“There has been a lot of spending on network security, but the perception is there is not a lot of risk in that area,” says Forrester senior analyst Tim Sheedy. Sheedy claims that in a few years IT security will be measured much like other business metrics. Businesses will be able to account for the actual information security risk, based on factors such as employee behaviour, system readiness and the financial ramifications of employees who expose an organization’s most sensitive information — either willingly or by accident. “Putting actual metrics — and particularly financial metrics — around security is going to be a major trend,” Sheedy said.
By 2010, says Pullen, industries like retail, construction and finished goods will have to deal with the same online nasties that plague online banking today — and most won’t be ready.
“In 37 months’ time I think there will be a public company either forced into Chapter 11 (US bankruptcy code) or forced into bankruptcy in Australia because of a security breach that either resulted in goods being stolen from them or an incident with such an impact a company is forced to shut down,” he said.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9005164&taxonomyId=17&intsrc=kc_feat&WT.svl=bestoftheweb1