THE BANKING MALWARE SCOURGE | INSIDE WINDOWS 7 SECURITY INFORMATIONINFORMATION ECURITY ® S MAY 2010 DATA: Do You Know Where It’s Going? Database activity monitoring keeps watch over your data INFOSECURITYMAG.COM Database protection and compliance made simple. Guardium, an IBM Company, provides the simplest, most robust solution for continuously monitoring access to high-value databases and automating compliance controls for heterogeneous environments – assuring the integrity of trusted information and enabling enterprises to drive smarter business outcomes. • Gain 100% visibility and control over your entire DBMS infrastructure. • Reduce complexity with a single set of cross-DBMS auditing and access control policies. • Enforce separation of duties and eliminate overhead of native DBMS logs. • Monitor privileged users, detect insider fraud and prevent cyberattacks. • Automate vulnerability assessment, data discovery, compliance reporting and sign-offs. For more information, visit www.guardium.com/SearchSecurity Copyright © 2010 Guardium, an IBM company. All rights reserved. Information is subject to change without notice. IBM, and the IBM logo are trademarks of International Business Machines Corporation in the United States, other countries or both. MAY 2010 contentsVOLUME 12 NUMBER 4 FEATURES 19 Data in Check DATABASE ACTIVITY MONITORING Database activity monitoring keeps watch over your data. BY ADRIAN LANE 26 Under Attack MALWARE Cybercriminals are using increasingly stealthy and sophisticated malware to hijack online business banking accounts. BY MARCIA SAVAGE 37 Target: Security and Simplicity OPERATING SYSTEM SECURITY With Windows 7, Microsoft aims to improve security in the enterprise but without the headaches of Vista. BY BETH QUINLAN ALSO 5 EDITOR’S DESK Lacking Details The Cybersecurity Act of 2010 has potential but raises a lot of questions. BY MARCIA SAVAGE 12 SCAN n OWASP Adds Risk to the Equation 9 PERSPECTIVES Organization aims to make Top 10 list of coding errors easier to use by adding risk to the methodology. The Real Risk Equation BY ROBERT WESTERVELT A simplified risk equation helps translate risk to users and allows 14 SNAPSHOT security to partner with the business. BY RON WOERNER Avalanche of Patches 16 INFOSEC LEADERS CAREER ADVICE Take Four Steps Toward an Information Security Career Plan Experts Lee Kushner and Mike Murray explain how having a long-term information security career goal isn’t enough. BY LEE KUSHNER AND MIKE MURRAY 46 Advertising Index 3 INF ORMATION SECURITY May 2010 Courion helps organizations manage risk and demonstrate compliance through: Access certification and compliance management Role management User provisioning Password management Courion’s Access Assurance strategy ensures that only the right people have the right access to the right resources and are doing the right things. This approach increases operational efficiency and trans- parency, strengthens security, and improves compliance, while delivering the industry’s fastest time to value and lowest total cost of ownership. To see how Gartner and Burton recognize Courion, visit: www.courion.com EDITOR’S DESK Lacking Details The Cybersecurity Act of 2010 has potential but raises a lot of questions. BY MARCIA SAVAGE TABLE OF CONTENTS THE ROCKEFELLER-SNOWE cybersecurity legislation is promising on several fronts, but if you actually plow through the bill’s text, you’ll find some questionable provisions and EDITOR’S DESK parts that beg for clarification. To be sure, the new draft of the Cybersecurity Act of 2010 (S. 773) is an improvement over last year’s version, which included an infamous “kill switch” that would give the PERSPECTIVES president the authority to shut down the Internet in the event of a massive cyberattack. The idea went over like a lead balloon and Sen. Jay Rockefeller, who co-sponsored the revised legislation with Sen. Olympia Snowe (R-Maine), was careful to note that it SCAN “does not give any new or broader authority to the president.”However, it does allow tthe president to declare a cybersecurity emergency—without defining what would constitute a cybersecurity emergency. SNAPSHOT Rockefeller says the legislation is designed Rockefeller says the legislation to prepare the U.S. for a major cyberattack by providing a framework for private-public is designed to prepare the CAREERS sector collaboration. Among other things, U.S. for a major cyberattack the bill would support major new R&D into cybersecurity, establish a certification program by providing a framework DATABASE ACTIVITY MONITORING for security professionals, initiate a new cyber- for private-public sector security public awareness campaign, and call on the private sector and government to share collaboration. BANKING MALWARE