Author: Adrian Lane

News & Commentary Posts: 102
Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and Unisys, he has extensive experience in the vendor community, but brings a pragmatic perspective to selecting and deploying technologies having worked on "the other side" as CIO in the finance vertical. Prior to joining Securosis, Adrian served as the CTO/VP at companies such as IPLocks, Touchpoint, CPMi and Transactor/Brodia. He has been invited to present at dozens of security conferences, contributed articles to many major publications, and is easily recognizable by his "network hair" and propensity to wear loud colors.
Articles by Adrian Lane

DAM Market Observation

2/24/2011
Despite talk about a lack of innovation in the data security market, excellent technologies like DAM and DLP were available for years before customers embraced them.

Clearing The Air On DAM

2/23/2011
There are two very important things to understand: First, a database firewall and a database activity monitor (DAM) are exactly the same thing! Second, a database firewall can upset normal IT operations.

Going Out With A Bang

1/4/2011
We like to think that most firms have 'gotten the memo' that hackers hack databases, yet the flurry of breaches at year's end suggests otherwise.

Gawker Goof

12/13/2010
Sometimes it helps knowing what not to do with database security to clarify why you need database security -- and sometimes somebody else goofs up real bad and sheds light on the little security details you need to get right.

NoSQL: Not Much, Anyway

11/4/2010
I don't get the NoSQL movement. Most old-school database administrators don't. In fact, a lot of people don't understand what NoSQL is exactly because, quite frankly, there's not much there. Most of the features and functions we consider synonymous with databases are unwanted by developers of nontransactional systems and are falling by the wayside as companies push applications into the cloud.

Protegrity Gets Aggressive

9/20/2010
Last week Protegrity announced it had filed patent infringement suits against NuBridges and Voltage Security Inc., its main competitors. Patent infringement suits are nothing new for technology companies, but this one was a little odd in that the suits were actually filed in May.

Seven Features To Look For In Database Assessment Tools

9/7/2010
As a follow-up to my "Essentials of Database Assessment" post, I want to go over some of the basic features and functions to look for in a database assessment product. Many features differentiate one tool from another, but I'll focus in on the top seven items you should review.

The Essentials Of Database Assessment

8/30/2010
The three fundamental database security operational practices are refining access control, database configuration settings, and patching. And by "operational" I mean you do them over and over to make sure they are right.

Database Threat Modeling And Strip Poker

8/17/2010
Threat modeling used to be an arcane process handed down from one security expert to another. But it's the single most valuable skill I have learned in security. It involves looking at every system interface or function and trying to find different ways to break it.

How To Protect Oracle Database Vault

8/9/2010
In Esteban Martinez Fayo's "Hacking and Protecting Oracle Database Vault" session at Black Hat USA in Las Vegas a couple of weeks ago, he demonstrated several exploit methods that could be used to disable Oracle Database Vault. Each exploit provided an avenue by which he could hack the database. With each exploit he performed the same hack: rename the dynamically linked library that implements all of Oracle Database Vault's functions.

SIEM Ain't DAM

7/19/2010
I've been getting questions about the difference between security information and event management (SIEM) and database activity monitoring (DAM) platforms. It's easy to get confused given their similarities in architecture. There's also a great deal of overlap in the events each collects and the way they handle information. Couple that with aggressive marketing claims, and it seems impossible to differentiate between the two platforms.

Patching And Risk Mitigation

7/15/2010
I followed an interesting discussion on a DBA chat board this week regarding whether to patch a database. The root issue for the DBA: a recent patch release corrected a minor vulnerability, but fear that a multipatch install process could fail halted the upgrade.

Massachusetts Data Privacy Standard: Comply Or Not?

6/8/2010
In my previous position at a database security vendor, I was often asked by marketing to explain the applicability of technology to problems: how you could use assessment for PCI compliance, or why database activity monitoring was applicable to privacy laws, for example.

What Oracle Gets In The Secerno Buy

5/24/2010
One key takeaway from Oracle's acquisition of Secerno is that the database giant now has a database activity monitoring (DAM) solution, closing a big gap in its current security capabilities.

Goldman Sachs Lawsuit Shows Need For DAM

5/18/2010
When Goldman Sachs was hit with a lawsuit by Ipreo Networks, I got a call from Dark Reading contributor Ericka Chickowski to talk about the alleged misuse of the "BigDough" database. Specific details on this case remain scarce, but threats to Customer Relationship Management (CRM) systems and SaaS-based data services are well known.

PCI: Data Token Alternatives

4/20/2010
When a merchant cannot -- or will not -- replace credit card numbers with tokens provided by its payment processor, how does it secure its database to be PCI-compliant?

PCI Database Security Primer

4/6/2010
I have written a lot about compliance in the past three months, but most of the guidance has been generic. Now I want to talk about database security specifically in relation to the Payment Card Industry (PCI) Data Security Standard, and consider compliance more from an architectural standpoint as opposed to a tools- or policy-based perspective.

Insiders Not The Real Database Threat

3/31/2010
The recent incident where an HSBC employee raided a corporate database of customer information and then attempted to sell information to French tax collectors has been characterized as a user-access control issue. But I don't agree.

Measuring Database Security

2/16/2010
How much does it cost to secure your database, and how do you calculate that? One of the more vexing problems in security is the lack of metrics models for measuring and optimizing security efforts. Without frameworks and metrics to measure the efficiency and effectiveness of security programs, it's difficult both to improve processes and to communicate our value to nontechnical decision makers.

Oracle 0-Days

2/12/2010
During Black Hat, David Litchfield disclosed a security issue with the Oracle 10g and 11g database platforms. The vulnerability centers on the ability to exploit low security privileges to compromise Oracle's Java implementation, resulting in a total takeover of the database. While the issue appears relatively easy to address, behind the scenes this disclosure has raised a stir in database security circles. The big issue is not the bug or misconfiguration issue, or whatever you want to call it.

Amazon's SimpleDB Not Your Typical Database

2/6/2010
Several cloud providers offer databases specifically designed for cloud deployment. Amazon's SimpleDB, while technically a database, deviates from what most of us recognize as a database platform. Although SimpleDB is still in prerelease beta, developers have begun designing applications for it.

Wiping Out Wimpy Passwords

1/29/2010
Recent breaches at Rockyou.com and Hotmail illustrate the consistency of human behavior: Since the dawn of access control systems, users continue to choose easily guessed passwords.

What Data Discovery Tools Really Do

1/20/2010
Data discovery tools are becoming increasingly necessary for getting a handle on where sensitive data resides. When you have a production database schema with 40,000 tables, most of which are undocumented by the developers who created them, finding information within a single database is cumbersome. Now multiply that problem across financial, HR, business processing, testing, and decision support databases -- and you have a big mess.

Discovery And Your Database

1/13/2010
Database discovery is the act of locating databases on a network. Years ago, this was simple because companies had only one or two databases. Now just about every application created relies on database services to provide data integrity and transactional consistency.

Data Masking Primer

12/26/2009
Data masking is an approach to data security used to conceal sensitive information. Unlike encryption, which renders data unusable until it is restored to clear text, masking is designed to protect data while retaining business functionality.
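The distinction in that teaser, masked data that still works in business logic versus ciphertext that works nowhere until decrypted, is easiest to see on a card number. Below is an added example, not code from the article or from any Securosis or Dark Reading tool: a format-preserving, deterministic masking routine for a PAN. It keeps the length, the six-digit BIN and Luhn validity, replaces every other digit with digits derived from an HMAC of the real value, and masks the same PAN to the same output in every table so joins still line up. The key, the sample customers and transactions, and all function names are constructed for this example.

```python
import hashlib
import hmac


def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit that makes body + digit validate."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # second-from-right digit of the full number is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def mask_pan(pan: str, key: bytes) -> str:
    """Replace a card number with a fake one that keeps its shape.

    Kept: length, the 6-digit BIN (so brand/routing logic in test code still works)
    and Luhn validity. Replaced: every other digit, derived from an HMAC of the real
    PAN, so the mapping is consistent across tables but not reversible without the key.
    """
    digits = pan.replace(" ", "").replace("-", "")
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a well-formed PAN")
    bin_prefix = digits[:6]
    n_middle = len(digits) - len(bin_prefix) - 1      # everything but BIN and check digit
    mac = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    middle = str(int.from_bytes(mac, "big"))[-n_middle:]
    body = bin_prefix + middle
    return body + luhn_check_digit(body)


def mask_column(rows, pan_index: int, key: bytes):
    """Mask the PAN column of a list of tuples; every other column is left as-is."""
    return [
        tuple(mask_pan(v, key) if i == pan_index else v for i, v in enumerate(row))
        for row in rows
    ]


# Constructed sample data (not from the article): well-known test PANs and a demo key.
# A real deployment pulls the key from a KMS/HSM and never stores it beside the data.
MASKING_KEY = b"demo-masking-key-not-for-production"
CUSTOMERS = [("alice", "4111111111111111"), ("bob", "5500000000000004")]
TRANSACTIONS = [
    ("4111111111111111", 10.00),
    ("5500000000000004", 25.50),
    ("4111111111111111", 3.20),
]


def masked_join_still_works(key: bytes = MASKING_KEY) -> bool:
    """After masking both tables, every transaction still resolves to a customer."""
    customers = mask_column(CUSTOMERS, 1, key)
    txns = mask_column(TRANSACTIONS, 0, key)
    lookup = {pan: name for name, pan in customers}
    return all(pan in lookup for pan, _ in txns)


if __name__ == "__main__":
    for name, pan in CUSTOMERS:
        print(name, pan, "->", mask_pan(pan, MASKING_KEY))
    print("join intact:", masked_join_still_works())
```

Two caveats a practitioner would raise: the HMAC key is what stops an attacker from masking every possible PAN and matching outputs back to inputs, so it needs the same custody as an encryption key; and a masked PAN is still a string that passes Luhn, so downstream systems that treat "valid-looking" as "real" will happily accept it, which is exactly what makes masked data useful in test environments and dangerous if it leaks back into production.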

What IBM's Acquisition Of Guardium Really Means

12/2/2009
IBM's acquisition of database activity monitoring (DAM) vendor Guardium has created a lot of buzz in the security industry. This is the first major acquisition in the database security market, the first time a large company has bet on DAM technology, and if the rumored sales price is accurate, then it suggests IBM paid a premium. And given the value this product can provide to IBM customers, it looks like a good investment.

Two Ways To Encrypt Your Database

11/20/2009
File/operating-system-level encryption is actually implemented outside the database engine, but it's still a form of database encryption. It's referred to as "transparent" encryption because it doesn't require any changes to the database or to the calling application.

A Peek At Transparent Database Encryption

11/13/2009
There are several different ways to encrypt data stored within databases -- some residing inside the database, others outside. You can encrypt data programmatically at the application layer or at the database layer, and automatically by the OS/file system or by the database engine itself. Each has a slightly different use case, with differing degrees of data security, complexity, and impact on performance.

Cell-Level Encryption

11/10/2009
A friend of mine was wondering why cell-level encryption isn't used often in databases. What would seem to be a fast and efficient approach to data security actually requires a complex implementation. Cell-level encryption stands in stark contrast to commonly adopted transparent forms of database encryption, and helps us identify hidden costs and complexity.

What DAM Does

11/4/2009
Database activity monitoring (DAM) tools have a range of capabilities, including data collection and analysis. But the real question is: How does this technology help you?

The ABCs Of DAM

10/26/2009
Database activity monitoring (DAM) has been the biggest advancement in database security in the past decade. Identity management controls access, and encryption protects data on media, but monitoring verifies usage.

Getting Around Vertical Database Security

10/14/2009
A few database administrators told me they wanted to know why database security is vertical and how they can fix it. True, database access controls are vertical. The basic construct of a database is a table, and access controls grant access to tables or columns. This means you can see all of the entries from top to bottom, or none at all. Access is vertical and it lacks granularity.
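The usual way around "all rows or none" is to stop granting on the table and grant on a view that filters rows by the caller's session context. Below is an added example, not code from the article: it builds a shared orders table in SQLite, a one-row stand-in for the server's session context, and a view that returns only the rows owned by the current session user. Table name, column names and the sample rows are constructed for this example; SQLite has no GRANT or session variables, so the app_session table is a stand-in for SYS_CONTEXT (Oracle), current_setting() (PostgreSQL) or SESSION_CONTEXT() (SQL Server).

```python
import sqlite3

# Constructed sample data (not from the article): one orders table holding several users' rows.
SAMPLE_ORDERS = [
    (1, "alice", "widget", 10.00),
    (2, "alice", "gadget", 25.50),
    (3, "bob", "widget", 10.00),
    (4, "carol", "gizmo", 99.99),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, item TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    # One-row table standing in for the server's session context. In a real database
    # the server owns this value; the application account must not be able to write it.
    conn.execute("CREATE TABLE app_session (app_user TEXT NOT NULL)")
    conn.execute("INSERT INTO app_session (app_user) VALUES ('')")
    # The view is the horizontal cut: it yields only the caller's own rows. On a real
    # server you GRANT SELECT ON my_orders to the application role and grant nothing
    # on the base table.
    conn.execute(
        """
        CREATE VIEW my_orders AS
        SELECT id, owner, item, amount
        FROM orders
        WHERE owner = (SELECT app_user FROM app_session)
        """
    )
    return conn


def set_session_user(conn: sqlite3.Connection, username: str) -> None:
    conn.execute("UPDATE app_session SET app_user = ?", (username,))


def ids_via_table(conn: sqlite3.Connection) -> list:
    """What a grant on the base table exposes: every row, top to bottom."""
    return [row[0] for row in conn.execute("SELECT id FROM orders ORDER BY id")]


def ids_via_view(conn: sqlite3.Connection, username: str) -> list:
    """What the same caller sees through the filtering view."""
    set_session_user(conn, username)
    return [row[0] for row in conn.execute("SELECT id FROM my_orders ORDER BY id")]


if __name__ == "__main__":
    db = build_db()
    print("base table:", ids_via_table(db))
    for user in ("alice", "bob", "mallory", ""):
        print(f"view as {user!r}:", ids_via_view(db, user))
```

Note the failure mode the example covers: an unset or unknown session user matches no owner and the view returns nothing, which is the fail-closed behaviour you want. The control is only as strong as the session context it keys on; if the application account can set that value itself (as this demo does through set_session_user), the view is a convenience filter, not a security boundary.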

Avoiding Database Audit Pitfalls

10/8/2009
Many seasoned database administrators howl in protest at the mere suggestion of running native auditing functions due to the poor performance and log management headaches that often come with auditing.
