Why it is all too easy to become a cybercriminal

By Byron Acohido, The Last Watchdog

The disclosure of Operation Aurora last month and the outing of the Kneber botnet gang’s stolen booty this week have much in common.

Both involved nothing-out-of-the-ordinary cyberattacks that quixotically rose above the din to grab international headlines.

The mainstream attention is welcomed. It helps to underscore how the Internet underground has advanced to the point where a plethora of powerful hacking tools and services is readily available to novice hackers and elite crime gangs alike – with prices to fit every budget.

In Operation Aurora, Chinese hackers sent targeted messages to specific senior managers at 30 corporations luring them to click on a corrupted Web link. Clicking on the link activated a hacking tool designed to tap into a fresh zero-day vulnerability in Internet Explorer browser.  The crooks likely paid $5,000 or maybe more for this cutting-edge malicious code.

Such zero-day attacks have long become commonplace, of course. The template for zero-day attacks dates back to December 2005, and the antics of the Russian iframeCash.biz gang, led by Andrej Sporaw. The enterprising Sporaw and company flushed out a fresh zero-day hole in a Windows operating system component, called Windows metaframe file, and began exploiting the WMF hole to launch pop-up ads for early versions of scareware.

In the Chinese zero-day attack last month, one of the targeted corporations happened to be Google — in a mood to complain. The search giant cried foul, igniting an international brouhaha over how China does business. Corporations are having a difficult time keeping up.

“Most organizations do not have the continuous, real-time monitoring in place to detect this type of activity,” says Phil Neray, vice president of security strategy at IBM’s Guardium subsidiary. “Many of them still focus on defending network perimeters … others focus exclusively on meeting compliance checklists, forgetting that the true mission of security teams is to protect high-value corporate data.”

Why becoming a data thief is all too easy

by Byron Acohido, USA TODAY

The Internet underground has advanced to the point where anyone with $325, average computer skills and a stomach for larceny can begin to amass a trove of corporate data like the one plundered in 30 days from 2,411 large organizations worldwide.

Shell out $25 and you can hire a spamming specialist to send out email lures to 250,000 people enticing them to click on a corrupted Web link that will infect their PCs with your free copy of ZeuS. Spend a bit more, and you can customize your viral spam to spread to via Facebook messages and Twitter microblogs. The only other thing you need to do is shell out $300 to rent an Internet-connected server to collect and store the harvested account logons that your bots will obediently harvest…

It was one of these type of servers that NetWitness tracked down and accessed in late January. NetWitness’ report on what it found—68,000 account logons stolen from 75,000 botted PCs in corporate networks—drew big headlines in the Wall Street Journal and New York Times.

Corporations are having a difficult time keeping up. “Most organizations do not have the continuous, real-time monitoring in place to detect this type of activity,” says Phil Neray, vice president of security strategy at IBM’s Guardium subsidiary. “Many of them still focus on defending network perimeters ... others focus exclusively on meeting compliance checklists, forgetting that the true mission of security teams is to protect high-value corporate data.”

CUs Need to Look to Monitoring to Prevent Large Breaches

By Lindsey Siegriest, Credit Union Times

Recently, thousands of employees at the Iowa racing and gaming commission had records with their names, birth dates and social security numbers compromised when a hacker broke into the commission’s server. According to early reports, the breach was caused by changes in configuration.

Phil Neray, vice president of security strategy at Guardium, said that criminals now have automated tools that allow them to search for vulnerable Web sites. Maloof added that over the last six to 18 months the trend has been to target smaller companies and institutions.

Neray said for smaller institutions, like credit unions, that may not have the manpower to dedicate to detailed monitoring than technology is the answer. “Technology can automate the monitoring processes and analysis so it reduces the need for more people and also address compliance challenges. Having someone manually assembles compliance reports is a huge burden and technology can streamline that.”

Neray cited a recent breach a regional bank in Texas were criminals made transfers to accounts in Europe. “You need to go beyond the traditional firewalls. A larger bank has controls in place that would prevent those types of transactions from happening.”

Why Data Breaches Can Go Unnoticed By Their Victims

By Brian Prince, eWeek

An analysis of data breaches by Trustwave found just 9 percent were uncovered internally by the companies’ that were breached. The report mirrors other studies, and underscores the importance of having visibility into your IT environment as well as being able to correlate disparate events on a network.

You might expect an enterprise to be the first to notice its records had been breached. But as a report from Trustwave illustrates, that is rarely the case.

According to a study of more than 200 data breaches that occurred in 2009, Trustwave found that just nine percent were uncovered by the organization that was attacked. The vast majority – 80 percent – were discovered by credit card companies with access to the breached organization’s data. According to security pros, the reasons for this vary, but come down to the ability of businesses to understand and correlate the massive amounts of data at their fingerprints.

Many organizations spend too much time and effort creating database compliance and auditing reports using homegrown scripts, native logs, triggers and stored procedures, said Phil Neray, vice president of security strategy at IBM’s Guardium. This isn’t an effective way to detect breaches, he explained, because it’s not real-time and the massive amounts of transaction log data produced by database environments make it easy to miss an incident or connect the dots between events.

“This is (also) costing them time and money, especially in heterogeneous environments, where each database platform—Oracle, SQL Server, DB2, etc.—requires its own handcrafted approach,” he said. 

Texas Bank Sues Customer After $800,000 Scam

Banks Asks Court to Declare Security Measures ‘Reasonable’
Linda McGlasson, Managing Editor, Bank Info Security

A Texas bank is suing one of its commercial banking customers following an incident in which the customer lost $800,000 through fraudulent ACH transactions.

PlainsCapital Bank, a $4.4 billion bank headquartered in Dallas, has filed suit against Texas-based Hillary Machinery Inc., following a series of incidents that began last November, when cyber thieves made a series of ACH transactions that totaled $801,495 from Hillary Machinery Inc.’s bank account.

The bank was able to retrieve about $600,000 of the money, but when Hillary subsequently sent a letter requesting that the bank refund the remaining $200,000, PlainsCapital responded by filing the lawsuit in U.S. District Court for the Eastern District of Texas. The lawsuit requests that the court certify that PlainsCapital’s security was in fact reasonable, and that it processed the wire transfers in good faith. Documents filed with the court allege that the fraudulent transactions were initiated using the defendant’s valid online banking credentials.

Phil Neray, vice president of security strategy for Guardium, an IBM Company, sees the fraudsters winning the battle, as they seem to be targeting the regional banks and community bank commercial customers. “It’s a game of catch-up for those institutions that don’t have the layered protections and checks and balances across their network,” Neray says. 

Don't Wait To Lock Down DB2

Existing access control, trusted context features in DB2 are not widely deployed

By Ericka Chickowski
DarkReading

As pundits ponder how IBM will leverage its acquisition of database security vendor Guardium to add more security features and functionalities to its in-house DB2 databases, now is the time for organizations to re-examine their DB2 security strategies. But many haven’t even tapped the security features they already have available in DB2.

Many organizations don’t take advantage of the existing capabilities that DB2 provides for locking down access to information, IBM executives say. Among DB2’s extant security controls, some of the most powerful features that organizations often leave untouched—to their detriment—revolve around access control. These include two biggies: utilities label-based access control (LBAC) and trusted context.

LBAC, which is designed to offer fine-grained access control, lets DB2 administrators extend controls over data that reach far beyond the simple masking of rows or columns. Administrators can use LBAC to control table objects by attaching security labels to them. Users who try to access these objects must have the corresponding security label granted to them in order to view that data.

“I think that’s one of the newer areas where, in my experience with clients, they haven’t leveraged a lot of it yet,” says Jim Lee, director of product management and strategy for IBM’s Information Management division. “I think LBAC is not commonly used today.”

Similarly, many DB2 administrators are also forgoing the platform’s ability to offer trusted context to access roles. “The thing that I see as one big glaring gap in DB2 practices, for example, [is in using] a thing called trusted content,” says Curt Cotner, IBM fellow and vice president and CTO for database servers.

Trusted content “basically gives the DBA a way to grant privileges to a role, and then applications accessing the database from the network would inherit the role based on whether they came from a trusted application server or not,” he says. 

Four Database Security Tips for Dealing with SQL Injections

By Brian Prince, eWeek

SQL injection placed No. 3 on Verizon’s list of the 15 most common attacks in its data breach report. Preventing SQL injections can be the difference between data security and a screaming headline. Here are a few short tips on how to help protect your databases and applications.

On Dec. 6, a researcher posted proof that he had compromised NASA Websites via a SQL injection. Fortunately for NASA, his motive appears to only have been to illustrate weaknesses in its sites.

Other entities, however, have not been so lucky. There were of course the breaches of Heartland Payment Systems and Hannaford Brothers, but also mass compromises affecting thousands of Websites.

For all the security tools on the market, SQL injection placed No. 3 on Verizon’s list of the 15 most common security attacks (PDF) in its latest data breach report, issued Dec. 9.

“The key issue is educating Web developers about how to build secure applications,” said Phil Neray, vice president of security strategy at Guardium, now an IBM company.

IBM Picks Up Database Activity Monitoring Vendor Guardium

By Ericka Chickowski, CRN

The acquisition is a big validation of the database activity monitoring (DAM) market, which has managed to maintain healthy traction within the channel even in the down market.

IBM announced plans to acquire database security vendor Guardium for what some sources have pinned at $225 million.

The acquisition is a big validation of the database activity monitoring (DAM) market, which has managed to maintain healthy traction within the channel even in the down market.

“These products play a critical role in establishing a 360-degree capability to monitor the security of critical applications. The healthy valuation Guardium seems to have drawn reflects the importance of real-time, application-centric security monitoring,” says Alison Andrews, CEO of Vigilant, a New York-based Guardium partner. “As security monitoring has become significantly more multi-layered and complex, resources that can be assigned to the task are finite.  In this environment, its critical to focus monitoring efforts directly on the assets that matter most to the business.”

According to IBM officials, Big Blue was drawn to Guardium for its ability to not only help customers monitor IBM database systems, but also keep tabs across platforms.

“This marks a significant expansion in our ability to help our clients monitor and govern data in multiplatform environments,” says Arvind Krishna, general manager, IBM Information Management. “Structured information is at the center of many business transformations and the integrity of data is critical if an organization is going to use information as a strategic assets. This cross platform support is critical for our and is a key competitive differentiator for IBM.”

Andrew Lawton explains to Janine Milne how database security could prevent another T-Mobile-style data loss disaster

By Janine Milne, CBR

Q: What are the particular issues with database security?
A: The problems T-Mobile had recently [where one or more employees sold private customer details to third parties] show how there’s a lot of pressure to get more control over users. We’re hoping government will put stronger controls in place about data protection. If database administrators are corrupt, then they have complete power over data. The fact that T Mobile was unaware of the problem should be unacceptable.

We’ve seen a number of other cases where data has been sold. For example, there was a case of health information stolen from a private doctor on Harley Street, who had outsourced database management and that company outsourced again to India where a database administrator sold the data. A lot of companies are asking their outsourcers to prove what their staff are doing.

Q: What singles you out from other players in the market?
A: What we provide is like an IPS (intrusion prevention system) for databases – it’s like putting a firewall around a database. There are a set of rules that control access to the database even for privileged users. Everything can be built into the rule set. The software is real-time, so security faults are flagged immediately.

There are a lot of other players in security, but few in database security that do what we do in the way we do it. We control the centre – the database access management and control – and there are few competitors in that space. We are real-time and have 100% connection between users and actions in the database. Often applications people pool IDs and then it’s very difficult to track one individual user. So from a SOX (Sarbanes Oxley) or PCI compliance perspective, if you need to absolutely track users’ activity, you can do it against set of rules. We can group users or go down to an individual level, whereas other companies don’t go down to the individual level.

Police website hit by SQL injection, commentors claim due to budget-restricted web development

Dan Raywood

The hacking of a police website earlier this week is indicative of a lack of secure website development.

Phil Neray, vice president of security strategy for Guardium, claimed that SQL injection is a big problem worldwide, and restricted budgets mean organisations are unable to hire the most sophisticated web developers, which results in security flaws like SQL injection.

The Durham police website was hacked earlier this week with messages posted protesting over terrorist-related deaths in Pakistan. A spokesperson for Durham police told BBC News that an investigation was now under way and the ‘offending matter’ was being removed by computer specialists. A spokesman said: “We are aware of a problem with the force website and the offending matter is being removed. An investigation into how this occurred is under way.”

Neray said: “Since it’s now fairly easy to download automated toolkits for finding these flaws, almost anyone can perform these attacks, including politically-minded cybervandals.

“In the case of the Durham Police attack, it’s more of an embarrassment and a nuisance, but now you see how organised crime uses the same approach to loot websites for hundreds of thousands of credit card numbers, which they can then sell on the open market for anywhere from 7 to 70 Euros per card. That’s the real threat from cyberattacks like SQL injection.”

Federal data breach notification standard must pre-empt state laws

BY JILL R. AITORO

Two Senate measures would regulate how both public and private sector organizations protect personal information and respond to data breaches, but the real impact of any federal standards will depend on whether they pre-empt existing state laws.

The Data Breach Notification Act, introduced in January by Sen. Dianne Feinstein, D-Calif., would authorize the attorney general to bring civil actions against firms that failed to notify people whose personal information had been compromised in a breach and would extend notification requirements to government agencies. The Personal Data Privacy and Security Act, introduced in July by Sen. Patrick Leahy, D-Vt., also would set notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and would require businesses to implement preventive security standards to guard against threats to their databases.

Both bills cleared the Senate Judiciary Committee and have been placed on the calendar for consideration by the full Senate.

State and federal measures stem from numerous high-profile data breaches in recent years, including the exposure of the personal information of 26.5 million veterans in 2006, after a laptop was stolen from a contractor’s home. The fear in such instances is that personal information will be used for identity theft or financial fraud.

“A federal breach notification law would force management to put budget and controls in place” in both government and industry, said Phil Neray, vice president of strategy at database security company Guardium. “Most organizations are driven by what they have to do, not what they should do.”

The Office of Management and Budget requires federal agencies to notify individuals in the event of a breach of their personal information. But a patchwork of state laws dictate how other public and private organizations should handle breaches of sensitive information. Forty-seven states plus the District of Columbia, New York City and Puerto Rico have their own laws, which vary widely.

California was the first state to pass a law requiring companies to disclose when unencrypted personal information in their databases has been accessed by someone who isn’t authorized to view it. It’s also one of only a handful of states that incorporated a broader definition of personal information into legislation that includes not only name, Social Security number, driver’s license number and financial data, but also health information, which hackers can use to file fraudulent insurance claims or acquire prescription medications to sell on the black market.

Massachusetts also included as a supplement to its 2007 data breach notification law (MGL Chapter 93H) a series of data security requirements that government and industry must follow to protect the personal information of state residents. Among the requirements, which go into effect in March 2010, are encryption of laptops and portable devices and security training programs.

This is a good example of why a federal standard is needed, Neray said.

“Most organizations are national and international. To have to hire lawyers to study differences in the laws and define what they have to do in each state doesn’t make sense from a cost or efficiency point of view,” he said. “I’d hope any federal regulation would pre-empt state laws, because it would be the more business friendly approach. You can argue about how much regulation should be imposed on businesses, but this is not a value-based issue, it’s a national issue.

The Guardian and the difficult job of database security

ComputerWeekly.com
By Phil Neray, vice president of security strategy, Guardium

Job hunting is a tough job in itself. Battling with eight percent unemployment, rehearsing for job interviews, adding relevant yet interesting hobbies to your CV...and then you receive an email from The Guardian’s jobsite to say that your personal details may have been stolen in a “deliberate and sophisticated” attack, and that you ought to get yourself registered with the UK’s fraud prevention service, CIFAS.

But this is what happened to thousands of job hunters just last week. The personal data of more than 500,000 users was accessed and stolen from the website http://jobs.guardian.co.uk, one of the most popular jobsites in Britain with more than ten million unique users. Managed by third-party job board software supplier Madgex, the cracked database contained names, email addresses, covering letters and CVs.  Other details, including passwords and financial data, were reportedly not breached.

Modern day criminals want our data: credit, financial, personal. There’s a strong black market in each, and identity thieves are more inventive than ever.  The cost of identity theft to the UK economy is estimated to be £1.2 billion annually. Every year we share more of ourselves online: a trend that’s set to continue as we spend more money on ecommerce sites, share details of our lives across multiple social media platforms, and even job hunt online. Each time we do any of these things, we place our data and our faith in commercial databases: Oracle, Microsoft SQL Server, IBM DB2, Sybase, MySQL and the overarching security measures taken by businesses that own these databases.

While Scotland Yard’s e-Crime unit gets on the case, The Guardian breach has alerted IT and security managers of the need to protect their user data and to consider data security from every angle. Most have already spent time, money and valuable resources securing their network perimeters with firewalls and anti-virus software, and even protecting their laptops with hard disc encryption and DLP solutions. It’s a necessary step, but one which can also be guilty of generating a false sense of security.

So how was The Guardian’s data accessed?  Well, all fingers point to an SQL injection vulnerability, a method currently in favour with hackers and data thieves. SQL injection attacks exploit vulnerabilities at the Web application layer to access sensitive data in back-end databases. These web-based attacks pass undetected through firewalls and other perimeter defences including IDS (intrusion detection) and IPS (intrusion prevention) systems, then hijack the application server to gain access to underlying database records. 

This threat is rising. In 2008, the number of SQL injection attacks leapt by a staggering 134% to several hundred thousand occurring each day. And according to a data breach report published by the Verizon Business RISK team, seventy-five percent of all breached records came from compromised database servers - while other IT assets such as laptops and backup tapes accounted for less than 0.05 percent of compromised data, and a staggering 90 percent involved groups identified as engaged in organised crime.

Yet databases remain vulnerable. Which prompts the question, just how many organisations are still open to this type of attack?  And how many organisations simply do not understand that they are even at risk?

Until recently, identifying unauthorised or suspicious access to databases was impractical and complex.  Logging all activity in the database itself significantly degrades system performance while at the same time generating massive amounts of transaction records, which creates a “needle in the haystack” problem since all of the monitoring data must then be analysed and filtered to identify anomalous activity, typically using home-grown scripts.

