survey by the Independent Oracle User Group (IOUG), reported unauthorized database access by inside administrators, or “super users,” often goes unnoticed inside organizations. These undetected intrusions can expose sensitive corporate and customer data and potentially cause billions of dollars in damage.

In his session, Dr. Ben Natan will detail practical examples of how insider breaches occur and discuss best practices for safeguarding critical enterprise databases against such attacks. Dr. Ben Natan will speak as part of the conference’s Strategies & Techniques track.

Dr. Ben Natan has more than 20 years of experience developing enterprise applications and security technology for blue-chip companies. Prior to Guardium, he worked for Merrill Lynch, J.P. Morgan, Intel and AT&T Bell Laboratories. He has also served as a consultant in data security and distributed systems for HSBC, Phillip Morris, Miller Beer, HP, Applied Materials and the Swiss Armed Forces. An expert on distributed application environments, application security, and database security, Dr. Ben Natan has authored 12 technical books including HOWTO Secure and Audit Oracle 10g and 11g (CRC Press, 2009) and Implementing Database Security and Auditing (Elsevier Digital Press, 2005), the standard texts in the field.

Dr. Ben Natan will share information regarding:
  • The most common insider threats and how to prevent them
  • Best practices for database monitoring and real-time protection
  • Preventing unauthorized access to sensitive data with granular access controls

WHAT: Presentation: “Anatomy of Insider Data Breaches”

WHO: Ron Ben Natan, Ph.D., Guardium CTO

WHEN: Monday, September 21st from 3 to 4:30 p.m.

WHERE: 2009 San Francisco ISACA Fall Conference, Hotel Nikko, 222 Mason Street, San Francisco

Register today for the event.

About ISACA®
With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in the Governance of Enterprise IT® (CGEIT®) designations.
ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.


About Guardium

Guardium, the database security company, delivers the most widely-used solution for ensuring the integrity of enterprise data and preventing information leaks from the data center.
The company’s enterprise security platform is now installed in more than 450 data centers worldwide, including 5 of the top 5 banks; 3 of the top 5 insurers; top government agencies; 2 of the top 3 retailers; 15 of the world’s top telcos; 2 of the world’s favorite beverage brands; the most recognized name in PCs; a top 3 auto maker; a top 3 aerospace company; and a leading supplier of business intelligence software.


Guardium has partnerships with Accenture, ArcSight, BMC, EMC/RSA, IBM, McAfee, Microsoft, Oracle, Sybase and Teradata, with Cisco as a strategic investor, and is a member of IBM’s prestigious Data Governance Council and the PCI Security Standards Council.
Founded in 2002, Guardium was the first company to address the core data security gap by delivering a scalable, cross-DBMS enterprise platform that both protects databases in real-time and automates the entire compliance auditing process.


Guardium and “Safeguarding Databases” are trademarks of Guardium, Inc.

Thursday, July 30, 2009

Network Solutions starts healing process after data breach
Lauren Bell July 27, 2009


Network Solutions, a provider of Web-related services for small and medium businesses, has started reaching out to customers about a data breach that was discovered in early June. Credit card information on 573,928 individual consumers may have been compromised in the breach, which Network Solutions publicly reported at the end of the day on July 24.

Less than half of the company's 10,000-plus e-commerce services customers were affected in the breach, which occurred when hackers implanted a code on the system used to deliver e-commerce tools to clients. Over a three-month period — from March 12 to June 8 — the code diverted transaction and personal information from 4,343 merchant Web sites to a rogue server.

Susan Wade, director of PR for Network Solutions, said that the unauthorized code was discovered on June 8 during routine procedures, and Network Solutions immediately called in a team of data breach forensics experts to analyze the leak and track it. The experts did not crack the code until July 13. When the team discovered that credit card information was at risk, Network Solutions reported the incident to federal law enforcement, which is currently investigating the situation. So far, none of the at-risk cards has been misused.

Network Solutions informed clients of the breach through e-mail and postal mail last week and has offered to help its clients notify affected individual cardholders. In a preemptive PR effort on Friday, the company also reached out to select bloggers and reporters, started monitoring Twitter and responding to blog posts and launched a new Web site and blog about the breach at CareandProtect.com. The site offers FAQs and invites clients and consumers to weigh in on the breach.

“We were proactive in getting the news out,” Wade said. “We're having an open dialogue with customers, so anyone can go to the site and see what the dialogue is.”

Network Solutions is also offering affected cardholders 12 months of free fraud monitoring service from TransUnion. Wade says the company has put additional security measures in place to protect against future breaches.

“The main message we want to get out is that we're there for our customers, and we are very sorry about this,” Wade said. “Unfortunately, something like this could happen to any online business, so we're just letting our customers know that we're there for them, we will help them as much as we can, and we take this issue very seriously.”

Amichai Shulman, CTO of database security company Imperva, lauded Network Solutions for bringing in a forensics team right away, but noted that the breach illustrated larger database security problems faced by many companies.

“This incident points out the basic problem of cloud computing,” he said. “With many more companies hosting their data on the Internet, the databases and the servers they are hosted on become phenomenally attractive. The lesson: once you've penetrated the cloud, you've got an easy path to the important, underlying data.”

He added that announcing the breach closer to its time of discovery would have seemed more credible.

“I don't think they did worse than others in such cases, but I think that the industry standard is behind what customers expect,” he said.

Thursday, July 16, 2009

Integrating Privileged Accounts with Existing Security Infrastructure
Published by SearchSecurity.com

While these accounts are required by the platform, a lack of accountability exists for the administrators that use them. Join The Burton Group's senior analyst Mark Diodati as he discusses the do's and don'ts around managing privileged accounts and how vendors are offering solutions for those who have root access.

View this videocast to discover:
  • The risk of leaving privileged accounts unprotected
  • Best practices that security professionals should employ
  • The differences between programmatic access and interactive access and how to decide which to choose
  • Integration of privileged accounts with other systems and technologies: Windows, SIMs, SSO, provisioning, and more

VIEW VIDEOCAST

How to use Excel for security log data analysis
sponsored by Tom Chmielarski

Microsoft Excel, already installed on most corporate desktops, is commonly underappreciated by IT security practitioners. Data analysis is a common security task and Excel can often be the quickest option to analyze firewall logs, antivirus data, proxy logs, OS logs and a file listing from a compromised server. Data is everywhere and is often more useful than we expect, if we know how to look at it.

To read further, please click HERE.

Thursday, July 9, 2009

Fact or fiction: Reining in Privileged Access
sponsored by Guardium

Learn about some of the common misperceptions around privileged access management and how organizations can implement sound access controls around root access so that confidential data does not leak out of an organization.

Speaker
Mark Diodati
Senior Analyst, Burton Group
Mark Diodati, CPA, CISA, CISM, has more than 19 years of experience in the development and deployment of information security technologies. He is a senior analyst for identity management and information security at Midvale, Utah-based research firm Burton Group.

To listen to the podcast, please click HERE.

Integrating Privileged Accounts with Existing Security Infrastructure
sponsored by Guardium, Inc.

In this videocast, Burton Group Senior Analyst Mark Diodati discusses the risk of leaving privileged accounts unprotected and best practices that security professionals should employ. He also talks about the differences between programmatic access and interactive access and how to decide which to choose, as well as integration of privileged accounts with other systems. Finally he discusses best practices for implementing a privileged account management product.

To view the videocast, please click HERE.

Friday, July 3, 2009

Tech Insight: Database Security -- The First Three Steps

Protecting sensitive data means locating and enumerating the information in your databases -- and finding the right method to secure it

By John Sawyer
DarkReading

A Special Analysis for Dark Reading. First of two articles.

One of a security professional's biggest challenges is to keep an organization's most sensitive data out of harm's way. When it comes to the huge volumes of information stored in databases, however, that's no simple task.

Protecting sensitive information means finding and securing it in any location, from corporate headquarters to branch locations to mobile devices. Such data isn't always easy to locate -- it may be stored in a variety of formats, from the small Excel files on a CFO's laptop to enormous databases that contain critical inventories or customer information.

Frequently, databases hold the "crown jewels" of the organization -- the largest and most mission-critical data. This means a database breach can have serious consequences, whether it comes from an employee with authorized access or from a hacker who comes in via vulnerabilities in poorly written Web applications that are linked to the database.

Complying with regulations, like PCI DSS or SOX, has helped many organizations become more aware of their most sensitive data repositories, but it is easy to lose track of what network resources exist when these repositories are spread across multiple office locations. To prevent this sort of oversight, we should look at database security and compliance as a three-stage process: locating your databases, enumerating the data, and securing the critical database servers.

The first stage -- locating the databases themselves -- can be achieved through a couple of different methods. The easiest, but often less fruitful, method is to consult the documentation. If you're lucky, then there will be an extensive, searchable repository containing the information you're looking for. Otherwise, you'll be digging through a lot of docs. This is where sysadmins and developers can help fill in the missing gaps.

When documentation fails, the best method for locating databases is scanning the network with Nmap to find hosts that are running database services and actively listening for connections. For even better coverage, use Nessus with administrative credentials to audit your hosts for installed and running applications -- this will help you find the database servers that are running but not listening on the network.

The second stage to securing your database environment is to enumerate the data contained in the databases you found in the first stage. Not all database servers will need the same level of protection. A test database containing bogus data for use by developers, for example, will obviously not need the same level of defense as a production database server containing customer information and front-ended by an Internet-exposed Web application.

Documentation, developers, and database administrators (DBAs) should provide insight into the database's contents -- but they aren't always as accessible or helpful as they could be. To get the full picture of what's in your databases, you may need to look into data discovery products, like Identity Finder, or discovery features included in data leakage prevention (DLP) and database activity monitoring (DAM) tools.

The discovery process will be straightforward -- as long as the tool you're using properly understands how to access the databases in your organization. If you haven't purchased a product -- or if you have a DLP/DAM solution already -- then be sure what you choose will work with all of the technologies you discovered in the first stage.

The third stage is to secure the database servers themselves and ensure they comply with corporate configuration policies. Manually checking database server settings is a monotonous, tedious task best-suited for automation. Free and commercial tools are available that make the process easier, so it can be done enterprisewide with little effort.

The most important part of the third stage is to ensure you have a well-defined database security configuration policy; hopefully, this was created and refined well before you started this process. The policy should be based on best practices, while meeting the needs and required security level of your environment.

Next, choose an auditing tool that suits your database environment. The CIS Security Benchmark tool and Nessus vulnerability scanner come with customizable configuration files that can be edited to match your security policies. You can also get configuration files from groups like DISA, which can serve as a basis for your auditing.

Though the CIS tools are free, Nessus is a good upgrade to consider because it can scan for vulnerabilities in the database server and underlying operating system. Also, remember that they don't both support the same number of database server types, so be sure to confirm the one you're using can work with all, or at least most, of the software types that run your critical data.
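The first two stages above (locate the listeners, then enumerate what they hold) can be glued together in a small inventory script. The example below is added here and is not from the article or from any of the tools it names: it parses the grepable (`-oG`) output of an Nmap scan of your own network to find hosts with database services listening, then ranks each one by the sensitivity of a handful of sample records pulled from it. The scan output, the host names and the sample rows are constructed; the default-port table and the sensitivity rules are assumptions you would adapt to your environment.

```python
"""Stages 1 and 2 of the three-stage process: find database listeners in an
Nmap grepable scan, then rank them by the sensitivity of sample data."""
import re

# Default TCP ports of common database engines (assumption: your environment may
# run them elsewhere, so Nmap's service name is checked as a fallback).
DB_SERVICES = {
    1433: "ms-sql-s", 1521: "oracle-tns", 3306: "mysql",
    5432: "postgresql", 5000: "sybase", 50000: "db2",
}
DB_NAME_HINTS = ("sql", "oracle", "mysql", "postgres", "db2", "sybase")

# Constructed sample of `nmap -sV -oG - <your range>` output, not a real scan.
# Grepable port entries are port/state/proto/owner/service/rpc/version/.
SAMPLE_SCAN = """\
# Nmap 5.00 scan initiated (constructed sample)
Host: 10.0.0.5 (app01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1/, 80/open/tcp//http//Apache httpd 2.2/\tIgnored State: closed (998)
Host: 10.0.0.7 (db01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1/, 3306/open/tcp//mysql//MySQL 5.1.37/\tIgnored State: closed (998)
Host: 10.0.0.9 (erp01.example.test)\tPorts: 1521/open/tcp//oracle-tns//Oracle TNS Listener/, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
Host: 10.0.0.12 ()\tPorts: 14330/open/tcp//ms-sql-s//Microsoft SQL Server 2005/\tIgnored State: filtered (999)
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def find_database_listeners(grepable):
    """Stage 1: return [(host, port, service, version)] for open TCP ports that
    sit on a known database port or carry a database-like service name."""
    found = []
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        parts = line.split("\tPorts: ", 1)
        if not m or len(parts) < 2:
            continue
        host = m.group(2) or m.group(1)  # prefer hostname, fall back to IP
        for port, state, proto, _own, svc, _rpc, ver in PORT_RE.findall(parts[1]):
            port = int(port)
            if state != "open" or proto != "tcp":
                continue
            if port in DB_SERVICES or any(h in svc.lower() for h in DB_NAME_HINTS):
                found.append((host, port, svc or DB_SERVICES.get(port, "unknown"), ver))
    return found


# Constructed sample rows "pulled" from each listener (in practice: a SELECT of
# a few rows per table with the DBA's help). 078-05-1120 is the well-known
# demonstration SSN; the card numbers are published test numbers.
SAMPLE_ROWS = {
    "db01.example.test": ["alice@example.test,4111 1111 1111 1111",
                          "bob@example.test,5500 0000 0000 0004"],
    "erp01.example.test": ["Jane Doe,078-05-1120,Chemist"],
    "10.0.0.12": ["widget,17.50,in stock", "gadget,9.99,backorder"],
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(rows):
    """Stage 2: return (level, findings) for a list of sample records.
    SSNs or valid card numbers make a store 'high'; other PII 'medium'."""
    findings = set()
    for row in rows:
        if SSN_RE.search(row):
            findings.add("ssn")
        if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(row)):
            findings.add("card")
        if EMAIL_RE.search(row):
            findings.add("email")
    level = "high" if findings & {"ssn", "card"} else "medium" if findings else "low"
    return level, sorted(findings)


def prioritize(listeners, samples):
    """Join stage 1 and stage 2 into a ranked inventory, most sensitive first."""
    order = {"high": 0, "medium": 1, "low": 2}
    ranked = [dict(host=h, port=p, service=s, version=v,
                   **dict(zip(("level", "findings"), classify(samples.get(h, [])))))
              for h, p, s, v in listeners]
    return sorted(ranked, key=lambda r: (order[r["level"]], r["host"]))


if __name__ == "__main__":
    for r in prioritize(find_database_listeners(SAMPLE_SCAN), SAMPLE_ROWS):
        print(f"{r['level']:6} {r['host']}:{r['port']} {r['service']} "
              f"({r['version']}) findings={r['findings']}")
```

Note that the SQL Server host is caught only by its service name because it listens on a non-default port, which is exactly the case a port-only check misses.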

For truly comprehensive database security, you must also consider secure network design, DLP and DAM technologies, secure application development, and proper backup and disaster recovery. However, if you execute these first three stages properly, then you'll be well on your way to securing your most sensitive database information, and you can add additional security capabilities later.


Friday, June 19, 2009

Forrester: Database security a must
Erin Kelly, Contributor (source: SearchSecurity)

When the economy is in a downturn and the fear of layoffs loom, enforcing database security using database monitoring and database encryption tools is fundamental to defending against data leakage and can be implemented even on a tight budget, said Jonathon Penn, principal analyst at Forrester Research.

"[The database] is a target for external attack, it's also a target for abuse and misuse by internal people," Penn said. "So protecting that is important, whether it be monitoring for large downloads by authorized people or monitoring the extent to which they're interacting with the database, whether [their activity] be suspicious or indicate they're taking information with them because they're leaving the company or worried about layoffs."

In the recent report, "TechRadar For SRM Professionals: Database and Server Data Security, Q2 2009," Forrester investigated the current state of eight significant technologies: centralized key management, data classifiers for security, data discovery scanners, database encryption, database monitoring and protecting, outbound Web application filtering and tape and backup encryption.

"We found protecting data is an incredibly complex task, and there is no single technology or process you can put in place in order to safeguard your information," Penn said. "On top of that, threats have become more sophisticated, more targeted, and the criminals behind these attacks have excellent resources at their disposal."

Penn recommended desktop, laptop and full disk encryption as some of the easiest and most cost-effective ways to manage security. However, he stressed that a cost-effective approach is not always about what you go out and buy, but can be as simple as implementing security measures on an ongoing basis.

The report, authored by Forrester senior analyst Andrew Jaquith, claims brute-force technologies like encryption will remain popular and monitoring technologies will also see an uptake in adoption, yet data classification and data discovery technologies that span multiple technology domains still have complexities that need to be worked through.

Data encryption and monitoring technologies are favorable for users because they focus on targeted assets and are very specific products, Penn said. Data discovery and data classification tools require different stakeholders in an organisation to come to a consensus and must be coordinated across these different groups in order to be effective, making them more complicated and expensive projects, he said.

Forrester urges security professionals to move forward on data discovery and classification projects. Security pros should work with knowledge management professionals, storage managers, business units, and information officers within their organisation to define and locate customer data as well as agree on and implement an appropriate policy, Penn said.

"The need to come up with a coordinated approach is paramount to really solving this problem and we're not there yet by any means," Penn said. "It's not just the technology – it's the maturity of the organisation to get to that degree of coordination."

Data discovery and data classification are also the most expensive technologies studied in the report because that state of the market requires organisations and users to adopt multiple tools to carry out the projects, Penn said.

"Data discovery and data classification tools right now are not at the level of maturity where you can buy a single tool or product to coordinate everything," Penn said. "That's why those tools will be lagging by which the speed they are adopted."

Dedicated tape and backup encryption technologies are expected to decline in the next five years, according to the report. The tools are fairly mature and are being built into storage devices instead of being purchased separately, Penn said.

In the future, Penn recommends security and risk professionals build awareness and momentum around understanding data and enforcing policy.

"I think that's the biggest challenge – getting people involved and coordinating an understanding of data," Penn said. "Security professionals have not been able to do this so far, but they need to move slowly and work with the legal department and build up support for coordinating projects together so an organisation has a single view of the policy."

Thursday, June 18, 2009

Expert Video -- DLP: Enterprise Tools and Strategies
sponsored by Guardium

Data leak prevention (DLP) tools are a hot ticket on the security market, but what are they really capable of, and how easy are they to operate?

In this interview, DLP expert Rich Mogull expounds on the multifaceted uses of these tools and gives best practices for implementation and operation. Topics addressed include:
  • How much information a DLP tool needs in order to be effective
  • Eye-openers that companies experience when using the tools
  • DLP tools' deep inspection capabilities
  • Whether full suite DLP tools are preferable to individual DLP solutions
Click the following link for the video:
http://link.brightcove.com/services/player/bcpid17952547001?bclid=17971677001&bctid=18010200001

Speaker
Rich Mogull, Founder, Securosis LLC
Rich Mogull has over 17 years experience in information security, physical security, and risk management. Prior to founding Securosis, Rich spent 7 years as one of the leading security analysts with Gartner, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner’s top international speakers. He is one of the world’s premier authorities on data security technologies.

Wednesday, June 17, 2009

Report: No Magic Bullet For Database, Server Security
New Forrester report says encryption, data monitoring technologies key tools for now
contributed by Kelly Jackson Higgins, DarkReading

There's no quick fix for securing data on databases and servers, and new tools that can prevent attacks on these systems are a long way off, according to a new report.

For the near term, encryption will remain the most popular defense for locking down data on databases and servers, while database monitoring and Web filtering will continue to be pervasive tools for breach detection, according to Forrester Research's new report.

Protecting data on servers and databases has never been easy, and doing so has become only more challenging with mobile users, cloud computing, and an unstable employment climate, says Jonathan Penn, vice president of tech industry strategy/security at Forrester, who co-authored the report with Forrester's Andrew Jaquith. "Over the foreseeable planning horizon, help for CISOs will not arrive in the form of a miracle tonic. Forrester does not foresee that a miraculous technology -- for example, error-free data discovery and classification -- will emerge to save the day," he says.

Instead, existing "brute force" tools, like encryption and data masking, will continue to emerge as the key tools to keeping data under wraps, while database monitoring and Web application filtering will provide insight into breaches. "While prevention may not prove practical in all cases, detection will be," Penn says. Compliance and contractual requirements will keep organizations buying those technologies, which "give them visibility to theft, corruption, and abuse as it happens," he adds.

The Payment Card Industry Data Security Standard (PCI DSS) and states' data breach disclosure laws are driving enterprises to adopt these data security technologies.

Meanwhile, enterprises aren't ready to deploy data discovery and classification technologies, Forrester says. The data discovery market won't mature for several years, Forrester says, even though the concept of crawling an enterprise network to find where the sensitive data lives should be a no-brainer by now in this age of big search engines.

Data classification, meanwhile, won't hit its stride until about 2014, when security-specific data classification tools will blend with knowledge management and electronic records classification technologies.

"Classification is a challenge because many different groups are looking at [it] from different perspectives and not coordinating their efforts," Penn says. The security, storage management, legal departments, and information/knowledge management groups all need these tools, but they won't make it into the organization until security/risk management and information/knowledge management team up, he says.

"These groups will realize that by aligning their interests, they can be more effective, consolidate vendors, and cut costs," Penn says.

Plus, data classification tools, such as data protection, archiving/retention, e-discovery, and knowledge management, are very focused, he says. "For example, e-discovery classification tools have far less sophistication in their content analysis capabilities than the DLP [data leakage protection] tools security people are employing," he says. "Classification needs to be done in the infrastructure, across areas, so that a file managed by the archive system is classified the same way that a rights management [system] would classify it when deciding who can look at it, and the same way a DLP product would classify it when deciding whether a user can send it off to a USB or by email."

Forrester's report, "TechRadar For Vendor Strategy Professionals: Database And Server Data Security, Q2 2009," is geared for vendors looking at how to plan their strategies in this space.

Why Your Databases Are Vulnerable to Attack - And What You Can Do About It
contributed by Dark Reading

Most of an enterprise’s most sensitive and valuable information resides in databases. Yet, in many organizations, database security is often neglected, misunderstood, or even ignored. In this report, we discover why databases have become one of the most popular targets for hackers - and how everyday mistakes in database administration contribute to these attacks. We also offer some advice on what your organization can do to protect your most critical data - and to stop hackers in their tracks.

To read more, you can download the whitepaper HERE.

Best Practices for Improved Database Security: Data Discovery and Classification for Database Activity Monitoring
contributed by Imperva, Inc.

Read this white paper to learn the need for database discovery and data classification, two processes that constitute the first steps in database activity monitoring.

Download from HERE.

Protect: Protect Today, Secure Your Future. Best Practices
Publisher Symantec Corporation

Preventing data breaches is a primary challenge. Companies must adopt industry best practices that help them build a robust security program for effective enterprise data protection. These best practices also enable companies to demonstrate compliance with both internal policies and key government regulations.

To find out more, please download the whitepaper from HERE.

Guardium appoints new director of sales for government markets
contributed by http://www.datamonitor.com

Jun 15, 2009 (Datamonitor via COMTEX) -- Guardium, a database security company, has appointed Craig Marr as director of sales for government markets.

Mr Marr has more than 20 years of federal technology sales experience, including more than 13 years focusing on security. He served as director of federal sales for IBM/Internet Security Systems (ISS), the trusted security advisor to thousands of government organizations and businesses. At ISS, he also teamed on federal programs with system integrators such as CSC, Lockheed Martin, Northrop Grumman, SRA, General Dynamics, Unisys, IBM and Boeing.

Ram Metser, CEO of Guardium, said: "Emerging insider threats and cyber threats, particularly from sophisticated hackers and criminals looking to infiltrate the US government, reinforce the immediate need for agencies to have strong automated controls in place to safeguard sensitive information and demonstrate compliance. With Craig's extensive industry experience coupled with Guardium's innovative technology and major reference accounts, we expect to further expand our footprint as federal spending in this vital area continues to grow."

Tuesday, June 9, 2009

Abu Dhabi Commercial Bank Implements Guardium to Strengthen Database Controls

Abu Dhabi Commercial Bank (ADCB)
Abu Dhabi Commercial Bank has announced the successful implementation of Guardium's real-time database security and monitoring solution to prevent unauthorized changes to critical financial tables by privileged users such as DBAs.


ADCB started deploying Guardium in December 2008 through StarLink, which has a distribution partnership with Guardium covering the entire Middle East region. ADCB was looking for a database auditing approach that would deploy without disruption and with no impact on the databases, and Guardium met these criteria.

"We were seeking a unified, cross-DBMS solution that delivers granular, real-time controls without the complexity, overhead and risk of native DBMS-resident auditing, and Guardium fulfilled all our requirements. Our goal is to ensure that critical information is stored securely through the adoption of best-of-breed technologies," said Steve Dulvin, Head of IT Security at Abu Dhabi Commercial Bank.

"Through partnering with Guardium, ADCB will ensure the integrity of enterprise data and help to enforce change controls, while simplifying and automating compliance processes," Steve added. "Unlike traditional database logging solutions, Guardium provides 100% visibility into all database activities - including both privileged and application user actions - across all DBMS platforms, without impacting on performance or IT infrastructure. We believe in layered security to ensure confidentiality and integrity of the bank's & customer information."

Guardium monitors all database transactions without adding overhead or relying on traditional DBMS-resident logs, which can easily be disabled by DBAs. It creates a verifiable audit trail of all transactions - including DBA activities that access databases via "back-door" protocols such as Oracle Bequeath, named pipes and shared memory - and generates real-time security alerts whenever policy violations are detected. This enables organizations to effectively enforce corporate change controls, such as preventing changes outside of authorized change windows, and automates the entire compliance auditing process.
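The change-window control described in the release can be expressed as a small detection rule. The Python below is an added example, not Guardium's code or log format: it reads constructed JSON audit records, extracts the table each change statement targets, and raises an alert when a critical table is modified outside an authorized window, whatever account or client program issued the statement. Table names, users, programs and the window itself are illustrative.

```python
"""Added example: alert on changes to critical tables outside an authorized change
window, from constructed JSON audit records (not any product's log format).
"""
import json
import re
from datetime import datetime, time

CRITICAL_TABLES = {"gl_ledger", "customer_accounts"}
# Authorized change windows as (weekday, start, end) in UTC; Monday = 0, Saturday = 5
CHANGE_WINDOWS = [(5, time(2, 0), time(6, 0))]

# Statements that modify data or structure, and the table they name
CHANGE_RE = re.compile(
    r"^\s*(UPDATE|DELETE\s+FROM|INSERT\s+INTO|ALTER\s+TABLE|DROP\s+TABLE|"
    r"TRUNCATE\s+TABLE|CREATE\s+TABLE)\s+([\w.]+)", re.IGNORECASE)


def in_change_window(ts: datetime) -> bool:
    """True when the timestamp falls inside any authorized window."""
    return any(ts.weekday() == day and start <= ts.time() < end
               for day, start, end in CHANGE_WINDOWS)


def changed_table(sql: str):
    """Return the lower-cased table a change statement targets, or None for reads."""
    match = CHANGE_RE.match(sql)
    if not match:
        return None
    return match.group(2).split(".")[-1].lower()


def evaluate(event: dict):
    """Return an alert dict when the event violates change control, else None."""
    table = changed_table(event["sql"])
    if table not in CRITICAL_TABLES:
        return None
    ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    if in_change_window(ts):
        return None
    return {"ts": event["ts"], "db_user": event["db_user"], "program": event["program"],
            "table": table, "reason": "change to critical table outside authorized window"}


def detect(lines) -> list:
    """Run every JSON audit record through evaluate() and collect the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = evaluate(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed audit records; 2009-06-06 is a Saturday, inside the window above
SAMPLE_EVENTS = """
{"ts": "2009-06-06T03:15:00Z", "db_user": "dba_ops", "program": "sqlplus", "sql": "ALTER TABLE gl_ledger ADD fx_rate NUMBER"}
{"ts": "2009-06-09T09:00:00Z", "db_user": "analyst", "program": "report_tool", "sql": "SELECT count(*) FROM gl_ledger"}
{"ts": "2009-06-09T14:22:10Z", "db_user": "dba_ops", "program": "sqlplus", "sql": "UPDATE gl_ledger SET balance = balance + 1000 WHERE acct = 42"}
{"ts": "2009-06-09T14:25:00Z", "db_user": "app_svc", "program": "banking_app", "sql": "INSERT INTO txn_log VALUES (1, 'ok')"}
{"ts": "2009-06-09T23:50:00Z", "db_user": "system", "program": "sqlplus", "sql": "DROP TABLE customer_accounts"}
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Of the five constructed records only two produce alerts: the Tuesday afternoon UPDATE and the late-night DROP, both against critical tables. The Saturday ALTER is inside the window and the INSERT into a non-critical table is ignored, which is the behaviour a change-control rule needs so that it does not drown the authorized work in noise.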

-Ends-

T-Mobile mum on hacker claim

The company claims to have beefed up database security since then. And it almost certainly has done that. Nonetheless, Paul Davie, COO of security firm ...

To read more about the stories, please click HERE.

Sunday, June 7, 2009

Merrick Bank vs. Savvis Could Affect "Liability Dynamic"
contributed by SANS NewsBites Vol. 11 Num 44

The lawsuit brought by Merrick Bank against Savvis raised important
issues about compliance and liability. Merrick, a merchant bank, is
suing Savvis because Savvis's certification of CardSystems as compliant
with Visa CISP (a compliance standard that predates the Payment Card
Industry Data Security Standard, or PCI-DSS) was faulty, causing Merrick
to lose US $16 million after CardSystems suffered a data security
breach. Merrick is alleging negligence and negligent misrepresentation.
The case could "force increased scrutiny [of] largely self-regulated
credit-card security practices," and raises the specter of
government-imposed regulation. One article also points out that to
generate an accurate report, auditors rely on honesty and cooperation
from the people at the entity being audited.

read more

Monday, June 1, 2009

Security Experts Raise Alarm Over Insider Threats
Economic troubles raising the stakes on potential threats, FIRST members say
By Tim Wilson, DarkReading

Security researchers and other experts are turning up the heat on insider threats, warning enterprises that the problem is growing and could prove devastating for many enterprises.

In preparation for its meeting in Japan next month, the Forum of Incident Response and Security Teams (FIRST) issued a press release in which its senior officers urge organizations to step up their efforts to protect themselves from insider attacks, saying that many are "ill-prepared for an onslaught which could prove calamitous."

"One of the greatest security threats of our times is from insiders, as organizations lay off tens of thousands of workers," said Scott McIntyre, a FIRST steering committee member and representative of the Netherlands-based KPN Computer Emergency Response Team (CERT). "People know the axe is coming, and the longer employers prolong the swing of that axe, the more danger they expose themselves to, either from sabotage or data theft. An employee who thinks he or she is [going to be laid off] can start fouling up systems which are critical to the organization, or decide to take an unauthorized pay-off by stealing a mass of data."

read more ......

Cyber attacks continue to grow
Hacking, viruses breach government, industry, university firewalls

contributed by msnbc.com news services

Cyber espionage, attacks, breaches, viruses — they are all among the concerns President Barack Obama cited Friday when he announced he will create a new White House office of cyber security, with that cyber czar reporting to the National Security Council as well as to the National Economic Council.

The nation’s vulnerability to cyber attacks has long been a concern. The Center for Strategic and International Studies said in a December report that the U.S. Defense Department alone has said its computers are probed hundreds of thousands of times each day.

These publicly known cases of hacks, thefts and viruses at government, military, utilities and educational sites are just some examples:

read more ......

Aetna Contacts 65,000 After Web Site Data Breach
Jeremy Kirk, IDG News Service


Insurance company Aetna has contacted 65,000 current and former employees whose Social Security numbers (SSNs) may have been compromised in a Web site data breach.

The job application Web site also held names, phone numbers, e-mail and mailing addresses for up to 450,000 applicants, Aetna spokeswoman Cynthia Michener said. SSNs for those people were not stored on the site, which was maintained by an external vendor.

The company found out about the breach earlier this month when people began receiving spam messages that appeared to come from Aetna and complained to the company, Michener said. The spam purported to be a response to a job inquiry and requested more personal information.

The spam campaign showed the intruders successfully harvested e-mail addresses from the Web site, although Michener said it's not clear if SSNs were also obtained.

Nonetheless, Aetna sent letters last week notifying the 65,000 people whose SSNs were on the site of the breach. The company is offering them one year of free credit monitoring, as SSNs are often used by identity thieves.

"We wanted to err on the side of caution," Michener said.

Aetna hired an IT forensics company to investigate how the Web site had been compromised. "At this point despite a thorough review, they've not been able to pinpoint the precise breach," Michener said.

Aetna posted alerts on the job site, its main Web site and its internal intranet about the spam campaign, Michener said.

read more

Friday, May 29, 2009

Anti-U.S. Hackers Infiltrate Army Servers

read more

Data breach prevention techniques: Helping customers avoid data breaches
Allen Zuk, Contributor

No one wants to read about their organization -- or that of their customers -- in the headlines following a breach of customer data or other sensitive information. And now that the Privacy Rights Clearing House maintains a comprehensive list of all known data breaches since 2005, major breaches live on in infamy long after the incident. Even more embarrassing is that most breaches are preventable.

In this tip, we'll review data breach prevention techniques and policies that can help ensure your customers don't make headlines for the wrong reasons.

Data breach prevention techniques
There are numerous techniques and a variety of tools that can help stop leakage or loss of information. In the following sections, we will briefly discuss each method and what solution providers can do to help their clients implement stopgaps to improve their overall information security posture.

Information security policies
Instituting information security policies and procedures is the least expensive way to help combat data loss. Policies and procedures are developed to instill a common set of principles for all personnel. That being said, policies and guidelines are also infrequently enforced. If staff members are not educated on these policies and guidelines, then enforcement becomes almost impossible.


To start, help your customers by either assisting them with conducting an information security policy assessment or by offering them the service. Solution providers will need to be well-versed in the use of information security baseline standards, such as ISO 27002 (formerly ISO 17799) and COBIT. Having a thorough understanding of these guidelines will help you (the solution provider) position yourself as a trusted advisor to the client.

Solution providers should have solid policy-writing skills and knowledge of the various data breach laws as well as those that are being drafted. Solution providers also need to be aware of the various State Security Breach Notification Laws that are in existence and to be able to articulate and integrate these with their clients' information security policies. Other best practices include making sure customers update their antivirus software, and maintaining an exit policy for employees that ensures privileges are revoked.

Emerging technologies
There are a variety of products available in the DLP (data loss prevention) category that combine software management with policy implementation and control. These products provide an "automated" mechanism that acts on the attributes defined in the policy. In the simplest terms, they let the administrator define criteria that determine how information may flow into and out of the organization, and they provide an audit trail and alert notifications when those criteria are violated.

DLP vendors that offer such products include NextLabs Inc., Orchestria Corp., Proofpoint Inc., Vericept Corp., Verdasys Inc. and Symantec Corp. (via its acquisition of Vontu). Their technologies utilize customizable "policies" defined by the organization to monitor, report against, redirect and stop data flow within the organization's network and computing systems. When enabled, these products could, for instance, disable USB ports or prevent laptops from accessing the network.

Solution providers should be well versed in the use and application of these tools to assist their clients with policy development and implementation. Organizations often face challenges implementing and managing their data loss prevention programs, and solution providers should be prepared to fill those gaps.

Information technology risk management assessments
An information technology risk management assessment can be used to assess a company's information security posture. It gauges the effectiveness of IT security controls and ensures the implemented security technologies do not introduce unnecessary risk and exposure to the business.

The risk management assessment includes two core program components: the first is a snapshot of the organization's current maturity posture for the security and management of the technologies implemented; the second is a detailed gap analysis report that includes a mitigation roadmap containing recommendations for continuous improvement.

The information risk management maturity matrix diagram illustrates a sample maturity matrix used to evaluate an organization's current and desired posture for IT/IS security and management.

Partner with third-party vendors that specialize in conducting risk management assessments. Leverage your relationship with the customer and introduce your extended advisory support by offering strategic assessments of the customer's IT risk posture. Demonstrate the value these assessments have with simple yet effective "heat maps." Heat maps are high-impact illustrations that pinpoint specific gaps or deficiencies visually, so the client sees where to focus resources immediately. The heat map diagram illustrates a sample "heat map" highlighting areas of severe deficiency (red), minimal deficiency (yellow) and no deficiency (green).

Conclusion
While it is nearly impossible to completely stop all data loss and data leakage, there are a variety of options to mitigate the risk and exposure. However, this is not to say that solution providers should simply throw an assortment of tools, policies and approaches at the problem.

The best value a solution provider can bring to the customer is to understand the organization, its challenges and obstacles, and develop a strategy that integrates fundamental policies for awareness and education with technologies aimed at preventing the unauthorized removal of corporate information assets, and a comprehensive IT risk management assessment to reduce the risk of breaches and exposure.

Thursday, May 28, 2009

LexisNexis data breach may have affected 32,000 people

To read more about the article, please click HERE.

Hackers take over PIN numbers via banking vulnerabilities to leave us all exposed to fraud

To read more about the article, please click HERE.

Credit card fraud expected to increase as banks instructed to use real-time monitoring

To read more about the article, please click HERE.

British consumers do not trust the government to protect data but are satisfied with banks

To read more about the article, please click HERE.

More Than 80% Of Phishing Attacks Use Hijacked, Legitimate Websites

New research from the Anti-Phishing Working Group shows how phishers are better covering their tracks -- and what to do when phishers compromise your Website

To read more about the story, please click HERE.

Saturday, May 23, 2009

10 Essential Steps to Oracle & MS-SQL Security & Compliance
contributed by Guardium

Securing customer and corporate data - while reducing staff workload - has become a top priority for most organizations. It is critical to be able to protect sensitive data from both insider and outsider threats.

Learn the first steps and best practices for effectively securing Oracle, SQL Server, DB2, MySQL and Sybase environments, including:

  • Hack-proofing your databases (with specific tips for each DBMS platform)
  • Tracking security vulnerabilities
  • Anatomy of buffer overflow vulnerabilities
  • Why database auditing is important
  • Resources and further reading

Download an essential chapter from "Implementing Database Security and Auditing" (Elsevier Digital Press), authored by database security expert and Guardium CTO Ron Bennatan, Ph. D. This 413-page book contains hundreds of practical tips and examples for protecting sensitive information and passing audits smoothly.

Download HERE.

15 Minutes to a Secure Business: Daily Practices for IT Security Management
contributed by McAfee, Inc.

Download the whitepaper from HERE.

Thursday, May 21, 2009

How to prevent a cross-site tracing vulnerability exploit
contributed by Michael Cobb

My constant concern about rushed and unrealistic development timetables for websites was borne out the other day when I was called in to investigate what turned out to be a case of cross-site tracing (XST).
A cross-site tracing attack exploits ActiveX, Flash, Java and other controls that allow the execution of an HTTP TRACE request. The attack is not a new one; it was discovered by Web security researcher Jeremiah Grossman in 2003, and enables an attacker to gain access to an individual's cookies and authentication credential information.
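The mitigation for XST is to make sure the web server never answers TRACE (or the equivalent TRACK) at all, so there is nothing for a client-side control to read back. The WSGI middleware below is an added example, not code from the original tip: it answers both methods with 405 Method Not Allowed before the request reaches the application, and a small driver builds `wsgiref` test environments so the behaviour can be checked offline. The inner `sample_app` and the `Allow` list are constructed placeholders.

```python
"""Added example: WSGI middleware that refuses HTTP TRACE and TRACK so the server
never echoes a request (the behaviour cross-site tracing depends on)."""
from wsgiref.util import setup_testing_defaults

# TRACK is the equivalent method some servers have accepted; refuse both.
DENIED_METHODS = {"TRACE", "TRACK"}


def deny_trace(app):
    """Wrap a WSGI app so TRACE/TRACK are answered with 405 before reaching it."""
    def middleware(environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if method in DENIED_METHODS:
            body = b"Method Not Allowed\n"
            start_response("405 Method Not Allowed", [
                ("Content-Type", "text/plain"),
                ("Allow", "GET, HEAD, POST"),       # constructed list for the sample app
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)
    return middleware


def sample_app(environ, start_response):
    """Constructed placeholder application protected by the middleware."""
    body = b"hello\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, method: str, path: str = "/"):
    """Drive a WSGI app with a synthetic request; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


protected = deny_trace(sample_app)

if __name__ == "__main__":
    for method in ("GET", "TRACE", "TRACK"):
        status, _, _ = call(protected, method)
        print(f"{method:5} -> {status}")
```

Where Apache fronts the application, the same effect comes from the `TraceEnable off` directive; enforcing the refusal in the application layer as well covers deployments where the application server is reached directly.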


Read More.

Most security breaches originate internally
sponsored by TechRepublic

To read more, please go HERE.

E-Guide: A Batch File to Back up All Active-State BlackBerry Databases
sponsored by Blackberry

To read more, download the whitepaper HERE.

Developing an Effective Corporate Mobile Policy
sponsored by Blackberry

To read the whitepaper, please download from HERE.

Securing Web Applications and Databases for Payment Card Industry Compliance: The Most Challenging Aspects of PCI Compliance

courtesy of Imperva, Inc.

To read more, download the whitepaper HERE.

Wednesday, May 20, 2009

Zscaler EDUCATIONAL WEBCAST: Keynote by GARTNER'S Peter Firstbrook,
"Newer Threats and Newer Defenses against Web 2.0"


Learn more at http://www.sans.org/info/43728

Complete Firewall Security Audits in 25% of the time with Tufin.

Learn how at http://www.sans.org/info/43718

UK Serious Organized Crime Agency Tackles Cybercrime
contributed by SANS Newsletter Vol. 11 Num 39

The UK's Serious Organized Crime Agency (SOCA) revealed in its annual
report how it has been involved in tackling cybercrime. The report
highlights the agency's involvement in the FBI's undercover operation
against the online criminal forum Darkmarket. The results of that case
resulted in 57 arrests worldwide, including 12 in the UK, and over
16,000 compromised UK credit cards being recovered. The agency also
discussed its investigation into the attempted GB229 million robbery at
Sumitomo Mitsui Banking Corporation in London resulting in the
conviction of five men. SOCA has also recently called for greater use
of "remote search" techniques, which allow law enforcement agencies to
legally hack into a suspect's computer, in tackling cybercrime.
http://news.zdnet.co.uk/security/0,1000000189,39652583,00.htm
http://www.pcadvisor.co.uk/news/index.cfm?newsid=115940
http://www.theregister.co.uk/2009/05/15/soca_hacking/
http://www.soca.gov.uk/assessPublications/

Monday, May 18, 2009

Former FBI Agent Gets Probation for Unauthorized Data Access
contributed by SANS NewsBites Vol.11 Num 38

Former FBI agent Mark Rossini was sentenced to one year of probation for
using agency computers to search for information about a Hollywood
wiretapping case in which he was not involved. Rossini admitted that
he gave the information to a woman he was dating who then gave it to an
attorney for Anthony Pellicano, a private investigator who is presently
serving a 15-year sentence for wiretapping celebrities' phones for
clients. Rossini pleaded guilty to five counts of criminal computer
access late last year. He also faces fines amounting to US $5,000.
http://www.nextgov.com/nextgov/ng_20090514_8408.php
[Editor's Note (Northcutt): The problem with a hand-slap type sentence
at a time when the government is increasing access to private data about
citizens, is that it sends the wrong signal. It needs to be clear that
abusing lawful access is wrong. And the government needs to implement
role-based access control. Far too often, if you have access, you have
access to everything.]

DHS Information Sharing Platform Breached
contributed by SANS NewsBites Vol.11 Num 38

A US Department of Homeland Security official has acknowledged a
security breach of the platform the department uses to share sensitive,
unclassified information with state and local authorities. Chief
Information Officer for DHS Office of Operations Coordination and
Planning Harry McDavid said that the US Computer Emergency Readiness
Team detected two intrusions into the Homeland Security Information
Network: one in March and one in April. The intruders managed to gain
access to the system through an account belonging to a federal employee
or contractor.
http://fcw.com/Articles/2009/05/13/Web-DHS-HSIN-intrusion-hack.aspx
[Editor's Note (Pescatore): The new secretary of the Department of
Energy, Steven Chu, was recently quoted as saying "well-meaning people"
in the chief information officer's office and in the procurement and
finance offices "whose job it is to protect the Department of Energy"
actually hinder what the department can do. I hope he looks at this DHS
incident to make sure that DoE increases, vs. decreases, building
security into its systems and applications.
(Northcutt): "... gained ACCESS through an account belonging to a federal
employee." Maybe we could get a special holiday commissioned, "access
control day."]

Friday, May 15, 2009

MAINTAINING YOUR CUSTOMERS' SECURITY AMID LAYOFFS
Kevin McDonald, Contributor

According to a recent study commissioned by Symantec Corp. and conducted by Ponemon Institute, 59% of nearly 1,000 former employees surveyed admitted to stealing data from their employers. If an employee believes he or she may be laid off, passed over for a raise, or asked to do more for less, they may be compelled to cause damage by deleting or stealing data. Are you putting measures in place to maintain your customers' security amid layoffs? Could you tell whether something had been stolen or damaged? Could you assist them in legal proceedings or would you become a defendant for failing to protect them?

Read the rest of this tip:
http://go.techtarget.com/r/6879887/648712
Reducing Corporate Risk: Best-practices Data Protection Strategy for
Remote and Branch Offices (ROBOs)

Blackberry Enterprise Solution: Security Technical Overview

Observe IT Pro 4.0.3 - Free Software for Recording & Replaying Terminal
and Citrix Sessions

Data loss prevention benefits in the real world

[by Rich Mogull, Contributor]

Data loss prevention (DLP) is one of the most promising, and least
understood, security technologies to emerge during the last few
years. It dangles promises of ubiquitous content protection before
our eyes, with shadows of complexity and cost looming over its
shoulder. As with everything, the reality is somewhere in between.
Users see it forming the core of their data protection initiatives
because of its ability to identify where data is located, where it's
moving and how it's being used. In this article, DLP users explain
how the technology works in the real world.

Download the May 2009 issue of "Information Security" in PDF format.