Database Security

Up-to-date syndicated information on database privacy, security, audit and compliance
  • Six steps to SAM

    Posted on July 3rd, 2009 ScottR No comments

    Software asset management (SAM) doesn’t have to be a daunting process. It can be very simple and rewarding if implemented properly. Here are six necessary steps to a successful SAM program (tongue twister eh?):

    1.     Know and understand your SLAs for all your software vendors (not all licensing agreements are created equal), the terms and conditions, and if you have questions, ask your rep or a consultant to explain them to you. Now this seems basic and it should be, but I would be remiss not to mention it here as the first step.

    2.     Take an inventory of all of your IT assets - software and hardware. With Oracle entering the hardware business, companies need to be aware that this may be of significance to future ITAM. Keep track of what is currently in use, who has access to it and where it is being used. Is it being accessed remotely? How many employees are using it at the same time? While this sounds simple enough, take step 2 and tie it back into step 1.

    3.    Compare and contrast your inventory to the most up-to-date software purchasing records to determine whether or not you have assets that are out of compliance. This should also be checked against employee usage - perhaps more than one employee is using the same license, which does not comply with your SLA on that program.

    4.     Fix the problems. Once you know what the problem is, uninstall software that is not compliant, buy additional licenses and re-negotiate your contract(s). You must plan for the needs of the business over the next 12-18 months to determine whether or not additional licenses will be needed in the near term.

    5.     Further planning is needed now that you have a clean slate and have fixed compliance issues. Now is the time to implement a plan for the future, which may include developing a repository for assets, purchasing SAM software with an automated discovery tool, or bringing in outside help. It is always a good idea to assign a group of internal managers to oversee the process and of course, get buy-in from the management team (which can be done by showcasing cost savings associated with a proper SAM program). You will also need to develop and market a new set of policies and procedures across your organization that will keep employees from misusing licenses.

    6.    Keep it up! After a plan is in place; policies and procedures have been created and communicated; and licensing is up to date, the last step is maintaining the SAM program. Remember to:

  • Continually run reports on your IT assets to ensure that you are remaining in compliance as business needs change.
  • Re-educate employees on IT policies as turnover occurs and/or the business changes.
  • Guard your assets – for example – when an employee leaves the company, be sure that they don’t have copies of your software on their home computers or have a burned disk of your software. You are liable for the terms and conditions, not the ex-employee.

  • News: iPhone crashing bug could lead to serious exploit

    Posted on July 3rd, 2009 SecurityFocus News No comments
    iPhone crashing bug could lead to serious exploit

  • Brief: Researcher aims to tweet Month of Bugs

    Posted on July 3rd, 2009 SecurityFocus News No comments
    Researcher aims to tweet Month of Bugs
  • And the results are in… The Forrester Enterprise GRC Platform Wave 2009

    Posted on July 2nd, 2009 Chris McClean No comments

    Chris McClean

    The launch of any new research report is exciting, but I’m especially happy to see the publication of The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009.

    The evaluation speaks for itself. Forrester goes through great pains to assure a fair, detailed process that looks into the strengths and weaknesses customers care about most — and this Wave is no exception. But considering the amount of time and effort we spent putting this report together, I wanted to provide some additional thoughts on what I learned during the process:

    • Wave research is very rewarding. Among best practices, trends, and other reports, the Wave research is probably the most enjoyable for me and beneficial to our corporate customers. In a relatively short time period, I sat through hours and hours and hours of product demos (really, it’s not as bad as you think), debated with vendors about market dynamics, and analyzed massive amounts of customer reference data. During the evaluation process, I was also working on several vendor selection projects with Forrester customers. Since the Wave criteria are based on buyer demands, the research I was doing was very applicable to my customer engagements as well.

    In addition, the comprehensive and transparent nature of the Wave methodology helps to justify all of the scores and analysis. That means that if a customer (or former colleague) has a question about any of the results, they are able to see exactly what criteria I used and why I scored each vendor the way I did (and then of course they can proceed to agree or disagree as they see fit).

