08. December 2010 · Comments Off on Kevin Beaver’s Security Blog: Unbelievable #s in the new Billion Dollar Lost Laptop Study · Categories: blog · Tags: ,

Kevin Beaver’s Security Blog: Unbelievable #s in the new Billion Dollar Lost Laptop Study.

Intel commissioned Ponemon Institute report says that one in ten laptops are lost or stolen during the typical three life cycle. The billion dollar number comes from the estimated $49,000 cost associated with each lost laptop incident. While you may disagree with that number, it’s surely higher than simply the cost of the laptop itself.

According to the study only 30% of laptops are encrypted!!

From the InfoWorld article, Corporate America’s lost laptop epidemic:

One way Intel works to ameliorate the problem internally is by letting its workers put their personal information on the computers. People are less cavalier about the security of their laptops when they have their own data on them, said Malcolm Harkins, Intel’s chief information security officer.

28. August 2010 · Comments Off on MPLS WAN Encryption – It’s time · Categories: Data Loss Prevention · Tags: , , , ,

Is MPLS secure? All the MPLS vendors use the term VPN (Virtual Private Network), implying some level of security. But in reality, MPLS is not encrypted and therefore subject to snooping. But of course, you have no way of knowing one way or the other.

Mike Fratto at Network Computing wrote a nice piece a couple of months ago explaining the situation.

If you talk to the WAN services folks at a carrier, their definition of a VPN will be an overlay network that is carried by another network over shared infrastructure. By the carrier’s definition, a telephone call over a PSTN is a VPN. The carrier definition is very different than the other definition of a VPN as an authenticated and encrypted layer 3 tunnel between two nodes, with one node being a network. The former definition assumes that the carriers employees are trustworthy. The latter definition doesn’t care if they are or aren’t.

In addition, compliance regimes like MA 201 CMR 17 and HIPAA are mandating WAN encryption.

To encrypt MPLS traffic and really all wide area network encryption, we recommend CipherOptics.

Enhanced by Zemanta
28. December 2009 · Comments Off on Database security – the last frontier · Categories: Database Activity Monitoring · Tags: , ,

i just stumbled on a blog post by John Oltsik of ESG entitled Database Security Is In Need of Repair written on August 26th, 2009. John reports on a survey ESG conducted that showed Database Security is surprisingly weak given the fact that 58% of the survey respondents said that databases contain the highest percentage of their organizations' confidential data. File Servers came in a distant second at 15%.

How can this be? John says:

1. No one owns database security, rather it appears to be a collective
effort done by security administrators, IT operations, data center
managers, system administrators, DBAs, etc. With this many people
involved, it is likely that database security is fraught with redundant
processes, numerous "root" access passwords, and human error.

This resonates with my experience. The worlds of DBAs and IT Security professionals rarely meet. They speak different languages. DBAs are all about availability and performance, just as network administrators traditionally were.

There are two types of Database Security solutions – Encryption and Database Activity Monitoring. Encryption solutions are used for compliance purposes, for example to encrypt the Social Security Number column of a database o block unauthorized users who gain access to the database server. However, it does nothing to block authorized users violating access policies.

Database Activity Monitoring, which I wrote about here, comes in three flavors – logging, network, and host based. In some cases, Database Activity Monitoring can provide a layer of policy control to restrict authorized users (insiders) to just the data they need to do their jobs. And even of those solutions there can be limitations.

In summary, 1) the solutions available are improving and 2) it behooves database administrators to expand their vision to include database security.