Monday 17 November 2008

Addressing the insider threat to Database Security

I was out and about on the European Conference circuit again last week. A trip to the Netherlands included an invited presentation at the ISACA Network Security Conference and a scout around the InfoSecurity Netherlands show.

My presentation – “Addressing the insider threat to Database Security” – was well attended with people having to stand in the doorway for the 90 minute session. After the talk, I was approached by a couple of security guys from Germany who wanted to know how they should implement separation of duties on a database (one of the recommendations in my presentation). I suggested they might like to ensure that the database operating system was managed separately from the database itself. This was a sensible enough scheme that they felt comfortable with. They asked whether it was secure. I then explained that it was quite straight forward to get remote operating system access through a badly written application (e.g. SQL Injection + netcat). This made their faces drop! Their moods improved when I said that Secerno DataWall™ neatly stops this.

A couple of the other ISACA presentations that I really liked were from Maksym Schipka of MessageLabs and Steve Orrin of Intel. Maksym gave a very thorough expose of the sophisticated micro-economics of the e-crime world:” Revealing the Secrets of the E-crime Underworld”. This is a world where anonymity rules and every supplier of a “service” is trying to scam every purchaser. I like the idea of “trusted intermediaries” who escrow bespoke malware and test the author’s claims before passing to the end ab-user – and taking a fee for the service. Steve from Intel gave a good session on the ins-and-outs of virtualisation and the security challenges and potential benefits: “From Virtualisation vs. Security to Virtualisation-based Security”. When we chatted after his talk he agreed that Secerno’s offering of a virtualised appliance was aligned with the ideas he spoke about.

I managed to get a few hours in Utrecht at the InfoSecurity Netherlands trade show. This was my first visit to that show and it seemed to be bustling. The usual larger security vendors were there including McAfee as well as many small specialist firms. It was good to see how many F5 resellers there were (F5 and Secerno products have a close relationship – more soon). The number of exhibitors was fewer than the InfoSecurity London show, but more than at the recent RSA Conference Europe – although of course the RSA Conference in San Francisco still trumps them all in terms of size. I was assured by a local journalist that it was bigger and better than last year. So this makes me wonder whether the recession is biting in continental Europe. One of the keynote speakers at InfoSecurity NL was David Litchfield from NGSSoftware. He is the world’s expert on database security having co-authored the “Database Hacker’s Handbook”. I was not able to attend his talk this time but I admire his work.