    • It’s impossible to include everything. The GRC landscape is vast. For every vendor that appeared in the Wave, there were probably at least two more that wanted to be included. Some were not invited because they didn’t meet all of the participation criteria, while others were invited but declined to participate because they couldn’t meet our required information requests and/or deadlines. The vendors evaluated here, however, have demonstrated strong customer successes and ability to meet the market demands we see from the hundreds of GRC inquiries and advisories we do every year.

    One thing you may not be able to tell from the graphic alone is how each vendor is trending relative to their market position. Yes, the vendors that have stayed on top of the Leaders category have had to work very hard to maintain that position. However, it’s often other vendors that are showing the most innovation and progress. In fact, I spend quite a bit of time discussing this in the Wave report as well as a podcast I recently recorded.

    • GRC buyers and implementations are more mature. While this will come out more in upcoming reports, GRC buyers and users are more sophisticated than ever. Current budget constraints may require implementations to start very small, but more and more, organizations are seeing the long-term value of comprehensive GRC that spans across compliance, risk, audit, IT, and other departments.

    Software firms have responded appropriately, which means they can't be easily segmented by which vendors target risk management professionals or which target compliance professionals... the best ones are addressing all relevant users. With that in mind, I chose not to segment out separate Wave graphics for Governance users, Risk users, and Compliance users. If we are truly set on the unique value GRC brings by combining these functions, we should focus on solutions that address each of their needs simultaneously.

    For customers that are looking for solutions that skew to specific areas of GRC, I would recommend using our Wave model to adjust the score weightings to meet your unique needs. Are you more interested in products that can help automate your control testing? Do you care more about training and awareness capabilities? You can adjust the weightings of these criteria as you see fit, and then see which vendors rise to the top of your own custom Wave.

    I wanted to thank all of the vendors that participated and the teams that spent time gathering the necessary information for our evaluation. For those that did not participate, rest assured... we still get a lot of customer inquiries asking for details about vendors that are not in the Wave. And so it is of course my intention to keep up to date with all vendors in the GRC market.

    For GRC buyers, there are of course questions that you have that could not be fully covered in this report. I encourage you to look through the details of our evaluation, and feel free to set up an inquiry to discuss any other issues in more detail.

    [posted by Chris McClean]

  • Enterprise Asset Management: Latest Developments for a Vendor

    Posted on July 2nd, 2009 koti No comments
  • TfL Board Meeting Report – 06/09: Roads, Buses and Cars

    Posted on July 2nd, 2009 Mwmbwls No comments
  • IT Security the Gartner Way…

    Posted on July 2nd, 2009 Tom Bain No comments

    Sitting here at the Gartner IT Security Summit in National Harbor, MD, something occurred to me. No, it’s not that the Gaylord Center is perhaps the nicest, most expansive conference center I’ve ever been to. And no, it’s not the fact that I was able to book a $300 last-minute ticket into National, previously unheard of before this economic meltdown.


    Nope. It’s the fact that the sun is out. And it’s shining on IT Security. OK, bad segue.

    There’s some considerable buzz here, and a few prevalent themes. Generally speaking, there was the usual buzz about cloud computing and securing those applications.


    There was also a major buzz around the capabilities that come out of data-centric security applications like DLP, IAM and SIEM. From a world events perspective, Obama’s appointment of a cybersecurity czar was referenced more than a few times.

    The one thread that really fed through every panel, both from vendors and analysts, was embarking on collaborative efforts between security and compliance – and then, proving an ROI to your management team from programs and spend.

    Here are some of the session highlights from those I attended. (More on this in Part II, as I report on some of the analyst presentations.)

    First off, one of the keynotes brought up some interesting issues. The session My Role in Information Security was interesting because they paired an interesting cross-section of panelists: a security engineer, an auditor, a CIO and a CISO.

    Keynotes:

    Ken Mory, the Chief Auditor for San Diego County, was an especially interesting panelist. As the others debated security-centric stuff, I’ll paraphrase Ken here.

    1. Compliance drives budgets – speaking from his own experience at the state level, compliance initiatives help drive security budgets. You need to meet a particular mandate? Well, that opens up spending, period. This was backed up by Daniel Nunez who said the same thing in a SecureWorks-sponsored session – when you have regulatory initiatives like PCI smack you in the face, all of a sudden there’s money.
    2. Ken also commented that compliance helps managers keep their jobs – learn how to get away from security-centric speak and communicate a clear ROI – and you will get what you need.
    3. Lastly, and most interesting, was that he sees the IT department as the biggest threat to organizations – no, not external attacks, no, not malware, but the IT department itself. Great stuff Ken, it’s refreshing to hear it stated so cut and dried. Now, why isn’t every CISO up all night worrying about compliance?



