Tuesday May 27, 2014
By Troy Kitch-Oracle on May 27, 2014
The New York Oracle Users Group will get a sneak peek of Oracle Key Vault on Tuesday, June 3, by Todd Bottger, Senior Principal Product Manager, Oracle.
If you recall, Oracle Key Vault made its first appearance at last year's Oracle OpenWorld in San Francisco within the session "Introducing Oracle Key Vault: Enterprise Database Encryption Key Management."
You can catch Todd's talk from 9:30 to 10:30 am.
With many global regulations calling for data encryption, centralized and secure key management has become a need for most organizations. This session introduces Oracle Key Vault for centrally managing encryption keys, wallets, and passwords for databases and other enterprise servers. Oracle Key Vault enables large-scale deployments of Oracle Advanced Security’s Transparent Data Encryption feature and secure sharing of keys between Oracle Real Application Clusters (Oracle RAC), Oracle Active Data Guard, and Oracle GoldenGate deployments. With support for industry standards such as OASIS KMIP and PKCS #11, Oracle Key Vault can centrally manage keys and passwords for other endpoints in your organization and provide greater reliability, availability, and security.
Wednesday May 14, 2014
By Troy Kitch-Oracle on May 14, 2014
Oracle released an update to Oracle Audit Vault and Database Firewall, which provides a first line of defense for databases and consolidates audit data from databases, operating systems, and directories. A highly accurate SQL grammar-based technology monitors and blocks unauthorized SQL traffic before it reaches the database. Information from the network is combined with detailed audit information for easy compliance reporting and alerting. With Oracle Audit Vault and Database Firewall, monitoring controls can be easily tailored to meet enterprise security requirements.
New Enterprise-Grade Features
- iSCSI SAN storage support for audit repository
- NFS storage support for audit data archiving
- Simplified Audit Vault Agent deployment
- Audit Vault Agent automatic update
- Policy alerts forwarding to syslog
- Audit Vault repository protection by Oracle Database Vault
Extended Platform Support
- Database Firewall support for Oracle Database 9i and MySQL 5.6
- Windows and Linux 32-bit host OS for Audit Vault Agents
- Auditing support for Oracle Linux 6.x (up to 6.4, with auditd 2.2.2)
Monday May 12, 2014
By Troy Kitch-Oracle on May 12, 2014
...according to the Independent Oracle Users Group (IOUG) Enterprise Data Security survey. Joe McKendrick, Forbes and Database Trends and Applications (DBTA) Analyst/Contributor, writes about the escalating stakes of data security.
"When asked what they saw as the greatest risks, threats, or vulnerabilities to their data, human error came out on top, cited by 77% of respondents. Second was fear of inside hacks, cited by 63%, up from 57% in 2010."
The new 2014 Verizon Data Breach Investigations Report provides even further details around types of errors that are most common, including misdelivery (44%), publishing error (22%), and more.
Both are interesting reads, so check into them when you get a chance. And, if you are a member of the IOUG, please be sure to provide your responses to this year's 2014 Enterprise Data Security Survey. You should have received your invitation to participate via email.
"The data seems to suggest that highly repetitive and mundane business processes involving sensitive info are particularly error prone. It’s also noteworthy that this pattern contains more incidents caused by business partners than any other."
Wednesday Apr 16, 2014
By Troy Kitch-Oracle on Apr 16, 2014
I wanted to call everyone's attention to the new Oracle Data Masking and Subsetting blog.
Dinesh has recently joined our database security product management team and he's begun blogging on our excellent data masking solution.
- Oracle Data Masking Product Page
- Oracle Technology Network: Data Masking
- Oracle Technology Network: Data Subsetting
- Oracle in Gartner Magic Quadrant for Data Masking
Monday Apr 14, 2014
Vote for Oracle Audit Vault and Database Firewall in Database Trends and Applications Reader's Choice Awards
By Troy Kitch-Oracle on Apr 14, 2014
Vote for Oracle Audit Vault and Database Firewall
We are honored that Oracle Audit Vault and Database Firewall has been nominated for a Database Trends and Applications Reader’s Choice Award. Voting is now open, so please take a moment to cast your vote for this and other Oracle solutions. And thank you!
- Select Oracle Audit Vault and Database Firewall under “Best Database Security solutions”
- Additionally, vote for other Oracle solutions
- Click the Submit button at the end
- Please promote and forward to others
Voting Ends May 23
Winners will be showcased in a special section on the DBTA website and in the August 2014 edition of Database Trends and Applications Magazine!
Monitor Database Activity, Block Threats, and Audit Efficiently Across the Enterprise
Oracle Audit Vault and Database Firewall monitors Oracle and non-Oracle database traffic to detect and block threats, as well as improves compliance reporting by consolidating audit data from databases, operating systems, directories, and other sources.
Friday Apr 11, 2014
By Troy Kitch-Oracle on Apr 11, 2014
Required by the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards mandate sweeping security programs for North America’s electricity industry. Oracle’s data security and identity management solutions empower bulk power companies to implement enterprise-wide protection. North America’s power suppliers and distributors are under intense pressure to protect the bulk electric system (BES). The widespread use of standard computing platforms and of systems linked to the Internet exposes the electric grid to new risks of internal and external compromise, and to potential disruption that did not exist even a decade ago.
Read the whitepaper Protecting the Electric Grid in a Dangerous World to learn about Oracle’s identity management and database security solutions that offer an effective, defense-in-depth security strategy to help meet NERC CIP compliance.
Tuesday Apr 01, 2014
By Troy Kitch-Oracle on Apr 01, 2014
In June 2013, Oracle commissioned Forrester Consulting to examine the total economic impact and potential return on investment that enterprises may realize by implementing Oracle Data Masking Pack, part of Oracle's portfolio of database security solutions.
Read the report here for more.
| ROI | Payback period | Total benefits (PV) | Total costs | Net present value (NPV) |
|---|---|---|---|---|
Friday Mar 21, 2014
By Troy Kitch-Oracle on Mar 21, 2014
We're kicking off a three-part webcast series with (ISC)2 entitled "Countering Adversaries." These webcasts are for IT managers and directors, database and systems administrators, and all security professionals. Register and learn how to protect your organization.
Countering Adversaries Part 1: Espionage and Stolen Credentials
March 27, 2014, 10:00 am PT/1:00 pm ET. Register Here.
By profiling criminal activity, the Verizon Data Breach Investigations Report has been able to identify three distinct threat actors including espionage, organized crime, and activists. Organizations can take proactive steps to mitigate potential risks by understanding each threat actor’s methods and targets. In this three part series, (ISC)2 and Oracle will examine these three threat actors, the industries they target, and how to protect sensitive customer and organizational data. We begin with countering espionage threats and their preference for using stolen credentials.
Countering Adversaries Part 2: Organized Crime and Brute Force
April 24, 2014, 10:00 am PT/1:00 pm ET. Register Here.
Hailing from Eastern Europe and North America, organized criminals have a penchant for using brute-force hacking and multiple strands of malware to target financial and retail organizations for monetary gain, according to the Verizon DBIR. It is common for these cybercriminals to directly access databases and extract payment cards, credentials, and bank account information. Join (ISC)2 and Oracle as we discuss tactics employed by these cybercriminals and how organizations should implement a defense in depth database security strategy to help mitigate the threat.
Countering Adversaries Part 3: Hacktivists and SQL Injection Attacks
May 22, 2014, 10:00 am PT/1:00 pm ET. Register Here.
Activists break into organizational web applications and databases to find personal and organizational data in order to expose this private information. The Verizon Data Breach Investigations Report says “Hacktivists generally act out of ideological motivations, but sometimes just for the fun and epic lutz.” In this third webcast of a three-part series, (ISC)2 and Oracle will examine their number one tool of choice: SQL injection attacks. SQL injection attacks are both simple to perform and difficult to detect. We’ll discuss detecting and blocking SQL injection attacks in order to protect your most sensitive customer and organizational data from “epic lutz”.
Wednesday Mar 19, 2014
By Troy Kitch-Oracle on Mar 19, 2014
Oracle Database Security Experts Wanted!
The 2014 Call for Proposals for Oracle OpenWorld is open. It’s worth the time to share your expertise with thousands of Oracle users.
If you’re an Oracle Database security expert, conference attendees want to hear it straight from you. So don’t wait: proposals must be submitted by April 15.
Share if you are planning to attend and/or present. We look forward to meeting you.
Monday Mar 10, 2014
By Troy Kitch-Oracle on Mar 10, 2014
This is the fourth and final excerpt from Chapter 1 of Securing Oracle Database 12c: A Technical Primer ebook, Oracle Press. You can read the complete chapter on controlling data access and restricting privileged data by downloading your own copy. Thanks for reading.
Controlling Privileged Users
System privileges and powerful roles give significant control of the database, including the ability to view all data and make changes to the data. Some administrative users need these powerful privileges for maintenance, tuning, and backups, but they don’t need access to all of the data. Even though the administrative users are trusted, it is important to secure company data assets and personal information even from these privileged accounts in order to prevent unauthorized use by insiders or attackers.
Oracle Database Vault provides several kinds of operational controls within the database including realms, which enforce limits on access to specified objects such as tables and views. After creating a Database Vault realm, objects are added to the realm and database users can be designated as realm participants. This provides access only to the realm participants, and excludes other users, even if they have powerful system privileges like SELECT ANY TABLE that would otherwise allow them to access the objects in the realm.
The following illustration shows an example of two realms, protecting database schemas containing human resources (HR) and finance (FIN) data. Once enabled, the realms prevent privileged administrative users or other application owners from using their elevated privileges to access data. The privileged application owner HR is prevented from accessing data inside the FIN realm, and even an administrator with the DBA role is unable to access data in the HR and FIN realms.
In addition to regular realms, Oracle Database 12c adds the ability to create mandatory realms. A regular realm will block the use of system privileges such as SELECT ANY TABLE if the user is not a realm participant, but it doesn’t block the schema owner or other users who gain access to the data using object privileges. Mandatory realms prevent access by anyone who is not a realm participant. One popular use for a mandatory realm is to continue to protect sensitive data during patching and upgrades, when an administrator needs to make changes to the application schema but should not have access to the data tables in that schema.
When Oracle Database Vault is configured, a couple of additional users are created. The first of these is the Database Vault owner, who can create and manage realms to control access to sensitive data. The second user is the Database Vault account manager, who has the responsibility for creating users in the database. While a single user could perform both functions, the ability to divide these duties among multiple users allows for separation of duty as described earlier. Furthermore, there is a DVOWNER role that can be granted to other users to delegate the ability to manage Database Vault realms. This role should be granted to administrators who are responsible for the security configuration of the database, rather than the general database administrator.
The following illustration shows the use of the Database Configuration Assistant for enabling Oracle Database Vault. Management of Database Vault requires the use of these specialized users and roles. The SYSDBA administrative privilege cannot be used for realm or user management when Database Vault is enabled.
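The two realms described above, written out with the DBMS_MACADM API as an added example (this is not code from the book or the blog). It is meant to be run as the Database Vault owner; the schema names HR and FIN follow the text, while the realm names and descriptions are assumptions.

```sql
-- Added example: a regular realm around HR and a mandatory realm around FIN.
-- Run as the Database Vault owner (or a user holding DVOWNER).

-- Regular realm: blocks system privileges such as SELECT ANY TABLE for anyone
-- who is not a realm participant; the schema owner HR keeps its own access.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Protects the HR schema from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,  -- audit blocked attempts
    realm_type    => 0);                                -- 0 = regular realm
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',                                -- every object in HR
    object_type  => '%');
  -- HR is made the realm owner; only realm owners and participants pass the
  -- realm check, a DBA with SELECT ANY TABLE does not.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Mandatory realm: also blocks the schema owner FIN and holders of object
-- privileges, which is the patching/upgrade scenario described above.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'FIN Mandatory Realm',
    description   => 'Blocks all access to FIN tables during maintenance',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1);                                -- 1 = mandatory realm
  DBMS_MACADM.ADD_OBJECT_TO_REALM('FIN Mandatory Realm', 'FIN', '%', 'TABLE');
END;
/

-- Verification: realm definitions and authorizations as Database Vault sees them.
-- After this, a DBA-role user selecting from an HR or FIN table gets an
-- "insufficient privileges" error and the attempt is written to the DV audit trail.
SELECT name, mandatory, enabled FROM dba_dv_realm ORDER BY name;
SELECT realm_name, grantee, auth_options FROM dba_dv_realm_auth;
```

When the maintenance window closes, the mandatory realm can be disabled or dropped with DBMS_MACADM.UPDATE_REALM or DBMS_MACADM.DELETE_REALM rather than by re-granting object privileges.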
From the free ebook, Securing Oracle Database 12c: A Technical Primer by Michelle Malcher, Paul Needham, and Scott Rotondo.
Friday Feb 28, 2014
By Troy Kitch-Oracle on Feb 28, 2014
Get the latest edition of our bi-monthly (that's every other month) Security Inside Out newsletter featuring both database security and identity management news. This month's articles:
SANS Study Explores Maturity of Security Strategies Among Healthcare Organizations
A new report from the SANS Institute, a leading security education and research organization, surveys real-world organizations to discover how the healthcare industry is adapting to this new security landscape. Find out how organizations like yours are responding to the new challenges of more-stringent regulations and new mobile and cloud technologies.
New Report Puts Oracle Audit Vault and Database Firewall to the Test
A new report from leading security organization SANS Institute finds that Oracle Audit Vault and Database Firewall successfully achieves three key security objectives: audit collection, SQL traffic monitoring, and security event reporting.
Key Cloud Security Paradigms and Oracle’s Identity Management Roadmap
Find out the most common approaches to achieving security in the cloud and whether using a third-party identity management solution is a good strategy.
By Troy Kitch-Oracle on Feb 28, 2014
There are a lot of interesting nuggets to pull from the downfall of Mt. Gox, but the Christian Science Monitor sums it up under "What it All Means":
Mt. Gox serves as a reminder that you're not just buying Bitcoins; you're also involved in the company performing the exchange. There are no watchmen to answer to, and things can go downhill quickly if a breach happens. It's not an isolated incident, either: In 2012, the exchange site Bitcoinica was hacked for over $460,000 worth of Bitcoins, according to The Verge.
If you're not familiar with the story, Mt. Gox was targeted by hackers who stole around $350 million in Bitcoins over a two-year period, and it has stopped exchanging bitcoins as of Tuesday.
Wired has a great write-up here on the exploit and alleged repercussions and predictions of the attack, some of which have already come true: bankruptcy. The hackers exploited a bug in Mt. Gox's website, but it's not clear exactly what they did at this point:
Now, according to the alleged leaked document, it looks like hackers had been exploiting that bug for two years, and even removing bitcoins from supposedly secure “cold” wallets that the company had stored offline. Typically, cold wallets are disconnected from the internet and cannot be emptied by online attackers. However, the “cold storage has been wiped out due to a leak in the hot wallet,” the document states.
Wired is referring to this leaked document. Analysis at the end of the document says "Expertise to find: Analysts, top class developers (crypto), IT security expert..." I'll say they need an IT security expert.
There's more to learn on this one.
Thursday Feb 27, 2014
By Troy Kitch-Oracle on Feb 27, 2014
This is the third post on controlling data access and restricting privileged data in Oracle Database, pulled from the free ebook, Securing Oracle Database 12c: A Technical Primer. Here are the first and second posts. The book highlights new security features found in Oracle Database 12c; however, the majority of the solutions are applicable to earlier Oracle Database releases as well.
Users with Administrative Privileges
Certain users can connect with special administrative privileges, such as SYSDBA and SYSOPER, to allow maintenance operations even when the database is not open. These users can authenticate using a network-based authentication service such as Oracle Internet Directory or based on membership of the connecting user in a particular operating system group.
Proxy Authentication and Authorization
Sometimes administrators need to connect to an application schema to perform maintenance. Sharing the application schema password among several administrators would provide no accountability. Instead, proxy authentication allows the administrators to authenticate with their own credentials first and then proxy to the application schema. In such cases, the audit records show the actual user who performed the maintenance activities. This form of proxy authentication is supported in Oracle Call Interface (OCI), JDBC, and on the SQL*Plus command line. Here is an example where the user app_dba is allowed to connect to the database and act as hrapp.
ALTER USER hrapp GRANT CONNECT THROUGH app_dba;
Now the user app_dba can connect using his own password and assume the identity of the hrapp user by proxy as follows:
SQL> CONNECT app_dba[hrapp]
Enter password: <app_dba_password>
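A tighter version of the same proxy grant, plus the checks an administrator would run to confirm that the real user is recorded, as an added example (not code from the book or the blog). The role name hr_maint_role is an assumption.

```sql
-- Added example: limit what app_dba can do once it is proxied to hrapp, and
-- confirm that both identities are visible in the session.

-- Only the listed roles are enabled in the proxied session, and app_dba must
-- still authenticate as itself before the proxy is allowed.
ALTER USER hrapp GRANT CONNECT THROUGH app_dba
  WITH ROLE hr_maint_role
  AUTHENTICATION REQUIRED;

-- Inside a session opened with CONNECT app_dba[hrapp], both names are available:
-- the schema the session runs as and the real administrator behind it. This is
-- what gives the audit trail its accountability.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS acting_as,   -- HRAPP
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS real_user    -- APP_DBA
  FROM dual;

-- Review every proxy path on the database; each should map to a named person,
-- not to a shared account.
SELECT proxy, client, authentication, authorization_constraint, role
  FROM proxy_users
 ORDER BY client, proxy;

-- Remove the path when the maintenance window ends.
ALTER USER hrapp REVOKE CONNECT THROUGH app_dba;
```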
Stay tuned for more. Or, you can read ahead by downloading the complimentary ebook here. Also, let me know if you are enjoying these posts by adding comments below.
Friday Feb 21, 2014
By Troy Kitch-Oracle on Feb 21, 2014
This is the second post on controlling data access and restricting privileged data in Oracle Database, pulled from the ebook, Securing Oracle Database 12c: A Technical Primer. The first post can be found here. The book highlights new features found in Oracle Database 12c; however, the majority of the solutions are applicable to earlier Oracle Database releases as well.
Users are expected to provide the password when they connect to the database, but applications, middle-tier systems, and batch jobs cannot depend on a human to type the password. Earlier, a common way to provide passwords was to embed user names and passwords in the code or in scripts. This increased the attack surface and people had to make sure that their scripts were not exposed to anyone else. Also, if passwords were ever changed, changes to the scripts were required. Now you can store password credentials by using a client-side Oracle wallet. This reduces risks because the passwords are no longer exposed on command-line history, and password management policies are more easily enforced without changing application code whenever user names or passwords change.
To configure password storage using an Oracle wallet, set the WALLET_LOCATION parameter in the sqlnet.ora file. The applications can then connect to the database without providing login credentials, as follows:
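A client-side sqlnet.ora fragment for the external password store, added here as an example (it is not from the book or the blog). The wallet directory and the connect alias hrapp_db are assumptions; the alias must also exist in tnsnames.ora.

```text
# Added example: sqlnet.ora on the client that holds the wallet.
# Wallet created beforehand with the Oracle tools, e.g.
#   mkstore -wrl /u01/app/oracle/wallet -create
#   mkstore -wrl /u01/app/oracle/wallet -createCredential hrapp_db hrapp <password>
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)))

# Required: makes "/@alias" connects look up the alias in the wallet instead of
# attempting operating-system authentication.
SQLNET.WALLET_OVERRIDE = TRUE
```

With this in place the application connects as `sqlplus /@hrapp_db` and no password appears in scripts or shell history; the wallet directory should be readable only by the OS account that runs the application, since anyone who can read it can connect as hrapp.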
Stay tuned for more. Or, you can read ahead by downloading the complimentary ebook here.