Archive for the ‘Database Security’ Category
Illuminate Solutions is a young Spain-based analytic database vendor that offers a compelling new approach optimized for complex, dynamic, ad hoc queries. Illuminate's correlation database uses what it calls "value-based storage" to greatly reduce the size of the analytic database and the need for manual data modeling. The vendor's approach enables the analytic database — without manual redesign, tuning, or optimization — to continually deliver fast response to complex, dynamic, ad hoc queries. Expect illuminate, which recently established its North American headquarters, to gain significant adoption among data warehouse (DW) and business intelligence (BI) users and system integrators, and also to expand its partnerships with complementary software, hardware, and hosting providers.
A recent article by Laura Milligan, called "50 Firefox add-ons to achieve private and secure web surfing", provides a comprehensive list of add-ons for Firefox to achieve degrees of security and privacy whilst surfing the web:
"Firefox is generally considered a secure web browser, but if you're interested in keeping your activity on certain websites private or giving yourself extra protection against phishing, hackers and viruses, you may want to consider beefing up your Firefox's security in general. Thankfully, there are lots of options available that make achieving privacy and security online as easy as downloading a simple add-on or application that was designed just for Firefox users."
This article classifies these 50 add-ons (and provides links for each of them) in the following categories: secrecy and encryption; add-ons that beef up security; cookies; testing your system; passwords; protecting your privacy online.
Have you had any direct experience using these add-ons? Are they up to their promises?
--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Security directors have failed to adapt to the changing security threat landscape. While the prevalence of malicious code has declined, reports of data security breaches have significantly increased. Despite this shift, security directors continue to list viruses, worms, and spyware as their top IT threats in the coming year. Seeing that enterprises have already deployed antimalware, personal firewalls, and host intrusion prevention technologies to protect themselves against the risk of malicious code, security directors should turn their attention to protecting their data.
Information management solutions are moving to the center of IT strategies as a way of driving IT and business alignment and delivering real and visible value to the business. And wherever there is a hot growth market in IT, there are plenty of IT consultants, systems integrators, and managed services providers to help architect, plan, implement, and manage the solution. The global information services market will grow from $7.9 billion today to $10.9 billion in 2012, representing a compound annual growth rate (CAGR) of 8.2%. Business intelligence and business performance solutions will dominate this spend, although the information strategy segment will see the fastest growth throughout the forecast period.
Successful IT investments have a track record of delivering outsized returns. However, they are the minority. The majority of IT investments tend to produce returns that don't justify their high risks. Portfolio management should be used to ensure that risk-adjusted returns are in line with the firm's overall appetite for risk and will generate sufficient returns to compensate for that risk. The efficient frontier represents the optimal portfolio.
Enterprises must support hundreds or even thousands of applications to meet growing business demands, but this growth is dramatically driving up the cost of running and managing the databases under those applications. The stress this puts on the IT budget makes it harder to provide databases to support new requirements such as Web 2.0 applications or other emerging collaboration solutions, or even to support more mundane uses such as increased application testing. A new emerging option called database-as-a-service (DaaS) hosts databases in the cloud and is a good fit for some new apps. Amazon, Google, IBM, Microsoft, Oracle, and Salesforce.com, as well as small innovators such as EnterpriseDB, LongJump, and Elastra, are all targeting the DaaS market. Although most of today's DaaS solutions are very simple, in the next two to three years more sophisticated offerings will evolve to support larger and more complex apps. Therefore, application development professionals should consider DaaS for some applications today and plan to expand its scope of use as DaaS offerings' capabilities expand.
Intel actively participates in efforts to improve the sustainability of all aspects of the product life cycle and value chain, from the materials it sources to the end-of-life reuse and recycling efforts. To push these efforts forward, Intel uses the support of industry partners, community groups, employees, and government agencies. As a result, Intel creates a more sustainable product life cycle, while helping its end customers see the benefits of greater energy efficiency — positioning Intel in first place on the 2007 "100 Best Corporate Citizens" list published by CRO Magazine.
Herman Miller, designer and manufacturer of furnishings and other building interior systems and technologies for the office, healthcare, education and home, began to incorporate sustainability into its business practices in the early 1950s. Since then, Herman Miller has committed to audacious environmental goals and transformed its organization, design and manufacturing processes, marketing materials, and relationships with customers. As a result, Herman Miller has seen significant cost savings from energy reduction and more efficient manufacturing processes as well as progress toward its goal of zero emissions by 2020.
As a small credit union in the Vancouver area, Vancity was founded on principles of community and has won numerous awards for its work around sustainability and climate change. With a re-branding effort that included an opportunity to better highlight its sustainability efforts, Vancity actively engages members and prospective members through new social media channels, member forums, unique brand campaigns, educational activities, and numerous opportunities for stakeholder feedback. As a result, brand preference went up by 30% and Vancity announced that it became carbon-neutral at the end of 2007, two years ahead of plan.
Organizations are under pressure from consumers, shareholders, and government bodies to develop green strategies. However, many marketers are jumping on the green bandwagon and committing common green marketing mistakes. To avoid these mistakes and build effective green strategies, marketers should focus on seven key actions: 1) assessing current impact and attitudes toward green; 2) listening to consumers about their wants, needs, and ideas for better sustainability; 3) aligning the green strategy with the organization, brand, and consumer values; 4) committing to environmental goals and making significant changes; 5) partnering with outside organizations for credibility, expertise, and joint solutions; 6) educating stakeholders on the issues and benefits of green products; and 7) engaging stakeholders in open dialogue and activities to facilitate behavior change.
People increasingly expect firms to behave in a socially responsible manner, but many companies are only beginning to take action. Corporate social responsibility (CSR) is not simply a passing fad; it's a growing trend that CMOs need to acknowledge and that will affect every part of the organization. As their firms assess which CSR initiatives to take, marketing leaders should take the lead in understanding the customers' needs and voicing them inside the firm. With more consumers willing to pay more for environmentally friendly products and fair trade, CMOs will find that CSR can add to the profitability of the business.
Perhaps the biggest concern with securing x86-based virtual server environments is updating existing management and security processes to cope with relatively new technology. There are no known exploits that can critically compromise a virtual server based on Citrix/Xen, Microsoft, or VMware technologies — although the vendor community is in the process of improving control and visibility of the underlying virtualization layer. In the interim, Forrester believes that updated security practices will adequately protect most organizations' systems.
Online investment functionality like portfolio trackers, stock selection, and retirement planning tools equip investors with the support they need to make investment decisions themselves. To help eBusiness executives decide what investment tools to spend their money on, we surveyed European online investors to find out what tools and functionality they consider important and what they actually use. The results show that the demand for many online tools far exceeds current use. In particular, the number of online investors wanting online customer service functionality is 2.5 times more than the number of investors actually using it. If eBusiness executives want customers to use the Web, they need to improve the usability of existing online tools, build more extensive customer service functionality, and promote the benefits of their more advanced investment tools.
Oracle today released an urgent, out-of-cycle security patch for a critical flaw in the Apache Connector component (mod_weblogic) of the Oracle WebLogic Server (formerly BEA WebLogic Server). The CVE ID is CVE-2008-3257. The CVSS 2.0 base score for this vulnerability is 10 out of 10. To put this into perspective, no previous Oracle vulnerability since Oracle began using CVSS base scores in October 2006 has scored a 10, and only three previous vulnerabilities (all related to Oracle JInitiator) have scored 9 or higher.
The major risk associated with this vulnerability is that multiple exploits have already been published, which allow an attacker to compromise the integrity of the web server.
In previous posts of mine (here and here) I introduced our vision of Identity Analytics and the focus and purposes of our R&D activities.
I received a few emails and queries asking to clarify the link between Identity Analytics and Unstructured Data, considering that this was mentioned in the "On Identity Analytics: Setting the Context" HPL Technical Report.
We believe that "Unstructured Data" is a possible, fertile and rich "case study"/scenario in which to explore the concept of Identity Analytics, the applicability of our approach and its potential limitations.
The adoption of new "web 2.0" collaborative tools within organizations (TWiki, Sharepoint, IM, etc.) and social networks (Facebook, LinkedIn, del.icio.us, etc.) provides users with better ways to collaborate, create and share content. At the same time this poses new threats and security risks, due to the nature of unstructured data, the fact that confidentiality issues can emerge from aggregating simpler pieces of information, and the difficulty of retaining control over this data. This is where traditional Identity Management solutions can show their limitations and where decision makers need to better understand the implications of their choices and/or the impact of defining new policies.
Our R&D work in Identity Analytics really aims, in this context, to explore how modeling and simulation can help to explain and predict the impact of some of these decisions on the organizations (e.g. in terms of risks, reputation, costs, etc.) and explore options and "trade-offs" by providing "what-if" analysis.
Of course the "unstructured data" scenario is just one of the various scenarios we are exploring. I would be interested in hearing from you about other areas you think the "Identity Analytics" approach could provide help and/or address (decision support) issues you might have.
NIST has recently released Revision 1 of its "Special Publication 800-55", called "Performance Measurement Guide for Information Security", which focuses on security metrics.
This is of some relevance also for people working in the "Identity Management" space and related control points (despite primarily targeting US federal agencies):
"This document is a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs. Such measures are used to facilitate decision making, improve performance and increase accountability through the collection, analysis, and reporting of relevant performance-related data, providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to an agency's success in achieving its mission. The performance measures development process described in this guide will assist agency information security practitioners in establishing a relationship between information system and program security activities under their purview and the agency mission, helping to demonstrate the value of information security to their organization."
Forrester held its second Security Forum EMEA in Amsterdam on April 2 and 3, 2008, with 125 security and risk management (SRM) professionals in attendance discussing how to tackle transformation and achieve excellence in SRM. We asked many of these delegates about the issues that matter the most to them in performing their jobs — the challenges and worries that they face every day. The SRM professionals we spoke with are focusing their attention more on the internal threats to their information security rather than on those coming from beyond the extended enterprise.
As businesses embrace mobility, IT operations professionals are facing new challenges. But gone are the days when stodgy IT departments fight this business imperative. Most organizations today are simply trying to get smarter about how to manage and secure their increasingly mobile population and distributed assets. Through the first half of 2008, Forrester has assisted 89 organizations with refining or defining their mobile strategy. We've learned that IT operations professionals face challenges like steadily increasing mobile operations expenses, too much device diversity, and a total lack of insight while assessing, planning and purchasing, building, and managing their mobile infrastructure and operations. What can you do? The key is to make mobile device management and security the foundation of your business's mobile strategy. By doing this, your business will be well-positioned for the next phase of mobility, which will be driven by line-of-business applications, mobility shifting down the corporate pyramid, and a phenomenon we call Tech Populism.
Good news. The W3C Policy Languages Interest Group (PLING - co-chairs: Renato Iannella, Marco Casassa Mont) charter has been extended until June 2009.
Please have a look at the PLING Twiki site for current outcomes of phone meetings, discussions and collection of material, about the following policy-related topics: use cases, policy languages review, related initiatives, interesting cases, open issues and scientific resources. Feel free to contribute and ensure that your positions and views are covered.
The PLING Twiki site also provides up-to-date information about coming PLING phone meetings. These meetings are open to anybody interested in the policy topic.
We are looking for speakers that are willing to provide a short presentation (30 min), during our phone conferences, illustrating their work in the space of policy/policy management, open/new issues, interesting use cases and their vision in this space.
While US banks have successfully leveraged technology to simplify the account opening process, little progress has been made in using technology to help new customers easily move their online bill payment info over from their existing bank. The technology solutions that exist today merely substitute one online process for another. When switching banks, bill pay users will benefit more from hand-holding during and after account opening than they would from these automated online switching tools. eBusiness executives will see better bill pay activation results from new checking account customers by focusing on in-branch efforts and employee incentives.
Forrester surveyed 15 vendors of globally deployed banking platforms on their 2007 deals. What is the outcome of the regional and functional analysis? Asia Pacific has overtaken Europe in the global banking platform race, with the Middle East, North America, and South America seeing a better-than-average increase in new named deals. Customer data management/party centricity has pushed core banking from the functional throne — albeit only with a very minor gap between the two. Risk management follows as number three, with a somewhat larger gap separating it from the leading pair. Overall, the functional footprint broadened globally, and enterprise architects will identify suitable combinations of regional functional requirements and vendor solutions more easily now than in the past. However, the different regional focus areas of the functionality sold globally in 2007 indicates that close scrutiny of banking platform functionality will remain mandatory for some time.
Open source databases continue to grow in adoption, offering enterprises a reliable and low-cost alternative for supporting small to moderately sized applications. Although the rip-and-replace method of trading a commercial database management system (DBMS) for an open source database is still slow, enterprises are mainly looking to open source databases to support new applications such as Web 2.0, Web-based applications, small portal applications, radio frequency identification (RFID), and other new workloads. More enterprises are deploying open source databases than ever before, with many planning mission-critical deployments in the coming years. Sun Microsystems' acquisition of MySQL further validated the open source database market's worthiness, and enterprises can now expect even more reliability and improved support in the coming years. The future of open source databases remains bright, with more innovations on project road maps in the areas of high-performance real-time data warehousing, XML, database-as-a-service, Web services, and content management. Every enterprise should now consider open source databases as part of its overall DBMS strategy, as doing this will deliver cost savings, especially when supporting small to midsized applications.
This is the outcome of a recent survey by The Strategic Counsel, at least based on the overview provided by this article (called "Only Eight Percent of Americans are 'Very Confident' Their Personal Data is Safe With Retailers, Banks and Governments"):
"Only an average of eight percent of Americans say they are very confident in the ability of U.S. retailers, government and banks to protect their personal information, according to a national survey commissioned by CA, Inc., and conducted by The Strategic Counsel. The CA 2008 Security and Privacy Survey was done as a follow-up to the 2006 survey. Additionally, the consumer survey indicated that an average of 79 percent of American consumers cite loss of trust and confidence, damage to reputation, and reduced customer satisfaction as consequences of major security and privacy breaches suffered by the business or government organizations that they deal with."
Even more interesting is this statement, mentioned by the above article:
"Businesses used to worry about the hackers and thieves launching denial of service attacks from outside the firewall, now they recognize that their greatest danger lurks within the organization. The good news is that increasingly businesses are turning to identity and access management solutions to ensure that confidential data is safeguarded and available only to the people within the organization who genuinely need to have it."
Well, I just partially agree with the final part of this statement. Turning to identity and access management solutions is indeed important, but this is just one step towards really ensuring that personal and confidential data is managed according to legislation and users' preferences.
First of all, most current IdM solutions are not really privacy-aware and do not provide privacy-enhancing capabilities (e.g. privacy-aware access control), which are the basis for preventing PII from being accessed and used beyond the agreed purposes or for the wrong intents. Secondly, IdM solutions can only address the problem up to a point, since accidents, social engineering, actions by traitors/insiders, and the effects of bad processes and practices can still happen.
So, the other part of the story, for the enterprise, is putting in place proper "data governance processes" and dealing (upfront and periodically) with the necessary risk assessment and management steps. These steps (which should be carried out before deploying any "control point" in the IT infrastructure) are much, much harder to achieve and maintain than simply deploying IdM solutions.
In a major change to the Oracle security advisory process and Critical Patch Update documentation, CVE identifiers are now used in place of the Oracle proprietary numbering scheme (i.e., DB01, AS01, APP01, etc.).
Common Vulnerabilities and Exposures (CVE) is a standardized dictionary of identifiers for publicly known security vulnerabilities. The purpose of CVE is to provide a single identifier for each vulnerability so that vendors, tools, and organizations can all refer to the same vulnerability by the same name. The format of a CVE identifier is (1) the fixed prefix "CVE", (2) the year in which the identifier was reserved (e.g., 2008), which is not necessarily the year the flaw was found, and (3) a sequence number within that year (e.g., 2607). As an example, the first database vulnerability in this CPU is CVE-2008-2607.
The previous Oracle proprietary numbering scheme had several issues in relation to CVE numbering:
- Oracle provided a mapping to previously released vulnerabilities only for those vulnerabilities in core components like Apache and OpenSSL. No mapping was provided for other previously publicly disclosed vulnerabilities, so there are cases where the same vulnerability has two CVE identifiers.
- A single CVE identifier was usually assigned to multiple vulnerabilities in an almost arbitrary fashion. This meant that a CVE identifier might include vulnerabilities from multiple components and in the case of the Oracle E-Business Suite across multiple patches. For Integrigy, this caused problems with our vulnerability scanning tool, AppSentry, since our reports have to handle many-to-many mappings when dealing with CVEs, patches, and vulnerabilities.
- The CVE numbers were usually assigned 1-2 days after the Oracle release.
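The identifier format and the two mapping problems listed above, as an added example (code written for this page, not Integrigy's AppSentry or any Oracle tooling): a CVE ID parser, and a check over a small advisory table that flags one CVE spread across several components or patches, and a previously disclosed flaw reissued under a new CVE. The parser also accepts the longer sequence numbers that the CVE syntax has allowed since 2014, because a pattern hard-coded to four digits silently rejects newer identifiers. The advisory rows are constructed: the two real IDs are the ones this post cites, CVE-2008-99901 and CVE-2008-99902 are placeholders, and the component and patch names are made up.

```python
"""CVE ID parsing and advisory mapping audit (added example; not vendor code).

Sample rows at the bottom are constructed for illustration.
"""
import re
from collections import defaultdict

# CVE-<year>-<sequence>.  Year is four digits; the sequence is at least four
# digits.  Before 2014 it was always exactly four; it may now be longer, and a
# sequence longer than four digits must not start with a zero.
CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$", re.IGNORECASE)


def parse_cve(cve_id):
    """Return (year, sequence) for a syntactically valid CVE ID, else raise ValueError."""
    m = CVE_RE.match(cve_id.strip())
    if m is None:
        raise ValueError("not a CVE identifier: %r" % (cve_id,))
    seq = m.group("seq")
    if len(seq) > 4 and seq[0] == "0":
        raise ValueError("leading zero in a sequence longer than four digits: %r" % (cve_id,))
    return int(m.group("year")), int(seq)


def normalize_cve(cve_id):
    """Canonical upper-case form so 'cve-2008-2607' and 'CVE-2008-2607' compare equal."""
    year, seq = parse_cve(cve_id)
    return "CVE-%04d-%04d" % (year, seq)


def audit_mapping(rows, previously_disclosed):
    """Check an advisory's CVE-to-vulnerability mapping.

    rows: (cve_id, component, patch_id, description), one per fixed flaw.
    previously_disclosed: {description: cve_id} for flaws already public
        under an earlier identifier.
    Returns the problems a one-CVE-per-flaw policy is meant to avoid:
      multi_component: CVEs covering flaws in more than one component
      multi_patch:     CVEs whose flaws ship in more than one patch
      duplicates:      (new_cve, original_cve, description) for a flaw that
                       already had a CVE but was reissued under a new one
    """
    components = defaultdict(set)
    patches = defaultdict(set)
    duplicates = []
    for cve, component, patch, description in rows:
        cve = normalize_cve(cve)
        components[cve].add(component)
        patches[cve].add(patch)
        original = previously_disclosed.get(description)
        if original is not None and normalize_cve(original) != cve:
            duplicates.append((cve, normalize_cve(original), description))
    return {
        "multi_component": sorted(c for c, s in components.items() if len(s) > 1),
        "multi_patch": sorted(c for c, s in patches.items() if len(s) > 1),
        "duplicates": duplicates,
    }


# Constructed sample advisory.  CVE-2008-2607 and CVE-2007-1359 are the IDs the
# post cites; CVE-2008-99901/99902 are placeholders; component and patch names
# are invented.
MODSEC_DESC = "ModSecurity vulnerability fixed in ModSecurity 2.1.1"
SAMPLE_ROWS = [
    ("CVE-2008-2607", "Oracle Database / Advanced Queuing", "DB-PATCH-A", "buffer overflow in SYS.DBMS_AQELM"),
    ("CVE-2007-1359", "Application Server / mod_security", "AS-PATCH-B", MODSEC_DESC),
    # old-style: one ID spanning two components and two patches
    ("CVE-2008-99901", "E-Business Suite / Module X", "EBS-PATCH-C", "constructed flaw 1"),
    ("cve-2008-99901", "E-Business Suite / Module Y", "EBS-PATCH-D", "constructed flaw 2"),
    # old-style: an already-public flaw reissued under a fresh ID
    ("CVE-2008-99902", "Application Server / mod_security", "AS-PATCH-B", MODSEC_DESC),
]
PREVIOUSLY_DISCLOSED = {MODSEC_DESC: "CVE-2007-1359"}

if __name__ == "__main__":
    print(audit_mapping(SAMPLE_ROWS, PREVIOUSLY_DISCLOSED))
```

Matching on a free-text description is the weak point of any such check; in practice the join key is whatever the vendor gives you (a component plus a bug reference), and the point of the advisory change above is that the CVE itself can finally serve as that key.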
The CVE identifiers in the Oracle advisory now use a single CVE identifier per vulnerability and map directly to previously disclosed vulnerabilities (see CVE-2007-1359), although it would have been nice if Oracle had included hyperlinks in the advisory to either CVE or NVD for easier access. It will be interesting to see whether CVE-2007-1359 is also fixed in this CPU as CVE-2008-2589, CVE-2008-2594, or CVE-2008-2609, which would reduce the effectiveness of using CVE identifiers and again result in duplicate entries in CVE whenever identifiers for previously disclosed vulnerabilities are not reused.
Using the CVE Identifiers
Additional information on vulnerabilities can be found either in CVE or in the National Vulnerability Database (NVD) sponsored by the Department of Homeland Security. NVD contains the most detailed information, including a breakdown of the CVSS v2 score and links to external references that may have more information on the vulnerability. The typical process is that a generic NVD entry is created with only a reference to the original Oracle advisory. When there is a public disclosure with additional details on the vulnerability, the NVD entry is updated with links to those disclosures. This process should now be much more timely and accurate, as most public disclosures will include the CVE identifier. Usually, about 30% of the vulnerabilities per quarter will have additional information, and the database vulnerabilities typically have more information than the other products.
An example of a fully populated entry is the ModSecurity vulnerability that was previously fixed in ModSecurity 2.1.1:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1359
An example of an entry with additional details is the buffer overflow in the Oracle AQ package SYS.DBMS_AQELM:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2607
Most enterprises face a growing tax burden and audit risk, yet many are not stepping up efforts to automate tax processes and reduce tax risk factors. Finance and risk professionals must pursue risk management and enterprise tax automation concurrently to avoid inefficiency or financial fallout. How? First, consider implementing a tax management software application to automate tax process best practices. Next, identify the key tax risk elements, including reputation, regulatory, operational, economic, and corporate risks, that could affect your organization, and create ongoing monitoring and mitigation plans.