Received this below announcement about database scanning. How many people check their database security as part of the routine security assessment? Why do so many e-business sites' databases get hacked? Why do they not hide their database behind the firewall, instead of in front of it? Or are they misconfiguring the firewall rules and allowing an open port from the outside to the internal database?

Database Scanner 4.0.1 just received a very positive review in the January 2001 issue of SQL Server Magazine. According to the reviewer: "Database Scanner 4.0.1 from Internet Security Systems (ISS) is a must-have for any DBA responsible for security. [...] Database Scanner can help you replace a high-priced security consultant or help you become a better, more efficient consultant or security administrator yourself. [...] I believe the ISS programmers spent their time programming the right thing: a killer security-scanning application that is never out-of-date."

Despite some minor caveats about the usability of the GUI, the reviewer praises Database Scanner's overall ease of use, built-in expertise, and flexibility, and he notes that, because it operates from a client machine, Database Scanner leaves no footprint on the tested database server. You can find the complete review at http://www.sqlmag.com/Articles/Index.cfm?ArticleID=16059&pg=1.

Another favorable review of Database Scanner also appeared last fall in the September issue of Information Security magazine, as part of the article "Securing Oracle." Although the reviewer only tested version 3.0, the article demonstrates Database Scanner's status as the only true database security assessment tool on the market. To view the complete article, go to http://www.infosecuritymag.com/, and then click Archived Articles and select September 2000.

Making the case for database security

Database Scanner is the better mousetrap, but sometimes enterprises and organizations don't realize they have mice, so to speak. Below are notes from the news of the last year that indicate the need for a dynamic, easy-to-use database security tool that incorporates a wealth of security expertise and best practices.

In the news last year:

* CDUniverse.com customer database hacked. 25,000 credit card numbers are posted to the Internet by a cracker named Maxus after the company refused to pay him US$100,000. He claimed to have stolen as many as 300,000 credit card numbers from CDUniverse.com's customer database. (January)

* Advised by a Russian security consultant, MSNBC exploits blank SQL Server passwords to access customers' personal information at seven Internet sites, all of which are named in the article. (January)

* Western Union online service database hacked. Almost 16,000 credit card numbers stolen from the Western Union database after the launch of its MoneyZap online service. (September)

* Hacker Herbless exploits a default blank 'sa' password in SQL Server to hack 168 web sites and place messages protesting high English fuel prices. Herbless later posted his "linsql" script to BugTraq, explaining that it "can execute arbitrary commands on an MS-SQL host that uses a blank 'sa' password." There is a high probability that a similar exploit was used to place pro-Napster messages on other corporate Web sites. (August-September)

* CreditCards.com customer database hacked. 55,000 credit card numbers stolen. (December)

* University of Washington Hospital patient database hacked. Medical records, including social security numbers and medical history, for 5,000 heart patients are stolen. (December)

* Egghead.com hacked. High-profile hack in late December, 2000, that may have exposed as many as 55,000 customer credit card numbers. Egghead has yet to announce whether or not information was stolen from their database. (December)

The Gartner Group estimates that "two thirds of Web servers are vulnerable to simple content defacement attacks and 50 percent are vulnerable to information theft attacks." What is more, "Given the ease of substitution in the online industry, the loss of trust in a vendor by consumers or in a payment service provider by vendors can result in termination -- not just interruption -- of revenue as customers change their practices or suppliers" (J. Pescatore, Gartner FirstTake, 19 December 2000).

This loss of trust is readily evident in the comments of an Egghead.com customer following the recent breach: "Any company that's going to do something as stupid as maintain a credit card online on a vulnerable server that long after the transaction, I have no reason to trust them at all. That goes against every industry best practice that's out there." According to the article in ZDNet (1 January 2001), the customer "said [he] won't ever shop at Egghead again."

While the safest solution is to make customer databases physically inaccessible from the Internet, such measures sacrifice the gains in efficiency that Internet-enabled technologies make possible.

Lost customer trust is not the only risk faced by companies and organizations that fail to adequately protect customer and patient data. Legal action and the spectre of regulatory intervention also raise the stakes of database security. "The situation is ripe for a lawsuit," according to a senior Clinton administration official cited in ZDNet: "Companies are going to have to be taught that they are liable for such damages. In the next two years, I would say a major lawsuit will do that" (Robert Lemos, "Top 10 Security Stories of 2000," ZDNet News, 26 December 2000).

Conclusion

Internet-enabled organizations need a database security solution that is flexible, easy to use, and saves valuable resources. Database Scanner meets this need, empowering organizations to protect their valuable data and the continued operation of their critical systems.

Kristy
