We've been blogging for awhile here on the Obama administration and Cybersecurity.

• Obama following through on Cyber Security
• All the responsibility and none of the authority

It looks like he is in fact following through. According to boston.com - President Obama said that cyberspace is one of the biggest threats to the economy and the military.
 

Obama goes on to site a survey claiming that in the past two years alone cyber crime has cost Americans more than $8 billion and that he has personally had his privacy violated by cyber criminals. He also speaks to this being an issue of remaining competitive in a global economy and protecting sensitive information from...

"the disgruntled employee on the inside, the lone hacker a thousand miles away, organized crime, the industrial spy and, increasingly, foreign intelligence services. It's been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion. In short, America's economic prosperity in the 21st century will depend on cybersecurity. For all these reasons, it's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation."

President Obama restated a line from speeches earlier in his administration stating that - our digital infrastructure will be treated as a strategic national asset. He highlight five key areas of focus and responsibility for this new initiative.

1. Develop a comprehensive strategy
2. Unified approach bringing together federal, state and local government as well as private sector
3. Collaborate with and strengthen public/private partnerships
4. Continued investment in research and development
5. Embark on a national campaign of cybersecurity awareness and digital literacy

Unlike "cyber czars" of the past administrations - it looks like the one under the Obama administration is going to have greater support from the President and a more defined strategy.

This is a continuation of multiple educational video demonstrations related to Web application attacks. This video is focused on parameter tampering. The definition can be found in the Imperva ADC Glossary here.

"In addition to its existing network-based monitoring and blocking of unauthorized activity by trusted insiders, SecureSphere can now terminate local user activity and quarantine user accounts in the event of a security policy violation. This extends Imperva's unmatched database protection to a full 360 degrees."

If you have subscription to this week's issue of Credit Union Journal (Registration Required) you can read how SecureSphere is used to combat cyber security at 66 FCU.

Online crooks wielding SQL-injections have become more interested in 66 FCU as it works to expand its website business, with features such as membership enrollment.
"We're also seeing a lot of bot scans," in addition to SQL-injection attempts, said Clint Brown, programmer at the $400-million CU. "People are phishing to see where we as programmers have put down our guard."

Listen to the Podcast here or directly through iTunes. Download the Transcript here.

Brian Contos: Joining us today is Richard Stiennon, security expert and industry analyst that is known for shaking up the industry and providing actual guidance to vendors and end users. He recently re-launched the security blog, Threat Chaos, and is the founder of IT‑Harvest, an independent analyst firm that researches 1200 IT security vendors.

Richard has held positions as chief marketing officer at Fortinet, VP of research at Webroot Software, and VP of research at Gartner.

Welcome to the podcast, Richard!

Richard Stiennon:  Hey, Brian, good to be talking to you again.

Brian Contos:  Before we get started, a little bird told me that you might have a book in your future.

Richard Stiennon:  Yeah. I've been talking and blogging and writing about cyberwar for so long that I accumulated a bunch of stories. And then last year, I was up in Halifax and some guys were doing a freelance report on cyber hacking, and they got me in front of a camera. They said it was just for a couple of statements, but they had me there for about an hour and when they were done they said, "Man, have you written a book on this?" and that was the seed of the idea. So, it's been a year since then, and obviously a lot of developments. Since then, the Pentagon was owned by the Chinese, the German Chancellery was owned by the Chinese; we've had skirmishes between Russia and Estonia, Russia and Georgia, Hamas and Israel; so there's a ton there. So, yeah, that's got me going for my next big project.

Brian Contos:  What a timely subject. I'm looking forward to it. What we're here to talk about today is data centric security, or data security. There are lots of ways to really address it, but when I say that term, what does that mean to you? You've been around the industry for so long, all these buzzwords and terms, when you hear "data security" what do you think of?

 

TechNewsWord just came out with an article about biometrics that is a pretty interesting read; and I'm not just saying that because they quoted me a couple times. It is clear that the convergence of physical and logical security is here, and regardless of biometric readers, common access cards (CAC), RFID, or video analytic systems, physical security is becoming more integrated with and more dependent on logical systems such as network gear, databases, applications, etc.

 

Computer scientists at NIST developed a working-draft definition of cloud computing in collaboration with industry (Imperva included) and government. 

NIST will use the definitions as the foundation for a special publication that will cover cloud architectures, security, and deployment strategies for the federal government. Comments on the definition can be sent to the email address: "cloud" at "nist" with a dot "gov" at the end.

http://csrc.nist.gov/groups/SNS/cloud-computing/index.html

You can also find our feedback on the Federal Cloud RFI here. 

Learn how Agilent Technologies, the world's premier measurement company, is using Imperva SecureSphere to address their strategic security and compliance needs. By addressing Web applications and databases in tandem, Agilent is able to better mitigate risks and satisfy audit requirements. 

"We don't just view Imperva SecureSphere as a technology solution, we see it as an integrated and indispensable part of our daily security and compliance processes and long term strategy," says Chad Lorenc of Agilent Technologies.

• Case Study (PDF)
• Podcast (MP3)

On this episode of the Imperva Security Podcast Chad Lorenc of Agilent is interviewed. As an Imperva customer with a vast and complex infrastructure, Agilent has stepped up in a big way to meet the demands of application and database security as well as regulations such as Sarbanes-Oxley. Chad discusses how the Imperva SecureSphere solutions helped Agilent discover critical assets, monitor their operations, and provide an ongoing strategic resource for their data security initiatives.

".....A review of recent data security breaches suggests Structured Query Language (SQL) injection attacks on e-commerce Web sites and Web-based applications that manage card accounts (e.g., PIN updates, monetary additions, account holder updates) have become more prevalent...... These latest SQL injection attacks pose serious additional risks to cardholder data stored or transmitted within systems (e.g., Microsoft and UNIX-based) and networks connected to the affected environment."

    Since I've been in security, I can't remember a time when "Insiders" - malicious, careless or otherwise, weren't a hot topic of conversation. Heck - I even wrote a book about it.  My family tells me it's just the right size for propping open the garage door.

<Start Psychoanalysis>

Most malicious insiders are driven by monetary gain - either need or greed.  Even individuals that wouldn't consider doing something illegal will when given the appropriate trigger such as a professional, personal, or financial crisis. There must also be opportunity to commit the crime and the criminal must overcome natural inhibitions to criminal behavior such as loyalty or friendships. Psychology plays a role too and character weaknesses can manifest in antisocial tendencies or in narcissism that can lead to malicious behavior.

</End Psychoanalysis>

Since the economy tanked, and the financials went under, stats have been flowing freely like campaign in the grotto about how bad things are and are going to get. Especially around how likely it would be for an employee to steal from their employer (former employer). Vendor studies give us stats, as do analysts and trade journals, but it isn't until more mainstream media picks it up that we pay closer attention.  Enter the May 2009 issue of Playboy.

According to Playboy, "58% of surveyed Wall Street workers say they would steal company data and take it with them if they were being laid off and thought they wouldn't be caught."

There you have it; if you can't trust stats from Playboy, then who can you?