
An Oracle blog about PeopleSoft Technology

We don't need no stinkin' passwords!

Greg Kelly
Product Strategy Director - Security

To plagiarize a movie quote:

    "Passwords? Passwords? We don't need no stinkin' passwords!"


A password is a chimera, like the TSA line at airports or the gates on "gated" communities. They might not provide absolute security, but they make people feel safer.
If a hacker wants to access a system, all they need is for some user to click on a link in an email, or sometimes even to open an email or an attractive-sounding web page.

Remember Stuxnet, the "found" USB drives, and the pointy-haired boss illustration.
No password required.
 

As long as the following personality types or conditions exist in an organization, it will be prone to compromise:

  • Moral Luck
  • Moral Hazard
  • Normalization of Deviance
    • "Familiarity Breeds Contempt"
  • Broken Pane Syndrome
  • Willful Blindness
  • Hubris
  • Disengagement/Disenchantment
  • "Elastic" Morality
  • Preference Cascade

Look around you and see where you recognize the type or combination of types.

(Note: I haven't provided any links in this list, since using any of the phrases in your favorite search engine will return lots of relevant information)

User Behavior Analytics (UBA) with "north-south" and "east-west" detection and restriction would provide organizations with enhanced levels of protection.

Read on for references to emerging security protection being used in the industry. These are provided as additional background.

Oracle and Passwordless

About Passwordless Login [link]

OAM provides passwordless authentication, which allows you to bypass the standard web-form-based authentication when using a mobile device. Passwordless authentication allows access to the protected resource without the need for entering the username and password every time. However, the first-time login is through the standard login form.

During the first time while accessing the protected resource, you are redirected to the standard login form. After successful login, you can enable passwordless notification-based authentication.

The next time (and subsequently) when you access the protected page and are required to login, a message is displayed (instead of the standard login page) mentioning that a push notification is sent to your mobile device. To authenticate, you must open the Oracle Mobile Authenticator (OMA) app on your registered mobile device and allow access. You are then redirected to the protected page.

 

User Behavior Analytics (UBA)

What is Oracle CASB?

The Importance of User Behavior Analytics for Cloud Service Security [link]

... To improve security for both cloud services and traditional IT, many enterprises are implementing security solutions that analyze user behavior. Rather than focusing solely on quickly identifying attack objects such as viruses and malware or beating the hackers to the punch with early discovery of vulnerabilities in operating systems or browsers, these UBA solutions focus analysis on actions performed by particular users, forming a baseline of normal behavior and continuously monitoring for deviations from the accepted norm.
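To make the baseline-and-deviation idea in the excerpt above concrete, here is a small added illustration; it is not code from Oracle CASB or from this post. Each event is (user, hour of day, source network, records accessed); the users, networks, event history and the z-score threshold are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed history used to learn each user's "normal": (user, hour, source network, records accessed).
HISTORY = [
    ("alice", 9, "corp-lan", 40), ("alice", 10, "corp-lan", 55), ("alice", 14, "corp-lan", 48),
    ("alice", 11, "corp-vpn", 52), ("alice", 15, "corp-lan", 45), ("alice", 9, "corp-vpn", 50),
    ("bob", 8, "corp-lan", 12), ("bob", 13, "corp-lan", 15), ("bob", 17, "corp-lan", 10),
    ("bob", 9, "corp-lan", 14), ("bob", 16, "corp-lan", 13), ("bob", 12, "corp-lan", 11),
]


@dataclass
class Baseline:
    """Per-user norm: hours and networks seen before, and the history of access volumes."""
    hours: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    volumes: list = field(default_factory=list)


def build_baselines(events):
    """Learn a Baseline for every user from historical events."""
    baselines = defaultdict(Baseline)
    for user, hour, source, volume in events:
        b = baselines[user]
        b.hours.add(hour)
        b.sources.add(source)
        b.volumes.append(volume)
    return dict(baselines)


def score_event(baselines, event, z_threshold=3.0):
    """Return the list of ways this event deviates from the user's norm; [] means it looks normal."""
    user, hour, source, volume = event
    b = baselines.get(user)
    if b is None:
        return ["unknown-user"]          # no baseline at all: nothing to compare against
    reasons = []
    if source not in b.sources:
        reasons.append("new-source")     # never seen from this network before
    if all(abs(hour - h) > 1 for h in b.hours):
        reasons.append("off-hours")      # more than an hour away from any usual login hour
    mu, sigma = mean(b.volumes), pstdev(b.volumes)
    if sigma and (volume - mu) / sigma > z_threshold:
        reasons.append("volume-spike")   # access volume far above the user's usual level
    return reasons


def detect(baselines, stream):
    """Run a stream of new events through the baselines and keep only the deviating ones."""
    return [(e, r) for e in stream if (r := score_event(baselines, e))]
```

A real UBA product would use far richer features and adaptive thresholds, but the shape is the same: learn per-user norms, then alert on what falls outside them.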

 

Oracle and "north-south traffic" and "east-west traffic" protection [link]

... Architecture

[This] reference architecture consists of a firewall that controls north-south traffic and east-west traffic. North-south traffic is the traffic that comes from the internet (through the internet gateway) or the on-premises environment (through the dynamic routing gateway) to the VCNs. East-west traffic is the traffic between VCNs in your tenancy. This architecture shows how to design the network and where to place the firewall.

 

Oracle and NDR - Network Detection and Response (NDR)

Oracle Communications Security Shield Cloud  [link]

... The Oracle Communications Security Shield Cloud (OCSS Cloud) service evaluates calls crossing an enterprise’s network edge, detects malicious call signatures and behaviors, and produces a risk assessment for each call, all in real-time. Guided by this risk assessment, it uses policy-based actions to then automatically control the call’s resolution, aligning the call’s handling with an enterprise’s own perspective towards risk.

 

Two additional links for interest:

Something, Something, Security - Troy Hunt [link]

DEF CON 15 - Johnny Long No Tech Hacking [link]