    The other guys had some good points too – Eric Cowperwaithe, CISO, Providence Health and Services, made the point that security really is the ultimate centralizing force within an organization where every other department is fragmented and decentralized. Basically, he’s saying that if you embrace this, you can win this battle.

    Another interesting point in this keynote came up based on an audience question, which was around securing the cloud. Jeff Goeke-Smith, a security engineer from Michigan State, said that essentially, from the security operations side of the house, all that means is just sticking a whole bunch of apps in someone else’s data center.

    Good stuff for a keynote, when typically these are too high-level for their own good and don’t accomplish much. I have another post coming in which I’ll review a few analyst and vendor presentations. Stay tuned.

  • NAC Can Play An Important Role In Securing The Nation’s Critical Infrastructure

    Posted on July 2nd, 2009 Usman Sindhu No comments

    I came across an interesting article discussing how the U.S. Department of State has recently shown interest in adopting network access control (NAC) tools that perform pre-admission access control. The intent is driving the development of standards that help organizations secure their network from malicious hacker attempts. There is a mounting concern that the nation's critical infrastructure — ranging from the electricity grid to banking systems to defense contractors — is far from being secure. To this end, the SANS (SysAdmin, Audit, Network, Security) Institute has worked with security professionals both inside and outside of government agencies to develop the Consensus Audit Guidelines. There are 20 controls in this program to tackle cybersecurity issues. NAC is identified to help with “Critical Control 12: Malware Defenses.”


    NAC helps organizations create or leverage existing security policies by enforcing them at the various layers of the network. The most common use case for NAC is to enforce policies for keeping endpoints up-to-date; this includes patch management and system configuration. However, this is a pretty rudimentary use case. NAC is much more valuable when applied to the automation of various security, asset management, and access control policies. That’s why NAC is such a good fit in many cybersecurity initiatives. Specifically, it can help: 1) develop a secure B2B environment; 2) build a secure Smart Grid; and 3) streamline government and industry compliance mandates like FISMA, NERC, PCI DSS, and HIPAA.


    We predict NAC tools will play an important role in end-to-end access control lifecycle management. The majority of cybersecurity initiatives require an ongoing management of user identity tied to specific users’ devices and applications. But there will need to be some enhancements beyond today’s standard NAC deployment. The industry needs to build out support for the TNC IF-MAP standards. Doing so will make sure NAC plays a critical component in building out: 1) IAM-based solutions to provide role-based access control; and 2) next generation SOC initiatives that leverage SIM to monitor assets and devices for vulnerabilities and threats.


    The U.S. Department of State’s interest in implementing Consensus Audit Guidelines in conjunction with NAC is encouraging, but at the same time it's important not to pigeonhole NAC’s functions to commodity features like pre/post admission, remediation, and policy enforcement. Organizations should look at the bigger picture and specifically how NAC can help streamline security operations by automating and performing recursive security tasks.

    Can NAC help the federal government to streamline controls for cybersecurity initiatives?


  • IT Security’s Critical Role During Layoffs

    Posted on July 2nd, 2009 Bill Nagel No comments
    The Gateway Recession of 2009 has brought the prospect of slowing sales and profits — and job losses. Although layoffs are never desirable, they are often necessary. Much of the responsibility for keeping company data safe during layoffs falls to security and risk professionals. When enterprises must think the unthinkable, Forrester recommends a four-step action plan to safeguard sensitive data and secrets. Enterprises should: 1) Prepare a comprehensive plan by creating a team composed of IT, HR, PR, executives, and legal; 2) practice executing the plan by simulating deprovisioning activities and war-gaming failure scenarios; 3) execute the plan when day zero comes; and 4) evaluate the successes or failures of deprovisioning, information protection, and monitoring activities. Enterprises should supplement these tactical activities by implementing technologies like data leak prevention (DLP) and PC backups to create a sustainable, ongoing data protection program.
  • Client Firms Scrutinize Green IT Services Providers

