10. October 2010 · Comments Off on Oracle fixes add to massive patch load expected Tuesday – SC Magazine US · Categories: Data Loss Prevention · Tags: , , ,

Oracle fixes add to massive patch load expected Tuesday – SC Magazine US.

Of the 81 fixes in Oracle’s quarterly patch release, seven of them are for databases.

The question is how long will it take to test and install these patches? Experience says months. That means your systems will be exposed to these vulnerabilities for months.

I am by no means suggesting you should rush the deployment of these patches. Thorough testing is a must.

The answer is the virtual patching capability of Sentrigo, a database protection solution. In a matter of days, if not sooner, Sentrigo updates their agents protecting your databases with new “vulnerability signatures” that protect against threats looking to exploit the well documented vulnerabilities for which Oracle is providing patches.

In many cases, Sentrigo ships the “vPatches” before Oracle ships their patches.

We recommend Sentrigo as a core component of our next-generation defense-in-depth architecture.

28. August 2010 · Comments Off on MPLS WAN Encryption – It’s time · Categories: Data Loss Prevention · Tags: , , , ,

Is MPLS secure? All the MPLS vendors use the term VPN (Virtual Private Network), implying some level of security. But in reality, MPLS is not encrypted and therefore subject to snooping. But of course, you have no way of knowing one way or the other.

Mike Fratto at Network Computing wrote a nice piece a couple of months ago explaining the situation.

If you talk to the WAN services folks at a carrier, their definition of a VPN will be an overlay network that is carried by another network over shared infrastructure. By the carrier’s definition, a telephone call over a PSTN is a VPN. The carrier definition is very different than the other definition of a VPN as an authenticated and encrypted layer 3 tunnel between two nodes, with one node being a network. The former definition assumes that the carriers employees are trustworthy. The latter definition doesn’t care if they are or aren’t.

In addition, compliance regimes like MA 201 CMR 17 and HIPAA are mandating WAN encryption.

To encrypt MPLS traffic and really all wide area network encryption, we recommend CipherOptics.

Enhanced by Zemanta

A week later, "Operation Aurora," which I discussed in detail here, is still the most important IT security story. PC Magazine provided additional details here.

Early in the week it appeared that the exploit took advantage of a vulnerability in Internet Explorer 6, the version of Microsoft's browser originally released on August 27, 2001. Larry Seltzer blogged about Microsoft's ridiculously long support cycles demanded by corporate customers. Why any organization would allow the use of this nine year old browser is a mystery to me, especially at Google!!

Later in the week, we found out that the exploit could be retooled to exploit IE7 and IE8.

In conclusion, let me restate perhaps the obvious point that a defense-in-depth security architecture can minimize the risk of this exploit:

  • Next Generation Firewall
  • Secure Web Gateway
  • Mail Server well configured
  • Desktop Anti-malware that includes web site checking
  • Latest version of browser, perhaps not Internet Explorer
  • Latest version of Windows, realistically at least XP Service Pack 3, with all patches
  • Database Activity Monitoring
  • Data Loss Prevention
  • Third Generation Security Information and Event Management
30. December 2009 · Comments Off on DLP Administration Requirements & Security/Compliance Portfolio Management · Categories: Data Loss Prevention, Security/Compliance Portfolio Management · Tags: , ,

Dark Reading's December 21, 2009 article, 4 Factors To Consider Before Firing Up that DLP Solution provides welcome insight into the administration requirements of DLP systems. Too often, the press just hypes the latest security solution types (think NAC in 2006 and 2007; where is Cisco's TrustSec?). While DLP is surely not new, this type of article is still refreshing.

The four factors described are:

  1. Policy – Initial creation and/or customization, ongoing modification
  2. Data Discovery – Initial and ongoing configuration of data identification algorithms
  3. Integration – e.g. ICAP, email, encryption
  4. Administration – Alert Adjudication

The article says that the amount of administrative work is a function of "the size of your organization and the level of deployment." I would add a third – the product you select.

