Monday Aug 04, 2014

Securing Data in the New Digital Economy Webcast

2014 has already witnessed some of the largest data breaches on record. As the black market for stolen data becomes increasingly organized, the supply chain for information is providing an efficient means to monetize a vast array of stolen information. At the same time, our legal economy is becoming more hyper-connected, providing more digital services and making companies more vulnerable to attacks. In this session we will explore the security requirements for information in the new digital economy and, drawing on the vast amount of case information from breach investigations, distill a security strategy to reduce risk.

Register to hear the recorded webcast. 

Thursday Jul 17, 2014

What's the Difference Between Oracle Transparent Data Encryption, Data Masking and Data Redaction?

Oracle database security solutions provide three means of making data at rest unreadable. We sometimes get questions about their differences.

Oracle Advanced Security 

Transparent Data Encryption (TDE), a capability of Oracle Advanced Security, is transparent to applications and users: it encrypts data within the Oracle Database on disk without any changes to existing applications. TDE ships as part of the Oracle Database, so if you have Oracle, you already have Oracle Advanced Security and simply require a license to activate it.

When would you use TDE? 

TDE stops would-be attackers from bypassing the database and reading sensitive information from storage by enforcing data-at-rest encryption in the database layer. Applications and users authenticated to the database continue to have access to application data transparently (no application code or configuration changes are required), while attacks from OS users attempting to read sensitive data from tablespace files and attacks from thieves attempting to read information from acquired disks or backups are denied access to the clear text data.

Data Redaction, also a capability of Oracle Advanced Security, provides selective, on-the-fly redaction of sensitive data in SQL query results prior to display by applications so that unauthorized users cannot view the sensitive data. It enables consistent redaction of database columns across application modules accessing the same database information. Data Redaction minimizes changes to applications because it does not alter actual data in internal database buffers, caches, or storage, and it preserves the original data type and formatting when transformed data is returned to the application. 

When would you use data redaction? 

Existing applications often return sensitive data such as dates of birth and social security numbers to call center and support staff, or even to customers. Traditionally, organizations would have to access and change application source code in order to redact sensitive data. This can be error-prone, laborious, and performance-heavy. Data redaction mitigates this risk and helps organizations meet compliance requirements, such as PCI DSS, by masking displayed data within applications.

Learn more about transparent data encryption and data redaction. 
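As an added example (not from the original post), the following SQL shows the two Oracle Advanced Security layers together on a constructed CUSTOMERS table: TDE encrypting the tablespace that holds it, and a Data Redaction policy hiding most of the SSN from sessions that lack a support role. The schema APP_OWNER, the role APP_SUPPORT_FULL, the tablespace APP_SECURE and the data file name are assumptions, and the TDE keystore is assumed to be configured and open.

```sql
-- Added example, not from the original post. Assumed names: tablespace APP_SECURE,
-- schema APP_OWNER, role APP_SUPPORT_FULL. Prerequisite (12c syntax, run as SYSKM):
-- the TDE keystore must already exist and be open, e.g.
--   ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<keystore_password>";

-- 1. TDE: everything written to this tablespace is encrypted on disk, so reading
--    the data file, or a backup of it, outside the database yields ciphertext only.
CREATE TABLESPACE app_secure
  DATAFILE 'app_secure01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Constructed sample table and row; the application is unaware of the encryption.
CREATE TABLE app_owner.customers (
  cust_id   NUMBER        PRIMARY KEY,
  full_name VARCHAR2(100),
  ssn       VARCHAR2(11)               -- stored as NNN-NN-NNNN
) TABLESPACE app_secure;

INSERT INTO app_owner.customers (cust_id, full_name, ssn)
  VALUES (1, 'Sample Person', '123-45-6789');   -- constructed value, not a real SSN
COMMIT;

-- 2. Data Redaction: partial redaction applied to query results, never to the
--    stored data. The policy fires for any session that does NOT hold the role.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP_OWNER',
    object_name         => 'CUSTOMERS',
    column_name         => 'SSN',
    policy_name         => 'redact_customer_ssn',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last digit to mask
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    expression          => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''APP_SUPPORT_FULL'') = ''FALSE''',
    enable              => TRUE);
END;
/

-- 3. The same query, run by a call-center session and by a session holding the
--    role, returns the column in its original VARCHAR2(11) shape either way; only
--    the visible digits differ, and the row on disk is untouched.
SELECT cust_id, full_name, ssn
  FROM app_owner.customers;

-- Confirm the policy is registered and enabled.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 WHERE object_owner = 'APP_OWNER';
```

A session without APP_SUPPORT_FULL sees the SSN as ***-**-6789, while a session with the role sees the full value; neither path changes what TDE has written to disk.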

Oracle Data Masking and Subsetting

Data Masking enables sensitive information such as credit card or social security numbers to be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with outsourcing partners or offshore teams for other nonproduction purposes.

When would you use data masking?  

Data masking is used in nonproduction environments for quality assurance, testing, and development purposes. Many organizations inadvertently breach information when they routinely copy sensitive and regulated production data into nonproduction environments. Data in nonproduction environments, which can be lost or stolen, has increasingly become the target of cyber criminals. Data masking helps organizations reduce this risk and meet compliance requirements.

Learn more about data masking. 

Monday Jun 30, 2014

June Ed of Security Inside Out Newsletter Is Out

Get the latest edition of Oracle Security Inside Out Newsletter and subscribe to future editions. As a bi-monthly security newsletter, we cover all things security for both Oracle Database Security and Identity Management solutions, news, and events. Here are this month's database security articles:

Five Hard Lessons Learned from the Verizon Report on APT1 Attack

Advanced persistent threats (APT) are a type of ongoing cyberattack from well-coordinated and funded cybercriminals who penetrate an organization slowly and methodically. Find out from Oracle experts what key lessons your organization can take away from the analysis of an APT attack.

Know Your Enemy: Profile Attackers and Defend Targeted Assets

In the new Countering Adversaries webcast series now available on demand, security experts explain how to identify the kinds of adversaries specific industries attract, understand the types of data they are after, and focus in on the tools that provide the most effective deterrence against these specific threats.

Friday Jun 27, 2014

Securing Gas and Electrical Utilities with Oracle Audit Vault and Database Firewall

Medicine Hat is a city of 61,180 people in southeast Alberta, Canada. The City of Medicine Hat Electric Utility began generating electricity in 1910 using diesel fuel. Today, the power plant uses co-generation turbines with natural gas and steam to produce electricity for its customers. The Electric Utility generates, transmits and distributes electricity to approximately 30,000 customers within the City of Medicine Hat, Redcliff, Dunmore, Veinerville and outlying rural areas adjacent to the city.

Medicine Hat IT security challenges

  • Provide secure online utility billing system with direct database access
  • Work with limited IT department resources, including 17 people for the entire city
  • Secure a heterogeneous database environment: Oracle and SQL Server

Solution

The City of Medicine Hat chose Oracle Audit Vault and Database Firewall to monitor database traffic and detect and block threats such as SQL injection and privilege escalation attacks. 

Listen to the podcast to hear database administrator Chris Maxwell explain how the City of Medicine Hat uses Oracle Audit Vault and Database Firewall to protect their billing system web application and Microsoft SQL Server database.


Wednesday Jun 11, 2014

Q&A: Oracle's Paul Needham on How to Defend Against Insider Attacks

Source: Database Insider Newsletter:

The threat from insider attacks continues to grow. In fact, just since January 1, 2014, insider breaches have been reported by a major consumer bank, a major healthcare organization, and a range of state and local agencies, according to the Privacy Rights Clearinghouse.

We asked Paul Needham, Oracle senior director, product management, to shed light on the nature of these pernicious risks—and how organizations can best defend themselves against the threat from insider risks.

Q. First, can you please define the term "insider" in this context?

A. According to the CERT Insider Threat Center, a malicious insider is a current or former employee, contractor, or business partner who "has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems." 

Q. What has changed with regard to insider risks?

A. We are actually seeing the risk of privileged insiders growing. In the latest Independent Oracle Users Group Data Security Survey, the number of organizations that had not taken steps to prevent privileged user access to sensitive information had grown from 37 percent to 42 percent. Additionally, 63 percent of respondents say that insider attacks represent a medium-to-high risk—higher than any other category except human error (by an insider, I might add).

Q. What are the dangers of this type of risk?

A. Insiders tend to have special insight and access into the kinds of data that are especially sensitive. Breaches can result in long-term legal issues and financial penalties. They can also damage an organization's brand in a way that directly impacts its bottom line. Finally, there is the potential loss of intellectual property, which can have serious long-term consequences because of the loss of market advantage. 

Q. How can organizations protect themselves against abuse of privileged access?

A. Every organization has privileged users and that will always be the case. The questions are how much access should those users have to application data stored in the database, and how can that default access be controlled? Oracle Database Vault was designed specifically for this purpose and helps protect application data against unauthorized access. 

Oracle Database Vault can be used to block default privileged user access from inside the database, as well as increase security controls on the application itself. Attacks can and do come from inside the organization, and they are just as likely to come from outside as attempts to exploit a privileged account. 

Using Oracle Database Vault protection, boundaries can be placed around database schemas, objects, and roles, preventing privileged account access from being exploited by hackers and insiders. 

A new Oracle Database Vault capability called privilege analysis identifies privileges and roles used at runtime, which can then be audited or revoked by the security administrators to reduce the attack surface and increase the security of applications overall. 

For a more comprehensive look at controlling data access and restricting privileged data in Oracle Database, download Needham's new e-book, Securing Oracle Database 12c: A Technical Primer.
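The privilege analysis step mentioned in the interview, as an added example that is not part of the interview or of Oracle's own documentation: a capture scoped to one application account, run through a representative workload, then a report of the granted-but-unused privileges that the security administrator can revoke. The account name APP_BATCH and the privilege revoked at the end are assumptions.

```sql
-- Added example (not from the original post). Assumed: an application account
-- APP_BATCH whose grants have accumulated over time. Run as a user holding the
-- CAPTURE_ADMIN role; 12c DBMS_PRIVILEGE_CAPTURE syntax.

-- 1. Define a capture that records only what APP_BATCH sessions actually use.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'APP_BATCH_CAPTURE',
    description => 'Privileges exercised by APP_BATCH during a normal batch cycle',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''APP_BATCH''');
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'APP_BATCH_CAPTURE');
END;
/

-- 2. Let the real workload run long enough to cover every code path (a full
--    batch cycle, month-end processing), then stop and materialise the result.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'APP_BATCH_CAPTURE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'APP_BATCH_CAPTURE');
END;
/

-- 3. Granted but never exercised: these are the revocation candidates.
SELECT username, sys_priv
  FROM dba_unused_sysprivs
 WHERE capture = 'APP_BATCH_CAPTURE'
 ORDER BY sys_priv;

SELECT username, obj_priv, object_owner, object_name, object_type
  FROM dba_unused_objprivs
 WHERE capture = 'APP_BATCH_CAPTURE'
 ORDER BY object_owner, object_name;

-- For comparison, what the account genuinely needed during the run.
SELECT username, sys_priv
  FROM dba_used_sysprivs
 WHERE capture = 'APP_BATCH_CAPTURE'
 ORDER BY sys_priv;

-- 4. Reduce the attack surface: revoke an unused grant surfaced by the report.
--    SELECT ANY TABLE is a constructed example; revoke what your own report shows.
REVOKE SELECT ANY TABLE FROM app_batch;

-- Drop the capture once the review is closed and the change has been accepted.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'APP_BATCH_CAPTURE');
END;
/
```

Keep the generated result until the revocations have been exercised in a later run, so the before/after evidence is available for audit.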

Friday Jun 06, 2014

Payback Is The Coupon King

PAYBACK GmbH operates the largest marketing and couponing platforms in the world—with more than 50 million subscribers in Germany, Poland, India, Italy, and Mexico. 

The Security Challenge

Payback handles millions of requests for customer loyalty coupons and card-related transactions per day under tight latency constraints—with up to 1,000 attributes or more for each PAYBACK subscriber. Among the many challenges they solved using Oracle, they had to ensure that storage of sensitive data complied with the company’s stringent privacy standards aimed at protecting customer and purchase information from unintended disclosure.

Oracle Advanced Security

The company deployed Oracle Advanced Security to achieve reliable, cost-effective data protection for back-up files and gain the ability to transparently encrypt data transfers.

By using Oracle Advanced Security, organizations can comply with privacy and regulatory mandates that require encrypting and redacting (display masking) application data, such as credit cards, social security numbers, or personally identifiable information (PII).

Learn more about how PAYBACK uses Oracle.

Wednesday Jun 04, 2014

The Top Ten Security Top Ten Lists

As marketers, we're always putting together a top 3, a 5 best, or some other assortment of top ten lists. So instead of going that route, I've put together my top ten security top ten lists. These are not only for security practitioners but also for the average Joe/Jane, because who isn't concerned about security these days? Now, there might not be ten in each of these lists, but the title works best that way.

Starting with my number ten (in no particular order):

10. Top 10 Most Influential Security-Related Movies

Amrit Williams pulls together a great collection of security-related movies. He asks for comments on which one made you want to get into the business. I would have to say that my most influential movie(s), that made me want to get into the business of "stopping the bad guys" would have to be the James Bond series. I grew up on James Bond movies: thwarting the bad guy and saving the world. I recall being both ecstatic and worried when Silicon Valley-themed "A View to A Kill" hit theaters: "An investigation of a horse-racing scam leads 007 to a mad industrialist who plans to create a worldwide microchip monopoly by destroying California's Silicon Valley." Yikes!

9. Top Ten Security Careers

From movies that got you into the career, here’s a top 10 list of security-related careers. It starts with number ten, Information Security Analyst, and ends with number one, Malware Analyst. They point out the significant growth in security careers and indicate that "according to the Bureau of Labor Statistics, the field is expected to experience growth rates of 22% between 2010-2020." If you are interested in getting into the field, Oracle has many great opportunities all around the world.

8. Top 125 Network Security Tools

A bit outside the range of 10, the top 125 Network Security Tools is an important list because it ranks the key tools that practitioners and the hacking community are actually using, regardless of whether they are vendor supplied or open source. The exhaustive list provides ratings, reviews, searching, and sorting.

7. Top 10 Security Practices

I have to give a shout out to my alma mater, Cal Poly, SLO: Go Mustangs! They have compiled their list of top 10 practices for students and faculty to follow. Educational institutions are a common target of web-based attacks and miscellaneous errors according to the 2014 Verizon Data Breach Investigations Report.

6. (ISC)2 Top 10 Safe and Secure Online Tips for Parents

This list is arguably the most important list on my list. The tips were "gathered from (ISC)2 member volunteers who participate in the organization’s Safe and Secure Online program, a worldwide initiative that brings top cyber security experts into schools to teach children ages 11-14 how to protect themselves in a cyber-connected world…If you are a parent, educator or organization that would like the Safe and Secure Online presentation delivered at your local school, or would like more information about the program, please visit here.”

5. Top Ten Data Breaches of the Past 12 Months

This type of list is always changing, so it's nice to have a current one here from TechRadar.com. They've compiled and commented on the top breaches. It is likely that most readers here were affected in some way or another.

4. Top Ten Security Comic Books

Although mostly physical security controls, I threw this one in for fun. My vote for #1 (not on the list) would be Professor X. The guy can breach confidentiality, integrity, and availability just by messing with your thoughts.

3. The IOUG Data Security Survey's Top 10+ Threats to Organizations

The Independent Oracle Users Group annual survey on enterprise data security, Leaders Vs. Laggards, highlights what Oracle Database users deem as the top 12 threats to their organization. You can find a nice graph on page 9; Figure 7: Greatest Threats to Data Security.

2. The Ten Most Common Database Security Vulnerabilities

Though I don't necessarily agree with all of the vulnerabilities in this order...I like a list that focuses on where two-thirds of your sensitive and regulated data resides (Source: IDC). 

1. OWASP Top Ten Project

The Online Web Application Security Project puts together their annual list of the 10 most critical web application security risks that organizations should be including in their overall security, business risk and compliance plans. In particular, SQL injection risks continue to rear their ugly head each year. Oracle Audit Vault and Database Firewall can help prevent SQL injection attacks and monitor database and system activity as a detective security control.

Did I miss any?

Tuesday May 27, 2014

Oracle Key Vault Sneak Peek at NYOUG

The New York Oracle Users Group will get a sneak peek of Oracle Key Vault on Tuesday, June 3, by Todd Bottger, Senior Principal Product Manager, Oracle.

If you recall, Oracle Key Vault made its first appearance at last year's Oracle OpenWorld in San Francisco within the session "Introducing Oracle Key Vault: Enterprise Database Encryption Key Management."

You can catch Todd's talk from 9:30 to 10:30 am.

Session Abstract

With many global regulations calling for data encryption, centralized and secure key management has become a need for most organizations. This session introduces Oracle Key Vault for centrally managing encryption keys, wallets, and passwords for databases and other enterprise servers. Oracle Key Vault enables large-scale deployments of Oracle Advanced Security’s Transparent Data Encryption feature and secure sharing of keys between Oracle Real Application Clusters (Oracle RAC), Oracle Active Data Guard, and Oracle GoldenGate deployments. With support for industry standards such as OASIS KMIP and PKCS #11, Oracle Key Vault can centrally manage keys and passwords for other endpoints in your organization and provide greater reliability, availability, and security. 

Wednesday May 14, 2014

What's New in Oracle Audit Vault and Database Firewall

Oracle released an update to Oracle Audit Vault and Database Firewall, which provides a first line of defense for databases and consolidates audit data from databases, operating systems, and directories. A highly accurate SQL grammar-based technology monitors and blocks unauthorized SQL traffic before it reaches the database. Information from the network is combined with detailed audit information for easy compliance reporting and alerting. With Oracle Audit Vault and Database Firewall, monitoring controls can be easily tailored to meet enterprise security requirements.

New Enterprise-Grade Features

  • iSCSI SAN storage support for audit repository
  • NFS storage support for audit data archiving
  • Simplified Audit Vault Agent deployment
  • Audit Vault Agent automatic update
  • Policy alerts forwarding to syslog
  • Audit Vault repository protection by Oracle Database Vault

Extended Platform Support

  • Database Firewall support for Oracle Database 9i and MySQL 5.6
  • Windows and Linux 32-bit host OS for Audit Vault Agents
  • Oracle Linux 6.x OS (with auditd 2.2.2 up to version 6.4) auditing support

Go here for additional enhancements, and to download Oracle Audit Vault and Database Firewall.

Monday May 12, 2014

Human Error is Greatest Risk to Data Security...

...according to the Independent Oracle Users Group (IOUG) Enterprise Data Security survey. Joe McKendrick, Forbes and Database Trends and Applications (DBTA) Analyst/Contributor, writes about the escalating stakes of data security.

"When asked what they saw as the greatest risks, threats, or vulnerabilities to their data, human error came out on top, cited by 77% of respondents. Second was fear of inside hacks, cited by 63%, up from 57% in 2010."

The new 2014 Verizon Data Breach Investigations Report provides even further details around types of errors that are most common, including misdelivery (44%), publishing error (22%), and more. 

"The data seems to suggest that highly repetitive and mundane business processes involving sensitive info are particularly error prone. It’s also noteworthy that this pattern contains more incidents caused by business partners than any other."

Both are interesting reads, so check into them when you get a chance. And, if you are a member of the IOUG, please be sure to provide your responses to this year's 2014 Enterprise Data Security Survey. You should have received your invitation to participate via email. 


Wednesday Apr 16, 2014

New Oracle Data Masking and Subsetting Blog

I wanted to call everyone's attention to the new Oracle Data Masking and Subsetting blog.

Dinesh has recently joined our database security product management team and he's begun blogging on our excellent data masking solution. 


Monday Apr 14, 2014

Vote for Oracle Audit Vault and Database Firewall in Database Trends and Applications Reader's Choice Awards

Vote for Oracle Audit Vault and Database Firewall

We are honored that Oracle Audit Vault and Database Firewall has been nominated for a Database Trends and Applications Reader’s Choice Award. Voting is now open, so please take a moment to cast your vote for this and other Oracle solutions. And thank you!

  1. Select Oracle Audit Vault and Database Firewall under “Best Database Security solutions”
  2. Additionally, vote for other Oracle solutions 
  3. Click submit button at end
  4. Please promote and forward to others

Voting Ends May 23

Winners will be showcased in a special section on the DBTA website and in the August 2014 edition of Database Trends and Applications Magazine!

Monitor Database Activity, Block Threats, and Audit Efficiently Across the Enterprise

Oracle Audit Vault and Database Firewall monitors Oracle and non-Oracle database traffic to detect and block threats, as well as improves compliance reporting by consolidating audit data from databases, operating systems, directories, and other sources.

Friday Apr 11, 2014

Protecting the Electric Grid in a Dangerous World

Required by the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards mandate sweeping security programs for North America’s electricity industry. Oracle’s data security and identity management solutions empower bulk power companies to implement enterprise-wide protection. North America’s power suppliers and distributors are under intense pressure to protect the bulk electric system (BES). The widespread use of standard computing platforms and systems linked to the Internet exposes the electric grid to new risks of internal and external compromise, and potential disruption, that did not exist even a decade ago.

Read the whitepaper Protecting the Electric Grid in a Dangerous World to learn about Oracle’s identity management and database security solutions that offer an effective, defense-in-depth security strategy to help meet NERC CIP compliance.

Tuesday Apr 01, 2014

Forrester Report: Total Economic Impact of Oracle Data Masking

In June 2013, Oracle commissioned Forrester Consulting to examine the total economic impact and potential return on investment that enterprises may realize by implementing Oracle Data Masking Pack, part of Oracle's portfolio of database security solutions.

Read the report here for more.

In summary: 

  • ROI: 242%
  • Payback period: 5.4 months
  • Total benefits (PV): $1,616,709
  • Total costs: ($472,618)
  • Net present value (NPV): $1,144,091

Friday Mar 21, 2014

Countering Adversaries Webcast Series

We're kicking off a three-part webcast series with (ISC)2 entitled "Countering Adversaries." These webcasts are for IT managers and directors, database and systems administrators, and all security professionals. Register and learn how to protect your organization.

Countering Adversaries Part 1: Espionage and Stolen Credentials

March 27, 2014, 10:00 am PT/1:00 pm ET. Register Here.

By profiling criminal activity, the Verizon Data Breach Investigations Report has been able to identify three distinct threat actors: espionage, organized crime, and activists. Organizations can take proactive steps to mitigate potential risks by understanding each threat actor’s methods and targets. In this three-part series, (ISC)2 and Oracle will examine these three threat actors, the industries they target, and how to protect sensitive customer and organizational data. We begin with countering espionage threats and their preference for using stolen credentials.

Countering Adversaries Part 2: Organized Crime and Brute Force

April 24, 2014 10:00 am PT/1:00 pm ET Register Here.

Hailing from Eastern Europe and North America, organized criminals have a penchant for using brute-force hacking and multiple strands of malware to target financial and retail organizations for monetary gain, according to the Verizon DBIR. It is common for these cybercriminals to directly access databases and extract payment cards, credentials, and bank account information. Join (ISC)2 and Oracle as we discuss tactics employed by these cybercriminals and how organizations should implement a defense-in-depth database security strategy to help mitigate the threat.

Countering Adversaries Part 3: Hacktivists and SQL Injection Attacks

May 22, 2014, 10:00 am PT/1:00 pm ET Register here.

Activists break into organizational web applications and databases to find personal and organizational data in order to expose this private information. The Verizon Data Breach Investigations Report says “Hacktivists generally act out of ideological motivations, but sometimes just for the fun and epic lulz.” In this third webcast of a three-part series, (ISC)2 and Oracle will examine their number one tool of choice: SQL injection attacks. SQL injection attacks are both simple to perform and difficult to detect. We’ll discuss detecting and blocking SQL injection attacks in order to protect your most sensitive customer and organizational data from “epic lulz”.