Thankfully, a new class of database monitoring appliance has emerged during the last few years that continuously monitors and analyses all database activities in real-time – from outside the database - without impacting database performance.  These systems, which can also be implemented as virtual appliances (software-only), mitigate the risk of external and internal attacks by immediately identifying suspicious behaviour based on automated policies and continuous comparisons to baselines of normal activity.  They also simplify security and compliance by providing a single integrated solution for heterogeneous environments (Oracle, Microsoft SQL Server, IBM DB2, etc.).

But why access The Guardian’s jobsite at all?  The answer is the first rule of hacking: because somebody discovered that they could.  It may be argued that the theft of names, email addresses, CVs and cover letters is relatively unimportant, almost unthreatening. Not so - data thieves are creative.  Consumers who value the security of their personal data enough to rush out and buy shredders may not lose personal data from a rubbish bin, but does that matter if it’s there for the taking online? 

The definition of sensitive data has broadened. Dates of birth, addresses, personal histories, details of daily lives – all this data is useful to a fraudster, and might be the first steps towards more complete identity theft. Businesses have to understand that any and all personal data is valuable, and that it is imperative that they ensure the public has unshakable faith in their data storage. A deliberate attack that resulted in the theft of half a million personal records from a very high profile organisation is not to be sniffed at.  Any enterprise that holds any personal data needs to take every step to safeguard it.  But it’s not an easy job - just ask The Guardian.

Marc Buchwald, Guardium : « nous protégeons les applications à partir des données »

par Emmanuelle Lamandé

Guardium s’inscrit, depuis 2002, dans le domaine de la sécurité des bases de données. Présent pour la première fois aux Assises de la Sécurité, nous avons rencontré Marc Buchwald, Regional Director Southern Europe de Guardium, qui nous explique sa stratégie.

Guardium Safeguards McAfee.com, Automates PCI Compliance Controls

Largest Dedicated Security Technology Company Chooses Guardium to Track and Monitor All Access to Cardholder Data, Without Impacting Performance or Reliability; Solution Deployed in Less Than 48 Hours

Guardium announced that McAfee has successfully deployed Guardium’s real-time database security and monitoring solution to safeguard sensitive cardholder data in its high-volume, business-critical McAfee.com environment.

McAfee.com processes millions of credit card transactions per year for McAfee’s online stores, serving home, home office and small business consumers. The site also serves customers of McAfee’s national ISP partners such as Comcast and Cox Communications, who have strict Service Level Agreements (SLAs). It is hosted in multiple world-class, geo-separated data centers hosting large-scale, clustered database systems.

“McAfee needed a solution with continuous real-time visibility into all sensitive cardholder data “ in order to quickly spot unauthorized activity and comply with the Payment Card Industry Data Security Standard (PCI DSS) “ but given our significant transaction volumes, performance and reliability considerations were crucial,” said Tony Gunn, director of security engineering, McAfee. “We were initially using a database auditing solution that collected information from native DBMS logs and stored it in an audit repository, but granular logging significantly impacted our database servers and the audit repository was simply unable to handle the massive transaction volume generated by our McAfee.com environment.

The Guardium solution provided enterprise-class scalability in a solution and was deployed in less than 48 hours. In addition to safeguarding our customers’ trust, Guardium’s technology also automates our PCI database controls and reduces DBA workload while enforcing separation of duties to protect against both internal and external threats.”

McAfee is now expanding its Guardium implementation to protect its SAP systems for Sarbanes-Oxley (SOX) compliance, as well as to safeguard other sensitive financial databases in the corporation. The company is also integrating Guardium with its correlation engine and enterprise-wide Security Information and Event Management (SIEM) platform to consolidate database security alerts and events into a single console.

Guardium’s scalable platform uses centralized, cross-DBMS policies to immediately identify unauthorized or suspicious activities in real-time, without relying on database-resident logs that add overhead and can easily be disabled or modified by hackers or privileged insiders employing anti-forensic tactics. Guardium is a founding member of the McAfee Security Innovation Alliance, and its Guardium 7 platform has been integrated with McAfee ePolicy Orchestrator’ (ePO) and has been awarded the “McAfee compatible” designation. SIA is a core element of McAfee’s technology partner ecosystem, and was established in 2007 to increase the customer value of McAfee Security Risk Management (SRM) solutions.

“We’re very pleased that McAfee, the world’s largest dedicated security technology provider, has selected Guardium to safeguard their brand and consumers’ trust,” said Ram Metser, Guardium CEO. “Safeguarding enterprise databases is a critical task which requires the right architecture and a robust solution derived from ongoing feedback from the most demanding data center environments worldwide. Guardium is committed to providing practical solutions that safeguard our customers’ businesses while at the same time simplifying database security and compliance for their IT organizations.”

OPINION / DLP or database security first?

By Phil Neray

How many breaches in the past year were caused by someone IM’ing sensitive information or stealing data with a USB stick? I can’t think of any.

So why are so many government organizations still relying solely on traditional data loss prevention (DLP) solutions to protect their critical data from leakage via e-mail attachments, instant messaging and portable USB devices?

DLP alone doesn’t cut it. According to the Verizon 2009 Data Breach Investigations Report, DLP doesn’t address the highest priority risk: breaches that occur at the database layer. The report reveals that, “Although much angst and security funding is given to offline data, mobile devices, and end-user systems, these assets are simply not a major point of compromise.”

It’s easy to see why database servers have become the principal targets for criminals and rogue insiders. Not only do they contain your organization’s most sensitive and valuable information—such as personally identifiable information (PII), financial data and classified information—but penetrating databases has become markedly easier in the last 12 months. 

Convicted hacker given the keys to prison computer system shuts down the mainframe

By Dan Raywood, SC Magazine

A story about a convicted hacker who was given complete access to a prison mainframe and subsequently closed it down is reminiscent of modern business practise.

A report by the Daily Mirror claimed that a jailed hacker shut down a prison’s entire computer system after he was given the job of programming it.

It claimed that Douglas Havard, who was serving six years for stealing up to £6.5 million using forged credit cards over the internet, was approached after governors wanted to create an internal TV station but needed a special computer program written.

He was then left unguarded and hacked into the system’s hard drive at Ranby Prison in Nottinghamshire. He apparently set up a series of passwords so no one else could get into the system. He was put in segregation as punishment after having left the system crippled.

Phil Neray, VP of security strategy for Guardium, claimed that this is reminiscent of how organisations are not implementing the right monitoring controls to ensure that insiders do not abuse their privileges.

Neray said: “This is clearly a serious judgment error, in that they gave a sophisticated cybercriminal access to important computer systems. However most organisations give similar administrative access to their IT employees, developers and even to their outsourced personnel.

“The vast majority of IT insiders are not malicious, but you never know when you might encounter a rogue employee who’s having personal financial issues or is simply disgruntled. In other words, you need to ‘trust but verify’ by continuously monitoring the activities of anyone who has the ‘keys to the kingdom’.”

DuPont sues Chinese scientist for trade-secret theft

By Jaikumar Vijayan, Computerworld

For the second time in less than three years, a research scientist at DuPont has been accused of misappropriating trade secrets from the company and attempting to use them to build competing products in China.

In a lawsuit filed in Delaware Chancery Court, DuPont accused Hong Meng, a former senior research scientist at the company, of stealing data on a new, thin-computer display technology called “organic light emitting diode” or OLED. DuPont claims that Meng planned to use the stolen information to develop and commercialize products using OLED technology with his alma mater, Peking University, in Beijing, which is also developing similar technology.

“As indicated by our civil complaint, a recent internal investigation revealed evidence that Hong Meng was attempting to misappropriate proprietary company information,” Thomas Sager, DuPont’s general counsel, said in the statement. “Hong Meng’s employment with the company was terminated and we promptly filed suit to ensure that he not use or disclose DuPont trade secrets,” Sager said. The company its commitment to protecting the proprietary science and technology it has developed.

Too often, the focus of security efforts is on satisfying compliance requirements such as those involving the protection of credit card and other financial data, said Phil Neray, vice president of security strategy at Guardium, a vendor of database protection products. “What this reminds us is that many companies have a lot of valuable data that is not covered by compliance” and, therefore, not as well protected he said.

While such thefts can be hard to stop, security controls are available at multiple layers that can help, he said. For instance, activity monitoring products can help detect suspicious activity such as a high volume of downloads involving sensitive data, or downloads that occur after hours, he said. Similarly, tools can help companies restrict the copying and downloading of certain kinds of data to USB devices, for instance, or to an e-mail account, Neray said.

DuPont sues employee for trade secrets data breach

By Chuck Miller, SC Magazine

Industrial manufacturing giant DuPont has sued an employee it claims was planning to smuggle trade secrets to China, according to a report this week in The News Journal of Delaware.

The employee, Hong Meng, a senior research chemist, admitted to DuPont security officials that in August he downloaded confidential company files from his company-issued laptop to an external hard drive. The data included research on organic light-emitting diode (OLED) technology, said the report, citing court papers.

A database can be secure, but that doesn’t help if people with legitimate access are abusing their rights, said Phil Neray, vice president of security strategy at Guardium.

“Most insiders have access to information they need to do their job,” Neray told SCMagazineUS.com. “The challenge is to be sure that you have sufficient controls in place to identify when someone is abusing their privileges.”

Most companies have policies, but what are missing are mechanisms for enforcing those policies, Neray said.

“Most of the focus has been on financial data, but what this story shows is that companies have other types of data of a proprietary nature that also must be protected,” he said. “The message is: Don’t forget about proprietary information databases.”

Six Products That Might Have Thwarted The Credit Card Heist

The theft of more than 130 million credit card numbers, for which three people were indicted Monday, was carried out by a combination of packet sniffing and SQL injection. Here are six products, looked at by the Test Center, that compromised networks might have used to ward off the intrusions.

Our data is under attack. That was made readily apparent as details emerge following the indictment of several individuals in what is being called the biggest case of credit card theft ever. How did they do it? It happened because of poor security defenses within the networks of the businesses that got hacked. These companies failed to implement strong defenses against data extraction --- data that contained millions of customer credit and debit card numbers. What’s so appalling is that there are security products out there engineered to thwart the types of security breaches that were used in this crime. Here are six products we have looked at in the Test Center that these compromised networks could have used.

Guardium 7.0 Database And Security Management Appliance

Guardium’s Database Security and Management Appliance protects against inside and external threats. Guardium’s solution prevents database compromise by offering real-time monitoring and alerting, including the monitoring of privileged user accounts such as those of database administrators. SQL injection attacks are stopped by anomaly detection.

In the event of a detected attack or data compromise, such as an SQL injection, Guardium 7.0 Database and Security Management Appliance will provide detailed monitoring of attacks, pinpointing what IP was used, what was targeted, which tables were accessed and which application was involved. Information on the users who may have been compromised is provided as well. There is also the ability to prevent unauthorized access to sensitive data and to mask sensitive information in tables. This solution features templates and high-level, yet easy-to-work-with, best practice reports for PCI, SOX, OMB and data privacy.

Indictments announced for Heartland, Hannaford breaches

By Greg Masters, SC Magazine

Federal indictments were handed down in Washington, D.C. on Monday against three men accused of involvement in what the U.S. Department of Justice (DoJ) is calling the largest credit- and debit-card data breach in the United States. The men allegedly used sophisticated techniques to bypass network firewalls and penetrate the databases of several large companies, including Heartland Payment Systems, a card-payment processor; 7-Eleven, the nationwide convenience store chain; and Hannaford Brothers, a supermarket chain. The personally identifiable information (PII) of more than 130 million credit and debit card holders is believed to have been stolen.

Albert Gonzalez, 28 years old, of Miami, aka “segvec,” “soupnazi” and “j4guar17,” along with two unnamed co-conspirators, Hackers 1 and 2, residing in or near Russia, were charged with conspiracy and conspiracy to engage in wire fraud. The hackers are accused of using SQL injection attacks to get around the victims’ firewall to gain access to computers connected to the internet.

The good news is that people are getting indicted, Upesh Patel, VP, business development at Waltham, Mass.-based Guardium, a vendor of safeguards for application and database infrastructure, told SCMagazineUS.com on Tuesday. “Our security industry is fighting. We now have an avenue to funnel our concerns.”

The fact that this indictment is attracting attention in the mainstream media underscores that corporations are realizing that the database is where the crown jewels are, Patel said. The lesson to be learned here, he said, is that corporations must put a set of controls in place to monitor and secure their data.

It is no longer enough to rely merely on compliance and audits, said Patel. “The breach at Heartland could have been prevented if controls had been put in place to monitor in real time any changes taking place with the configuration files on their network. Nobody would be able to install a trojan,” he said.

Mega-Breaches Employed Familiar, Preventable Attacks

By Kelly Jackson Higgins, DarkReading

Alleged mastermind behind TJX, Heartland, and Hannaford’s breaches used SQL injection, sniffers, custom backdoor malware in many of the attacks

The attacks that led to the mass theft of over 130 million credit and debit card accounts may hold the record for the biggest overall breach ever charged in the U.S., but the attackers used classic and well-known methods that could have been thwarted, according to experts.

In the wake of the big news yesterday that one man is suspected to be behind the biggest breaches ever charged in U.S. history, security experts say the indictment of 28-year-old Albert Gonzalez, aka “segvec,” “soupnazi,” and “j4guar17,” of Miami, Fla., revealed that Gonzalez and his cohorts exploited vulnerabilities that are typically found in many cybercrime cases --SQL injection, packet sniffing, and backdoor malware designed to evade detection.

The indictment (PDF) revealed that Gonzalez, who previously had been charged for his alleged role in the breach of TJX, BJ’s Wholesale Club, Barnes & Noble, and Dave & Buster’s, has now also been indicted for allegedly conspiring to break into computers and stealing credit and debit card data from Heartland Payment Systems; 7-Eleven Inc., Hannaford Brothers Co., and two other major national retailers whose names were withheld in the filing.

While the attacks appear to be phased-in and coordinated, the attackers didn’t employ any hacks that the victim organizations could not have defended against, experts say. SQL injection, for instance, is the most commonly exploited flaw in Web attacks, according to data from the Web Hacking Incident Database.

There’s no indication in the filing that the database itself was breached, but Upesh Patel, vice president of business development at Guardium, says the attackers must have exploited applications with authenticated connections to the database. “The breaches involved vast amounts of data that clearly resides in the database,” Patel says. “Since a SQL Injection attack exploits vulnerabilities in the database, the attack could have occurred from any end-user application that was accessing the database.”

Database Administrators Playing Increasingly Crucial Role In Security

By Ericka Chickowski, DarkReading

Long left out of the security picture, DBAs now find themselves performing key tasks in the enterprise

[Excerpted from The Database Administrator’s Guide To Security, a new report published today in Dark Reading’s Database Security Tech Center.]

In the past, database administrators weren’t expected to do much with security. Their focus was on the speed, performance, and accuracy of the data. Security was a relatively low priority.

Recently, however, that prioritization has begun to shift. The number of structured information stores is mushrooming within the enterprise. The value of the data increases as businesses share it with customers and partners. Regulators and auditors are taking a hard look at who has access to database information. And financially motivated hackers are salivating at the prospect of breaking into these concentrated—and potentially lucrative—repositories of data.

All of these trends are converging to form one universal truth of data protection: DBAs can no longer ignore security. Like their administrative counterparts in Windows and networking environments, DBAs must finally knuckle down and count security as a vital part of their jobs.

While the security team certainly plays a major factor in shoring up the defenses of enterprise databases, all of its work won’t help much if DBAs don’t lay the necessary risk mitigation groundwork first, experts say. In addition to improving patch management and password management practices, DBAs can help by taking the right steps in configuration management.

“Figuring out if you have the right privileges on certain tables is completely outside the scope of a network vulnerability scan,” says Phil Neray, vice president of strategy for Guardium, a database security tool vendor. “The DBAs need to go and make sure the privileges are right—not just for the items in the database, but also for files and executables outside the database.”

PCI Compliance Only the Start of Security

By Brian Prince, eWeek

Reports that companies involved in some of the latest data breaches were PCI-compliant continues to spark discussion of whether PCI is a solid measuring stick for overall security. Industry observers say yes, but businesses need to change their check-list approach.  When the Network Solutions breach was reported last week, the usual buzz about whether or not the company was PCI-compliant began almost immediately.

• “The worst part of passing a PCI audit is that it creates a false sense within upper management that your systems are fully protected,” said Phil Neray, vice president of security strategy at Guardium. “Management needs to understand that security and compliance are continuous, ongoing processes, not one-time ‘check-off’ events, and they need to prioritize the people and budgets to make this happen.”
• PCI compliance, he continued, provides a set of guidelines and a starting point for security and application teams. But it doesn’t replace a detailed analysis of insider and outsider threats in an organization, or rigorous attention to processes for closing security holes, he added.
• PCI compliance is, after all, just a snap shot in time. Organizations compliant at the time of an audit can theoretically be knocked out of compliance before the next one by a single control change.
• “Security is a 24/7, 365-day-a-year thing,” said Bob Russo, general manager of the PCI Security Standards Council.
• “Most organizations seem to have a checkbox attitude toward PCI and want to use PCI as an excuse if anything bad happens. … There seems to be significant misunderstanding between the concepts of compliance, validation and security,” Forrester Research analyst John Kindervag said. “Compliance incentivizes security. PCI exists because companies who took credit cards didn’t have adequate basic security, and now it is being forced upon them.”

DETAILS EMERGE IN U.S. CYBER ATTACKS

Malware that targeted Web sites of The White House, Department of Homeland Security, the FAA, and others appears to be a MyDoom variant.

By J. Nicholas Hoover, InformationWeek

DDOS [Distributed Denial of Service] attacks have targeted the private sector for years and many companies have taken protective measures, but recent cyber attacks on Estonia and Georgia as well as this one could portend an increase in politically motivated attacks.

“It’s no longer hackers defacing Web sites to become famous,” says Phil Neray, VP of strategy at database security company Guardium. “It’s political cyberterrorism, which is a very serious threat.”
The targets included the Web sites of The White House, the Department of Homeland Security, the Department of Defense and the Federal Aviation Administration as well as The New York Stock Exchange, NASDAQ, and The Washington Post.

