Category: Team Shatter Exclusive

Tip: Protect Data with the Principle of Least Privilege

By Josh Shaul

Malicious insiders account for nearly 50 percent of all data breaches and pose a significant threat to sensitive enterprise information. This data ranges from proprietary research and corporate best practices to Social Security and credit-card numbers and other confidential, personally identifiable information. For any organization, it’s imperative that sensitive information remains secure. Meeting the regulatory requirements to safeguard valuable information is critical, and meeting the compliance mandates to do so can be challenging. By leveraging the principle of…

SHATTER’s View of Gawker’s Database Hack

Posted December 14, 2010 by Alex Rothacker in Data Breach, Database Security, Team Shatter Exclusive, Tips and Tricks with 0 comments
Yesterday, Gawker was in the news, but not for breaking a juicy story; instead, it was for letting its users learn it wasn’t keen on security. According to the New York Times, more than 1.3 million user names and passwords were compromised, though it was unclear whether all of the data had been decrypted. The database attack against Gawker is an example of what could happen to any organization that doesn’t take security seriously. Look at any news organization just for an…

PCI DSS 2.0: Is it 2.0 worthy?

Posted December 7, 2010 by Mark Trinidad in Compliance, Database Security, PCI, Team Shatter Exclusive, User Rights with 0 comments
It’s just about two months since PCI DSS 2.0 was released. And it wasn’t that hard to digest the new changes. You can read the summary of changes directly from the PCI SSC website or have a look at a nice summary of changes from Branden Williams. Yes or no? Is this updated version worthy of a 2.0? I would say no. Sure, some clarifications were made about technology and about specific wording in the test procedures themselves, but no, this…

WikiLeaks and the Principle of Least Privilege

I saw a survey today asking if readers thought WikiLeaks is a hero or a villain. I won’t get political here; that’s for someone else to write about. What I will say is that what it boils down to is WikiLeaks enabling the world to see sensitive government information that spans nearly a decade. Right or wrong, to me, this is about data security and user rights. Our SHATTER researchers and experts say time and time again that organizations need to…

Security Versus Compliance

Posted November 22, 2010 by Richard Tsai in Best Practices, Compliance, Database Security, Team Shatter Exclusive with 0 comments
The title of this post suggests that security and compliance are opposite concepts, but we all know they are not. In fact, we know the two to be intricately intertwined. Security for databases still requires more awareness, but the problem should no longer be an unknown. I recently re-read an article published in InformationWeek titled “Epic Fail” by Greg Shipley, and he skillfully points out, “… with databases a top target and related security spending being relatively minimal, it’s…

Chinese Internet Traffic Redirects Could Pose Serious Threat to Databases Stored in the Cloud

Posted November 19, 2010 by Alex Rothacker in Data Breach, Database Security, Team Shatter Exclusive with 0 comments
Researchers this week revealed that a major portion of the world’s Internet traffic was redirected to China’s primary telecommunications carrier for a period of about 20 minutes earlier this year. “At 15:54 GMT on April 8, 2010, McAfee detected a routing announcement from China’s state-controlled telecommunications company, China Telecom, which advertised 15 percent of the world’s Internet routes,” said researchers at security company McAfee in today’s blog. “For at least the next 18 minutes, up until China Telecom withdrew the…

Encrypting Data at Rest

Data should be encrypted at rest and in motion. As discussed in previous posts, failing to encrypt data at rest and in motion is one of TeamSHATTER’s Top 10 Database Vulnerabilities and Misconfigurations. In this post, I’ll discuss encrypting data files rather than securing database communications. There are several different approaches to encrypting data. First, there is encryption in the application that feeds the database, where extra code is written to automatically encrypt data as it is selected, inserted or updated. Secondly, there are file…

Understanding SQL Injections in the Database Management System

Let’s talk about SQL Injections in the Database Management System (DBMS). SQL Injections are a well-known attack vector against the DBMS through Web applications, caused by a failure to sanitize user inputs. Similar to the Web-based variant, SQL Injection in the DBMS exploits the passing of SQL commands as a parameter of a function or stored procedure. The malicious SQL commands then execute in the context of the component that provides the called function. This is often done using components…

Another Database Breach: Louisiana EMT Database

Yesterday I came across an article on a hack at the Louisiana Department of Health and Hospitals. A state licensing database that contained personally identifiable information of 56,000 EMTs was compromised due to a database hack. The unauthorized entry gave the hacker access to individuals’ names and personal information, including Social Security numbers. According to Lisa Faust, the Department of Health and Hospitals spokesperson, “What we don’t know is whether the hacker was able to access any information.” She…

Data in the Dark: A New Study on the Organizational Disconnect of Information Security

Yesterday, Application Security launched a major report, “Data in the Dark: Organizational Disconnect Hampers Information Security.” PASS members were polled across 761 organizations to determine their challenges and priorities relative to database security.

Highlights

The study found that approximately 75% of respondents, the majority of whom are database administrators, are responsible for protecting their organization’s database. Nearly half of the study’s respondents said that a database breach would have greater impact on organizational security than any other IT component. However, about 40%…
