Category: Audit

What Every Database Administrator Should Know About Security

[The following is excerpted from "What Every Database Administrator Should Know About Security," a new report posted this week on Dark Reading's Database Security Tech Center.] To say that there is friction between security professionals and database administrators (DBAs) is putting it mildly. Database administrators are both the caretakers of database platforms and the managers of data. Very seldom are they also security experts. In many enterprises, the DBA and the security team find themselves at odds because the DBA is…


De-FUD-ing Privileged User Management

I am proud to write this column for Dark Reading. The biggest reason is I get to share two decades of stuff I’ve seen with databases and security with you, and it starts really good conversations every time I attend security conferences and meet readers face-to-face. I can share perspective, help clarify issues around database threats, and explain the pros and cons of database security products. On occasion, I even get to call BS on things I believe only confuse DBAs and…


Pain Comes Immediately – Secure Development Takes Time (Team Shatter Exclusive)

I recently came upon a blog post by Adrian Lane of Securosis titled ‘Pain comes instantly – fixes come later’, in which he comments on yet another blog post ‘Pain comes instantly’ by Oracle’s CSO, Mary Ann Davidson. Anything ‘Oracle security’ always gets me curious, so I went ahead and worked my way through both articles. Let’s just say one of them is a rather lengthy read. The core point of Mary Ann Davidson’s post is an objection she has…


PCI Council To Establish Network Of Certified Security Testers For Banks

Posted February 13, 2012 by Tim Whitman in Audit, Best Practices, Database Security, Finance and Banking, PCI with 0 comments

Holding up his iPhone, Bob Russo, general manager of the PCI Council, declares, “This is the most insecure device in the world, and my life is on it.” The task of providing the right security layers for payment products, especially in the emerging field of mobile payments, is daunting for many banks. Russo and brand-new PCI Council Chairman Michael Mitchell, who is also vice president, global network operations at American Express Merchant Services, are stepping up the security best practices…


Database Logging Basics For The Secure DBA (Team Shatter Exclusive)

Logging 101

Building a secure system requires employing multiple processes, tools and techniques. This post will take a look at how to properly configure a file-based logging process. Logging is the process of collecting information that details what events took place on the system or what state the system is in. Logs are absolutely necessary to establish accountability, investigate system disruption, monitor for unauthorized activities, determine the extent of the damage inflicted as a result of an attack, trace the source of the…


How HIPAA Data Breaches Impact Business


According to the Ponemon Institute’s 2011 Benchmark Study on Patient Privacy and Data Security, data security breaches cost the U.S. healthcare industry an estimated $6.5 billion a year, up 10 percent from last year. About 29 percent of the providers reported that one consequence of data breaches was medical identity theft. The major causes of healthcare data breaches include lost or stolen devices (nearly 50 percent), third party/business associate mistakes (46 percent) and unintentional employee actions. The prevalence of business…


ICO: Many U.K. Organizations Still Failing On The Basics Of Data Protection


The Information Commissioner’s Office (ICO) has imposed only six monetary penalties against organizations for data breaches since gaining the power in April 2010, says deputy commissioner David Smith. “These penalties are not imposed for losing data, but for failing to meet the requirement of addressing the risk and having appropriate measures in place,” he told attendees of a Trusted Computing seminar, hosted by Wave Systems in London in association with ISSA-UK. Smith highlighted several other trends that have emerged from…


Palo Alto: Audit Finds Breach – Employee And Customer Information At Risk

Posted October 17, 2011 by TeamSHATTER Admin in Audit, Best Practices, Data Breach, Database Security, Government (State), User Rights with 0 comments

The City of Palo Alto’s business operation had a significant security breach that left sensitive employee and customer information open to outside access, an investigation by the City Auditor’s Office found. According to the audit, which was released this week, the firm SAP failed to secure a “powerful account,” allowing the auditor’s office access to sensitive and confidential information for what the report called an “extended period of time.” The report also found that the Administrative Services Department, which oversees…


ICO Calls For Audit Enforcement Power


Information Commissioner Christopher Graham says the data protection watchdog should be able to audit local authorities, businesses and the NHS without their consent. Currently, the ICO only has compulsory audit powers over central government, with consent required for an audit to be carried out in other sectors. However, Graham argues that these sectors are sources of particular concern. The NHS accounted for 40% of data breaches since April this year, while two thirds of data breach fines were issued…