    Posted on July 2nd, 2009 Bill Nagel No comments
    Data from Forrester's Business Data Services surveys show continued interest in green IT services. One-third of the surveyed enterprises plan for a green IT services engagement in the coming year. Some of these prospective clients are aggressively using green selection criteria when they choose a services provider, a trend that we expect to grow markedly in the coming years. To get ready, green IT service providers must get more explicit about their partnership structures and offer a well-rounded suite of services that enable clients to improve their sustainability posture while reducing costs, differentiating their firm, and mitigating risks.
  • Khmer Rouge torture survivor saw “hell on earth”

    Posted on July 1st, 2009 Aggregated DB Security News Headlines No comments
    PHNOM PENH (Reuters) - One of the few survivors of the Khmer Rouge's notorious Tuol Sleng prison gave chilling testimony of "hell on earth" when he faced his former torturer at a U.N.-backed war crimes tribunal on Wednesday.
  • CCTV Maintenance, Camera Systems Need Maintenance Too | Article Todays

    Posted on July 1st, 2009 No comments
    CCTV systems are like a machine. Each different part of the machine, cameras, housings, mounts, cables and connectors, multiplexer, recorder and monitor are all individual parts of a single machine. Should any one of the parts fail, the machine is br
  • Brief: Mozilla adds more privacy in Firefox 3.5

    Posted on July 1st, 2009 SecurityFocus News No comments
    Mozilla adds more privacy in Firefox 3.5

  • Brief: Juniper pulls talk on ATM vulnerabilities

    Posted on July 1st, 2009 SecurityFocus News No comments
    Juniper pulls talk on ATM vulnerabilities
  • The Forrester Wave(tm): Enterprise Governance, Risk, And Compliance Platforms, Q3 2009

    Posted on July 1st, 2009 Bill Nagel No comments
    The enterprise governance, risk, and compliance (GRC) market is still relatively young, populated primarily by small but solid pure-play vendors. Growing corporate concerns have raised market expectations, however, bringing new competition from startups as well as industry giants into an already-crowded space. Forrester evaluated 14 enterprise GRC platform vendors using 80 criteria. BWise, OpenPages, and Thomson Reuters earned the highest scores overall due to their comprehensive capabilities and strong market strategies. MetricStream and AXENTIS made impressive showings in the Leader category as well. The Strong Performers included Archer Technologies, Cura Software Solutions, and Strategic Thought Group near the top, followed by Protiviti, MEGA, and Methodware. Meanwhile, SAI Global, SAP, and Trintech finished as GRC Contenders.
  • TSA’s Muddy Response to the Clear Shutdown

    Posted on June 30th, 2009 Andrew Jaquith No comments

    Andrew Jaquith

    Earlier today, a friend of mine sent out a Twitter post indicating that Verified Identity Pass, the operator of the soon-to-be defunct Clear “Registered Traveler” program, might be interested in selling the data it possesses about its customers. For those of you unfamiliar with the DHS-sponsored Registered Traveler program, the idea is that in exchange for being fairly seriously vetted, you can speed through the security lines at airports. In this case “serious vetting” doesn’t mean a Scientology-style videotape confession or forfeiting your firstborn child, but it does involve being checked on terror watch lists and sharing a lot of personally identifying information.

    The concern that the original story posted on Wired raised was whether this failed business might seek to profit by selling personal data. Here’s what I know:

    1. Clear collects enough personal information to make it a gold mine for identity thieves. Verified Identity Pass collects immense amounts of personally identifiable information so that it can determine applicant eligibility, as required by the TSA. The data collected includes scans of the applicant’s irises and fingerprints. Clear also collects the applicant’s social security number and credit card number, which is used for payment, and biographic information for vetting. It makes digital copies of identifying documents like passports or driver licenses. It is allowed by the TSA to retain all of these things in its data centers.
    2. Verified Identity Pass could sell its customer information to another Registered Traveler operator. Verified Identity Pass states, in a letter to customers, that the personal information it has collected could potentially be sold to third parties. In answer to the question, “will personally identifiable information be sold?” VIP answers, “The personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.”
    3. TSA deflected concerns about what might happen to Clear's customer information. In its own statement about Clear, TSA answers concerns about disposition of personal information this way: “Questions about how the data is managed should be directed to the vendor. Clear has assured TSA that it is appropriately safeguarding the data. RT service providers were required to use customer data for purposes of the RT program unless customers expressly opted-in to other uses.”

