Now Showing...The Unprotected!

Its not everyday you see an enterprise software organization have this much fun...or be this creative...but that's just us! Today we launched a new, original dramatic Web film series entitled “The Unprotected.”   Echoing the gritty, fast-paced, dramatic style of "The Wire" and "24", the five-part "webisodic" series highlights real world database security, risk and compliance issues that enterprise organizations face every day.

“The Unprotected" is the first film project developed by Application Security, Inc. The trailer can be viewed immediately and the pilot episode will debut on October 19, with weekly releases of new “webisodes” through mid-November. I mean, we have to keep you in suspense...

The Unprotected" tells the story of Greencrest Financial, a financial services firm that must achieve compliance by the end of the quarter. Unfortunately, Greencrest is failing its audit and also realized they were hacked, compromising tens of thousands of sensitive customer records.

For more information on our exciting new film series, visit www.theunprotected.net yourself, and check out the press release.

Oracle World begins

The show has started and our first session was jam packed." Know what you're up against" is our theme and world champion Byamba is here promoting the message. Stop by if you are in San Fran.
Jeff Coveney

Sent via wireless BlackBerry. Please excuse brevity or typos.

Are Financial Services Organizations Protecting Themselves Better?

Interesting article by Linda McGlasson of Bank Information Security tracking the biggest breaches of 2009. The Identity Theft Center is reporting 356 total data breaches in 2009, 46 or which occurred at financial services organizations.

Of the 46 financial services breaches, IDTC categorized them:

Insider theft: 12 breaches;

Skimming: 8;

Missing paper documents: 10 of the breaches

Exposure of data on the Internet: 4;

Accidental breaches: 2;

Stolen or missing hard drives/laptops: 5;

Outside network intrusions: 2;

Unknown cause: 3.

So between IDTC reporting that fraud cost consumers $1.8 billion and the classification of breach method, doesn't it beg the fact that the thieves are scoring this data from somewhere?

Wait, can you hear that? It sounds like a database being cracked open to steal that information that lead to all that theft. And isn't it more important to protect data where it resides as opposed to focusing on the conduits?

263,379,546?

As of this morning, Privacyrights.org has documented over 263 million records breached ranging from simple laptop thefts to full fledged attacks. The scary thing is this number does not include all the undocumented breaches.

If you are looking for some specific breach examples to build a business case for a database security, risk and compliance solution, check out Privacyrights.org. The site lists just about every documented data breach since 2005.

Information Security: Why Cybercriminals Are Smiling - Knowledge@Wharton

Just came across this great article on how hackers are getting more sophistcated.

Information Security: Why Cybercriminals Are Smiling - Knowledge@Wharton Shared via AddThis

Will the Real Cyber Security Czar Please Stand Up?

Does it strike anyone as odd that even months after the Obama administration announced its cyber security czar, they either can’t find anyone, or no one wants the job?

 

Melissa Hathaway, who was the interim cybersecurity czar, resigned citing personal reasons this week, leaving the job vacant for now.

Are our problems with cyber security simply too large for a dedicated czar to step up and take the reigns? Is it more lucrative to consult to organizations who’ll pay exorbitant amounts of money to expensive advisors to help develop an uber-security posture?

 

Or maybe it’s a matter of politics? Hathaway was one of the holdovers from W’s administration.

 

And let's face it, well, it’s certainly easier to sit on the sidelines and comment. So that’s what we’ll do here.

But we’ll throw out the three qualities Obama should want in the candidate, and see if they stick to the wall – and no, it’s not someone ‘with the right mix of political know-how and deep security expertise.’ C’mon, that’s ridiculous. Here’s some food for thought on what they might want to think about for whoever they get for the job…..

1. Someone who knows the tricks of the trade – someone with a white hat who knows exactly how to break into corporate networks, steal confidential data and not leave a trace. Oh, and they know how to reverse-engineer every step, every piece of code. They know exactly how the most sophisticated attackers get the data they’ve worked hard to get to. Why is this key? Well, they should REALLy understand what they're dealing with, and how knowing these techniques cold can help fight international espionage and global terrorism.

2. Someone not political. Not at all. Who cares if they’re responsible for setting policy? If this individual has the know-how and a broad enough background on the corporate or consultant side, maybe that’s what is need to shake things up. That might just uncover what a lot of people AREN’T doing with regard to this initiative after an initial inventory. Jeez, Barack should have gone to Black Hat in Vegas last week, a perfect recruiting site for this vacant post!