Cybersecurity has become an increasingly high priority for the federal government, and President Barack Obama recently laid out plans to appoint a new high-level cybersecurity coordinator.  Secretary of Defense Robert Gates recently said that the military had spent more than $100 million over six months responding to cyber attacks.

U.S., South Korean cyberattacks have little impact here

By William Jackson, GCN

The distributed denial-of-service attacks used networks of compromised computers called botnets to send high volumes of traffic to sites with the intention of overloading the Web servers and making the sites unavailable.

“It’s been more of a nuisance,” said Phil Neray, vice president of security strategy at Guardium. “We have countermeasures for denial-of-service attacks.”

Sophisticated attacks that do not draw attention to themselves and might allow information to be quietly gathered or manipulated without the owners’ knowledge are a more serious threat than denial-of-service attacks, Neray said.

Neray called the attacks an example of political cyber terrorism probably being carried out by a nation state, although there is little evidence of the source of the attacks. Reports from South Korea earlier this year indicated that North Korea had established a cyber warfare unit. Neray said the denial-of-service attack could be another example of North Korean provocations, in line with the recent missile tests.

Sen. Tom Carper (D-Del.), chairman of the Homeland Security and Governmental Affairs Committee’s Federal Financial Management, Government Information, Federal Services and International Security Subcommittee, said today that the incidents highlight the need for improved cyber defenses.  Carper called for passage of legislation he introduced in April — the U.S. Information and Communications Enhancement Act of 2009 (S. 921), which would rewrite the Federal Information Security Management Act [FISMA] of 2002. The legislation would enhance the power of the Homeland Security Department’s U.S. Computer Emergency Readiness Team to take action before a cyberattack penetrates government networks.

Beating the Breach

Computerworld UK

Getting to grips with best practices in database security and monitoring.

Things used to be simple. You could have on-site security guards and identity checks at the server room. You could stop outsiders from accessing your data by restricting physical access to the machines that process it.

In today’s web-enabled world, that’s no longer the case. To be useful, a company’s data must be connected to the internet. That exposes it to more automated and targeted attacks than ever before. Hackers are highly motivated, with crime syndicates willing to pay hard cash for personal information hacked from customer databases. Should the database be breached, a company risks financial penalties from governments and credit card companies, as well as lost competitive advantage and customer trust. But defending the business requires companies to rethink how they protect their IT infrastructures.

Breach Analysis: Highest Risk is to Online Data Versus End-User Devices
The 2009 Data Breach Investigations Report from the Verizon Business RISK Team examines 285 million records that were compromised in 2008. While much media attention and security funding have focused on lost laptops and backup tapes, the study reveals some startling statistics: only 0.05 percent (1/20th of one percent!) of breached records came from mobile devices such as USB drives, end-user systems such as laptops, and offline data. In comparison, the #1 source of breached records was database servers - which accounted for a massive 75 percent of all compromised records.

The Threat from Privileged Insiders
One of the primary threats comes from insiders. Privileged users such as database administrators (DBAs), developers and outsourced personnel typically have unfettered access to databases as part of their daily jobs.  It only takes one dissatisfied employee to cause a breach. Privileged users can also disrupt business applications by making unauthorized or even accidental changes to sensitive data - bypassing formal change control processes - and in most organizations, no one would know the difference.

External Attacks: SQL Injection
According to a recent IBM report, SQL injection attacks have now become the number one web application vulnerability, increasing 134 percent in 2008. Most modern businesses use web applications, which are essentially windows into your most critical databases used by customers, partners and employees. By typing malicious code into poorly-coded web forms, hackers can steal sensitive data and even plant malware on unsuspecting users that visit vulnerable sites. This type of attack completely bypasses traditional security measures because it leverages web applications to penetrate your perimeter.

Database Activity Monitoring (DAM)
With these threats ever-present, businesses need to start protecting themselves more proactively. One way is do this is to deploy a database activity monitoring (DAM) solution. These do exactly what their name implies - they track all database activities in real time. Some also create a granular audit trail of all activities, which can’t be modified by privileged users - which is important for auditors. If unauthorized or anomalous access occurs, based on predefined policies, DAM immediately triggers a real-time alert. Some solutions can even shut down the threat before any damage occurs.

DAM solutions offer additional business benefits beyond safeguarding critical data. Many offer automation and centralization of key security controls, across multiple DBMS platforms and applications, replacing manual processes that may already be in place. This automated approach produces a significant ROI by reducing the time and cost required to both catch unauthorized access and generate the detailed compliance reports required for regulations such as PCI-DSS and European data protection laws.

Hackers hit U.S. Army websites

by Chuck Miller, SC Magazine

A group of computer hackers based in Turkey breached the sites of two U.S. Army facilities, leveraging SQL injection attacks, according to reports.

The group, which calls itself “m0sted,” defaced the page and redirected users to pages that included anti-American and anti-Israeli statements, Information Week reported last week.

The defaced pages were set up to provide public access to the McAlester Ammunition Plant in McAlester, Okla., and the U.S. Army Corps of Engineers’ Transatlantic Center in Winchester, Va., home of the Gulf Regional Division, a division of the Army that is responsible for reconstruction projects in Iraq.

“The question of vulnerability to SQL injection attacks has come up frequently,” Phil Neray, vice president of security strategy for Guardium, told SCMagazineUS.com on Monday. “The number is rising dramatically. SQL injection is a serious threat. Not enough organizations are paying attention to it.”

DoD Official Charged With Handing Over Classified Data To China

by Kelly Jackson Higgins, DarkReading

User with classified data access sold Defense Department information, documents

A Department of Defense official with top-secret security clearance allegedly provided an official working for the Chinese government with classified department data and documents.

According to a Department of Justice announcement, officials have charged James Wilbur Fondren Jr., deputy director for the U.S. Pacific Command (PACOM) Washington Liaison Office, with espionage conspiracy for providing classified information to an agent of a foreign government. Fondren sold information to a Taiwanese-American man in the form of “opinion papers” that included classified DoD data via an at-home consulting business he ran on the side, according to the affidavit filed this week.

“This case really highlights the question a lot of people are asking themselves these days: Where is the perimeter? Or maybe there is no perimeter?” says Phil Neray, vice president of security strategy for Guardium. “The traditional perimeter of firewalls doesn’t exist [here] because the perimeter was this person. You might even say the data is the perimeter.”

This situation is the equivalent of a privileged user with inside access to sensitive information. “As part of this job, he had access to these classified documents,” Neray says. “It doesn’t appear that there were any controls in place to look for suspicious usage of those documents.”

British consumers do not trust the government to protect data but are satisfied with banks

Staff, SC Magazine

British consumers are concerned about the security of their personal and financial data.

According to a survey by Guardium, consumers were asked to share their views on the safety of their personal data from both internal and external threats across a range of organisations. Of the three types of organisation, banks emerged as the most trusted, followed by retailers and the government.

Of those surveyed, 43 per cent were worried about their bank’s ability to protect their credit cards from fraud, while 40 per cent had concerns about their bank’s ability to protect their personal data.

Almost one-fifth of the respondents had been victims of fraud, although 87 per cent of those affected had been pleased with their bank’s ability to handle the situation and provide a positive outcome.

Meanwhile consumers were more concerned about external threats – such as criminal attacks – to their banking information than internal threats, although 25 per cent said they were worried about the potential threat from rogue or disgruntled employees in the wake of the global financial crisis.

David Valovcin, vice president for Guardium, said: “Traditional perimeter defences such as firewalls and anti-virus are no longer sufficient to defend against cybercriminals who can easily bypass them with web application attacks such as SQL injection.”

National Academy of Sciences says U.S. needs cyberattack plan

by Angela Moscaritolo, SC Magazine

U.S. cyber capabilities are at least as powerful as its most sophisticated adversary, but the country needs a clear plan should it decide to unleash a digital attack of its own, according to a report from the National Academy of Sciences (NAS).

The report, entitled “Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities,” said a number of challenges lie ahead, including developing rules for the use of cyberweapons, coordinating allied nations and public and private entities, determining the outcome of cyberattacks on enemies and dealing with the possible “significant” operational implications a cyberattack could have on the U.S. private sector.

Phil Neray, vice president of strategy at database security company Guardium, told SCMagazineUS.com that cyberattack policy is needed because of the changing nature of war. Because cyberattacks can be launched at a distance anonymously, it is conceivable that a foreign nation would launch a cyberattack instead of a more traditional attack. And for, private entities, it would be difficult to know how to respond to such an attack or how to enlist the government’s help, he said.

Guardium Adds DB2/400 Support to Database Security Platform

Guardium has added support for DB2/400 (DB2 for i) with its database security software, the company announced this month. Guardium’s software monitors all major database management systems in real time for signs of unauthorized or malicious activity from internal and external threats, such as malevolent DBAs and SQL injection attacks. The software does not affect database performance and provides another layer of protection for critical business systems on top of traditional network security tools, the company says.

“The key issue for database security is that most companies have no visibility into what’s really going on with their database,” says Phil Neray, Guardium’s vice president of marketing. “They don’t really know who’s accessing those databases, and they don’t have any mechanisms for identifying unauthorized or suspicious activity.”

Read more about how Guardium gives customers better visibility into database activities. 

SQL Injection Invasion

Weak Web Applications Increasingly Fall Prey To This Potentially Devastating Attack

As security measures in data centers become progressively more stringent, hackers are turning to more unique methods to access sensitive data. One of these is SQL injection, which replaced cross-site scripting as the predominant Web application vulnerability in 2008, according to an IBM study.

Key Points

• SQL injection threats are now the top Web application vulnerability and pose a serious threat to servers and databases holding sensitive data.
• Coding procedures should keep an eye on the potential for SQL injection by preventing unexpected user input.
• Certain intrusion systems and regular testing can bolster efforts to prevent these attacks.

Guardium’s Neray recommends implementing real-time database activity monitoring technology to track all SQL transactions and continuously checking for unusual or suspicious activity, such as a high volume of failed logins, an unusually high volume of queries in a given period of time, or the execution of SQL commands that are not typically executed by the organization’s Web applications.

GhostNet spy network phishes international victims

by Chuck Miller, SC Magazine

A cyberespionage network, known as GhostNet, possibly operating out of China, is making use of malicious websites and phishing emails to take control of hundreds of sensitive government machines across 103 countries, researchers revealed this weekend.

A pair of Canadian researchers at the Munk Center for International Studies at the University of Toronto said GhostNet struck “high-value targets,” such as foreign embassies and ministries, and even a NATO network. So far, some 1,300 computers have been infected by servers that trace back to China. The researchers, Ron Deibert and Rafal Rohozinski, released their 53-page report Sunday after 10 months of investigation.

“The attacker(s) are able to exploit several infection vectors,” the researchers wrote. “First, they create web pages that contain drive-by exploit code that infects the computers of those who visit the page. Second, the attacker(s) have also shown that they engage in spear phishing in which contextually relevant emails are sent to targets with PDF and DOC attachments.”

In the spear-phishing attacks, when the attachments are downloaded, they create backdoors that “cause the infected computer to connect to a control server and await further instructions,” the researchers wrote. The compromised machines then can be directed to download and install a remote administration trojan..

“Some of the things they did indicate that they were very sophisticated,” Phil Neray, vice president of security strategy for Guardium, told SCMagazineUS.com on Monday. “The machines were told to send the data stolen using a Tor network in an encrypted form. Also, the way the trojans communicated with the command servers made use of a complex control program that enabled them to completely control users’ PCs.”

The GhostNet operation is still operating and continues to hit more than a dozen additional computers per week, according to the University of Toronto researchers.

Website-infecting SQL injection attacks hit 450,000 a day

by Byron Acohido, USA Today

Cybercriminals are spreading invisible infections far and wide across the Internet by hammering hundreds of thousands of websites each day with so-called SQL injection attacks. The trend started last summer and has continued to accelerate. IBM Internet Security Systems says it identified 50% more infected Web pages in the last three months of 2008 than it did in all of 2007.

Giant financial institutions and online merchants have put up strong defenses, says Phil Neray, vice president of security strategy at Guardium, a database security firm. “The same is not necessarily true of regional banks and credit unions, smaller online retailers and state government agencies.”

Five considerations for securing a midmarket company

by Marcia Savage, SearchSecurity
Issue: Mar 2009

Just like their large counterparts, midsize companies with 100 to 1,000 employees face regulatory compliance pressures. They also face the same kinds of threats and can’t afford a reputation-destroying and costly data security breach. But unlike big enterprises, midsize businesses don’t have the luxury of ample resources and large security teams. They rely on ingenuity to figure out ways to secure their data assets on sometimes shoestring budgets and are well-versed in the resourcefulness the recession requires of companies of all sizes.

For Cimarex Energy, Guardium provides automated database security monitoring that goes beyond the ability of a human. The Denver-based independent oil and gas exploration and production company, which counts about 850 employees, has an ERP application that processes about a million database transactions an hour.

“At that rate, there’s no way you could have a human doing any kind of monitoring,” says Ann Auerbach, manager of IT compliance at Cimarex. “Auditors always ask how you know the IT staff isn’t going in at night and changing the data…Without the tool, I don’t know how we would prove to the auditors that unauthorized transactions were not entered into the database.”

The tool also helps IT staff at Cimarex locate problems such as infected PCs by tracking unusual activity such as invalid database logins, she adds.

This article discusses the five essential considerations for securing a midsize business.

Insider Data Theft Exacerbated by Economic Crisis

by Angela Moscaritolo, SC Magazine

The majority of individuals laid off, fired or changing jobs in the last 12 months stole data from their former employer, according to a new survey from the Ponemon Institute and Symantec.

Some 945 individuals in the United States who were fired or left their job willingly were surveyed and 59 percent admitted to taking company information when leaving. And it seems, according to the survey, email lists are most susceptible to theft. Typically, a bad impression of the company increased the odds of theft; few companies are taking the proper steps to prevent this problem, the survey found. Further, a portion of companies did not revoke employee access to computer systems right away, Larry Ponemon, chairman and founder of the Ponemon Institute, told SCMagazineUS.com Monday.

Mike Spinney, senior privacy analyst at the Ponemon Institute, told SCMagazineUS.com Tuesday in an email that the economic crisis plays a role in these findings.

“As news reports and rumors swirl related to a falling economy and job-loss anxiety grows, people feel greater pressure to make rash decisions based on a fear of finding themselves in dire financial circumstances,” Spinney said.

In times of economic hardship, people are tempted to do things they normally wouldn’t do, and that includes stealing confidential data, Phil Neray, vice president of strategy for database security company Guardium, told SCMagazineUS.com.  “Economic situations tend to make people forget their ethics,” Neray said.

But, the economic crisis is not fully to blame though, he added. Economic incentives to take confidential data continue to increase. 

Simplifying IT

by Al Perlman, SearchStorageChannel.com

Managing IT has never been simple, but it seems to be getting more and more complex these days, with 24x7 Internet access, and regulatory compliance, and virtualization, and SOA, and on and on and on. For Guardium, simplifying IT has been part of its core mission since its inception in 2002—focusing specifically on enterprise-level data security with real-time database security and monitoring. The key to Guardium’s success has been a solution that is delivered on a pre-configured appliance that runs a suite of real-time monitoring, security and compliance applications on an embedded Linux kernel running on a Dell PowerEdge server. The result is a highly scalable product that installs quickly and solves some of IT’s most pressing challenges. In fact, Guardium’s product does its job so well, when Dell was looking to simplify its own IT department, it chose Guardium as a solution. This Channel Success Story highlights the ways in which Guardium’s innovative approach can simplify even the most complex IT challenges.

Industry Reaction to Heartland Data Breach

by Linda McGlasson, Bank Info Security

Information security companies reacted quickly to the news of the Heartland Payment Systems (HPY) breach. Here is a roundup of thoughts on the breach, recommendations on how to handle personal sensitive data, and what industry thought-leaders see emerging as a result of this breach:

Phil Neray, VP/Security Strategy. Guardium:
This breach highlights the need to go beyond ‘old school’ security techniques like simply reading your log. Organizations need to implement technologies such as real-time activity monitoring to catch 21st-century criminals.

As the Heartland breach illustrates, you can be PCI compliant and still be breached. Good compliance does not mean good security.

Database security: Protecting the crown jewels

by Deb Radcliff, SC Magazine

Universities, banks, SMBs and large brands alike are waking up to the fact that their databases are no longer safe inside their perimeter firewalls, intrusion prevention systems and other edge protections.  The question is, how and what are they logging and auditing? And how are they handling the remaining security areas — access controls and assessment — particularly in light of what Noel Yuhanna, principal analyst at Forrester, calls a “security gap” in current database technologies.

“Right now, database topologies are not flexible enough to differentiate between a user and an attacker,” Yuhanna says. “If there’s a suspicious activity around user queries — say, they’re querying sensitive data a hundred times — the database doesn’t care, so long as the user has a valid name and password. All database vendors have the same gap.”

Washington Metropolitan Area Transit Authority (WMATA) in Washington, DC, also uses Guardium to monitor, audit and manage vulnerabilities and changes on its critical database systems. With more than 11,000 employees, WMATA conducts more than seven million financial transactions a year, making it responsible for passing Level 1 merchant audit, according to the PCI DSS.

“It used to be that all we could see was what application, such as PeopleSoft, was accessing the database. Now, with Guardium, we can see who’s accessing the database through the application,” says Victor Iwugo, director of IT security at WMATA.

Combined with its database vulnerability features, Guardium has helped his organization carry out separation of duties, wherein administrators can’t have access to the critical data itself, catch and block attempted SQL injections and other pests, repair systems, and fine-tune access control policy.

Guardium also gets close to the database while not in the database. In this case, it resides in the database’s underlying operating system to avoid impact on performance.

Report: Businesses Failing to Protect Site Visitors From Malware Threats

by Erika Morphy, E-Commerce Times Part of the ECT News Network

Companies aren’t taking adequate measures to protect their Web site visitors from becoming victims of malware attacks, according to a new report from IBM. There may be little businesses can do stop the attackers altogether, but they could be doing a whole lot more to safeguard their own Web sites.

