Yesterday, Verizon issued its 2009 Data Breach Investigations Report, and what stands out is the report’s finding of increased exploitation of known network or database weaknesses by outsiders. Specifically, 91 percent of all compromised records were linked to organized crime groups, and 67 percent of the breaches occurred because of significant errors on the part of network or database security.
One of the two types of hacking identified in the report, SQL injection, has seen a surge since last May and has been tracked intensively by Secerno. The ability to automate SQL injection attacks has resulted in an explosion in the number of these attacks. In plain terms, an SQL injection attack smuggles an extra command into the database query, getting the database to perform an action it was never meant to, such as handing over data. When you combine SQL injection attacks with the presence of organized crime, you have a scenario in which data is stolen or manipulated almost immediately for fraudulent ends. These are not proof-of-concept attacks or efforts by hackers to make a name for themselves. SQL injection has changed the data breach game by providing a quick means of financial gain for organized crime syndicates and others.
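To make the “extra command” concrete, here is an added example (not code from the Secerno post): the same customer lookup written once by splicing user text into the statement and once with a bound parameter, run against an in-memory SQLite table whose rows are constructed here. The table, column names and the sample inputs are all assumptions for the illustration.

```python
"""Added example: string-built query beside its parameterised form (SQLite in memory)."""
import sqlite3


def make_db():
    # Constructed sample data: three customers with a card fragment each.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "1111"), (2, "bob", "2222"), (3, "carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted text becomes part of the statement, so it can change the query's logic.
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # The statement shape is fixed; the value travels separately as a bound parameter
    # and is compared as data, never interpreted as SQL.
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a benign name and with a constructed tautology input."""
    conn = make_db()
    benign = "bob"
    hostile = "x' OR '1'='1"  # constructed: appends an always-true condition to the WHERE clause
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # every row comes back
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_hostile": lookup_parameterized(conn, hostile),  # no such customer: empty
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The parameterised version is the fix a developer applies; the rest of the post is about what to do at the database layer when you cannot assume every application has been fixed.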
Verizon provided solid recommendations for prevention against data breaches, including not holding sensitive data. Obviously all businesses run on data so this, they admit, is not practicable so they advise “the next best thing is to retain only what is required for business or legal reasons, to know where it lives and flows, and to protect it diligently.”
Secerno recommends taking these efforts one step further: understand the typical behaviour of every database and block activity that deviates from it. This granular level of understanding is essential in environments under threat, but unfortunately it is not commonplace; as Verizon found, 69 percent of the data breaches were discovered by a third party.
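One simple way to turn “typical behaviour” into something a database can be defended with, as an added example that is not Secerno’s product logic: reduce every statement to its structural template (literals replaced by a placeholder, whitespace collapsed, case folded), learn the set of templates seen during normal operation, and block anything whose template was never seen. The training statements and the checked statements below are constructed for the illustration.

```python
"""Added example: a statement-template baseline that blocks unfamiliar query shapes."""
import re

# String literals (with '' escapes) and numeric literals are the parts of a statement
# that legitimately vary from request to request; everything else is structure.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
_WS = re.compile(r"\s+")


def fingerprint(sql):
    """Reduce a statement to its structural template."""
    template = _LITERAL.sub("?", sql.strip())
    template = _WS.sub(" ", template)
    return template.lower()


class QueryBaseline:
    """Allow-list of statement templates learned from observed, normal traffic."""

    def __init__(self):
        self.allowed = set()

    def learn(self, statements):
        for s in statements:
            self.allowed.add(fingerprint(s))

    def check(self, sql):
        """Return ('allow'|'block', template) for a new statement."""
        fp = fingerprint(sql)
        return ("allow" if fp in self.allowed else "block", fp)


def demo():
    # Constructed: what the application normally sends during the learning period.
    training = [
        "SELECT name, card_last4 FROM customers WHERE id = 42",
        "SELECT name, card_last4 FROM customers WHERE id = 7",
        "UPDATE customers SET name = 'Alice' WHERE id = 42",
    ]
    baseline = QueryBaseline()
    baseline.learn(training)
    # Constructed: a normal request, one with an extra clause, and a bulk read.
    return {
        "normal": baseline.check("SELECT name, card_last4 FROM customers WHERE id = 99"),
        "extra_clause": baseline.check("SELECT name, card_last4 FROM customers WHERE id = 99 OR 1 = 1"),
        "bulk_read": baseline.check("SELECT name, card_last4 FROM customers"),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

The point is that the decision never depends on recognising a known bad string: a statement is blocked simply because its shape is not one the application has ever produced. A real deployment needs a proper SQL tokenizer rather than two regular expressions, and a learning period long enough to cover rare but legitimate statements.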
Understanding where data flows and protecting databases diligently is what we do at Secerno.
Thursday, 16 April 2009
Wednesday, 15 April 2009
The excitement builds towards the RSA Conference
It seems IT security people are turning their attention to next week’s RSA Conference, 20th - 24th April 2009, Moscone Centre, San Francisco. It is probably one of the premier IT security trade shows on the planet (Register here to attend).
Secerno will again be actively attending and you can visit us on stand 2259. For me, I have a busy schedule for the week.
First I have a McAfee partner presentation at the theater in the SIA Partner Pavilion (booth #1017). I will be talking about the challenges of data security and how the Secerno and McAfee integration provides a compelling solution.
Later in the same day I am a member of the panel “In The Cloud or on the Desktop? Expert Views of Data Security Trends”. The panel moderator is Dr. Larry Ponemon, Founder, Ponemon Institute and he is supported by an interesting group of panelists: Eva Chen, Trend Micro CEO; Mary Ann Davidson, CSO Oracle; Renee Guttman, CISO Time Warner; and myself, Dr. Steve Moyle, CTO Secerno. There are some lively personalities on the panel, so if the session is even half as interesting as our pre-conference calls, then the audience will be educated and entertained. The Session ID is HOT-107 and will start at 16:10 PST.
Finally, I have a presentation “Beyond Regular Expressions: the Future of Data Protection” on Wednesday 22nd April at 08:00 PST. This is a Network session and I will be using practical examples to drive home why security founded on regular expression signatures is a technological blind alley. Even more compelling are the mathematical foundations that prove why application languages (like SQL and JavaScript) can never be defended using regular languages (like regular expressions). If you want to find out more, feel free to attend Session ID: NET-201.
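The mathematical point can be shown in a few lines. As an added example (not material from the talk or from Secerno), the code below builds a regular expression that accepts parenthesised expressions nested at most k deep, which is the best any regular language can do, and shows that it stops matching at depth k+1, while a recogniser with a counter (a push-down automaton degenerates to a counter for a single bracket kind) accepts any depth. The SQL-flavoured inputs are constructed for the illustration.

```python
"""Added example: regular expressions versus nesting, the reason regex signatures run out of depth."""
import re


def balanced_regex(depth):
    """Regex accepting text whose parentheses nest at most `depth` levels deep.
    Each extra level must be spelled out in the pattern; there is no regex for 'any depth'."""
    inner = r"[^()]*"
    for _ in range(depth):
        inner = r"(?:[^()]|\(" + inner + r"\))*"
    return re.compile(inner)


def regex_accepts(pattern, text):
    return pattern.fullmatch(text) is not None


def counter_accepts(text):
    """Grammar-aware recogniser: one counter handles balanced parentheses of any depth."""
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:          # a closing bracket with nothing open
                return False
    return depth == 0


def nested(n):
    """Constructed input: a SELECT with n levels of parentheses around a literal."""
    return "SELECT " + "(" * n + "1" + ")" * n


def demo(k=3):
    pat = balanced_regex(k)
    return {
        "regex_depth_k": regex_accepts(pat, nested(k)),              # True
        "regex_depth_k_plus_1": regex_accepts(pat, nested(k + 1)),   # False: one level too many
        "counter_depth_k_plus_1": counter_accepts(nested(k + 1)),    # True
        "counter_unbalanced": counter_accepts("SELECT (1"),          # False
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

SQL and JavaScript nest (subqueries, parenthesised expressions, function calls), so a signature written as a regular expression necessarily has a depth beyond which it no longer sees the structure it is meant to judge; a recogniser built from the language’s grammar has no such ceiling.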
If you are at the RSA Conference feel free to come and say hello.
Labels:
data security,
RSA Conference,
security in the cloud
Wednesday, 1 April 2009
Protecting the April Fool
This year's April Fool's day has had concerns about whether the Conficker worm will trigger or not. I am keen to go beyond malware and consider a more general security question: How do we distinguish between the fool that only wants to comply with the law and the diligent person that wants to protect their precious assets?
When it comes to physical systems we have all seen it. Take the wearing of helmets for motorcyclists for example. We can only presume that the head is precious enough to protect, but it has taken legislation and policing to get riders to wear helmets. There is a great range of motorcycle helmets on the market with varying features and price.


It is easy to spot those riders that are not interested in true protection – the chopper riders that choose to wear a helmet that is a skimpy fashion item – like the small open face cap that sits on top of the skull. It looks really cool, complies with the minimum standard of the law – but what level of protection does it offer in even the mildest collision? The alternative full-face helmet will truly protect and prevent a visit to the dentist.
Don’t be a data security fool – go beyond compliance and place a full-face security device around your precious data assets.
Labels:
April Fool,
compliance,
Data Protection,
Head protection