3. Someone who isn’t just a figurehead. They can’t be mired in the muckiness, and they certainly can’t be tethered by both the National Security Council and the National Economic Council. They should head up this group, period. Sure they should be able to deliver a speech to report progress publicly, but they need to come in and get stuff done. Is that too much to ask given the threat landscape and links to terrorist activity that a lack of a cyber security policy presents?

It's so simple, right?

 

IT Security the Gartner Way...

Sitting here at the Gartner IT Security Summit in National Harbor, MD, something occurred to me. No, its not that the Gaylord Center is perhaps the nicest, most expansive conference center I’ve ever been to. And no it’s not the fact that I was able to book a $300 last-minute ticket into National, previously unheard of before this economic meltdown.

 

Nope. It’s the fact that the sun is out. And it’s shining on IT Security. OK bad segway.

There’s some considerable buzz here, and a few prevalent themes. Generally speaking, there was the usual buzz about cloud computing and securing those applications.

 

There was also a major buzz around the capabilities that come out of data-centric security applications like DLP, IAM and SIEM. From a world events perspective, Obama’s appointment of a cybersecurity czar was referenced more than a few times.

The one thread that really fed through every panel, both from vendors and analysts, was embarking on collaborative efforts between security and compliance – and then, proving an ROI to your management team from programs and spend.

Here are some of the session highlights to those I attended. (more on this in Part II as I report on some of the analyst prezos)  

First off, one of the keynotes brought up some interesting issues. The session My Role in Information Security was interesting because thy paired an interesting cross-section of panelists: a security engineer, an auditor, a CIO and a CISO.

Keynotes:

Ken Mory, the Chief Auditor for San Diego County was an especially interesting panelist. As the others debated security-centric stuff, I’ll paraphrase Ken here.

1. Compliance drives budgets – speaking from his own experience at the state level, compliance initiatives help drive security budgets. You need to meet a particular mandate? Well, that opens up spending, period. This was backed up by Daniel Nunez who said the same thing in a SecureWorks-sponsored session – when you have regulatory initiatives like PCI smack you in the face, all of a sudden there’s money.
2. Ken also commented that compliance helps managers keep their jobs – learn how to get away from security-centric speak and communicate a clear ROI – and you will get what you need.
3. Lastly, and most interesting was that he sees the IT department as the biggest threat to organizations – no, not external attacks, no not malware, but the IT department itself. Great stuff Ken, its refreshing to hear it stated so cut and dried. Now, why isn’t every CISO up all night worrying about compliance?

Great stuff Ken, its refreshing to hear it stated so cut and dried. Now, why isn’t every CISO up all night worrying about compliance?

 

The other guys had some good points too – Eric Cowperwaithe, CISO, Providence Health and Services, made a point saying, security really is the ultimate centralizing force within an organization where every other department is fragmented and decentralized. Basically, he’s saying that if you embrace this, you can win this battle.

Another interesting point in this keynote came up based on an audience question, which was around securing the cloud. Jeff Goeke-Smith, a security engineer from Michigan State, said that essentially, from the security operations side of the house, all that means is just sticking a whole bunch of apps in someone else’s data center.

Good stuff for a keynote, when typically these are too high-level for their own good and don’t accomplish much. Have another post coming I’ll review a few analyst and vendor presentations. Stay tuned.

Healthcare System Going HITECH

There’s been no shortage of announcements on data security out of the Obama administration since he took office. It’s good to see data security’s a priority, but there’s a slew of new initiatives we could probably write a book on at this point.

 

One particularly interesting initiative that was part of the Reinvestment Act is the HITECH Act, otherwise known as the Health Information Technology for Economic and Clinical Health (HITECH) Act. Essentially, incentives have been put in place for healthcare providers and hospitals to digitize their health records.  And never before has HIPAA compliance come to the forefront of importance as it is now.

 

Under HITECH, the economic stimulus program provides nearly $20 billion in funding for HIT, including:
– Up to $44,000 per physician for organizations that implement certified EHR systems
– Potentially more than $10 million for hospitals that implement certified EHR systems

 

Incentive payments are highest for physicians or hospitals that implement (and demonstrate meaningful use of) systems by 2010 and decline each year until 2014, after which time penalties begin to accrue for non-implementation.

 

AppSec presented a webinar with KPMG on this topic last month to resounding reviews. We haven’t seen many vendors focus on this topic, but its possibly one of the most critical data protection and privacy issues organizations have had to contend with in some time, relative of course to electronic health records.

 

What no one is discussing is the migration to EHI on a such a potentially massive scale. Are some IT organizations going to skip steps along the way? Will the incentives blind them so that they don’t take the necessary steps to protect that data and comply with HIPAA? And will it make patients more vulnerable if their data isn’t secured?