threat and vulnerability information. Certainly, the bill takes several positive steps. With new threats emerging all the time, more cybersecurity R&D and increased efforts to develop and recruit the next generation WINDOWS 7 of information security pros are critical. And the bill addresses a long-standing sore spot SECURITY in the security industry by supporting research into integrating secure coding into core computer science curriculum. But here’s where it gets sketchy. The legislation also includes a plan for “positive SPONSOR RESOURCES recognition” for critical infrastructure companies that report compliance with cyber- security risk measurement techniques and best practices. NIST is designated as the body to recognize and promote these best practices, but it’s unclear what they would be. Moreover, how many companies would be eager to publicly proclaim themselves secure? What about a company that doesn’t receive the positive recognition? Either way, a company could become a target for hackers based on public disclosure about the state of their security, says Paul Rohmeyer, a faculty member in the graduate school at Stevens Institute of Technology and consultant. “It’s a bad idea all around,”he says. The legislation also doesn’t account for differences between industries and doesn’t 5 INFORMATION SECURITY May 2010 describe how it relates to existing mandates such as Gramm-Leach-Bliley, Sarbanes- Oxley and HIPAA, Rohmeyer says. Also, the creation of a training and certification program for critical infrastructure security pros will create a huge market for trainers, he adds, but there’s no provision for how the trainers themselves would be qualified. Other parts of the bill—like the call for public-private collaboration on cyber- security and information sharing—are nothing new. Perhaps giving cleared private sector executives access to classified threat information, as the legislation proposes, TABLE OF CONTENTS would make a difference. However, as industry analyst Richard Stiennon points out, the FBI’s InfraGard already provides businesses with threat information. Ultimately, how much the Cybersecurity Act would prepare the country for a EDITOR’S DESK cyberattack is anybody’s guess. Rohmeyer for one isn’t convinced it would help. He’s hesitant to be too critical—cybersecurity legislation is needed and this bill is generally headed in the right direction, he says—but it leaves too many unanswered questions. PERSPECTIVES “If I’m a compliance officer in a company that’s in one of the critical infrastructure industries, I don’t know what my obligations are under this law,”he says. The Rockefeller-Snowe cybersecurity legislation is a good start but needs some SCAN work to truly address the country’s pressing cybersecurity needs and not create more compliance headaches for businesses.w SNAPSHOT Marcia Savage is editor of Information Security. Send comments on this column to [email protected]. CAREERS DATABASE ACTIVITY MONITORING BANKING MALWARE WINDOWS 7 SECURITY SPONSOR RESOURCES 6 INFORMATION SECURITY May 2010 COMING IN JUNE Endpoint Cloud Governance, Risk TABLE OF CONTENTS Encryption Computing Risks and Compliance EDITOR’S DESK PERSPECTIVES Increasingly mobile workforces Business managers are eager Governance, risk and compli- mean more sensitive customer to move enterprise operations ance is a term that’s been SCAN and corporate data floating to a cloud computing model hyped in the industry to the around on laptops outside the in order to cut costs. However, point where it’s become a enterprise. A lost or missing security managers remain catch-all phrase for most infor- SNAPSHOT laptop could have costly and wary of the risks associated mation security strategies and damaging consequences. But with cloud computing. In this various products. The promises CAREERS organizations can protect data feature, we’ll examine how of GRC—reduced risk and on laptops — and avoid breach enterprise risks change with streamlined compliance—were notification requirements - with cloud computing, what use obscured. This feature will look DATABASE ACTIVITY encryption. This feature will cases are best suited for the at how an organization can MONITORING examine the different types of cloud, and what information successfully develop a GRC laptop encryption available, security pros should do to program to achieve those goals. BANKING MALWARE including full disk, file/folder, prepare for moving into the It will offer strategic advice for and pre-encrypted drives. It cloud. We’ll also look at enterprise security managers also will cover deployment emerging standards for and include an examination of WINDOWS 7 SECURITY options (key management cloud computing. tools and frameworks in the and policy management) and GRC market. look at