Archive for the ‘General’ Category

Understand, Review and Manage Your Software Assets

December 1st, 2008

New compliance and accounting regulations are forcing organizations to rethink how they view software. The emphasis on governance is changing the way companies think about software as an asset and how they account for it with their auditors. Unlicensed or mis-licensed software is a liability. There are 6 simple, basic steps for understanding and managing your software assets:

1. Create a repository. But, remember that electronic key codes are not enough “proof” for most software vendors. You need to keep the proof of purchase, receipt or invoice and the Terms & Conditions during the initial purchase. In addition, if you have Oracle apps, you’ll need the following information in case of an audit: application name, version, executable file date, department unit and users, and whether it was an individual or suite installation.

2. Project employee numbers and IT requirements to plan for the short-term future.

3. Review your annual support spend at least twice a year to determine changes in usage that can possibly result in changes within support options.

4. Understand your organization's vulnerabilities - in the case of licensing, it’s really about liability.

5. Implement a discovery tool.

6. Execute a thorough analysis to validate whether buying more than you need will lead to additional discounts and result in a long-term, positive return on investment.

It’s ironic that so many resources - financial and human - go into IT organizations, yet many (I would say the majority) have trouble tracking assets, anywhere from hardware to software. I can think of one instance when the FBI could not account for all their laptops. You know. The ones with all the super-duper top secret information. They went “missing.” And software asset management is a struggle for any organization.

Database Support, General

Call For IIA Award Nominations Open

December 1st, 2008
The Institute of Internal Auditors is now seeking nominations of qualified candidates to be considered for the highest awards given by The Institute: The Bradford Cadmus Memorial Award; The Victor Z. Brink Award for Distinguished Service; and The Lifetime Achievement Award. Recipients of these awards will receive complimentary registration and travel arrangements for the International Conference in Johannesburg, South Africa in May 2009 as well as special recognition at the conference. The deadline for nominations is January 31, 2009. The Call for Nominations can be downloaded at http://www.theiia.org/theiia/about-the-institute/awards/individual-awards. If you would prefer to receive the Call for Nominations as an attachment, please request a copy from Kristen DellaVolpe Facella at kristen.facella@theiia.org.

Database Audit, General

Brief: Apple “encourages” antivirus defense for Macs

December 1st, 2008
Apple "encourages" antivirus defense for Macs

General

Brief: MySpace bullying trial ends in misdemeanors

November 28th, 2008
MySpace bullying trial ends in misdemeanors

General

SQL DML Ebook Available, Free Online

November 26th, 2008
LewisC's An Expert's Guide to Oracle Technology Ok, I figured out how I am going to do this. I am making my book available three ways: print, ebook and html. For print, you can get it on amazon or through my e-store. It's $14.95 For ebook, you can g...

Database Support, General, Oracle

Compliance: The Foundation for Working with Oracle

November 26th, 2008

Companies tend to forget that compliance is the foundation for working with Oracle, and it is also the base for creating cost efficiencies. It’s understandable, as IT folks are more focused on how Oracle’s app will solve a problem for them. If nothing else, keep in mind the following:

1. Never assume a license usage right. In fact, assume that you don’t have the right to use the license and verify.

2. Confirm any and all assumptions with examples. Then reinforce the conversation in writing to avoid misunderstandings and faulty memories.

3. Make absolutely sure that you and your Oracle reseller are both looking at the same Terms & Conditions during the procurement and renewal process. If you’re not, the likelihood is that you’re already out of compliance even as the ink dries on the contract.

Whether you’re using an automated SAM tool or an Oracle compliance package - such as ManageSoft’s Enterprise Compliance Manager - the ultimate goal should be compliance. It can’t be stressed enough: if you aren’t in compliance with Oracle’s licensing rules, then all else is faulty. Compliance inoculates an organization against unnecessary and unwanted fines during a vendor audit.

Database Support, General

PeteFinnigan.com Limited advisory for the October 2008 CPU released

November 26th, 2008

I have finally had time to post up an advisory for the fix I was credited for in the recent Oracle Critical Patch Update advisory released on October 14th by Oracle. My advisory is related to excessive privileges assigned to....[Read More]

Posted by Pete On 22/10/08 At 02:06 PM

General

New CIS Oracle database benchmark

November 26th, 2008

A new Oracle CIS benchmark has been released recently for Oracle 11g. The Oracle benchmark for 11g is an update of the previous 8i (version 1) and the subsequent 9i/10g (version 2) Oracle benchmarks. There is still only an 8i....[Read More]

Posted by Pete On 24/10/08 At 08:07 PM

General

Teleconference: Cleaning Out Your Data Closet . . . Or How To Get Your Own DLP House In Order

November 26th, 2008

Brief: Microsoft warns of attacks on recent flaw

November 26th, 2008
Microsoft warns of attacks on recent flaw

General

Oracle takes aim at other third party support shops

November 26th, 2008

Oracle customers haven’t seemed too fazed by the $1 billion lawsuit filed by Oracle against SAP’s now defunct third-party support subsidiary TomorrowNow.

Last year, analysts predicted that the attention from the lawsuit could actually be a boon to the third-party support market. And just a few months ago, even after SAP closed down TomorrowNow in the midst of “corporate theft” accusations by Oracle, third-party support remained in demand.

So while Oracle customers may not be suspicious of third-party vendors, is a different story emerging for the software giants themselves?

It seems that way. Oracle has now taken legal action against another company — this time it’s the Denver-based Spinnaker Management Group, a company that recently hired dozens of former TomorrowNow employees to form its software services business.

According to this MarketWatch article about Oracle’s court order, court filings show Oracle “demanding a look at [Spinnaker’s] customer contracts, business plans, internal assessments of the ’legality’ of TomorrowNow’s business model, and documents showing any ‘planned support by you of any Oracle customer.’” Spinnaker has contested the request as overly broad.

Oracle has also issued a subpoena on the software services firm CedarCrestone Inc. and demanded to see documentation of the PeopleSoft service provider’s business model.

Has Oracle gone too far?

Other software companies probably won’t think so, according to analyst Jim Shepherd of AMR Research. Third-party support has long been a “gray area” in the industry, Shepherd said in the MarketWatch story, and “all the software vendors are uncomfortable with this.”

The economy may also be making Oracle and other software giants uneasy. As the MarketWatch article points out, support services can be a significant source of revenue in a down economy, when new software sales tend to be down.

Nevertheless, this is one of the “stalls in the market while the dust [around the TomorrowNow] lawsuit settles,” that consultant Josh Greenbaum predicted last year. And, while not all third-party support customers are wary, it’s important to take precautions. For example, customers should make sure that “any contract they sign states that they are not responsible for misuse of intellectual property by the third-party vendor,” according to a research note from Stamford, Conn.-based Gartner Inc.

How (if at all) has the TomorrowNow lawsuit changed your views of the third-party support market?

Database Support, General

GreenSQL-FW: 0.9.6 released

November 25th, 2008

GreenSQL is a database firewall used to protect databases from SQL injection attacks. The new release fixes a number of critical bugs. We recommend that all users upgrade.

This release includes a number of pre-built packages for popular operating systems. We supply packages for: CentOS, openSUSE, Fedora, Ubuntu, Debian.

List of changes:
1. Code optimization.
2. Minor management bugs were fixed.
3. New MySQL patterns and commands added.
4. A number of risk matrix calculation bugs were fixed.
5. Debian package was enhanced. A lot of bugs were fixed.

In addition to the greensql-fw application, we released a new version of the greensql-console management tool. The new version contains a number of bug fixes.

You can get the latest application version using the following url:
http://www.greensql.net/download

Application installation howto is available at:
http://www.greensql.net/howto

For any questions, ideas, and feedback please join our support forum:
http://www.greensql.net/forum/1

Thanks,

Yuli Stremovsky
GreenSQL Project Admin

General

IFRS and XBRL Conversion Opens Door for Internal Auditors

November 25th, 2008
Deloitte Selected By IIA To "Bridge The GAAP" By Offering IFRS And XBRL Training

ALTAMONTE SPRINGS, Fla. - As capital markets globalize and shift toward unified financial reporting standards, organizations will face increased challenges and opportunities posed by changes associated with International Financial Reporting Standards (IFRS) and eXtensible Business Reporting Language (XBRL). To respond, The Institute of Internal Auditors (IIA) and Deloitte are collaborating on an educational alliance to train internal audit professionals on IFRS and XBRL, enabling them to address the myriad of risks associated with the conversion to these standards in their organizations. More >>

Database Audit, General

Training development staff in secure coding practices pays huge dividends

November 25th, 2008

Foreign Keys in a Data Mart

November 25th, 2008
LewisC's An Expert's Guide to Oracle Technology I am soliciting opinions here. First, though, some back story. Way back when, when I was first moving on the track to data modeler and architect, I was responsible for designing schemas and application...

Database Support, General, Oracle

Brief: BotHunter aims to find bots for free

November 25th, 2008
BotHunter aims to find bots for free

General

More rss feeds from SecurityFocus

November 25th, 2008
News, Infocus, Columns, Vulnerabilities, Bugtraq ...

General

Mark Rasch: The Vice of Vice Presidential E-Mail

November 25th, 2008
The Vice of Vice Presidential E-Mail

General

Infocus: Integrating More Intelligence into Your IDS, Part 2

November 25th, 2008
Integrating More Intelligence into Your IDS, Part 2

General

Infocus: Blocking Traffic by Country on Production Networks

November 25th, 2008
Blocking Traffic by Country on Production Networks


General

Infocus: WiMax: Just Another Security Challenge?

November 25th, 2008
WiMax: Just Another Security Challenge?

General

Infocus: Data Recovery on Linux and ext3

November 25th, 2008
Data Recovery on Linux and ext3

General

Chris Wysopal: Clicking to the Past

November 25th, 2008
Clicking to the Past

General

Oliver Day: Microsoft’s Stance on Piracy Affects Us All

November 25th, 2008
Microsoft's Stance on Piracy Affects Us All


General

Mark Rasch: Just EnCase It’s Not a Search

November 25th, 2008
Just EnCase It's Not a Search

General

Data in the Clouds with Casdex

November 24th, 2008

From a legal point of view, if you work for a publicly traded company, you must meet certain terms of compliance. However, even if your organization is compliant while using a cloud service provider, the big question remains: who is liable for the data? There is always a risk when using a provider, but David Barley, Chief Technology Officer for Casdex (a digital archiving firm that also ensures full compliance and security), said, “At the end of the day, if your organization does experience a data loss, you want to be able to prove what happened. Whether it’s an act of God or an error, things happen.”

For instance, when you use Google e-mail, you’re using a free service. If there’s downtime, Google doesn’t have to communicate with its users. Barley stresses the importance of trust while performing business operations in the cloud: “If you have the information you need and you have a trusted relationship [with your provider], it makes it easier. When you join with a provider, you’re joining a business relationship. It’s your company, but the service providers need to be able to help,” said Barley.

Before committing to any data storage provider, there are a few questions you should ask of the service before becoming a customer. Barley said you should be clear on exactly what the service provider is offering: data storage, e-mail, transactional data for the database, archiving and long-term protection of data? Even though you may choose to go with a service provider brand name you trust, Barley stresses learning more about the people running it: “Have they run IT shops in the past? Managing storage at the enterprise level is a different skill set.” Most importantly, what are the rules in place to get access to your data? “Information is your most critical asset. Even if you operate a dry cleaners, your contact list, your list of customers; that’s your gold,” said Barley. You want to be sure you would be able to retrieve your data in the event the provider is no longer in business. “Are they using fly by night facilities?” These are some things to watch out for, as you want your provider to be readily available to you when you need to access your data. Barley said, “What types of guarantees do they offer? Things happen; companies go out of business. How do you get your data back?”

The Linkup, formerly known as MediaMax, allowed users to back up and share files online, but then lost 45 percent of their customers’ data. They had about 20,000 paid, disgruntled subscribers. Much of the error was a result of all of the data being on a few computers instead of a system where the data is spread out and stored at several locations. “Casdex’s data is in more than one place because it has to be.” As an archive data company, most of their customers’ data does not need to be pulled for everyday business use, but more for auditors. That’s why the data is stored in different locations, so if access to Los Angeles is busy, you can be redirected to Las Vegas.

Casdex has set up an escrow account, a fund that is set aside for your organization, in the worst-case scenario that they would go out of business. The funds are set aside as Casdex’s guarantee to continue to run your services for a period of six months. Within those six months, you would be able to go into the service to download your data back out to retrieve it.

In the past, companies backed up their data in filing cabinets, offsite paper file storage facilities and onsite with CDs or thumb drives. Now, with an increased risk of data theft, new government regulations and natural disasters, an increasing number of businesses need digital archiving. Casdex offers an Internet storage solution to provide proof of authenticity in court and guarantees that the data has been accurately reproduced. Casdex’s digital archiving solution allows businesses to maintain full compliance with federal regulatory retention policies outlined by the SEC, HIPAA and SOX. When archiving a document, the owner may program the retention time, at the end of which the document is both destroyed and deleted from the server.

There are several different regulations that most companies need to comply with, covering retention policies, access grants and so on. “But when you turn on compliance, retention policies tend to change,” said Barley. Casdex can prove with hashes that your data is the same file that it was three years ago, whether to prove compliance or for court cases. With data archiving, it’s important to be able to verify that the data you stored ten years ago is the same data today. HIPAA states that the stored files can’t be read by third parties and that the data must be deleted after ten years, so there are mechanisms in place to enforce these regulations. Barley said, “Everything is logged, and you can’t tamper with them. If you want to meet these regulations, you need these mechanisms in place. You need these log reports to prove compliance, which is as simple as logging into the portal and pulling the report yourself.”
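The three properties the article attributes to the archive - a content hash that later proves a stored document is unchanged, an owner-set retention period after which the document is deleted, and logging that cannot be tampered with unnoticed - can be modelled in a few dozen lines. The following is an added illustration written for this post, not Casdex's code or API; the documents, dates and retention periods are constructed, and the hash-chained log is one common way to make a log tamper-evident, not a claim about how Casdex implements it.

```python
"""Hash-based archive manifest with retention expiry and a tamper-evident log."""
import hashlib
import json
from datetime import date, timedelta

GENESIS = "0" * 64  # chain anchor for the first log entry


def content_hash(data: bytes) -> str:
    """SHA-256 of the document bytes, recorded at archive time and re-checked later."""
    return hashlib.sha256(data).hexdigest()


def entry_hash(body: dict) -> str:
    """Hash of one log entry; canonical JSON so the value is reproducible."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Archive:
    def __init__(self, today: date):
        self.today = today
        self.docs = {}   # doc_id -> {"data", "sha256", "expires"}
        self.log = []    # append-only; each entry commits to the previous one

    def _append_log(self, event: str, doc_id: str) -> None:
        prev = self.log[-1]["entry_hash"] if self.log else GENESIS
        body = {"event": event, "doc_id": doc_id,
                "date": self.today.isoformat(), "prev": prev}
        self.log.append({**body, "entry_hash": entry_hash(body)})

    def store(self, doc_id: str, data: bytes, retention_days: int) -> str:
        """Archive a document with an owner-set retention period; returns its hash."""
        digest = content_hash(data)
        self.docs[doc_id] = {"data": data, "sha256": digest,
                             "expires": self.today + timedelta(days=retention_days)}
        self._append_log("store", doc_id)
        return digest

    def verify(self, doc_id: str, expected_sha256: str) -> bool:
        """True only if the stored bytes still hash to the value recorded at archive time."""
        doc = self.docs.get(doc_id)
        return doc is not None and content_hash(doc["data"]) == expected_sha256

    def advance(self, new_today: date) -> list:
        """Move the clock forward; delete (and log) every document past its retention date."""
        self.today = new_today
        expired = sorted(d for d, rec in self.docs.items() if rec["expires"] <= new_today)
        for doc_id in expired:
            del self.docs[doc_id]
            self._append_log("delete", doc_id)
        return expired

    def log_intact(self) -> bool:
        """Recompute the chain; an edited, inserted or removed entry breaks a link."""
        prev = GENESIS
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev"] != prev or entry_hash(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Walk through the article's scenario with constructed documents (hypothetical data)."""
    archive = Archive(date(2008, 11, 24))
    invoice = archive.store("invoice-2008-11", b"constructed invoice bytes", 3650)  # ~10 years
    archive.store("memo-2008-11", b"constructed memo bytes", 30)
    out = {"verified_at_store": archive.verify("invoice-2008-11", invoice)}
    out["expired_after_three_years"] = archive.advance(date(2011, 11, 24))
    out["verified_after_three_years"] = archive.verify("invoice-2008-11", invoice)
    out["log_intact"] = archive.log_intact()
    archive.log[0]["event"] = "delete"          # simulate tampering with an old entry
    out["log_intact_after_tamper"] = archive.log_intact()
    return out
```

Calling `demo()` shows the invoice still verifying against its original hash three years later, the short-retention memo purged and logged, and the log check failing as soon as an old entry is edited.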

General

A new paper on PL/SQL Injection

November 24th, 2008

Paul Wright pointed out a new paper to me today about PL/SQL injection. The paper is called " Assault on Oracle PL/SQL - Injection ". Beware of the profanity in the paper if you read it at work and because....[Read More]

Posted by Pete On 21/10/08 At 07:08 PM

General

IFRS and XBRL Conversion Opens Door for Internal Auditors

November 24th, 2008
Deloitte Selected By IIA To "Bridge The GAAP" By Offering IFRS And XBRL Training

ALTAMONTE SPRINGS, Fla. - As capital markets globalize and shift toward unified financial reporting standards, organizations will face increased challenges and opportunities posed by changes associated with International Financial Reporting Standards (IFRS) and eXtensible Business Reporting Language (XBRL). To respond, The Institute of Internal Auditors (IIA) and Deloitte are collaborating on an educational alliance to train internal audit professionals on IFRS and XBRL, enabling them to address the myriad of risks associated with the conversion to these standards in their organizations.

"We are witnessing an evolution in the financial reporting environment - a paradigm shift. These changes are creating increased expectations for internal audit. The IIA and Deloitte are addressing - head on - a very real need in the marketplace for this type of knowledge," said Eric Hespenheide, global internal audit leader, Deloitte & Touche LLP. "We are pleased to have been selected by the IIA to develop and teach IFRS and XBRL, as these conversions will have a far-reaching impact on organizations and their internal auditors."

The first training format - slated for early December 2008 - will be live, two-hour Internet Webinars featuring professionals from Deloitte providing high-level overviews of IFRS and XBRL. The second format will be traditional live, one- to two-day sessions - slated to be offered the first quarter of 2009. The IIA and Deloitte will also consider providing both curricula in a "virtual seminar" environment, allowing for participation over multiple days in two and three-hour segments.

"Deloitte has knowledgeable professionals with deep experience in both IFRS and XBRL, and they understand how these topics impact the organization and its internal auditors. Their experience in IFRS conversions on a global scale was also a key factor in this partnership as well as their recognition for excellence in education and training (by The American Society for Training and Development and Training magazine)," said IIA President David Richards, CIA. "By partnering with a global industry leader such as Deloitte, the IIA continues its commitment to elevating the professionalism of all internal auditors."

Results from two recent surveys confirm that training on IFRS and XBRL is needed. In a 2008 Deloitte survey on IFRS issues, 64 percent of companies believe their personnel currently lack sufficient knowledge about IFRS to make the conversion and to maintain IFRS financial statements. And in a 2008 IIA survey, more than half of chief audit executives said that they didn't have any XBRL knowledge at all. As the SEC continues to move toward the convergence and globalization of reporting standards and regulation over the next few years, internal auditors can take immediate action to gain a better understanding of IFRS and XBRL to position themselves on the forefront of this financial reporting evolution, which has far-reaching impact throughout the organization.

To learn more about the IFRS and XBRL training offered by the IIA and Deloitte, visit www.theiia.org/training, http://www.deloitte.com/us/ifrs or http://www.deloitte.com/us/xbrl.

As used in this document, "Deloitte" means Deloitte & Touche LLP and Deloitte Services LP, subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Contact: Scott McCallum, IIA Media Relations, +1-407-937-1247, scott.mccallum@theiia.org; Daniel Mucisko, Deloitte Public Relations, +1-212-492-2870, dmucisko@deloitte.com

Database Audit, General

Microsoft Volume Licensing: Size Does Matter

November 24th, 2008

Microsoft Volume Licensing models address organizations in two main categories based on size: organizations with more than 5 but fewer than 250 computers, and organizations with more than 250 computers.

If your company is part of the SMB (small to mid-size business) segment, defined as having fewer than 250 computers, the Microsoft Open programs offer volume discounts with little upfront cost. There are two options for Open programs: Open Value and Open License.

  • Open Value offers Software Assurance, simplified license management and an annual payment structure best suited for the smallest organizations. This program comes in three options: company-wide, subscription-based and non-company-wide.
  • Open Value Subscription is for organizations that prefer a subscription model for licensing. This program offers the lowest upfront costs of the Open programs because of the option to make annual payments on your agreement. This program also offers the most flexibility to decrease or increase your licensing costs as business needs change. Annual payments are based on the PC count you have at the end of the year, with the ability to add licensing throughout the year at no additional cost.
  • Open License is a “pay as you go” license model with a minimum initial purchase of just five software licenses.

If you’re a large enterprise with more than 250 computers, there are four licensing models that will apply to you: Enterprise Agreement, Enterprise Subscription Agreement, Select Plus and Select License.

  • Enterprise Agreement is for organizations that are looking to standardize IT across the enterprise and is based on a 3-year enrollment term. Enterprise Agreement provides the deepest discounts and Software Assurance.
  • Enterprise Subscription Agreement is similar to the Open Value license model, but targeted at companies on a larger scale. It allows an enterprise to subscribe on an annual basis, rather than acquire software licensing under a longer-term agreement.
  • Select Plus is best suited for larger organizations with multiple affiliates that wish to be viewed as a single organization - and benefit from volume licensing - but need to purchase various licenses and services at different levels. This program has lower annual payments than the Enterprise programs, but the usage right is limited to only 3 years.
  • Select License is based on forecast licensing models and offers a flexible method to purchase software licensing on a “pay as you go” basis. This program also has lower annual payments than the Enterprise programs, but the usage right is limited to only 3 years, similar to Select Plus.

If you need help sorting through how Microsoft defines certain technical terms within the legal mumbo jumbo, Microsoft’s technical jargon by Straightline Technology Group is a great place to start.

Database Support, General

Brief: Pop-up porn case closes with plea deal

November 24th, 2008
Pop-up porn case closes with plea deal

General