 

To demonstrate the increasing importance of HIPAA compliance to protect health information, our own research study showed that a third of respondents failed a security audit of some type, but that almost 40% specifically failed a HIPAA audit. 

 

This points to just how critical HIPAA compliance has become for organizations, and it also speaks to how stringent the standards within HIPAA are.  If you look at the fact that over the past 2-3 years over 40% of respondents have failed a compliance audit, it demonstrates that organizations aren’t prioritizing their security and compliance needs, and most aren’t implementing the required levels of protection.

 

With only a quarter of providers and hospitals currently classifying records electronically, what if only a fraction of providers nationwide skipped steps on their way to going digital?

It’s worth mentioning that organizations found in violation of HIPAA-mandated security measures will incur penalties and collateral damages 10-20 times higher than the cost of HIPAA security compliance. This is important as those entities migrating to electronic records will also be held accountable to HIPAA mandates under the HITECH Act.

 

Application Security, Inc. also took a poll of customers and prospects on their feelings on the HITECH Act:

 

Could the HITECH Act be the catalyst, given the incentives, to make data security a much bigger priority on a global scale?

• 65% - Yes – protecting data will become a global priority as a result
• 10% - No – it won’t make a difference
• 26% - the catalyst will be a large-scale data breach

Will steeper fines set forth by the HITECH Act in accordance with HIPAA get more organizations to comply?
    Yes – 87%
    No – 13%

 

Would you say the HITECH Act will:

• Benefit rather than be a hindrance to IT organizations at hospitals - 46% yes
• Become an obstacle and cost hospitals/physicians more in terms of infrastructure build-out - 49% yes
• Actually make sensitive health information more secure when providers are in full compliance -49% yes

Application Security, Inc. and KPMG have posted some additional resources that will help guide your organization through some of the finer points on the HITECH Act, as well as what you should be looking at relative to the database layer.

 

Is moving toward EHI a good thing? Absolutely. But there’s going to be a lot of data to secure, and to ensure compliance with much stricter HIPAA requirements. We plan to stay on top of this issue and will post more resources soon. Data HAS to be more secure electronically than it is on a piece of paper in a manila folder!!

Obama Administration Cybersecurity Plan Announced

Just to add to this post - the shortlist of candidates to take the cyber-czar position have been announced.

So at RSA we all knew it was coming. And then, BAM!! There it is smacking us in the face with all its might...the Obama Administration Cybersecurity Plan. So, are we all supposed to think that we’ll all be a little more safe from the universe of cyber criminals who stalk consumers and organizations everyday?

Well, no, but there actually, maybe, could be, possibly...hope. What the plan outlines, which is probably most important, is the collaboration between the federal and the private sectors. This has long been a difficult place to seek alignment of ideals, concepts and whoa, maybe technology?

Forrester’s Andy Jaquith has an excellent synopsis of the plan’s announcement. What Jaquith points out is that FISMA policies and regulations are in many ways inadequate. (not just because it doesn’t explicitly call out the database either) But that the focus on compliance has really hampered the effectiveness of these guidelines, based on recent attacks on government systems like FAA.

But the plan is much more about elevating the level of importance of cybersecurity, and essentially overhauling who is responsible and give someone the authority to make the changes necessary to enforce new security standards.

What many pundits of the plan have argued might be a stumbling block is that the new cybersecurity czar who’s yet to be named officially has to report to two agencies - the National Security Council and National Economic Council.

With both agencies pushing dual agendas that ultimately align in many respects, progress is likely, based on the state of the economy and the havoc that massive data attacks can wreak on individuals and organizations.

As the plan outlines the need for increased education, you tend to scratch your head…but with incentives for private sector innovation, this is where the plan gets serious because we all know that innovation is driven out of the private sector – and this helps everyone.

You’ll see that a number of media outlets covering the announcement of the plan looked to AppSec, not surprisingly, for some valuable commentary, including USA Today and New England Cable News. AppSec will continue to support the government's efforts in their acknowledgement of the state of cybersecurity...

Infosec Europe - The Highlights

Just a few short days after RSA, we hit Infosec Europe 2009. A little better facility in Earl’s Court than last year’s Olympia (and the roof doesn’t leak).

Similarly to RSA, there didn’t seem to be one dominant topic threading through the conference, but a few that sparked some conversation. Future attacks was right up there, along with securing the cloud.

For starters, we saw that fear is alive and well overseas as former UK home secretary David Blunkett warned of massive cyber attacks on an unprecedented scale at the 2012 London Olympics. He certainly got things going, saying people defending disparate systems could be outsmarted by a coordinated attack on those systems, due to the distribution and number of different technologies that need to be defended.

