Friday Jun 27, 2014

Securing Gas and Electrical Utilities with Oracle Audit Vault and Database Firewall

Medicine Hat is a city of 61,180 people in southeast Alberta, Canada. The City of Medicine Hat Electric Utility began generating electricity in 1910 using diesel fuel. Today, the power plant uses co-generation turbines with natural gas and steam to produce electricity for its customers. The Electric Utility generates, transmits and distributes electricity to approximately 30,000 customers within the City of Medicine Hat, Redcliff, Dunmore, Veinerville and outlying rural areas adjacent to the city.

Medicine Hat IT security challenges

  • Provide secure online utility billing system with direct database access
  • Work with limited IT department resources, including 17 people for the entire city
  • Secure a heterogeneous database environment: Oracle and SQL Server

Solution

The City of Medicine Hat chose Oracle Audit Vault and Database Firewall to monitor database traffic and detect and block threats such as SQL injection and privilege escalation attacks. 

Listen to the podcast to hear database administrator Chris Maxwell explain how the City of Medicine Hat uses Oracle Audit Vault and Database Firewall to protect their billing system web application and Microsoft SQL Server database.


Wednesday Jun 11, 2014

Q&A: Oracle's Paul Needham on How to Defend Against Insider Attacks

Source: Database Insider Newsletter:

The threat from insider attacks continues to grow. In fact, just since January 1, 2014, insider breaches have been reported by a major consumer bank, a major healthcare organization, and a range of state and local agencies, according to the Privacy Rights Clearinghouse.

We asked Paul Needham, Oracle senior director, product management, to shed light on the nature of these pernicious risks—and how organizations can best defend themselves against the threat from insider risks.

Q. First, can you please define the term "insider" in this context?

A. According to the CERT Insider Threat Center, a malicious insider is a current or former employee, contractor, or business partner who "has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems." 

Q. What has changed with regard to insider risks?

A. We are actually seeing the risk of privileged insiders growing. In the latest Independent Oracle Users Group Data Security Survey, the number of organizations that had not taken steps to prevent privileged user access to sensitive information had grown from 37 percent to 42 percent. Additionally, 63 percent of respondents say that insider attacks represent a medium-to-high risk—higher than any other category except human error (by an insider, I might add).

Q. What are the dangers of this type of risk?

A. Insiders tend to have special insight and access into the kinds of data that are especially sensitive. Breaches can result in long-term legal issues and financial penalties. They can also damage an organization's brand in a way that directly impacts its bottom line. Finally, there is the potential loss of intellectual property, which can have serious long-term consequences because of the loss of market advantage. 

Q. How can organizations protect themselves against abuse of privileged access?

A. Every organization has privileged users and that will always be the case. The questions are how much access should those users have to application data stored in the database, and how can that default access be controlled? Oracle Database Vault (See image) was designed specifically for this purpose and helps protect application data against unauthorized access. 

Oracle Database Vault can be used to block default privileged user access from inside the database, as well as increase security controls on the application itself. Attacks can and do come from inside the organization, and they are just as likely to come from outside as attempts to exploit a privileged account. 

Using Oracle Database Vault protection, boundaries can be placed around database schemas, objects, and roles, preventing privileged account access from being exploited by hackers and insiders. 

A new Oracle Database Vault capability called privilege analysis identifies privileges and roles used at runtime, which can then be audited or revoked by the security administrators to reduce the attack surface and increase the security of applications overall. 

For a more comprehensive look at controlling data access and restricting privileged data in Oracle Database, download Needham's new e-book, Securing Oracle Database 12c: A Technical Primer.

Friday Jun 06, 2014

Payback Is The Coupon King

PAYBACK GmbH operates the largest marketing and couponing platforms in the world—with more than 50 million subscribers in Germany, Poland, India, Italy, and Mexico. 

The Security Challenge

Payback handles millions of requests for customer loyalty coupons and card-related transactions per day under tight latency constraints—with up to 1,000 attributes or more for each PAYBACK subscriber. Among the many challenges they solved using Oracle, they had to ensure that storage of sensitive data complied with the company’s stringent privacy standards aimed at protecting customer and purchase information from unintended disclosure.

Oracle Advanced Security

The company deployed Oracle Advanced Security to achieve reliable, cost-effective data protection for back-up files and gain the ability to transparently encrypt data transfers.

By using Oracle Advanced Security, organizations can comply with privacy and regulatory mandates that require encrypting and redacting (display masking) application data, such as credit cards, social security numbers, or personally identifiable information (PII).

Learn more about how PAYBACK uses Oracle.

Wednesday Jun 04, 2014

The Top Ten Security Top Ten Lists

As marketers, we're always putting together the top 3, or 5 best, or an assortment of top ten lists. So instead of going that route, I've put together my top ten security top ten lists. These are not only for security practitioners, but also for the average Joe/Jane; because who isn't concerned about security these days? Now, there might not be ten for each one of these lists, but the title works best that way.

Starting with my number ten (in no particular order):

10. Top 10 Most Influential Security-Related Movies

Amrit Williams pulls together a great collection of security-related movies. He asks for comments on which one made you want to get into the business. I would have to say that my most influential movie(s), that made me want to get into the business of "stopping the bad guys" would have to be the James Bond series. I grew up on James Bond movies: thwarting the bad guy and saving the world. I recall being both ecstatic and worried when Silicon Valley-themed "A View to A Kill" hit theaters: "An investigation of a horse-racing scam leads 007 to a mad industrialist who plans to create a worldwide microchip monopoly by destroying California's Silicon Valley." Yikes!

9. Top Ten Security Careers

From movies that got you into the career, here’s a top 10 list of security-related careers. It starts with number ten, Information Security Analyst, and ends with number one, Malware Analyst. They point out the significant growth in security careers and indicate that "according to the Bureau of Labor Statistics, the field is expected to experience growth rates of 22% between 2010-2020." If you are interested in getting into the field, Oracle has many great opportunities all around the world.

8. Top 125 Network Security Tools

A bit outside of the range of 10, the top 125 Network Security Tools is an important list because it includes a prioritized list of key security tools practitioners are using in the hacking community, regardless of whether they are vendor supplied or open source. The exhaustive list provides ratings, reviews, searching, and sorting.

7. Top 10 Security Practices

I have to give a shout out to my alma mater, Cal Poly, SLO: Go Mustangs! They have compiled their list of top 10 practices for students and faculty to follow. Educational institutions are a common target of web based attacks and miscellaneous errors according to the 2014 Verizon Data Breach Investigations Report.   

6. (ISC)2 Top 10 Safe and Secure Online Tips for Parents

This list is arguably the most important list on my list. The tips were "gathered from (ISC)2 member volunteers who participate in the organization’s Safe and Secure Online program, a worldwide initiative that brings top cyber security experts into schools to teach children ages 11-14 how to protect themselves in a cyber-connected world…If you are a parent, educator or organization that would like the Safe and Secure Online presentation delivered at your local school, or would like more information about the program, please visit here."

5. Top Ten Data Breaches of the Past 12 Months

This type of list is always changing, so it's nice to have a current one here from Techradar.com. They've compiled and commented on the top breaches. It is likely that most readers here were affected in some way or another.

4. Top Ten Security Comic Books

Although mostly physical security controls, I threw this one in for fun. My vote for #1 (not on the list) would be Professor X. The guy can breach confidentiality, integrity, and availability just by messing with your thoughts.

3. The IOUG Data Security Survey's Top 10+ Threats to Organizations

The Independent Oracle Users Group annual survey on enterprise data security, Leaders Vs. Laggards, highlights what Oracle Database users deem as the top 12 threats to their organization. You can find a nice graph on page 9; Figure 7: Greatest Threats to Data Security.

2. The Ten Most Common Database Security Vulnerabilities

Though I don't necessarily agree with all of the vulnerabilities in this order...I like a list that focuses on where two-thirds of your sensitive and regulated data resides (Source: IDC). 

1. OWASP Top Ten Project

The Online Web Application Security Project puts together their annual list of the 10 most critical web application security risks that organizations should be including in their overall security, business risk and compliance plans. In particular, SQL injection risks continue to rear their ugly head each year. Oracle Audit Vault and Database Firewall can help prevent SQL injection attacks and monitor database and system activity as a detective security control.

Did I miss any?

Tuesday May 27, 2014

Oracle Key Vault Sneak Peek at NYOUG

The New York Oracle Users Group will get a sneak peek of Oracle Key Vault on Tuesday, June 3, by Todd Bottger, Senior Principal Product Manager, Oracle.

If you recall, Oracle Key Vault made its first appearance at last year's Oracle OpenWorld in San Francisco within the session "Introducing Oracle Key Vault: Enterprise Database Encryption Key Management."

You can catch Todd's talk from 9:30 to 10:30 am.

Session Abstract

With many global regulations calling for data encryption, centralized and secure key management has become a need for most organizations. This session introduces Oracle Key Vault for centrally managing encryption keys, wallets, and passwords for databases and other enterprise servers. Oracle Key Vault enables large-scale deployments of Oracle Advanced Security’s Transparent Data Encryption feature and secure sharing of keys between Oracle Real Application Clusters (Oracle RAC), Oracle Active Data Guard, and Oracle GoldenGate deployments. With support for industry standards such as OASIS KMIP and PKCS #11, Oracle Key Vault can centrally manage keys and passwords for other endpoints in your organization and provide greater reliability, availability, and security. 

Wednesday May 14, 2014

What's New in Oracle Audit Vault and Database Firewall

Oracle released an update to Oracle Audit Vault and Database Firewall, which provides a first line of defense for databases and consolidates audit data from databases, operating systems, and directories. A highly accurate SQL grammar-based technology monitors and blocks unauthorized SQL traffic before it reaches the database. Information from the network is combined with detailed audit information for easy compliance reporting and alerting. With Oracle Audit Vault and Database Firewall, monitoring controls can be easily tailored to meet enterprise security requirements.

New Enterprise-Grade Features

  • iSCSI SAN storage support for audit repository
  • NFS storage support for audit data archiving
  • Simplified Audit Vault Agent deployment
  • Audit Vault Agent automatic update
  • Policy alerts forwarding to syslog
  • Audit Vault repository protection by Oracle Database Vault

Extended Platform Support

  • Database Firewall support for Oracle Database 9i and MySQL 5.6
  • Windows and Linux 32-bit host OS for Audit Vault Agents
  • Oracle Linux 6.x OS (with auditd 2.2.2 up to version 6.4) auditing support

Go here for additional enhancements, and to download Oracle Audit Vault and Database Firewall.

Monday May 12, 2014

Human Error is Greatest Risk to Data Security...

...according to the Independent Oracle Users Group (IOUG) Enterprise Data Security survey. Joe McKendrick, Forbes and Database Trends and Applications (DBTA) Analyst/Contributor, writes about the escalating stakes of data security.

"When asked what they saw as the greatest risks, threats, or vulnerabilities to their data, human error came out on top, cited by 77% of respondents. Second was fear of inside hacks, cited by 63%, up from 57% in 2010."

The new 2014 Verizon Data Breach Investigations Report provides even further details around types of errors that are most common, including misdelivery (44%), publishing error (22%), and more. 

"The data seems to suggest that highly repetitive and mundane business processes involving sensitive info are particularly error prone. It’s also noteworthy that this pattern contains more incidents caused by business partners than any other."

Both are interesting reads, so check into them when you get a chance. And, if you are a member of the IOUG, please be sure to provide your responses to this year's 2014 Enterprise Data Security Survey. You should have received your invitation to participate via email. 


Wednesday Apr 16, 2014

New Oracle Data Masking and Subsetting Blog

I wanted to call everyone's attention to the new Oracle Data Masking and Subsetting blog.

Dinesh has recently joined our database security product management team and he's begun blogging on our excellent data masking solution. 

Monday Apr 14, 2014

Vote for Oracle Audit Vault and Database Firewall in Database Trends and Applications Reader's Choice Awards

We are honored that Oracle Audit Vault and Database Firewall has been nominated for a Database Trends and Applications Reader’s Choice Award. Voting is now open, so please take a moment to cast your vote for this and other Oracle solutions. And thank you!

  1. Select Oracle Audit Vault and Database Firewall under “Best Database Security solutions”
  2. Additionally, vote for other Oracle solutions 
  3. Click submit button at end
  4. Please promote and forward to others

Voting Ends May 23

Winners will be showcased in a special section on the DBTA website and in the August 2014 edition of Database Trends and Applications Magazine!

Monitor Database Activity, Block Threats, and Audit Efficiently Across the Enterprise

Oracle Audit Vault and Database Firewall monitors Oracle and non-Oracle database traffic to detect and block threats, as well as improves compliance reporting by consolidating audit data from databases, operating systems, directories, and other sources.

Friday Apr 11, 2014

Protecting the Electric Grid in a Dangerous World

Required by Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards mandate sweeping security programs for North America’s electricity industry. Oracle’s data security and identity management solutions empower bulk power companies to implement enterprise-wide protection. North America’s power suppliers and distributors are under intense pressure to protect the bulk electric system (BES). The widespread use of standard computing platforms and systems linked to the Internet expose the electric grid to new risks of internal and external compromise, and potential disruption that did not exist even a decade ago.

Read the whitepaper Protecting the Electric Grid in a Dangerous World to learn about Oracle’s identity management and database security solutions that offer an effective, defense-in-depth security strategy to help meet NERC CIP compliance.

Tuesday Apr 01, 2014

Forrester Report: Total Economic Impact of Oracle Data Masking

In June 2013, Oracle commissioned Forrester Consulting to examine the total economic impact and potential return on investment that enterprises may realize by implementing Oracle Data Masking Pack, part of Oracle's portfolio of database security solutions.

Read the report here for more.

In summary: 

 ROI    Payback period   Total benefits (PV)   Total costs   Net present value (NPV)
 242%   5.4 months       $1,616,709            ($472,618)    $1,144,091

Friday Mar 21, 2014

Countering Adversaries Webcast Series

We're kicking off a three part webcast series with (ISC)2 entitled "Countering Adversaries." These webcasts are for IT managers and directors, database and systems administrators, and all security professionals. Register and learn how to protect your organization.

Countering Adversaries Part 1: Espionage and Stolen Credentials

March 27, 2014, 10:00 am PT/1:00 pm ET. Register Here.

By profiling criminal activity, the Verizon Data Breach Investigations Report has been able to identify three distinct threat actors including espionage, organized crime, and activists. Organizations can take proactive steps to mitigate potential risks by understanding each threat actor’s methods and targets. In this three part series, (ISC)2 and Oracle will examine these three threat actors, the industries they target, and how to protect sensitive customer and organizational data. We begin with countering espionage threats and their preference for using stolen credentials.

Countering Adversaries Part 2: Organized Crime and Brute Force

April 24, 2014, 10:00 am PT/1:00 pm ET. Register Here.

Hailing from Eastern Europe and North America, organized criminals have a penchant for using brute-force hacking and multiple strands of malware to target financial and retail organizations for monetary gain, according to the Verizon DBIR. It is common for these cybercriminals to directly access databases and extract payment cards, credentials, and bank account information. Join (ISC)2 and Oracle as we discuss tactics employed by these cybercriminals and how organizations should implement a defense in depth database security strategy to help mitigate the threat.

Countering Adversaries Part 3: Hacktivists and SQL Injection Attacks

May 22, 2014, 10:00 am PT/1:00 pm ET. Register Here.

Activists break into organizational web applications and databases to find personal and organizational data in order to expose this private information. The Verizon Data Breach Investigations Report says “Hacktivists generally act out of ideological motivations, but sometimes just for the fun and epic lutz.” In this third webcast of a three part series, (ISC)2 and Oracle will examine their number one tool of choice: SQL injection attacks. SQL injection attacks are both simple to perform and difficult to detect. We’ll discuss detecting and blocking SQL injection attacks in order to protect your most sensitive customer and organizational data from “epic lutz”.

Wednesday Mar 19, 2014

Oracle OpenWorld 2014 Call for Proposals (Papers)

Oracle Database Security Experts Wanted!

The 2014 Call for Proposals for Oracle OpenWorld is open. It’s worth the time to share your expertise with thousands of Oracle users.

If you’re an Oracle Database security expert, conference attendees want to hear it straight from you. So don’t wait; proposals must be submitted by April 15.

Share if you are planning to attend and/or present. We look forward to meeting you.

Monday Mar 10, 2014

Part 4: Controlling Data Access and Restricting Privileged Data in Oracle Database

This is the fourth and final excerpt from Chapter 1 of Securing Oracle Database 12c: A Technical Primer ebook, Oracle Press. You can read the complete chapter on controlling data access and restricting privileged data by downloading your own copy. Thanks for reading.

Controlling Privileged Users

System privileges and powerful roles give significant control of the database, including the ability to view all data and make changes to the data. Some administrative users need these powerful privileges for maintenance, tuning, and backups, but they don’t need access to all of the data. Even though the administrative users are trusted, it is important to secure company data assets and personal information even from these privileged accounts in order to prevent unauthorized use by insiders or attackers.

Oracle Database Vault provides several kinds of operational controls within the database including realms, which enforce limits on access to specified objects such as tables and views. After creating a Database Vault realm, objects are added to the realm and database users can be designated as realm participants. This provides access only to the realm participants, and excludes other users, even if they have powerful system privileges like SELECT ANY TABLE that would otherwise allow them to access the objects in the realm.

The following illustration shows an example of two realms, protecting database schemas containing human resources (HR) and finance (FIN) data. Once enabled, the realms prevent privileged administrative users or other application owners from using their elevated privileges to access data. The privileged application owner HR is prevented from accessing data inside the FIN realm, and even an administrator with the DBA role is unable to access data in the HR and FIN realms.

[Figure: Oracle Database Vault Realms]

In addition to regular realms, Oracle Database 12c adds the ability to create mandatory realms. A regular realm will block the use of system privileges such as SELECT ANY TABLE if the user is not a realm participant, but it doesn’t block the schema owner or other users who gain access to the data using object privileges. Mandatory realms prevent access by anyone who is not a realm participant. One popular use for a mandatory realm is to continue to protect sensitive data during patching and upgrades, when an administrator needs to make changes to the application schema but should not have access to the data tables in that schema.

When Oracle Database Vault is configured, a couple of additional users are created. The first of these is the Database Vault owner, who can create and manage realms to control access to sensitive data. The second user is the Database Vault account manager, who has the responsibility for creating users in the database. While a single user could perform both functions, the ability to divide these duties among multiple users allows for separation of duty as described earlier. Furthermore, there is a DV_OWNER role that can be granted to other users to delegate the ability to manage Database Vault realms. This role should be granted to administrators who are responsible for the security configuration of the database, rather than the general database administrator.
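
The HR and FIN realms described above could be defined as follows with the DBMS_MACADM package, run as a user holding the DV_OWNER role. This is an added example, not taken from the ebook; the realm names and the FIN_ANALYST account are assumptions, and FIN is made a mandatory realm here to show the difference from a regular one.

```sql
-- Added example. Run as a Database Vault owner (DV_OWNER role), not as SYSDBA.
-- HR and FIN are the schemas from the excerpt; realm names and FIN_ANALYST
-- are hypothetical.
BEGIN
  -- Regular realm (realm_type 0): non-participants can no longer use system
  -- privileges such as SELECT ANY TABLE on HR objects. The schema owner and
  -- users holding direct object privileges are not blocked by this realm type.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Protects all objects in the HR schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,  -- audit blocked attempts
    realm_type    => 0);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',   -- every object in the schema
    object_type  => '%');

  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Data Realm',
    grantee      => 'HR',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  -- Mandatory realm (realm_type 1, Oracle Database 12c): only authorized
  -- users get in. Object privileges and schema ownership are not enough,
  -- so the FIN owner must be authorized explicitly.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'FIN Data Realm',
    description   => 'Mandatory realm around the FIN schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'FIN Data Realm',
    object_owner => 'FIN',
    object_name  => '%',
    object_type  => '%');

  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'FIN Data Realm',
    grantee      => 'FIN',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  -- Hypothetical reporting account that may read FIN data but cannot
  -- manage authorizations for the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'FIN Data Realm',
    grantee      => 'FIN_ANALYST',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Review who is authorized in each realm. Any account missing from this
-- list, including one with the DBA role, is outside the realm boundary.
SELECT realm_name, grantee, auth_options
FROM   dvsys.dba_dv_realm_auth
WHERE  realm_name IN ('HR Data Realm', 'FIN Data Realm')
ORDER  BY realm_name, grantee;
```

Realm authorization only lifts the realm block; FIN_ANALYST still needs ordinary object grants on the FIN tables to read them.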

The following illustration shows the use of the Database Configuration Assistant for enabling Oracle Database Vault. Management of Database Vault requires the use of these specialized users and roles. The SYSDBA administrative privilege cannot be used for realm or user management when Database Vault is enabled.

[Figure: Oracle Database Vault and Label Security]

From the free ebook, Oracle Database 12c: A Technical Primer by Michelle Malcher, Paul Needham, and Scott Rotondo.

Friday Feb 28, 2014

February Edition of Security Inside Out Newsletter, Now Available

Get the latest edition of our bi-monthly (that's every other month) Security Inside Out newsletter featuring both database security and identity management news. This month's articles:

SANS Study Explores Maturity of Security Strategies Among Healthcare Organizations

A new report from the SANS Institute, a leading security education and research organization, surveys real-world organizations to discover how the healthcare industry is adapting to this new security landscape. Find out how organizations like yours are responding to the new challenges of more-stringent regulations and new mobile and cloud technologies.

New Report Puts Oracle Audit Vault and Database Firewall to the Test

A new report from leading security organization SANS Institute finds that Oracle Audit Vault and Database Firewall successfully achieves three key security objectives: audit collection, SQL traffic monitoring, and security event reporting.

Key Cloud Security Paradigms and Oracle’s Identity Management Roadmap

Find out the most common approaches to achieving security in the cloud and whether using a third-party identity management solution is a good strategy. 

Read more here
