Wednesday Feb 05, 2014

Recent Breaches Prove Risks to Retail Industry Higher than Ever

Recent retail data breaches serve as a sobering reminder that the retail industry continues to be a key target of cybercriminals in 2014.

In fact, according to the recent Verizon Data Breach Investigations Report, nearly a quarter of all data breaches occurred in retail environments and restaurants.

What can retailers do to lower their risk?

Know Who Wants Your Data

The Verizon report shows a relationship between industry, attack motive, and threat actor: payment card data is stolen from retailers mostly by organized criminal groups operating from many different geographies. They go for volume, so prioritize the same way and protect your biggest targeted assets first: your databases.

Know Where Your Data Resides and Who Has Access

Common attacks use legitimate user credentials to reach sensitive databases and exfiltrate payment card data. Control which users and applications can access what, and enforce least privilege, especially in consolidated environments where one database server hosts many applications. Audit database activity so that unauthorized activity is detected and stopped, and so that the forensic record needed after an incident actually exists.
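As an added illustration (not part of the original post) of what "enforce least privilege" and "audit database activity" look like on Oracle Database 12c, the following SQL grants an application account only the object privileges it needs, checks that nothing broader leaked in, and enables a unified audit policy on the card-data table. The schema, table, package and account names (PAY, CARD_DATA, CARD_API, POS_APP) are assumed for illustration; unified audit policies exist from 12c onward (11g uses the older AUDIT statement) and the policy commands need the AUDIT_ADMIN role.

```sql
-- Added example (not from the original post). Assumed names: schema PAY owns
-- CARD_DATA and the package CARD_API; POS_APP is the application account.

-- Least privilege: the application connects and calls a package that
-- encapsulates card access. It gets no direct table access and no
-- ANY-style system privilege, so a stolen POS_APP password cannot be used
-- to SELECT * FROM pay.card_data.
CREATE ROLE pos_app_role;
GRANT CREATE SESSION TO pos_app_role;
GRANT EXECUTE ON pay.card_api TO pos_app_role;
GRANT pos_app_role TO pos_app;
ALTER USER pos_app DEFAULT ROLE pos_app_role;

-- Check that nothing broader leaked in: both queries should return no rows.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('POS_APP', 'POS_APP_ROLE')
   AND privilege LIKE '%ANY%';
SELECT grantee, privilege, owner, table_name
  FROM dba_tab_privs
 WHERE grantee IN ('POS_APP', 'POS_APP_ROLE')
   AND table_name = 'CARD_DATA';

-- Detective control: a unified audit policy (12c) on the card table.
-- Every SELECT/INSERT/UPDATE/DELETE on PAY.CARD_DATA is recorded regardless
-- of the user or tool, including ad hoc SQL*Plus sessions by DBAs.
CREATE AUDIT POLICY card_data_access
  ACTIONS SELECT ON pay.card_data,
          INSERT ON pay.card_data,
          UPDATE ON pay.card_data,
          DELETE ON pay.card_data;
AUDIT POLICY card_data_access;

-- Also record account and privilege changes: a GRANT to an unexpected
-- account is often the first visible step of credential abuse.
-- ORA_ACCOUNT_MGMT is a predefined policy shipped with the database.
AUDIT POLICY ora_account_mgmt;

-- 12.1 queues audit records in memory; flush before reviewing.
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

-- Review: card-table access by anything other than the application,
-- most recent first. This is also the record forensics will need.
SELECT event_timestamp, dbusername, os_username, userhost, client_program_name,
       action_name, object_schema, object_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%CARD_DATA_ACCESS%'
   AND dbusername <> 'POS_APP'
 ORDER BY event_timestamp DESC;
```

Two practical points: in 12.1 the database runs in mixed mode by default, so the traditional AUDIT trail keeps working alongside the new policies until you relink for pure unified auditing; and the audit data should leave the database it describes (Audit Vault, syslog, a SIEM), otherwise the attacker with the DBA credentials you are trying to detect can also erase the evidence.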

Develop a Security Inside Out Strategy

Breaches at organizations that followed PCI DSS requirements are a constant reminder that compliance alone does not thwart a motivated attacker. Assess your existing controls to identify the company-specific weaknesses that put your organization's data at risk.

Oracle suggests retailers adopt a defense-in-depth approach to protect sensitive data from the inside out and future-proof against evolving regulatory requirements such as the new version of the Payment Card Industry Data Security Standard (PCI DSS).

To learn more about Oracle’s Security Inside Out approach and assess your data security posture for potentially disastrous weaknesses in your environment, please contact your Oracle Security account team to set up a complimentary consultation.

Nice Article on Oracle Data Redaction

Gavin Soorma provides a nice article on the new Data Redaction feature in Oracle Database 12c (also backported to 11g Release 2, from 11.2.0.4 onward). Very nice blog demo, complete with explanations and screenshots.

Wednesday Jan 22, 2014

SANS Analyst Reviews Oracle Audit Vault and Database Firewall

New SANS Institute Report Puts Oracle Audit Vault and Database Firewall to the Test

A new report from leading security organization SANS Institute finds that Oracle Audit Vault and Database Firewall successfully achieves three key security objectives:

  • audit collection,
  • SQL traffic monitoring,
  • security event reporting.

With Oracle Audit Vault and Database Firewall, organizations can monitor both Oracle and non-Oracle database traffic, and detect and block threats. It also enhances compliance by consolidating audit data from disparate sources—including databases, operating systems, directories, custom applications, and more—into a secure data warehouse for reporting and alerting.

"Our review concluded that AVDF did what it claimed to do and is a valuable solution for organizations looking for a first line of defense that protects their data and databases," says SANS Analyst Tanya Baccam. "The functionality of AVDF became apparent through the review as we looked at audit trails and reports and tested SQL injections. AVDF comes with a variety of useful audit reports based on multiple regulations and standards, and it can monitor for malicious activity out of the box."

Register for the report here

Watch the webcast here

Oracle at RSA Conference 2014, Meet the Authors and Experts

Amidst the increasing frequency and growing onslaught of security attacks, data breaches and mobile threats, it's critical to have access to the latest in security insights, solutions, products and a network of peers facing the same issues you do. Attend RSA Conference, February 24 - 28 and prepare for five intensive days of knowledge gathering and information sharing.

Join Oracle (Booth #1509) as we demonstrate how our complete, best-of-breed security solutions enable you to secure critical applications and sensitive data, lower operational costs, and comply with regulatory requirements. Learn more about:

  • Oracle's Security Inside Out approach
  • Comprehensive defense in depth database security
  • The platform approach to identity management for cloud, mobile and social

To secure your complimentary RSA Conference 2014 Exhibit Hall Pass, click here and enter Oracle Code EC4ORACL by Friday, February 21.

Meet the Authors
Plan to meet the authors of the new book Securing Oracle Database 12c: A Technical Primer, as they give out autographed copies of their new book, while supplies last.

Book-signing hours:
Monday, February 24, 2014
6:30 p.m. – 7:30 p.m.

Tuesday, February 25, 2014
1:00 p.m. – 2:00 p.m.

Wednesday, February 26, 2014
5:00 p.m. – 6:00 p.m. (During Pub Crawl)

Event Exhibition: Meet the Experts
Visit with our security experts, see live product demonstrations, and more:

Monday, February 24, 2014
6:00 p.m. – 8:00 p.m. (Welcome Reception – Delegates & Expo Plus Only)

Tuesday, February 25, 2014
11:00 a.m. – 6:00 p.m.

Wednesday, February 26, 2014
11:00 a.m. – 6:00 p.m. (South Expo – Pub Crawl from 5:00 – 6:00 pm)
10:00 a.m. – 5:00 p.m. (North Expo)

Thursday, February 27, 2014
11:00 a.m. – 3:00 p.m.

OASIS Security Standards Showcase
Oracle will be demonstrating products that support the OASIS KMIP and PKCS #11 standards at the OASIS XACML Interop in booth #1909. The showcase hours are the same as the exhibit hours.

Thursday Jan 09, 2014

Now Available, Securing Oracle Database 12c: A Technical Primer eBook

Get your complimentary copy of the new database security ebook: Securing Oracle Database 12c: A Technical Primer.

The book is for database administrators who want to learn more about Oracle Database security and for security professionals who want to learn more about how to secure Oracle Databases in an overall IT environment. While the title references Oracle Database 12c, most of the content is applicable to Oracle Database 9i and above.

Add it to your electronic bookshelf and keep it handy as your go-to reference for Oracle Database 12c security.

The book was written by two members of our database security team: Paul Needham, Senior Director of Product Management, and Scott Rotondo, Consulting Member of Technical Staff; as well as Michelle Malcher, IOUG President and DBA Team Lead, DRW Holdings. What they've compiled is a great technical primer of the security capabilities available for Oracle Database 12c and how you can take advantage of them now.

And a big thanks to Tom Kyte for writing the foreword to the book.

Also, please submit your comments about the ebook below, we'd love to hear what you think!

Wednesday Dec 18, 2013

Teaser for New eBook on Securing Oracle Database 12c

I am really excited about our new book from the Oracle Database Security team here at Oracle. Securing Oracle Database 12c: A Technical Primer, will be available as an early gift to database and security practitioners around the world this holiday season. Go pre-register for your free copy (code: db12c) of the ebook and as a teaser, here's the Introduction. Enjoy.

Introduction to Securing Oracle Database 12c: A Technical Primer

The problem of securing important information has unfortunately become a familiar one to organizations everywhere. A constant stream of news reports tells of successful attacks that gain access to sensitive data and the legal, economic, and reputational damage that results. Even though the vast majority of sensitive data is stored in relational databases, very little of the information security effort in most organizations is devoted to making those databases secure.

While there are many technologies and products available to improve the security of a database in various ways, what is needed is a brief but comprehensive overview that describes the major threats and appropriate techniques to address them. Attackers can be expected to exploit any available weakness including incorrect configuration of security controls in the database, unpatched operating system vulnerabilities, or compromised user accounts. More indirect methods such as SQL injection or intercepting data on the network are also possible. Truly securing a database system requires consideration of any opening an attacker might use.

Each chapter in this book covers a single threat area, but they are all related. There is no single solution that prevents all methods of attack, and each security mechanism reinforces the others. Defense-in-depth is the only way to effectively combat both threats that are known today and those that will be discovered tomorrow.

We begin with security features available within the database itself.

  • Chapter 1: Controlling Data Access and Restricting Privileged Users describes the fundamental notions of authenticating users and controlling the data that they can access. It covers best practices for determining the access that each user requires and limiting the powers of highly privileged users.
  • Chapter 2: Preventing Direct Access to Data explains the use of encryption to prevent attacks that attempt to gain access to data directly, bypassing the access controls described in the previous chapter.
  • Chapter 3: Advanced Access Control covers more sophisticated access control mechanisms that allow for more precise control. These mechanisms include Virtual Private Database, Oracle Label Security, and Real Application Security.
  • Chapter 4: Auditing Database Activity describes the techniques for maintaining an effective audit trail, which is a vital defense-in-depth technique to detect misuse by privileged users and unexpected violations of the security policies implemented in the previous chapters.

We then broaden the discussion to include external components that improve the security of the database and the data it stores.

  • Chapter 5: Controlling SQL Input explains the use of a specialized database firewall to monitor the SQL statements going to the database. This helps to protect the database against SQL injection attacks launched by Web users.
  • Chapter 6: Masking Sensitive Data covers the use of data masking to remove sensitive information from data that is used for test or development purposes. It also describes the use of Data Redaction to dynamically mask the results of queries on production databases.
  • Chapter 7: Validating Configuration Compliance describes the need to evaluate the database configuration against accepted standards and the tools available for performing the evaluation to ensure continued compliance.

Throughout the book, we highlight new features found in Oracle Database 12c. However, the majority of the solutions described in this book are applicable to earlier Oracle Database releases as well.
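The contrast Chapter 5 draws, between the fixed statement shapes a database firewall can whitelist and the ever-changing text an injectable application produces, is easier to see in code. The following PL/SQL is an added example, not from the book or the original post: the first function concatenates user input into dynamic SQL and is injectable, the second passes the same value as a bind variable, and the third shows how run-time identifiers, which cannot be bound, are validated with DBMS_ASSERT. The table PAY.CARD_DATA and the function names are assumed for illustration.

```sql
-- Added example: SQL injection in PL/SQL dynamic SQL, and the fix.
-- Assumed (hypothetical) table PAY.CARD_DATA(card_id, cardholder, pan, ...).

-- VULNERABLE: the caller's string is spliced into the statement text.
-- Constructed input  x' OR '1'='1  turns the lookup into a full table read,
-- and because PL/SQL defaults to definer's rights the injected SQL runs
-- with the privileges of the function owner, not the caller.
CREATE OR REPLACE FUNCTION find_cards_unsafe (p_holder IN VARCHAR2)
  RETURN SYS_REFCURSOR
IS
  l_cur SYS_REFCURSOR;
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT card_id, pan FROM pay.card_data WHERE cardholder = '''
           || p_holder || '''';
  OPEN l_cur FOR l_sql;
  RETURN l_cur;
END;
/

-- HARDENED: the value travels as a bind variable, so it is never parsed as SQL.
-- The statement text is constant whatever the input.
CREATE OR REPLACE FUNCTION find_cards_safe (p_holder IN VARCHAR2)
  RETURN SYS_REFCURSOR
IS
  l_cur SYS_REFCURSOR;
BEGIN
  OPEN l_cur FOR
    'SELECT card_id, pan FROM pay.card_data WHERE cardholder = :holder'
    USING p_holder;
  RETURN l_cur;
END;
/

-- Identifiers (an owner or table name chosen at run time) cannot be bound.
-- DBMS_ASSERT.SQL_OBJECT_NAME returns the name only if it is a syntactically
-- valid, existing object; anything else raises ORA-44002 before it is
-- concatenated into the statement.
CREATE OR REPLACE FUNCTION count_rows (p_owner IN VARCHAR2, p_table IN VARCHAR2)
  RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM '
    || DBMS_ASSERT.SQL_OBJECT_NAME(p_owner || '.' || p_table)
    INTO l_count;
  RETURN l_count;
END;
/
```

With the constructed input `x' OR '1'='1`, find_cards_unsafe returns every row, while find_cards_safe returns only rows whose cardholder is literally that string. Because the bound version always submits identical statement text, a grammar-based firewall such as the one described above sees a single statement shape it can learn and whitelist; the concatenated version with an injected OR clause produces a shape it has never seen, which is what gets flagged or blocked. Binds are the fix at the application layer; the firewall is the independent control for code you cannot change.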

Pre-Register for the ebook now, it will be available before 2014! 

Use access code "db12c". 

Tuesday Dec 17, 2013

Top Database Security Trends in 2014

Analysts estimate that two-thirds of organizations' sensitive and regulated data resides in their databases—and the total amount of that sensitive data is growing fast, along with the rest of the digital universe. One analyst claims it will reach 35 zettabytes by 2020. 

As a result, security professionals and database administrators need to be asking two fundamental questions.
  • Where is all of my sensitive data?
  • Who has access to that data?

As we look forward into 2014, the trends covered in the latest edition of the Security Inside Out Newsletter highlight the importance of data security. Read more there.

Friday Dec 13, 2013

Security Inside Out Newsletter, December Edition

Get the latest edition of Security Inside Out newsletter to learn the top database security trends in 2014 and read the Q&A with Oracle and IOUG data security experts as they discuss key highlights for the new 2013 IOUG Enterprise Data Security Survey Report. Plus, much more.

And don't miss the opportunity to subscribe and receive the newsletter in your inbox every other month! 

Friday Dec 06, 2013

Q&A: 2013 IOUG Enterprise Data Security Survey Report

With the recent release of the 2013 Independent Oracle Users Group (IOUG) Enterprise Data Security Survey Report, I caught up with security experts Roxana Bradescu, Director of Database Security Product Management at Oracle, and Michelle Malcher, IOUG President and Oracle ACE Director, to get their perspectives on the report, and what organizations should take away from the results.

This year, the report broke down the respondents into database security leaders and laggards based on how proactive they were in protecting their data. What are your thoughts on this?

MM: We thought it was more meaningful to contrast the security practices of leaders and laggards, rather than just report an average, which is not really as representative of what’s happening out there. We decided that for an organization to be a leader, they had to first know where all of their sensitive and regulated data resides, they have to encrypt that data, either at rest or in motion, to protect it outside the database, and monitor for database changes such as sensitive data reads and writes. For those respondents who answered negatively to all three, the report qualifies them as laggards. So, we have 22% indicated as leaders at one end of a bell curve and 20% of laggards on the other; everyone else is somewhere on the bell curve.

RB: I think looking at the survey results on a bell curve this year really makes this report more actionable for organizations. Many of the companies I talk to are somewhere on the bell curve and are trying to figure out how to be in that top 22%. A lot of attacks are opportunistic and no one wants to be in that bottom 20%, the ones the survey found more likely to face a data breach. To be ahead of the curve, organizations need a defense-in-depth strategy. They need preventive controls like encrypting data, detective controls like monitoring for database changes, as well as administrative controls like knowing where all the sensitive and regulated data resides. But leaders go well beyond that to protect their data.

Of course being a leader requires organizations to make an investment. Michelle, what would you tell IOUG members are the benefits of being a leader?

MM: It is not surprising to see the report found that leadership behavior lowers risk.  Over the past year, leaders experienced a data breach nearly 3 times less than laggards. That’s for actual data breaches. When asked whether a data breach was likely over the next 12 months, 50% of the leaders said they were unlikely to experience one, whereas 62% of laggards said that yes, it is likely, or they were uncertain. 

Roxana, how does an organization move from a laggard to leader position?

RB: Although each organization is different, the approach to protecting databases is common. I suggest organizations start with a database security assessment to understand their risks and controls. It’s critical they consider:

  • Preventing database by-pass
  • Preventing application by-pass
  • Managing privileged user access
  • Detecting and blocking SQL injection attacks 
  • Monitoring databases for system changes

Being able to proactively monitor a secure configuration for the database environment is important as well. Change control in the environment is critical. Oracle offers a lot of materials for customers to protect the mission critical data in their databases.

How can database administrators prepare for the New Year?

MM: Leaders say they have experienced fewer breaches than laggards, and are less likely to experience them in the future. When we examine what they are doing differently, it’s obvious why. I encourage database administrators and security professionals to read the report and discover where they can improve.

RB: DBAs play a major role in the security within their organization. IDC states that 66% of sensitive and regulated data resides in databases. By securing their databases, DBAs can protect 66% of the data in their organization - that’s huge. We are seeing DBAs increasingly becoming proactive with a comprehensive database security strategy that includes preventive, detective, and administrative security controls. 

For more analysis and steps you can take to become a leader:

 

Tuesday Nov 26, 2013

Security Inside Out: Where to Start?

Guest article written by Eric Maurice, Director for Oracle Software Security Assurance.

In my current role, I assist with the definition and communication of many Oracle security policies as they apply to the development of our products as well as how we look at security internally for the protection of our corporate systems and the systems we host on behalf of our customers.  Since Oracle runs its business on Oracle products, our security organizations have developed extensive expertise in how to secure our products “across the stack” and in various deployment scenarios.  I often interact with customers to answer security questions related to our products (e.g., questions around Oracle’s secure development and vulnerability handling practices) and security processes (e.g., questions related to how we handle security patching and define and enforce secure configurations).

In addition, I am periodically engaged in more general discussions with customers regarding how to best strategically approach security in their organizations.  These conversations are usually prompted by failed security audits of some systems, a change in IT management in the organization (new IT managers or CISO), the launch of major IT projects, or suspicions and sometimes evidence of a past security incident.  In such instances, a renewed focus on securing the organization can quickly become overwhelming.  There are many IT frameworks intended to help organizations tackle security policies, such as COBIT and ISO/IEC 27000.  However, what IT professionals more often need in these instances is to adopt a security philosophy, and to switch to a new perspective on IT operations.  Only then can they fully leverage the various frameworks available to them, as opposed to blindly engaging in a security documentation exercise that has little practical value for the organization besides generating healthy profits for outside auditors and pen testers.

So where do you start?  What intellectual process must you follow to take a fresh look at your organization’s security posture?  In my opinion, the first challenge is to come to the realization that your organization needs to “get back to the basics.”  What are your top 10 business-critical systems (or mission-critical systems)?  What components of your IT infrastructure comprise these business-critical systems?  What does it mean if any one of them is compromised or unavailable?  What are the top threats in your environment?  In my experience, many organizations’ IT investments or security policies are not intended to address the top threats that affect their business-critical systems.  Are yours?  Do you actually invest your time and security resources to address significant threats to your business-critical systems?  The ugly truth that we all have to come to terms with is that unless you have an unlimited IT budget or a very small IT environment to manage (and no operational need to ever change it), you cannot afford to strongly secure all your systems equally well all the time.

The second challenge with taking a fresh look at your organization’s security posture is thinking multidimensionally.  Security does not exist in a silo, even though most large organizations, where specialization is required, have such IT silos.  Are DBAs aware of the network access controls that exist around the databases they manage?  Do they understand the security model of the applications?  Do application managers and users understand database security models?  Have system security configurations been developed collaboratively between the different IT staffs?  Do systems administrators understand the chain of trust that exists between the different systems they manage?  This is where the traditional concept of “security-in-depth” comes into play.  Has the organization implemented complementary (and not necessarily redundant) security controls across the technology stack in the enterprise?  For example, application bypass attacks can be prevented by strong database access control policies.  OS access control policies should be enforced so that privileges on system files, on the relevant database and application files (log files included), and on resources on every server in the environment are tightly controlled.  At the network level, access control policies should limit, as much as possible, connections to database servers to those coming from their respective application servers.  Note, however, that network access control policies should not prevent customers from implementing valid node checking in their databases.

On a related topic, native network encryption, SSL/TLS, and strong authentication services (Kerberos, PKI, and RADIUS) no longer require a separate license and are available in all licensed editions of all supported releases of the Oracle database.  Database customers should take advantage of this licensing change to enable network encryption and, if possible, strong authentication.  A similar hardening approach should be used between application servers and web servers when the applications are exposed to the Internet.  Tightly controlling subnets around critical systems and controlling how systems can connect with each other bring organizations a long way toward maintaining a good security posture.
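As an added illustration of the two controls recommended in this and the preceding paragraph (restricting which hosts may reach the listener, and native Oracle Net encryption with integrity checking), here is a server-side sqlnet.ora fragment. It is not from the article; the parameter names are real Oracle Net parameters, while the addresses and host names are made up.

```text
# Added example: sqlnet.ora on the database server (assumed values).

# --- Native network encryption and integrity, no extra license required ---
# The default for all four settings is ACCEPTED, which quietly yields a
# plaintext session whenever the client side does not ask for encryption.
# REQUIRED rejects clients that cannot negotiate it.
SQLNET.ENCRYPTION_SERVER             = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER       = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER        = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER  = (SHA1)

# --- Valid node checking: only the application tier and the admin jump host
# may open a connection through the listener. Evaluated by the listener, so
# reload it after editing. Never list a wildcard here.
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES      = (10.10.20.11, 10.10.20.12, dbadmin-jump.example.com)

# --- Client side (sqlnet.ora on the application servers), so the handshake
# cannot downgrade from either end:
#   SQLNET.ENCRYPTION_CLIENT       = REQUIRED
#   SQLNET.CRYPTO_CHECKSUM_CLIENT  = REQUIRED
```

To confirm that a session actually negotiated encryption rather than silently falling back, run `SELECT network_service_banner FROM v$session_connect_info WHERE sid = SYS_CONTEXT('USERENV', 'SID');` from a client connection: the banner lines should name the encryption and crypto-checksum adapters in use. Valid node checking is a listener-level filter on source address, not authentication; it complements, rather than replaces, network firewall rules and the strong authentication methods mentioned above.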

Multidimensional thinking should not be limited to technical issues affecting the IT environment.  Multidimensional security thinking should also apply to the organization overall.  For example, the human factor remains one of the weakest links from a security perspective.  Organizations generally train staff about what constitutes a good password, but do they sensitize staff to social engineering issues?  Ongoing security training for all staff is necessary for the organization in the same way that firewalls and traditional security technologies are required.

So where do you start when you need to reassess the security posture of the organization?  Start with the basics: know your systems and who uses them.  Try to think like a hacker and question closely-held assumptions and technical silos: malicious hackers will not feel bound by technical diagrams and organizational expectations of how systems will be accessed.  By all means, take advantage of the various security methodologies and frameworks, but do not get caught exclusively in a policy documentation or audit exercise.  Periodically assess your security readiness, and when appropriate do selective pen-testing (keeping in mind that demonstrating how to break a window does not necessarily help you safeguard the entire house).  Understand the security assurance practices of your strategic vendors as they will have great impact on the security posture of the organization.  And of course, keep up with releases and Oracle’s Critical Patch Updates.  Obsolete and unsupported versions, regardless of their initial vendors, can become ticking time bombs, as security patches become no longer available, but exploits for these systems become widely known (and scripted into hacking tools).  

Tuesday Oct 29, 2013

Get the Latest Security Inside Out Newsletter, October Edition

The latest October edition of the Security Inside Out newsletter is now available and covers the following important security news:

Oracle Security Inside Out Newsletter

Securing Oracle Database 12c: A Technical Primer

The new multitenant architecture of Oracle Database 12c calls for adopting an updated approach to database security. In response, Oracle security experts have written a new book that is expected to become a key resource for database administrators. Find out how to get a complimentary copy. 

Read More

HIPAA Omnibus Rule Is in Effect: Are You Ready?

On September 23, 2013, the HIPAA Omnibus Rule went into full effect. To help Oracle’s healthcare customers ready their organizations for the new requirements, law firm Ballard Spahr LLP and the Oracle Security team hosted a webcast titled “Addressing the Final HIPAA Omnibus Rule and Securing Protected Health Information.” Find out three key changes affecting Oracle customers. 

Read More

The Internet of Things: A New Identity Management Paradigm

By 2020, it’s predicted there will be 50 billion devices wirelessly connected to the internet, from consumer products to highly complex industrial and manufacturing equipment and processes. Find out the key challenges of protecting identity and data for the new paradigm called the Internet of Things. 

Read More

Sunday Oct 06, 2013

New Database Threats Require New Innovations in Security

If you attended OpenWorld this year, you learned about the advances in Oracle Database 12c. As we collect more data and store it in remote locations and the cloud, 12c adds controls that secure data at the source. At the Chief Security Officer Summit at Leaders Circle, Vipin Samar discussed the changes in the security landscape that are forcing companies to re-examine how data is secured. The recent APT1 report by Mandiant highlights just how pervasive the threats are across every industry.

While the report documents the operations of one specific government-backed group, the techniques it describes are in wide use. A recent report by the Ponemon Institute noted that 43% of the most serious attacks are SQL injection attacks. That statistic says two things: our most valuable data really does reside in our databases, and organizations are not yet prepared to secure them.

It seems almost every report on the state of IT security mentions database security. As an example, the PwC Global State of Information Security report breaks down database encryption adoption by region. In North America alone, 53% of companies don't encrypt their databases. Despite the threats, organizations are not fully responding.

The slides below provide a perspective on how a comprehensive approach to database security can set the foundation for preventing some of the most advanced threats. With Oracle Database 12c, there are several security advances that organizations will want to focus on:

  • Data Redaction - learn more here
  • Privilege Analysis - learn more here
  • Audit Vault and Database Firewall - learn more here
  • More about security in 12c here

For a limited time, you can register for a free copy of a new book on Database Security 12c. 
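Privilege Analysis, listed above, answers the question the retail post at the top of this page asks ("who has access to that data?") with evidence rather than guesswork: it records which of an account's granted privileges were actually exercised. The following is an added example, not from the original post or Oracle's documentation; the account, role and capture names are assumed, and it must be run by a user holding the CAPTURE_ADMIN role. In 12c Release 1 the feature is licensed as part of the Oracle Database Vault option, although Database Vault itself does not have to be enabled to use it.

```sql
-- Added example: privilege analysis with DBMS_PRIVILEGE_CAPTURE (12c).
-- Assumed: POS_APP holds POS_APP_ROLE plus a broad LEGACY_DBA_ROLE that an
-- earlier project granted "to make it work". Run as a CAPTURE_ADMIN user.

-- 1. Define what to capture: every privilege exercised in sessions of POS_APP.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'pos_app_capture',
    description => 'Privileges actually used by the POS application',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''POS_APP''');
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'pos_app_capture');
END;
/

-- 2. Run the application through a complete business cycle (end of day,
--    month end, error paths, batch jobs) so rarely used privileges show up,
--    then stop the capture and materialize the result.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'pos_app_capture');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'pos_app_capture');
END;
/

-- 3a. What the application really used, and through which role it got it.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'pos_app_capture'
 ORDER BY used_role, sys_priv, obj_priv, object_name;

-- 3b. What was granted but never touched: the revocation candidates.
SELECT username, rolename, sys_priv, obj_priv, object_owner, object_name
  FROM dba_unused_privs
 WHERE capture = 'pos_app_capture'
 ORDER BY rolename, sys_priv, obj_priv, object_name;

-- 4. Act on the result in a test environment first, then re-capture to
--    confirm nothing broke. Typical outcome when the report shows that
--    nothing from LEGACY_DBA_ROLE was ever used:
-- REVOKE legacy_dba_role FROM pos_app;

-- 5. Housekeeping once the analysis is finished.
-- EXEC DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'pos_app_capture');
```

The most common mistake is revoking on the strength of a short capture window: a privilege that is exercised once a quarter (a year-end report, a reorg job) looks unused for eleven months. Keep the capture running across every cycle the application has before treating DBA_UNUSED_PRIVS as a revocation list.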

Wednesday Oct 02, 2013

Security in Oracle Database 12c Gives Reason for Customers to Upgrade

The latest edition of Oracle Magazine, headlined with Plug into the Cloud, gives many reasons for customers to upgrade to the latest release, Oracle Database 12c.

In the article Time to Upgrade, Michelle Malcher, President of the Independent Oracle Users Group (IOUG) and Oracle ACE Director, says "Oracle Database 12c is packed with several new and enhanced security features. A great new security feature is privilege analysis, which allows DBAs to get to the bottom of what permissions are really needed and used. How much time is that going to save in audit reports and managing the security for least privilege?"

To prepare for the latest release of Oracle Database, Malcher had an opportunity to sit down and beta test the latest features with others. During this time, we captured some of her comments, along with those of other beta testers, about another new feature: data redaction (see the video below).

She goes on to say "Redaction is another security feature that is easy to implement and probably will save a lot of time previously spent having to mask data in different environments or code solutions to hide private data and information. Setting up a comprehensive redaction policy for users, applications, and environments can further protect sensitive data."

Learn more about the new security features in the latest release of Oracle Database 12c.
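Data Redaction comes up three times on this page: in Gavin Soorma's demo article, in Chapter 6 of the book, and in Michelle Malcher's comment above that it is easy to implement. As an added example, not from any of those sources, the following PL/SQL creates one redaction policy on a card table that masks all but the last four digits of the card number and hides the CVV entirely, except for the billing application itself. The table PAY.CARD_DATA, its columns, and the BILLING_APP account are assumed; the card number is assumed to be stored in the 19-character form with hyphens that the format string below describes. The caller needs EXECUTE on DBMS_REDACT.

```sql
-- Added example: Oracle Data Redaction (DBMS_REDACT) on a card table.
-- Assumed (hypothetical): PAY.CARD_DATA(card_id, cardholder,
--   pan VARCHAR2(19) stored as 'VVVV-VVVV-VVVV-VVVV', cvv VARCHAR2(4)).

BEGIN
  -- Partial redaction of the PAN. function_parameters is:
  --   input format  (V = digit to consider, F = formatting character kept as is),
  --   output format (how the value is rendered),
  --   mask character, first and last V position to mask (1..12 of 16 digits).
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'PAY',
    object_name         => 'CARD_DATA',
    policy_name         => 'redact_card_data',
    column_name         => 'PAN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12',
    -- The policy applies to every session except the billing application.
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''BILLING_APP''');

  -- Same policy, second column: nobody but the application ever sees a CVV.
  -- FULL redaction of a character column returns a single space.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'PAY',
    object_name   => 'CARD_DATA',
    policy_name   => 'redact_card_data',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'CVV',
    function_type => DBMS_REDACT.FULL);
END;
/

-- A report user querying the table now sees (constructed row):
--   CARD_ID  CARDHOLDER   PAN                  CVV
--   1001     A. Example   ****-****-****-4242  (blank)
-- while BILLING_APP, for which the expression is false, sees the real values.

-- Verify the policy and the columns it covers.
SELECT object_owner, object_name, policy_name, enable, expression
  FROM redaction_policies
 WHERE object_name = 'CARD_DATA';
SELECT object_name, column_name, function_type, function_parameters
  FROM redaction_columns
 WHERE object_owner = 'PAY' AND object_name = 'CARD_DATA';
```

Two caveats a practitioner should keep in mind. First, redaction rewrites query results, not storage: users who can run ad hoc SQL can still learn values through WHERE-clause inference (`... WHERE pan LIKE '4242%'`), so it is a control against casual exposure in applications and reports, not a substitute for the encryption and access controls in the earlier chapters. Second, any account holding the EXEMPT REDACTION POLICY privilege (SYS has it, and the DBA role carries it) sees unredacted data, which is exactly the privileged-user gap that auditing and Database Vault are there to cover.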

Friday Sep 27, 2013

Oracle OpenWorld News: Oracle Big Data Appliance Secures Big Data in the Enterprise

Software Enhancements to Leading Big Data Appliance Help Organizations Secure Data and Accelerate Strategic Business Insights

While Hadoop provides a scalable foundation for Big Data projects, the lack of built-in security has been an obstacle for many enterprises. To meet this need, Oracle has enhanced the Oracle Big Data Appliance to include enterprise-class security capabilities for Hadoop using Oracle Audit Vault and Database Firewall.

By consolidating and analyzing the Hadoop audit trail, Oracle Audit Vault and Database Firewall can enforce policies that alert on suspicious or unauthorized activity. Additionally, the consolidated audit data allows organizations to demonstrate their controls and generate the reports needed for regulatory compliance and audits.

Read the press release. 

Monday Sep 16, 2013

Limited Time Complimentary eBook, Securing Oracle Database 12c


Securing Oracle Database 12c: A Technical Primer

Pre-register For Your Copy Now

With the launch of Oracle Database 12c, securing your databases is more important than ever. For a limited time you can pre-register for a new complimentary eBook and learn about Oracle Database Security from the experts who brought you the #1 database in the world.

Are you an Oracle DBA who wants to protect your databases? The new ebook, Securing Oracle Database 12c: A Technical Primer, will be the book that database administrators will want to turn to for their database security questions.

For a limited time, Oracle Press will be offering this book free of charge, so pre-register for your copy now.