Specifically he warned of hacks on ticketing systems, the transport system, hotel bookings and communications that could result in "chaos." Could this be a case of actually inviting hackers to the table by referencing all the different systems they could potentially penetrate? On the other hand, it’s probably just another day in the office for attackers.

Security pundit Bruce Schneier got some face time at Infosec, saying that, among a few things, security is headed to a services model – essentially outsourced. This dovetails into the cloud discussion where a lack of standards around cloud computing means a lack of standards around securing the cloud. But he warned that this shift toward the cloud was inevitable for organizations globally because of the massive cost savings that cloud computing offers.

Sophos was toting their survey that found that a quarter of companies have fallen victim to spam, phishing or malware attacks via these sites. They were also stating that individuals are responsible for TMI (too much information) being shared on social networking sites. That’s all well and good, but to be honest, other than rumors and tiny bytes of data, I don’t think any attacker is looking at information on Facebook and thinking, ‘Oh yeah, I can sell this.”

No sightings of the Queen, Amy Winehouse, or Gordon Ramsay unfortunately. But all in all, a decent forum for security vendors.

RSA 2009 Ramblings (Days 2 & 3)

More on RSA 2009…

As RSA continued through Wednesday and Thursday, an air of optimism seemed to be resonating with most of the vendors and end users that IT Security still has a place in the budget at most organizations. Its great news for all, and we heard from quite a few folks that they were having the most qualified conversations with buyers in a long time at a trade show.

Although, it’s safe to say that there were a few folks who quipped to me after I had asked the obligatory - so ‘how’s RSA going for you’ question that things were slow. Well, that my friend could be because you are selling encrypted USB drives. Or you were trying to sell security solutions with booth babes (yes, companies still do this, even at security shows).

In fact, it would probably be fascinating to sit in on the post-RSA meetings for the companies who did hire booth babes. “So did our message come across to buyers? Did they understand our value proposition?” Either there was consensus that these were times of desperation and they needed sex to sell, or it was April 19th and they scrambled to hire some modeling agency. Maybe they should have just staged a mock protest instead.

  OK, of real importance at RSA, days 2 & 3…

The much-anticipated Melissa Hathaway keynote, although encouraging in many ways, wasn’t as detailed as some would have liked because it was expected that she’d lay out the Obama administration’s plan to address national cybersecurity issues. What she emphasized most was that the commercial, government and academic sectors would have to come together to effectively mitigate the seemingly insurmountable threat environment.

She challenged the vendors at RSA to help come up with innovative ideas and solutions. She challenged government officials not to ignore this problem, especially in the current economic climate. It appears they’ll be creating a new Pentagon cybersecurity command station, and they’ll unveil the overall US cybersecurity plan this month sometime. So while it left folks wanting more, we’ll see what the plan addresses in depth soon…

Also there was a little more banter around cloud computing and virtualization and being able to secure those frameworks. Virtualization was the buzz last year, and the discussions haven’t gone away. 

Anyway, a decent set of recommendations from the Cloud Security Alliance was unveiled that should kick start a framework for organizations to follow in security their cloud environment.

Kaspersky is behind a new media model/content aggregator that could pave the way for other vendors to follow suit. Threat Post is headed up by former eWeek writers Dennis Fisher and Ryan Narraine, with ‘punditry’ content coming from a slew of security vets. Kaspersky isn’t branding this at all, but it seems like an interesting concept that will challenge the trade publications in reporting styles and content delivery.

Lastly, the McAfee party rocked, again. And it wasn’t just the free beer. If you like rock and roll, it was impossible not to like Anthem, a classic rock band that literally lugged stadium-level sound equipment into a small club Mezzanine that surprisingly didn’t shatter windows from the extremely high decibels they were playing at. Stairway to Heaven, check. Hot Blooded, check. Bohemian Rhapsody, check. All this while they had their own music videos for each and every song projected onto one wall of the club, synched precisely with the live performance. Brilliant marketing. I probably need a hearing aid now though.

The bar has been set pretty high to top RSA 2009 next year...

 

RSA 2009 Ramblings

It’s that time of year again…the trees are budding, folks are exiting the winter doldrums and the RSA conference is back again. Yep, every IT Security vendor from New York to Norway, Boston to Budapest and California to Canada is trying to tell you how their solutions will help your organization secure something. 

Some observations from Day 1…

First off – the major news publications are paying attention to our announcement of AppDetectivePro 6.0 User Rights Review.

Oracle acquiring Sun somehow has dominated the conversations on the exhibit floor and briefing rooms. With this announcement, Oracle has managed to dominate headlines at RSA, and its not exactly a security play.