    Based on the facts, I’ve concluded that:

    • When faced with a cash crunch, companies toss privacy policies aside. No matter how ironclad the seeming promises of privacy, now that it’s in financial trouble Verified Identity Pass thinks it can make a buck on its customers’ personal information. It seems to be treating the highly sensitive information its customers have provided to them as assets to be bought and sold, not as other peoples’ secrets that they are obligated to protect. Clear’s written privacy policy is a model of clarity and economy. It is a shame their customer letter, written under pressure in the rush to shut down, cannot give a simple “yes” or “no” answer about whether they will actually try to sell the stuff. Their evasiveness is shameful.
    • The Bush administration’s disregard for citizen privacy will take years to undo. The TSA’s feeble response to the issue of Clear’s customer data is laughable. How can the TSA simply “direct questions to the vendor?” The TSA Undersecretary must be high — and not 35,000 feet high, either. Despite all of the fine words in the recent cybersecurity plan (which I blogged about recently) noting the importance of citizen privacy, these are not a substitute for action. Inaction, in this case, speaks louder than words.
    • Some things shouldn’t be left to the private sector. When the Aviation and Transportation Security Act was passed, it established the TSA’s authority to take over passenger screening operations at airports. Why? Because the private sector was seen as doing a lousy job, and the function was thought to be so vital to the national interest that it should be run by the government. Why should the Registered Traveler program be any different? The Clear program hasn’t exactly kept its nose clean: nearly a year ago, staff lost an unencrypted laptop containing personal information on 33,000 passengers.
    Here's what TSA should do: impound Clear’s customer data immediately, using the authority granted it under ATSA §114(f). It should also release a real response to Clear customers that states in clear language exactly how and when traveler personal information collected by Clear will be destroyed. Finally, it should seek funding for a federally-managed Registered Traveler program, rather than punting to the private sector, if such a program is still deemed desirable. If Congress has no appetite for a federally-run Registered Traveler program, it should be shut down completely.
  • Fun ways to learn SQL injection

    Posted on June 30th, 2009 Team No comments

    50 ways to Inject your SQL

    http://www.youtube.com/watch?v=5pSsLnNJIa4

    I see your input’s not validated properly
    You have to check it at all tiers: 1, 2 and 3
    Give me a browser and quite soon you will agree. There must be
    50 ways to inject your SQL

    You see it really is my business to intrude
    The CTO wants to see this web app broke into
    Turn on my proxy and all doubt will be removed. There must be
    50 ways to inject your SQL
    50 ways to inject your SQL

    Try a quick hack, Jack
    Add a new row, Joe
    Try an insert, Kurt
    Change their SQL query

    Evade the regex, Rex
    Encode it all in hex
    Unbalance the quotes, Vinod
    And change the query

    Break the syntax, Max
    Use a backslash, Cash
    Try command shell, Mel,
    And change the query

    Use “one equals one,” son,
    Unhandled exception!
    Read the stack trace, ace
    and change the query

    He said our application is secure against your kind
    There are no simple vulnerabilities to find
    I said your coders write their code like they are blind, there must be
    50 ways to inject your SQL

  • Taliban scrap deal in Pakistan tribal area

    Posted on June 30th, 2009 Aggregated DB Security News Headlines No comments
  • New Jersey Appeals Court Broadly Construes Employee’s “Right To Privacy” Using Company Computers

    Posted on June 30th, 2009 Privacy and Data Protection Practice Group No comments

    Before resigning from Loving Care Agency and suing the company for discrimination, Marina Stengart used her company-issued laptop to exchange e-mail with her attorney through her personal Yahoo! e-mail account. Loving Care’s computer forensic expert recovered these e-mails from the laptop. Loving Care’s counsel referenced some of them during discovery; Stengart’s counsel demanded the return of all of the e-mail. In a prior blog entry, we discussed the trial court’s ruling that Stengart had waived the attorney-client privilege in light of certain warnings in Loving Care’s computer use policy.

