Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.
What follows is a transcript of my conversation with Rani Osnat, Vice President of Marketing at Sentrigo, where we discuss current data security, data protection laws around the world, Sentrigo’s data protection product, the Hedgehog, and finally, the future of database protection.
How do you see the current state of data security?
Well, I think within the last decade or so, we’ve seen the larger focus of IT security, where the emphasis was on perimeter defense, slowly shift towards the inside of the enterprise. So, data security’s just really beginning to come into the limelight, and I think there’s also a realization that the measures that used to be the primary measures for data security, like encryption, are good measures, but they’re not sufficient.
Sentrigo is an international company. Do most countries have data protection laws similar to those in the US?
There is definitely a trend to follow the US. The US is a leader in this market. Data protection laws and regulations in the US are definitely ahead of the curve, both in terms of commercial data protection, as in Sarbanes-Oxley, and also in privacy matters, as expressed in various state laws that have to do with breach notification. However, there are certain regulations that cross borders, for example PCI DSS, which is the credit card industry’s data protection standard that goes across countries, basically wherever Visa and MasterCard work. So some laws are exclusive to the US, but we definitely see a trend for going international to protect data, both for privacy reasons as well as for corporate governance and commercially.
What problems did your company Sentrigo see in data protection that made you want to develop the Hedgehog?
Well, we looked at databases, which is the area we were focusing on. Databases have really been the kind of soft underbelly of the IT infrastructure in terms of security. As I said before, the perimeter has gotten a lot of attention over the years, and companies have been busy protecting their boundaries from the outside, including things like firewalls, IDS and IPS (intrusion detection and intrusion prevention systems), preventing spam and viruses and so on from entering their domain. But, increasingly, we see a growing threat from insiders. People within the enterprise, people within organizations, are increasingly becoming more of a threat, whether that is because the perimeter is better defended so it’s easier to get to them on the inside, if it’s an organized element that’s doing it, or just because it’s getting more attention now.
Basically you can run the gamut from disgruntled employees, to a database administrator peeking into his colleague’s salary, to much more severe criminal offenses. We saw an opportunity there to protect databases, and do it at close quarters, and do it in a way that’s fundamentally different from the way the perimeter is defended, because databases hold a lot of information and because they are part and parcel of the main business processes within large organizations. You can’t just kind of seal them off; that just won’t work, because you will paralyze the business. You have to find a way to defend them and at the same time leave them open and interoperable with other systems in the enterprise.
Now could you elaborate on the virtual patching and granularity of Hedgehog?
Virtual patching is a mechanism that we created to basically make up for vulnerabilities that are discovered within databases on an ongoing basis. What normally happens is that whenever a new version of the database or a new piece of software is added to the database, someone somewhere will find new vulnerabilities that can be exploited to hack into the database. The issue is that a long time passes from the time the vulnerability is discovered and reported to the time that the database vendor issues the security patch or an upgrade that basically plugs that vulnerability. This can take months and even years. In addition to that, when the patch is issued, it requires downtime for the database because it is an upgrade to the system itself and it could also have an adverse effect on the stability of the database. So database administrators and system administrators are reluctant to apply these patches because they need to test them first and so on. So, you are really talking about an overall lag of many months if not years.
What virtual patching provides is basically ongoing protection, which is done within Hedgehog, which basically sits on top of the database. It doesn’t require any downtime, and it issues alerts or prevents activity from taking place that exploits those newly discovered vulnerabilities. So, in effect, it’s another layer of defense that gives the enterprise almost immediate protection, because it only takes a couple of days to issue patches, until such time that they can upgrade the database. The granularity issue: again, because the Hedgehog sits on top of the database, we are very intimate with the database and what’s going on within the database. So, for example, when a stored procedure is used (a stored procedure is a procedure that is stored within the database that can run all sorts of commands), this is something that Hedgehog will be able to see, and know exactly what that stored procedure is doing. Whereas a system looking from the outside in would only see that the stored procedure has been activated, but it will not know exactly what it’s doing internally. And this is something that sophisticated hackers can exploit, in a similar way to how Trojans work: Trojans and viruses infiltrate the system and then act from the inside.
What do you see as the future threats against data security?
The future threats: definitely the insider threat is going to grow. I think it’s going to grow, it’s going to become more sophisticated and more driven by organized elements. I think the disgruntled employee type of data breach is going to continue, and the negligent type of employee breach is going to continue, but they’re not necessarily going to grow beyond what they are today. I think that the criminal element, the malicious element, is going to grow simply because it’s becoming more and more difficult to do it from the outside. The notion of the lone hacker, the teenage lone hacker sitting in a basement somewhere trying to hack into a system just to prove a point, I’m sure these people still exist, but this is not the majority of hackers today.
The majority of hackers today are looking to make money off their hacking, and so they’re looking for financial data, personal data, and taking these to facilitate identity theft, credit card data and so forth. And they would use any means at their disposal, including using insiders. I think another trend is that we’re going to see more sophisticated, multi-stage attacks. If today the main attacks against databases are SQL injections, I think that in the future we might see SQL injections being used at some stage, but they are going to be more sophisticated attacks using worms and stored procedures, as I mentioned before, and other things that enable a hacker to launch a multi-stage attack that is much more difficult to detect in time.
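The SQL injection attack Osnat refers to is easy to show concretely. What follows is an added example, not code from the interview or from Sentrigo's product: a constructed SQLite table with a salary lookup that splices user input into the query text, beside the same lookup with bound parameters. The table layout, the names and the injected string are assumptions for illustration.

```python
import sqlite3

# Constructed sample data for the example (not from the page).
SAMPLE_ROWS = [
    ("alice", "s3cret", 85000),
    ("bob", "hunter2", 92000),
]


def build_db():
    """Create an in-memory employee table the way a toy HR app might."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (username TEXT, password TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def salary_lookup_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is spliced into the SQL text."""
    sql = (
        "SELECT username, salary FROM employees "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def salary_lookup_parameterized(conn, username, password):
    """Hardened: the driver binds the values, so they can only ever be data."""
    sql = "SELECT username, salary FROM employees WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Classic tautology payload: closes the string literal, ORs in an
# always-true comparison and comments out the password check.
INJECTED_USERNAME = "' OR '1'='1' --"

if __name__ == "__main__":
    conn = build_db()
    print(salary_lookup_vulnerable(conn, INJECTED_USERNAME, "wrong"))    # every row
    print(salary_lookup_parameterized(conn, INJECTED_USERNAME, "wrong"))  # []
```

With the payload, the vulnerable query becomes `WHERE username = '' OR '1'='1' --' AND password = 'wrong'`, which matches every employee; the parameterized version searches for a user literally named `' OR '1'='1' --` and finds nothing. A database-side monitor of the kind the interview describes would see the rewritten statement, but the fix belongs in the application.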
While we all await the newest advantages and threats of Web 2.0, cybercriminals continue to exploit a much older form of connectivity: IRC, or Internet Relay Chat, which remains the preferred method of sharing the tricks and tools of online crime.
I found a recent article by Brian Krebs, Mr. Security Fix, quite fascinating. He used a tool called PieSpy, which is itself a bot (an automated program) that maps out IRC social networks. IRC predates text messaging and is used for real-time online communication; many channels serve as open marketplaces for all types of stolen consumer information, and virus and worm writers use IRC to update and control their infected networks.
Krebs applied PieSpy to map out several of the more heavily-trafficked IRC fraud networks (one known as ccpower, the cc standing for credit card). Once set loose on a channel, PieSpy graphs all the interconnections, drawing a line between each pair of user names that communicate with each other; the darker the line, the more frequently they communicate. After creating the chart, Krebs was able to trace a number of users to another website where they had posted information about themselves, like birth date, email address, etc.
Makes you wonder how cybercriminals would feel falling victim to cybercrime. Altogether, I found PieSpy a very interesting tool, one that could provide a quick picture of the hierarchy of an online criminal gang and perhaps make cybercrime a little easier to fight.
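To make concrete what a tool like PieSpy does, here is an added example, not PieSpy itself and not code from Krebs' article. It applies one of the heuristics such a tool relies on, one nick directly addressing another at the start of a message, to a constructed IRC log, weights each link by how often the pair talk, and ranks the nicks by how connected they are. The nicks, channel chatter and log format are invented for illustration.

```python
import re
from collections import Counter

# Constructed IRC log for the example; nicks and chatter are invented.
SAMPLE_LOG = """\
[20:01] <cc_king> selling fresh dumps, pm me
[20:01] <buyer7> cc_king: how many?
[20:02] <cc_king> buyer7: 500, all track2
[20:03] <buyer7> cc_king: ok sending payment
[20:05] <newbie> anyone have a cashout guide?
[20:06] <mule_boss> newbie: check the topic
[20:07] <cc_king> mule_boss, still need drops?
[20:08] <mule_boss> cc_king: yes, 20 this week
[20:20] * cc_king has quit (Ping timeout)
"""

# "[HH:MM] <nick> message"; joins, parts and quits ("* nick ...") are skipped.
MSG_RE = re.compile(r"^\[(\d\d):(\d\d)\] <([^>]+)> (.*)$")
# A message that opens with "nick:" or "nick," is addressed to that nick.
ADDR_RE = re.compile(r"^([A-Za-z0-9_\-\[\]\\^`{}|]+)[:,]\s")


def parse_log(text):
    """Return (speaker, message) pairs for the chat lines in an IRC log."""
    msgs = []
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:
            msgs.append((m.group(3), m.group(4)))
    return msgs


def build_graph(msgs):
    """Count direct-address events per unordered pair of nicks."""
    nicks = {speaker for speaker, _ in msgs}
    edges = Counter()
    for speaker, body in msgs:
        m = ADDR_RE.match(body)
        if not m:
            continue
        target = m.group(1)
        # Only link nicks that actually spoke; ignore self-addressing.
        if target in nicks and target != speaker:
            edges[frozenset((speaker, target))] += 1
    return edges


def strongest_links(edges):
    """Pairs sorted by weight: the 'darkest lines' in a PieSpy-style picture."""
    return sorted(
        ((tuple(sorted(pair)), w) for pair, w in edges.items()),
        key=lambda item: (-item[1], item[0]),
    )


def hubs(edges):
    """Nicks by weighted degree: who sits at the centre of the network."""
    degree = Counter()
    for pair, w in edges.items():
        for nick in pair:
            degree[nick] += w
    return sorted(degree.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    graph = build_graph(parse_log(SAMPLE_LOG))
    for pair, weight in strongest_links(graph):
        print(f"{pair[0]} <-> {pair[1]}: {weight}")
    print("hubs:", hubs(graph))
```

On the sample log the seller nick ends up with the highest weighted degree, which is the kind of quick hierarchy the post has in mind. Real tools add further heuristics (replies within a short time window, reciprocal mentions) and decay old links, so treat this as the skeleton rather than a finished analyser.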
One approach to improving system security is to improve the firewall itself. To do that, many vendors are looking to integrate IPS (intrusion prevention systems) with firewalls, essentially creating a smarter firewall.
According to this article at eWeek, this is in response to threats that are becoming increasingly complex and keep moving higher up the network stack, forcing firewalls to improve their management and configuration tools. But all this has to be done without taking a step back in the latency and throughput of basic firewall functions.
This is part of a trend of integrating security products into a more complete threat-management solution, with Cisco’s ASA and Juniper’s SSG being good examples. It also comes in response to corporate users installing both business and personal applications that are often designed to circumvent legacy network firewalls.
In essence, enterprises have lost control of their connections. Palo Alto Networks, with its recently released PA-4000 series, aims to give that control back: the PA-4000 can identify application traffic regardless of port or address, open SSL links to identify an application, perform deep packet inspection, apply filters and enforce policies based on the application.
Cisco’s technology also seeks to integrate reputation technology into the firewall. As Tom Gillis, vice president of marketing for Cisco, put it: "In the first release of that, which will be in the first half of 2008, [it] will allow you to provide visibility into these connections so you can see how many clients are in your network that are connecting to servers that are known to be botnet control nodes." He added that users would be able to block, throttle or deny connections considered suspect.
"Future firewalls are going to have the ability to route traffic through the appropriate scanning measure based on the reputation of the connecting server," Gillis said. "The firewall is effectively the traffic cop."
What follows is a transcript of my discussion with Mike Rothman, top analyst and founder of the website Security Incite, where we discuss whether things are ever going to get better with security, the concept of 'endpoint security', five reasons for security from a business standpoint, whether 'Patch Tuesday' is outdated, corporate compliance, and finally Rothman's own 'The Pragmatic CSO Bootcamp.'
The first time you were here, I asked you how things would get worse before they would get better. This time, I’d like to start out by asking how you ever see things getting better with security.
Well, you know, one point of view is that if we don’t ever see it getting better, why do we even bother? So, I’m not necessarily a defeatist by nature, although I assume many security folks are. I just think we have to get back to the basics, you know. We’ve really made security a lot more complicated than it needs to be. There’s a new device for every new type of attack, and it is very complicated, and the problem space and the attack surfaces are very broad, but, you know, as you mentioned, in my book, “The Pragmatic CSO”, what I talked about is the idea of trying to contain risk by doing some fairly simple things ahead of time and really monitoring your environment very aggressively, because, again, I don’t believe you can really get out ahead of the threat.
What you have to be able to do is react a lot faster. And that means you have to know what is happening on your network, you have to know what is happening on your devices and within your applications and when something is a little bit amiss there, then you have to be able to react quickly, figure out if it is an issue. And if it is an issue, then obviously jump into an incident response type of process very quickly to make sure that you are containing damage because I just don’t think this idea of buying another widget is really going to solve the problem.
Now tell me how anti-virus is evolving into what you refer to on the Security Incite website as “endpoint security”?
That’s actually a great question, because for a long time everybody just kind of assumed that anti-virus equaled security. So, hey, I’ve got anti-virus on my desktop and life is good. With the sophistication of the attacks now, as well as the general maturation of the business, where we’re at is really a set of, I’ll call them security applications that happen to run on your desktop that are all basically managed by a common, certainly if you’re in an enterprise or a mid-size business, a common management framework that gives you things like anti-virus, anti-spyware and maybe something called application control that only allows you to run applications that have been authorized and a VPN type of client to make sure that you can connect into your network resources regardless of where you are in the world or on the network.
What’s happening is that you see companies like Symantec and McAfee and Sophos and Trend and all the big anti-virus vendors, Webroot coming at it from an anti-spyware standpoint, really continuing to add value to their general suite, because there’s a new entrant here, and I think a few people out there are familiar with them. They’re called Microsoft, and that’s obviously going to really push the existing incumbents in the security space to continue to add to their value proposition, because you try to fight Microsoft on their turf and I’m pretty sure that game doesn’t end too pretty.
Now, while I believe that most businesses are concerned with security, why do you think they need to think about security in a business context?
That’s actually pretty simple, because the people that pay the bills, regardless of what organization you work in, they think about things from a business context. So, if you come in as a Security Professional and really expect them to worry about cross-site scripting attacks, you probably need to have your head examined. You know, the folks that sit in the C-level positions are interested in basically a couple of things, and I break that down in The Pragmatic CSO into basically five reasons to secure:
1) Maintain business system availability
2) Protect Intellectual Property
3) Limit corporate liability
4) Protect the corporate brand
5) Ensure compliance
In every kind of business problem, every security capability that we can bring to the table can really be couched within a value proposition of one of those five different things that we’re trying to achieve for the business. So, don’t talk about, “hey, we’ve got these new attack vectors and all of our applications are at risk”, you talk about the fact that “hey, if one of our applications is compromised, we could lose critical data”. Or, we could lose, our systems could go down and then we basically, can’t collect money or ship things or support our customers, so on and so forth. So, it’s not really about talking about the technical nuances because, again, people that write checks don’t really care about that. What they’re interested in is “how is this going to affect my business? How is this going to really impact my shareholders and my customers and my employees?” How they do it is really not so much of an issue.
Earlier this week was another “patch Tuesday” from Microsoft. Do you think “patch Tuesday” is an outmoded concept?
I don’t think so. You know, a lot of it has to do with people who kind of say these things have never really spent a lot of time with large organizations that have thousands and thousands of devices that need to be patched. You know, these folks tend to have 2, 3, 4 day, sometimes 2, 3, 4 week change control processes, especially like at the end of the quarter. So, if Microsoft were basically just to willy-nilly go out and say, “hey, you’ve got to patch all your Windows machines now”, you know, you take a Fortune 50 type of company, and that kind of creates a ripple effect in terms of their whole change control process that would be very difficult for them to really manage. Obviously, there are times and situations where it requires an out-of-band patch.
The ability to run one of those things when the danger is imminent but for a lot of these other issues, again, I think monthly is very reasonable and actually may be even too frequent for the way a lot of these organizations actually run their businesses. So, from that standpoint, what Microsoft has done is a model that the rest of the large organizations out there – do you hear that Apple? – should be paying attention to because these guys have learned through the school of hard knocks what works and what doesn’t work at scales that no other company in the world has to deal with in terms of kind of updating software.
Let’s shift to compliance. To me, it seems like compliance is getting more complex every day. How should companies approach compliance?
Well, this is a little bit of a controversial position, Peter, but I actually don’t think that companies should be positioning or thinking about, I mean, you’ve got to think about it, but really being focused on and approaching compliance. See, when I sit down with somebody and I ask them what the two biggest projects they’re working on are and one of them is compliance, you know, I know it’s either going to be a very short conversation or I have a lot of work to do in that organization, because the reality is, you don’t really do compliance. You protect your assets, you do security, and then if you do all that stuff right, and you can document what controls and capabilities you’ve put in place, then you actually get compliance. So, this idea of somebody saying “hey, I’ve got to get PCI compliant”, it’s like, what does that mean? How do you do that? Is that a product I can go down to Best Buy and buy off the shelf? No, I mean, you know, so I counsel my clients and my readers in terms of thinking security first.
If you have a strong security posture, a replicable security program and you’re taking and documenting the controls and metrics about the effectiveness of those controls, then you can pretty much prove compliance with whatever regulation you’re worried about as opposed to sort of reacting to the regulation du jour, you know. Five years ago it was HIPAA and then there was GLB and then Sarbanes-Oxley and now, you know, PCI. It’s just, it becomes one of these hamster wheel things that you can never get out ahead of so, again, I always counsel people to think security first and if you do that well, then compliance will kind of fall into place.
Now I read that you recently finished with The Pragmatic CSO bootcamp. Tell me how did it go and what do you think people learned from it?
It was great. The Pragmatic CSO is a 12-step program and what I did, we got a number of people in the room and I kept it, actually, intentionally small because I wanted to foster a lot of discussion because you can read the book and you can talk to me and you can read my newsletters and get a feel for what the process is, but there’s so much to be said about actually sharing that valuable perspective and insight with your peers. So, what the boot camp is really designed to do is use the 12 steps as a model for kind of how you go about doing security but the reality is that you kind of go all over the place depending on what the attendees need to think about and what their biggest problems are.
I put together a new set of templates that help kick-start the effort so we spent some time going through those. I found it just very valuable, not just for me, but I like to think that the folks that were the attendees actually found it fairly valuable, too, just in terms of sharing information and really kind of understanding and adding to the body of intellectual property that I built with The Pragmatic CSO and really making it their own kind of process and how it’s going to work in their own environment and that was very gratifying to see.
June 19, 2007
Application Security Testing Gold Rush is On
I recently dropped in on the press conference announcing HP’s acquisition of SPI Dynamics, Inc. HP plans to integrate SPI into its Technology Solutions Group, and the deal is expected to close by the third quarter of this year.
Anyone notice a similarity with IBM’s purchase of Watchfire? SPI Dynamics enables customers to assess and identify security vulnerabilities across the entire lifecycle of web applications, which is quite similar to what Watchfire does. SPI Dynamics currently employs 140 people and has 1,000 customers worldwide. HP emphasized that one of the critical aspects of this deal was the SPI talent they'd be getting, and said they fully intend to continue the often leading-edge vulnerability research of SPI Labs.
When questioned about the timing of the deal just a week after IBM's announcement, HP said it was purely coincidental, in that they have had a five year relationship with SPI Dynamics, and have been in talks for months. And while HP said they didn’t see themselves moving as strongly into security applications as some of the more established players, they did say they saw application security testing as crucial to their commitment to the enterprise software space.
This is evidence of a growing trend in the security industry: with compliance requirements for application security growing ever stricter, and with more applications becoming web-based, security will continue to move earlier into the application development lifecycle, and application development and security will become more integrated. It also doesn't hurt that, as was brought up in both the IBM and HP press conferences, this is one of the fastest growing sectors in security.
In my estimation, the application security testing sector will only continue to heat up. And where there's heat, there's gold.
June 15, 2007
Weakest Link in Retail Data Protection
While much of the news about data protection following the TJX debacle has focused on hardening the storage of consumer information against direct attack, according to eWeek an entirely different avenue of data vulnerability continues to operate right out in the open.
This vulnerability exists when retail businesses need to test a credit card processing system. Since they need concrete proof that the payment system actually functions (from my days in retail, there is nothing more frustrating than having a store all primed and ready to sell only to have the cash register malfunction), the tests they run, which cover point-of-sale upgrades, operating system patches, database changes and more, involve real live customer data.
Apparently, these tests credit and debit real customer accounts using real customer credit card info, and while retailers have generally been ignorant of this vulnerability, cyberthieves are well aware of it. During a test there is a real risk of thieves accessing the data or penetrating the network and leaving behind a Trojan horse program to do their dirty work later on.
This has also caught the attention of Richard Simpson, who has 21 years with Bank of America and has recently been appointed to the newly created post of senior IT risk coordinator for the Fed. Simpson has the tough task of "raising awareness of risks that might undermine public confidence in the U.S. financial system." Wonder if he’s going to start a blog.
Said Simpson: "A vulnerability that the Fed has observed during supervisory reviews is the practice of retaining unencrypted test data. Often large amounts of data will be pulled into a separate file for use as test data to verify program patches, run volume tests or simulate production output or reporting. The proper approach for temporary data is to destroy it immediately after use, to encrypt it if future use is planned, or to mask fields containing any customer confidential information."
“But that's not typically happening,” he continued. "Companies often consider test data to be less vulnerable than live transaction data and, therefore, take fewer precautions. Test data may also be accessed by third parties—such as vendors and outsourcers—more frequently than live data. Yet if the test data contains reusable customer information—credit card numbers, social security numbers, name and address—it can easily be used for fraudulent purposes if accessed by internal or external hackers."
And if a breach occurs with test data, companies often have a difficult time retracing their steps and figuring out exactly which file was breached and the full amount of consumer data it contained.
So why hasn’t an artificial set of test data been created? As always in these cases, it comes down to money, and who’s going to pay for it. So unless someone makes them do it, or a massively publicized breach occurs during the testing stage at a large retail organization like TJX, it simply will not become a priority.
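Simpson's three remedies (destroy, encrypt, or mask the test data) translate directly into code, as does the artificial test set the post asks for. The following is an added example, not code from the page or from any of the companies mentioned: a masking pass over a constructed test extract, an audit check that scans a file for unmasked card numbers, and a generator for Luhn-valid synthetic card numbers so a payment test never has to touch a real one. The file layout, column names, card numbers and the `Test User` placeholder are assumptions for illustration.

```python
import csv
import io
import random
import re

# Constructed test extract, standing in for data pulled from production.
# The card numbers are the usual publicly known test numbers, not real accounts.
SAMPLE_TEST_FILE = """\
name,pan,ssn,amount
Jane Doe,4111111111111111,123-45-6789,19.99
John Roe,5500000000000004,987-65-4321,250.00
"""

PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan):
    """Return True if the digit string passes the Luhn check digit test."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_unmasked_pans(text):
    """Audit check: every 13-19 digit run in the text that is also Luhn-valid."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def sanitize_csv(text):
    """Mask the PAN and SSN columns and replace names with placeholders."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for n, row in enumerate(reader, 1):
        row["name"] = f"Test User {n}"
        row["pan"] = mask_pan(row["pan"])
        row["ssn"] = "***-**-" + row["ssn"][-4:]
        writer.writerow(row)
    return out.getvalue()


def synthetic_pan(prefix, length, seed=None):
    """Generate a Luhn-valid card number of the given length under a BIN prefix."""
    rng = random.Random(seed)
    body = prefix + "".join(rng.choice("0123456789") for _ in range(length - len(prefix) - 1))
    for check in "0123456789":          # exactly one check digit satisfies Luhn
        if luhn_valid(body + check):
            return body + check
    raise AssertionError("unreachable: one check digit always satisfies Luhn")


if __name__ == "__main__":
    print("unmasked PANs in extract:", find_unmasked_pans(SAMPLE_TEST_FILE))
    cleaned = sanitize_csv(SAMPLE_TEST_FILE)
    print(cleaned)
    print("unmasked PANs after masking:", find_unmasked_pans(cleaned))
    print("synthetic test card:", synthetic_pan("411111", 16, seed=7))
```

Masking is the right choice for extracts used to check reports or volume behaviour; for an end-to-end payment test that must be format-valid, the synthetic numbers plus the processor's own test environment replace live customer data. The audit scan is deliberately crude (any Luhn-valid digit run) so it errs on the side of flagging, which is what you want when looking for forgotten test files.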
June 12, 2007
Microsoft Issues Six Patches (Four Critical)
Another Microsoft Patch Tuesday is here, and on the menu are six patches, four of them deemed critical. One is categorized important, and the last one moderate.
Two of the critical patches (and the moderate one as well) are for the Vista operating system, and the one marked important fixes Visio, business software used to create technical drawings.
Also, Microsoft said it will distribute an updated version of their Malicious Software Removal Tool along with seven non-security updates for MS Update and Windows Server Update Services.
FYI, this is the first time Microsoft's advance notification has been this detailed, with each bulletin containing the patch's security rating, vulnerability impact, detection information and affected software. And if you're reading this, so are the bad guys, so if you don't have Microsoft's automatic update turned on, go to Microsoft's site and look for the Microsoft Update link.
June 08, 2007
Companies Need A New Security Mindset
A recent article at Dark Reading explores how enterprises really need a new way of thinking about both the constant level of threats and how to defend against them. The central point is that companies need to realize that security is a daily concern (daily? I’d even say hourly).
The article grew out of a recent vulnerability panel discussion moderated by Gartner, which made the point that vulnerability research is critical to staying one step ahead of the threats. This is right on topic with my last blog about IBM purchasing Watchfire.
As Chris Wysopal, CTO of Veracode, said, "If you leave crumbs on the floor, the ants are going to show up." And once ants ruin one or two of your picnics, folks might be reluctant to come to another picnic (just trying to stick with the metaphor while introducing brand damage).
It’s still true that most companies don’t see the point of quality security investments until an attack has already occurred. But the panel all agreed that security is increasingly entering the IT investment picture, and applications are starting to be extensively tested before they're introduced.
But doing your own security testing is by no means cheap. Gartner estimates that for every hundred employees a company has at least one custom application, and security testing each one gets expensive.
The rule of thumb is companies should allocate 5 percent of their development budget to testing. Other estimates go as high as 25 percent (which includes quality assurance). David Maynor, CTO of Errata Security, said "At the end of the day, what are you developing your applications for? If you're in [financial] trading, it could potentially mean millions of dollars if you are down for a couple of minutes," he said. "It's easier to allocate resources on the front end."
Still, that’s not guaranteed to catch all the bugs and vulnerabilities. Said Maynor, "You're never going to make a 100 percent secure app, but there are things you can do to minimize [vulnerabilities]."
June 06, 2007
IBM One Step Closer to Offering End-to-End Security
I just got off the news conference announcing IBM’s purchase of Watchfire. While it may not seem immediately apparent why a huge company like IBM would be interested in a company as small as Watchfire, with only 189 employees and 800 customers, growing corporate security concerns, and the growing concerns of IBM’s own customers, make this deal all but inevitable.
I’m certain everyone is well aware that not only are security and data attacks on the rise, but so is the news coverage of these attacks. So when you have both attacks and the perception of attacks growing rapidly, a company with the size and reach of IBM pretty much has to act.
IBM’s purchase of Watchfire, subject to standard regulatory approval, gets IBM closer to offering a true end-to-end security solution. While IBM Rational already provides clients with comprehensive software quality management solutions, which includes the ability to perform functional and performance tests in software development, Watchfire adds security, compliance and quality testing to ensure business integrity before applications go live.
As Danny Sabbah, IBM Rational Software GM, said, this is just IBM responding to customer needs. He added that he hears about his customers’ security concerns all the time.
And with the 2005 CSI/FBI Survey finding that internal security attacks cost U.S. businesses $400 billion a year, businesses are right to be concerned. It certainly doesn’t hurt that this sector is expected to grow 68% annually. Altogether, except for hackers and cybercriminals, this deal is a win-win.
What follows is a summary of my discussion with Adam Bosnian, Vice President of Products, Strategy and Sales at Cyber-Ark Software, where we cover the many problems of insider attacks: why they have become such a problem, why privileged passwords are often used in insider attacks, what Cyber-Ark can do about it, where most companies fail in password compliance, and finally, what’s in store for the future of password security.
Why have insider attacks become such a serious issue for businesses?
I think there are really two answers to that: no. 1 -- organizations have done a very good job in the last five or six years in terms of securing the perimeter of their network and making sure they're keeping the bad guys out. What they're not as aware of today is what's going on inside the network and what the insiders are doing, what they have access to and what they are doing with their data. We have actually had some conversations with bank examiners from the Office of the Comptroller of the Currency where they communicate exactly the same point, where they feel that banks have done a good job of securing the perimeter but they really don't have a good idea of who's doing what within their organization. That's No. 1.
No. 2 is -- traditionally, people have been "trusting" their internal resources and making sure the bad guys from the outside don't do anything untoward. But the truth is, we have a lot of data out there that says that the data breaches that are occurring and some of the security incidents that have been occurring have been caused from inside the organization rather than outside the organization. We have some data that says 80% of security incidents have been caused by people on the inside, and of those, 50% of them could have been dealt with if they had a better deprovisioning and better security model within their organization.
Why are privileged passwords so often used in insider attacks?
Well, number one, they’re very powerful accounts. When we talk about a privileged account or privileged password, we're talking about that system administrator account on a Wintel box or a root user on a Unix box or a Cisco enable account in a Cisco environment, etc. And these accounts, since they are the administration accounts, have full access to be able to control that target system configuration, who can access it, etc. And they also have full access to all of the data that's on that system. So first, they have full control and a lot of access to that target system. No. 2, though, those privileged accounts are also generic. It's that "invisible man" concept that says, "well, it looks like in the log system that the administrator logged in and they did x, y, z but I don't know who the system administrator is because it isn't attributed to Adam Bosnian or to Peter, it just shows up in the log as system administrator."
So, no. 1, the accounts are very powerful. Full access to the machine. Full access to the data. And no. 2, they're generic, meaning there are no footprints. And so people can get away with whatever they want to without it being attributed to their specific end user.
How does Cyber-Ark protect the company against insider attacks?
Well, first of all, we want to make sure that we secure access to these privileged accounts. So we use what we call our enterprise password vault and the core technology being a digital vault to really wrap a lot of security around these privileged passwords, no. 1. So that we know the bad guys can't get them and only the good guys with the right access rights can have access to them. That's no. 1.
No. 2, we personalize access to those accounts. So that when you need to get a password out of the enterprise password vault, the first thing you need to do is you need to authenticate to the enterprise password vault with whatever authentication mechanisms your organization uses. So that you are identifying yourself. Okay, "I'm Adam Bosnian, I need access to the root user password for that UNIX system." So now I know that having gone through that process, whatever I do on that target UNIX system is going to be attributed to me as Adam Bosnian, not to the generic root user which would give me that invisible man background behind it.
No. 3, we also go change the passwords to those target accounts on a company defined basis for frequency, for length, strength and uniqueness across multiple systems, so that at any one time, no one within your organization will know what the then-current password is for one of those target systems without going through the enterprise password vault first.
So we secure those accounts, we personalize those accounts, we manage those accounts and the passwords in terms of length, strength, frequency and uniqueness, and then we provide a nice detailed audit trail behind it, so if anybody wants to see what activity happened around those accounts, they can look in those audit trails and attribute it down to the actual end user who did what, when they did it, etc.
Let's say a disgruntled employee builds a secret back door into a company's computer system. How would Cyber Ark stop that person before he could do damage later on?
What we found was a lot of times when those back doors are created, they are created again to be invisible. And so they don't create them as the Adam Bosnian identity, saying, "I'm going to create an Adam Bosnian account on that target system and then use that to log in after I'm fired." Because the truth is, once I'm deprovisioned out of Active Directory because I've left the organization, that account will no longer be viable, correct?
So a lot of those back doors are created as the system administrator or privileged accounts in a shared generic manner so that there are no footprints. What will happen in that case is that we have an auto-discovery capability that allows our product to go and traverse the Windows infrastructure within that organization to identify any privileged accounts on those target systems.
So let's say on day 1, when the employee is working there, we know that there are a hundred privileged accounts within that environment. If that employee goes and creates an additional account, if you run that auto-discovery process a second time, we'll find that additional account. We can then have that brought into the enterprise password vault. We go ahead and change the password that is required to access that account, and then once the person is deprovisioned from the vault and leaves the organization, he is no longer going to gain access to the password through the back door that he just created.
Where do most companies fail when it comes to compliance?
You know, I'm sure there is a range of areas where companies are having challenges within the compliance and regulatory arena. We only really see it from that privileged world. And there are really four areas that we see highlighted in a variety of audits, whether it's a PCI audit, Sarbanes-Oxley audit, OCC bank examination, etc. No. 1 is: are you securing these passwords so only the good guys can get them and the bad guys can't? Are you doing something more than yellow sticky-notes, Excel spreadsheets, data center white boards, etc.?
So securing privileged accounts and securing privileged passwords is the no. 1 area where we're seeing organizations being highlighted on and being dinged on. Secondly, though, and I think the most common and maybe the most important area that is being highlighted in audits, is you need to attribute who did what to the actual end user, Adam Bosnian or Peter, etc. And a lot of organizations don't have that attribution in their environment without something like the enterprise password vault, and so the auditor says, "Show me who accessed that box. OK, system administrator accessed that box. Who was the system administrator who accessed that box at 1:05?" Well, the organization can't say because they have 50 system administrators; it could have been any one of those 50.
Third area is passwords and accounts not being managed according to company policy. The company policy makes end users change their password every 30 days, 60 days, 90 days, whatever it might be. When was the last time you changed the system administrator account on that Wintel machine? Very often, they haven't changed it at all or it's once every six months, something along those lines. We have situations where embedded application identities in a lot of cases, have never been changed. We have 42 percent of people responding to a survey saying they've never changed an embedded application identity password in the history of that application being up and running.
And then, fourthly, is: do you have any of those embedded application identities and their passwords available in a script or in a config file in a hard-coded clear-text manner? What I mean by that is I have an application that needs to access a database. There's some kind of script or config file in the middle that allows that application to actually log into the database.
That password for the application doing that work, very often, in most cases, is hard-coded and in most cases, in clear text. So that anybody with a grep tool or being able to search within that environment could very easily find one of those password and identity pairs and then start to access the database, and from the database perspective it just looks like the application logged in. That is something that's being highlighted by the audit community over the last six months as an egregious area that needs to be addressed because at that stage, you really have no footprints of who is doing what within your critical databases.
What do you see for the future of corporate password security?
We're seeing it happen right now. And what I mean by that is organizations are no longer looking at their identity management from just "I need to deal with the end user identities." I think they're starting to look at it more from a holistic perspective in saying, "I have end user identities. I have privileged identities. I have application identities. I need to put together a strategy for my organization to address the range of identities within my organization." And do it from a holistic perspective from how I provision, how I report, how I have the audit trail, etc.
And you're seeing that happening not only within the company or customer perspective but you're also seeing it in the vendor community. We announced some relationships with Oracle and IBM and Courion over the last several months. Traditional identity management players that to this point have been focusing mostly on the end user identity. Now they want to be players looking at that holistic set of identities and are working with Cyber-Ark to bring our functionality on the privilege and application identity side to bear in addition to their end user capabilities.
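Three of the audit checks the interview describes (discovering privileged accounts that were not in the day-1 inventory, finding privileged passwords not rotated within the company's policy window, and locating clear-text application passwords in config files) can be expressed as a small inventory audit. The following is an added example written for this post; it is not Cyber-Ark's code or a description of the Enterprise Password Vault's internals. Every host name, account, date and config line in it is constructed, and the `${VAULT:...}` placeholder is a hypothetical convention for a config value that is fetched from a vault at runtime rather than stored in the file.

```python
"""Privileged-account audit checks (illustrative, constructed data only)."""
import re
from datetime import date

# Constructed auto-discovery snapshots: (host, account) pairs found on day 1
# and on a later pass.  One account appears only in the later snapshot.
BASELINE = {
    ("fileserver01", "Administrator"),
    ("db01", "root"),
    ("app01", "svc_billing"),
}
CURRENT = BASELINE | {("fileserver01", "backupadm")}

# Constructed last-rotation dates; None means the password was never changed
# (the embedded application identity case the interview mentions).
LAST_CHANGED = {
    ("fileserver01", "Administrator"): date(2007, 1, 15),
    ("db01", "root"): date(2008, 5, 1),
    ("app01", "svc_billing"): None,
    ("fileserver01", "backupadm"): date(2008, 5, 20),
}

# Constructed config file: two clear-text secrets, one vault reference.
CONFIG_LINES = [
    "db_host = db01",
    "db_user = svc_billing",
    "db_password = Summer2008!",
    'api_secret: "s3cr3t"',
    "report_password = ${VAULT:app01/svc_report}",
    "timeout: 30",
]

# Key names that usually carry a secret, followed by '=' or ':' and a value.
CRED_PATTERN = re.compile(
    r'^\s*(?P<key>\w*(?:pass(?:word)?|pwd|secret)\w*)\s*[=:]\s*["\']?(?P<value>[^"\'\s]+)',
    re.IGNORECASE,
)


def new_privileged_accounts(baseline, current):
    """Accounts present now that were absent from the baseline inventory."""
    return sorted(current - baseline)


def stale_passwords(last_changed, today, max_age_days):
    """Accounts whose password is older than policy, or never rotated at all."""
    stale = []
    for acct, changed in sorted(last_changed.items()):
        if changed is None or (today - changed).days > max_age_days:
            stale.append(acct)
    return stale


def find_cleartext_credentials(lines):
    """(line number, key) for secrets stored literally; vault references are skipped."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = CRED_PATTERN.match(line)
        if m and not m.group("value").startswith("${"):
            hits.append((lineno, m.group("key")))
    return hits


def run_audit(today=date(2008, 6, 1), max_age_days=90):
    """Run all three checks over the constructed data and return the findings."""
    return {
        "new_accounts": new_privileged_accounts(BASELINE, CURRENT),
        "stale_passwords": stale_passwords(LAST_CHANGED, today, max_age_days),
        "cleartext_credentials": find_cleartext_credentials(CONFIG_LINES),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings}")
```

Each finding maps to an action the interview names: a new account is brought under vault control and its password changed, a stale or never-rotated password is rotated on the policy schedule, and a clear-text credential is replaced by a vault reference so the file no longer contains anything a search tool can harvest.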