Poorly secured corporate Web sites are becoming a top cybersecurity threat as companies are increasingly putting their own clients at risk, according to the latest IBM (NYSE: IBM) X-Force Trend and Risk Report, released on Monday.

This growing online threat to consumers is the result of two trends:
** one, the longstanding problem of commercial software and even custom-built applications that come riddled with bugs and vulnerabilities; and
** two, the increasing number of malware distributors who use legitimate business sites as launch pads for their activities—usually through large-scale, automated SQL injection attacks that typically redirect visitors of legitimate sites to Web browser exploit toolkits. Attackers are refining these techniques for maximum impact: IBM X-Force noted that they are incorporating new types of exploits that link to malware-infected movies and documents.

Too many companies assume their Web sites are safe because they have a firewall deployed, observed Phil Neray, database expert and VP of strategy at Guardium.  “Companies need to move beyond the perimeter network security model of relying on firewalls and move to newer security technology that allows them to monitor in real time who is accessing their Web site,” he told the E-Commerce Times.

Stimulus bill includes protection for digital health care records

by Dan Kaplan, SC Magazine

There is rising interest in patient privacy because of the huge financial incentives related to medical fraud – either billing insurance companies for medical services that were never rendered, or using someone else’s medical identity to get medical services and prescription medications.  The article discusses this threat, as well as the more traditional threat of exposing someone’s confidential health information.

“A portion of the $818 billion stimulus bill that was passed this week by the U.S. House calls for computerizing all health records in five years, but the legislation also contains stringent privacy and security controls to protect this online data.

Experts said these measures would complement the Health Insurance Portability and Accountability Act (HIPAA), approved in 1996, by bringing privacy and security regulations more in line with the digital age. That’s an important move, considering the digitization of health records is likely to spur increased attempts at malicious intrusion … However, the legislation fails to reference medical identity theft, a growing problem that affects an estimated quarter of a million people each year, Dixon said.

Criminals who gain unauthorized access to patient data can, for example, alter the records to falsely show that a victim has a certain disease, she said. They then can bill insurance companies for expensive drugs never prescribed or treatments never given …

Phil Neray, vice president of marketing at data security firm Guardium, said that because patient records will be stored in the cloud, they will attract the ire of hackers. Celebrities and politicians could be targeted, much like Britney Spears’ records were last year by hospital workers.  Controls such as monitoring must be required and enforced, Neray added.

‘In order to make the information widely accessible to doctors, insurance companies and patients, they’re going to have to build web interfaces,” he told SCMagazineUS.com. “Once you’ve done that, you’ve essentially created a tunnel into the database.’”

Network Security Against Today's Threats - Guardium 7 Product Review

by Samara Lynn, CRN ChannelWeb

Guardium’s database security may contain the most powerful compliance regulations tools that the Test Center has ever seen.

SQL server attacks abounded last year, evidenced in the Test Center’s threat reports of 2008. A relentless amount of SQL hacking attempts were logged as well.

Compromised databases accounted for many of the big computer security breach news stories in 2008. This is why a lot of companies are turning to database security solutions like Guardium.

Guardium’s database security and management appliance protects against inside and external threats: 

** Guardium’s solution prevents database compromise by offering real-time monitoring and alerting, including the monitoring of privileged user accounts such as those of database administrators.
** Guardium employs a sophisticated level of vulnerability assessment. This, along with database analytics and forensics, provides detailed information on what or whom is threatening or trying to threaten data.
** There is also the ability to prevent unauthorized access to sensitive data.
** Installation of the S-TAP is easy and quick. Even better, the S-TAP service is self-auditing and self-monitoring; an alert will be sent if an uninstall of the service is attempted.
** Another impressive feature is the lack of overhead with database performance. Logging and monitoring are all done on the appliance. This result uses way less overhead than using native database monitoring.

Click here to download PDF version of Guardium 7 product review. 

Strictest data law in nation

by Greg Masters, SC Magazine

The Massachusetts Office of Consumer Affairs and Business regulation (OCABR) recently extended the deadline for compliance to Mass. 201 CMR 17 from Jan. 1 until May 1. This state law, which requires that data of Mass. residents be protected (notably by encryption) by “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts,” is said to be the strictest data security law in the country.

Unlike the EU, which has broad data privacy legislation for member states (EU Data Directive 95/46/EC), the U.S. does not have a holistic approach to protecting personal information, says Phil Neray, VP of marketing at Guardium. “Instead, it is left to individual states, as well as regulators (HIPAA, GLBA) and ‘self-regulation’ by industry (PCI-DSS).”

He agrees that the new Massachusetts law will likely become a standard for stricter laws in other states because it goes far beyond simple breach notification. “For example, the Massachusetts law has a strong emphasis on insider threats, with requirements for employee training, ongoing monitoring to identify unauthorized access, and ensuring that users aren’t sharing credentials or using vendor-supplied default accounts.”

CheckFree’s Hack Attack Has a Long Tail

by John Adams, Bank Technology News

For a five-hour period in December, customers accessing CheckFree’s electronic bill payment site instead found themselves unknowingly redirected to the worst neighborhood on the Internet—a bogus malware site manned by Ukrainian hackers. That’s the easy part to figure out. According to a notice recently filed by CheckFree parent Fiserv with the New Hampshire attorney general’s office, about 160,000 customers were exposed to the breach. Yet the firm and a number of its banking clients are alerting a whopping five million consumers to possible exposure.

...brutal year for security, with Guardium estimating a 50 percent increase in data breaches across all industries in 2008—affecting nearly 36 million Americans—with another 50 percent increase predicted for 2009. Phil Neray, vp of security strategy for Guardium, says the rising tide of breaches gives management little choice but to increase spending. “Part of the problem is upper management not allocating the proper budget to implement the monitoring and prevention controls required to deal with the increased sophistication of the attacks.

Yahoo limits hold on sensitive data

by Byron Acohido, USA TODAY tech reporter and co-author of Zero Day Threat

Yahoo has taken a bold step by saying it will hold some Personally Identifiable Information (PII), which it gathers from folks using its search service, for no more than 90 days. Google reportedly keeps some PII for 9 months; Microsoft for 18 months.

“This is a good example of a company that’s being proactive in protecting sensitive customer data, rather than being reactive and in crisis mode, post-breach,” says Phil Neray VP at database security company Guardium.

Podcast Discusses Protecting Against Insider Threats in a Down Economy

by Jason Meserve, NetworkWorld

With the economy in the tank and employees anxious about their jobs, corporations have to be extra vigilant against insider threats.

In this brief podcast, Phil Neray, vice-president of marketing at Guardium, shares tips on how to monitor for potential insider threats and how to prevent losses.
(16:44)

Is security recession proof?

by Greg Masters, SC Magazine

It’s official. According to an Oct. 30 release from the Commerce Department, the U.S. economy shrank at an annual rate of 0.3 percent in the third quarter of 2008, the first time this has happened since 1991. Business spending on new equipment and software fell by 5.5 percent, and Forrester recently predicted that software and IT vendors will average 3 to 5 percent growth compared to the 9 to 12 percent they had earlier in 2008.

Phil Neray, vice president of strategy at Guardium, agrees that most companies, especially those in financial services, absolutely must safeguard the integrity of their data. But, he adds, when times are tough, companies look at how they can do more with less. “If you can replace manual processes with automated processes, you have a good shot of being approved by the CFO,” he says.

While security personnel may not be accustomed to making an ROI argument to get budget approval, he says, outlining how an automated, centralized, appliance-based approach can replace licenses, mass storage of log files, third-party personnel digging through those logs, makes for a pursuasive case.

“This is especially true if you can demonstrate how a software system will pay for itself in less than six months.”

Security Distributors Fight Corner

by Doug Woodburn, CRN

Major players have reacted to claims that their place in the security channel is under threat

An article published in CRN, in which resellers said that distributors must do more to justify their role in the channel (ChannelWeb, 13 October), has provoked a bitter reaction from several top names in niche distribution.

Dave Ellis, e-security director at Computerlinks, the UK’s largest IT security distributor, claimed that the ability of distributors to support global deals and incubate new technologies has only made them more relevant.

“Customers increasingly have to deliver projects globally and most resellers just do not have the skills and infrastructure to support the logistical aspects, nor are they able to offer the end user the support that their customers demand,” he explained. Ellis added that the climate had forced security resellers to become more risk averse in terms of technology investment.

“When it comes to adopting new technology, I would suggest that many security resellers are less willing to take as much risk as they may have done in the past,” he said. “By bringing new vendors to the market, as Computerlinks has done with Guardium, many of the costs and risks associated with entering a new market are stripped away from the reseller...”

Nation's First Encryption Law

by Greg Masters, SC Magazine

For the first time in the United States, a law specifies that encryption be used for the transmission of any electronic data. Nevada’s NRS 597.970, which went into effect on Oct. 1, states: “A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”

While 39 states have already passed data protection laws, most requiring disclosure of breaches, Nevada’s statute is thought to be the first law requiring encryption of transmitted data … Phil Neray, vice president of marketing at Guardium, says that any business governed by PCI is already encrypting data in transit in order to be compliant. While he says any law that encourages better security is a good thing, he argues that hackers are looking for bigger targets than email attachments.

“The focus should be on areas that have potential for massive data breaches, like data centers,” he says. “Thieves and organized crime are not looking for retailers sending Social Security numbers in email, they’re looking for databases containing sensitive information.” Therefore, companies and regulators need to implement tighter controls around corporate databases. “From a security and controls point of view, as well as a regulatory point of view, he says.

Hackers got into 18 computer servers at World Bank

by Byron Acohido, USA TODAY

Cyberintruders used the Internet to crack into at least 18 computer servers [including several SAP systems and an RSA SecurID server] at the World Bank Group last July.

The intrusion, revealed Friday in a FoxNews.com story, underscores how relentlessly criminals probe corporate IT systems, especially banks, say tech-security experts.

One bank memo lists the breached servers and makes this assessment: “As of 9/9/08 we have determined that 5 of the compromised servers contain sensitive data, and care must be taken to determine the amount of information that may have been transmitted outside of the World Bank Group.”

Banks, indeed, are not the only targets. Corporate intrusions in general are on the rise, says Phil Neray, vice president at database security firm Guardium. Cybercrooks seek out [credentials] used by privileged insiders so they can access sensitive databases. “Many organizations don’t have any real-time monitoring or alerting mechanisms in place to identify unauthorized activities [by privileged users],” Neray says.

According to the FOX News story, “They were able to acquire passwords — including the password for the systems administrator.  That enabled them to jump into the servers at MIGA, the bank’s giant insurance arm. It was there that they captured the security administrator’s password as he was logging on to his computer.”

Click here for a related article in CNET.

'Super Users' Could Threaten Database Security, Study Says

Survey by Independent Oracle Users Group says most database administrators haven’t implemented proper defenses

In a survey of more than 300 IT and database administrators, the group found that the greatest risks to corporate data comes from internal access, either by unauthorized users or by “super users” with special access privileges.

“The problems are both organizational and technical,” says Ron Bennatan, CTO of Guardium. “DBAs have traditionally focused on performance and availability as their key priorities, while IT security has primarily focused on perimeter and end-point security. Now the two groups need to work together, usually in conjunction with risk and compliance people, to close these gaping holes.

“On a technical level, there are a number of well known limitations with native database logging and auditing utilities, such as their complexity and impact on database performance,” Bennatan says. “That means that most DBAs are very reluctant to turn them on, because it just creates more headaches for them and doesn’t really address the core problems.”

Wall Street Meltdown Expected to Drive Risk Management Investments

by Jaikumar Vijayan, Computerworld

The ongoing chaos on Wall Street could hold an upside for vendors of risk management technologies and practices, as well as sellers of compliance management products.

Analysts expect an increased interest in these products from financial companies for competitive reasons, and to comply with the new regulations that many predict are inevitable following the meltdown.

Phil Neray, vice president of marketing at Guardium, expects increased regulatory oversight that will result in more demand for compliance monitoring and enforcement tools, such as database monitoring tools available from Guardium, as well as identity and access management products and electronic discovery tools.

For VARs, Wall Street Mess Creates Upheaval and Opportunities

by Jennifer Bosavage, CRN ChannelWeb

The financial crisis that struck Wall Street giants Lehman Brothers and Merrill Lynch as well as insurance behemoth AIG has many solution providers shaking their heads in dismay.

“Projects that are focused on reducing costs will get higher priority especially if they can show a clear ROI,” Phil Neray, vice president at database security company Guardium said. “In part, those will have to do with reducing compliance cost. For example, many companies initially instituted simple, manual approaches to SOX, so they are now looking at automating those controls.”

Products that can enable customers to implement new business initiatives will have legs.

“For example, bring a new SOA solution to allow partners to have a more efficient online ordering system. So there’s not only opportunity for that kind of product, but also the security that goes along with it. As more infrastructure is opened up, the right security must be put in place,” said Guardium’s Neray. “Many financial services companies have outsourced day-to-day operations to offshore facilities. The right security and controls are needed around those DBAs.” A layer of security is needed by many companies to protect against intrusion, whether accidentally or intentionally.”

California Data Breach Bill - Sans Retail Reimbursement- Awaits Governor's Decision

by Eric Athas, StorefrontBacktalk

Almost a year ago, California Gov. Arnold Schwarzenegger vetoed a controversial state breach bill that would have forced retailers to reimburse financial institutions for replacing compromised credit and debit cards.

But in Schwarzenegger’s veto message to the State legislature, he specified that it was the reimbursement provision that he objected to, not the bill itself. Although the bill had more than enough votes to sustain an override of the veto, legislative backers opted instead to recraft the bill without that provision.

Phil Neray, VP of Guardium, a database security company, praised the bill, saying it would motivate retailers to apply tighter standards to data security. “I think what we’re seeing in California is frustration with the pace in which retailers are being compliant with PCI,” Neray said.

Slurping the USB port

by Deb Radcliff, SC Magazine

Portable media devices are being used to lift corporate data, but there are tools to defend against this practice.

Two years ago, the 17,000-member South Western Federal Credit Union (SWFCU) began hearing about internal data breaches among peer institutions and began to overhaul its data protection measures. The result is a locked down organization where critical data is blocked from being copied outside the protected boundaries – particularly through USB ports.

“Start at the database by controlling and monitoring access, since the data must first be drawn from the database to the endpoint before it can pass through the USB port, says Phil Neray, vice president of Guardium, a database activity monitoring company. Set simple controls, such as manager sign-off on downloads of over 10 records, he adds. “A lot of our customers have policies in place about what people are allowed to see and download and store on their local machines,” he says. “What’s lacking is a way to automate that to any degree of granularity.”

"It's the data stupid" so you'd better vote to protect it

by Linda Musthaler, Network World

Two enterprise security platforms designed to protect corporate data: Guardium and Vontu

“It’s the data, stupid.” OK, the phrase is not quite catchy enough to become a must-have bumper sticker, but it’s a mantra for every organization with sensitive information. Today’s article looks at two enterprise security platforms designed to protect corporate data. Guardium focuses on securing the data and actions involving databases, and Symantec’s Vontu platform provides data loss prevention on the network, at the endpoint, and in storage devices.

Guardium’s technology platform safeguards databases and enterprise applications. It uses policy-based controls and anomaly detection to prevent unauthorized activities by potential hackers, privileged insiders, and end users of enterprise databases and applications such as Oracle EBS, PeopleSoft and SAP. All user activities are monitored, including those by privileged users, application users, DBAs accessing databases directly, remote developers, and even batch processes.

Guardium has the ability to monitor for anomalous activities at a very granular level, such as a single transaction by a specific user. The software can initiate responses to specific behaviors if desired. For example, when a particular user attempts to access sensitive tables, he can be sent a pop-up alert telling him his action is forbidden.

Princeton Review Data Exposed Due to Configuration Flaw

by Thomas Claburn, InformationWeek

One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students.

The Princeton Review, an educational testing company, inadvertently exposed the personal data and test scores of tens of thousands of Florida students on its Web site, according to a report in The New York Times.

A spokesperson for The Princeton Review said the company has launched an internal investigation and declined to comment further.

According to The New York Times, a Web site configuration flaw made hundreds of files on the Princeton Review’s Web site accessible over the Internet. One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students. The Times said that it informed the Princeton Review of the problem on Monday and that the testing service promptly closed the hole.

Such breaches are not uncommon: There were 446 publicly reported breaches in the U.S. in 2007 and some experts suggest that as few as 5% of breaches get publicly reported.

Phil Neray, VP marketing at Guardium, a database security firm, said the problem lies in management. “Boards of directors and management teams have not made [data protection] a priority in many, many companies,” he said. “The reason why this has to come from the top is that in many cases you’re asking business units to change bad business practices. And you need budgets [to invest in database protection].”

5 Steps for Stopping the Insider Threat

by Melanie Rodier, Wall Street & Technology

Guardium’s Phil Neray offers guidance on preventing insider data theft.

Financial Firms Try to Protect Themselves Against the Insider Job (see sidebar)

The threat of insider fraud appears to be increasing. Insider data theft accounted for nearly 16 percent of all data breaches in 2008, up from 6 percent a year earlier, according to a study by the Identity Theft Resource Center. And perhaps more alarming, customer data stolen by an employee is misused more frequently than data obtained through an external breach, a recent study by ID Analytics reveals.

Phil Neray, VP of database security company Guardium, says there are two main reasons for the rise in the insider threat: Demand for sensitive corporate data has increased, and there is now a thriving black market where fraudsters can buy and sell this type of data.

“Also, most corporations have spent the last 10 years focusing on tighter controls around the perimeter of networks,” Neray adds. “It’s getting harder to break into firms from the outside in traditional hacking attacks, so the bad guys are focusing on how to use insiders to get to the data.”

Guardium CTO Interviewed on Data Security Trends

by Cristina Molina, Business News Americas

Ron Bennatan, Ph.D., CTO and VP/Guardium

Companies are showing increased interest in having several layers of security to protect information.  And as the information is mainly located in databases, the opportunities for companies such as database security solutions provider Guardium are constantly increasing.

