On a recent visit to Asia I had the opportunity to sit with many of our regional partners to discuss IT security regulations specific to web applications and databases.  There was no surprise that PCI was at the top of the list followed by SOX for some international companies, primarily American, and then a short list of ISO and country specific regulations.  Each partner I spoke with talked about a different local requirement usually still being defined or just about to become officially enforced.  In each case I received the same question, "Will SecureSphere support the legislation?"

The short answer I gave them all was the same.  If the legislation requires web application security and/or monitoring, and/or defines requirements for securing and/or monitoring database and data access, the answer is 'yes'.  The reality that I have experienced so far has been that while there are various data security regulations, they all typically require the same fundamental output.  Data privacy regulations, regardless of the industry or country, at a minimum, require complying organizations to restrict and/or monitor (audit) who has access to, and to what degree they have access to, the data that must be regulated.

  Jimmy Private Data

This, of course, is quite easy for SecureSphere since it has the ability to secure and monitor (audit) any aspect of database and application activity.  All that is required of the administrator is to know what elements of data access should be monitored to comply with the regulation and to configure SecureSphere to secure and/or monitor that activity.  Of course, SecureSphere is pre-configured with the most common regulations, but as I say, it can be easily configured to meet even the most obscure legislation.

The most common current Asia regulations I identified are below:

PCI

SOX

J-SOX

K-SOX

ISO27001

As I stated above, there are some regulations in development for various countries, but they have yet to be ratified.  Additionally, some countries have existing regulations, but have yet to include IT data to the requirements and are still very much focused on the 'paper' books rather than electronic data.  Having worked extensively in various locations around the globe, it's always interesting to see the considerable differences from region to region and country to country.

Ellen Messmer, at Network World, published a short, entertaining article about an unemployed Russian system administrator who hacked into a giant public billboard on a Moscow street, replacing the advertisement with a pornographic movie.

…Interior Ministry's high-tech crime unit says the suspected billboard hacker is a 41-year-old unemployed man who police believe used the IP address of an organization based in Chechnya to breach a Moscow server…

Needless to say, this stopped traffic both on the street and on the sidewalks stuffing them with gawkers and cell phone videophiles.  Considering the ‘rubber-neck’ traffic created by someone changing a tire where I live, I can only imagine the backup caused this incident.  Taking the security of the billboard server and public safety issues of stopping traffic aside, this article underscored for me the idle hands environment we find ourselves into today with unemployment rates steadily rising. 

Statements attributed to police sources says the hacker was breaking into computers out of curiosity and had admitted to the stunt, which he allegedly said was an effort to entertain

At least in this case, the alleged intent was curiosity and entertainment rather than data theft or destruction. I also consider the distribution method in this case and how the billboard could have been made to show healthcare information, credit card numbers, private financial data, etc…

Network World's reporter Ellen Messmer published an article today about an Oracle vulnerability identified by David Litchfield for the purpose of refuting Larry Ellison's claim that his database was "unbreakable".

David Litchfield, a researcher at NGS Consulting, demonstrated how a user can subvert security to elevate his privileges to take complete control over Oracle 11g and also showed how to bypass the Oracle Label Security used to set mandatory access controls over information depending on security level.

The security-industry veteran said ever since he heard Oracle's chief Larry Ellison touting his database as being "unbreakable, I took umbrage at that." Litchfield noted he and Oracle have had a "rocky relationship" for a long time.

Mr. Litchfield is targeting Oracle in this case, but most database vendors make similar efforts to calm their user's fears of vulnerabilities.  The DB attack discussed is an example of the challenges that database vendors face when trying secure their own code.  Databases are large complex software packages and to expect them to be inherently secure from the vendor, regardless of CEO comments or promises, is risky.