Actually, all security products require at least Policy Management, Integration, and Alert Adjudication. Therefore when considering adding a new security/compliance solution type, review your overall security/compliance portfolio and consider consolidation opportunities as a way to control administration costs.

While the major security vendors have been acquiring and integrating additional functionality for years, start ups have been coming to market with innovative approaches to unifying functions designed and built from the ground up. Next generation firewalls, as described by Gartner, comes to mind.

24. November 2009 · Comments Off on Massive T-Mobile UK trade secret theft perpetrated by insider · Categories: Breaches, Data Loss Prevention, Trade Secrets Theft · Tags: , , ,

Last week T-Mobile UK admitted to the theft of millions of customer records by one or more insiders. These customer records which included contract expiration dates were sold to T-Mobile competitors or third party brokers who "cold called" the T-Mobile customers when their contracts were about to expire to get them to convert.

While this is a privacy issue from the customer perspective, from T-Mobile's perspective it's also theft of trade secrets.

And this is about as basic as theft of trade secrets gets. According to the article in the Guardian, in the UK this type of crime is only punishable by fine, not jail time, although the Information Commissioner's Office "is pushing for stronger powers to halt the unlawful trade in personal data…"

So if you steal a car, you can go to jail, but if you steal millions of customer records, you can't. Clearly the laws must be changed. Or, not being a lawyer, I am missing something.

Based on some research I've done, the same is true in the United States, i.e. no jail time. Here are some good links that cover trade secret law in the US:

Regardless of the laws and their need for change, organizations must invest in trade secret theft prevention appropriate to the associated level of risk.

Let's take a look at the components of Risk – Threat, Asset Value, Likelihood and Economic Loss -  in the context of trade secret theft.

The overall Threat is increasing as the specific methods of theft of digital Assets constantly evolve. Economic loss, depending on the Value of the trade secret Asset, can range from
significant to devastating, i.e. wiping out much or all of an organization's value.

It's hard to imagine the Likelihood of theft of any trade secret in digital form could ever be rated as low. Unfortunately we do not have well accepted quantitative metrics for measuring the degree to which administrative and technical controls can reduce Likelihood.

Therefore trade secret theft risk
mitigation is really a continuous process rather than a one time effort. New threats are always appearing. New administrative and technical controls must constantly be reviewed and where appropriate implemented in order to minimize the risk of trade secret theft.

NetworkWorld has an interesting article today on the perils of social networking. The article focuses on the risk of employees transmitting confidential data. However, it's actually worse than that. There are also risks of malware infection via spam and other social engineering tactics. Twitter is notorious for its lax security. See my post, Twitter is Dead.

Blocking social networks completely is not the answer just as disconnecting from the Internet was not the answer in the 90's. Facebook, Twitter, and LinkedIn, among others can be powerful marketing and sales tools.

The answer is "IT Security 2.0" tools that can monitor these and hundreds of other web 2.0 applications to block incoming malware and outgoing confidential documents.

09. October 2009 · Comments Off on Cloud-based Data Leak Detection complements Data Leak Prevention – Monitoring P2P Networks · Categories: Breaches, Data Loss Prevention, IT Security 2.0, Privacy · Tags: , ,

Can you imagine your Data Leak Prevention system not being perfect? Is there value in a service that scans P2P networks looking for leaked data that eluded your Data Leak Prevention (DLP) controls?

Tiversa offers such a service. In an example of the value of their service, according to a Washington Post article, they claim that "the personal data of tens of thousands of U.S. soldiers – including those in the Special Forces – continue to be downloaded to unauthorized computer users in countries such as China and Pakistan…"

On a separate, but possibly related note, there was an Ars Technica article last last week on a bill working its way through Congress called the "Informed P2P User Act." From the Ars Technica article:

"First, it requires P2P software vendors to provide "clear and
conspicuous" notice about the files being shared by the software and
then obtain user consent for sharing them. Second, it prohibits P2P
programs from being exceptionally sneaky; surreptitious installs are
forbidden, and the software cannot prevent users from removing it."

It's clear that P2P represents risks that can be reduced by both technical and legal means.