High ranking executives from Guardium were recently invited to a security seminar that took place in Santiago, Chile, organized by Chilean IT security solutions provider Neosecure. BNamericas spoke with Guardium’s CTO and VP Ron Ben-Natan.

“There are a lot of places where you can invest in security, and one thing that people try to solve is leakage of data. There are many more issues regarding direct access to the repository, direct access to the database. So we are saying “the data sits inside the database, how do we guarantee there is no unauthorized access?” And even when it leaves the database on a pen drive or in an email it started inside the database, so the question is how did it get onto somebody’s desktop so they could put it on an email? Today the hardest problem is direct access to the database and new regulations are looking at how to control the data inside the database itself … It is all about making it easier, more practical, and making it cost less.”

Prevent Privileged Users from Accessing Sensitive Data

by Megan Bearly, SQL Server Magazine

With SQL injection attacks and data thefts happening more and more frequently, many companies are looking for a solution that not only provides database activity monitoring and alerting functionality, but also preventative control over who can access data. Recently, I spoke with Phil Neray, Guardium’s vice president of strategy, about Guardium 7.0 and S-GATE, which provide granular control over data access.

According to Neray, this product provides a practical way to enforce data access policies. Guardium 7.0 also includes vulnerability assessment functionality that monitors for various vulnerabilities and threats. Guardium 7.0 even monitors encrypted data. In addition, this product ships with more than 100 preconfigured best practice reports for SOX and PCI compliance.

S-GATE lets you block privileged users, such as DBAs, from accessing sensitive data, without having to worry about whether you’re blocking legitimate access as well. This product includes real-time preventive controls, continuous access policy enforcement, and fine-grained auditing.

Ex-Countrywide Employee Charged With Selling Customer Data

by Kelly Jackson Higgins, Senior Editor, Dark Reading

The FBI has busted a former Countrywide Home Loan worker who is suspected of downloading the personal data of some 20,000 customers a week over a period of two years and selling it to third parties.

According to a published report, the data may have been sold to companies that wanted to offer their own loans to the Countrywide victims. Up to 2 million Countrywide customer names were “run and sold,” according to the report.

Phil Neray, vice president at Guardium, says Countrywide’s breach was caused in part by a lack of proper internal controls. “The lack of internal IT controls is perhaps indicative of a corporate culture that was less focused on internal controls than other objectives,” Neray says.

TJX Hacker, ID Theft Ring Indicted

Bank Technology News

By now you’ve heard the news that law enforcement nationwide has indicted 11 members of a global crime ring, charging three Americans and a variety of foreigners with stealing the data of more than 40 million cardholders from TJX and eight other national merchants.

The indictments make up what is being billed as the biggest bust of its kind.

“I think the most interesting piece of news is that the authorities linked so many cases to the same ring.  There was always speculation that the same criminals were perpetrating multiple crimes—now they finally proved it,” says Avivah Litan, Gartner analyst.  “But what was equally interesting is that a few of the well-publicized breaches, such as the breach against Card Systems International and Ralph Lauren Polo, weren’t connected by these indictments. I had expected them to be.”

Some highlights of the news:

— The alleged ringleader, Albert Gonzales of Miami, was on the payroll as a Secret Service confidential informant, but was playing both sides. Not only was Gonzales continuing his own life of crime while working as an informer, reports indicate he was also tipping his criminal confidants off to law enforcement info he became privy to.

— A number of the nine retailers the 11 are accused of infiltrating—including Boston Market and Barnes and Noble— were quoted in various publications saying they had no idea, or confirmation, that they had been breached. This indicates that they didn’t have monitoring controls to identify anomalous transactions like large downloads of credit card numbers or access from unauthorized applications and locations, says Phil Neray, vp at database security vendor Guardium.

P2P File-Sharing Sinks Ships

by Erika Morphy, CRM Buyer magazine

“Data security” may soon rank right up there alongside “military intelligence” as an oxymoron of the high-tech era. If it’s not lost or stolen laptops, it’s hackers breaking into sloppy networks—or perhaps thousands of unwitting music lovers sharing sensitive corporate secrets along with the latest hot tracks.

Monitoring what employees are doing may be the most urgent piece that companies need to address, said Phil Neray, vice president of marketing at Guardium. Many companies have established some type of security policy, at least on paper, he told CRM Buyer."What they haven’t done is implement what Gartner calls ‘content monitoring software’—products that examine network traffic and specific protocols to identify suspicious behavior,” Neray said. “These products have been in the market for at least a few years, but it has only been recently that adoption has begun to take off.”

This particular incident was bad, especially considering how long it took for the information to be taken down, he continued. “It could have been much worse though—too many people still don’t realize the dangers of using P2P networks. Now, can you imagine if this employee had worked for a credit card company or a bank or insurance company? It wouldn’t have been a couple of thousands of names out there—but tens or hundreds of thousands.”

File sharing's threat to agency data is growing, analysts say

by Gautham Nagesh, Government Exec magazine

The security breach that led to the loss of personal information for 800 clients of a Washington-area investment firm, including that of Supreme Court Justice Stephen Breyer, is becoming increasingly common in the federal government, according to a peer-to-peer intelligence company.

The trend to outsource more government work also has led to more security breaches. “More outsourcing means trusting a third party with the data.  Forty to 60 percent of breaches are from a third party. Smaller organizations don’t have the kind of IT oversight that bigger companies have. For most companies, these organizations are the weak links in the chain.”

“You need three things: people, process and technology,” said Phil Neray, vice president of marketing at database security company Guardium. “Educate the people about what’s not acceptable, have a process and policies in place to deal with it, and technology to enforce the policies. If you only implement one of the three, you’re not going to be effective in preventing unauthorized behavior.”

Enforcing Policies to Prevent Data Leakage

by Jaikumar Vijayan, Computerworld

Wagner Resource Corp. recently learned the hard way what Pfizer Inc. and many other companies have similarly discovered in the past: installing peer-to-peer file-sharing software on corporate computers is a bad idea.  The Alexandria, Va.-based investment firm last week had to notify about 2,000 of its clients that their names, Social Security numbers and birth dates had potentially been exposed on the LimeWire P2P network. Among the individuals whose personal data was exposed in the Wagner compromise was Supreme Court Justice Stephen Breyer.

“The key to limiting P2P exposures is to have not just the proper controls in place but also policies for enforcing them, said Phil Neray, a vice president at database security software vendor Guardium Inc. in Waltham, Mass. It’s hard to completely prevent employees from downloading P2P software, because some people will find a way around the controls, Neray said. So, he added, the focus should be more on monitoring and filtering the content that is traveling into and out of corporate networks, in order to stop sensitive data from leaking out.

Supreme Court Justice's records exposed in peer-to-peer breach

by Rebecca Sausner, Bank Technology News

“Some companies have policies, but don’t have controls, and some companies don’t have either,” says Phil Neray, VP of marketing at database security vendor Guardium.”

Podcast Discusses Need to Monitor Database Activity, Not Just Email & P2P

by Dan Kaplan

In this brief podcast, Phil Neray, vice-president of marketing at Guardium, breaks down the Walter Reed Medical Center peer-to-peer data breach and offers up suggestions for organizations needing to protect sensitive data, including monitoring data extracts from databases holding sensitive information (as mandated by OMB 06-16).  The podcast also discusses how preventive controls can enforce data access policies, and the differences between data leak prevention (DLP) and database activity monitoring (DAM).

Walter Reed Breach Highlights Need to Monitor Outsourcers

by Sue Marquette Poremba

A data breach involving Walter Reed Medical Center and other military hospitals has exposed the personal information of nearly 1,000 patients. “One of the biggest problems is monitoring contractors,” said Phil Neray, Guardium vice-president of marketing.  “Outsourcers are given access to a lot of information, and too often, they aren’t being monitored.”

Guardium upgrade blocks rogue DBAs

By Ellen Messmer

Guardium’s S-GATE blocks privileged users based on detailed controls, rather than simply flagging activities with a warning to the security manager.  A number of publicized data breach disclosures linked to insider attacks, including the one made by the Certegy division of Fidelity National Information Services last year, have highlighted the damage that a rogue database administrator can do through abuse of power.  Guardium’s add-on to its S-TAP software, dubbed S-GATE, runs on any database server.

How to Protect A Company's Data

by Andy Greenberg

The old protection strategy of trying to harden the outside of companies’ networks to protect against hacker threats--what security researcher Bill Cheswick once called the “crunchy outside with a soft, chewy center” approach--is giving way to a new strategy: safeguarding the data itself. Instead of trying to fortify the perimeter of the company’s network, some security technologies are aiming to evaluate the sensitivity of individual pieces of information and then apply security directly to movable chunks of information.

[One of the] data-centric segment[s] of the security industry involves monitoring the activity that happens around databases and major applications. For instance, Waltham, Mass.-based Guardium [offers] software that classifies data by modeling their movement and watching for anomalies that might be signs of penetrations or insider misbehavior.

Information-centric security won’t stop all data leaks, says Rich Mogull, an independent security consultant and founder of Securosis. But the overall movement toward protecting information rather than building walls around networks is a major step in reducing risk, he says.  “In a 7-Eleven, there’s never more than a few hundred dollars in the register. The rest is in the safe, and even that’s guarded by cameras,” Mogull says. “Companies are applying risk-reduction controls to our sensitive information based on the information itself. That’s why this is so different.”

Bank Information Security Talks to Guardium About Trends in Data Security

In this brief podcast, Bank Information Security talks to Guardium about key trends in information security for financial services companies, and the types of business problems addressed by Guardium.

10 Steps to Database Security

Most small and mid-sized businesses that build and administer databases focus on performance and availability. Security is usually an afterthought. Until you read the headlines about the well-publicized data breaches.  And yet, database administrators (DBAs) probably only spend 7 percent of their time tending to database security, estimates Noel Yuhanna, principal analyst for database security at Cambridge, Mass.-based Forrester Research. 

Which brings us to another tough statistic—a January 2007 Forrester Research report estimated that 70 percent of all database breaches involve insiders … DBAs should seek out the newest database security releases instead of relying on what’s on their systems now, says Forrester’s Yuhanna. For example, the latest offerings from Oracle, IBM, SQL Server, and Guardium offer far more advanced features. Guardium’s appliance, for example, features continuous tracking of all database activity, including failed logins, and includes an email alert service that can let others know of any suspicious activity.

Coding error exposes personal data

A software security researcher has exploited a flaw in the sex offender registry webpage operated by the Oklahoma Department of Corrections. The vulnerability, caused by a SQL query in the page’s URL, allowed the researcher to download the Social Security numbers of more than 10,000 individuals.  The URL pointing to the DoC site contained a SQL query string, in addition to the site’s address.  The SQL query string gave the visitor direct access to the SQL database containing the sex offenders’ registry, which includes the name, address and other identifying information of sex offenders as mandated by federal law.

Phil Neray, vice president of marketing at security vendor Guardium, agreed with [security researcher Alex] Papadimoulis on the poor coding practices. “The people who wrote the web application made some basic mistakes in how they wrote it, specifically in the case of SQL injection,” he told SCMagazineUS.com. “You need to verify the input from web application before forwarding the query to the database, and obviously they were not doing that.”

Baseline Talks to Guardium About PCI

In this online video interview (1:04 minutes), Baseline Magazine reporter Erica Chicowski speaks to Guardium’s Phil Neray about how DAM protects cardholder data for PCI.

Unified threat management, demystified

Protecting the secrets of a uranium enrichment plant should be enough to keep any CIO very busy. But when Sarbanes Oxley mandated even tougher controls on databases containing key financial information, David Vordick, CIO of USEC, a $1.9 billion public company that operates a gaseous diffusion plant in Paducah, Ky., knew he was going to get even busier.

USEC choose a best-of-breed database security appliance by Guardium, plus point products from other vendors, largely because the defense in depth strategy meant that the convenience of deploying and managing a single device was outweighed by the fear of creating a single point of failure, Vordick says. Moreover, USEC sought a security appliance that would serve as a check on IT employees with privileged database access who might seek to view or change data without proper authorization, an atypical function for a UTM.

Database monitoring meets vulnerability assessment

Guardium is moving into the area of vulnerability management with the latest release of its database security and compliance platform.

In Guardium 7, the company is looking to address the entire database security and compliance lifecycle.  “We added vulnerability management to our solution because we saw huge advantages to providing an integrated solution with a common Web console, back-end database for tracking all database systems and configurations, and workflow automation,” said Phil Neray, vice president of marketing at Guardium.  “It often takes three to six months to patch business-critical systems, due to change management and testing processes in most organizations. By combining [database activity monitoring] with vulnerability assessment, you can protect unpatched systems with signature-based policies that watch for potential attacks until these systems can be patched.”

“This integration is definitely beneficial - after all, it’s all about data security, whether it’s scanning, discovering, assessing the environment, auditing or monitoring,” said Noel Yuhanna, an analyst with Forrester Research. “Enterprises want more integrated data security solutions that can do everything possible, with common interfaces and controls,” he said. “No one wants to install five products from five different vendors.”

Guardium is "On a Roll"

Guardium doubled its customer base in 2007 and is now installed in more than 350 data centers worldwide, including more than 60 Global 500 and Fortune 1000 companies in all major industries.

Organizations that have chosen Guardium include 3 of the top 4 global banks, one of the top cardholder brands worldwide, one of the world’s largest PC suppliers, a global soft drink brand, one of the top 3 global retailers and one of the market leaders in business intelligence software. 

Guardium partners with Network Appliance to simplify PCI compliance

Guardium and Network Appliance recently announced the first joint solution for protecting cardholder data in databases without costly and time-consuming application re-writes. The combined solution allows organizations to quickly and easily comply with the Payment Card Industry Data Security Standard (PCI DSS), providing significant business benefits immediately and in the long term. Other types of sensitive corporate data, such as financial, HR, CRM, and intellectual property information, can also be secured using this combined solution.

Database monitoring as a compensating control for PCI-DSS

Database monitoring as a compensating control for PCI-DSS
Your Data: Love It Or Lose It
by Ericka Chickowski, Baseline

According to VeriSign, a provider of security services and digital certificates, most organizations fail the third PCI requirement: full database encryption. Many older databases need to be restructured to accommodate full encryption, an arduous process that Gartner says could take up to two years to complete. The payment card industry is not unsympathetic to such technical challenges. PCI allows for a compensating control that lets an organization install database monitoring in combination with media-level encryption until it can employ full database encryption.

“The benefit is that it doesn’t require any changes to your databases or applications,” says Phil Neray, vice president of marketing at Guardium, a database security company.

Hacker arrested in Greece accused of stealing, selling weapons

Authorities have arrested a 58-year-old man in Greece they said hacked into computer systems of France’s Dassault Group for more than five years, stole sensitive weapons technology data and sold it to a variety of countries.

Computerlinks signs UK distribution agreement with Guardium

Computerlinks will work with a select number of reseller partners, providing its IT security and professional services expertise to exploit the demand for solutions that prevent data vulnerabilities and address audit findings.

Guardium delivers an enterprise security platform for preventing information leaks from the data centre and enforcing change controls, in order to assure the privacy and integrity of sensitive corporate information. The technology prevents unauthorised activities by potential hackers, privileged insiders, and end-users of enterprise applications such as Oracle and SAP, while simplifying and automating compliance processes.

5-Minute Podcast: Data tape lost with JC Penney customer info

SC Magazine talks with Guardium about the latest retail data breach. Plus, why all organizations need a holistic data security plan that includes both physical and “digital” activity monitoring.

Former Cox employee who shut down 911 sentenced to five months in prison

A former Cox Communications employee has been sentenced to five months in federal prison for remotely shutting down portions of the company’s system – including 911 emergency services – after being asked to resign his position.

Phil Neray, vice president of marketing at data-security vendor Guardium, said administrators need to be able to quickly observe strange behavior from other employees to prevent similar incidents. “I think the moral of the story is that privileged users are given a high amount of power that they need to have as a part of their jobs,” he said. “As a result, when you have a disgruntled employee, you have to be able to quickly determine anomalous behavior.”

Mass SQL injection attack compromises 70,000 websites

An automated SQL injection attack, which at one point compromised more than 70,000 websites, hijacked visitors’ PCs with a variety of exploits last week, according to researchers.

The cyberattackers used a SQL injection attack on Microsoft’s SQL Server database product to compromise the array of sites. “[It was] an application that accessed system tables not commonly accessed [by the application server],” said Phil Neray, vice president of marketing at Guardium. “[The affected tables] told the hacking application where to insert the malicious code in the database,” he said.

Read more

70,000 Web Pages Hacked By Database Attack

Web sites that naively call for user input, then fail to put strict checks on what that input may be, are susceptible to SQL injection attacks. That vulnerability appears to be the cause of up to 70,000 Web pages getting hacked by malicious code between Dec. 28 and Jan. 5. Instead of the attack seeking to launch a virus or worm at individual computers, it invaded Web databases and used them to host its malicious code and distribute it every time site visitors sought information beyond a home page or product page from the database. Guardium’s database activity monitoring technology immediately detects this type of anomalous activity in real-time—and then takes proactive, customizable actions such as issuing SNMP/SMTP alerts and automatically locking the exposed database account. 

Tech Insight: Database Activity Monitoring

If you weren’t concerned about unauthorized database access before, maybe now you should give a DAM. It’s mid-afternoon. Do you know who’s accessing your databases?

Until recently, the answer for many organizations—including the TJX Companies and Ameritrade—the answer has been no. While all databases come with tools for security and access control, many users—mostly employees or other insiders—have found ways to circumvent them, leaving IT people in the dark about who’s been using the data, and when. The problem isn’t just headline-grabbing external hacks, such as the one at TJX, but also insiders who, for one reason or another, find it inconvenient to follow security policy. “It’s not that the users are malicious,” says Phil Neray, vice president of marketing for Guardium, a maker of database security tools. “They’re doing it for the sake of convenience.”