However, there was definitely some banter on the Pentagon hack of their F-35 Lightning II jetfighter project data. What had some folks buzzing was the Journal article’s startling statistic that the government has experienced 18,050 breaches last year.

Compliance is king. We’ve been saying it at AppSec for quite some time now – but honestly organizations MIGHT be getting it now. You can’t silo compliance and security separately – smart companies get this, like us! But it never ceases to amaze when companies integrate half-baked compliance language into how they position themselves…

We met with Byron Achiodo of USA Today/Last Watchdog blog today – if you aren’t reading his articles (or his book) you are missing out. http://lastwatchdog.com/  Its interesting listening to what he’s working on because he is a guy who wants to get inside what is REALLY happening in the hacker universe – what are they doing, how, and how the heck to we stop them? (Um, protect your database environment.)

There’s a lot of anticipation for Melissa Hathaway’s keynote tomorrow on her review of President Obama’s cybersecurity plan. There’s a lot at stake to determine the key areas of focus, not to mention the $$$ supporting this plan.

Flower power - FaceTime staged mock protests across the way from our booth complete with sit-in’s and a guy strumming a guitar. When did the Moscone Center become part of the Haight?

 

Patch 'em up, Patch 'em up....

By Josh Shaul

Every couple of weeks I hear a complaint from a DBA that they have been flagged for a security violation for not running the latest database patch. It usually goes something like:

“I got written up for a high-risk vulnerability because I’m running one or two patches behind the database vendor. I think it’s unfair and more to the point just plain wrong. I checked out the readme files for the missing patches, and there is no listing of any security fix at all, or at least not one that applies to my system.” 

At first glance, this sounds like a pretty solid argument. Why should someone get written up for a serious security violation for missing a patch when it appears that the patch has no security implications? The problem is, sometimes a patch is more then it appears or claims to be. Database vendors, actually nearly all software vendors release patches for their software periodically. Generally there is some description of the patch, what it’s for, etc…. The part that most folks don’t realize is that software vendors make no promises about fully disclosing what changes go into each patch. Some companies choose to document all changes, however most choose to document only the changes that are directly related to issues reported by customers. Issues uncovered internally are generally patched without any notice. This includes both functional bugs and security vulnerabilities.

There was recently a good example of this with an Oracle July 2008 CPU. In that CPU at least one undocumented issue was fixed, a flaw with Database Vault that allows a DBA to bypass the vault protections and gain access to all the data in the system. If you’re not familiar with database vault, it’s a special kind of Oracle database designed to segregate database management from the data being managed. Basically it’s a tool to keep DBAs from looking at sensitive data in the database. The flaw that Oracle corrected made it trivial for anyone with DBA rights to gain access to any data in the database. 

This is important to know about. The vulnerability Oracle fixed is a fairly big one….but it only impacts data vault. In the grand scheme of things, for the database community at large this was a fairly minor issue. Maybe that’s why Oracle chose not to document it. Not enough deployments of database vault to make it worth their while? Embarrassing to fix a vulnerability in a security bolt-on for the database? Who knows. Thing is, if you’re running database vault to protect your organization’s crown jewels, I’m sure you would want to know about this issue. Otherwise you may choose to skip the patch….and that’s really the point of this post. 

Those complaints that I get about missing patches causing security violations always get the same response: “You can’t trust the vendor to fully disclose what a patch fixes, so you should assume the worst case and patch if you want to ensure your systems are protected.” That’s the bottom line. Missing patches, no matter what the readme docs may say, should always be viewed as a security violation. Not doing so leaves you open to get bit on the you know what……. 

So if Oracle didn’t disclose the vulnerability or the fix, how do we know about it? Well, there is the folly of the partial disclosure approach. Some smart security researcher  (Alex Kornburst) found the vulnerability on his own. He reported it to Oracle, and they responded by telling him that this was a known issue that was (silently) fixed in July 2008 CPU. Oracle is getting better about this kind of stuff, but they still have some room for improvement. I hope that as their security processes continue to grow, that they’ll become much more open about what security issues they are fixing with each patch.

It’s got to be a little embarrassing when one of these “secrets” gets out. Oracle has taken so many big steps to improve their perception about being very serious about security (no doubt Oracle is VERY serious about security)…but when this kind of thing happens, it reminds folks of the dark days when security issues were swept under the rug, and that’s not good for anybody…… 

Interested in learning more? Check out Alex’s blog post about this and another issue with database vault:

http://blog.red-database-security.com/2008/11/21/oracle-database-vault-privilege-escalation-exploit-published/ 

Happy New Year everyone!