Archive for the ‘Database Security’ Category
Part III: Identity Analytics and Unstructured Data Analysis
In previous posts of mine (here and here) I introduced our vision of Identity Analytics and the focus and purposes of our R&D activities.
I received a few emails and queries asking to clarify the link between Identity Analytics and Unstructured Data, considering that this was mentioned in the "On Identity Analytics: Setting the Context" HPL Technical Report.
We believe that "Unstructured Data" is a possible, fertile and rich "case study"/scenario in which to explore the concept of Identity Analytics, the applicability of our approach and its potential limitations.
The adoption of new "web 2.0" collaborative tools within organizations (TWiki, Sharepoint, IM, etc.) and social networks (Facebook, LinkedIn, del.icio.us, etc.) provides users with better ways to collaborate, create and share content. At the same time this poses new threats and security risks, due to the nature of unstructured data, the fact that confidentiality issues can emerge from the aggregation of simpler pieces of information, and the difficulty of retaining control over this data. This is where traditional Identity Management solutions can show their limitations and where decision makers need to better understand the implications of their choices and/or the impact of defining new policies.
Our R&D work in Identity Analytics really aims, in this context, to explore how modeling and simulation can help to explain and predict the impact of some of these decisions on the organizations (e.g. in terms of risks, reputation, costs, etc.) and explore options and "trade-offs" by providing "what-if" analysis.
Of course the "unstructured data" scenario is just one of the various scenarios we are exploring. I would be interested in hearing from you about other areas you think the "Identity Analytics" approach could provide help and/or address (decision support) issues you might have.
--- NOTE: use this mirror blog if you prefer posting on an external blog site ---
Security Metrics: NIST “Performance Measurement Guide for Information Security”
NIST has recently released the Revision 1 of their "Special Publication 800-55", called "Performance Measurement Guide for Information Security", which focuses on Security Metrics.
This is of some relevance also for people working in the "Identity Management" space and related control points (despite primarily targeting US federal agencies):
"This document is a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs. Such measures are used to facilitate decision making, improve performance and increase accountability through the collection, analysis, and reporting of relevant performance-related data, providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to an agency's success in achieving its mission. The performance measures development process described in this guide will assist agency information security practitioners in establishing a relationship between information system and program security activities under their purview and the agency mission, helping to demonstrate the value of information security to their organization."
W3C PLING Interest Group – Charter extended until June 2009
Good news. The W3C Policy Languages Interest Group (PLING - co-chairs: Renato Iannella, Marco Casassa Mont) charter has been extended until June 2009.
Please have a look at the PLING Twiki site for current outcomes of phone meetings, discussions and collection of material, about the following policy-related topics: use cases, policy languages review, related initiatives, interesting cases, open issues and scientific resources. Feel free to contribute and ensure that your positions and views are covered.
The PLING Twiki site also provides up-to-date information about coming PLING phone meetings. These meetings are open to anybody interested in the policy topic.
We are looking for speakers who are willing to give a short presentation (30 min) during our phone conferences, illustrating their work in the space of policy/policy management, open/new issues, interesting use cases and their vision in this space.
Survey: Only Eight Percent of Americans are "Very Confident" their Personal Data is Properly Managed
This is the outcome of a recent survey by The Strategic Counsel, at least based on the overview provided by this article (called "Only Eight Percent of Americans are 'Very Confident' Their Personal Data is Safe With Retailers, Banks and Governments"):
"Only an average of eight percent of Americans say they are very confident in the ability of U.S. retailers, government and banks to protect their personal information, according to a national survey commissioned by CA, Inc., and conducted by The Strategic Counsel. The CA 2008 Security and Privacy Survey was done as a follow-up to the 2006 survey. Additionally, the consumer survey indicated that an average of 79 percent of American consumers cite loss of trust and confidence, damage to reputation, and reduced customer satisfaction as consequences of major security and privacy breaches suffered by the business or government organizations that they deal with."
Even more interesting is this statement, mentioned by the above article:
"Businesses used to worry about the hackers and thieves launching denial of service attacks from outside the firewall; now they recognize that their greatest danger lurks within the organization. The good news is that increasingly businesses are turning to identity and access management solutions to ensure that confidential data is safeguarded and available only to the people within the organization who genuinely need to have it."
Well, I only partially agree with the final part of this statement. Turning to identity and access management solutions is indeed important, but it is just one step towards really ensuring that personal and confidential data is managed according to legislation and users' preferences.
First of all, most current IdM solutions are not really privacy-aware and/or do not provide privacy-enhancing capabilities (e.g. privacy-aware access control), which are the basis for preventing PII data from being accessed and used beyond agreed purposes and for the wrong intents ... Secondly, IdM solutions can address the problem only up to a point, since accidents, social engineering, actions by traitors/insiders, and the effects of bad processes and practices can still happen ...
So the other part of the story, for the enterprise, is putting in place proper "data governance processes" and dealing (upfront and periodically) with the necessary risk assessment and management steps. These steps (which should be carried out before deploying any "control point" in the IT infrastructure) are much, much harder to achieve and maintain than simply deploying IdM solutions ...
Oracle Security Advisories and CVE Identifiers
The previous Oracle proprietary numbering scheme had several issues in relation to CVE numbering:
- Oracle provided a mapping to previously released vulnerabilities only for those in core components like Apache and OpenSSL. No mapping was provided for other previously publicly disclosed vulnerabilities, so there are cases where the same vulnerability has two CVE identifiers.
- A single CVE identifier was usually assigned to multiple vulnerabilities in an almost arbitrary fashion, so a CVE identifier might cover vulnerabilities from multiple components and, in the case of the Oracle E-Business Suite, across multiple patches. For Integrigy, this caused problems with our vulnerability scanning tool, AppSentry, since our reports have to handle many-to-many mappings between CVEs, patches, and vulnerabilities.
- The CVE numbers were usually assigned 1-2 days after the Oracle release.
The new Oracle advisory uses a single CVE identifier per vulnerability and maps directly to previously disclosed vulnerabilities (see CVE-2007-1359), although it would have been nice if Oracle had included hyperlinks in the advisory to either CVE or NVD for easier access. It will be interesting to see whether CVE-2007-1359 is fixed in this CPU as CVE-2008-2589, CVE-2008-2594, or CVE-2008-2609; if CVE identifiers for previously disclosed vulnerabilities are not reused, that would reduce the usefulness of the CVE identifiers and again result in duplicate entries in CVE for the same vulnerability.
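The many-to-many problem described above (one CVE id spanning several components and patches under the old scheme, and one vulnerability carrying two CVE ids when prior disclosures were not mapped) is easy to check for mechanically once advisory rows are normalised. The following is an added example, not code from Integrigy or AppSentry: it cross-references constructed advisory rows (the CVE ids `CVE-0000-000x`, component names and patch names are placeholders) and reports both anomalies, plus a tokenizer for pulling CVE ids out of free advisory text.

```python
import re
from collections import defaultdict

# Constructed sample rows: one row per (vulnerability, CVE id) pair as it might be
# extracted from a vendor advisory. The CVE ids, components and patch names are
# placeholders invented for this example, not real identifiers.
CONSTRUCTED_ROWS = [
    {"vuln": "V-1", "component": "Core RDBMS",         "patch": "DB-PATCH-1", "cve": "CVE-0000-0001"},
    {"vuln": "V-2", "component": "Authentication",     "patch": "DB-PATCH-1", "cve": "CVE-0000-0001"},
    {"vuln": "V-3", "component": "Oracle HTTP Server", "patch": "AS-PATCH-1", "cve": "CVE-0000-0001"},
    {"vuln": "V-4", "component": "ModSecurity",        "patch": "AS-PATCH-2", "cve": "CVE-0000-0002"},
    {"vuln": "V-4", "component": "ModSecurity",        "patch": "AS-PATCH-2", "cve": "CVE-0000-0003"},
    {"vuln": "V-5", "component": "Portal",             "patch": "AS-PATCH-3", "cve": "CVE-0000-0004"},
]

# CVE ids are CVE-<4-digit year>-<4 or more digits>; the sequence part was
# widened beyond four digits in 2014, so do not anchor it to exactly four.
CVE_TOKEN_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
CVE_EXACT_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_cve_ids(text):
    """Return the sorted, de-duplicated CVE ids found in a block of advisory text."""
    return sorted({m.group(0) for m in CVE_TOKEN_RE.finditer(text)})


def build_index(rows):
    """Build the four cross-reference tables a report needs from normalised rows."""
    cve_to_vulns = defaultdict(set)
    vuln_to_cves = defaultdict(set)
    cve_to_patches = defaultdict(set)
    cve_to_components = defaultdict(set)
    for r in rows:
        if not CVE_EXACT_RE.match(r["cve"]):
            raise ValueError("malformed CVE id: %r" % r["cve"])
        cve_to_vulns[r["cve"]].add(r["vuln"])
        vuln_to_cves[r["vuln"]].add(r["cve"])
        cve_to_patches[r["cve"]].add(r["patch"])
        cve_to_components[r["cve"]].add(r["component"])
    return {
        "cve_to_vulns": cve_to_vulns,
        "vuln_to_cves": vuln_to_cves,
        "cve_to_patches": cve_to_patches,
        "cve_to_components": cve_to_components,
    }


def cves_spanning_components(rows):
    """CVE ids that cover vulnerabilities in more than one component (old-scheme grouping)."""
    idx = build_index(rows)
    return {cve: sorted(c) for cve, c in idx["cve_to_components"].items() if len(c) > 1}


def vulns_with_duplicate_cves(rows):
    """Vulnerabilities carrying more than one CVE id (a prior disclosure was not mapped)."""
    idx = build_index(rows)
    return {v: sorted(c) for v, c in idx["vuln_to_cves"].items() if len(c) > 1}


def patches_for_cve(rows, cve):
    """All patches a scanner report must list for a given CVE id (may be more than one)."""
    return sorted(build_index(rows)["cve_to_patches"].get(cve, set()))


if __name__ == "__main__":
    print("CVE ids spanning several components:", cves_spanning_components(CONSTRUCTED_ROWS))
    print("Vulnerabilities with duplicate CVE ids:", vulns_with_duplicate_cves(CONSTRUCTED_ROWS))
    print("Patches for CVE-0000-0001:", patches_for_cve(CONSTRUCTED_ROWS, "CVE-0000-0001"))
```

On the constructed rows the first check flags `CVE-0000-0001` (it spans three components and two patches) and the second flags `V-4` (two CVE ids for one ModSecurity issue); under a one-id-per-vulnerability scheme both reports come back empty, which is the property the new advisory format is meant to give.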
Using the CVE Identifiers
Additional information on vulnerabilities can be found either in CVE or in the National Vulnerability Database (NVD) sponsored by the Department of Homeland Security. NVD contains the most detailed information, including a breakdown of the CVSS 2.0 score and links to external references that may have more information on the vulnerability. The typical process is that a generic NVD entry is created with only a reference to the original Oracle advisory; when there is a public disclosure with additional details on the vulnerability, the NVD entry is updated with links to that disclosure. This process should now be much more timely and accurate, as most public disclosures will include the CVE identifier. Usually about 30% of the vulnerabilities per quarter will have additional information, and the database vulnerabilities typically have more information than the other products.
An example of a fully populated entry is the ModSecurity vulnerability that was previously fixed in ModSecurity 2.1.1 -
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1359
An example of an entry with additional details is the buffer overflow in the Oracle AQ package SYS.DBMS_AQELM -
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2607
On Identity Analytics - Part II
In a previous post of mine I announced the release of a new HPL Technical Report, titled "On Identity Analytics: Setting the Context" (authors: Marco Casassa Mont, Adrian Baldwin, Simon Shiu), providing an overview of an HP Labs R&D project in the space of "Identity Analytics".
I received a few emails asking (among other things) about HP/HPL strategies in Identity Management and how Identity Analytics fits in all this. Some additional details follow, based on what I can publicly discuss.
Identity Analytics is an HP Labs project, in the context of the Security Analytics project (Systems Security Lab). The R&D goal of this project is to innovate in the space of Identity Management (in a broad sense, i.e. including also human, social and economic aspects) by moving from an approach purely based on operational Identity Management solutions to an approach that also takes into account the "strategic" needs and requirements of key decision makers (e.g. CIOs/CISOs).
What is the impact on an organisation (e.g. in terms of costs, risks, reputation, trust, etc.) of making strategic decisions and/or defining policies in the space of Identity Management? Are current policies adequate given current (business, security, etc.) objectives? How are technical, educational, human, social and business aspects going to affect the (economic, security and business) outcomes, based on the choices and decisions made? What are the relevant trade-offs that need to be analysed, and how should they be evaluated? How can strategic, forward-looking, "what-if" analysis be provided to decision makers? These are some of the questions to be answered ...
This is a green field, open to innovation. In this context, technical Identity Management solutions are just one aspect of the overall equation (and sometimes not the most important ...), that also includes costs, (security and business) risks, business priorities and economic aspects.
I am confident that there are new business and market opportunities in this space, considering also the current shift (backed by key decision makers) from a pure "compliance-based" approach to a "risk-based" approach ...
Oracle Critical Patch Update July 2008 Pre-Release Analysis
- Overall, 45 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- This is the first CPU that includes fixes for BEA WebLogic, Hyperion BI, and TimesTen Database.
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.6 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.2, and 12.0.x
- Database version 10.2.0.4 is included in the list of affected versions
- Oracle E-Business Suite 11i versions 11.5.9, 11.5.10.0, and 11.5.10.1 are no longer supported for CPUs
Oracle Database
- There are 11 database vulnerabilities and none are remotely exploitable without authentication, which is consistent with previous CPUs. Usually, the vast majority of database vulnerabilities require authentication. However, a portion of these vulnerabilities can be exploited using only PUBLIC privileges accessible by all database accounts.
- The vulnerabilities of most interest are in the Core RDBMS and Authentication components, but the Database Scheduler vulnerability could be interesting.
- At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.5, which for database vulnerabilities should be considered high risk. This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
Oracle Application Server
- There are 9 new Oracle Application Server vulnerabilities, all of which are remotely exploitable without authentication. In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication. The vulnerabilities are in Hyperion BI Plus, Oracle HTTP Server, Oracle Internet Directory, and Oracle Portal.
- The Oracle HTTP Server vulnerabilities may be related to recent Apache HTTP Server and OpenSSL fixes.
- The Oracle Portal vulnerability may be related to CVE-2008-2138, which is an access restriction bypass issue in the WebDav component of Oracle Portal.
Oracle E-Business Suite 11i and R12
- There are 6 new Oracle E-Business Suite 11i and R12 vulnerabilities and none are remotely exploitable without authentication. However, since iStore allows for customer self-registration, most likely these vulnerabilities can be readily exploited by an unprivileged user.
- For the Oracle E-Business Suite 11i, only 11.5.10.2 is now supported for CPUs, and it requires ATG_PF.H RUP 5 or RUP 6 to be installed.
Planning Impact
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
On Identity Analytics: New HP Labs Technical Report
This community might be interested in a new HPL Technical Report, just released, titled "On Identity Analytics: Setting the Context" (authors: Marco Casassa Mont, Adrian Baldwin, Simon Shiu).
This report reflects R&D work we are doing at HP Labs, Systems Security Lab. I am very keen to get your views and input. The abstract of this technical report follows:
"This paper aims at setting the context for "Identity Analytics" within enterprises and paving the path towards new R&D opportunities. In our vision, Identity Analytics is about explaining and predicting the impact of identity and identity management (along with other related aspects, such as users' behaviours) on key factors of relevance to decision makers (e.g. CIOs, CISOs), in complex enterprise scenarios - based on their initial assumptions and investment decisions.
Ultimately the goal is to provide rigorous techniques to help decision makers gain a better understanding of the investment trade-offs within the identity space (e.g. investing in technologies vs. changing processes vs. investing in users' education, etc.). This means providing "decision support" and "what-if analysis" capabilities to decision makers enabling them to explore these investment trade-offs, formulate new policies and/or justify existing ones. Our vision of "Identity Analytics" is introduced and discussed, along with the methodology that we intend to adopt.
There are many research opportunities and challenges in this space: we believe that a scientific approach is required, involving the usage of modelling and simulation techniques, coupled with the understanding of involved technologies and processes, human behaviours and economic aspects. To ground some of the concepts discussed in this paper, we provide an illustration of Identity Analytics focusing on emerging "web 2.0 enterprise collaborative data sharing", where unstructured information is created, stored and shared by people in collaborative contexts, within and across organisations. We demonstrate how trade-offs can be explored using the modelling approach hence allowing decision makers to explore the different impacts of policy choices."
Chip’s Blog - Buffer Overflow in SQL Server Convert Function
Gartner’s Report: Top Seven Cloud-computing Security Risks
I tend to agree with the outcomes of a recent Gartner report on the top seven cloud-computing security risks. A related article by Jon Brodkin provides a nice overview and summary of the key points of this report:
"Cloud computing is fraught with security risks, according to analyst firm Gartner. Smart customers will ask tough questions, and consider getting a security assessment from a neutral third party before committing to a cloud vendor, Gartner says in a June report titled "Assessing the Security Risks of Cloud Computing." Cloud computing has "unique attributes that require risk assessment in areas such as data integrity, recovery and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance and auditing," Gartner says."
In particular, I believe that the aspects related to "privileged user access", "regulatory compliance" and "data location/data segregation/privacy management" are potential key issues that, if not properly addressed, can expose organizations (and users) to high risks.
FTC Planning to Conduct a Wide-Range Study on Identity Theft Victims