Protecting Critical Data at the Source

Regulatory requirements, malfeasance, and criminal attacks are driving companies to find new ways to secure their corporate data. Companies are now adopting Database Activity Monitoring (DAM) as an essential layer of their data security architectures. This article describes why traditional security technologies are insufficient and describes the key capabilities provided by DAM solutions.
(UK publication)

Silicon Valley Minute Goes to Black Hat 2007

Video interview (0:30) with Guardium VP Phil Neray, courtesy of Liz Safran and Silicon Valley Minute.

Compliance and Security Concerns Drive Data Auditing

A recent Forrester report, “The Forrester Wave: Enterprise Database Auditing and Real-Time Protection, Q4 2007,” estimates the value of the database auditing and real-time protection market—including new licenses, support and services—to be $450 million, and predicts that number will double by 2010. “[Customers are realizing that] other technologies like IDS/IPS [intrusion detection/intrusion prevention], SIEM and DLP systems address part of the broader data security issue, but don’t really cut it in the database monitoring space because they don’t have the specialized understanding required to capture and analyze database activities. For example, systems that analyze HTTP traffic are fairly easy to develop because HTTP consists of only 10 or so primitives, whereas SQL consists of over 350 individual commands as well as a full programming language, with additional variations and subtleties for each DBMS platform.”

Database Security: Guardium SQL Guard 6.0

In an industry flush with products for securing the network perimeter, Guardium’s SQL Guard 6.0 serves as an important addition for monitoring and managing connections to and from a wide variety of enterprise database products. SQL Guard has evolved from an impressive technology to an enterprise-class data security product that should be on every organization’s radar.

Former Cox Communications employee pleads guilty to hacking company network

There are several reasons why a former Cox Communications employee still had the access needed to shut down his former employer’s telecommunications services after he was asked to resign. “The issue in a lot of organizations is that privileged users share accounts, so they can access one account that can’t be turned off,” said Phil Neray, vice president of marketing at data security vendor Guardium.

Guardium Offers Visibility Into DB2 Blind Spot

When it comes to security auditing, the mainframe just hasn’t kept up with the times ... The new Guardium for Mainframes product, a combination appliance and software, provides visibility into all DB2 activity, including who’s reading what on the database. “This would be important for PCI because you need to know who’s accessing sensitive data,” says Phil Neray, vice president of marketing for Guardium. “Until now, there’s not been a practical way to track all database activities without impacting performance.”

Guardium for Mainfames covered in Rich Mogul's blog, Securosis

Guardium extends its database security solution to the mainframe, “a really smart move, especially since they partnered with Neon who sells to the mainframe buying center. They can now offer full database monitoring (including SELECT queries) on the mainframe outside of network sniffing (which misses certain kinds of connections) ... Now you have an independent way to enforce separation of duties on mainframe administrators without interfering with how they work or affecting performance. And you can integrate the policies for alerts, and the logs, with all your other database monitoring.”

As data breaches snowball, IT pros look for answers

Ann Auerbach, IT and compliance manager for Denver-based Cimarex Energy Co., acknowledges that the biggest concern for the oil and gas exploration company is that it is able to adequately respond to auditors examining its security controls. For that, she chose technology from database security vendor Guardium. She said version 6 of Guardium provides her, among other things, with regular reports auditors can study to see who is doing what on the network.

Overall Rating: Five Stars

Guardium provides a sophisticated database security solution that is simple to install and deploy. Businesses have a legal duty to protect their customer information, and this has the tools to ensure they meet regulations.

TJX Lesson: PCI Compliance Might Stop Data Breaches

“The Canadian report was interesting,” says Phil Neray, a vice president at Guardium. “TJX was cited for not having an activity monitoring process. We also recommend a multi-layered security approach.” This he likened to the security layers around a castle, first a moat, then a drawbridge, and a gate. “What might get through one layer, will hopefully get stopped at the next layer,” Neray adds.

Most companies have a good “traditional” perimeter security set up, but have been slow to adopt newer technology, such as database monitoring. “Had TJX had some type of activity monitoring in place, the breach would have been detected sooner, rather than going on for months and months. There will always be holes in the environment where hackers or insiders can exploit data. If you have activity monitoring in place, this allows you in almost every situation to detect when an intruder is cutting through your layered defenses.”

PCI Is Security Simplicity, Not Complexity

All it takes is one successful hack attack to wipe out years of so called “savings” gleaned from not implementing security. Online crime has become more sophisticated and far better organized over the past several years. No business wants to risk its bottom line or consumer confidence on the hopeful idea that a security breach just won’t happen to them.

The time to take security seriously is before an attack happens, not after. That is precisely what PCI aims to do.

TD Ameritrade database breach an inside job?

The TD Ameritrade theft of information on 6.3 million customers might have been caused by an inside attack. “This has all the signs of an inside job,” said Phil Neray, vice president of marketing at Guardium. He added that unauthorized malicious code placed on one of the company’s databases, “could only be put there by someone with administrative access to the database.”

Ten Tech Companies to Watch -- Guardium

“Guardium’s Linux-based security software resides on a hardened appliance plugged into the client’s network, and all it does is analyze database traffic very, very closely. Given that financial databases contain millions of records and are sometimes sprawling, multi-national affairs, it’s a lot of traffic to watch ... Guardium is in the right place at the right time with the right partners.”

Gold Winner in Auditing and Compliance

“This year’s Auditing and Compliance category Gold Winner, Guardium Data Privacy Accelerator, an add-on to the company’s SQL Guard compliance solution, provides auditing with an eye toward protecting sensitive data against theft, including data breaches by privileged users inside an organization. Data Privacy Accelerator gives organizations an edge on not only preventing data breaches, but also on stopping them in real time.”

Sentencing in DuPont insider theft case delayed again

“Phil Neray, vice president of marketing at Guardium, told SCMagazine.com, ‘Policies are important, but you have to have [automated] tools in place to enforce those policies.’ Putting automated monitoring systems on a corporate network gives enterprises two key tools in combating insider threats, added Neray. ‘They allow identifying the unlawful activity with real-time alerts and they create a body of forensics-quality evidence the enterprise can use’ to prosecute insiders who’ve stolen proprietary information.”

Former Boeing employee charged in data theft

“Many large companies simply fail to ‘verify what their [privileged] employees are doing,’ said Phil Neray, vice president of marketing at Guardium, a vendor of database-access monitoring products. ‘This was an employee with unfettered access to sensitive information as part of his job.’ Had Boeing deployed automated activity-monitoring technology, Neray pointed out, ‘it would have immediately noticed that something that didn’t fit inside of [Edwards’] normal patterns of activity was happening.”

Getting Inside the Insider Threat

“Still, Ron Ben-Natan, CTO of Guardium, based in Waltham, Mass., said businesses should operate under the Cold War adage of ‘trust but verify.’ ‘We all want to hire trustworth personnel but we must act to identify IT policy violations for both security and regulatory requirements. Trust is not a strategy and hope is not a policy. By integrating checks and balances into our daily network and database operations, we get early warning signs to find malicious acts like data breaches and preent them from happening.’ “

Guardium Adds Tracking Solution

“Guardium’s new Universal Local-Access Monitoring solves a very real problem for IT security personnel who are responsible for monitoring privileged users and ensuring the privacy and integrity of corporate data,” said Jon Oltsik, senior analyst, Enterprise Strategy Group (ESG). “The combination of all-inclusive network and local-access monitoring provides an advanced level of oversight and control that helps enterprises both enforce policies and demonstrate compliance.”

New Report Chronicles the Cost of Data Leaks

This article on McAfee’s Datamonitor report chronicles the cost of data leaks. It quotes Phil Neray, Guardium’s VP of Marketing, “Most sensitive data is stored in enterprise databases that are at the core of your Oracle Financials, SAP or PeopleSoft systems. Privileged insiders such as administrators, developers and outsourced personnel have virtually unfettered access to these data sources.”

Database monitoring appliance curbs leaks

Guardium unveils data-leak prevention appliance for database monitoring
Guardium next month intends to deliver a database-monitoring appliance designed to identify suspicious activity and prevent leaks of sensitive data.

Technology May Ease Compliance Burden

Auditors may ask IT shops for database reports to prove that organizations can track changes made to critical databases containing customer information. “The company panics and tells IT to turn on the native database auditing utilities, which reduces system performance, impacts the stability and produces so many reports that it is impossible for the IT staff to go through them all,” says Guardium’s Vice President of Marketing, Phil Neray.

(Problem Solved) - Answers For Auditors

CIO David Vordick selected Guardium for a real-time database monitoring solution to help USEC Inc. pass its audits. After two audits with the solution in place, their investment has paid off. Guardium simplifies data governance by centralizing Sarbanes-Oxley controls across database platforms and providing preconfigured reports. “When it comes to Sarbanes-Oxley,” says Vordick, “it’s good to have one less thing to worry about.”

Secure your enterprise data

Regulations and a fear of banner headlines put the focus on data, not network, security
Security experts are painfully aware that clamping down on insider threats and data leaks is far more difficult than stopping malware. While recognition of the data-security problem is spreading fast, very few enterprises have acted to lock down their sensitive data and intellectual property. This articles talks about both the need to protect privileged data and ways to combat the issues, such as creating and enforcing policies. “You’ve got to focus on insiders and trust – trust and verify,” says Phil Neray, Guardium’s Vice President of Marketing.

Database activity monitoring helps USEC with SOX compliance

Global energy company USEC, Inc. implemented Guardium’s appliance-based solution to support SOX compliance. The company needed to find a way to monitor and track DBA activity but not hinder them in doing their job. USEC found that Guardium’s solution was the most effective product on the market, monitoring and logging everything that the DBAs do at the SQL statement level, so the security manager can see exactly what they’re doing with the database. The DBAs follow a change control process to give the security manager advance notice of any planned, and authorized, database work. Any time a DBA or other privileged user connects to the database, the security manager gets an alert and can compare that activity against approved changes.

Field Report: Nuclear Fuel Supplier Tightens Database Security

Keeping tabs on enriched uranium? Challenging. Keeping track of database integrity for SOX? Piece of cake.
Global energy company USEC, Inc. implemented Guardium’s appliance-based solution to support SOX compliance. USEC needed to upgrade internal security on its financial databases by adding tools that monitor the actions of “privileged users,” namely, the DBAs. USEC now uses Guardium’s database activity monitoring and auditing solution to watch activity on inventory, HR, and financial databases. Robert Gorrie, information security manager says, “You have to trust your DBA, but ‘trust’ is not something that will keep your auditors at bay.”

Data Theft Shows Insider Risks

Gary Min, who worked as a scientist at DuPont for 10 years, highlights the damage insiders can do to companies that do not monitor behavior. He covertly used DuPont’s computer systems to steal trade secrets valued at more than $400 million after joining a rival company but before resigning from DuPont. “What happened at DuPont is not surprising at all,” said Phil Neray, vice president of marketing at Guardium. Neray said the apparently unfettered access that Min had to the data on DuPont’s EDL server is evidence of the lack of monitoring that is typical inside corporate networks. “The objective should be to give insiders as much access as they need but no more.”

DuPont case highlights insider threat

Corporate executives who doubt that malicious employees are among their greatest potential security threats should look at the case of a former DuPont Co. senior scientist as the ultimate cautionary tale, one security expert said Thursday. “By default you trust insiders,” said Ron Ben-Natan, Guardium CTO. “The challenge is always in how you balance the trust you give them with the right amount of security so a few bad apples can’t get away with this sort of thing.” Ben-Natan goes on to list several lessons that can be learned from this case and applied to any enterprise IT shop.

Preventing data breaches is hard; detecting them later can be harder

Jaikumar Vijayan notes the lag between when a database intrusion occurs and when it may be detected, noting that this gap may be due to the myriad ways attackers can gain access to systems and conceal their tracks. USEC Inc., a $1.6 billion energy company, uses a Guardium solution to “detect unauthorized changes and other policy violations that could affect the integrity to USEC’s financial data in real time,” said CIO David Vordick. The product also enables USEC to “monitor compliance with its Sarbanes-Oxley financial reporting obligations and provides the company with a real-time, security-alerting capability.”

Guardium Database Compliance Tool Tracks All Changes

Guardium released its latest set of compliance automation tools, aiming to help businesses record and monitor every alteration workers make to their enterprise information vaults. While most companies have developed database change control guidelines since the arrival of mandates such as Sarbanes-Oxley, few have been able to build systems that track every change made to their systems and alert administrators when policies are violated. Guardium’s Change Control Solution for Database aims to do just that, offering the ability to monitor every adjustment made to database objects – including database structures, permissions, stored information, and configuration files.

Guardium to Protect Database

Guardium announced the first database security and monitoring solution that provides granular visibility into all changes todatabase objects – including database structures, permissions, data, and configuration files – without relying on database-resident functions such as trace and transaction logs or native auditing. Most organizations have formal change control policies and processes that govern how and when changes are made to production databases. Until now, however, there were no effective and tamper-proof solutions for detecting when critical changes were made outside of these policies and processes.

Passing the SOX Audit: More than 60% Say They Aren’t Ready

A survey from the Oracle Applications Users Group (OAUG) reveals that manual controls increase operational costs significantly. Despite years of effort and millions of dollars of investment, nearly 61 percent of companies say they have not yet finished implementing their SOX compliance processes. “Security and compliance go hand in hand,” says Phil Neray, Vice President of Marketing for Guardium. “Securing the data in real-time and automating database activity monitoring are key ways organizations can protect their critical information while increasing operational effectiveness.”

Taking A Holistic View Of Risk And Privacy

Christine Dunn reports that companies using technology to help with compliance are turning to systems that allow them to implement controls for governance as well as privacy regulations. “Customers know not to treat each regulation with standalone initiatives,” says Ron Ben-Natan, Guardium’s Chief Technology Officer. “Instead they bundle them into two groups, governance (think Sarbanes-Oxley) and privacy (HIPAA or SB-1386), and then put systems into place to manage all changes and access to the data.”

An Ominous Milestone: 100 Million Data Leaks

Kevin Poulsen, senior editor for Wired News, noted in his blog that 100,152,801 records have been compromised in data breaches since the ChoicePoint breach nearly two years ago. Educational institutions were twice as likely to report suffering a breach as any other type of entity, followed by government, general businesses, financial service and healthcare companies. “College and university databases are the ideal target for cyber criminals and unscrupulous insiders,” said Ron Ben-Natan, the chief technology officer of Guardium. “They store large volumes of high-value data on students and parents, including financial aid, alumni, and credit card records. At the same time, these organizations need open networks to effectively support their faculty, students, and corporate partners.”

A Dubious Milestone – Privacy Rights Clearinghouse Reports Exposed Record No. 100 Million

Two months after the U.S. population reached 300 million people, the nation realized a more troubling statistical milestone when the Privacy Rights Clearinghouse today reported that more than 100 million records have been exposed since the ChoicePoint data breach. Colleges and universities were popular hacking victims. Phil Neray, vice president of marketing at data security firm Guardium, says colleges store large amounts of sensitive information, including financial data, while having fewer resources to protect that property. “That combination makes them particularly vulnerable,” he said. “Databases are incredibly complex pieces of software. They’re complex and easier to penetrate.”

IBM Tackles Data Control

In the world’s premier knowledge economy, 50 companies ally with Big Blue on data management.
On the day after the University of California, Los Angeles, said hackers gained access to a critical university database, compromising data on 800,000 staff and students, IBM announced a new service that tackles the uniquely Information Age problem of data governance. The Armonk, New York giant engaged almost 50 organizations to come up with an overall approach to data governance or control. Phil Neray, vice president of marketing at Guardium, said, “Wal-Mart buys and sells millions of items, but it’s Wal-Mart’s data that describes and defines what Wal-Mart is. But most companies don’t really have their data firmly under control.” Guardium is a member of IBM’s Data Governance Council.

Breach at UCLA Exposes Data on 800,000

The University of California, Los Angeles is notifying more than 800,000 individuals whose personal information may have been compromised in a database breach that remained undetected for more than a year. The breached database includes the names, Social Security numbers, dates of birth, and addresses of current and former faculty, staff, and students and, in some cases, the parents of students at the university. Andrew Jaquith, an analyst at Yankee Group Research Inc. in Boston, and Ron Ben-Natan, Guardium’s chief technology officer, comment on how misperceptions about monitoring and auditing databases for security breaches cause organizations to limit their scope or not do it all, which contributes to the problem.

Data Governance Rises to Top of Compliance Efforts

NEW YORK—A panel of analysts, consultants and software vendors gathered here Nov. 9 for a discussion of IT security and regulatory compliance issues stumped hard for companies to increase their focus on better managing their databases. Speaking at a compliance strategy event hosted by IBM and software maker Guardium, the experts said that the database—one of the most complex pieces of enterprise infrastructure—must be tackled correctly to help ensure compliance with regulatory guidelines such as the Sarbanes-Oxley Act. 

Oracle to Better Explain Future Patches

“Many enterprises still haven’t been able to get their arms around the new requirements that compliance demands. A new survey conducted by the Oracle Applications Users Group (OAUG) in conjunction with Unisphere Research found that… while Sarbanes-Oxley touched the largest number respondents of the survey, only 26 percent of the respondents considered themselves SOX-ready… Close to one out of three respondents said that they require at least five full-time employees to handle database monitoring and compliance reporting – which translates into a fully-loaded cost of several hundred thousand dollars per year… by automating IT processes, data managers can more efficiently validate that controls are effective and ensure that changes have been made to the environment properly.”

PCI Council Needs Better Coordination

The creation of the Payment Card Industry (PCI) council this month doesn’t go far enough in coordinating security standards among the major card brands, according to an analysis from Gartner Inc.’s Avivah Litan. Each of the payment brands “will still be responsible for enforcing the PCI standard… and may have different definitions of compliance levels,” says Litan. She recommends to enterprises that accept credit cards that if sensitive cardholder data can’t be encrypted, database activity should be monitored and applications should be scanned for vulnerabilities. Preparing and installing encryption systems can be costly and take several years, says Phil Neray, a vice president at Guardium Inc. The firm sells a data-monitoring product which guards against both external hackers and insiders, he says.

SOX II: Time to Cut Costs

By the time most companies have gone through their second SOX audit – or its frequent companion, the SAS 70 – it’s painfully clear that something has to be done to tame the manpower-sucking, cut-and-paste approach to proving the validity of internal controls and compliance … “Our clients are calling it phase II of SOX compliance, saying ‘We don’t want to just be compliant; we want to be efficient,’” says Phil Neray, VP of marketing at Guardium, a database security vendor.

