A lot of not this week. I was not at SECtor, although I understand it was a good time. I am not going to Oracle Open World. I should be going, but too many projects are either beginning or remain unfinished for me to travel to the Bay Area, visiting old friends and finding a good bar to hang out at. That is lots of fun I will not be having. I will not be going to Atlanta in November as the Tech Target event for data security has been knocked off the calendar. And I am not taking a free Mexican holiday in Peurta de Cancun or wherever Rich is enjoying himself. Oh well, weather has been awesome in Phoenix.
With the posts for Dark Reading this week I spent a bunch of time rummaging around for old database versions and looking through notes for database audit performance testing. Some of the old Oracle 7.3 tests with nearly 50% transactional degradation still seem unreal, but I guess it should not surprising that auditing features in older databases are a problem. They were not designed to audit transactions like we do today. They were designed to capture a sample of activity so administrators could understand how people were using the database. Performance and resource allocation were the end goals. Once a sample was collected, auditing was turned off. Security was not really a consideration, and no thought given to compliance. Yet the order of use and priority has been turned upside down, as they fill a critical compliance need but require careful deployment.
While I was at RSA this year, one database vendor pointed out some of the security vendors citing this 50% penalty as what you could expect. Bollocks! Database security and compliance vendors who do not use native database auditing would like you to embrace this performance myth. They have a competitive offering to sell, so the more people are fearful of performance degradation, the better their odds of selling you an alternative to accomplish this task. I hear DBAs complain a lot about using native auditing features because it used to be a huge performance problem, and DBAs would get complaints from database and application users.
Auditing produces a lot of data. Something has to be done with that data. It needs to be parsed for significant events, reported on, acted upon, erased or backed up, or some combination thereof. In the past, database administrators performed these functions manually, or wrote scripts to partially automate the responsibility, and rewrote them any time something within IT changed. As a form of self preservation, DBAs in general do not like accepting this responsibility. And I admit, it takes a little time to get it set up right, and you may even discover some settings to be counter-intuitive. However, auditing is a powerful tool and it should not be dismissed out of hand. It is not my first choice for database security; no way, no how! But for compliance reporting and control validation, especially for SOX, it’s really effective. Plus, much of this burden can be removed by using third party vendors to handle the setup, data extraction, cleanup, and reporting.
Anyway, enough about database auditing. On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s Dark Reading post on Database Auditing Essentials.
- David Mortman’s Diversity of Thinking article on Threatpost.
- Adrian’s follow-up Dark Reading post on Auditing Pitfalls.
Favorite Securosis Posts
- Rich: Database Audit Events. This is a lot of research!
- Adrian: This week’s Friday Summary. No link necessary!
- David Meier & David Mortman: Visa’s Data Field Encryption.
Favorite Outside Posts
- Rich: Coconut Television. “No tequila yet, but we will see how the night goes.”
- Adrian & Mortman: JJ on SecTor’s Wall of Shame.
- Meier: Comcast pop-ups alert customers to PC infections. It may be effective, but why are you inspecting my traffic? How do I opt out?
Top News and Posts
- Bloggers who review products must disclose compensation. But nothing says you need to disclose compensation for not writing about a product (wink-wink). Payola may be illegal, but hush money is bueno!
- Statistics from the Hotmail Phishing Scam. This closely mimics some of the weak password detection and dictionary attack work I conducted. You will notice any dictionary attack must be altered for regional preferences.
- Express Scripts notifying 700,000 in Pharma data breach.
- Bank fraud Malware that rewrites your bank statement.
- PayPal Pissed!
- Why the FBI Director does not bank online.
- Botnet research conducted by University of California at Santa Barbara. Full research paper forthcoming.
- AVG launches new AV suite while Microsoft is breathing down their necks.
- Hundreds arrested in Phishing scam where as much as $1M US was stolen. What I found most interesting about this is MSNBC and Fox News only mention ‘overseas’ participants, while small investigative papers like the Sacramento Bee and others gave details and noted the cooperation of Egyptian authorities. I guess ‘fair and balanced’ does not necessarily mean ‘complete and accurate’.
- McAfee and Verizon partnership.
- Passwords for Gmail, Yahoo and Hotmail accounts leaked. What’s wrong with a wall of sheep? Kidding.
- People who don’t understand security grasping at straws.
- Malware Flea Market.
Blog Comment of the Week
This week’s best comment comes from Adam in response to Mortman’s Online Fraud Report:
It’s sort of hard to answer without knowing more about what data he has, but what I’d like is raw data, anonymized to the extent needed, and shared in both data and analyzed forms, so other people can apply their own analysis to the data.