    Last week, a New Jersey appellate court reversed the trial court’s ruling. According to the appellate court, Loving Care failed to show that Stengart ever had received the computer use policy. The court also found that the policy did not adequately warn Stengart that Loving Care might read e-mail sent through her personal e-mail account. Employers can address these shortcomings in the following ways:

    • obtain from each employee an executed acknowledgement of receipt of the corporate computer use policy;
    • inform employees that the employer will, in its discretion, review any communication or file stored on any company-owned device;
    • specifically warn employees that the policy applies to copies of e-mail sent through a personal e-mail account that remain on company computers;
    • inform employees that corporate electronic resources cannot be used, without authorization, to consult with an attorney.

    Significantly, the New Jersey court suggested that even if Loving Care had taken all of the steps listed above, Stengart still would not have waived attorney-client privilege. The court based that conclusion on the following language:

    When an employee, at work, engages in personal communications via a company computer, the company's interest . . . is not in the content of those communications; the company's legitimate interest is in the fact that the employee is engaging in business other than the company's business. Certainly, an employer may monitor whether an employee is distracted from the employer's business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee's personal communications.

    In other words, according to the court, an employer cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy, except when the content of the e-mail needs to be known to determine whether the employee violated company policy or acted unlawfully. This aspect of the court’s opinion, which appears to be non-binding dicta (except when applied to communications between an employee and her attorney), is groundbreaking. If the decision is not reversed on appeal to the New Jersey Supreme Court, employers should expect to see the Stengart case resurface in future employment litigation contending that employers improperly accessed employees’ “personal e-mail.”

    This entry was co-authored by Philip L. Gordon and Paul H. Mazer.

  • June 2009 Alert

    Posted on June 30th, 2009 Kristen Romonovich No comments

    The June 2009 Alert, Unified Compliance Framework, is now available: http://gocsi.com/membersonly/showArticle.jhtml?articleID=218102039&catID=14122. If you’re a CSI member, go read it! If you’re not, shoot an e-mail to me at kristen.romonovich@ubm.com or call 212-600-3026.

    This issue of the Alert considers an area of considerable challenge to many security and compliance professionals—that of achieving, proving and maintaining compliance with many regulations at once. We discuss both how to leverage unified compliance projects and how to develop your own internal unified compliance program.

    Find out why one of the largest such projects, the Unified Compliance Framework, has been slow to truly take off, and what some security, privacy and compliance officers have done in other organizations to tackle this issue.

  • The Forrester Wave(tm): Enterprise Database Management Systems, Q2 2009

    Posted on June 30th, 2009 Bill Nagel No comments
    In Forrester's 153-criteria evaluation of enterprise open source and closed source database management systems (DBMSes), we found that Oracle, IBM, Microsoft, and Sybase lead the pack because each offers mature, high-performance, scalable, secure, and flexible solutions. It was no surprise to see Oracle dominating in most of the features and functionality such as performance, availability, security, and administration. IBM DB2 for Linux, UNIX, and Windows showed strong support for application and data integration, performance, scalability, and administration, while Microsoft has impressive capabilities for database programmability, application development, administration, and security. Sybase Adaptive Server Enterprise continues to show improvement in its product, offering good support for availability, performance, and administration. IBM Informix Dynamic Server, MySQL, and Ingres came out as Strong Performers, following very closely on the heels of the Leaders and offering very respectable alternatives and a multitude of choices for application developers and architects. PostgreSQL lacks the Leaders' breadth of features but is a reputable Contender for some use cases.
  • GRC for financial compliance

    Posted on June 29th, 2009 ScottR No comments

    We are always talking about software asset management (SAM) as a means to cut costs and also keep up with compliance. For financial firms, SAM, combined with a Governance, Risk and Compliance (GRC) program, is a necessity to keep those regulators happy. Many firms choose to use GRC software to automate the process should they get audited (which they frequently do) to have information at the ready. Here are some tips for those that are in need of a GRC program to track data and remain in compliance:

  • Location, Location - know where your important financial data resides; you will need to be able to map where your data is at all times and be sure to have a structure in place to track it. This can be done with network diagrams or even with a discovery tool.
  • Controls - controls and/or policies should always be in place to protect your data. Who has access and who does not also needs to be tracked. Create a repository, just like you would for your software assets, for your financial controls, policy documents and security configurations.
  • Log all activity - you need to track your systems' vulnerabilities, and know who is accessing what and when.
  • Process for mapping data - a good GRC software program should have an underlying workflow and project management engine that can link data to specific regulations. This way, multiple reports can be automatically generated, creating a central compliance reporting process.