List of Data Breach Notices Lengthening

AT&T, Sovereign and Verizon Wireless among latest to report security snafus
If there’s a continuing lesson to be learned from such incidents, it’s that companies need to pay more attention to data security, not just network security, said Ron Ben-Natan, chief technology officer at Guardium Inc., a security tools vendor in Waltham, Mass.

“The bottom line is that the data is leaking and is not being contained in the way it should be,” he said. Companies must pay more attention to measures such as activity monitoring and auditing, encryption, data classification and policy enforcement, he added. 

Vendor Briefs, September 2006

According to Phil Neray, vice president of marketing for Guardium, a major compliance issue for most companies is that “DBAs are being asked to create reports that they’ve never created before.” The ability to automate tracking, auditing, and reporting for compliance is especially crucial for mid-sized companies, which often require existing IT staff to bear the compliance burden. Guardium’s Data Privacy Accelerator, an add-on to the company’s SQL Guard compliance solution, protects sensitive data against theft, including situations in which insiders obtain data through unauthorized access. The Data Privacy Accelerator is one of several Guardium database compliance accelerators.

Agencies Struggle To Follow OMB's Instructions on Data Security

In the wake of well-publicized breaches at the Veterans Affairs Department and other agencies, the Office of Management and Budget instructed all agencies in a June 23 memo to take four steps, [including] … Record all removal of information from sensitive databases and verify that the information is erased after 90 days unless it is still needed …[Alan Paller, director of research at the SANS Institute] estimated that while many agencies encrypt data and practice two-factor authentication, almost none can track what information is removed from databases … “I would guess that very few [agencies] have [taken the steps] because it’s a fairly short deadline,” said Phil Neray, vice president of marketing at Guardium, Inc., which makes appliances that can track information extracted from databases …"There is no doubt that [the government push to secure data] has raised awareness about the need for security,” Neray said.

A Holistic Approach to Database Compliance

“We see forward-thinking organizations taking a more holistic approach to SOX compliance to pass not only this year’s audits, but to streamline reporting and compliance ownership responsibilities as well as create an auditing infrastructure that supports evolving requirements – without the need to hire additional personnel.” – Phil Neray, vice-president of marketing, Guardium.

Cover Story: Coming Up Roses

Organizations can deploy tools and enact polices to monitor third-party vendors to ensure they are playing fair. “There are cost-effective, non-disruptive technologies that you can implement to easily take care of these issues,” says Phil Neray, vice president at Guardium. “They don’t require consultants. They just plug into your network and monitor activity.” For example, the appliances observe what data is being accessed and what changes are being made, and they flag any unauthorized use. Not only do they help preserve the integrity of a company’s critical data, but they also provide a “verifiable audit trail” for compliance. Neray also suggests that organizations combine these tools with certain policies — such as restricting partners from reaching sensitive data at suspicious times, and limiting how they can access that information.

Oracle's 65 Flaw Update

Oracle’s July Critical Patch Update (CPU) is now out with fixes for a whopping 65 bugs … Ron Ben-Natan, CTO of database security and compliance company Guardium, commented that more than 75 percent of the vulnerabilities addressed in the July Critical Patch Update could impact database server availability, compared with less than 30 percent of the vulnerabilities disclosed in April … “The silver lining with these vulnerabilities is that most affect only data availability and integrity, not confidentiality.” Ben-Natan said. “Still, companies need to be aggressive in updating their software, as skilled hackers can quickly compromise un-patched database servers.”

'Foundation Controls' For IT Systems

A new study says businesses struggling with controls over IT systems should focus on a select number of “foundational controls” that can make the greatest improvement in a company’s operating and security performance as well as meet regulatory requirements. Phil Neray, vice president of marketing for Guardium, comments, “If you’re looking at foundational controls that address more than one area at a time, such as operational effectiveness, security and efficiency, you’re providing a strategic or competitive advantage to your business.”

Guardium Receives Strategic Investment From Cisco

Cisco’s investment … provides strong validation of Guardium’s market leadership and the new database access control product category that provides companies with the ability to track and control access to sensitive data in their critical business systems and ensure regulatory compliance.

Guardium 7 Awarded 5-Star Ratings

by David Mitchell, SC Magazine

Lab Review Cites “Swift Deployment, Extensive Database Support, Sophisticated Policy-Based Security, Unique S-Tap and S-Gate Probes, [and] Vulnerability Assessment Tools”

Guardium, the database security company, received 5 out of 5 stars on Features, Performance and Ease-of-Use in an extensive Guardium 7 lab review published in the April 2009 issue of SC Magazine UK.

The review states that Guardium 7 “provides essential tools to protect against the ever-increasing number of security threats” and “provides a range of security measures that allow companies to audit database usage and enforce policies to prevent unauthorized access” while providing an “intuitive web interface” that “offers a range of preconfigured interfaces for data privacy regulations and compliancy guidelines.”

The review concludes that “you have to ask yourself whether you can afford not to have [Guardium 7].”

The Verdict: 5 Stars

With database attacks on the increase Guardium can make sure businesses don’t get caught with their pants down.

by Dave Mitchell, IT PRO
London,England,UK

“The Verdict: 5 Stars: Regulatory compliance isn’t just about protecting databases but also about having laid down reporting and data access auditing procedures that can be enforced. Guardium is capable of ensuring consistent practices can be maintained across multiple databases and provides the tools to safeguard them and ensure their integrity.”

“With database attacks on the increase Guardium can make sure businesses don’t get caught with their pants down.  Businesses have a legal obligation to protect personal and sensitive information in their databases and yet it is truly stunning how many are still failing to comply with regulatory guidelines. It’s now a well known fact that SQL injection attacks are increasing massively thanks to freely available hacker kits and this year has started with security company Kasperksy ironically having one of its customer databases hacked into.”

“There’s certainly no shortage of database security products on the market and Guardium has traditionally offered an impressive array of defences against these types of attacks and more. Deployed as a well specified Dell PowerEdge 1950 appliance, it provides database monitoring and auditing plus security policy enforcement for blocking unauthorised access.”

"Most Powerful Compliance Regulations Tools ... Ever Seen"

“SQL server attacks abounded last year, evidenced in the Test Center’s threat reports of 2008. A relentless amount of SQL hacking attempts were logged as well. Compromised databases accounted for many of the big computer security breach news stories in 2008. This is why a lot of companies are turning to database security solutions like Guardium ... [which] may contain the most powerful compliance regulations tools that the Test Center has ever seen.”

Red Herring 100 Winner

Guardium has been named a Red Herring 100 North America winner, a selection of the 100 most innovative private technology companies in North America.  The magazine’s editorial board identified the top 100 out of more than 1,500 closely evaluated companies that are leading the next wave of IT innovation.  Previous award winners include Google, Yahoo!, Skype, Netscape, Salesforce.com, and YouTube.

"A Leader Across the Board"

According to Forrester, Guardium is “A Leader across the board” with “dominance and momentum on its side (Forrester Wave: Enterprise Database Auditing And Real-Time Protection, Q4 2007, October 2007).  In its comprehensive assessment, Forrester evaluated 14 large and small vendors across 116 criteria, with Guardium earning the #1 score for Architecture and the highest overall scores for Current Offering, Product Strategy, and Corporate Strategy.  Forrester expects Guardium to “maintain its leadership in supporting large heterogeneous environments, delivering high performance and scalability, simplifying administration, and performing real-time database protection.”

Best Intellectual Property Protection

Guardium was named a finalist for the Reader’s Trust Award for Best Intellectual Property Protection. Guardium is the only database security company selected as a finalist by SC Magazine readers. Placement in the SC Magazine Awards program is based on voting by more than 9,000 of the publication’s readers who are responsible for IT security, compliance and risk management in organizations worldwide.

5-Star Rating

SC Magazine gave Guardium 5-Star ratings for Features, Performance and Ease-of-Use, citing its “easy installation, massive database support, sophisticated reporting, strong policy-based security [and] PCI out-of-the-box.” The review described the product as a “sophisticated database security solution that is simple to install and deploy” with “an extensive range of security features that allow companies to monitor and audit database usage and enforce policies to prevent unauthorized access.”

Top of Class

Guardium was rated “at the top of the DBEP [database extrusion prevention] class” with a “solid feature set that should please security pros looking to take back control of database security” in a lab review conducted by InformationWeek magazine.  According to the review, Guardium “has thrown in practically every feature you’ll need to lock down sensitive data” with a “well-designed and attractive Web interface that shows off the maturity of the 6.0 release.” The review concludes that Guardium 6.0 provides “capabilities that stand out from other products we’ve tested.” These products include Imperva’s SecureSphere Database Security Gateway and RippleTech’s Informant. 

Enterprise-Class Security

The Verdict: Guardium’s solution “has evolved from an impressive technology to an enterprise-class security product that should be on every organization’s radar.” Guardium “continues to address one of the most typical database audit failure points. Most auditors will not issue a ‘pass’ if you leverage a database’s native logging features because they are owned and controlled by the groups you are trying to monitor (for example, DBAs should not be responsible for configuring and monitoring DBAs). Guardium 6.0 ensures a system of checks and balances between the security and database engineering teams.”

Gold Winner in Auditing and Compliance

“This year’s Auditing and Compliance category Gold Winner, Guardium Data Privacy Accelerator, an add-on to the company’s SQL Guard compliance solution, provides auditing with an eye toward protecting sensitive data against theft, including data breaches by privileged users inside an organization. Data Privacy Accelerator gives organizations an edge on not only preventing data breaches, but also on stopping them in real time.”

"One of 10 technology companies to watch”

Bank Technology News named Guardium ”one of 10 technology companies to watch”, stating that the company’s “innovation is getting them noticed” and that Guardium is “in the right place at the right time with the right partners.” Past winners of this prestigious award have included Oracle and RSA, The Security Division of EMC.  The publication notes that ING Investment Management is one of Guardium’s customers, while citing Guardium’s “top talent, led by chief technology officer Ron Bennatan, who’s developed apps for J.P. Morgan, Merrill Lynch, [AT&T Bell Laboratories] and Intel.”

Gold Winner in Security

The editors and writers of SQL Server Magazine created the first annual Editors’ Choice Awards to recognize superior products in the market. Winners in 17 categories were chosen based on strategic importance to the market, competitive advantages, and value to the customer.

American Business Awards Finalist

Guardium was named a finalist for the prestigious 2008 American Business Awards in the category of “Best New Product or Service - Computer Software.” Guardium 6 was one of more than 2,600 nominations spanning 40+ categories.  Other finalists include: Microsoft; Adobe Systems; Citrix Online; salesforce.com; and WebEx Communications.  Hailed as “the business world’s own Oscars” (New York Post, April 27, 2005), The American Business Awards are the only national, all-encompassing awards program honoring great performances in business. 

Your Enterprise Database Security Strategy 2010

By Noel Yuhanna, Principal Anyalyst, Forrester Research

SQL injection attacks and internal data thefts are on the rise – but DBAs spend less than 5% of their time on database security.

Read “Your Enterprise Database Security Strategy for 2010”, authored by Noel Yuhanna, principal analyst at Forrester Research Inc., to learn:

• Why AAA and basic security are no longer sufficient.
• The 3 key pillars of a database security plan (foundation, preventive, detection).
• Why 60% of internal database threats go undetected.
• Why privileged user monitoring and role separation are important (and how to implement them).
• Reducing compliance costs and effort by standardizing controls across regulations and applications.

Databases at Risk

by Jon Oltsik, Principal Analyst, Enterprise Strategy Group
In a recent Research Brief, ESG analyzed the current state of database security.  Based upon a survey of 179 North American-based security professionals working at organizations with over 1,000 employees, ESG found that:

• Databases house a higher percentage of confidential data than any other type of data repository.
• Database security depends upon too many manual processes.
• Enterprise-class organizations aren’t diligent enough about database security.

This Research Brief categorizes databases as a “dangerous and growing security gap,” and offers steps to improve database security across the enterprise.

Forrester Wave: Guardium Is "A Leader Across The Board"

According to Forrester, Guardium is “a Leader across the board” with “dominance and momentum on its side.” Forrester expects Guardium to “maintain its leadership in supporting large heterogeneous environments, delivering high performance and scalability, simplifying administration, and performing real-time database protection.”

Forrester Case Study: Guardium Secures SAP & Siebel Data, Achieving 239% ROI

This commissioned case study by Forrester Consulting describes how a global manufacturer implemented Guardium’s real-time monitoring technology to protect corporate data and enforce change controls for critical databases supporting SAP, Siebel and 22 other key financial systems. The customer is a Fortune 500 manufacturer whose brands are household names around the world. According to Forrester, the Guardium solution delivered a risk-adjusted ROI of 239 percent and payback period of less than 6 months compared to the “significant labor and capital costs” that would have otherwise been required using an in-house solution and traditional database logging utilities.

Forrester SOX Case Study

This commissioned case study by Forrester Consulting explains how a leading NYSE-traded energy company simplified database monitoring for SOX while strengthening database security and change controls.

OAUG Survey: Automating Compliance – The Role of Automation in Database Compliance Monitoring

The latest survey commissioned by the Oracle Applications Users Group (OAUG), the leading Oracle user group, in cooperation with Guardium, finds that IT organizations are devoting major amounts of staff resources to database monitoring and compliance reporting. Discover what other businesses are saying about compliance challenges and costs, automating database monitoring and auditing, and the benefits and opportunities that lie ahead.

Bring Database Activity into Compliance

by Eric Ogren, Security Analyst, Enterprise Strategy Group
This special report, commissioned by Guardium, examines a comprehensive approach to securing confidential data and auditing database activity for compliance with government regulations and corporate security policies. The purpose is to provide information and make recommendations for database security to assure true compliance and business continuity. Information in this report derives from Enterprise Strategy Group research and interviews with security executives of global operations.

Data Centric Security

by Spire Research
This white paper talks about how to protect your valuable and sensitive databases. Safeguarding information assets is vital, yet it can be difficult to apply controls that are restrictive or inhibit performance. Learn more about the traditional issues surrounding database security, an approach to implement a database security monitoring program, and insights into how Guardium addresses the challenges of security and compliance with its powerful solutions.

Aberdeen Group: Guardium Receives Strategic Investment from Cisco

Waltham, Mass.-based Guardium received a strategic investment from Cisco as part of a strategic funding round totaling $6.3 million.  Cisco’s investment in the four year old company is the first investment in this market by a major technology company and provides strong validation of Guardium’s market leadership and the new database access control product category that provides companies with the ability to track and control access to sensitive data in their critical business systems and ensure regulatory compliance.  Cisco, for a relatively small investment, gains access to new technology which may help drive Cisco revenue in the future as the company expands and refines product offerings. 

IBM Acquires Guardium

Helps Organizations Safeguard Critical Enterprise Data

Bank CISO to Present at Data Security Seminar

Security and Compliance Leaders Meet in Toronto to Discuss Data Security Initiatives for Key Regulations, Privacy Standards and Reporting Requirements

Guardium Continues Expansion Across EMEA Region

Andrew Lawton Appointed VP to Address Growing EMEA Demand for Safeguarding Sensitive Data from Cybercriminals and Insider Threats

Guardium Research Reveals Alarming Lack of French Consumer Confidence in Online Security

New data security survey discovers that 73% of French consumers lack confidence in retailers’ abilities to safeguard financial data; 43% concerned about Carte Vitale

Verizon Business Forensics Investigator Discusses “Lessons from the 2009 Data Breach Investigations Report” in Webcast

Experts Shed Light on Headline Breaches and Reveal Best Practices for Cyber Defense

Guardium Safeguards McAfee.com

Largest Dedicated Security Technology Company Chooses Guardium to Track and Monitor All Access to Cardholder Data, Without Impacting Performance or Reliability; Solution Deployed in Less Than 48 Hours

Guardium Hosts Executive Financial Services Seminar on Leading Practices for Data Security, Privacy & Compliance

Top Data Protection Professionals from Deloitte & Touche LLP, ING Americas Financial Services and Leading Analyst Firm Address Compliance Issues Including Cost and Complexity

Guardium CTO Shares Best Practices for Database Security and Addressing Insider Threats at San Francisco ISACA Fall Conference

High Profile Breaches and Spying Demonstrate Need for Database Monitoring and Auditing

Guardium Enhances Support for Sybase Data Auditing and Vulnerability Assessment

Sybase Recommends Customers Implement Guardium’s Database Security and Auditing Solution

Guardium Sponsors Educational Web Site Focused on Database Security

New Dark Reading Tech Center Covers Database Vulnerabilities, Common Mistakes and Defenses for Protecting Against Both Internal and External Threats

Guardium Appoints Security Industry Veteran to Lead Strategic Practice for Government Markets

Key Hire with 20+ Years of Federal Technology Experience Will Continue Guardium’s Rapid Growth Safeguarding Data for Government Sector

Abu Dhabi Commercial Bank Implements Guardium to Strengthen Database Controls

Security Initiative Driven by ADCB Audit Strategy to Monitor DBAs and Prevent Unauthorized Changes to Critical Databases

Guardium Hosts Executive Cybersecurity Seminar on Best Practices for Database Security, Privacy & Compliance

Leading Data Protection Experts Highlight Pressing Government Issues Including Cybersecurity and Emerging Threats

Guardium 7 Awarded 5-Star Ratings by SC Magazine

Lab Review Cites “Swift Deployment, Extensive Database Support, Sophisticated Policy-Based Security, Unique S-Tap and S-Gate Probes, [and] Vulnerability Assessment Tools”

Guardium Survey: British Public Worried About the Security of Personal Data Held by Banks, Retailers and Government

A fifth of respondents have been victim to fraud; Only two percent have ‘total faith’ in government security policies

Guardium Integrates Enterprise Database Security with Microsoft Forefront Code-Named “Stirling”

Leading Provider of Real-Time Database Security and Monitoring Announces Support for Microsoft Forefront “Stirling”

Guardium Fuels Customer Momentum for IBM Database Software by Mitigating Risk and Lowering Operational Costs

Supports Data Center Consolidation with Expanded Support for IBM DB2, Informix, Cognos Software and IBM i and System z Operating Systems with z/VM and Linux

Guardium Hosts “Best Practices for Database Security & Compliance” Webcast Featuring Leading Industry Analyst

Real-World Case Studies Help Companies Learn Effective Strategies for Protecting Sensitive Corporate Data While Reducing Cost of Compliance

"Most Powerful Compliance Regulations Tools ... Ever"

Tune in for CRN’s Virtual Trade Show Review of Guardium 7 on February 25th; Review Examines Need for Multi-Layered Security Including Real-Time Database Security & Monitoring

Guardium CTO to Present at Infosecurity Europe Event

Data Breaches Demonstrate Critical Need for Data-Centric Security

Washington Metro Automates PCI Controls

Level 1 Merchant with 9 Million Transactions Yearly Protects Consumer Trust By Shielding Database Infrastructure from Internal and External Threats

Dell Simplifies Enterprise Security with Guardium

“Deployment of the Guardium platform successfully met the requirements established by Dell without causing an outage to any of its databases, and produced a significant reduction in auditing overhead.”

