Former U.S. Cyber Security Czar Richard Clarke and Noted Security Experts Discuss Data Security at Application Security, Inc. Event

Business Wire, Nov 28, 2006

Exclusive Wall Street Panel Highlights Database Security Risks and Best Practices for Fortune 500 Companies

NEW YORK -- Application Security, Inc., (AppSecInc) (www.appsecinc.com), the global leader in database security, hosted an invitation-only seminar for CXO-level IT security professionals featuring key perspectives from industry experts, Richard Clarke, Chairman of Good Harbor Consulting, LLC and former presidential advisor for cyber security and counterterrorism, and Neil MacDonald, Vice President and Distinguished Analyst from Gartner, Inc.

The exclusive Wall Street panel was held at the legendary Harvard Club of New York and included representatives of Fortune 500 enterprises from the financial, retail, and government sectors among others. The presenters discussed emerging IT security threats, steps corporations can take to address risks to data security, and the true costs of industrial espionage.

Featured Presenters and Key Findings:

Richard A. Clarke, Chairman, Good Harbor Consulting, LLC

Featured speaker Richard Clarke, the internationally recognized expert on security - including homeland security, national security, cyber security, and counterterrorism - shared his views on IT security threats faced by Fortune 500 companies today and new threats on the horizon. Among Mr. Clarke's key observations were:

* Today's IT security threats are increasingly focused on stealing valuable data. In this environment, relying on outdated measures like focusing exclusively on perimeter security is insufficient.

* Corporations vastly underrate the value of data within the enterprise. While much of the media has focused on consumer credit card data and social security numbers, the theft of proprietary company information can be just as damaging. Organizations must begin to recognize the value of sensitive data stored in a corporate database like pricing models, customer billing and payment information, trade secrets, and valuable R&D intellectual property.

* The risks from data leakage, cyber terrorism, and industrial espionage are real. To stay ahead of these threats, corporations must act quickly and decisively to know what risks exist within their enterprise; harden their existing IT infrastructure; and monitor against threats in real-time. All of these efforts must include robust protections at the database layer.

Neil MacDonald, a Gartner Vice President and Distinguished Analyst

Also during the session, featured security expert, Neil MacDonald, a Gartner Vice President and Distinguished Analyst, provided insight and actionable recommendations regarding current and emerging IT security threats. Among Mr. MacDonald's recommendations was that organizations should "operationalize for efficiency; architect for effectiveness." Further in the discussion, Mr. MacDonald encouraged organizations to be aware of the changing threat environment in IT security and to avoid complacency.

According to Gartner's 2006 Information Security Technology Hype Cycle, explained in detail during the event, emerging IT security threats that organizations face include zero-day threats, rootkits, and database worms, all of which can be used to target database assets within the enterprise.

Ted Julian, Vice President of Marketing and Strategy at Application Security, Inc.

Ted Julian, Vice President of Marketing and Strategy for Application Security, Inc., rounded out the panel and closed the executive summit by sharing observations from his database security experience. Mr. Julian offered a perspective arising from his decade of experience as a security industry pioneer and tenure as a well-known industry analyst.

Mr. Julian provided five tactical recommendations to address emerging database threats:

1. Apply the existing vulnerability management program to the database. Organizations have been managing vulnerabilities on their network and general-purpose hosts for over a decade. Today's targeted attacks demand that this best practice be extended to include databases. This step includes the ongoing process of discovery, assessment, hardening, activity monitoring, and reporting.

2. Utilize robust database access controls and policies. Institute automated policies that deter or prevent unauthorized data access and are specifically mapped to key regulatory guidelines such as: PCI, Sarbanes-Oxley, Basel II, DISA-STIG, and CIS/NSA.

3. Extend configuration control and awareness to the database. Control and awareness measures are an essential part of existing perimeter security programs. Extend these principles to the database layer to provide defense-in-depth that proactively identifies unauthorized database alterations, reconfigurations, and access control violations.

4. Establish segregation of duties and strict control policies. Comprehensive role-based access controls enable organizations to restrict access to data as it resides in the database and help prevent unauthorized modification, loss, and disclosure.

5. Protect the integrity of your systems and data against insider threats. To be effective, strong security policies must be enforced with strong monitoring technologies. Monitor the activities of external and internal users (including administrators) and provide real-time alerts on violations or other suspicious activity.


Content provided in partnership with Thompson Gale