    Another thing to consider when shopping for GRC software is that not all organizations have the same needs; therefore, finding a solution that fits your business may be a larger task than the actual implementation. Keep in mind that there is a difference between compliance and security, and both should be addressed as individual processes. Regulators will be looking for processes for both to be in place and therefore both needs should be addressed.

  • Oracle Fusion 11g Middleware Launch Webcast

    Posted on June 29th, 2009 An Expert's Guide to Oracle Technology No comments
    As I mentioned a while back, Fusion Middleware 11g will be launching, officially, on July 1. You can join the festivities in DC by logging into the webcast, July 1 at 10am EST. I don't know if the breakout sessions will be included but it will be at least the keynote and I would bet a demo, possibly even Fusion Apps (the future of EBusiness). I saw a demo of Fusion Apps at ODTUG Kaleidoscope and
  • Hot Insurance Tech Companies To Watch In 2009: Q2 Update

    Posted on June 29th, 2009 Bill Nagel No comments
    The past year has tested the mettle of the insurance industry. Insurers like The Hartford Financial Services Group and Lincoln National Group converted to bank holding companies to take advantage of Troubled Asset Relief Program (TARP) funds. The downturn laid waste to an industry that had been seen as a safe employment haven, and, because of its financial conservatism, the industry shifted its cost-cutting focus into high gear. These insurance industry changes have prompted the emergence of new approaches, new vendors, and new markets that are changing the insurance technology vendor landscape. This report provides brief descriptions of companies meeting diverse or emerging insurance industry needs and offers insights into new strategic opportunities for vendor partnerships and acquisitions in areas like agent performance management, business intelligence and analytics, and core insurance applications for global insurers.
  • Brief: Jackson searches resemble attack to Google

    Posted on June 29th, 2009 SecurityFocus News No comments
    Jackson searches resemble attack to Google
  • 2 Day Oracle Security Seminar in York, England

    Posted on June 28th, 2009 Pete Finnigan's Oracle security weblog No comments

    We are holding a public training event in my home city of York on July 13th and July 14th 2009. The two day seminar is aimed at getting anyone who needs to perform a security audit of an Oracle database....[Read More]

    Posted by Pete On 01/06/09 At 12:52 PM

  • Two sets of slides added from Helsinki and Wolverhampton

    Posted on June 28th, 2009 Pete Finnigan's Oracle security weblog No comments

    I have just uploaded the slides from two recent talks. I gave my Oracle security masterclass in Helsinki for the OUGF last week which went really well and also yesterday I gave my talk "the right way to secure a....[Read More]

    Posted by Pete On 21/05/09 At 05:10 PM

  • Checking if a password is valid using SQL

    Posted on June 28th, 2009 Pete Finnigan's Oracle security weblog No comments

    A question was posted on the Oak table mailing list some time back asking if it's possible to validate a user's password from within the database without creating a session. One of the replies suggested looking at my PL/SQL based....[Read More]

    Posted by Pete On 11/05/09 At 02:28 PM

  • The right way to secure a database

    Posted on June 28th, 2009 Pete Finnigan's Oracle security weblog No comments

    I have just posted the slides to my recent talk ( The Right Method To Secure An Oracle Database ) at the UKOUG Northern Server technology day held in my home city of York to my Oracle security white papers....[Read More]

    Posted by Pete On 01/05/09 At 11:08 AM

  • April 2009 CPU is out

    Posted on June 28th, 2009 Pete Finnigan's Oracle security weblog No comments

    Oracle Corp. issued 43 fixes Tuesday as part of its quarterly Critical Patch Update, repairing flaws in its database management system, application server and application product lines. "Oracle issues 43 updates, fixes serious database flaws" Oracle's advisory is....[Read More]

    Posted by Pete On 15/04/09 At 05:57 PM