European Financial Services Company Selects Guardium

Guardium and Telindus Belgacom ICT Luxembourg Sign Partnership Agreement

Guardium CTO to Present at UK Oracle Conference

Recognised Database Security Expert to Discuss Best Practices for Monitoring Privileged Users and Preventing Fraud in Enterprise Applications

National Bank of Kuwait Implements Guardium

Guardium and StarLink Announce Distribution Partnership to Provide Real-Time Database Security and Monitoring to Middle East Region

Guardium Achieves ArcSight Certification

Integration with the ArcSight SIEM Platform Provides Enterprises with Clear Visibility into Internal and External Database Threats

Guardium Expands International Reach

Market Leader Continues Momentum in Europe, Latin America & Asia-Pacific Markets

Executive Seminar with Forrester

Leading Industry Analyst and CTO to Discuss Critical Enterprise Data Protection, Governance and Compliance Issues

Government Database Security & Compliance Webcast

Online Seminar Outlines Effective Strategies for Securing Personally Identifiable Information (PII) and Complying with OMB Directive M-06-16

Guardium is Red Herring 100 Winner

Past Winners – Including Google, YouTube, Salesforce.com, Netscape, Yahoo! and Skype – Demonstrate Waves of Technology and Business Innovation

Blocking Unauthorized Privileged User Access

For the First Time, Organizations Can Fully Enforce Separation of Duties – Without Disrupting Business Processes or How DBAs Do Their Jobs

Guardium: Finalist for American Business Awards

6th Annual Stevie® Awards Recognize Guardium 6 As One of the Best New Software Products of 2007

Guardium Chosen as Red Herring 100 Finalist

Award Recognizes the 100 “Most Promising” Companies Leading the Next Wave of Innovation

Guardium Hosts Best Practices Seminars Featuring Gartner

Experts to Highlight Data Privacy, Governance and Compliance Essentials

Gartner Reveals DAM Best Practices

On-Demand Video Details Top Strategies for Securing Critical Enterprise Data

Guardium 7 Monitors Oracle ASO Encrypted Traffic

Guardium 7 Supports Oracle Advanced Security Option (ASO) Network Encryption, Monitoring Data-in-Motion from Privileged Users and Enterprise Applications such as Oracle EBS and PeopleSoft

Guardium 7 Adds Vulnerability Management

First Solution to Integrate Vulnerability Assessment with Sensitive Data Discovery, Real-Time Activity Monitoring, Policy-Based Controls, Configuration Auditing and Compliance Workflow Automation

Guardium 7 Integrates with SIEM, Log Management

Integration with ArcSight ESM, CA, Cisco MARS, LogLogic, RSA enVision and SenSage Provides 100% Visibility and Database Analytics for SOX, PCI-DSS and Data Privacy

Guardium Installed in 350+ Data Centers Worldwide

Installed in More Than 350 Data Centers Worldwide, Including 3 of Top 4 Banks, One of the World’s Largest PC Manufacturers and a Global Soft Drink Brand

Guardium Hosts Best Practices Webinar with Forrester

On-Demand Web Seminar Outlines Effective Strategies for Securing Critical Data From Malicious Outsiders and Trusted Insiders

Securing Microsoft SQL Server 2008

Support for SQL Server Advanced Security Features Provides Comprehensive Visibility into Critical Database Activities

Guardium Secures SAP & Siebel Data

Guardium Solution Automates SOX Controls and Prevents Unauthorized Changes to Critical Databases, According to Case Study by Leading Analyst Firm

Best Intellectual Property Protection

Readers Value Real-time Monitoring of Business-Critical Information as Keys to Protecting Intellectual Property

Guardium Teams with NetApp for PCI

Joint Solution Combines Real-Time Activity Monitoring and Granular Access Controls with Media Encryption to Protect Cardholder Data

Forrester: Guardium is "A Leader Across the Board"

With "Dominance and Momentum On Its Side," Guardium Earns Highest Overall Scores for Current Offering, Product Strategy and Corporate Strategy; Cited for "Leadership in Supporting Large Heterogeneous Environments"

Guardium Partners with NEON on Mainframe

Announces First Solution for 100% Real-Time Visibility Into All Mainframe Database Activity Without Impacting Business Processes; Practical and Comprehensive Solution for Preventing Unauthorized Access to Sensitive Data in Large Corporations

Guardium Receives 5-Star Ratings

Lab Review Cites "Easy Installation, Massive Database Support, Sophisticated Reporting, Strong Policy-Based Security [and] PCI Out of the Box"

Guardium Joins PCI Security Council

Brings Real-Time Database Security and Monitoring Expertise to Help Organizations Protect Cardholder Data with Practical, Cost-Effective Solutions That Don't Impact Existing Business Processes

Guardium Rated at the Top of Class

"Guardium has thrown in practically every feature you'll need to lock down sensitive data" with "capabilities that stand out from other products we've tested" and a "well-designed and attractive Web interface that shows off the maturity of the 6.0 release"

Guardium Wins Back-to-Back Awards

Industry Recognition Signals Growing Importance of Data-Centric Security and Market Leadership Achieved by Guardium's Appliance-Based Solution

Guardium Expands Team to Drive Channels

Martin W. Pejko to Expand Channel Partnerships to Capitalize on Explosive Demand for Real-Time Database Security and Monitoring Solutions

Guardium Receives RSA Certification

Guardium Joins RSA Secured® Partner Program to Enhance Data-Centric Security

Guardium and Cigital Announce Partnership

Alliance Combines Best-of-Breed Consulting with Appliance-Based Technology for Protecting Web-Facing Applications and Critical Data

Guardium & Cisco Discuss Security and Compliance

TechWiseTV Educational Broadcast Highlights Best Practices for Preventing Information Leaks and Protecting Sensitive Data

Guardium Strengthens Executive Team

Upesh Patel to Drive Technology Partnerships Leading to Enhanced Data-Centric Security

Guardium Slams “Back Door” to Privileged Users

First Solution to Monitor All Local-Access Connections Without Performance Overhead and Security Risk of Native Logs

Guardium Expands Worldwide Distribution

Company Continues Rapid Expansion by Adding 14 New Resellers in North and South America, Europe, the Middle East, and the Pacific Rim

Guardium Launches Database Leak Prevention

Automatically Pinpoints and Tags Sensitive Information in Databases; Assigns Granular Access Policies; Prevents Unauthorized Access; Delivers Automated Controls and Reporting for PCI DSS

Guardium Strengthens European Presence

Seasoned Professional Leads London–Based HQ to Meet Growing Demand for Protecting Critical Enterprise Data from Hackers and Trusted Insiders

Guardium Partners with Xtivia

Enhances Data Security, Data Governance and Compliance for Fortune 500 and Mid-Market Customers Across the U.S.

Guardium Experiences Strong Growth

Extends Early Lead in Market by Tripling Size of Installed Base; Works with Industry Leaders to Accelerate Data Security and Data Governance Initiatives

First Solution To Track All Database Changes

New Offering Supports Auditors' Requirements to Tighten Controls and Increases Staff Efficiency

Receives IBM "Advanced Industry-Optimized" Status

Joins IBM PartnerWorld Industry Networks to Deliver On Demand Solutions that Accelerate Data Security and Data Governance Initiatives

Survey Shows Companies Not Ready for SOX Audit

Survey From Oracle Applications Users Group (OAUG) Shows Manual Controls Significantly Increase Operational Costs

Global Energy Company Implements Guardium

Appliance-Based Technology Helps NYSE-Traded Company Simplify and Automate Database Activity Monitoring for Oracle & SQL Server – Without Impacting Business Processes

Guardium & IBM Host Seminar with Gartner

Guardium and IBM Sponsor Wall Street Seminar About Best Practices for Protecting Critical Data, Meeting Auditors' Requirements, and Reducing Compliance Costs

Guardium Named Gold Winner

Self-Contained Network Appliance Provides Automated SOX Reporting & Real-Time Security Without Impacting System Performance or Stability

Premier Systems Integrator Selects Guardium

Top Cisco, Oracle, Sun, and EMC Reseller Targets Growing Demand for Data Privacy and Compliance

Energy Producer Achieves ROI with Guardium

Case Study by Leading Analyst Firm Demonstrates Strong Security and Compliance Benefits with Solid Financial Return

Finalist for MITX Technology Award

Third Annual MITX What's Next Forum & Technology Awards Recognize Outstanding Technology Advancements in New England Region

Guardium Adds Cisco as Strategic Investor

Cisco Invests in Guardium’s Network-Based Platform for Protecting Sensitive Corporate Information

Guardium Adds Support for New IBM Platforms

Enhances Ability to Create Unified Controls Across Heterogeneous, Multi-Vendor Database Infrastructures

Guardium Hosts Data Privacy Seminar with Gartner

Analysts to Highlight Best Practices for Data Security and Compliance

Premier MSP Selects Guardium

Implements Guardium Database Security and Auditing to Protect Oracle ERP System at Leading Manufacturer

Guardium & Forrester Outline Best Practices

Feb. 28 Web Seminar to Highlight Network-Based Database Security and Auditing Appliances

Guardium Expands Global Installed Base

Demand for Database Security and Compliance Solutions Fuels Growth, Industry Partnerships and New Product Innovation

Guardium Protects Against Identity Theft

Network Appliance Prevents Unauthorized Access From Both Inside and Outside the Firewall

Phil Neray Joins Guardium

Phil Neray Joins Technology Leader to Raise Awareness for Company’s Advanced Data Privacy and Compliance Solutions

Guardium Joins IBM Data Governance Council

Helps Clarify, Resolve Data Governance Challenges Related to Information Security, Privacy and Corporate Compliance

Next Generation Database Firewall

SQL-Level, Policy-Based Database Firewall Re-Enforces Guardium's Leadership in Database Auditing, Compliance and Security Markets

SQL Guard Security System & EMC Centera API Integration

Combination Delivers a Storage Solution For Data-Centric Auditing and Compliance Initiatives

Identity Theft Protection Solution

Enables Organizations to Accelerate and Simplify Credit Card Data Protection for New PCI Data Security Compliance Standard

$5.5 Million Raised in 3rd Financing Round

Ascent Venture Partners Leads Investment Group to Provide Funding for Guardium’s Continued Rapid Growth in Database Security Market

Cyber Security Chief Joins Board of Directors

Amit Yoran to Provide Insight and Guidance to the Leading Database Security Company

2005 MITX Technology Awards Finalist

Second Annual MITX Technology Awards Recognize Outstanding Technology Advancements in New England Region

Enterprise-Class Security Platform Expansion

New SQL RemoteGuard Non-Intrusive Monitoring Probe Provides Flexible SQL Guard Options for Departmental and Remote Distributed Databases

Information Security Decisions Presentation

SQL Guard Advanced Database Security Solutions Automate Database Security, Auditing, Compliance, and Identity Theft Prevention

International Reseller Program Expansion

Leading Resellers Worldwide Add SQL Guard^™ Database Security Solution to Audit and Protect Enterprise Databases

Guardium Teams with Nebulas Security

Leading United Kingdom Value Added Reseller Provides Robust Database Security Solutions that Protect Critical Enterprise Assets

Guardium Builds Momentum in 2004

Database Security Leader Experiences Exceptional Revenue Growth, Organization Expansion; Delivers Market-Leading Solutions for Securing Corporate Databases and Automating SOX/GLBA Compliance Initiatives

Guardium Security Suite Named Hot Pick

Recognized as a “Must-have” Database Security Solution for Enterprises; Placed in “a League of its Own”

Guardium Launches SOX & GLBA Solution

New Auditing, Assessment and Firewall Capabilities Accelerate Compliance Initiatives

Breakthrough Database Firewall

Innovative Policy-Based Firewall Extends SQL Guard Family and Leadership in Database Security Market

Guardium Joins EMC NAS Partner Program

Robust Database Security and Auditing Solutions with EMC’s Leading NAS Solutions Deliver Critical Information Protection Solutions

Guardium Addresses SOX Solutions

Will Share Insights into New Approaches That Simplify Financial Database Access Control and Auditing To Support Sarbanes-Oxley Compliance

Guardium Enters Alliance

Delivers Unprecedented Continuous Visibility and Access Control for All Network-Based Access To Distributed Sybase Databases

Breaking New Ground in Database Security

Enables and Simplifies Database Security Assessment, Access Policy Control, Auditing and Regulatory Compliance in a Single Enterprise Solution

Guardium Secures Second Round of Financing

Database Security Provider Will Use Funds to Pursue Significant Market Opportunity

Guardium Extends Database Support

SQL Guard Database Security Platform Now Supports IBM DB2; Guardium Joins IBM PartnerWorld Program

Guardium Joins Oracle Partner Network

Provides Robust Database Security for Oracle Customers

Guardium Introduces SQL Guard

First Non-Intrusive, Network-Based Data Access Security Appliance for Protecting Valuable Corporate Data Fills Key Security Gap by Delivering Unprecedented Visibility and Knowledge Into Enterprise Database Access

Rounding Out the Executive Management Team

Michael Castricone and David Valovcin Bring Extensive Sales, Finance

Guardium Extends Executive Management Team

Nathan Kalowski And Roy Barr Bring Extensive Track Records In Building Successful High Growth Companies To Data Access Security Provider

Guardium Closes $4M Venture Capital

Guardium Targets the Enterprise Application and Database Security Market

RSA 2010

March 1 - 4, 2010
Moscone Center,
San Francisco, CA

The RSA® Conference 2010 is your information security event! As the information security field continues to grow in importance and influence, RSA® Conference plays an integral role in educating and connecting security professionals across the globe.

Exhibits:
Guardium Booth # 632 - South Hall
IBM Booth # 1316 - South Hall

Session:
Come meet Ron Ben Natan, Guardium’s CTO, who will be the featured speaker in a session entitled the “HOWTO Secure and Audit Oracle 10g and 11g”
Data Security Track: DAS-203
10:40–11:50 am.
Wednesday, March 3

Register for a complimentary exhibit hall only pass by using the Guardium code # EC10GDM. Click Here for RSA Registration Page. Offer good until February 26, 2010.

IANS Mid-Atlantic Information Security Forum

March 16 - 17, 2010
JW Marriott,
Washington, DC

Information Security Forums bring together experienced IT and information security practitioners for confidential information sharing on the industry’s most important issues, technologies, and trends. The two-day event includes keynote addresses, peer-to-peer technical and strategic roundtable discussions led by IANS’ Faculty, and was inspired by the Harvard Business School teaching method.

Databases at Risk – and HOWTO Address Them: Live Webcast

Date:  March 25, 2010
Time:  2:00 PM ET
Duration:  60-minutes

If your SAP, Oracle Financials, PeopleSoft or product design system were breached by cybercriminals with compromised superuser credentials – would you know?  And could you prove it to your auditors?

A recent Enterprise Strategy Group (ESG) survey found that nearly 75% of security professionals expect database attacks to increase in the future. 

Join Jon Oltsik, ESG Principal Analyst, to learn about best practices and what your peers are saying about database security: 

• Security professionals’ top 2 concerns are (1) attacks by privileged users with root access, and (2) attacks on Web-facing applications connected to databases.
• In most organizations (63%), database security depends primarily on manual or ad hoc processes – which are no match for well-organized cybercriminals, malicious insiders and accidental changes.
• No one group “owns” database security, which weakens security due to lack of accountability.

Phil Neray, VP of Security Strategy for Guardium, an IBM Company, will present case studies about enterprises that have implemented Guardium’s automated, cross-DBMS solution to secure sensitive data and reduce compliance costs.

Check out this educational webcast to learn HOWTO mitigate internal and external database threats.

Infosecurity Europe 2010

April 27 - 29, 2010
Earls Court,
London, UK

Visit Guardium at Stand L40

Engage and participate in the unrivalled free education programme where influential global experts stimulate debate and industry practitioners share case study experiences. Enjoy the vibrant atmosphere whilst meeting international solution providers who showcase current and emerging technologies on the showfloor and deliver practical, professional & technical expertise enabling you to solve your information security business challenges.

IANS New York Metro Information Security Forum

May 4 - 5, 2010

Information Security Forums bring together experienced IT and information security practitioners for confidential information sharing on the industry’s most important issues, technologies, and trends. The two-day event includes keynote addresses, peer-to-peer technical and strategic roundtable discussions led by IANS’ Faculty, and was inspired by the Harvard Business School teaching method.

RMISC 2010 - Rocky Mountain Information Security Conference

May 5, 2010
Marriott Denver Tech Center
Denver, CO

ISSA and ISACA Denver Chapters have partnered together again to deliver a comprehensive conference addressing information security, IT auditing, compliance and governance.

IBM Information On Demand EMEA 2010

May 19 - 21, 2010
Marriott Park Hotel
Rome, Italy

The IBM IOD EMEA Conference is the industry-leading event on information-led transformation in Europe, Middle East & Africa (EMEA). This Conference offers you an agenda that’s bursting with sessions, demos, networking events, and more-all geared to making your organisation achieve optimal business results.