
Exploring the science and magic of Identity and Access Management
Friday, September 6, 2024

Oracle Security Online Forum

Identity, Information Security
Author: Mark Dixon
Thursday, February 17, 2011
11:23 am

Please join us for a set of informative discussions about Information Security in the Oracle Security Online Forum, sponsored by Oracle and Accenture, where leading industry executives and Oracle product experts will come together to discuss security trends, best practices, and proven solutions for your business.

The illustrious lineup includes:

  • Mary Ann Davidson, Oracle’s Chief Security Officer—on industry-leading standards, technologies, and practices that ensure that Oracle products—and your entire system—remain as secure as possible
  • Jeff Margolies, Partner, Accenture’s Security Practice—on key security trends and solutions to prepare for in 2011 and beyond
  • Tom Kyte, Senior Technical Architect and Oracle Database Guru—on how you can safeguard your enterprise application data with Oracle’s Database Security solutions
  • Vipin Samar, Vice President of Oracle Database Security Solutions—on new approaches to protecting data and database infrastructure against evolving threats
  • Nishant Kaushik, Oracle’s Chief Identity Strategist—on how organizations can use Oracle Identity Management solutions to reduce fraud and streamline compliance

Additionally, security solution experts will be on live chat throughout the event to answer your toughest questions.

You can register for the event here.

Hope to “see” you there.


The Golden Parachute: A Case for Data Security

Information Security
Author: Mark Dixon
Friday, November 12, 2010
10:29 pm

This little video makes a pretty good case for ensuring that those responsible for database administration don’t have free rein over the information those databases contain.

That, and maybe the guy needs a bit of common sense …


The Greek Tragedy: A “Zeus Trojan”

Identity, Information Security
Author: Mark Dixon
Thursday, September 30, 2010
8:49 pm

According to a CNNMoney.com article today,

“An international cybercrime ring was broken up Thursday by federal and state officials who say the alleged hackers used phony e-mails to obtain personal passwords and empty more than $3 million from U.S. bank accounts.

“The U.S. Attorney’s Office charged 37 individuals for allegedly using a malicious computer program called Zeus Trojan to hack into the bank accounts of U.S. businesses and municipal entities.”

Isn’t it interesting that this sophisticated cybercrime tool was named for Zeus, the Greek “Father of Gods and men,” and for the Trojan Horse, which allowed the Greeks to surreptitiously enter the city of Troy and end the Trojan War?

It is as if God and the Greeks have ganged up on the rest of us!

I’m sure God and the Greeks aren’t really conspiring against us, but the Zeus Trojan case underlines the tragic reality that the bad guys are becoming extremely sophisticated in their attacks, and that the cost to us all is rapidly increasing.

 

Source Doc: 2010 IOUG Data Security Survey report

Information Security
Author: Mark Dixon
Thursday, September 30, 2010
8:11 pm

The 2010 Independent Oracle Users Group (IOUG) Data Security Survey Report, published by Unisphere Research, a division of Information Today, Inc., and sponsored by Oracle Corporation, uncovered the following troubling findings:

  1. Fewer than 30 percent of respondents are encrypting personally identifiable information in all their databases.
  2. Close to two out of five of respondents’ organizations ship live production data out to development teams and outside parties.
  3. Three out of four organizations do not have a means to prevent privileged database users from reading or tampering with HR, financial or other business application data in their databases.
  4. In fact, two out of three respondents admit that they could not actually detect or prove that their database administrators and other privileged database users were not abusing their privileges.
  5. However, database administrators and other IT professionals aren’t the only people that can compromise data security from the inside. An end user with common desktop tools can also gain unauthorized direct access to sensitive data in the databases.
  6. Almost 64 percent indicate that they either do not monitor database activity, do so on an ad hoc basis, or don’t know if anyone is monitoring.
  7. Overall, two-thirds of companies either expect a data security incident they will have to deal with in the next 12 months, or simply don’t know what to expect.

More details in the report …


Source Doc: PwC Report – “Findings from the 2011 Global State of Information Security Survey”

Information Security
Author: Mark Dixon
Thursday, September 30, 2010
7:58 pm

The PwC document, “Findings from the 2011 Global State of Information Security Survey,” states by way of introduction, “As global economic conditions continue to fluctuate, information security hovers in the balance – caught between a new hard-won respect among executives and a painstakingly cautious funding environment.”

The report addresses the following areas:

  1. Spending: A subtle but enormously meaningful shift
  2. Economic context: The leading impacts and strategies
  3. Funding and budgets: A balance between caution and optimism
  4. Capabilities and breaches: Trends too large to ignore
  5. New areas of focus: Where the emerging opportunities lie
  6. Global trends: A changing of the guard

I Busticated a Behemoth and Slew Kerberos

Information Security
Author: Mark Dixon
Monday, September 20, 2010
11:57 am


Back in July, while studying for the CISSP exam, I proposed that Kerberos (or Cerberus), the three-headed dog from Greek mythology that guards the gates of Hades, ought to be proclaimed the mascot of the CISSP exam. I furthermore suggested that Busticating a Behemoth into manageable chunks was a good approach to CISSP exam preparation.

Well, I’m pleased to report that I did it! I received official word this morning that my designation is official. I can now join the ranks of fellow professionals with the acronym “CISSP” after our names.

I don’t really feel much smarter, but I am gratified to have tackled the big challenge and prevailed.


Stuxnet Worm: Hijacking Critical Infrastructure

Information Security
Author: Mark Dixon
Monday, August 23, 2010
8:29 pm

CNET published a thought-provoking article last week about Stuxnet, a sophisticated software worm that “targets critical infrastructure companies.” It “doesn’t just steal data, it leaves a back door that could be used to remotely and secretly control plant operations.”

This complex software is targeted not at desktop or laptop PCs, but at industrial control systems. It has infected systems primarily in Iran and India, but also at companies in the US.

The malware, which made headlines in July, is written to steal code and design projects from databases inside systems found to be running Siemens Simatic WinCC software used to control systems such as industrial manufacturing and utilities. The Stuxnet software also has been found to upload its own encrypted code to the Programmable Logic Controllers (PLCs) that control the automation of industrial processes and which are accessed by Windows PCs. …

An attacker could use the back door to remotely do any number of things on the computer, like download files, execute processes, and delete files, but an attacker could also conceivably interfere with critical operations of a plant to do things like close valves and shut off output systems.

The eCommerce Times commented:

“The Stuxnet worm, which targets industrial control systems, or "SCADA" systems, is one of the most sophisticated bits of digital malware security researchers have come across in a long time. Now, those researchers want to know where it came from. Was Stuxnet the product of a den of hackers working on their own accord, or did a national government somewhere in the world have a hand in its creation?

"Given the sophistication and organization behind it, we highly suspect it has nation-state involvement rather than being a tool for competitive intelligence," Roel Schouwenberg, a senior antivirus researcher with Kaspersky Lab, told TechNewsWorld.

In a recent post, I quoted a report entitled, “21 Steps to Improve Cyber Security of SCADA Networks,” where the US Department of Energy stressed the importance of security in control systems:

The U.S. energy sector operates the most robust and reliable energy infrastructure in the world. This level of reliability is made possible by the extensive use of Supervisory Control and Data Acquisition (SCADA), Distributed Control System (DCS), and other control systems that enable automated control of energy production and distribution. These systems integrate a variety of distributed electronic devices and networks to help monitor and control energy flows in the electric grid and oil and gas infrastructure.

Automated control has helped to improve the productivity, flexibility, and reliability of energy systems. However, energy control systems communicate with a multitude of physically dispersed devices and various information systems that can expose energy systems to malicious cyber attacks. A successful cyber attack could compromise control systems and disrupt energy networks and the critical sectors that depend on them.

Securing control systems is a key element in protecting the Nation’s energy infrastructure. The National Research Council identified "protecting energy distribution services by improving the security of SCADA systems" as one of the 14 most important technical initiatives for making the nation safer across all critical infrastructures.

By targeting systems that control vital parts of a nation’s critical infrastructure, this worm is an example of how increasingly sophisticated technology can be used as an offensive weapon. Lots of questions still exist about this specific worm, but it really illustrates how we must be concerned about the security of all computer-based systems, not just those in data centers.

Somehow, this causes more concern in my paranoid mind than vulnerabilities in my iPhone.


Intel and McAfee: What Do You Think?

Information Security
Author: Mark Dixon
Friday, August 20, 2010
5:48 pm

Yesterday’s announcement that Intel would pay $7.68 billion for McAfee, Inc. triggered a couple of instant thoughts:

  1. McAfee has come a long way from when I first met founder John McAfee in the early 1990s in a small, cluttered office in Santa Clara.
  2. Intel/McAfee: What strange bedfellows!


According to the Wall Street Journal article where I first read the news, Intel executives were bullish (as they should have been, after laying nearly $8 billion on the table in a surprise deal).

“Intel executives argued growing security dangers require new measures, describing the acquisition as an essential step to design chips and other hardware that can protect systems better than software alone. …

"’We believe security will be most effective when enabled in hardware,’ Intel Chief Executive Paul Otellini said in a conference call.

In Yahoo press coverage, Mr. Otellini is quoted:

"Everywhere we sell a microprocessor, there’s an opportunity for a security software sale to go with it … It’s not just the opportunity to co-sell, it’s the opportunity to deeply integrate these into the architecture of our products."

BusinessWeek’s analysis was a bit less upbeat:

“Intel will have to persuade customers they need security in non-PC electronics in much the same way it has convinced businesses and consumers that they required chips that speed computing tasks or ensure seamless wireless connections.

“’Right now nobody is screaming for security in their cars and in their cell phones,’ said Gartner’s Peter Firstbrook.”

Forrester Research’s Andrew Jaquith was downright negative:

“What on earth does Intel expect to get for all of the money it is spending on McAfee? I’ve been scratching my head over this, and despite McAfee CTO George Kurtz’ helpful blog post, I am still struggling to figure this one out. …

“I see four problems with Intel’s strategy (at least as much as I can glean, so far):

  • Neither Intel nor McAfee are serious players in the mobility market …
  • Intel’s hardware platform strategy will not work. …
  • Intel doesn’t understand software. …
  • The security aftermarket will be very different on Post-PC devices. …”

What do I think?

  1. I agree that security at the chip level is part of an integrated end-to-end security chain that will be essential in the mobile market, especially as mobile devices are enabled for mobile payments and other high-value functions.
  2. I wonder why Intel had to buy a whole company to get the security expertise necessary to build in security at the silicon level. Maybe McAfee has some diamonds in the rough hidden away in the R&D lab that will justify Intel’s big acquisition.
  3. This very visible acquisition highlights the critical need for Information Security, a topic that is near to my heart.

What do you think?


Security Vulnerabilities in Popular Platforms

Information Security
Author: Mark Dixon
Friday, August 20, 2010
4:57 pm

Earlier this week, I participated in a spirited discussion with some of my colleagues about whether the popularity of devices such as the iPhone and iPad would result in increased attempts and successes in hacking those platforms. On the heels of that discussion, it was ironic to see the following announcement from iTunes when I plugged my iPhone into my PC this morning:

iOS 4.0.2 Software Update

Fixes security vulnerability associated with viewing malicious PDF files.

Products compatible with this software update:
• iPhone 3G
• iPhone 3GS
• iPhone 4
• iPod touch 2nd generation
• iPod touch 3rd generation (late 2009 models with 32GB or 64GB)

(Emphasis mine)

Windows has long been lambasted for the sheer volume of security flaws it contained. Could it be that at least some of that volume was due to the popularity of that platform and the sheer number of hackers trying to break it? Hopefully, newer platforms are the beneficiaries of the increased focus on security. But we still need to be careful.

 

Want to Steal $11 million? Use Orphan Accounts.

Identity, Information Security
Author: Mark Dixon
Thursday, August 19, 2010
11:32 am

I first met Alan Norquist back in 2000 while we worked together at Ponte Communications, a dot-com startup that lured me away from my first stint at Oracle. Ironically, Alan came to Ponte directly from Sun Microsystems; I would later join Sun. At Ponte, we developed and sold technology to provision and configure a wide range of network infrastructure devices. The company didn’t succeed, but it allowed me to focus for a while on the issues involved in using a centralized application to provision multiple connected devices – a capability that was central to the growth of the Identity Management Provisioning market a few years later.

In the ensuing ten years, Alan has been a successful serial entrepreneur. He is now Founder and CEO at another emerging company, Veriphyr, which uses advanced data analytics to automatically discover user access policy exceptions.

Again, our lives have converged because of a common professional focus on Identity Management and Information Security.

In a recent blog post, Alan pointed out a recent Colorado legal case:

“A three person process for approving payments did not stop a lone insider from stealing $11 million by playing puppet master. The thief’s unauthorized access to the unused computer accounts of two other employees allowed her to pull the strings and make it appear financial payments had the necessary three ‘independent approvals.’”

A report from TheDenverChannel.com further elaborated:

Michelle Cawthra, who was a supervisor at the Colorado Department of Revenue, had testified that during the scheme, she deposited unclaimed tax refunds and other money in [her boyfriend’s] bank accounts by forging documents and creating fake businesses.

How did she do it? Rather than de-provisioning access for a few employees who had reported to her, she allowed their orphan accounts to hang around. Ms. Cawthra had convinced the departing employees to share their passwords with her, so she had multiple unfettered channels of access to complete her nefarious schemes.

Interestingly enough, preventative Separation of Duties (SOD) controls were in place. But with the right orphan accounts within her grasp, Ms. Cawthra was able to circumvent those controls and complete her work. In addition to preventative controls, a method to detect illicit use before the case got out of hand was really needed.

So if you want to steal $11 million, perhaps you can leverage orphan accounts.  However, if you are on the right side of the law, I’m sure Alan would be delighted to discuss how Veriphyr can help catch schemes like Ms. Cawthra devised.
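The detective control the post calls for can be quite simple: compare every approval against the HR roster and treat an approval as trustworthy only if the account is distinct from the other approvers and its owner is still employed. The following is an added illustration, not Veriphyr’s product or anything from the Colorado case; the roster, account names and approval log are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster: account -> last day of employment (None = still employed).
# Accounts with a past end date that still act are orphan accounts.
ROSTER = {
    "alice": None,                # supervisor, still employed
    "bob":   date(2006, 3, 31),   # left in March, never de-provisioned
    "carol": date(2006, 5, 15),   # left in May, never de-provisioned
    "dave":  None,
    "erin":  None,
}


@dataclass(frozen=True)
class Approval:
    payment_id: str
    approver: str
    when: datetime


# Constructed approval log. Policy: each payment needs three independent approvals.
LOG = [
    Approval("P-1000", "alice", datetime(2006, 8, 30, 9, 0)),
    Approval("P-1000", "dave",  datetime(2006, 8, 30, 9, 20)),
    Approval("P-1000", "erin",  datetime(2006, 8, 30, 9, 50)),   # clean payment
    Approval("P-1001", "alice", datetime(2006, 9, 1, 9, 2)),
    Approval("P-1001", "dave",  datetime(2006, 9, 1, 9, 40)),
    Approval("P-1001", "bob",   datetime(2006, 9, 1, 10, 5)),    # bob left in March
    Approval("P-1002", "alice", datetime(2006, 9, 2, 14, 0)),
    Approval("P-1002", "bob",   datetime(2006, 9, 2, 14, 1)),
    Approval("P-1002", "carol", datetime(2006, 9, 2, 14, 3)),    # two orphans, 3 minutes apart
    Approval("P-1003", "alice", datetime(2006, 9, 3, 11, 0)),
    Approval("P-1003", "dave",  datetime(2006, 9, 3, 11, 30)),
    Approval("P-1003", "alice", datetime(2006, 9, 3, 11, 45)),   # same person twice
]


def find_violations(log, roster, required_approvers=3):
    """Return {payment_id: [reasons]} for payments whose approvals cannot be trusted."""
    by_payment = {}
    for a in log:
        by_payment.setdefault(a.payment_id, []).append(a)
    findings = {}
    for pid, approvals in by_payment.items():
        reasons = []
        for a in approvals:
            if a.approver not in roster:
                reasons.append(f"unknown account {a.approver}")
                continue
            end = roster[a.approver]
            if end is not None and a.when.date() > end:   # orphan account still acting
                reasons.append(f"orphan account {a.approver} (left {end.isoformat()})")
        distinct = {a.approver for a in approvals}
        if len(distinct) < required_approvers:          # "independent" approvals collapse
            reasons.append(f"only {len(distinct)} distinct approvers")
        if reasons:
            findings[pid] = reasons
    return findings
```

Run periodically against the real approval log and the HR leavers feed, this flags the pattern the post describes (approvals by accounts whose owners are gone) without needing any change to the preventative SOD control.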

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.