3 posts from June 2013
June 27, 2013
 Why Data Security Pros Are Knocking Down Firewalls
Pin It

Disa1Yesterday, a very interesting article in the AFCEA caught my eye: “DISA Eliminating Firewalls.” Although the title seemed provocative at first, the article itself just made me smile.

DISA gets it, they really get it.

One of the advantages of working with the father of the modern firewall is that I have an insider’s perspective on how security has evolved over the years – from the early days of Stateful Inspection firewalls, when perimeter and interdepartmental separation was the focus, to the realization that data (a company’s lifeblood) is the single most important asset to protect. Not this or that network, but the data.      

In the article, Lt. Gen. Ronnie Hawkins JR explains that network separation, while widely accepted, does not encourage business collaboration, like easily accessing and sharing content.

Here’s my favorite snippet from the article: “In the past, we’ve all been about protecting our networks—firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA. We’ve got to remove those and go to protecting the data.” (Emphasis is mine.) 

Yes, firewalls are important. They help solve network security problems by creating barriers that prevent unwanted network access. But they do not control data access.

That’s why I find DISA’s new approach so fascinating. It’s based on the realization that the threats have changed. Hackers want data like IPs, PINs, credentials, proprietary information, and more. And it’s very easy for them to steal data due to poor security controls or outright mismanagement.  

Only time will tell how DISA will implement their new plan. But they’re likely to make the following changes:

  1. Data will be classified in databases and file systems
  2. Role-based access that is based on entities will be mapped against the data classifications
  3. Business logic rules (i.e., “only a Lt. Gen. or above, reporting to a specific unit, may read/write this kind of data) will be created
  4. Access to content will be controlled and audited
  5. A discovery process for new data at rest will be implemented
  6. Data will be monitored for configuration, permission, and vulnerability issues

Of course, these are only a few examples coming from best practices in data security. And while each example can be easily expanded, the basic idea is pretty clear. There’s a new focus in town: data access control will increasingly trump network access control. It’s the next logical step in the evolution of data security in enabling large organizations to collaborate in a way that is both easier and more secure.

Personally I hope that the DISA’s decision becomes a guidepost for other organizations to follow.

And that’s why I salute you, DISA. A job well done.


June 18, 2013
 Data Leakage In A Google World
Pin It

Gg3In the past, information leakage conjured images of securing data from physical theft (remember the alleged FBI laptop?) but thanks to the web, organizations need to secure information from growing “search giants”. In short, data leakage has taken on a whole new meaning in the Google age.

The causes of data leakage range from simple misconfiguration or improper classification of data, which makes it possible for Web servers to publish private and/or sensitive information, to users unwittingly (or not) storing sensitive data where they shouldn’t, Even best business practices such as site scraping -- a known method for gathering competitive intelligence in which company A automatically reads company B’s website for available data like price tables, and uses it to cut its own prices and remain on top – can lead to leakage of information.

Search Engines

By their very nature, search engines are the Internet’s biggest and most public Indexers. Search engines analyze websites, indexing them for the benefit of everyone who has ever done an Internet search. One urban legend even states that Google has a complete copy of the entire public Internet on file for data mining and analysis purposes.

As consumers and users of the Internet, we like to believe that most organizations do their best to remove sensitive information from their websites, FTP sites and other front facing business applications, As it turns out, however, this is not always the case.

Google Tables Search

Google has always been a pioneer of search algorithms, search visibility and advanced indexing, remaining one step ahead of other search engines, and introducing news ways to tag images by context, and even FTP sites for content. Their recently added Table Search capabilities, however, really brings to surface the idea of impact of data leakage in an indexed world.

This is not to say that Google is causing data leakage, but abilities like “Indexed FTP”,”Sesrch by image”, and now “Table Search” offer new ways to discover and extract data, which would otherwise have remained undiscovered.

Here’s one scary example (you can think of other interesting tables: PII, salaries,CC,…)

We used:


Which is a structured representation of -


What is the Security takeaway?

The takeaway here is that Web security is more important now than ever before. Obviously, it doesn’t make sense to block Google from indexing your site (a business driver), but you should be aware of what content you are allowing access to, and who is accessing it.

Companies should:

  1. Implement web application security to mitigate hacker risk.
  2. Validate the content that is accessible via your web servers on a regular basis and/or implement policies to check for outgoing data.
  3. Implement policies to mitigate Bots that may scrape your website for available content.

The bottom line is that no one really wants to block Google from indexing your website, however controlling the content that your website serves is important. Organizations should note that once content is up there, the “search giants” will index it and with ever-evolving mechanisms it will become easier to get around leaked information.


 Webinar: CMS Hacking 101
Pin It

With the rise of blogs, forums, online magazines, e-commerce, and corporate websites, many organizations are turning to Content Management Systems (CMS), such as Joomla or SharePoint, to create rich websites. CMSs simplify website delivery - but they also expose your organization to a new set of vulnerabilities.

Join Barry Shteiman, Imperva Sr. Security Strategist, to see how malicious hackers exploit vulnerabilities found in popular Content Management Systems to systematically identify and attack unsuspecting organizations.

Presenter: Barry Shteiman, Sr. Security Strategist, Imperva

Date: Wednesday, June 26, 2013

Time: 11:00 AM PDT | 2:00 PM EDT

Register Now



Find Us Online
RSS Feed - Subscribe Twitter Facebook iTunes LinkedIn YouTube
Monthly Archives
Email Subscription
Sign up here to receive our blog: