Secerno - Active Database Control

Secerno Says...

4th August 2008

State of Data Security Update

Comments from Paul Davie, Founder.

As we move closer to the end of 2008, we look again at the rapidly changing threat landscape around data security, and consider how the market is adapting to address this new environment.

The Effects of the Economic Downturn

As economic growth slows in western countries, squeezing bottom-line returns, increasing emphasis is being placed on costs – including losses due to IT fraud and other security incidents – as companies try to maintain investor returns. At the same time, tighter legislative frameworks are pushing security-related costs up as the compliance bar is slowly raised. These two forces together are driving organizations to look for smarter, more efficient and effective security solutions, and the older established technologies will start to feel the pinch.

1. The Emergence of Blocking

We saw it in the Annual Threat Assessment for the Senate Select Committee on Intelligence[1] in February, where it was made clear that simply detecting breaches of sensitive data after the event was not enough – prevention was required. We saw it again in May, when the US Government Accountability Office reported to a Homeland Security panel on cyber security and called for electric utilities to implement extra IT security as their systems increasingly become internet-enabled. The level of risk to national infrastructures is rising steeply and defense mechanisms need to keep in step.

Now, more advanced, behavioral-based technologies are beginning to emerge across the security space, offering the promise of error-free anomaly detection. Governmental and commercial pressures are increasing for the adoption of active security measures – after-the-fact analysis being an inadequate response. In the face of cyber terrorism and international extortion, these measures will move into the mainstream – and the next high profile government data breach or attack on an area of national infrastructure will increase the clamour to move beyond simple alerting mechanisms to add blocking capabilities.

2. The Further Demise of the Block/Black List

As if further proof were needed that signature-based approaches can never deliver adequate protection for databases, along came Nihaorr1 – an SQL-borne Trojan which rapidly hit well over half a million internet-facing databases, filling tables with malicious code the world over. It wasn’t particularly complex, but it was effective, and the nature of SQL is that the same attack can – and undoubtedly will – be replayed in an infinite number of different ways. Any block-list-based security approach in the SQL world is doomed to failure.

The outbreak will mark another step away from the “hard on the outside, soft on the inside” out-dated perimeter model of security, towards defense in depth, with security applied not just at the network, but also locally through new specialist solutions at the application layer to protect key assets, such as databases.

These new solutions are more likely to be built on positive security models – an understanding of what behavior is allowed – than on the impossible chase to keep up with knowledge of every possible threat. Signature-based block list technologies have had their day. The realisation will grow that it is easier – and ultimately provides a far better security posture – to identify the wanted behavior and to disallow everything else.
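To make the contrast concrete, here is an added illustration (not Secerno’s product code) of the two approaches: a literal signature block list, and a positive model that learns the normalized shape of the statements an application actually issues and disallows everything else. The block list, the baseline queries and the normalization rules are constructed for this example.

```python
import re

# Constructed block list of literal signatures: the approach the text says
# cannot keep up, because it only matches strings someone thought to list.
BLOCK_LIST = ("or 1=1", "union select")


def blocked_by_signature(sql: str) -> bool:
    """Case- and whitespace-insensitive substring match against BLOCK_LIST."""
    s = " ".join(sql.lower().split())
    return any(sig in s for sig in BLOCK_LIST)


def shape(sql: str) -> str:
    """Reduce a statement to its structure: string and numeric literals become
    '?', whitespace and case are normalized. 'id = 42' and 'id = 7' share a
    shape; an extra predicate or clause does not."""
    s = sql.strip().rstrip(";")
    s = re.sub(r"'(?:[^']|'')*'", "?", s)      # 'text' and 'it''s' -> ?
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)   # 42 and 3.14 -> ?
    return " ".join(s.lower().split())


class PositiveModel:
    """Allows only statement shapes learned from the application's own traffic."""

    def __init__(self) -> None:
        self.allowed = set()

    def learn(self, sql: str) -> None:
        self.allowed.add(shape(sql))

    def permits(self, sql: str) -> bool:
        return shape(sql) in self.allowed


# Constructed baseline: what the application normally sends to the database.
BASELINE = [
    "SELECT name, email FROM customers WHERE id = 42",
    "SELECT name, email FROM customers WHERE id = 7",
    "INSERT INTO audit_log (actor, action) VALUES ('alice', 'login')",
]

MODEL = PositiveModel()
for stmt in BASELINE:
    MODEL.learn(stmt)

# Constructed test statements: a normal query with a new literal, a piggybacked
# predicate the list happens to name, and a trivially rewritten one it does not.
NORMAL = "SELECT name, email FROM customers WHERE id = 1234"
LISTED = "SELECT name, email FROM customers WHERE id = 1 OR 1=1"
UNLISTED = "SELECT name, email FROM customers WHERE id = 1 OR 2=2"


def compare() -> dict:
    """Per statement: (blocked by signature list?, permitted by positive model?)."""
    return {
        "normal": (blocked_by_signature(NORMAL), MODEL.permits(NORMAL)),
        "listed": (blocked_by_signature(LISTED), MODEL.permits(LISTED)),
        "unlisted": (blocked_by_signature(UNLISTED), MODEL.permits(UNLISTED)),
    }


if __name__ == "__main__":
    for name, (sig_blocked, allowed) in compare().items():
        print(f"{name:8s} signature_blocked={sig_blocked} positive_model_allows={allowed}")
```

The signature list stops only the variant it names, while the positive model rejects both anomalous statements because neither matches a learned shape, and still passes the normal query whose only difference is its literal.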

3. Data Security from Service Providers

Incidents such as the Nihaorr1 outbreak of SQL injection attacks, and insider breaches such as that experienced by Hannaford, will all accelerate the adoption of specialist data protection technologies by managed security service providers and outsourced data management firms seeking to provide secure, higher-value solutions to their customers. Small and medium-sized enterprises will be driven more towards using service providers, rather than relying on in-house solutions, as the overhead of managing data securely themselves becomes unsustainable.

The competition between the managed security service providers will drive data security to become a critical, high-value part of their offerings, integrated into reporting and alerting environments to complement the lower-value, commoditised components such as vulnerability scanning. Conversely, the big challenge for the managed security service providers will be to figure out whether (and how) to adopt the new wave of well-hyped data loss prevention technologies. Their noise levels may make them a nightmare to manage in large-scale deployments.

Of course, the fun will start when a major SaaS vendor gets breached.

4. The Audit & Compliance Market Maturity

The market for audit solutions will consolidate quickly. There is a growing realisation that compliance as defined today has done little to improve many companies’ risk profile and risk management. The economic squeeze has left companies keen to adopt more cost-effective solutions to a problem whose solution, in the worst cases, adds no value to their operations. The market for compliance solutions will continue to move in two directions:

  • Integrated solutions will consolidate current point solutions, offering investment and operational cost savings
  • Solutions will increasingly add value, such as integrated security measures, to the point where audit, reporting and compliance capabilities become beneficial system side effects, rather than the investment driver themselves. Companies thus acquire compliance while improving their security practice – which is the way it was meant to be, all along.

As the economic environment hardens, companies are being forced to tighten expenditure across the board. Merely throwing money at the compliance problem will not work any longer – business value and return on investment will loom large in this space.

5. Insiders Continue to Embarrass the PCI Compliant

Why will those insiders not all behave? We have seen with so many breaches the involvement of insiders, enabling in a few cases data theft on a grand scale. The problem is that so much security focus goes on merely ticking the compliance boxes that companies often lose sight of where the risks really lie.

Authentication processes are essential, of course, in all environments to control access to sensitive data. But for the first time, failure of authentication will be recognised as undermining the power of encryption as the panacea for data protection.

When authentication fails, or simply lets a malicious insider through, then no amount of watertight encryption will help. Your staff members may well not be using the web applications your customers do, so a Web Application Firewall (WAF) will not help either.

PCI compliance is just the first step in a road to adequate security to protect consumers’ credit card data. Those stopping after the first step should not be surprised to find themselves blinking in the glare of publicity when they find they have spilt consumers’ data, especially if one of their own staff appears to have been involved.

[1] Annual Threat Assessment for the Senate Select Committee on Intelligence
J. Michael McConnell, US Director of National Intelligence. February 2008

Archived Comments from Secerno

18th December 2007

Secerno muses over the state of data security in 2007/8

Simplistic security solutions based on signature block lists or rules-based network security will put organizations at risk in 2008, warns Secerno.

For more information on this see the complete State of Data Security 2007/8 report (www.secerno.com/state_of_data_security)

2007 has been regularly punctuated with data breaches, and as a result public awareness of data protection has risen to an all-time high of 85%[1]. The Information Commissioner’s annual report also highlighted that the ICO received almost 24,000 enquiries and complaints concerning personal information over the 2006/7 period, prosecuting 16 individuals and organizations in just over 12 months[2].

Steve Hurn, CEO, Secerno commented, “The memory of the damage caused by 2007’s numerous security breaches will not fade quickly. Breaches such as the HMRC’s loss of two discs affected 25 million people, whilst Leeds Building Society recently lost sensitive data relating to workers’ payslips and just last week, the DVLA compromised 6,000 drivers after losing their sensitive information. Consumers and credit card companies will no longer tolerate what have now become exceedingly routine data loss incidences.”

“While the business drivers of cost and centralisation make sense, the security issues pertaining to authorised access and authentication to prevent abuse of access rights to a single, large source of sensitive data are tremendous. 2008 will finally see the acceptance of monitoring and auditing procedures in an attempt to achieve control over data access through the adoption of more intelligent blocking approaches to protect enterprise scale environments,” adds Hurn.

During 2007, legal compliance has also been a key driver for security spending globally. However, as complexity of compliance increases due to political pressure and government legislation, IT security purchasers will demand reporting procedures to be integrated into their existing technology platforms. Hurn believes, “This will force point solutions providers to deliver added value and security beyond audit and reporting. Those without the required assets will fade away.”

Hurn concludes, “Security will increasingly become an issue of tracking and proactively securing data in its many forms, rather than seeking footprints of intruders on the network. Approaches that follow the data across the enterprise and model the behavior of those using it will start to make headway.

“Traditional security approaches will buckle under the strain of new threats and increasing numbers of authorised users. Firewalls in complex environments can run into tens of thousands of rules. The hope that any human can understand and manage the complete picture is rather fanciful.”

For more information go to The State of Data Security 2007/8 report (www.secerno.com/state_of_data_security)

[1] Compliance and privacy.com

[2] ICO Annual Report 2006/7


26th July 2007

Authentication technology is muddying the data security waters, says Secerno

In the scramble to secure confidential data, authentication technology is lulling businesses into a false sense of security, says Steve Hurn, CEO of database security company Secerno:

“Recent high-profile breaches are forcing businesses to take the issue of data security very seriously. Some, like Oracle, are turning to authentication technology to shore up their defences. Last week, the company announced that it will acquire Bharosa, an identity theft and fraud detection company – this is fine for auditing and privacy purposes, but much more is needed for security purposes.

“Simply put, authentication – even multifactor authentication – can only ever offer limited protection. Proving that someone is who they claim to be solves only one half of the problem. Even if the user is authorised to access the database, how can a company be sure that the user won’t use it for something s/he shouldn’t? It’s not enough for a company to identify who is accessing its database; a company needs to know what that person is doing with the data when they’re accessing it.

“The only way to ensure that you don’t open your data to someone with malicious intent is for a security system protecting the database to ‘recognise’ the intent of the person or application querying it.

“Using SQL injection, an attacker can ‘piggyback’ a technically legitimate database instruction on a query sent by an application, allowing a criminal to use the contents of the database in any way they want. This means that the security threat comes from the database trusting the application, not the database itself.

“It’s great to see organizations like Oracle taking data security seriously; but if we’re to tackle the problem effectively, we must make sure we’re looking at the whole picture. Firstly, there needs to be a mindset change – companies need to be pre-emptive and encourage employees to access only the data they actually need to perform the task at hand. Secondly, this needs to be backed up with technology. And not just with authentication technology. It needs to be intelligent database technology that can not only authenticate the user, but also understand the intent of the requests made by the user or application.”


11th July 2007

Commentary on the Information Commissioner’s report on organizations breaching data protection rules

Richard Thomas, the UK’s Information Commissioner, claims companies must take the personal data of both customers and staff seriously. http://news.bbc.co.uk/1/hi/business/6289410.stm

Steve Hurn, CEO of database security company, Secerno, says: “Richard Thomas has said in public what many companies are likely to have admitted to themselves in private – that data security is an immediate issue, and that by not handling it accordingly, organizations are vulnerable to attack and consumer confidence is being eroded.

The problem for many organizations is that the law is unclear and that they do not know exactly how to deal with the intimidating scale and complexity of the problem. They are hiding their heads in the sand, hoping that they won’t be the next victim of a high profile breach. However, storing huge volumes of data on a system without using the appropriate database security technology is akin to operating without a firewall or anti-virus technology – it’s a case of when a security breach will happen, not if.

All personal data is incredibly valuable and should be treated as such. Companies can mitigate the risk by allowing employees access only to data needed to perform their role. A company wouldn’t make its payroll details accessible to anyone outside of its payroll or finance departments, so why make other equally valuable data available to those that do not need access to it? Who monitors the access to sensitive data by the system and database administrators? This is often an overlooked loophole. Database security technology can help companies put appropriate controls and policies in place, allowing them to monitor and block any abnormal behavior within their database before a breach occurs.

We need to square up to the problem of data security and embrace the technology that is already available, which will not only protect organizations from further breaches, but will also help rebuild waning consumer confidence.”


30th March 2007

Commentary on Credit Card Thefts of TK Maxx Customers

Comments from Paul Davie, Founder.

It has been widely publicised that no fewer than 45 million customers have been hit by the theft of credit card data at TK Maxx, owned by TJX. Effectively anyone who bought anything at a TK Maxx store between January 2003 and June 2004 is at risk, and that includes customers at the 210 stores in Britain. TK Maxx has admitted that computer hackers have broken in and managed to steal the data of as many as 45.6 million cards.

“The issue of protecting confidential customer data is a time bomb that has been waiting to explode. Given the lax attitude of some businesses in addressing data security and the increase in targeted attacks on data by sophisticated criminals, it was only a question of time before a major breach of this type thrust this issue into the public eye,” says Paul Davie, Founder of Secerno.

A TK Maxx spokesperson said, “These figures only relate to what we do know. There is a lot more we do not know and may never know.” The theft of customer records held on computers at the company’s British headquarters in Watford, Hertfordshire and at TK Maxx offices abroad is the biggest heist of credit card information anywhere in the world.

All the major credit card brands are affected and Visa and others are working with TJX to investigate what has happened.

Estimates as to the direct cost of replacing a credit or debit card run at $5-20 each, suggesting costs of $200-800m. The Ponemon Institute suggests that the total direct and indirect costs run at $186 each, which would take the damage to an eye-watering $8.3bn.

To say this is bad enough somewhat understates the case. But consider statements from the Privacy Rights Clearinghouse, which suggest 100m records have been exposed during their two years of monitoring such events.

In the UK, we have no comparable legislation which demands the publication of such breaches, so the extent of the problem here is hidden.

So what can UK businesses do to protect themselves from this type of problem? It should be more than abundantly clear that organizations need to tighten up their security policy.

Organizations need to be ahead of the game and put in place technology that allows them to monitor and block any abnormal behavior by anyone trying to access confidential data. This type of technology IS now available.


28th March 2007

Commentary on Halifax Disclosure of Data Theft

Comments from Paul Davie, Founder.

Clearly the punitive example the Financial Services Authority (FSA) made of Nationwide – fining them almost £1 million primarily for failing to be proactive in the wake of the theft of an employee’s laptop containing thousands of customer records – has not gone unnoticed by its rivals. Fellow building society, Halifax, has been swift to take action, alerting the FSA to the theft of mortgage details for some 13,000 customers last Wednesday and starting to write to the customer base. The data was in a briefcase stolen from an employee’s locked car and of the 13,000 records stolen, 1,800 had the name, address, mortgage account number and balance of the customer’s account.

“We applaud Halifax’s prompt action in communicating with the FSA. Disclosure is definitely the right route forward and it’s good to see an organization acting responsibly,” said Paul Davie, Secerno Founder. “However this is another example of an incident that could so easily have been avoided. To err is human and it becomes essential to minimise the impact of human error by putting in place automated controls. Checks must be put in place to prevent any one individual – even if his intentions are honourable – from accessing and downloading this volume of data.”

A survey launched this week by Websense suggests that 50% of employees believe their company simply would not know if they took - or accidentally took - company information.

This is a situation where technology could so easily step in to help. Of course organizations need to tighten up their security policy. But they also need to be ahead of the game, with a system that isolates each and every request made to the database that is inconsistent with normal activity, and prevents the database ever being asked to do something the organization would rather it didn’t – even if the request is coming from an authorised source. This type of technology is now available.


14th February 2007

Secerno commentary on Nationwide laptop theft

As the FSA fines building society Nationwide almost £1 million following the theft of a laptop that contained the confidential information of nearly 11 million customers, we are reminded that data loss is something that could – and should by now – be a problem banished to the past.

Deploying effective database security to control the effects of this kind of breach is a no brainer – whether or not staff are able to download so much customer information that they leave organizations exposed to such basic risks as the theft of a laptop.

Even though employees may well need to access critical business data, every organization should be able to identify requests to download such large amounts of information as ‘out of the ordinary’ and block them.

It’s been an expensive lesson for Nationwide to learn, not just in monetary terms but in brand value and reputation – especially as resolving it with today’s new deperimeterised security technology for protecting business database assets could have cost a small fraction of the fine with which they have been hit.


8th December 2006

Secerno commentary for 2007 technology predictions

Comments from Paul Davie, Founder.

In terms of security, the traditional focus on the perimeter is now proven to be a dangerous anachronism - old techniques centred on protecting infrastructure, rather than facilitating business. The approach was geared to delivering point solutions to combat individual insecurities. Nowadays security is evolving as a business enabler. Key technologies in 2007 will be those which support business and make it easier to trade in a safe way. There has been a real shift in the nature of the threats to be addressed. It is no longer just a case of simply keeping the individual hacker out, but has now shifted to addressing the new threat landscape where hackers and crime groups are working more closely together, with insiders turning into malicious outsiders. Instances hitting the headlines now show that customers need new technologies to address the changing business need and that these should be easy to deploy, eminently scalable and above all effective.

New database assurance technology delivers precisely that. For example, Secerno’s new technology is effective because it automatically measures actual system behavior, rather than requiring system owners to define and maintain lists of allowed functions. The result is a fast, accurate IDS/IPS capability which secures databases and automatically delivers valuable audit data. Applications can easily be made more secure from the outset and audit costs are dramatically reduced.

This type of technology provides an excellent opportunity for resellers as the system installs easily and quickly – without lengthy consultancy periods – and is able to scale across the enterprise, whichever database platforms are being used.

